Unwanted advertisement string injected into Gym releases

[matteobettini]

It appears that a new string has been injected into the Gym package that prints unsolicited messages to users’ screens. The message reads:

Gym has been unmaintained since 2022 and does not support NumPy 2.0 amongst other critical functionality.
Please upgrade to Gymnasium, the maintained drop-in replacement of Gym, or contact the authors of your software and request that they upgrade.
Users of this version of Gym should be able to simply replace 'import gym' with 'import gymnasium as gym' in the vast majority of cases.
See the migration guide at https://gymnasium.farama.org/introduction/migration_guide/ for additional information.

Why this is a problem:

This message is being forced on all users of Gym and all downstream libraries that depend on it, even if they are intentionally using the old version for compatibility reasons.
It is not acceptable to modify published wheels in-place in order to inject new behavior — this breaks reproducibility and undermines trust in the package.
Printing unsolicited advertisements to end users’ consoles is disruptive and not expected behavior from a library.

This has made it way into many of my projects (vmas, benchmarl, and their google colab notebooks) and ultimately even in tutorials on the pytorch website https://docs.pytorch.org/tutorials/intermediate/reinforcement_q_learning.html

Expected behavior:

Previously released versions of Gym should remain immutable. If a message like this needs to be communicated, it should be done through:

• Release notes / changelogs
• Documentation updates
• A new major release that downstream projects can opt into

Request:

Please remove the injected message from altered packages.
Restore the original wheels for the affected versions so downstream users can rely on consistent behavior.
Communicate deprecation and migration guidance through official channels (docs, GitHub README, PyPI project description), rather than forced runtime messages.

Thank you for addressing this quickly. Preserving trust in the stability and integrity of the Python packaging ecosystem is extremely important.

[vmoens]

+1 one on this
Multiprocessed / distributed logs are now polluted with a lot of unwanted warnings. Would be great if this was opt-in.

[jkterry1]

Hey guys,

I greatly appreciate your feedback and I apologize for the inconvenience.

Immediate solution: Pin gym-notices==0.0.8 in your dependencies to disable these messages permanently.

Let me clarify what happened technically: We didn't edit a published wheel. I don't believe PyPI even lets you for security reasons, and we would not want to do such a thing for reproducibility reasons.

What actually happened is that all releases of Gym since it was handed over (and most releases of most Farama packages) depended on a separate notifications package without a pinned version (package at issue here: https://github.com/Farama-Foundation/gym-notices). We included this dependency to announce large errors in releases without yanking them outright and breaking people's code even more (which actually came up with Gym 0.24.0 years ago). This message came from publishing an update of that package, not from editing any past releases of Gym in any way (which again we would not do and I don't believe we even can do). Aside from the warning message, this does not/cannot change reproducibility in any way.

Our thinking behind including these messages was that:

1. Gym hasn't been maintained for almost 4 years, it doesn't get security updates, support for new versions of Python, new versions of NumPy, and hasn't even had a documentation site for something like over a year. Additionally, while I'm deeply aware that support for legacy versions of Gym are a far higher priority for your group, other large production users of Gym/Gymnasium have largely upgraded away from Gym awhile ago now (and we've also made fairly good on the API stability promises of the 1.0 release over the past years).
2. Gym being unmaintained has been causing issues with undergraduate courses running old scripts and we've been getting problem reports from confused students for ages. Secondarily, as best we can tell from the statistics and for reasons entirely unknown to us, some non US/EU university clusters have recently started installing old versions of Gym millions of times a month, which will probably turn out to be moderately not great for the field given time (and is creating package install statistics issues for us).

Between these two things and the ability to permanently turn off the notifications with the single line gym-notices pin, we believed the warning would be net beneficial to the field. It's also probably worked - we've stopped getting confused messages from students since we turned this message on ~2 months ago (which is a really big deal for the field of RL if you imagine how many likely never email us), and in those two months no one that I'm at least aware of has reached out to us with an issue with the messages.

I do apologize for it not being clearer how to turn off the message with the single line dependency pin, and absolutely understand the concern with it seeming like we may have violated package reproducibility. When we cut this release we assumed that it would be really clear to people, but that was unreasonable in retrospect (there also isn't a super obvious place to post it). That being said, this issue will let people see that as soon as they Google the error message, so I appreciate the opportunity to create that clarification for our users here.

Also, if there's anything you guys need from us to help upgrade to Gymnasium (which has been pretty API stable for years now), please reach out. While things have been less than ideal, we do want to serve the interests of the entire RL community including you guys.

[vmoens]

Thanks for the detailed answer @jkterry1!

other large production users of Gym/Gymnasium have largely upgraded away from Gym awhile ago now

Exactly our point, I think most people who are willing to use gymnasium are using it. The community is well aware of gymnasium and the improvements it brings.

As of today, I would be surprised if anyone were using openai/gym unwillingly. Most people I know who are using it do it because of the simplicity it has or for some core features like specs etc. that they don't want/need to upgrade. For these users, this is an unwanted message.

[matteobettini]

Thanks for the answer!

I think the discussion prescinds the specifics of gymnasium and gym (I am sure the library is now amazing)

In my view it is a very bad practice to inject code retroactively into people’s projects via updates to an unbounded dependency.

This is actually a hacking pattern that has been used extensively. I am sure that if you present this case briefly to chatgpt you will be able to conclude the same thing.

I also think it is unreasonable to ask people to change the dependencies (of very old and already released!! projects) to silence this message.

I strongly suggest removing the code injection promptly

[pseudo-rnd-thoughts]

Hi Matteo, as discussed above we can't change the pypi wheels therefore, we can't remove that gym-notices is installed for gym v0.22+ and imported therefore, cannot complete your suggestion.

On code injection, I agree this such attacks are possible, however, this argument is true for all libraries without fixed dependencies which is almost all libraries.

On changing dependencies, for users to use gym they already need to fix several dependencies that future versions broke old code, not least setuptools, numpy, and ale-py, etc. Therefore, I agree with Vincent that most users should not be willingly be using gym at this point in time, and if they want to remove this message they can add gym-notices to the list of fixed dependencies they already have.

Looking at the libraries you said were affected, could you help explain to me why vmas can't to very simply be upgraded to Gymnasium given that gym v0.26.2 is supported?
Also on the Pytorch tutorial, I'm very confused by the warning is appearing as gym is not imported at all. I'm guessing that gym is being incorrectly installed and imported within the code but I don't understand where or why.