Open washeck opened 7 months ago
Hey there, @washeck.
I'm sorry to hear about your issue with some dependencies of Safety. I agree that things like that should work more smoothly and not disturb you as a user as much as happened here. But let me quickly explain why some of those dependencies exist, mainly to be transparent and prevent any confusion.
The typer we are using is https://typer.tiangolo.com/, used to build CLI apps, not as a dev dependency, to remove any misunderstanding here. We are switching to Typer because it is easier to use and reduces the code we have to write for validation on options, etc. It is included as a dependency in our setup.cfg file going forward.
Others like packaging and pydantic are needed not just for us as developers but also for some functionality in our product.
As we are a small growing company/product, it might happen that we run into migration or deprecation issues. Something that isn't great and that doesn't feel good to the user, but some of it has to happen, unfortunately. We are trying to be better about this.
I hope this relieves some of your concerns with our dependencies.
Related to the issue, I recommend installing Safety in an isolated environment and using the scan command to target your project root; with that approach, you won't have dependency issues. If you require further help, please let me know the safety and Python versions, plus any other details to help identify if this is a Safety bug.
I think the issue we ran into is https://github.com/tiangolo/typer/issues/790 - typer probably issued a somehow broken release.
Based on your advice to use safety in an isolated environment, I was thinking about running it in docker, but it seems like either the doc https://docs.safetycli.com/safety-docs/installation/docker-containers is outdated or the pyupio/safety image is not maintained. Running the command from the doc
$ docker run --rm -ti pyupio/safety --version
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "--version": executable file not found in $PATH: unknown.
fails, as there is probably a wrong entrypoint in the Dockerfile. Using the working command
$ docker run --rm -ti pyupio/safety safety --version
safety, version 1.10.3
shows the image is outdated.
Do you provide an up-to-date one?
To fix the issue, you have to uninstall and reinstall typer ... I know (source).
@washeck, nice catch with the docs there. The team updated the docs: https://docs.safetycli.com/safety-docs/installation/docker-containers
We moved our docker images to ghcr.io, docker hub is there only for legacy support. You can use ghcr.io/pyupio/safety:3.1 if you want to pin the docker image.
Right now, safety does not require any specific version of typer: https://github.com/pyupio/safety/blob/main/setup.cfg#L51C5-L51C10
As the issue was solved in typer 0.12.1, safety 3.x should increase its minimum version of typer to >=0.12.1.
@washeck If you have uv available in your environment, invoking safety with uvx safety scan will install and run safety in an isolated virtualenv. You do not need to be using uv for your actual project for this to work.
@Jwomers
I want to express my strong disappointment with the way safety is developed.
For us it is just a support tool, one of the many small tools such as linters, code formatters and other nice but not critical tools meant to make our product better and save developers time.
We started to use safetycli because we are migrating from pipenv to poetry and we cannot use pipenv check anymore. We are not interested in any other features, we just want the tool to work the same as pipenv check.
Since the migration to safety, I am seeing many complications I have not encountered before. There was https://github.com/pyupio/safety/issues/495 and https://github.com/pyupio/safety/issues/447; fixes were available only in a beta version.
Today I ran pipenv lock just to upgrade the vulnerable pillow library and I see that some typer appeared as a new dependency and it does not work.
I don't want to spend my time on your experiments with typing. While typing seems like an interesting addition to Python, please keep pydantic, mypy, typer or whatever typing technology you find interesting in your dev dependencies.