pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

safety-schemas 0.0.7 requires outdated pydantic version that fails install on Python 3.13 #620

Open andy-maier opened 2 hours ago

andy-maier commented 2 hours ago

Checklist

Safety version

safety-schemas 0.0.7

Python version

3.13

Operating System

macos, Ubuntu, Windows

Describe the problem you'd like to have solved

I am using the safety issue tracker for reporting this issue of safety-schemas, because I'm not aware of an issue tracker for safety-schemas.

The safety-schemas package version 0.0.7 has the following package dependencies:

$ python -m pipdeptree -p safety-schemas
safety-schemas==0.0.7
├── dparse [required: >=0.6.4b0, installed: 0.6.4b0]
│   └── packaging [required: Any, installed: 24.1]
├── packaging [required: >=21.0, installed: 24.1]
├── pydantic [required: ~=2.5.0, installed: 2.5.3]
│   ├── annotated-types [required: >=0.4.0, installed: 0.7.0]
│   ├── pydantic_core [required: ==2.14.6, installed: 2.14.6]
│   │   └── typing_extensions [required: >=4.6.0,!=4.7.0, installed: 4.12.2]
│   └── typing_extensions [required: >=4.6.1, installed: 4.12.2]
├── ruamel.yaml [required: >=0.17.21, installed: 0.18.6]
│   └── ruamel.yaml.clib [required: >=0.2.7, installed: 0.2.12]
└── typing_extensions [required: >=4.7.1, installed: 4.12.2]

This dependency chain pulls in pydantic-core 2.14.6, which has a bug that causes its installation to fail on Python 3.13. That bug has been reported in https://github.com/pydantic/pydantic-core/issues/1366 and again in https://github.com/pydantic/pydantic-core/issues/1500 and has been fixed with https://github.com/pydantic/pydantic-core/pull/1299 in pydantic-core version 2.18.3.

pydantic-core version 2.18.3 was for the first time pulled in by pydantic version 2.7.2.

However, pydantic 2.7.2 has other install issues on Python 3.13, and I found that I needed pydantic>=2.8.0 to successfully install on Python 3.13.

Note that pydantic and pydantic-core are very tightly coupled in their dependencies: pydantic specifies the exact and only version of pydantic-core to be used.

The current dependency that safety-schemas 0.0.7 specifies for the pydantic package is ~=2.5.0, which uses the so-called compatibility operator ~= and is equivalent to >=2.5.0, <2.6.0. This prevents installing the version of pydantic that has the bug fix.

safety-schemas 0.0.5 allowed any version for the pydantic package; that's why this issue started to occur with the release of safety-schemas 0.0.7.

Describe the ideal solution

Do not specify an upper limit for the pydantic dependency, at least not an upper 2.x minor version.

Specifying pydantic ~= 2.5 might be ok, because that is equivalent to >=2.5.0, <3.0.0.

Alternatives and current workarounds

Our circumvention is to exclude safety-schemas 0.0.7, hoping that a subsequent safety-schemas version will no longer pin pydantic to <2.6.0.

Additional context

No response

What I Did

On Python 3.13:

pip install safety
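
The point of the report above is how PEP 440's compatible-release operator expands. As an added example (not code from the safety or safety-schemas projects), the script below models that expansion with the standard library only and filters a constructed list of pydantic release versions through both candidate specifiers, showing that `~=2.5.0` excludes the 2.8.0 release the reporter needed while `~=2.5` admits it. The version list, the function names and the restriction to plain X.Y.Z release versions are assumptions of this example.

```python
# Added example, not code from the safety or safety-schemas projects: a small
# pure-stdlib model of PEP 440's compatible-release operator (~=), used to show
# why "pydantic ~=2.5.0" excludes every 2.6+ release while "pydantic ~=2.5"
# admits all of 2.x. The candidate version list below is constructed for the
# demonstration; only plain X.Y.Z release versions are handled (assumption).

def parse_version(version: str) -> tuple[int, ...]:
    """Split a release version such as '2.5.3' into a tuple of integers."""
    return tuple(int(part) for part in version.strip().split("."))

def padded(parts: tuple[int, ...], width: int) -> tuple[int, ...]:
    """Right-pad with zeros so '2.5' and '2.5.0' compare as equal (PEP 440)."""
    return parts + (0,) * (width - len(parts))

def expand_compatible(spec: str) -> tuple[str, str]:
    """Expand '~=V' into the equivalent ('>=V', '<U') pair.

    PEP 440 defines ~=V as >=V together with ==V.*, where the last component
    of V is dropped before the wildcard is applied. The upper bound is therefore
    V with its second-to-last component incremented and the last set to zero.
    """
    if not spec.startswith("~="):
        raise ValueError(f"not a compatible-release specifier: {spec!r}")
    version = spec[2:].strip()
    parts = parse_version(version)
    if len(parts) < 2:
        raise ValueError("~= needs at least two version components, e.g. ~=2.5")
    upper = list(parts)
    upper[-2] += 1
    upper[-1] = 0
    return f">={version}", "<" + ".".join(str(p) for p in upper)

def satisfies(spec: str, candidate: str) -> bool:
    """True if candidate lies inside the range that ~= expands to."""
    lower_spec, upper_spec = expand_compatible(spec)
    lower = parse_version(lower_spec[2:])
    upper = parse_version(upper_spec[1:])
    cand = parse_version(candidate)
    width = max(len(lower), len(upper), len(cand))
    return padded(lower, width) <= padded(cand, width) < padded(upper, width)

def admitted(spec: str, candidates: list[str]) -> list[str]:
    """Filter a list of available versions down to those the specifier allows."""
    return [v for v in candidates if satisfies(spec, v)]

# Constructed list of candidate pydantic versions for the demonstration.
AVAILABLE = ["2.4.2", "2.5.0", "2.5.3", "2.6.0", "2.7.2", "2.8.0", "3.0.0"]

if __name__ == "__main__":
    for spec in ("~=2.5.0", "~=2.5"):
        lo, hi = expand_compatible(spec)
        print(f"{spec:8} -> {lo}, {hi}; admits {admitted(spec, AVAILABLE)}")
    # The reporter needed pydantic >= 2.8.0 on Python 3.13.
    print("2.8.0 under ~=2.5.0:", satisfies("~=2.5.0", "2.8.0"))  # False
    print("2.8.0 under ~=2.5  :", satisfies("~=2.5", "2.8.0"))    # True
```

Running it prints `~=2.5.0 -> >=2.5.0, <2.6.0` and `~=2.5 -> >=2.5, <3.0`, which is exactly the difference the report turns on: the number of components in the version after `~=` decides which component becomes the upper bound. The same expansion can be checked against the reference implementation with `packaging.specifiers.SpecifierSet("~=2.5.0").contains("2.8.0")` if the `packaging` package is installed.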

github-actions[bot] commented 2 hours ago

Hi @andy-maier, thank you for opening this issue!

We appreciate your effort in reporting this. Our team will review it and get back to you soon. If you have any additional details or updates, feel free to add them to this issue.

Note: If this is a serious security issue that could impact the security of Safety CLI users, please email security@safetycli.com immediately.

Thank you for contributing to Safety CLI!