
update Python module packaging

Open AndreasPelzer opened this issue 11 months ago • 8 comments

Describe the feature

The Python module packaging is only allowed for version 23.x. The module itself has been upgraded to version >=24 almost one year ago. Can you please upgrade it? Reason: builds with other Python modules fail due to a version conflict. Thanks & Regards

AndreasPelzer avatar Jan 14 '25 09:01 AndreasPelzer

Hi @AndreasPelzer , thanks for reaching out. I'm not quite sure I understand what you are trying to achieve here. Are you trying to use Checkov as a Python package? If not, could you please elaborate and provide an example?

Saarett avatar Jan 14 '25 15:01 Saarett

Yes, I am compiling the Python module checkov together with other modules and get the following error:

ERROR: Cannot install -r /requirements.txt (line 3) and -r /requirements.txt (line 9) because these package versions have conflicting dependencies.
The conflict is caused by:
checkov 3.2.352 depends on packaging<24.0 and >=23.0
poetry 2.0.1 depends on packaging>=24.0

Packaging version 24.0 has existed since March 2024, see here. Thus I suggest upgrading it for checkov. I hope this is the right approach.

AndreasPelzer avatar Jan 15 '25 09:01 AndreasPelzer
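The pip error quoted above is a pure constraint-intersection problem: checkov admits packaging in [23.0, 24.0) and poetry admits [24.0, ∞), so no single release satisfies both. The following script is an added example, not code from this thread or from the checkov project; it reproduces that check with a minimal stdlib-only specifier parser (assumed simplified PEP 440 handling: dotted-integer versions and the six comparison operators only) so a CI job can flag such conflicts from requirement lines before invoking pip. The constraint strings and the candidate release list are constructed sample input, and the `SAMPLE_CONSTRAINTS`, `satisfiable_versions` and `conflicting_pairs` names are this example's own.

```python
"""Detect unsatisfiable version constraints across requirement lines.

Added example, not part of the checkov project. It supports only the subset of
PEP 440 needed here: dotted-integer releases and ==, !=, <, <=, >, >= clauses.
"""
import re
from itertools import combinations
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Spec = Tuple[str, Version]

# Constructed sample input: the two constraints pip reported in the thread,
# keyed by the package that declares them.
SAMPLE_CONSTRAINTS: Dict[str, str] = {
    "checkov": "packaging<24.0,>=23.0",
    "poetry": "packaging>=24.0",
}

# Constructed list of candidate releases of the constrained package.
CANDIDATE_VERSIONS: List[str] = ["23.0", "23.1", "23.2", "24.0", "24.1", "24.2", "25.0"]

_SPEC_RE = re.compile(r"^(==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")


def parse_version(text: str) -> Version:
    """'24.0' -> (24, 0). Only dotted-integer releases are supported."""
    return tuple(int(part) for part in text.strip().split("."))


def _compare(a: Version, b: Version) -> int:
    """Three-way compare, zero-padding the shorter tuple so that 24 == 24.0."""
    width = max(len(a), len(b))
    a_p = a + (0,) * (width - len(a))
    b_p = b + (0,) * (width - len(b))
    return (a_p > b_p) - (a_p < b_p)


def parse_requirement(req: str) -> Tuple[str, List[Spec]]:
    """Split 'packaging<24.0,>=23.0' into ('packaging', [('<', (24, 0)), ('>=', (23, 0))])."""
    m = _REQ_RE.match(req.strip())
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    name = m.group(1).lower()
    specs: List[Spec] = []
    for clause in m.group(2).split(","):
        clause = clause.strip()
        if not clause:
            continue  # a bare name means "any version"
        sm = _SPEC_RE.match(clause)
        if not sm:
            raise ValueError(f"unsupported specifier: {clause!r}")
        specs.append((sm.group(1), parse_version(sm.group(2))))
    return name, specs


def satisfies(version: str, specs: List[Spec]) -> bool:
    """True if the version meets every clause of the specifier set."""
    v = parse_version(version)
    for op, bound in specs:
        c = _compare(v, bound)
        ok = {"==": c == 0, "!=": c != 0, "<": c < 0,
              "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]
        if not ok:
            return False
    return True


def allowed_versions(constraints: Dict[str, str], candidates: List[str]) -> Dict[str, List[str]]:
    """For each declaring package, the candidate versions its constraint admits."""
    names = set()
    result: Dict[str, List[str]] = {}
    for declarer, req in constraints.items():
        name, specs = parse_requirement(req)
        names.add(name)
        result[declarer] = [v for v in candidates if satisfies(v, specs)]
    if len(names) > 1:
        raise ValueError(f"constraints target different packages: {sorted(names)}")
    return result


def satisfiable_versions(constraints: Dict[str, str], candidates: List[str]) -> List[str]:
    """Candidate versions that satisfy all constraints at once; empty means a conflict."""
    allowed = allowed_versions(constraints, candidates)
    return [v for v in candidates if all(v in vs for vs in allowed.values())]


def conflicting_pairs(constraints: Dict[str, str], candidates: List[str]) -> List[Tuple[str, str]]:
    """Pairs of declaring packages whose admitted version sets do not overlap."""
    allowed = allowed_versions(constraints, candidates)
    return [(a, b) for a, b in combinations(sorted(allowed), 2)
            if not set(allowed[a]) & set(allowed[b])]


if __name__ == "__main__":
    print("jointly satisfiable:", satisfiable_versions(SAMPLE_CONSTRAINTS, CANDIDATE_VERSIONS))
    print("conflicting pairs:", conflicting_pairs(SAMPLE_CONSTRAINTS, CANDIDATE_VERSIONS))
```

Run as-is it reports an empty satisfiable set and the pair (checkov, poetry), which is exactly the resolver failure in the thread; relaxing the checkov entry to `packaging>=24.0` makes the 24.x and 25.0 candidates satisfiable again. For real requirement files the `packaging.specifiers.SpecifierSet` class from the packaging library gives the full PEP 440 semantics this toy parser omits.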

Thank you for your feedback. Currently, Checkov is primarily supported as a CLI tool rather than a Python package, so we do not have immediate plans to address this. However, we would be happy to review and welcome contributions for upgrades.

Saarett avatar Jan 15 '25 13:01 Saarett

OK, I provided my first contribution with this pr. Please let me know if anything else is required.

AndreasPelzer avatar Jan 15 '25 15:01 AndreasPelzer

Echoing this issue: the packaging<24.0 constraint in checkov conflicts with our other dependencies requiring packaging>=24.0. This is blocking poetry.lock updates in our Poetry-managed CI pipeline.

While we use checkov as a CLI tool, installing it as a managed Python dependency makes this conflict disruptive to our workflows. The fix in PR #6952 is straightforward (updating the packaging constraint to >=24.0). That PR is still open, but it appears the CI checks failed and it hasn't yet been reviewed or assigned.

Could a maintainer please take a look or provide an update on how we can move this forward?

eberkut avatar May 14 '25 16:05 eberkut

@Saarett, pinging on this issue as it has been open for over six months.

This dependency pin is a significant blocker. The community provided a fix in PR #6952 immediately, and the more general PR #7185 also remains unreviewed after more than a month.

Can we please get an update on when a review for either of these pull requests can be expected?

eberkut avatar Jun 23 '25 18:06 eberkut

This issue also prevents installation on the upcoming Debian 13 (to be released soon).

jefimm avatar Jul 27 '25 12:07 jefimm

I'm also facing this issue trying to use checkov within a DevContainer. I'm running into conflicts with tox (tox-ansible) and pyproject-api. Both of these require packaging>=25. Any update on getting this updated?

jasonthrasher avatar Dec 09 '25 02:12 jasonthrasher