safety icon indicating copy to clipboard operation
safety copied to clipboard

Published 20 hours ago verified publisher icon pyupio

safety packaging dependency conflicts with packages that require newer version of packaging

Open rktoomey opened this issue 2 years ago • 15 comments

  • safety version: 2.3.5
  • Python version: 3.10
  • Operating System: Linux

Description

The changelog for release 2.34 says the issue with packaging 22.0 is fixed: https://github.com/pyupio/safety/blob/d8bd6f7baefba3db6dcdef8f5a2750da15150106/CHANGELOG.md#234---2022-12-07 https://github.com/pyupio/safety/pull/439

However, in 2.3.5 packaging was then fixed to a compatible range being < 22.0: https://github.com/pyupio/safety/commit/aa1b1532818a1b2cb229b14907cad64c927fa8c6

I noticed this when I was updating dependencies and had a version conflict caused by newer packages requiring packaging

Because no versions of safety match >2.3.5,<3.0.0
 and safety (2.3.5) depends on packaging (>=21.0,<22.0), safety (>=2.3.5,<3.0.0) requires packaging (>=21.0,<22.0).
And because black (23.1.0) depends on packaging (>=22.0)
 and no versions of black match >23.1.0,<24.0.0, safety (>=2.3.5,<3.0.0) is incompatible with black (>=23.1.0,<24.0.0).

What I Did

Temporarily reverted the packages with a conflict and pinned them to an earlier version.

rktoomey avatar Feb 05 '23 21:02 rktoomey

Hi @rktoomey, 2.3.4 fixed the issue temporarily; in the coming days, a new version with multiple improvements will resolve the dependency issue you are reporting.

yeisonvargasf avatar Feb 05 '23 21:02 yeisonvargasf

Is there any update on the release of 2.3.6?

kevinbowen777 avatar Feb 19 '23 05:02 kevinbowen777

@kevinbowen777, we will release 2.4.0 as a beta with many improvements and a fix for this issue. The release will happen this week.

yeisonvargasf avatar Feb 19 '23 15:02 yeisonvargasf

Thank you. I'm looking forward to testing the new release.

kevinbowen777 avatar Feb 19 '23 17:02 kevinbowen777

@yeisonvargasf do you have any update on the safety release?

snazy avatar Mar 03 '23 09:03 snazy

Hi @rktoomey, @kevinbowen777, and @snazy, thanks for your patience here; we released a beta version (Feb 26) with significant changes and additional improvements.

This version ( https://pypi.org/project/safety/2.4.0b1/) should fix this issue. Could you try?

Let me know if this version works for you.

yeisonvargasf avatar Mar 06 '23 16:03 yeisonvargasf

Thanks for the beta release. I've been running it successfully against a couple of my repos and it looks good so far. This version also appears to fail properly with the insecure-package installed.

kevinbowen777 avatar Mar 07 '23 04:03 kevinbowen777

LGTM (our build's passing w/ 2.4.0b1 + the currently blocked tox + black version bumps)

snazy avatar Mar 07 '23 20:03 snazy

Hi @yeisonvargasf, do you have an update when 2.4.0 will be released?

snazy avatar Mar 15 '23 17:03 snazy

Hi, @yeisonvargasf, sorry for the delay.

I just tested my build with 2.4.0b1 and it works great. Thanks for working to get this fixed! Looking forward to the release :)

rktoomey avatar Mar 20 '23 17:03 rktoomey

We also had this issue with the pinning of "packaging", and tested safety 2.3.4 and 2.4.0b1 with packaging 22.0, 23.0 and 23.1 (on Python 3.9) and it all worked fine.

It turns out safety 2.4.0b1 pins packaging to <=23.0 which is in conflict with tox>=4.0 which requires packaging>=23.1

Can you not just remove the pinning for the "packaging" package completely, like it was in safety 2.3.4 and earlier? Pinning a dependent package is always prone to cause conflicts for someone out there, and you should find any incompatibilities with that package in your tests.

Right now, we solve these conflicts by excluding safety 2.3.5.

andy-maier avatar May 11 '23 08:05 andy-maier

Hi, @andy-maier agree about the problem with pinning; the pinning was a quick fix as we are under a significant revamp of Safety CLI, which right now is in a closed beta phase for version 3.0

In the coming month, we'll revamp our CI/CD pipelines to catch these issues and release quicker new features and bug fixes. We should have a better changelog, contribute guides, and better PR checks.

Also, as a comment, PyUp is in a rebranding journey, so hoping you all see soon the changes we are working on.

yeisonvargasf avatar Aug 04 '23 15:08 yeisonvargasf

What's the status on a new version release? Is it an option to release 2.4.0 before 3.0, or perhaps even a 2.3.6 bugfix? It would be nice to avoid this error with an unbound upper-version as on main branch. Also, why not move all content of setup.cfg and test_requirements.txt to pyproject.toml?

wkoot avatar Dec 11 '23 10:12 wkoot

Hi @rktoomey and everyone involved,

Thank you for your patience and for bringing this to our attention.

We understand the challenges caused by the dependency conflicts with the packaging library. We are pleased to inform you that Safety version 3 has been released, and it should resolve the conflicts with newer versions of packaging.

However, we recognize that pinning dependency versions can sometimes cause conflicts. To prevent similar issues in the future, we are working on improving our CI/CD pipelines to better test and validate our dependencies.

Please test your environment with the latest version, Safety 3, and let us know if the conflict persists. We are committed to ensuring smoother updates and fewer dependency conflicts moving forward.

Thank you for your continued support and for helping us improve Safety!

Best Regards, The Safety Team

dylanpulver avatar Aug 07 '24 17:08 dylanpulver