safety-schemas 0.0.7 requires outdated pydantic version that fails install on Python 3.13 #620

Closed
andy-maier opened this issue Oct 24, 2024 · 6 comments


andy-maier commented Oct 24, 2024

Safety version

safety-schemas 0.0.7

Python version

3.13

Operating System

macos, Ubuntu, Windows

Describe the problem you'd like to have solved

I am using the safety issue tracker for reporting this issue of safety-schemas, because I'm not aware of an issue tracker for safety-schemas.

The safety-schemas package version 0.0.7 has the following package dependencies:

```
$ python -m pipdeptree -p safety-schemas
safety-schemas==0.0.7
├── dparse [required: >=0.6.4b0, installed: 0.6.4b0]
│   └── packaging [required: Any, installed: 24.1]
├── packaging [required: >=21.0, installed: 24.1]
├── pydantic [required: ~=2.5.0, installed: 2.5.3]
│   ├── annotated-types [required: >=0.4.0, installed: 0.7.0]
│   ├── pydantic_core [required: ==2.14.6, installed: 2.14.6]
│   │   └── typing_extensions [required: >=4.6.0,!=4.7.0, installed: 4.12.2]
│   └── typing_extensions [required: >=4.6.1, installed: 4.12.2]
├── ruamel.yaml [required: >=0.17.21, installed: 0.18.6]
│   └── ruamel.yaml.clib [required: >=0.2.7, installed: 0.2.12]
└── typing_extensions [required: >=4.7.1, installed: 4.12.2]
```

This dependency chain pulls in pydantic-core 2.14.6, which has a bug that causes its installation to fail on Python 3.13.
That bug has been reported in pydantic/pydantic-core#1366 and again in pydantic/pydantic-core#1500 and has been fixed with pydantic/pydantic-core#1299 in pydantic-core version 2.18.3.

pydantic-core version 2.18.3 was for the first time pulled in by pydantic version 2.7.2.

However, pydantic 2.7.2 has other install issues on Python 3.13, and I found that I needed pydantic>=2.8.0 to successfully install on Python 3.13.

Note that pydantic and pydantic-core are very tightly coupled in their dependencies: pydantic specifies the exact and only version of pydantic-core to be used.

The current dependency safety-schemas 0.0.7 specifies for the pydantic package is ~=2.5.0 which uses the so-called compatibility operator ~= which is equivalent to >=2.5.0, <2.6.0. This prevents installing the version of pydantic that has the bug fix.

safety-schemas 0.0.5 allowed any version for the pydantic package; that's why this issue started to occur with the release of safety-schemas 0.0.7.

Describe the ideal solution

Do not specify an upper limit for the pydantic dependency, at least not an upper 2.x minor version.

Specifying pydantic ~= 2.5 might be ok, because that is equivalent to >=2.5.0, <3.0.0

Alternatives and current workarounds

Our circumvention is to exclude safety-schemas 0.0.7, hoping that a subsequent safety-schemas version will no longer pin pydantic to <2.6.0.

Additional context

No response

What I Did

On Python 3.13:

```
pip install safety
```
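The issue turns on what the PEP 440 compatible-release operator `~=` actually expands to. The following is an added illustration, not code from the safety or safety-schemas projects: it implements the `~=` expansion rule for release versions and checks the pydantic versions named in this thread against the `~=2.5.0` pin and the proposed `~=2.5` alternative. Pre-release suffixes such as `b0` are deliberately out of scope.

```python
"""PEP 440 compatible-release (~=) semantics, worked for the pins in this issue."""
from typing import Tuple

Version = Tuple[int, ...]


def _parse(version: str) -> Version:
    # Release segment only (e.g. "2.10.1" -> (2, 10, 1)); no pre-release handling.
    return tuple(int(part) for part in version.strip().split("."))


def compatible_release_bounds(spec: str) -> Tuple[Version, Version]:
    """Expand '~=X.Y[.Z]' into (inclusive lower bound, exclusive upper bound).

    PEP 440 defines '~=V' as '>=V' together with '==V.*' after dropping V's
    last release component. Hence '~=2.5.0' means '>=2.5.0,<2.6' and
    '~=2.5' means '>=2.5,<3', which is the distinction the issue hinges on.
    """
    if not spec.startswith("~="):
        raise ValueError(f"not a compatible-release specifier: {spec!r}")
    lower = _parse(spec[2:])
    if len(lower) < 2:
        raise ValueError("'~=' requires at least two release components")
    prefix = list(lower[:-1])   # drop the last component ...
    prefix[-1] += 1             # ... and bump the one before it
    return lower, tuple(prefix)


def as_range(spec: str) -> str:
    """Render '~=...' as the equivalent '>=...,<...' specifier string."""
    lower, upper = compatible_release_bounds(spec)
    dotted = lambda v: ".".join(map(str, v))
    return f">={dotted(lower)},<{dotted(upper)}"


def allows(spec: str, version: str) -> bool:
    """True if the '~=' specifier admits the given release version."""
    lower, upper = compatible_release_bounds(spec)
    v = _parse(version)
    # Tuple comparison gives prefix semantics: (2, 6, 0) is not < (2, 6).
    return lower <= v < upper


if __name__ == "__main__":
    # Versions discussed in the thread: the installed 2.5.3, the 2.8.0 that
    # installs on Python 3.13, and the 2.10.1 later mentioned by commenters.
    for spec in ("~=2.5.0", "~=2.5"):
        print(spec, "==", as_range(spec))
        for ver in ("2.5.3", "2.8.0", "2.10.1", "3.0.0"):
            print(f"  pydantic {ver}: {'allowed' if allows(spec, ver) else 'blocked'}")
```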

Hi @andy-maier, thank you for opening this issue!

We appreciate your effort in reporting this. Our team will review it and get back to you soon.
If you have any additional details or updates, feel free to add them to this issue.

Note: If this is a serious security issue that could impact the security of Safety CLI users, please email [email protected] immediately.

Thank you for contributing to Safety CLI!

@andy-maier andy-maier changed the title safety-schemas 0.0.7 requires outdated pydantic version that causes problems on Python 3.13 safety-schemas 0.0.7 requires outdated pydantic version that fails install on Python 3.13 Oct 24, 2024

Dresdn commented Nov 22, 2024

I didn't want to open a new ticket, so I'm piggybacking here since the core issue is the same.

Can we revisit the decision to enforce an upper bound on the Pydantic version at the minor level @SafetyQuincyF @dylanpulver? With safety-schemas v0.0.9 (released Nov 4), the dependency is currently specified as "pydantic>=2.6.0,<2.10.0". However, Pydantic has since released versions 2.10.0 and 2.10.1, and this strict pinning is unnecessarily blocking the use of newer versions and their fixes/features.

Can we consider loosening the dependency to allow for major version compatibility instead, e.g., pydantic>=2.6.0,<3.0.0? This would be a much more sustainable and developer-friendly approach.


m000 commented Nov 29, 2024

Shouldn't safety and safety-schemas be somewhat in sync in terms of dependencies?

It seems that we currently have pydantic>=1.10.12 in safety and pydantic~=2.5.0 in safety-schemas. These requirements are wildly out-of-sync and should be fixed.

Also, IMHO, for packages that are considered stable ~ should either:

  • be completely avoided (e.g. pydantic>=2.5.0)
  • at least allow minor version upgrades (e.g. pydantic~=2.5)

@SafetyQuincyF (Contributor) commented

Hi @andy-maier,

Thank you once again for reporting this issue! I’m happy to share that it has been resolved in the latest version of the Safety schema. I’ve tested it on Python 3.13, and everything is working as intended. 🎉

Let me know if you encounter any further issues!

@alex-pobeditel-2004 commented

@SafetyQuincyF hello! Are there any inconsistencies with pydantic >= 2.10.0?
It was released one month ago and Safety is incompatible with it 🤔

@andy-maier (Author) commented

@SafetyQuincyF Thanks for the fix - it works for us.

I agree however with @alex-pobeditel-2004 that pinning pydantic to <2.10.0 is not a good idea. Sooner or later some package will require pydantic versions that are in conflict with that, so why do you create such a time bomb? Of course, unless there is a good reason, but it is not clear what that reason would be.

manoelpqueiroz added a commit to manoelpqueiroz/galactipy that referenced this issue Jan 6, 2025
A GitHub issue mentions that the dependency `safety-schemas` breaks
pydantic, and makes it unable to be installed in Python 3.13. Safety
will be downgraded and restricted to version 3.0 patches until such
issue is resolved.

For more details: pyupio/safety#620

Changelog: dependencies