safety-schemas 0.0.7 requires outdated pydantic version that fails install on Python 3.13 #620
Description
Checklist
- I agree to the terms within the Safety Code of Conduct.
Safety version
safety-schemas 0.0.7
Python version
3.13
Operating System
macos, Ubuntu, Windows
Describe the problem you'd like to have solved
I am using the safety issue tracker for reporting this issue of safety-schemas, because I'm not aware of an issue tracker for safety-schemas.
The safety-schemas package version 0.0.7 has the following package dependencies:
$ python -m pipdeptree -p safety-schemas
safety-schemas==0.0.7
├── dparse [required: >=0.6.4b0, installed: 0.6.4b0]
│ └── packaging [required: Any, installed: 24.1]
├── packaging [required: >=21.0, installed: 24.1]
├── pydantic [required: ~=2.5.0, installed: 2.5.3]
│ ├── annotated-types [required: >=0.4.0, installed: 0.7.0]
│ ├── pydantic_core [required: ==2.14.6, installed: 2.14.6]
│ │ └── typing_extensions [required: >=4.6.0,!=4.7.0, installed: 4.12.2]
│ └── typing_extensions [required: >=4.6.1, installed: 4.12.2]
├── ruamel.yaml [required: >=0.17.21, installed: 0.18.6]
│ └── ruamel.yaml.clib [required: >=0.2.7, installed: 0.2.12]
└── typing_extensions [required: >=4.7.1, installed: 4.12.2]
This dependency chain pulls in pydantic-core 2.14.6, which has a bug that causes its installation to fail on Python 3.13.
That bug has been reported in pydantic/pydantic-core#1366 and again in pydantic/pydantic-core#1500 and has been fixed with pydantic/pydantic-core#1299 in pydantic-core version 2.18.3.
pydantic-core version 2.18.3 was for the first time pulled in by pydantic version 2.7.2.
However, pydantic 2.7.2 has other install issues on Python 3.13, and I found that I needed pydantic>=2.8.0 to successfully install on Python 3.13.
Note that pydantic and pydantic-core are very tightly coupled in their dependencies: pydantic specifies the exact and only version of pydantic-core to be used.
The current dependency safety-schemas 0.0.7 specifies for the pydantic package is ~=2.5.0, which uses the so-called compatibility operator ~=, which is equivalent to >=2.5.0, <2.6.0. This prevents installing the version of pydantic that has the bug fix.
safety-schemas 0.0.5 allowed any version for the pydantic package; that's why this issue started to occur with the release of safety-schemas 0.0.7.
Describe the ideal solution
Do not specify an upper limit for the pydantic dependency, at least not an upper 2.x minor version.
Specifying pydantic ~= 2.5 might be ok, because that is equivalent to >=2.5.0, <3.0.0.
Alternatives and current workarounds
Our circumvention is to exclude safety-schemas 0.0.7, hoping that a subsequent safety-schemas version will no longer pin pydantic to <2.6.0.
Additional context
No response
What I Did
On Python 3.13:
pip install safety
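
The difference between the two specifiers discussed in this issue, as an added example that is not part of the original report or of safety-schemas: a simplified, stdlib-only expansion of the PEP 440 compatible-release operator, checked against the pydantic versions named above. It assumes plain numeric release versions only (no pre/post/dev releases); `packaging.specifiers.SpecifierSet` is the full implementation to use in real tooling.

```python
"""Expand PEP 440 compatible-release (~=) specifiers and test candidate versions.

Assumption: only plain numeric release versions such as "2.5.3" are handled;
pre/post/dev releases and epochs are out of scope for this sketch.
"""


def parse_release(version: str) -> tuple[int, ...]:
    """Turn '2.14.6' into (2, 14, 6)."""
    return tuple(int(part) for part in version.split("."))


def compatible_bounds(spec: str) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Return (inclusive lower, exclusive upper) for a '~=X.Y[.Z...]' specifier."""
    if not spec.startswith("~="):
        raise ValueError(f"not a compatible-release specifier: {spec!r}")
    release = parse_release(spec[2:].strip())
    if len(release) < 2:
        # PEP 440: '~=1' is invalid, there is no segment left to keep fixed.
        raise ValueError("~= needs at least two release segments")
    # Drop the last segment, then bump the new last one: 2.5.0 -> 2.6, 2.5 -> 3.
    prefix = release[:-1]
    upper = prefix[:-1] + (prefix[-1] + 1,)
    return release, upper


def _pad(release: tuple[int, ...], width: int) -> tuple[int, ...]:
    return release + (0,) * (width - len(release))


def allows(spec: str, version: str) -> bool:
    lower, upper = compatible_bounds(spec)
    candidate = parse_release(version)
    width = max(len(lower), len(upper), len(candidate))
    return _pad(lower, width) <= _pad(candidate, width) < _pad(upper, width)


def admitted(spec: str, candidates: list[str]) -> list[str]:
    return [v for v in candidates if allows(spec, v)]


# pydantic versions named in the issue, plus the 2.5.0 lower bound of the pin.
PYDANTIC_VERSIONS = ["2.5.0", "2.5.3", "2.7.2", "2.8.0"]

if __name__ == "__main__":
    for spec in ("~=2.5.0", "~=2.5"):
        lower, upper = compatible_bounds(spec)
        print(spec, "->", lower, upper, admitted(spec, PYDANTIC_VERSIONS))
```
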