safety-schemas 0.0.7 requires outdated pydantic version that fails install on Python 3.13

[andy-maier]

Checklist

• I agree to the terms within the Safety Code of Conduct.

Safety version

safety-schemas 0.0.7

Python version

3.13

Operating System

macos, Ubuntu, Windows

Describe the problem you'd like to have solved

I am using the safety issue tracker for reporting this issue of safety-schemas, because I'm not aware of an issue tracker for safety-schemas.

The safety-schemas package version 0.0.7 has the following package dependencies:

$ python -m pipdeptree -p safety-schemas
safety-schemas==0.0.7
├── dparse [required: >=0.6.4b0, installed: 0.6.4b0]
│   └── packaging [required: Any, installed: 24.1]
├── packaging [required: >=21.0, installed: 24.1]
├── pydantic [required: ~=2.5.0, installed: 2.5.3]
│   ├── annotated-types [required: >=0.4.0, installed: 0.7.0]
│   ├── pydantic_core [required: ==2.14.6, installed: 2.14.6]
│   │   └── typing_extensions [required: >=4.6.0,!=4.7.0, installed: 4.12.2]
│   └── typing_extensions [required: >=4.6.1, installed: 4.12.2]
├── ruamel.yaml [required: >=0.17.21, installed: 0.18.6]
│   └── ruamel.yaml.clib [required: >=0.2.7, installed: 0.2.12]
└── typing_extensions [required: >=4.7.1, installed: 4.12.2]

This dependency chain pulls in pydantic-core 2.14.6 and which has a bug that causes its installation to fail on Python 3.13.
That bug has been reported in pydantic/pydantic-core#1366 and again in pydantic/pydantic-core#1500 and has been fixed with pydantic/pydantic-core#1299 in pydantic-core version 2.18.3.

pydantic-core version 2.18.3 was for the first time pulled in by pydantic version 2.7.2.

However, pydantic 2.7.2 has other install issues on Python 3.13, and I found that I needed pydantic>=2.8.0 to successfully install on Python 3.13.

Note that pydantic and pydantic-core are very tightly coupled in their dependencies: pydantic specifies the exact and only version of pydantic-core to be used.

The current dependency safety-schemas 0.0.7 specifies for the pydantic package is ~=2.5.0 which uses the so-called compatibility operator ~= which is equivalent to >=2.5.0, <2.6.0. This prevents installing the version of pydantic that has the bug fix.

safety-schemas 0.0.5 allowed any version for the pydantic package; That's why this issue started to occur with the release of safety-schemas 0.0.7.

Describe the ideal solution

Do not specify an upper limit for the pydantic dependency, at least not an upper 2.x minor version.

Specifying pydantic ~= 2.5 might be ok, because that is equivalent to >=2.5.0, <3.0.0

Alternatives and current workarounds

Our circumvention is to exclude safety-schemas 0.0.7, hoping that a subsequent safety-schemas version will no longer pin pydantic to <2.6.0.

Additional context

No response

What I Did

On Python 3.13:

pip install safety

[github-actions]

Hi @andy-maier, thank you for opening this issue!

We appreciate your effort in reporting this. Our team will review it and get back to you soon.
If you have any additional details or updates, feel free to add them to this issue.

Note: If this is a serious security issue that could impact the security of Safety CLI users, please email [email protected] immediately.

Thank you for contributing to Safety CLI!