Description
Checklist
- I agree to the terms within the Safety Code of Conduct.
Safety version
Safety 3.4.0 uses ~= with the complete version for the psutil and filelock packages:
$ python -m pipdeptree -p safety | grep '~='
├── filelock [required: ~=3.16.1, installed: 3.16.1]
├── psutil [required: ~=6.1.0, installed: 6.1.1]
This translates to:
filelock>=3.16.1,<3.17.0
psutil>=6.1.0,<6.2.0
The latest released versions of these packages are:
filelock 3.18.0
psutil 7.0.0
These tight version spans for the filelock and psutil versions that safety requires work only for us because all the other packages we use happen to be OK with these versions:
$ python -m pipdeptree -r -p filelock
------------------------------------------------------------------------
filelock==3.16.1
├── safety==3.4.0 [requires: filelock~=3.16.1]
├── virtualenv==20.30.0 [requires: filelock>=3.12.2,<4]
└── tox==4.25.0 [requires: filelock>=3.16.1]
$ python -m pipdeptree -r -p psutil
------------------------------------------------------------------------
psutil==6.1.1
├── safety==3.4.0 [requires: psutil~=6.1.0]
└── ipykernel==6.29.5 [requires: psutil]
The pinning implied by these tight version spans also prevents upgrades of the dependent packages to fix vulnerabilities.
So this is not an immediate version conflict, but it should be avoided if possible, because it may create version conflicts in the future and because it prevents upgrades to fix vulnerabilities.
Python version
3.8 to 3.13
Operating System
macOS, Linux, Windows
Describe the problem you'd like to have solved
See above
Describe the ideal solution
Unless you have a really good reason to exclude the higher versions for filelock and psutil, please open up the version requirements for these packages, for example:
filelock>=3.16.1
psutil>=6.1.0
Alternatives and current workarounds
No response
Additional context
No response
What I Did
See above
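The following is an added example, not code from the issue or from the safety project. It reproduces the reasoning in the report in plain Python: it expands a PEP 440 compatible-release clause (`~=X.Y.Z` means `>=X.Y.Z,<X.(Y+1)`), evaluates each reverse dependency's requirement string as printed by `pipdeptree -r` above, and reports which dependents would block an upgrade to the latest releases named in the issue (filelock 3.18.0, psutil 7.0.0), before and after the proposed relaxation of safety's pins. It only handles plain dotted release versions; pre-release, post-release and wildcard (`==3.*`) forms are out of scope here and would be handled by the `packaging` library in real tooling.

```python
"""Evaluate ~= (compatible release) pins and find which dependents block an upgrade."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.16.1' -> (3, 16, 1). Only plain dotted release segments are supported."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: Version, b: Version) -> int:
    """Three-way compare; shorter tuples are zero-padded so 3.17 == 3.17.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def expand_compatible_release(version_text: str) -> Tuple[str, str]:
    """PEP 440: '~=3.16.1' means '>=3.16.1' and '==3.16.*', i.e. '<3.17'."""
    v = parse_version(version_text)
    if len(v) < 2:
        raise ValueError("~= requires at least two release components")
    prefix = list(v[:-1])
    prefix[-1] += 1  # drop the last component, bump the new last one
    return f">={version_text}", "<" + ".".join(str(p) for p in prefix)


_CLAUSE = re.compile(r"^(~=|==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)$")
_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_OPS = {
    "==": lambda c: c == 0, "!=": lambda c: c != 0,
    "<=": lambda c: c <= 0, ">=": lambda c: c >= 0,
    "<": lambda c: c < 0, ">": lambda c: c > 0,
}


def parse_requirement(req: str) -> Tuple[str, List[Tuple[str, Version]]]:
    """'filelock>=3.12.2,<4' -> ('filelock', [('>=', (3,12,2)), ('<', (4,))]).

    A ~= clause is expanded into its >= and < pair; a bare name has no clauses.
    """
    m = _NAME.match(req)
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    name, rest = m.group(1), m.group(2).strip()
    clauses: List[Tuple[str, Version]] = []
    for part in filter(None, (p.strip() for p in rest.split(","))):
        cm = _CLAUSE.match(part)
        if not cm:
            raise ValueError(f"unsupported specifier clause: {part!r}")
        op, ver = cm.groups()
        if op == "~=":
            lo, hi = expand_compatible_release(ver)
            clauses.append((">=", parse_version(lo[2:])))
            clauses.append(("<", parse_version(hi[1:])))
        else:
            clauses.append((op, parse_version(ver)))
    return name, clauses


def satisfies(version_text: str, clauses: List[Tuple[str, Version]]) -> bool:
    v = parse_version(version_text)
    return all(_OPS[op](compare(v, bound)) for op, bound in clauses)


def blockers(candidate: str, dependents: Dict[str, str]) -> List[str]:
    """Names of dependents whose requirement rejects `candidate`."""
    return [dep for dep, req in dependents.items()
            if not satisfies(candidate, parse_requirement(req)[1])]


# Reverse-dependency requirements exactly as shown in the pipdeptree -r output above.
FILELOCK_DEPENDENTS = {
    "safety==3.4.0": "filelock~=3.16.1",
    "virtualenv==20.30.0": "filelock>=3.12.2,<4",
    "tox==4.25.0": "filelock>=3.16.1",
}
PSUTIL_DEPENDENTS = {
    "safety==3.4.0": "psutil~=6.1.0",
    "ipykernel==6.29.5": "psutil",
}
# The relaxation proposed in the issue.
RELAXED = {"filelock": "filelock>=3.16.1", "psutil": "psutil>=6.1.0"}


def report(package: str, latest: str, dependents: Dict[str, str]) -> Dict[str, List[str]]:
    """Blockers for upgrading `package` to `latest`, with the current and relaxed pins."""
    relaxed = dict(dependents, **{"safety==3.4.0": RELAXED[package]})
    return {"current": blockers(latest, dependents), "relaxed": blockers(latest, relaxed)}


if __name__ == "__main__":
    for pkg, latest, deps in (("filelock", "3.18.0", FILELOCK_DEPENDENTS),
                              ("psutil", "7.0.0", PSUTIL_DEPENDENTS)):
        print(pkg, latest, report(pkg, latest, deps))
```

Running it prints, for each package, that only `safety==3.4.0` rejects the latest release under the current `~=` pins and that nothing rejects it once the pin is opened to `>=`, which is the situation the issue describes.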