safety packaging dependency conflicts with packages that require newer version of packaging

[rktoomey]

• safety version: 2.3.5
• Python version: 3.10
• Operating System: Linux

Description

The changelog for release 2.34 says the issue with packaging 22.0 is fixed:
https://github.com/pyupio/safety/blob/d8bd6f7baefba3db6dcdef8f5a2750da15150106/CHANGELOG.md#234---2022-12-07
#439

However, in 2.3.5 packaging was then fixed to a compatible range being < 22.0:
aa1b153

I noticed this when I was updating dependencies and had a version conflict caused by newer packages requiring packaging

Because no versions of safety match >2.3.5,<3.0.0
 and safety (2.3.5) depends on packaging (>=21.0,<22.0), safety (>=2.3.5,<3.0.0) requires packaging (>=21.0,<22.0).
And because black (23.1.0) depends on packaging (>=22.0)
 and no versions of black match >23.1.0,<24.0.0, safety (>=2.3.5,<3.0.0) is incompatible with black (>=23.1.0,<24.0.0).

What I Did

Temporarily reverted the packages with a conflict and pinned them to an earlier version.

[yeisonvargasf]

Hi @rktoomey, 2.3.4 fixed the issue temporarily; in the coming days, a new version with multiple improvements will resolve the dependency issue you are reporting.

[kevinbowen777]

Is there any update on the release of 2.3.6?

[yeisonvargasf]

@kevinbowen777, we will release 2.4.0 as a beta with many improvements and a fix for this issue. The release will happen this week.

[kevinbowen777]

Thank you. I'm looking forward to testing the new release.

[snazy]

@yeisonvargasf do you have any update on the safety release?

[yeisonvargasf]

Hi @rktoomey, @kevinbowen777, and @snazy, thanks for your patience here; we released a beta version (Feb 26) with significant changes and additional improvements.

This version ( https://pypi.org/project/safety/2.4.0b1/) should fix this issue. Could you try?

Let me know if this version works for you.

[kevinbowen777]

Thanks for the beta release. I've been running it successfully against a couple of my repos and it looks good so far. This version also appears to fail properly with the insecure-package installed.

[snazy]

LGTM (our build's passing w/ 2.4.0b1 + the currently blocked tox + black version bumps)

[snazy]

Hi @yeisonvargasf, do you have an update when 2.4.0 will be released?