Environment
- ggshield version: 1.51.0
- Operating system (Linux, macOS, Windows): Tested on macOS
- Operating system version: N/A
- Python version: 3.11
Describe the bug
The version locks for dependencies of ggshield should be more relaxed: Vulnerabilities in the versions can not be fixed, because the ggshield dependency version range prevents the installation of the packages.
Steps to reproduce:
Create a requirements.txt like this:
boto3>=1.35.0,<2
google-auth>=2.35.0,<3
httpx>=0.27.0,<1
ggshield==1.51.0
cryptography==46.0.6
pyjwt==2.12.0
pyopenssl==26.0.0
python-dotenv==1.2.2
requests==2.33.0
tuf==7.0.0
Actual result:
# Using pip-audit
Found 10 known vulnerabilities in 6 packages
Name Version ID Fix Versions
------------- ------- ------------------- ------------
cryptography 43.0.3 PYSEC-2026-35 46.0.6
cryptography 43.0.3 CVE-2024-12797 44.0.1
cryptography 43.0.3 CVE-2026-26007 46.0.5
pyjwt 2.6.0 PYSEC-2026-120 2.12.0
pyjwt 2.6.0 PYSEC-2025-183
pyopenssl 25.1.0 CVE-2026-27448 26.0.0
pyopenssl 25.1.0 CVE-2026-27459 26.0.0
python-dotenv 0.21.1 CVE-2026-28684 1.2.2
requests 2.32.5 CVE-2026-25645 2.33.0
tuf 6.0.0 GHSA-qp9x-wp8f-qgjj 7.0.0
(.venv) ➜ test-gitguardian-scanner git:(main) ✗ uv pip install -r requirements.txt
× No solution found when resolving dependencies:
╰─▶ Because ggshield==1.51.0 depends on requests>=2.32.0,<2.33.dev0
and you require ggshield==1.51.0, we can conclude that you require
requests>=2.32.0,<2.33.dev0.
And because you require requests==2.33.0, we can conclude that your
requirements are unsatisfiable.
(.venv) ➜ test-gitguardian-scanner git:(main) ✗ uv pip install -r requirements.txt
× No solution found when resolving dependencies:
╰─▶ Because ggshield==1.51.0 depends on requests>=2.32.0,<2.33.dev0
and you require ggshield==1.51.0, we can conclude that you require
requests>=2.32.0,<2.33.dev0.
And because you require requests>=2.33.0, we can conclude that your
requirements are unsatisfiable.
(.venv) ➜ test-gitguardian-scanner git:(main) ✗ uv pip install -r requirements.txt
× No solution found when resolving dependencies:
╰─▶ Because ggshield==1.51.0 depends on python-dotenv>=0.21.0,<0.22.dev0
and you require ggshield==1.51.0, we can conclude that you require
python-dotenv>=0.21.0,<0.22.dev0.
And because you require python-dotenv==1.2.2, we can conclude that your
requirements are unsatisfiable.
(.venv) ➜ test-gitguardian-scanner git:(main) ✗
Environment
Describe the bug
The version locks for dependencies of ggshield should be more relaxed: Vulnerabilities in the versions can not be fixed, because the
ggshielddependency version range prevents the installation of the packages.Steps to reproduce:
Create a
requirements.txtlike this:Actual result: