Skip to content

make dependency locks more relaxed #1258

Description

@jpaodev

Environment

  • ggshield version: 1.51.0
  • Operating system (Linux, macOS, Windows): Tested on macOS
  • Operating system version: N/A
  • Python version: 3.11

Describe the bug

The version locks for dependencies of ggshield should be more relaxed: Vulnerabilities in the versions can not be fixed, because the ggshield dependency version range prevents the installation of the packages.

Steps to reproduce:

Create a requirements.txt like this:

boto3>=1.35.0,<2
google-auth>=2.35.0,<3
httpx>=0.27.0,<1
ggshield==1.51.0
cryptography==46.0.6
pyjwt==2.12.0
pyopenssl==26.0.0
python-dotenv==1.2.2
requests==2.33.0
tuf==7.0.0

Actual result:

# Using pip-audit
Found 10 known vulnerabilities in 6 packages
Name          Version ID                  Fix Versions
------------- ------- ------------------- ------------
cryptography  43.0.3  PYSEC-2026-35       46.0.6
cryptography  43.0.3  CVE-2024-12797      44.0.1
cryptography  43.0.3  CVE-2026-26007      46.0.5
pyjwt         2.6.0   PYSEC-2026-120      2.12.0
pyjwt         2.6.0   PYSEC-2025-183
pyopenssl     25.1.0  CVE-2026-27448      26.0.0
pyopenssl     25.1.0  CVE-2026-27459      26.0.0
python-dotenv 0.21.1  CVE-2026-28684      1.2.2
requests      2.32.5  CVE-2026-25645      2.33.0
tuf           6.0.0   GHSA-qp9x-wp8f-qgjj 7.0.0
(.venv) ➜ test-gitguardian-scanner git:(main) ✗ uv pip install -r requirements.txt
  × No solution found when resolving dependencies:
  ╰─▶ Because ggshield==1.51.0 depends on requests>=2.32.0,<2.33.dev0
      and you require ggshield==1.51.0, we can conclude that you require
      requests>=2.32.0,<2.33.dev0.
      And because you require requests==2.33.0, we can conclude that your
      requirements are unsatisfiable.
(.venv) ➜  test-gitguardian-scanner git:(main) ✗ uv pip install -r requirements.txt
  × No solution found when resolving dependencies:
  ╰─▶ Because ggshield==1.51.0 depends on requests>=2.32.0,<2.33.dev0
      and you require ggshield==1.51.0, we can conclude that you require
      requests>=2.32.0,<2.33.dev0.
      And because you require requests>=2.33.0, we can conclude that your
      requirements are unsatisfiable.
(.venv) ➜  test-gitguardian-scanner git:(main) ✗ uv pip install -r requirements.txt
  × No solution found when resolving dependencies:
  ╰─▶ Because ggshield==1.51.0 depends on python-dotenv>=0.21.0,<0.22.dev0
      and you require ggshield==1.51.0, we can conclude that you require
      python-dotenv>=0.21.0,<0.22.dev0.
      And because you require python-dotenv==1.2.2, we can conclude that your
      requirements are unsatisfiable.
(.venv) ➜  test-gitguardian-scanner git:(main) ✗ 

Metadata

Metadata

Assignees

No one assigned

    Labels

    status:newThis issue needs to be reviewedtype:bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions