
Safety fails #956

Closed
cjolowicz opened this issue Nov 8, 2022 · 2 comments · Fixed by #1118

Comments

@cjolowicz
Owner

cjolowicz commented Nov 8, 2022

  • Safety marks itself vulnerable.
  • Cannot upgrade safety because poetry < 1.2 caps packaging.
  • Cannot upgrade poetry because flake8 caps importlib-metadata.
```text
+==============================================================================+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| py                         | 1.11.0    | <=1.11.0                 | 51457    |
+==============================================================================+
| Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular     |
| expression Denial of Service) attack via a Subversion repository with        |
| crafted info data, because the InfoSvnCommand argument is mishandled.        |
| https://github.com/pytest-dev/py/issues/287                                  |
+==============================================================================+
| safety                     | 1.10.3    | <2.2.0                   | 51358    |
+==============================================================================+
| Safety 2.2.0 updates its dependency 'dparse' to include a security fix.      |
```

```text
ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
poetry 1.1.15 requires packaging<21.0,>=20.4, but you have packaging 21.3 which is incompatible.
```

```text
Because no versions of poetry match >1.2,<1.2.1 || >1.2.1,<1.2.2 || >1.2.2
 and poetry (1.2.0) depends on importlib-metadata (>=4.4,<5.0), poetry (>=1.2,<1.2.1 || >1.2.1,<1.2.2 || >1.2.2) requires importlib-metadata (>=4.4,<5.0).
(1) So, because poetry (1.2.1) depends on importlib-metadata (>=4.4,<5.0)
 and poetry (1.2.2) depends on importlib-metadata (>=4.4,<5.0), poetry (>=1.2) requires importlib-metadata (>=4.4,<5.0).

    Because no versions of flake8 match >5.0.0,<5.0.1 || >5.0.1,<5.0.2 || >5.0.2,<5.0.3 || >5.0.3,<5.0.4 || >5.0.4
     and flake8 (5.0.0) depends on importlib-metadata (<4.3), flake8 (>=5.0.0,<5.0.1 || >5.0.1,<5.0.2 || >5.0.2,<5.0.3 || >5.0.3,<5.0.4 || >5.0.4) requires importlib-metadata (<4.3).
    And because flake8 (5.0.1) depends on importlib-metadata (<4.3)
     and flake8 (5.0.2) depends on importlib-metadata (<4.3), flake8 (>=5.0.0,<5.0.3 || >5.0.3,<5.0.4 || >5.0.4) requires importlib-metadata (<4.3).
    And because flake8 (5.0.3) depends on importlib-metadata (<4.3)
     and flake8 (5.0.4) depends on importlib-metadata (>=1.1.0,<4.3), flake8 (>=5.0.0) requires importlib-metadata (<4.3).
    Because flake8 (4.0.1) depends on importlib-metadata (<4.3)
     and no versions of flake8 match >4.0.1,<5.0.0, flake8 (>=4.0.1,<5.0.0) requires importlib-metadata (<4.3).
    Thus, flake8 (>=4.0.1) requires importlib-metadata (<4.3).
    And because poetry (>=1.2) requires importlib-metadata (>=4.4,<5.0) (1), poetry (>=1.2) is incompatible with flake8 (>=4.0.1)
    So, because nox-poetry depends on both flake8 (>=4.0.1) and poetry (>=1.2), version solving failed.
```
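The solver output above boils down to two checks a maintainer wants to run quickly: is an installed version inside a scanner's "affected" range, and can the constraints two packages place on a shared dependency be satisfied by any released version at all. The following script is an added example, not code from nox-poetry, safety or poetry; it implements a small subset of PEP 440 specifiers (dotted integer versions and the operators `<`, `<=`, `>`, `>=`, `==`, `!=`) with the standard library only, and the candidate version list for importlib-metadata is constructed for the demonstration rather than fetched from an index.

```python
"""Check vulnerable ranges and joint satisfiability of version constraints.

Added example, not project code. Assumes the simplified PEP 440 subset
described in the lead-in; pre-releases, epochs and local versions are out
of scope.
"""
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# One clause: an operator followed by a dotted integer version, e.g. ">=4.4".
_CLAUSE_RE = re.compile(r"\s*(<=|>=|==|!=|<|>)\s*([0-9]+(?:\.[0-9]+)*)\s*")


def parse_version(text: str) -> Version:
    """'4.4.0' -> (4, 4). Trailing zeros are dropped so that 4.4 == 4.4.0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def _cmp(a: Version, b: Version) -> int:
    """Three-way compare; shorter tuples are padded with zeros ((5,) == (5, 0))."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def parse_specifier(spec: str) -> List[Tuple[str, Version]]:
    """'>=4.4,<5.0' -> [('>=', (4, 4)), ('<', (5,))]. '' means any version."""
    clauses = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = _CLAUSE_RE.fullmatch(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
    "==": lambda c: c == 0, "!=": lambda c: c != 0,
}


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every clause of `spec` (clauses are ANDed)."""
    v = parse_version(version)
    return all(_OPS[op](_cmp(v, target)) for op, target in parse_specifier(spec))


def satisfiable(specs: Iterable[str], candidates: Iterable[str]) -> Optional[str]:
    """First candidate that meets all specifiers at once, or None if none does."""
    specs = list(specs)
    for cand in candidates:
        if all(satisfies(cand, s) for s in specs):
            return cand
    return None


# Constructed candidate list for the demonstration (not queried from PyPI).
IMPORTLIB_METADATA_CANDIDATES = ["4.2.0", "4.3.0", "4.4.0", "4.12.0", "5.0.0"]


def report() -> dict:
    """Re-run the three findings from the issue and return them by name."""
    return {
        # safety's own "affected" range versus the installed safety.
        "safety_1.10.3_affected": satisfies("1.10.3", "<2.2.0"),
        # py 1.11.0 against the py advisory range.
        "py_1.11.0_affected": satisfies("1.11.0", "<=1.11.0"),
        # poetry 1.1.15's packaging cap versus the installed packaging 21.3.
        "packaging_21.3_ok_for_poetry_1.1.15": satisfies("21.3", "<21.0,>=20.4"),
        # poetry>=1.2 and flake8>=4.0.1 on importlib-metadata: no version fits.
        "importlib_metadata_with_flake8": satisfiable(
            [">=4.4,<5.0", "<4.3"], IMPORTLIB_METADATA_CANDIDATES),
        # Drop the flake8 cap and the poetry constraint alone is satisfiable.
        "importlib_metadata_without_flake8": satisfiable(
            [">=4.4,<5.0"], IMPORTLIB_METADATA_CANDIDATES),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

`satisfiable` returning `None` for the pair `>=4.4,<5.0` and `<4.3` is exactly the "version solving failed" conclusion poetry reaches above, reproduced without running the solver; the same helper, fed a project's pinned versions and the ranges from a scanner report, tells you whether a flagged package can be upgraded within the existing caps before you touch the lock file.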
@cjolowicz
Owner Author

See #929 (comment)

@cjolowicz cjolowicz mentioned this issue Nov 8, 2022
@johnthagen

johnthagen commented Nov 8, 2022

For what it's worth, I simply had to drop Python 3.7 support from my projects due to Flake8's importlib-metadata cap and all of the conflicts that causes with other packages.

3.7 is EOL in 7 months and isn't included in any supported Ubuntu version, so maybe that is okay: https://endoflife.date/python
