Description
semgrep currently pins tomli~=2.0.1 (effectively >=2.0.1, <2.1.0). Starting with pip-audit 2.10.0, tomli>=2.2.1 is required. These two packages cannot coexist in the same environment.
Reproduction
pip install 'semgrep==1.156.0' 'pip-audit==2.10.0'
# ERROR: pip-audit 2.10.0 requires tomli>=2.2.1,
# but semgrep requires tomli~=2.0.1
Checked versions 1.157.0 through 1.159.0 — all still pin tomli~=2.0.1.
Suggested Fix
Loosen the pin to tomli>=2.0.1,<3 (or simply >=2.0.1). tomli is a small, stable, spec-compliant TOML parser — there's minimal risk from allowing 2.x minor bumps.
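To make the conflict concrete, the following added example (not semgrep's or pip-audit's code) implements just enough of PEP 440 to show why `~=2.0.1` and `>=2.2.1` have no common solution and why `>=2.0.1,<3` does. It expands the compatible-release operator into its `>=X.Y.Z, ==X.Y.*` form and intersects the specifiers over a constructed candidate list; the list of versions is a stand-in, not tomli's real release history, and only plain numeric releases are handled.

```python
"""Why `tomli~=2.0.1` and `tomli>=2.2.1` cannot be satisfied together.

Added example, not semgrep's or pip-audit's code. It implements just enough of
PEP 440 (compatible-release expansion, basic comparison operators, `.*`
prefixes) to show the conflict; plain numeric releases only, no pre-releases.
"""

import re

_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_OPS = ("~=", ">=", "<=", "==", "!=", ">", "<")


def split_requirement(req):
    """'tomli~=2.0.1' -> ('tomli', '~=2.0.1')."""
    m = _REQ_RE.match(req.strip())
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    return m.group(1), m.group(2).strip()


def expand_compatible(version):
    """PEP 440: '~=X.Y.Z' is shorthand for '>=X.Y.Z, ==X.Y.*'."""
    parts = version.split(".")
    if len(parts) < 2:
        raise ValueError("~= requires at least two version components")
    return [(">=", version), ("==", ".".join(parts[:-1]) + ".*")]


def parse_specifier(spec):
    """Turn '>=2.0.1,<3' into [('>=', '2.0.1'), ('<', '3')], expanding ~=."""
    clauses = []
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue
        op = next((o for o in _OPS if raw.startswith(o)), None)
        if op is None:
            raise ValueError(f"unsupported clause: {raw!r}")
        value = raw[len(op):].strip()
        clauses.extend(expand_compatible(value) if op == "~=" else [(op, value)])
    return clauses


def _as_tuple(v, width):
    """Numeric components, zero-padded so '3' compares equal to '3.0.0'."""
    nums = [int(p) for p in v.split(".")]
    return tuple(nums + [0] * (width - len(nums)))


def _matches(op, value, version):
    if value.endswith(".*"):
        # Prefix match: '2.0.*' accepts 2.0, 2.0.1, 2.0.9 but not 2.1.0
        prefix = value[:-2]
        n = len(prefix.split("."))
        width = max(n, len(version.split(".")))
        hit = _as_tuple(version, width)[:n] == _as_tuple(prefix, width)[:n]
        if op == "==":
            return hit
        if op == "!=":
            return not hit
        raise ValueError(f"'.*' is only valid with == or !=, got {op}")
    width = max(len(value.split(".")), len(version.split(".")))
    a, b = _as_tuple(version, width), _as_tuple(value, width)
    return {">=": a >= b, "<=": a <= b, "==": a == b,
            "!=": a != b, ">": a > b, "<": a < b}[op]


def satisfies(version, spec):
    """True if `version` meets every clause of `spec`."""
    return all(_matches(op, val, version) for op, val in parse_specifier(spec))


def compatible_versions(requirements, candidates):
    """Candidate versions of one package that satisfy every requirement."""
    names = {split_requirement(r)[0] for r in requirements}
    if len(names) != 1:
        raise ValueError(f"requirements must name one package, got {names}")
    specs = [split_requirement(r)[1] for r in requirements]
    return [v for v in candidates if all(satisfies(v, s) for s in specs)]


# Constructed candidate list standing in for tomli's release history.
CANDIDATES = ["2.0.0", "2.0.1", "2.0.2", "2.1.0", "2.2.0", "2.2.1", "2.3.0", "3.0.0"]

if __name__ == "__main__":
    pinned = ["tomli~=2.0.1", "tomli>=2.2.1"]       # semgrep today + pip-audit 2.10.0
    loosened = ["tomli>=2.0.1,<3", "tomli>=2.2.1"]  # the suggested fix
    print("~=2.0.1 expands to:", parse_specifier("~=2.0.1"))
    print("resolvable with current pin:", compatible_versions(pinned, CANDIDATES))
    print("resolvable with loosened pin:", compatible_versions(loosened, CANDIDATES))
```

Running it prints an empty list for the current pin and `['2.2.1', '2.3.0']` for the loosened one: `~=2.0.1` caps the resolvable range at `2.0.*`, which is exactly the range pip-audit 2.10.0 rules out with `>=2.2.1`, so no version satisfies both. The same intersection check is what a resolver such as pip performs, and it is a cheap way to vet a proposed pin change against the other constraints in an environment before release.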
Environment
- semgrep 1.156.0 (also affects 1.157–1.159)
- pip-audit 2.10.0
- Python 3.14.3
- macOS (Apple Silicon)