Skip to content

ansible lint 25.9.0 breaks with checkov 3.2.47x over importlib-metadata #4804

New issue
New issue
Closed as not planned
Closed as not planned
ansible lint 25.9.0 breaks with checkov 3.2.47x over importlib-metadata#4804
Labels
bug
@carlos-lehmann

Description

@carlos-lehmann
carlos-lehmann
opened on Oct 3, 2025
Summary

We are updating ansible lint with some other tools regularly with ansible.builtin.pip:

- name: Installing pip-packages for linting with fixed Versions
  block:
    - name: Installing pip-packages for linting with fixed Versions for user
      ansible.builtin.pip:
        name:
          - "autoflake=={{ pypi_version_autoflake }}"
          - "black=={{ pypi_version_black }}"
          - "pre-commit=={{ pypi_version_pre_commit }}"
          - "yamllint=={{ pypi_version_yamllint }}"
          - "checkov=={{ pypi_version_checkov }}"
          - "pylint=={{ pypi_version_pylint }}"
          - "ansible-lint=={{ pypi_version_ansible_lint }}"
          - "yamale=={{ pypi_version_yamale }}"
        virtualenv_command: "python3 -m venv"
        virtualenv: "{{ basics_virtualenvs_path }}/{{ venv_name }}"

And after 25.9.0 was introduce we run into a conflict in importlib-metadata with checkov.

INFO: pip is looking at multiple versions of ansible-lint to determine which version is compatible with other requirements. This could take a while.\n\nThe conflict is caused by:\n    checkov 3.2.473 depends on importlib-metadata<8.0.0 and >=6.0.0\n    ansible-lint 25.9.1 depends on importlib-metadata>=8.7.0\n\nTo fix this you could try to:\n1. loosen the range of package versions you've specified\n2. remove package versions to allow pip to attempt to solve the dependency conflict\n\n\n:stderr: ERROR: Cannot install ansible-lint==25.9.1 and checkov==3.2.473 because these package versions have conflicting dependencies.

From what I can see adoption to uv.lock in 25.9.0, particularly moving from importlib-metadata==8.7.0 to importlib-metadata>=8.70 seems to have made this conflict impossible to solve for pip.

What would be your suggestion in actions to take? I guess I'm in the wrong repo and should request checkov to update importlib-metadata?

Thanks for your help!

Issue Type
  • Bug Report
OS / ENVIRONMENT
ansible-lint --version
  • ansible installation method: one of source, pip, OS package
  • ansible-lint installation method: one of source, pip, OS package
STEPS TO REPRODUCE
 ~  pip install ansible-lint==25.9.1 checkov==3.2.473
Desired Behavior

Possible security bugs should be reported via email to [email protected]

Actual Behavior

Please give some details of what is happening. Include a minimum complete
verifiable example with:

  • minimized playbook to reproduce the error
  • the output of running ansible-lint including the command line used
  • if you're getting a stack trace, also the output of
    ansible-playbook --syntax-check playbook

Metadata

Metadata

Assignees

No one assigned

    Labels

    bug

    Type

    No type

    Projects

    🧰 devtools project board

    Status

    Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions