Skip to content

Remove upper bound on werkzeug [dependency] #3096

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
marcstern14 opened this issue Nov 27, 2024 · 8 comments
Open

Remove upper bound on werkzeug [dependency] #3096

marcstern14 opened this issue Nov 27, 2024 · 8 comments
Assignees
@gvwilson
Labels
dependencies Pull requests that update a dependency file P1 needed for current cycle

Comments

@marcstern14
Copy link

werkzeug currently has an upper bound <3.1. There are more updated versions, which are compatible within the current Flask boundaries. Bumping the allowed versions of werkzeug would help for more flexible dependency installs for apps, and setting werkzeug>=3.0.6 would prevent triggering snyk vulnerabilities: https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-8309092

I've provided a PR here: #3095
@marcstern14 marcstern14 changed the title Remove upper bound on werkzeug Remove upper bound on werkzeug [dependency] Nov 27, 2024
@marcstern14 marcstern14 mentioned this issue Nov 27, 2024
Open
@alexcjohnson
Copy link
Collaborator

See #2538 and the community forum discussion mentioned there for context around our decision to restrict Flask and Werkzeug versions. I'm still strongly in favor of continuing the current approach of bumping these upper bounds only after we've tested them throughout the Dash ecosystem.

@marcstern14
Copy link
Author

Hmm ok, I see that this issue has been discussed at length in the past. Considering the last bump of werkzeug was over a year ago, could there be plans to test bumping it again?

@alexcjohnson
Copy link
Collaborator

Absolutely - part of deciding to restrict it was that then it’s incumbent on us as maintainers to keep up with new versions and this one has been waiting too long. I’ll have to defer to @T4rk1n and @gvwilson, who are focused on getting v3 released shortly, but I would imagine this can be prioritized soon after that.

@marcstern14
Copy link
Author

Sounds great! All your work is much appreciated – looking forward to tracking the progress.

@gvwilson gvwilson added P2 considered for next cycle dependencies Pull requests that update a dependency file labels Dec 3, 2024
@marcstern14
Copy link
Author

Hi @yuvashrikarunakaran, are you the point person for this request? Any chance this will get bumped to P1 label?

@gvwilson
Copy link
Contributor

gvwilson commented Jan 9, 2025

Hi @marcstern14 - I'm the guilty party, and I'd be happy to look at it once we get the Dash 3.0 release candidate out - I hope that will be next week.

@gvwilson gvwilson self-assigned this Jan 9, 2025
@marcstern14
Copy link
Author

Hey @gvwilson just wanted to check in to see if this could be bumped to P1? As time goes on, there are more security vulnerabilities caused by downstream dependencies that are stuck because of the werkzeug limitations.

@gvwilson gvwilson added P1 needed for current cycle and removed P2 considered for next cycle labels Mar 4, 2025
@gvwilson
Copy link
Contributor

gvwilson commented Mar 4, 2025

Apologies @marcstern14 - the Dash 3.0 release is taking longer than expected. I'll see if I can get this looked at.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gvwilson gvwilson

Labels
dependencies Pull requests that update a dependency file P1 needed for current cycle
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@gvwilson @alexcjohnson @marcstern14 and others