Pin MarkSafe to a compatible version with Jinja

[phillipuniverse]

This is designed to fix the following issue in the 0.11 line when running s3pypi:

pip install s3pypi==0.11.0 && poetry build && s3pypi --bucket some-bucket --region us-west-2'

has the following error:

Traceback (most recent call last):
   File "/usr/src/app/.venv/bin/s3pypi", line 5, in <module>
     from s3pypi.__main__ import main
   File "/usr/src/app/.venv/lib/python3.7/site-packages/s3pypi/__main__.py", line 9, in <module>
     from s3pypi.package import Package
   File "/usr/src/app/.venv/lib/python3.7/site-packages/s3pypi/package.py", line 9, in <module>
     from jinja2 import Environment, PackageLoader
   File "/usr/src/app/.venv/lib/python3.7/site-packages/jinja2/__init__.py", line 12, in <module>
     from .environment import Environment
   File "/usr/src/app/.venv/lib/python3.7/site-packages/jinja2/environment.py", line 25, in <module>
     from .defaults import BLOCK_END_STRING
   File "/usr/src/app/.venv/lib/python3.7/site-packages/jinja2/defaults.py", line 3, in <module>
     from .filters import FILTERS as DEFAULT_FILTERS  # noqa: F401
   File "/usr/src/app/.venv/lib/python3.7/site-packages/jinja2/filters.py", line 13, in <module>
     from markupsafe import soft_unicode
 ImportError: cannot import name 'soft_unicode' from 'markupsafe' (/usr/src/app/.venv/lib/python3.7/site-packages/markupsafe/__init__.py)

Reproduction:

This appears to be a regression in Jinja at pallets/jinja#1593 where there is a very flexible version of MarkupSafe but it's not actually compatible.

A few comments here:

1. Maybe we should pin the version of Jinja to explicitly 2.10.1 instead of ^2.10.1
2. There are a lot of changes in poetry.lock, but this is almost certainly because I"m using a newer version of Poetry. I am on 1.1.12 but if you let me know what version of Poetry was used originally to generate it I can regen with the older version
3. There is a workaround which I am currently doing in my project:

   pip install markupsafe==2.0.1 s3pypi==0.11.0 && poetry build && s3pypi --bucket pypi.shipwell.com --region us-west-2'
   

4. This maybe only effects the 0.11 line, not sure if it affects 1.0. If it doesn't and you want to consume this backport it should probably go against a 0.11 support branch to release 0.11.1

[mdwint]

Hi @phillipuniverse. Thanks for submitting this.

As you pointed out, this only affects 0.11 since we no longer use Jinja in 1.0. I've created a release/0.11.x branch for this PR to be merged into.

There are a lot of changes in poetry.lock, but this is almost certainly because I"m using a newer version of Poetry. I am on 1.1.12 but if you let me know what version of Poetry was used originally to generate it I can regen with the older version

I guess we used Poetry 1.1.0b2 back then, since s3pypi 0.11 was released on September 1 2020.

[phillipuniverse]

@mdwint I actually think this doesn't need a poetry.lock modification at all. By only changing the pyproject.toml requirements this generated the following METADATA in dist after doing a poetry build:

Metadata-Version: 2.1
Name: s3pypi
Version: 0.11.0
Summary: CLI for creating a Python Package Repository in an S3 bucket
Author: Matteo De Wint
Author-email: [email protected]
Requires-Python: >=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*
Classifier: Programming Language :: Python :: 2
Classifier: Programming Language :: Python :: 2.7
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Requires-Dist: Jinja2 (>=2.10.1,<3.0.0)
Requires-Dist: boto3 (>=1.9.211,<2.0.0)
Requires-Dist: markupsafe (<=2.0.1)
Requires-Dist: wheel (>=0.33.6,<0.34.0)

I'm pretty sure that would resolve this issue, what do you think?

[mdwint]

I went ahead and updated poetry.lock anyway, to avoid this warning:

$ poetry install
Installing dependencies from lock file
Warning: The lock file is not up to date with the latest changes in pyproject.toml. You may be getting outdated dependencies. Run update to update them.

I used poetry lock --no-update with Poetry 1.1.13. This ensures the lock file is in sync with pyproject.toml, without updating any dependencies.

[phillipuniverse]

@mdwint ah right, makes sense.

Anything else you’d like me to do with this PR?