
Pinning Flask<2 requires pinning ItsDangerous<2.1 and MarkupSafe<2.1 #4455

Closed
jeehoonkim-youha opened this issue Feb 18, 2022 · 9 comments

jeehoonkim-youha commented Feb 18, 2022

Since the update of the itsdangerous module to version 2.1.0, Flask 1.1.2 fails to run.
This is because Flask’s requirements.txt specifies itsdangerous >= 0.24, so it automatically installs the newest version, which leads to using a deprecated feature.
I can do a workaround in my project’s requirements.txt to install itsdangerous <= 2.0.1 before installing Flask, but is it possible to fix the requirements.txt in Flask to install itsdangerous no higher than 2.0.1?

To replicate the bug,

  1. install Flask 1.1.2
  2. flask run in terminal
  3. it will produce ImportError: cannot import name 'json' from 'itsdangerous'

Thank you in advance.

Environment:

  • Python version: 3.8
  • Flask version: 1.1.2


gandalftheFFFFFF commented Feb 18, 2022

I just hit this during a deployment with flask version 1.0.2 and python 3.7.9

@fwindolf

You can simply fix the requirements from your side to work around the issue until it's fixed.

    itsdangerous==1.1.0
    markupsafe==1.1.1

@aditya-kar

I would recommend moving up to Flask 1.1.4 from 1.1.2. It already has the fix you're looking for.

    install_requires=[
        "Werkzeug >= 0.15, < 2.0",
        "Jinja2 >= 2.10.1, < 3.0",
        "itsdangerous >= 0.24, < 2.0",
        "click >= 5.1, < 8.0",
    ],


davidism commented Feb 18, 2022

You are using an unsupported version of Flask, please update to the latest version. Additionally, please read https://hynek.me/articles/semver-will-not-save-you/, then use a tool like pip-tools to pin your dependencies and control when you get updates. Be sure to run your tests with deprecation warnings treated as errors so that you get notified of these types of changes early.

@davidism davidism pinned this issue Feb 18, 2022
@davidism davidism changed the title from "Flask fails after itsdangerous module’s update" to "Flask<2 fails with ItsDangerous>=2.1, MarkupSafe>=2.1" Feb 18, 2022
@davidism davidism changed the title from "Flask<2 fails with ItsDangerous>=2.1, MarkupSafe>=2.1" to "Pinning Flask<2 requires pinning ItsDangerous<2.1 and MarkupSafe<2.1" Feb 18, 2022
RobbeSneyders added a commit to spec-first/connexion that referenced this issue Feb 18, 2022
To prevent a dependency conflict between Flask and itsdangerous.
pallets/flask#4455
@chrisinmtown

> I would recommend moving up to Flask 1.1.4 from 1.1.2. It already has the fix you're looking for.

I had flask pinned to version 1.1.4, that still yielded this runtime error:

ImportError: cannot import name 'soft_unicode' from 'markupsafe'

In my ignorance and impatience I tried unpinning Flask. Then it jumped up to version 2.0.3 and pip found a solution for all dependencies. HTH

@remoyson

> You are using an unsupported version of Flask, please update to the latest version. Additionally, please read https://hynek.me/articles/semver-will-not-save-you/, then use a tool like pip-tools to pin your dependencies and control when you get updates. Be sure to run your tests with deprecation warnings treated as errors so that you get notified of these types of changes early.

@davidism Your remark made me wonder which versions of Flask are still officially supported. Only 2.0.3 then, as the latest, so Flask does not guarantee any backwards compatibility (or only for patches)? Or how can we see when a version has reached end of life (a bit like everyone knowing Python 3.6 was end of life on 31 December 2021 because it is widely announced)? E.g. where could we have found that version 1.1.4 has reached end of life? I think this would be useful in future to have a better idea of what versions are supported (and when support will end) and also to plan upfront for upgrading.
Thanks in advance for your insights on this :)

@davidism (Member)

pallets/markupsafe#286 (comment)

The only supported version is the latest version (currently 2.0.x, but 2.1.x will be released in the next week or two) which receives bug fixes. The development version (main) receives features and merges in bug fixes, but it's not "supported" since it's not a stable release. This is true for all the Pallets projects, and is the typical implicit policy of most open source projects unless otherwise noted. https://bernat.tech/posts/version-numbers/#whats-the-problem-with-semantic-versioning discusses some of the reasons why this is.

@BenDavisson

If you have a dependency on an older version of Flask like myself, I found a solution by following this answer given by @fwindolf.

My versions:

- flask=1.1.4
- itsdangerous==1.1.0
- markupsafe==1.1.1

ahnitz added a commit to ahnitz/pegasus that referenced this issue Feb 21, 2022
The latest release of markupsafe has exposed a side-effect of pinning dependencies on flask, whose old versions also require an old version of jinja2. The old version of jinja2 breaks with the latest markupsafe. This means that at the moment, pegasus-wms can't be installed with pip and used as intended. The most recent version of markupsafe will be installed and thus break. 

See also pallets/flask#4455
@woodgiraffe

> pallets/markupsafe#286 (comment)
>
> The only supported version is the latest version (currently 2.0.x, but 2.1.x will be released in the next week or two) which receives bug fixes. The development version (main) receives features and merges in bug fixes, but it's not "supported" since it's not a stable release. This is true for all the Pallets projects, and is the typical implicit policy of most open source projects unless otherwise noted. https://bernat.tech/posts/version-numbers/#whats-the-problem-with-semantic-versioning discusses some of the reasons why this is.

Thanks for the info on this and thanks for your work on the project! I fully agree with the article that you linked, and it also seems to me that Pallets never specified that the projects follow semver to begin with, so while it is understandable that one would mistake these versions as strictly following semver, that's a bit of a hasty judgement, and so it seems important, I think, to highlight that Pallets projects don't follow strict semver at all and never made any promises to do so.

I would recommend updating, and if that is not possible, the latest version of itsdangerous that is compatible with Flask <2 is 2.0.1, so I'd recommend trying this version first.

Cheers.
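A small requirements lint, added here as an example rather than anything from the thread or from Pallets, that flags the combination the issue title describes: Flask pinned below 2 while itsdangerous or MarkupSafe are left without a cap below 2.1. The sample requirements text is constructed; only ==, <, <=, >= and > specifiers are understood, and anything else is treated as unbounded.

```python
import re

# Constructed sample: Flask pinned below 2, its transitive deps left unbounded.
UNSAFE_REQUIREMENTS = """\
Flask==1.1.4
itsdangerous>=0.24   # no upper bound, so pip picks 2.1.x
markupsafe
"""

# Exclusive upper bounds a Flask<2 install needs (from the issue title).
REQUIRED_CAPS = {"itsdangerous": (2, 1), "markupsafe": (2, 1)}

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.-]*)\s*(.*)$")
SPEC_RE = re.compile(r"^(==|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def parse_requirements(text):
    """Map normalised package name -> list of (operator, version tuple)."""
    reqs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = NAME_RE.match(line)
        if not m:  # blank lines, -r includes, URLs etc. are skipped
            continue
        name, rest = m.groups()
        specs = []
        for part in filter(None, (p.strip() for p in rest.split(","))):
            s = SPEC_RE.match(part)
            if s:  # other forms (~=, extras, markers) are treated as unbounded
                specs.append((s.group(1), parse_version(s.group(2))))
        reqs[name.lower().replace("_", "-")] = specs
    return reqs


def capped_below(specs, cap):
    """True if every version the specifiers allow is strictly below `cap`."""
    return any((op == "==" and ver < cap) or (op == "<" and ver <= cap)
               or (op == "<=" and ver < cap) for op, ver in specs)


def check(text):
    """Names of deps that need a cap once Flask<2 is pinned but lack one."""
    reqs = parse_requirements(text)
    if not capped_below(reqs.get("flask", []), (2,)):
        return []  # Flask>=2 or unpinned: this particular hazard does not apply
    return sorted(dep for dep, cap in REQUIRED_CAPS.items()
                  if not capped_below(reqs.get(dep, []), cap))
```

Running `check(UNSAFE_REQUIREMENTS)` reports both itsdangerous and markupsafe; with the pins fwindolf and BenDavisson used above, it reports nothing.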
