Issue(s) Resolved
Fixes #1171
Related Issues / Links
Description of Changes
The latest version of Werkzeug (3.0.1) includes changes to address a vulnerability which could potentially be used for DoS attacks. Though it is not clear that that particular vulnerability is really an issue in common usage of Lektor, removing the werkzeug<3 pin thus addresses that vulnerability.
Issues
Should an upper pin to prevent unexpected breakage by new releases of Werkzeug be reinstated?
Both the Flask and Werkzeug projects do seem to zealously deprecate, rename, and remove certain APIs leading to breakage on some minor version bumps, even. (E.g. see #911, #1018, #1051, #1142 as well as this blog post and followup.)
Should we add a pin on werkzeug<3.1 or werkzeug<4?
[Decision, for now: no. See comments on #1171.]