
Remove pin on werkzeug <3.0 #1172

Merged 1 commit, Nov 4, 2023

Conversation

@dairiki (Contributor) commented Oct 31, 2023

Issue(s) Resolved

Fixes #1171

Related Issues / Links

Description of Changes

The latest version of Werkzeug (3.0.1) includes changes to address a vulnerability which could potentially be used for DoS attacks. Though it is not clear that that particular vulnerability is really an issue in common usage of Lektor, removing the werkzeug<3 pin thus addresses that vulnerability.

Issues

Should an upper pin to prevent unexpected breakage by new releases of Werkzeug be reinstated?

Both the Flask and Werkzeug projects do seem to zealously deprecate, rename, and remove certain APIs leading to breakage on some minor version bumps, even. (E.g. see #911, #1018, #1051, #1142 as well as this blog post and followup.)

Should we add a pin on werkzeug<3.1 or werkzeug<4?
[Decision, for now: no. See comments on #1171.]
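The trade-off raised above (an upper pin protects against API breakage but can also keep a project on a release that lacks a security fix) is easy to check mechanically. The following is an added example written for this page, not Lektor project code: a small, self-contained resolver that evaluates a requirement string against a candidate release list and reports whether the constraint can ever reach the fixed release. It implements a simplified subset of PEP 440 (numeric dotted versions and the operators <, <=, >, >=, ==, !=; no pre-releases, wildcards or ~=), and the candidate list and the `werkzeug` requirement strings are constructed for the demonstration rather than read from a package index.

```python
"""Does a dependency constraint still admit the release that carries a fix?

Added example for this PR discussion; not part of Lektor. Handles only a
simplified PEP 440 subset: plain numeric versions such as 3.0.1 and the
operators <, <=, >, >=, ==, !=. Assumed helper names; nothing here is a
Lektor API.
"""
import operator
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Checked longest operator first so "<=" is never mistaken for "<".
OPS = {
    "<=": operator.le, ">=": operator.ge, "==": operator.eq,
    "!=": operator.ne, "<": operator.lt, ">": operator.gt,
}
OP_ORDER = ("<=", ">=", "==", "!=", "<", ">")

# Project name, then whatever specifier text follows it (possibly empty).
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")


def parse_version(text: str) -> Version:
    """Turn '3.0.1' into (3, 0, 1). Only plain numeric releases are handled."""
    return tuple(int(part) for part in text.strip().split("."))


def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so that 3 == 3.0 == 3.0.0 compares as equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def split_requirement(req: str) -> Tuple[str, str]:
    """'werkzeug>=2.3,<3' -> ('werkzeug', '>=2.3,<3')."""
    m = REQ_RE.match(req)
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    return m.group(1).lower(), m.group(2)


def satisfies(specifier: str, version: str) -> bool:
    """True if `version` passes every comma-separated clause of `specifier`."""
    v = parse_version(version)
    for clause in filter(None, (c.strip() for c in specifier.split(","))):
        for op in OP_ORDER:
            if clause.startswith(op):
                lhs, rhs = _pad(v, parse_version(clause[len(op):]))
                if not OPS[op](lhs, rhs):
                    return False
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return True


def highest_allowed(requirement: str, candidates: List[str]) -> Optional[str]:
    """What a resolver would pick: the newest candidate the constraint admits."""
    _, spec = split_requirement(requirement)
    allowed = [c for c in candidates if satisfies(spec, c)]
    return max(allowed, key=parse_version) if allowed else None


def blocks_fix(requirement: str, fixed_version: str) -> bool:
    """True when the constraint can never resolve to the release with the fix."""
    _, spec = split_requirement(requirement)
    return not satisfies(spec, fixed_version)


# Constructed candidate list for the demonstration (not a live index query).
CANDIDATES = ["2.3.7", "2.3.8", "3.0.0", "3.0.1"]
# Release named in the PR description as carrying the DoS fix.
FIXED = "3.0.1"

if __name__ == "__main__":
    # The four options discussed in the PR: the old pin, the two proposed
    # upper bounds, and no upper bound at all.
    for req in ("werkzeug>=2.3,<3", "werkzeug>=2.3,<3.1",
                "werkzeug>=2.3,<4", "werkzeug>=2.3"):
        print(f"{req:22} resolves to {highest_allowed(req, CANDIDATES)!s:6} "
              f"blocks fix: {blocks_fix(req, FIXED)}")
```

Run against the constructed list, only the old `<3` pin reports `blocks fix: True`; both proposed upper bounds and the unpinned form resolve to 3.0.1. The same check, pointed at a real requirements file and the advisory's fixed version, is the quick way to tell whether an upper pin is silently holding a project on a vulnerable release.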

@dairiki dairiki merged commit d60b493 into lektor:master Nov 4, 2023
15 checks passed
@dairiki dairiki deleted the fix.1171-unpin-werkzeug branch November 4, 2023 16:41
Successfully merging this pull request may close these issues.

Remove werkzeug pin to versions < 2.4