fix: Pin itsdangerous

[john-bodley]

SUMMARY

Version 2.0.0 of the itsdangerous package was recently released (May 12, 2021) which replaces the simplejson with json which cannot decode decimal.Decimal objects, i.e.,

Traceback (most recent call last):
...
  File "/srv/superset-internal/superset-fork/superset/utils/core.py", line 1407, in time_function
    response = func(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/flask_appbuilder/api/__init__.py", line 1499, in get_list_headless
    return self.response(200, **_response)
...
  File "/usr/lib/python3.8/json/encoder.py", line 179, in default
    raise TypeError(f'Object of type {o.__class__.__name__} '
TypeError: Object of type Decimal is not JSON serializable

Eventually when we update Flask we will need to deal with this as it also removes simplejson (pallets/flask#3555) and doesn't rely on on itsdangerous for defining which JSON package to use per pallets/flask#3562.

I tried using the logic they suggested (to help future proof ourselves), i.e., in superset/app.py

from simplejson import JSONEncoder


app = Flask(__name__)
app.json_encoder = JSONEncoder

however I ran into a somewhat similar problem,

Traceback (most recent call last):
...
  File "/srv/superset-internal/superset-fork/superset/utils/core.py", line 1407, in time_function
    response = func(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/flask_appbuilder/api/__init__.py", line 1499, in get_list_headless
    return self.response(200, **_response)
...
  File "/usr/local/lib/python3.8/dist-packages/simplejson/encoder.py", line 272, in default
    raise TypeError('Object of type %s is not JSON serializable' %
TypeError: Object of type Table is not JSON serializable

which is somewhat perplexing, i.e., I'm not sure why this is problematic and I couldn't find any JSON encoders in Superset, Flask, or Flask-SQLAlchemy which handled serializing SQLAlchemy Table objects. For now to remedy any issues resulting from pip installing Apache Superset I thought there was merit in simply restricting the version of itsdangerous.

Note the generated requirements were updated via,

pip-compile-multi --only-name base --upgrade-package itsdangerous 

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TEST PLAN

ADDITIONAL INFORMATION

• Has associated issue:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[codecov]

Codecov Report

Merging #14627 (2c8bc91) into master (3a81e6a) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master   #14627   +/-   ##
=======================================
  Coverage   77.38%   77.38%           
=======================================
  Files         959      959           
  Lines       48467    48467           
  Branches     5678     5678           
=======================================
  Hits        37508    37508           
  Misses      10759    10759           
  Partials      200      200           

Flag	Coverage Δ
hive	80.96% <ø> (ø)
mysql	81.24% <ø> (ø)
postgres	81.26% <ø> (ø)
python	81.63% <ø> (ø)
sqlite	80.88% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3a81e6a...2c8bc91. Read the comment docs.

[betodealmeida]

Agree, I think it's good to freeze this before it breaks anything.