The version of itsdangerous is hardcoded to 2.0.1 right now, which leads to issues in projects consuming starlette-csrf. Projects using Poetry can't install starlette-csrf if they already depend on a newer version of itsdangerous. If you install starlette-csrf via pip, you might end up with an outdated version of itsdangerous.
In my case I'm using Poetry and I already have the most recent version of itsdangerous (2.1.1) in my project. When I try to add starlette-csrf to my project, Poetry fails resolving the dependencies, because my project depends on a newer version of itsdangerous, but starlette-csrf requires a specific version of itsdangerous. In my specific case, I think I would have to downgrade itsdangerous to make everything work, but since itsdangerous is doing cryptographic stuff, I definitely want to use the latest version of it to get all (security) bug fixes.
I know not everyone is using Poetry but I can imagine other dependency managers might have a similar problem. Unfortunately I don't know much about them and did not test this.
I tested to install starlette-csrf via pip directly and in this case you get itsdangerous version 2.0.1 if you don't specify a different version. Version 2.0.1 is outdated, but in my opinion you always want the latest version of itsdangerous to get all the latest (security) bug fixes.
I guess you specified this specific version of itsdangerous to ensure everything is working as expected, but I think it would be better to use some kind of version range like you already did with starlette. Maybe something like >=2.0.1,<3.0.0 would be a good idea? This way, users of starlette-csrf would get the most recent version of itsdangerous, but since the version is less than the next major release, breaking changes should not occur.
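The resolution failure described in the issue, as an added example that is not part of the issue or of starlette-csrf: a minimal resolver for plain `X.Y.Z` versions that intersects every requirer's specifier set for `itsdangerous` and picks the newest candidate that satisfies all of them. The requirer names (`my-project`, `starlette-csrf`) and the candidate release list are constructed for the example, not a live query of PyPI; the resolver supports only the comparison operators shown and no pre-release versions.

```python
# Added example (not from the issue or from starlette-csrf): a toy resolver
# that shows why "itsdangerous==2.0.1" cannot coexist with a project that
# already requires "itsdangerous>=2.1.1", while ">=2.0.1,<3.0.0" can.
import operator
import re

_OPS = {
    "==": operator.eq,
    "!=": operator.ne,
    ">=": operator.ge,
    "<=": operator.le,
    ">": operator.gt,
    "<": operator.lt,
}
# One clause of a specifier set, e.g. ">=2.0.1". Longer operators come first
# so ">=" is not matched as ">" followed by "=2.0.1".
_SPEC_RE = re.compile(r"^\s*(==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)\s*$")


def parse_version(text):
    """Turn '2.1.1' (or '2.1') into a 3-part tuple of ints so tuples compare sanely."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def parse_specifier_set(spec):
    """'>=2.0.1,<3.0.0' -> [(ge, (2,0,1)), (lt, (3,0,0))]; an empty string means 'any'."""
    clauses = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = _SPEC_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((_OPS[m.group(1)], parse_version(m.group(2))))
    return clauses


def satisfies(version, clauses):
    return all(op(version, bound) for op, bound in clauses)


def resolve(requirements, candidates):
    """Newest candidate satisfying every requirer's specifier set, or None if unsatisfiable.

    requirements: mapping of requirer name -> specifier string for one package
    candidates:   version strings available for that package
    """
    parsed = {name: parse_specifier_set(spec) for name, spec in requirements.items()}
    acceptable = [
        v for v in sorted((parse_version(c) for c in candidates), reverse=True)
        if all(satisfies(v, clauses) for clauses in parsed.values())
    ]
    return ".".join(map(str, acceptable[0])) if acceptable else None


# Constructed sample of itsdangerous releases for the example; not fetched from PyPI.
ITSDANGEROUS_RELEASES = ["2.0.0", "2.0.1", "2.1.0", "2.1.1"]


def pinned_conflict():
    # The issue's situation: the project wants >=2.1.1, starlette-csrf pins ==2.0.1.
    # The two sets do not overlap, so no release satisfies both (what Poetry reports).
    return resolve({"my-project": ">=2.1.1", "starlette-csrf": "==2.0.1"}, ITSDANGEROUS_RELEASES)


def ranged_resolution():
    # With the range proposed in the issue the sets overlap and the newest release wins.
    return resolve({"my-project": ">=2.1.1", "starlette-csrf": ">=2.0.1,<3.0.0"}, ITSDANGEROUS_RELEASES)


def pip_default_with_pin():
    # Installing starlette-csrf on its own: the pin alone selects the old release.
    return resolve({"starlette-csrf": "==2.0.1"}, ITSDANGEROUS_RELEASES)


if __name__ == "__main__":
    print("pin  + >=2.1.1  ->", pinned_conflict())        # None (unsatisfiable)
    print("range + >=2.1.1 ->", ranged_resolution())      # 2.1.1
    print("pin alone (pip) ->", pip_default_with_pin())   # 2.0.1
```

In Poetry's own notation the proposed range `>=2.0.1,<3.0.0` is written as the caret constraint `^2.0.1`; either form lets the consuming project pull in newer 2.x releases while still excluding a future 3.0 that might change the API.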