
Hardcoded version of itsdangerous leads to dependency conflicts #6

Closed
Latios96 opened this issue Mar 26, 2022 · 2 comments
@Latios96

The version of itsdangerous is hardcoded to 2.0.1 right now, which leads to issues in projects consuming starlette-csrf. Projects using Poetry can't install starlette-csrf if they already depend on a newer version of itsdangerous. If you install starlette-csrf via pip, you might end up with an outdated version of itsdangerous.

In my case I'm using Poetry and I already have the most recent version of itsdangerous (2.1.1) in my project. When I try to add starlette-csrf to my project, Poetry fails to resolve the dependencies, because my project depends on a newer version of itsdangerous, but starlette-csrf requires a specific version of itsdangerous. In my specific case, I think I would have to downgrade itsdangerous to make everything work, but since itsdangerous is doing cryptographic stuff, I definitely want to use the latest version of it to get all (security) bug fixes.

I know not everyone is using Poetry but I can imagine other dependency managers might have a similar problem. Unfortunately I don't know much about them and did not test this.

I tested installing starlette-csrf via pip directly and in this case you get itsdangerous version 2.0.1 if you don't specify a different version. Version 2.0.1 is outdated, but in my opinion you always want the latest version of itsdangerous to get all the latest (security) bug fixes.

I guess you specified this specific version of itsdangerous to ensure everything is working as expected, but I think it would be better to use some kind of version range like you already did with starlette. Maybe something like >=2.0.1,<3.0.0 would be a good idea? This way, users of starlette-csrf would get the most recent version of itsdangerous, but since the version is less than the next major release, breaking changes should not occur.

@frankie567
Owner

frankie567 commented Mar 27, 2022

I've loosened the dependency constraint of itsdangerous to >=2.0.1,<3.0.0. Released in v1.4.3.
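To make the conflict described in this thread concrete, here is an added example (not code from starlette-csrf or its maintainer) with a toy version-specifier matcher: it shows that the exact pin `==2.0.1` has no overlap with a consumer that already requires itsdangerous 2.1.1, while the range `>=2.0.1,<3.0.0` adopted in v1.4.3 resolves to the newest available release. The list of available versions and the consumer constraint (Poetry's `^2.1.1`, which expands to `>=2.1.1,<3.0.0`) are constructed for illustration.

```python
"""Toy PEP 440-style specifier matching to illustrate the pin-vs-range conflict."""


def parse_version(text: str) -> tuple[int, ...]:
    """'2.1.1' -> (2, 1, 1); only plain dotted releases are handled here."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_specifier(spec: str) -> list[tuple[str, tuple[int, ...]]]:
    """'>=2.0.1,<3.0.0' -> [('>=', (2, 0, 1)), ('<', (3, 0, 0))]."""
    clauses = []
    for clause in spec.split(","):
        clause = clause.strip()
        # Two-character operators must be tried before their one-character prefixes.
        for op in ("==", ">=", "<=", "<", ">"):
            if clause.startswith(op):
                clauses.append((op, parse_version(clause[len(op):])))
                break
        else:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
    return clauses


_OPS = {
    "==": lambda v, t: v == t,
    ">=": lambda v, t: v >= t,
    "<=": lambda v, t: v <= t,
    "<": lambda v, t: v < t,
    ">": lambda v, t: v > t,
}


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every clause of `spec`."""
    v = parse_version(version)
    return all(_OPS[op](v, target) for op, target in parse_specifier(spec))


def resolve(available: list[str], *specs: str) -> list[str]:
    """Versions satisfying all specifiers, newest first; an empty list is a conflict."""
    ok = [v for v in available if all(satisfies(v, s) for s in specs)]
    return sorted(ok, key=parse_version, reverse=True)


# Constructed sample index of released versions (illustrative, not a real PyPI listing).
AVAILABLE = ["2.0.0", "2.0.1", "2.1.0", "2.1.1"]
PINNED = "==2.0.1"           # the hardcoded constraint reported in the issue
RANGED = ">=2.0.1,<3.0.0"    # the range adopted in starlette-csrf v1.4.3
CONSUMER = ">=2.1.1,<3.0.0"  # assumed consumer project on Poetry's ^2.1.1

if __name__ == "__main__":
    print("pinned + consumer:", resolve(AVAILABLE, PINNED, CONSUMER))  # [] -> unsatisfiable
    print("ranged + consumer:", resolve(AVAILABLE, RANGED, CONSUMER))  # ['2.1.1']
```

The same intersection logic is what Poetry's resolver performs across the whole dependency graph, so an exact pin on a cryptographic library such as itsdangerous blocks consumers from taking its security fixes.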

@Latios96
Author

Great, thank you!
