LoginManager fails because of Werkzeug dependency

[frank1010111]

After Werkzeug updated to v 2.1.0, LoginManager cannot import werkzeug.security.safe_str_cmp. This is because Werkzeug has removed several deprecated code elements (see pallets/werkzeug#2276). The Werkzeug changelog suggests using hashlib and hmac instead to provide that functionality.

[endersonmenezes]

Just for complement, on official documentation says.

Deprecated since version 2.0: Will be removed in Werkzeug 2.1. Use [hmac.compare_digest()](https://docs.python.org/3/library/hmac.html#hmac.compare_digest) instead.

In main branch its correct on line 62 and 63, buts the pypi version is outdated.

[ye]

The current latest version of Flask-Login 0.5.0 has been broken since today because of the Werkzeug upstream version 2.1.0 release.

Can Flask-Login maintainers release a new version and push it to PyPI please?

This is the commit merged into the main branch. (PR #585 )
322e0dd

which was merged in July 2021. A new release is long over due!

Update: it looks like Flask Login version 0.6.0 (PR #598) is in the works but unreleased. Can someone push it to PyPI?

[Xevion]

Yup, this just gave me the run around trying to figure out what went wrong with Flask-Login a day after it was working fine.

Werkzeug developers seem to be essentially telling anyone who got hit with this error today should've seen it coming:
pallets/werkzeug#2359 (comment)

[Xevion]

Huh. I don't care/have the time enough to actually go through and find how much time the safe_str_cmp was deprecated, but I am a little curious now. How long precisely did flask-login have to notice (and prepare for) what has happened here?

[davidism]

We're actively working on updating this project and will make a new release soon. I've locked this as the discussion was not moving in a productive direction.

[davidism]

Duplicate of #584