Update dependencies

[jsnshrmn]

There have been numerous security updates and bugfixes to the dependencies listed in requirements.txt. Updating these does not seem to have any negative impact on the Wikipedia Library Card Platform, which is currently on python2.

[xqt]

requests-oauthlib 1.2.0 does support oauthlib 3.0.0 now. I don't see any advantage for this patch.

[jsnshrmn]

testing with requests-oauthlib 1.2.0. Also, I'm dropping the dependencies from requirements.txt that are now defined in requests-oauthlib.

[jsnshrmn]

verified that the change works without issue, including our url rewriting we're layering on top to send users to localized login pages.

[halfak]

Thank you! But we should probably still include requests in requirements.txt since we use it directly. See https://github.com/mediawiki-utilities/python-mwoauth/blob/master/mwoauth/functions.py#L39 and https://github.com/mediawiki-utilities/python-mwoauth/blob/master/mwoauth/functions.py#L181

[jsnshrmn]

makes sense! I added it back in.

[halfak]

From https://www.sourceclear.com/vulnerability-database/security/information-disclosure/python/sid-2048, it looks like we need a version of requests that is >= 2.3.0. It looks like 2.21.0 is out. Should we require that?

[jsnshrmn]

Yes, that was an accident to slip back to 2.2.1. 2.21.0 was what I was originally proposing. Sorry!

[halfak]

I just pushed mwoauth 0.3.3 to pypi with this change. Thanks for your work :)

[xqt]

Why do you test for equality instead of >= for dependencies?

[jsnshrmn]

@xqt

1. the dependencies were already defined using ==
2. New deployments and old deployments of the same release have the same behavior, because they are running the same code.
3. There are tools (such as Dependabot + CI) for assisting in the management of dependency updates on the maintainer side, instead of leaving it up to downstream users to be the first to encounter unexpected breakage from a minor update.

[halfak]

^ +1.