Flask 1.1.2 accidentally ships with itsdangerous v2, hence ignores simplejson #4025
Comments
You should pin transitive requirements in your application. Tools like
Sorry about that, I forgot that However, the fact remains that the v1.12 docstring of
Also, may I ask whether there is a specific reason against adding the upper bound? Just because I did something suboptimally does not mean it would be a bad thing for flask to assist me with slightly more conservative requirements. If users of I do realize it's additional work to commit things and add a patch release though, I'm just wondering whether that's the only reason. Thanks for the quick response so far.
IIRC that's the main reason
This is the type of incompatibility you could get from any library upgrade, potentially. Which is why applications need to pin their transitive dependencies in general.
As with #4027, this means that all Flask users need to either upgrade to the newest major release within a few hours or know your internal policies on which transitive dependencies work correctly when they're following the (very important!) best practice of routinely updating their dependencies. This level of implementation detail knowledge is probably unwise to rely on. It would be really great to get a Flask 1.1.3 that sets upper bounds on all of its dependencies.
Description
A deployment of our app suddenly stopped being able to (de)serialize Decimals. An installation of Flask~=1.1.2 suddenly ships with itsdangerous version 2, which has been released yesterday. However, this introduces the breaking change of not using the simplejson anymore, even if it's present. This is most likely not intended, because the v1.1.2 docs of flask.json.dumps clearly dictates that simplejson will be used if present:

Replication
Flask~=1.1.2 and simplejson~=3.11.1 (or any other version, really)
Decimal:

Environment
requirements.txt

Fix
Change itsdangerous>=0.24 to itsdangerous>=0.24, <2.0 in the setup.py.
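
The effect of the two specifiers in the Fix section, as an added example that is not code from Flask, itsdangerous or this thread: it picks the version a fresh, unlocked install would receive and flags specifiers with no upper bound. The version parser is a simplification of PEP 440 (dotted integers only), the function names are hypothetical, and RELEASES is a constructed sample list.

```python
import re

# Constructed sample: a few release numbers, not a full index listing.
RELEASES = ["0.24", "1.1.0", "2.0.0"]
CLAUSE = re.compile(r"(~=|==|>=|<=|<|>)\s*([0-9.]+)")

def parse_version(text):
    # Simplification: dotted integers only (no pre-releases or epochs).
    return tuple(int(part) for part in text.split("."))

def parse_spec(spec):
    # "name>=0.24, <2.0" -> ("name", [(">=", "0.24"), ("<", "2.0")])
    name = re.match(r"\s*([A-Za-z0-9._-]+)", spec).group(1)
    return name, CLAUSE.findall(spec[spec.index(name) + len(name):])

def clause_allows(op, bound, candidate):
    b, c = parse_version(bound), parse_version(candidate)
    width = max(len(b), len(c))
    bp = b + (0,) * (width - len(b))   # pad so "2.0" compares equal to "2.0.0"
    cp = c + (0,) * (width - len(c))
    if op == "~=":  # compatible release: >= bound, same leading components
        return cp >= bp and cp[:len(b) - 1] == b[:-1]
    return {">=": cp >= bp, ">": cp > bp, "<=": cp <= bp,
            "<": cp < bp, "==": cp == bp}[op]

def resolve(spec, releases=RELEASES):
    # Highest release satisfying every clause: what a fresh, unlocked install gets.
    _, clauses = parse_spec(spec)
    ok = [r for r in releases
          if all(clause_allows(op, bound, r) for op, bound in clauses)]
    return max(ok, key=parse_version) if ok else None

def is_open_ended(spec):
    # True when no clause caps the version from above.
    _, clauses = parse_spec(spec)
    return not any(op in ("<", "<=", "==", "~=") for op, _ in clauses)

if __name__ == "__main__":
    for spec in ("itsdangerous>=0.24", "itsdangerous>=0.24, <2.0"):
        print(f"{spec!r}: installs {resolve(spec)}, "
              f"open-ended={is_open_ended(spec)}")
```

Running `is_open_ended` over every line of a requirements file or a dependency's declared requirements is a quick way to list the packages whose next major release would be picked up without review.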