
Older versions (1.x.x) of flask pin some dependencies in a way that could cause issues #4043

Closed · zdelagrange opened this issue May 13, 2021 · 2 comments · Fixed by #4047

@zdelagrange
First of all, congratulations on the new release! This is an amazing codebase and framework <3

Flask's 1.x.x setup.py lists semvers that might cause breaking changes:

https://github.com/pallets/flask/blob/1.1.x/setup.py#L57-L59
https://github.com/pallets/flask/blob/1.0.x/setup.py#L53-L56

Specifically, with the new releases of itsdangerous and MarkupSafe, it's possible here to unintentionally increase the versions of those packages while remaining on a 1.x.x version of Flask. For example, I saw this error occur in a service I manage:

TypeError: Object of type 'Decimal' is not JSON serializable
  File "flask/app.py", line 2292, in wsgi_app
    response = self.full_dispatch_request()
  File "flask/app.py", line 1815, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "flask/app.py", line 1718, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "flask/_compat.py", line 35, in reraise
    raise value
  File "flask/app.py", line 1813, in full_dispatch_request
    rv = self.dispatch_request()
  File "flask/app.py", line 1799, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "{OBFUSCATED}", line 688, in timed_function
    return fn(*args, **kwargs)
  File "{OBFUSCATED}", line 268, in handler
    return ok_response(results)
  File "{OBFUSCATED}", line 101, in ok_response
    return make_response(jsonify(success=True, data=data), 200)
  File "flask/json/__init__.py", line 321, in jsonify
    dumps(data, indent=indent, separators=separators) + '\n',
  File "flask/json/__init__.py", line 179, in dumps
    rv = _json.dumps(obj, **kwargs)
  File "__init__.py", line 238, in dumps
    **kw).encode(obj)
  File "json/encoder.py", line 199, in encode
    chunks = self.iterencode(o, _one_shot=True)
  File "json/encoder.py", line 257, in iterencode
    return _iterencode(o, 0)
  File "flask/json/__init__.py", line 81, in default
    return _json.JSONEncoder.default(self, o)
  File "json/encoder.py", line 180, in default
    o.__class__.__name__)

Reproduction: take a currently running Flask application's Python environment and run pip freeze. Make a new venv, install, run pip freeze again, and check out the diff.

Flask shouldn't upgrade major versions of these dependencies, to avoid breaking changes. I realize that better package management like Poetry would help with this, but hindsight is 2020 :)

Environment:

  • Python version: 3.6
  • Flask version: 1.x.x
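The reproduction above (diff two `pip freeze` outputs) and the complaint about lower-bound-only specifiers in setup.py can both be checked mechanically. The following is an added example, not code from the issue or from Flask; the freeze outputs and the `itsdangerous>=0.24` style specifiers it uses are constructed sample values, assumed to resemble what the linked setup.py lines contain.

```python
from __future__ import annotations
import re

# Constructed sample `pip freeze` output from a working environment (OLD) and
# from a freshly built venv with the same Flask 1.1.x pin (NEW). Illustrative.
OLD_FREEZE = """\
Flask==1.1.2
itsdangerous==1.1.0
Jinja2==2.11.3
MarkupSafe==1.1.1
Werkzeug==1.0.1
"""
NEW_FREEZE = """\
Flask==1.1.2
itsdangerous==2.0.1
Jinja2==3.0.1
MarkupSafe==2.0.1
Werkzeug==2.0.1
"""

_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9]+(?:\.[0-9]+)*)")
_OPS = re.compile(r"(===|==|~=|>=|<=|!=|<|>)")

def normalize(name: str) -> str:
    """PEP 503 normalisation so Jinja2 / jinja2 / jinja-2 compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_freeze(text: str) -> dict[str, tuple[int, ...]]:
    """Map normalised package name -> numeric version tuple for `==` pins."""
    pins = {}
    for line in text.splitlines():
        m = _PIN.match(line.strip())
        if m:
            pins[normalize(m.group(1))] = tuple(int(p) for p in m.group(2).split("."))
    return pins

def major_bumps(old: str, new: str) -> dict[str, tuple[str, str]]:
    """Packages present in both freezes whose major version changed."""
    a, b = parse_freeze(old), parse_freeze(new)
    bumped = {}
    for name in sorted(a.keys() & b.keys()):
        if a[name][0] != b[name][0]:
            bumped[name] = (".".join(map(str, a[name])), ".".join(map(str, b[name])))
    return bumped

def unbounded(spec: str) -> bool:
    """True if a requirement has a lower bound but nothing capping the version."""
    ops = set(_OPS.findall(spec))
    return bool(ops & {">", ">="}) and not ops & {"<", "<=", "==", "===", "~="}
```

Running `major_bumps(OLD_FREEZE, NEW_FREEZE)` on the sample data flags itsdangerous, Jinja2, MarkupSafe and Werkzeug, while `unbounded("itsdangerous>=0.24")` is true and `unbounded("itsdangerous>=0.24,<2.0")` is false.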
zdelagrange changed the title from "Older versions (1.0.x) of flask pin some dependencies in a way that could cause issues" to "Older versions (1.x.x) of flask pin some dependencies in a way that could cause issues" on May 13, 2021
davidism added this to the 1.2.3 milestone on May 13, 2021

@davidism (Member)

Our strong advice to all users experiencing this type of issue is to pin dependencies using a tool such as pip-compile, or as you suggest, Poetry. This is not a Flask-specific issue, it could happen with any transitive dependencies in your stack, so applications need to control when they get updates.

We do not follow semver, although in this case the major release essentially corresponds to the same thing. 2.x releases will contain deprecation and removals going forward. There are no plans for a 3.x release in the currently foreseeable future.

That said, in this specific case, because we intend the 2.0, etc. releases to be a new baseline and are immediately not supporting the 1.x line, we will make a new release on the 1.1.x line to set maximum versions. Note that we do not intend to do this in general for future releases.

@davidism (Member)

1.1.3 is now available on PyPI: https://pypi.org/project/Flask/1.1.3

pallets locked as resolved and limited conversation to collaborators on May 13, 2021