Older versions (1.x.x) of flask pin some dependencies in a way that could cause issues #4043
Comments
Our strong advice to all users experiencing this type of issue is to pin dependencies using a tool such as pip-compile, or as you suggest, Poetry. This is not a Flask-specific issue, it could happen with any transitive dependencies in your stack, so applications need to control when they get updates. We do not follow semver, although in this case the major release essentially corresponds to the same thing. 2.x releases will contain deprecations and removals going forward. There are no plans for a 3.x release in the currently foreseeable future. That said, in this specific case, because we intend the 2.0, etc. releases to be a new baseline and are immediately not supporting the 1.x line, we will make a new release on the 1.1.x line to set maximum versions. Note that we do not intend to do this in general for future releases.
1.1.3 is now available on PyPI: https://pypi.org/project/Flask/1.1.3
first of all, congratulations on the new release! this is an amazing codebase and framework <3
flask's 1.x.x setup.py lists semvers that might cause breaking changes:
https://github.com/pallets/flask/blob/1.1.x/setup.py#L57-L59
https://github.com/pallets/flask/blob/1.0.x/setup.py#L53-L56
specifically, with the new releases of itsdangerous and MarkupSafe, it's possible here to unintentionally increase the versions of those packages while remaining on a 1.x.x version of flask. for example I saw this error occur in a service i manage:
reproduction: take a currently running flask application's python environment, pip freeze. make a new venv, and install, pip freeze, check out the diff
flask shouldn't upgrade major versions of these dependencies to avoid breaking changes. i realize that better package management like poetry would help with this, but hindsight is 2020 :)
Environment:
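The reproduction described in the issue (freeze the running environment, freeze a fresh venv, compare) can be automated so that major-version jumps in transitive dependencies stand out. The following is an added example, not code from the issue or from Flask; the two freeze listings are constructed sample data and the function names are hypothetical.

```python
import re

# Constructed sample data: `pip freeze` of the running env vs. a fresh venv.
OLD_FREEZE = """\
Flask==1.1.2
itsdangerous==1.1.0
Jinja2==2.11.2
MarkupSafe==1.1.1
"""
NEW_FREEZE = """\
Flask==1.1.2
itsdangerous==2.0.0
Jinja2==2.11.3
MarkupSafe==2.0.0
"""

def parse_freeze(text):
    """Return {normalized_name: version} for `name==version` lines."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" not in line or line.startswith("-e"):
            continue  # skip blanks, comments, editable/VCS/URL installs
        name, version = line.split("==", 1)
        # PEP 503 normalization: case-insensitive, runs of -_. are equivalent
        pins[re.sub(r"[-_.]+", "-", name).lower()] = version.strip()
    return pins

def major(version):
    """Leading release number, ignoring an optional PEP 440 epoch (`1!2.0`)."""
    m = re.match(r"(?:\d+!)?(\d+)", version)
    return int(m.group(1)) if m else None

def drift(old_text, new_text):
    """Classify every package whose pin differs between the two snapshots."""
    old, new = parse_freeze(old_text), parse_freeze(new_text)
    report = {"major": [], "other": [], "added": [], "removed": []}
    for name in sorted(old.keys() | new.keys()):
        a, b = old.get(name), new.get(name)
        if a == b:
            continue
        if a is None or b is None:
            report["added" if a is None else "removed"].append((name, a or b))
        else:
            kind = "major" if major(a) != major(b) else "other"
            report[kind].append((name, a, b))
    return report

if __name__ == "__main__":
    print(drift(OLD_FREEZE, NEW_FREEZE))
```

Running this in CI against a committed freeze file turns an unreviewed major bump into a failing check instead of a runtime error.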