infobyte / faraday

Open Source Vulnerability Management Platform
https://www.faradaysec.com
GNU General Public License v3.0

Please support latest marshmallow, werkzeug, flask-login #397

Closed rhertzog closed 4 years ago

rhertzog commented 4 years ago

Hi,

I'm one of the Kali packagers and we kept an old version of marshmallow for the benefit of faraday. But that's no longer workable, there are other tools that require the latest version of marshmallow and you should really update your codebase to be compatible with the last version.

$ grep -r marsh requirements*
requirements_server.txt:marshmallow<3.0.0
requirements_server.txt:marshmallow-sqlalchemy==0.15.0

Any requirements that force a version lower than something is a hack that should be used sparingly and temporarily, it should not last forever. It constitutes technical debt as you're relying on an old version which is often no longer maintained.

There are other dependencies where you have forced a maximal version: werkzeug and flask-login. In both cases, we already have a newer version in Kali so we can't respect those requirements.

cc @sbrun

cript0nauta commented 4 years ago

Hi @rhertzog! Thanks for reaching out to us.

We started migrating to marshmallow 3 (see https://github.com/infobyte/faraday/pull/353) but stopped when the library dropped support for Python 2. Now that we are 100% Python 3 compatible, it's a good time to resume that.

werkzeug and flask-login will probably be way easier to upgrade than marshmallow, so we'll check them too.

We'll start working on this and hopefully have this done in the next release. Let us know if you have any other issues related to packaging in Kali.

cript0nauta commented 4 years ago

As a side note related to this: We are using flask-kvsession-fork instead of the upstream flask-kvsession to improve security. This fork, maintained by us, adds support for SameSite cookies. If you prefer not to package a fork of this library, another option would be to apply this change to the upstream flask-kvsession: https://github.com/infobyte/flask-kvsession/commit/d6189ba9d702856444332842229e85b2f1a1072d.

Even if the upstream library isn't patched at all, Faraday will work ok as long as webargs>=5.5.3 is used (prior versions have a serious vulnerability). But having SameSite cookies would be a major improvement to Faraday's security.
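A small check a packager or deployer can run against a server's Set-Cookie header to confirm the session cookie actually carries the SameSite attribute the fork adds (an added example using only the Python standard library; it is not code from Faraday or flask-kvsession, and the cookie name "session" and the header values are constructed):

```python
from http.cookies import SimpleCookie


def audit_set_cookie(header_value, cookie_name="session"):
    """Parse one Set-Cookie header value and report which hardening
    attributes are missing from the named cookie.

    Returns a list of missing attribute names; an empty list means the
    cookie carries SameSite, HttpOnly and Secure.
    """
    jar = SimpleCookie()
    jar.load(header_value)  # accepts the Set-Cookie header syntax
    if cookie_name not in jar:
        return ["cookie %r not set" % cookie_name]
    morsel = jar[cookie_name]
    missing = []
    # SameSite is stored as its value ("Lax"/"Strict"/"None"), "" if absent
    if not morsel["samesite"]:
        missing.append("SameSite")
    # HttpOnly and Secure are flags: True when present, "" when absent
    if not morsel["httponly"]:
        missing.append("HttpOnly")
    if not morsel["secure"]:
        missing.append("Secure")
    return missing


if __name__ == "__main__":
    # Constructed headers: an unpatched kvsession-style cookie vs a hardened one
    weak = "session=abc123def456; Path=/; HttpOnly"
    hardened = "session=abc123def456; Path=/; HttpOnly; SameSite=Lax; Secure"
    print("weak    ->", audit_set_cookie(weak))
    print("hardened->", audit_set_cookie(hardened))
```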

ghost commented 4 years ago

@cript0nauta dear developers, please, make support for newer versions of pypi packages. It will be very useful :)

cript0nauta commented 4 years ago

@rhertzog We have updated all the indicated dependencies (plus a few more), so now Faraday works with the latest versions of them.

The only library we haven't upgraded yet is webargs. We use version 5, as Kali does at the moment of writing. PR #401 upgrades to webargs 6, but isn't compatible with webargs 5. Would you be ok with upgrading to webargs 6 in Kali? If not, we could keep using webargs 5. That's not a problem.

All the changes of this issue are present in the master branch. If you need us to add a new release in order to make Kali packaging easier, feel free to reach us.

rhertzog commented 4 years ago

@cript0nauta We're fine with upgrading to webargs 6. The package is only in Kali for faraday/filteralchemy so upgrading will not break anything else.

When you're done, tagging a new release would be nice, yes.

cript0nauta commented 4 years ago

We merged the webargs 6 PR, did some testing and tagged v3.11.1. This release should work with the latest versions of the dependencies.