plotly / dash

Data Apps & Dashboards for Python. No JavaScript Required.
https://plotly.com/dash
MIT License

Remove upper bound on werkzeug [dependency] #3096

Open marcstern14 opened 5 days ago

marcstern14 commented 5 days ago

werkzeug currently has an upper bound <3.1. There are more updated versions, which are compatible within the current Flask boundaries. Bumping the allowed versions of werkzeug would help for more flexible dependency installs for apps, and setting werkzeug>=3.0.6 would prevent triggering snyk vulnerabilities: https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-8309092

I've provided a PR here: https://github.com/plotly/dash/pull/3095
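As an added example (not Dash's own code), here is a small dependency-range check that reads a pip-style requirement line and reports which releases it still admits below a patched version. The range strings and the 3.0.6 threshold are taken from the comment above; the release list is constructed for the demo, and the version parser handles plain dotted numeric versions only.

```python
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    # Plain dotted numeric versions only (e.g. "3.0.6"); enough for release tags.
    return tuple(int(part) for part in text.strip().split("."))

def _cmp(a: Version, b: Version) -> int:
    # Right-pad with zeros so that 3.1 and 3.1.0 compare equal.
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

# Comparison operators of a pip specifier clause, applied to the _cmp() result.
OPS = {
    ">=": lambda c: c >= 0, "<=": lambda c: c <= 0, "==": lambda c: c == 0,
    "!=": lambda c: c != 0, ">": lambda c: c > 0, "<": lambda c: c < 0,
}

def parse_requirement(req: str) -> Tuple[str, List[Tuple[str, Version]]]:
    # "werkzeug>=3.0.6,<3.1" -> ("werkzeug", [(">=", (3,0,6)), ("<", (3,1))])
    match = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$", req)
    name, spec = match.group(1), match.group(2)
    clauses = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        # Try two-character operators before one-character ones.
        op = next(o for o in sorted(OPS, key=len, reverse=True) if clause.startswith(o))
        clauses.append((op, parse_version(clause[len(op):])))
    return name, clauses

def allows(clauses: List[Tuple[str, Version]], version: str) -> bool:
    # A version is admitted only if every clause of the specifier holds.
    v = parse_version(version)
    return all(OPS[op](_cmp(v, bound)) for op, bound in clauses)

def unpatched_allowed(req: str, releases: Iterable[str], fixed: str) -> List[str]:
    """Releases the requirement admits that are older than the patched version `fixed`."""
    _, clauses = parse_requirement(req)
    f = parse_version(fixed)
    return [r for r in releases if allows(clauses, r) and _cmp(parse_version(r), f) < 0]

# Constructed release list for the demo (not fetched from PyPI).
RELEASES = ["3.0.0", "3.0.3", "3.0.6", "3.1.0", "3.1.3"]

if __name__ == "__main__":
    print("current  werkzeug<3.1   admits unpatched:", unpatched_allowed("werkzeug<3.1", RELEASES, "3.0.6"))
    print("proposed werkzeug>=3.0.6 admits unpatched:", unpatched_allowed("werkzeug>=3.0.6", RELEASES, "3.0.6"))
```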

alexcjohnson commented 5 days ago

See https://github.com/plotly/dash/pull/2538 and the community forum discussion mentioned there for context around our decision to restrict Flask and Werkzeug versions. I'm still strongly in favor of continuing the current approach of bumping these upper bounds only after we've tested them throughout the Dash ecosystem.

marcstern14 commented 5 days ago

Hmm ok, I see that this issue has been discussed at length in the past. Considering the last bump of werkzeug was over a year ago, could there be plans to test bumping it again?

alexcjohnson commented 5 days ago

Absolutely - part of deciding to restrict it was that then it’s incumbent on us as maintainers to keep up with new versions and this one has been waiting too long. I’ll have to defer to @T4rk1n and @gvwilson, who are focused on getting v3 released shortly, but I would imagine this can be prioritized soon after that.

marcstern14 commented 5 days ago

Sounds great! All your work is much appreciated – looking forward to tracking the progress.