
Remove upper bound on werkzeug [dependency]

Open marcstern14 opened this issue 1 year ago • 8 comments

werkzeug currently has an upper bound <3.1. There are more updated versions, which are compatible within the current Flask boundaries. Bumping the allowed versions of werkzeug would help for more flexible dependency installs for apps, and setting werkzeug>=3.0.6 would prevent triggering Snyk vulnerabilities: https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-8309092

I've provided a PR here: https://github.com/plotly/dash/pull/3095

marcstern14, Nov 27 '24 16:11
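To make the version arithmetic in the request concrete, here is an added example (not code from Dash, Werkzeug, or any participant in this issue). It intersects a project's pin such as `werkzeug<3.1` with a security floor such as `werkzeug>=3.0.6` over a constructed list of candidate release numbers, and reports which releases remain installable. The version parser is a deliberately simplified dotted-integer comparison (an assumption; real tooling should use the `packaging` library for full PEP 440 semantics, including pre-releases and local versions).

```python
"""Check whether a pinned dependency range can still satisfy a security floor.

Added example, not Dash's or Werkzeug's code. Version handling is a simplified
dotted-integer comparison (assumption): good enough for '3.0.6' vs '<3.1', not
for pre-releases, epochs or local versions, where `packaging` should be used.
"""
import re

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}

# Constructed candidate list for illustration; not pulled from PyPI.
CANDIDATES = ["3.0.3", "3.0.4", "3.0.6", "3.1.0", "3.1.3"]


def parse_version(text):
    """'3.0.6' -> (3, 0, 6). Only plain dotted integers are supported (assumption)."""
    return tuple(int(part) for part in text.strip().split("."))


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so (3, 1) compares like (3, 1, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def parse_specifier_set(spec):
    """'werkzeug>=3.0.6,<3.1' -> ('werkzeug', [('>=', (3, 0, 6)), ('<', (3, 1))])."""
    m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$", spec)
    if not m:
        raise ValueError(f"cannot parse requirement: {spec!r}")
    name, rest = m.group(1).lower(), m.group(2)
    clauses = []
    for clause in filter(None, (c.strip() for c in rest.split(","))):
        cm = re.match(r"^(==|!=|<=|>=|<|>)\s*([0-9.]+)$", clause)
        if not cm:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


def satisfies(version, clauses):
    """True when `version` meets every (operator, bound) clause."""
    v = parse_version(version) if isinstance(version, str) else version
    for op, bound in clauses:
        a, b = _pad(v, bound)
        if not _OPS[op](a, b):
            return False
    return True


def allowed_versions(candidates, *specs):
    """Candidates that satisfy every requirement string in `specs` simultaneously."""
    clause_lists = [parse_specifier_set(s)[1] for s in specs]
    return [c for c in candidates if all(satisfies(c, cl) for cl in clause_lists)]


def floor_reachable(candidates, project_pin, security_floor):
    """True when at least one candidate release is both inside the project's pin
    and at or above the security floor; i.e. the pin does not block the fix."""
    return bool(allowed_versions(candidates, project_pin, security_floor))


if __name__ == "__main__":
    for pin in ("werkzeug<3.1", "werkzeug<3.2"):
        ok = allowed_versions(CANDIDATES, pin, "werkzeug>=3.0.6")
        print(f"{pin:14s} + werkzeug>=3.0.6 -> installable: {ok}")
```

With the constructed candidate list, the existing pin `werkzeug<3.1` combined with the floor `werkzeug>=3.0.6` leaves exactly one installable release, 3.0.6, so the floor is reachable but only through a single version; raising the upper bound widens that set without dropping the floor.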

See https://github.com/plotly/dash/pull/2538 and the community forum discussion mentioned there for context around our decision to restrict Flask and Werkzeug versions. I'm still strongly in favor of continuing the current approach of bumping these upper bounds only after we've tested them throughout the Dash ecosystem.

alexcjohnson, Nov 27 '24 17:11

Hmm ok, I see that this issue has been discussed at length in the past. Considering the last bump of werkzeug was over a year ago, could there be plans to test bumping it again?

marcstern14, Nov 27 '24 17:11

Absolutely - part of deciding to restrict it was that then it’s incumbent on us as maintainers to keep up with new versions and this one has been waiting too long. I’ll have to defer to @T4rk1n and @gvwilson, who are focused on getting v3 released shortly, but I would imagine this can be prioritized soon after that.

alexcjohnson, Nov 27 '24 17:11

Sounds great! All your work is much appreciated – looking forward to tracking the progress.

marcstern14, Nov 27 '24 18:11

Hi @yuvashrikarunakaran, are you the point person for this request? Any chance this will get bumped to P1 label?

marcstern14, Jan 09 '25 19:01

Hi @marcstern14 - I'm the guilty party, and I'd be happy to look at it once we get the Dash 3.0 release candidate out - I hope that will be next week.

gvwilson, Jan 09 '25 19:01

Hey @gvwilson just wanted to check in to see if this could be bumped to P1? As time goes on, there are more security vulnerabilities caused by downstream dependencies that are stuck because of the werkzeug limitations.

marcstern14, Mar 04 '25 14:03

Apologies @marcstern14 - the Dash 3.0 release is taking longer than expected. I'll see if I can get this looked at.

gvwilson, Mar 04 '25 15:03

Hey @gvwilson any movement on this? Unfortunately, with this constraint, I'm unable to upgrade to dash 3 and all of its prowess!

marcstern14, Jun 17 '25 13:06

Should be fixed in Dash 3.1.0 - please re-open this issue if you encounter problems.

gvwilson, Jun 26 '25 16:06