
Compatibility of Connexion v3 with Werkzeug 3.0

Open hehe7318 opened this issue 10 months ago • 11 comments

Hi team,

We currently rely on Connexion v2 (version ~2.13.0) along with Flask (>=2.2.5,<2.3) and Werkzeug (~2.0) in production. Due to a security advisory (CVE-2024-34069), we need to upgrade to Werkzeug 3.0. However, we’ve run into compatibility issues because Connexion v2 does not officially support Werkzeug 3.0, prompting us to explore migrating to Connexion v3.

According to the Connexion v3 documentation, it is recommended to use an ASGI server instead of a WSGI server. We also noticed the mention of wrapping Connexion with the ASGIMiddleware from a2wsgi as a temporary workaround. However, given our production environment constraints, this approach isn’t feasible for us at the moment, and we haven’t found a suitable way to wrap our existing application.

With that in mind, we’d like to confirm whether Connexion v3 can still be used reliably with Werkzeug 3.0 in a WSGI-based production setup. Are there official recommendations, known limitations, or additional configurations required for this scenario?

Additionally, we’ve seen the open issue #1969 and the corresponding PR #1992 aimed at updating Connexion v2 dependencies to support newer Werkzeug versions. Could you share any updates on whether these changes will be merged and released for v2, or if there’s a planned timeline?

As a temporary workaround, we have imported Connexion v2 code into our codebase and made several modifications to enable compatibility with Werkzeug 3.0. This solution works for us in production, but we would prefer an upstream solution aligned with your official releases.

Thank you for your time and assistance. We appreciate any guidance you can provide on using Connexion alongside Werkzeug 3.0 in a WSGI environment.

Appendix

Below are the error messages we saw when using connexion v3 with werkzeug:

  • Errors in unit tests: "connexion.exceptions.BadRequestProblem: 400: malformed", "starlette.exceptions.HTTPException: 404", "Exception: Unexpected fatal exception. Please look at API logs for details on the encountered failure.", etc. For example:
    self = <connexion.apps.flask.FlaskApp object at 0x114a55340>
    exc = <NotFound '404: Not Found'>

        def _http_exception(self, exc: werkzeug.exceptions.HTTPException):
            """Reraise werkzeug HTTPExceptions as starlette HTTPExceptions"""
            raise starlette.exceptions.HTTPException(exc.code, detail=exc.description)
    starlette.exceptions.HTTPException: 404: The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
    
  • Errors in API(Postman) test:
    GET http://127.0.0.1:8080/v3/clusters
    Error: socket hang up
    Request Headers
    Accept: application/json
    Authorization: {{apiKey}}
    User-Agent: PostmanRuntime/7.43.0
    Postman-Token: 5e8b19df-a6d5-4463-9983-36d3d13b8c53
    Host: 127.0.0.1:8080
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    

Feb 18 '25 18:02 hehe7318

Not part of the team and as a disclaimer, I am only using Connexion in a pretty low-traffic environment. However I migrated that service from Connexion v2 to v3+flask.

> With that in mind, we’d like to confirm whether Connexion v3 can still be used reliably with Werkzeug 3.0 in a WSGI-based production setup. Are there official recommendations, known limitations, or additional configurations required for this scenario?

I am using Connexion 3.2 with Werkzeug 3.1.3 in production. Our monitoring does not show any failed requests but we have only internal (well-behaved) clients.

On our part, we run Connexion via gunicorn -k uvicorn.workers.UvicornWorker ...

Apr 13 '25 10:04 FelixSchwarz

@hehe7318 I am running into a similar issue. Did you get any fix for the issue?

May 26 '25 12:05 mihirverma7781

@mihirverma7781 This issue is a bit vague. It might be due to many different reasons. I think it is best if you open a new ticket and include a minimal reproducible example.

May 26 '25 12:05 FelixSchwarz

The community has created and is trying to release version 2.15, which keeps Connexion V2 behavior and updates all dependencies including Werkzeug to a version (2.2.3) that does not have the vulnerability you mentioned. You could test your app with that pre-release version 2; it's available from PyPI.

Jul 24 '25 13:07 chrisinmtown

Hi @chrisinmtown, thanks for the update! I have tested this PR before and it worked for us. So it should be good now. I will do a test with the pre-release version and let you know the result. Thanks again!

Aug 01 '25 16:08 hehe7318

Hi @chrisinmtown, I hope you are doing well.

We have successfully tested connexion==2.15.0rc3 in our development environment, and the results are promising. This version, along with some adjustments, has enabled us to successfully upgrade Werkzeug to 3.1.3.

However, before proceeding with implementation, we would like to understand:

  • Are there any potential risks in deploying this release candidate in a production environment?
  • How stable is this RC version based on current testing and feedback?
  • Do you have an estimated timeline for the release of the final 2.15.0 version?

Your insights would be greatly appreciated.

Best regards, Xuanqi He

Aug 06 '25 21:08 hehe7318

Hi @chrisinmtown,

Is there any update?

Best regards, Xuanqi He

Aug 12 '25 15:08 hehe7318

@hehe7318 I have the same question about the expected release date of version 2.15.0. I hope a maintainer posts here with information about the process for promoting that to a real release, and the expected timeline for that.

You raise good questions about risk and stability, but I cannot answer them.

Aug 15 '25 19:08 chrisinmtown

Hi @chrisinmtown,

Thank you for the response. I thought you were a maintainer. It's my mistake, sorry.

Hi @Ruwann @RobbeSneyders, can you answer the above questions? Thank you!

Best Regards, Xuanqi He

Aug 18 '25 13:08 hehe7318