Merge pull request #4255 from alphagov/bump-itsdangerous

Upgrade itsdangerous from 1.1.0 to 2.0.1

requirements.in

@@ -27,7 +27,7 @@ pyproj==3.3.1
 
 # PaaS
 awscli-cwlogs>=1.4,<1.5
-itsdangerous==1.1.0  # pyup: <2
+itsdangerous==2.0.1  # pyup: <2.1.0  Release 2.1.0 introduced a change that is not compatible with Flask 1.x
 notifications-utils @ git+https://github.com/alphagov/notifications-utils.git@55.1.6
 govuk-frontend-jinja @ git+https://github.com/alphagov/govuk-frontend-jinja.git@v0.5.8-alpha
 

requirements.txt

@@ -89,7 +89,7 @@ humanize==4.1.0
     # via -r requirements.in
 idna==3.3
     # via requests
-itsdangerous==1.1.0
+itsdangerous==2.0.1
     # via
     #   -r requirements.in
     #   flask

tests/__init__.py

@@ -3,6 +3,7 @@ from datetime import datetime, timedelta, timezone
 from unittest.mock import patch
 from urllib.parse import parse_qs, urlparse
 
+import freezegun
 import pytest
 from flask import session as flask_session
 from flask import url_for
@@ -11,6 +12,12 @@ from flask_login import login_user
 
 from app.models.user import User
 
+# Add itsdangerous to the libraries which freezegun ignores to avoid errors.
+# In tests where we freeze time, the code in the test function will get the frozen time but the
+# fixtures will be using the current time. This causes itsdangerous to raise an exception - when
+# the session is decoded it appears to be created in the future.
+freezegun.configure(extend_ignore_list=['itsdangerous'])
+
 
 class TestClient(FlaskClient):
     def login(self, user, mocker=None, service=None):