We were blocked on using the very latest version of itsdangerous because
it was only compatible with versions of Flask greater than 2.
Now that we’re using the latest version of Flask we can also keep this
dependency up to date.
Now that we’ve upgraded itsdangerous to the latest version we are:
- unblocked from upgrading to Flask 2, which requires a recent version
of itsdangerous
- unblocked from upgrading Jinja and Werkzeug to the latest versions,
which require Flask 2
This commit just does the version upgrades; breaking changes will be
addressed in subsequent commits.
The only impactful change is the major version itself, where I've
fixed the breaking changes due to the upgrade of PyPDF2 [^1] and
checked there are no deprecation warnings when I run the tests.
[^1]: https://github.com/alphagov/notifications-utils/pull/973
This upgrades itsdangerous by a major version.
When testing most routes we:
* use the `client_request` fixture
* under the hood this logs in the user with `TestClient.login`
* logging in the user signs their session with a secret and the current time
For some tests we also:
* wrap the test method with a `freeze_time()` decorator to simulate a past date and time
When Pytest calls the wrapped test method:
* any application code which tries to get the current time will get the frozen time
* any application code getting the current user means decoding the session
* the code which decodes the session will see that the session was created in the future, in other words it has a negative age
* as of ItsDangerous 2.0.0 signatures with a negative age raise an exception
To avoid all the tests which freeze time failing, this adds itsdangerous
to the list of packages that freezegun ignores.
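To make the failure mode above concrete, here is an added example (not code from the Notify repositories, and not itsdangerous itself) of a minimal timestamped HMAC signer that applies the same rule the commit describes: once the MAC verifies, the verifier compares its own clock with the embedded timestamp and rejects a token whose age is negative, as well as one older than `max_age`. The clock is passed in explicitly so the "signed now, verified under a frozen earlier clock" case can be reproduced without freezegun. The secret, the session value `user_id=42` and the timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Optional


class BadSignature(Exception):
    """The MAC does not match: the token was altered or signed with another key."""


class SignatureExpired(BadSignature):
    """The MAC matched, but the embedded timestamp is outside the accepted window."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(secret: bytes, value: str, now: int) -> str:
    """Return "<value>.<timestamp>.<mac>"; the MAC covers both value and timestamp."""
    stamp = _b64(now.to_bytes(8, "big"))
    payload = f"{value}.{stamp}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"


def unsign(secret: bytes, token: str, now: int, max_age: Optional[int] = None) -> str:
    """Check the MAC first, then the timestamp; a negative age is rejected like an old token."""
    try:
        value, stamp, mac = token.rsplit(".", 2)
        given = _unb64(mac)
    except ValueError:
        raise BadSignature("malformed token")
    payload = f"{value}.{stamp}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise BadSignature("MAC mismatch")
    signed_at = int.from_bytes(_unb64(stamp), "big")
    age = now - signed_at
    if age < 0:
        # The verifier's clock says the token was created in the future. In production
        # that is clock skew between hosts; in a test it is freeze_time() moving the
        # clock backwards after the session was signed at real time.
        raise SignatureExpired(f"token signed {-age}s in the future")
    if max_age is not None and age > max_age:
        raise SignatureExpired(f"token is {age}s old, max_age is {max_age}s")
    return value


def check_session(secret: bytes, signed_at: int, verified_at: int, max_age: int = 3600) -> str:
    """Sign at one clock reading, verify at another, and report the outcome as a string."""
    token = sign(secret, "user_id=42", signed_at)  # constructed session payload
    try:
        return "ok:" + unsign(secret, token, verified_at, max_age=max_age)
    except SignatureExpired as exc:
        return "expired:" + str(exc)
    except BadSignature as exc:
        return "bad:" + str(exc)


if __name__ == "__main__":
    KEY = b"constructed-test-secret"  # constructed for this example only
    T0 = 1_700_000_000
    print(check_session(KEY, T0, T0 + 30))      # normal request 30s after login
    print(check_session(KEY, T0, T0 - 86400))   # verifier's clock frozen to yesterday
    print(check_session(KEY, T0, T0 + 7200))    # ordinary expiry past max_age
```

The middle call is the test-suite situation: the session is signed with the real clock at login, then the route under test reads the frozen clock, so the age comes out negative and the session is rejected before any application code runs. Telling freezegun to leave the signing library's clock alone keeps both timestamps on the same clock.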
We can't yet upgrade to a version of itsdangerous that is >= 2.1.0
because there are compatibility issues with Flask 1.x.
xlrd is a library for reading data and formatting information from
Excel files in the historical .xls format.
Version 2 of xlrd no longer supports anything other than .xls files.
We were using it to also support reading .xlsm files (old Excel files
with macro support).
We could keep using the old version of this dependency, but hopefully
this niche version of an ancient file format is obscure enough that
no-one is using it, and we can drop support, keeping our dependencies
up to date.
We can’t upgrade to Werkzeug 2.1.0 because the `BaseResponse` class
has been renamed. The old version of Flask we are using tries to import
`BaseResponse` causing an error.
See https://github.com/pallets/werkzeug/issues/1963
We can’t upgrade to Jinja 3.1.0 because the `escape` module has been
moved to the `markupsafe` library. The old version of Flask we are
using tries to import `escape` from `jinja2`, causing an error.
See https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-0
This will allow both Prometheus instances (the shared one and our own) to scrape
the /metrics endpoint, each with their own authentication.
See alphagov/gds_metrics_python#1 for more details
This required bumping the minimum version of boto3 with:
pip-compile -P awscli requirements.in
I haven't looked into the awscli/boto3/botocore changes due to the
high churn on those libraries. Given they're minor changes we can
assume they are benign. s3transfer changes are also benign [^1]
[^1]: https://github.com/boto/s3transfer/blob/develop/CHANGELOG.rst
The prometheus-client was pinned to avoid installing version 0.10.0,
which removed support for `prometheus_multiproc_dir` and renamed the
variable to `PROMETHEUS_MULTIPROC_DIR`. Version 0.10.1 reintroduced support
for the lowercase `prometheus_multiproc_dir` environment variable.
Changes:
53.0.0
---
* `notifications_utils.columns.Columns` has moved to
`notifications_utils.insensitive_dict.InsensitiveDict`
* `notifications_utils.columns.Rows` has moved to
`notifications_utils.recipients.Rows`
* `notifications_utils.columns.Cell` has moved to
`notifications_utils.recipients.Cell`
52.0.0
---
* Deprecate the following unused `redis_client` functions:
- `redis_client.increment_hash_value`
- `redis_client.decrement_hash_value`
- `redis_client.get_all_from_hash`
- `redis_client.set_hash_and_expire`
- `redis_client.expire`
51.3.1
---
* Bump govuk-bank-holidays to cache holidays for next year.
51.3.0
---
* Log exception and stacktrace when Celery tasks fail.
We previously pinned cryptography to versions less than 3.4 since after
that point, cryptography started using Rust as a dependency. This isn't
an issue if you install from wheel, but we found that the version of pip
bundled with the python buildpack was too old to support this. However,
since upgrading from python 3.6 to python 3.9, the pip version has been
bumped and we now no longer need to pin cryptography as it installs
correctly.
This will capture and send various events to Sentry:
- Any unhandled exceptions.
- Any logger.error calls.
- Some request traces.
The latter are severely limited to avoid going over the free tier
limits for Sentry, and to avoid excess effort on our end.
While the package can always fetch new holidays via the GOV.UK API,
the latest version of the package also caches ones for next year,
which means we can avoid unnecessary web requests.
This brings a few performance improvements for RecipientCSV, which
we use to preview and process CSVs. One change also renames one of
the attributes for the class to "guestlist".
Makes the mock up of an alert we show use an
inline SVG instead of it as a background image.
This means it can use the colour of the heading
text next to it in a way that adapts when high
contrast mode is on.
https://github.com/alphagov/notifications-utils/pull/922
Brings in https://github.com/alphagov/notifications-utils/pull/889/files
At the moment, we are not doing any transformation of features before
applying geometric algorithms to them. This is, in effect, assuming that
the earth is flat.
This new version of utils implements the transformation of our polygons
to a Cartesian plane. In other words, it converts them from being
defined in spherical degrees to metres.
For the admin app this means we need to convert places where the code
expects things to be measured in degrees to work in metres instead.
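As an added illustration of the degrees-to-metres transformation described above (example code written for this page, not the implementation in notifications-utils, which may use a different projection), the block below projects a polygon of (longitude, latitude) pairs onto a local Cartesian plane with an equirectangular approximation about the polygon's centroid and then measures it with the shoelace formula. The mean Earth radius, the choice of projection and the small square near London are assumptions for the example. It also shows why a "flat earth in degrees" is wrong: a degree of longitude is worth far fewer metres at 51.5°N than at the equator, so any buffer or distance expressed in degrees is latitude-dependent.

```python
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius; an assumption for this example


def metres_per_degree(lat_deg: float):
    """(metres per degree of longitude, metres per degree of latitude) at a latitude."""
    per_deg = EARTH_RADIUS_M * math.pi / 180.0
    return per_deg * math.cos(math.radians(lat_deg)), per_deg


def to_local_metres(polygon_deg, origin_deg=None):
    """Project (lon, lat) degree pairs onto a local Cartesian plane measured in metres.

    Equirectangular approximation about an origin (default: the vertex centroid).
    Good to well under 1% for polygons a few kilometres across; not suitable
    for polygons that span many degrees.
    """
    if origin_deg is None:
        lon0 = sum(lon for lon, _ in polygon_deg) / len(polygon_deg)
        lat0 = sum(lat for _, lat in polygon_deg) / len(polygon_deg)
    else:
        lon0, lat0 = origin_deg
    k = math.cos(math.radians(lat0))  # a degree of longitude shrinks by this factor
    return [
        (EARTH_RADIUS_M * math.radians(lon - lon0) * k,
         EARTH_RADIUS_M * math.radians(lat - lat0))
        for lon, lat in polygon_deg
    ]


def shoelace_area(points):
    """Absolute planar polygon area, in the square of whatever unit the points use."""
    total = 0.0
    n = len(points)
    for i in range(n):
        x1, y1 = points[i]
        x2, y2 = points[(i + 1) % n]
        total += x1 * y2 - x2 * y1
    return abs(total) / 2.0


def area_sq_degrees(polygon_deg):
    """The 'flat earth' figure: treats degrees as if they were a uniform unit."""
    return shoelace_area(polygon_deg)


def area_sq_metres(polygon_deg):
    """Area after projecting to the local metre plane."""
    return shoelace_area(to_local_metres(polygon_deg))


if __name__ == "__main__":
    # Constructed: a 0.01 degree by 0.01 degree square in central London.
    square = [(-0.10, 51.50), (-0.09, 51.50), (-0.09, 51.51), (-0.10, 51.51)]
    print("square degrees:", area_sq_degrees(square))
    print("square metres: ", round(area_sq_metres(square)))
    print("m/deg lon at equator, at 51.5N:",
          round(metres_per_degree(0.0)[0]), round(metres_per_degree(51.5)[0]))
```

The same square is 1e-4 "square degrees" whether it sits on the equator or at 51.5°N, but in metres it is roughly 1112 m tall and only about 692 m wide at London's latitude, so distances and buffers in the admin app have to be converted to metres before they mean anything.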
WTForms versions less than 3.0.0 have a security vulnerability where
arbitrary HTML can be inserted into the label of a form, allowing the
possibility of a cross-site scripting attack.
I don’t know if there’s anywhere we put user-generated content into form
labels but it’s possible we are vulnerable somewhere.
This requires moving some imports because as of
https://github.com/wtforms/wtforms/pull/614/files
there is no longer a separate module for HTML 5 fields; they are now
considered core fields.
As of https://github.com/wtforms/wtforms/issues/445/files custom
implementations of `pre_validate` or `post_validate` must raise
`ValidationError` to trigger a validation message; where we were raising
`ValueError`, this was no longer being caught.
As of https://github.com/wtforms/wtforms/pull/355/files `StringField`
returns `None` for empty data, not `''`, but our `validate_email_address`
function only accepts strings.
Previously when trying to bring in
https://github.com/alphagov/notifications-utils/pull/889 we had trouble
because there were no wheels available for the version of Pip that we
were using. Now that we have upgraded to Python 3.9 we are using a
newer buildpack which should have the necessary wheels available.
This commit is just installing the package and nothing else, to give us
more confidence that we can merge
https://github.com/alphagov/notifications-utils/pull/915/files without
having to subsequently revert it.