We can’t upgrade to Werkzeug 2.1.0 because the `BaseResponse` class
has been renamed. The old version of Flask we are using tries to import
`BaseResponse` causing an error.
See https://github.com/pallets/werkzeug/issues/1963
We can’t upgrade to Jinja 3.1.0 because the `escape` module has been
moved to the `markupsafe` library. The old version of Flask we are
using tries to import `escape` from `jinja2`, causing an error.
See https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-0
This will allow both prometheis (the shared one and our own) to scrape
the /metrics endpoint, each with their own authentication
See alphagov/gds_metrics_python#1 for more details
This required bumping the minimum version of boto3 with:
pip-compile -P awscli requirements.in
I haven't looked into the awscli/boto3/botocore changes due to the
high churn on those libraries. Given they're minor changes we can
assume they are benign. s3transfer changes are also benign [^1]
[^1]: https://github.com/boto/s3transfer/blob/develop/CHANGELOG.rst
The prometheus-client was pinned to avoid installing version 0.10.0,
which removed support for `prometheus_multiproc_dir` and renamed the
variable `PROMETHEUS_MULTIPROC_DIR`. Version 0.10.1 reintroduced support
for the lowercase `prometheus_multiproc_dir` environment variable.
Changes:
53.0.0
---
* `notifications_utils.columns.Columns` has moved to
`notifications_utils.insensitive_dict.InsensitiveDict`
* `notifications_utils.columns.Rows` has moved to
`notifications_utils.recipients.Rows`
* `notifications_utils.columns.Cell` has moved to
`notifications_utils.recipients.Cell`
52.0.0
---
* Deprecate the following unused `redis_client` functions:
- `redis_client.increment_hash_value`
- `redis_client.decrement_hash_value`
- `redis_client.get_all_from_hash`
- `redis_client.set_hash_and_expire`
- `redis_client.expire`
51.3.1
---
* Bump govuk-bank-holidays to cache holidays for next year.
51.3.0
---
* Log exception and stacktrace when Celery tasks fail.
we previously pinned cryptography to versions less than 3.4 since after
that point, cryptography started using rust as a dependency. This isn't
an issue if you install from wheel, but we found that the version of pip
bundled with the python buildpack was too old to support this. However,
since upgrading from python 3.6 to python 3.9, the pip version has been
bumped and we now no longer need to pin cryptography as it installs
correctly.
This will capture and send various events to Sentry:
- Any unhandled exceptions.
- Any logger.error calls.
- Some request traces.
The latter are severely limited to avoid going over the free tier
limits for Sentry, and to avoid excess effort on our end.
While the package can always fetch new holidays via the GOV.UK API,
the latest version of the packages also caches ones for next year,
which means we can avoid unnecessary web requests.
This brings a few performance improvements for RecipientCSV, which
we use to preview and process CSVs. One change also renames one of
the attributes for the class to "guestlist".
Makes the mock up of an alert we show use an
inline SVG instead of it as a background image.
This means it can use the colour of the heading
text next to it in a way that adapts when high
contrast mode is on.
https://github.com/alphagov/notifications-utils/pull/922
Brings in https://github.com/alphagov/notifications-utils/pull/889/files
At the moment, we are not doing any transformation of features before
applying geometric algorithms to them. This is, in effect, assuming that
the earth is flat.
This new version of utils implements the transformation of our polygons
to a Cartesian plane. In other words, it converts them from being
defined in spherical degrees to metres.
For the admin app this means we need to convert places where the code
expects things to be measured in degrees to work in metres instead.
WTForms versions less than 3.0.0 have a security vulnerability where
arbitrary HTML can be inserted into the label of a form, allowing the
possibility of a cross-site scripting attack.
I don’t know if there’s anywhere we put user-generated content into form
labels but it’s possible we are vulnerable somewhere.
This require moving some imports because as of
https://github.com/wtforms/wtforms/pull/614/files
there is no longer a separate module for HTML 5 fields, they are now
considered core fields.
As of https://github.com/wtforms/wtforms/issues/445/files custom
implementations of `pre_validate` or `post_validate` must raise
`ValidationError` to trigger a validation message, where we were raising
`ValueError` this was no longer being caught.
As of https://github.com/wtforms/wtforms/pull/355/files `StringField`
returns `None` for empty data, not `''` but our `validate_email_address`
function only accepts strings.
It’s a pain having to remember to update both of them. Looks like `pip`
now supports a different syntax without the `egg` bit which means a git
dependency only needs the version number changing in one place.
Previously when trying to bring in
https://github.com/alphagov/notifications-utils/pull/889 we had trouble
because there were no wheels available for the version of Pip that we
were using. Now that we have upgraded to Python 3.9 we are using a
newer buildpack which should have the necessary wheels available.
This commit is just installing the package and nothing else, to give us
more confidence that we can merge
https://github.com/alphagov/notifications-utils/pull/915/files without
having to subsequently revert it.
We can’t use the latest version of importlib-metadata because it’s
pinned to <4.3 by the newest version of flake8.
The conflict is caused by:
The user requested importlib-metadata==4.8.1
click 8.0.1 depends on importlib-metadata; python_version < "3.8"
pytest 6.2.5 depends on importlib-metadata>=0.12; python_version < "3.8"
flake8 4.0.1 depends on importlib-metadata<4.3; python_version < "3.8"
Our `make freeze-requirements` task doesn’t catch this because it
doesn’t look at dependencies in `requirements-for-test.txt`. Therefore
it only freezes the version that `click` is specifying, which is the
latest version.
Pinning the version in `requirements.in` gets around this.
Flask version 2 requires Jinja2 version 3. However rather than bumping
both at once it feels safer to do this incrementally, so we can isolate
anything which breaks.
This is the newest version.
Pyup is complaining about vulnerabilities in version 1.0.1, specifically
> Werkzeug version 2.0.2 improves the security of the debugger cookies.
> "SameSite" attribute is set to "Strict" instead of "None", and the
> secure flag is added when on HTTPS.
Previously we were using whatever version of Werkzeug that Flask
specified this pins it to get rid of the vulnerability without having to
upgrade everything at once.
This requires a few changes to tests which were relying on importing
`session` and `current_user` from Flask. Previously it seemed that
importing these in the tests referred to the same object that was being
used in the app. This appears to no longer be the case. This commit
works around that by:
- using a context manager to get the contents of the session, like we
already do in most tests
- asserting that the mock which logs the user in is being called with
the right values, rather than looking at the state of the
`current_user` object (which was probably giving false certainty
anyway)