pin itsdangerous to v0.24

itsdangerous v1 uses sha512 instead of sha1 to sign and unsign its strings. Pin to 0.24 until we figure a migration plan, since it's used in a few places (In the DB, in email tokens, and sending blobs to celery at least).
2026-02-03 09:51:11 -05:00 · 2018-10-22 16:57:12 +01:00
parent 6dd255e474
commit 58cd349194
2 changed files with 8 additions and 1 deletions
--- a/requirements.txt
+++ b/requirements.txt
@@ -29,6 +29,10 @@ awscli==1.15.82  # pyup: ignore
 awscli-cwlogs>=1.4,<1.5
 botocore<1.11.0  # pyup: ignore

+
+# Putting upgrade on hold due to v1.0.0 using sha512 instead of sha1 by default
+itsdangerous==0.24  # pyup: <1.0.0
+
 git+https://github.com/alphagov/notifications-utils.git@30.5.5#egg=notifications-utils==30.5.5

 git+https://github.com/alphagov/boto.git@2.43.0-patch3#egg=boto==2.43.0-patch3
@@ -51,7 +55,6 @@ future==0.16.0
 greenlet==0.4.15
 html5lib==1.0.1
 idna==2.7
-ItsDangerous==1.0.0
 Jinja2==2.10
 jmespath==0.9.3
 kombu==3.0.37