From ecd2b0c4a3c6b3e9f62a885d6a82affbb4164e1a Mon Sep 17 00:00:00 2001 From: Chris Hill-Scott Date: Mon, 18 Oct 2021 15:00:39 +0100 Subject: [PATCH] Bump Werkzeug to version 2.0.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is the newest version. Pyup is complaining about vulnerabilities in version 1.0.1, specifically > Werkzeug version 2.0.2 improves the security of the debugger cookies. > "SameSite" attribute is set to "Strict" instead of "None", and the > secure flag is added when on HTTPS. Previously we were using whatever version of Werkzeug that Flask specified this pins it to get rid of the vulnerability without having to upgrade everything at once. We’ve done this for the admin app already: https://github.com/alphagov/notifications-admin/pull/4042/files I suspect the memory usage issues we saw with version 2.0.0 have been fixed in 2.0.2, per this line in the changelog: > Fix memory usage for locals when using Python 3.6 or pre 0.4.17 greenlet versions. > https://github.com/pallets/werkzeug/pull/2212 — https://werkzeug.palletsprojects.com/en/2.0.x/changes/ --- requirements-app.txt | 4 +--- requirements.txt | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/requirements-app.txt b/requirements-app.txt index 17d2f07c1..fb0245219 100644 --- a/requirements-app.txt +++ b/requirements-app.txt @@ -25,9 +25,7 @@ rfc3987==1.3.8 cachetools==4.2.1 beautifulsoup4==4.9.3 lxml==4.6.3 - -# When we upgraded to 2.0.1 we noticed significantly higher memory usage on the API -Werkzeug==1.0.1 # puyp: < 2.0.0 +Werkzeug==2.0.2 # higher version causes build to fail on PaaS due to lack of Rust # see https://github.com/pyca/cryptography/issues/5810 diff --git a/requirements.txt b/requirements.txt index 5441888f1..1adc18fdf 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -27,9 +27,7 @@ rfc3987==1.3.8 cachetools==4.2.1 beautifulsoup4==4.9.3 lxml==4.6.3 - -# When we upgraded to 2.0.1 we noticed significantly higher memory usage on the API -Werkzeug==1.0.1 # puyp: < 2.0.0 +Werkzeug==2.0.2 # higher version causes build to fail on PaaS due to lack of Rust # see https://github.com/pyca/cryptography/issues/5810
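Review bot: the first hunk (requirements-app.txt) drops the comment recording that 2.0.1 raised memory usage on the API, while the commit message only suspects that 2.0.2 fixes it, and the changelog line it cites is specific to Python 3.6 or greenlet versions before 0.4.17. Suggest keeping a one-line rationale beside the new pin, for example `Werkzeug==2.0.2  # 2.0.1 caused high memory usage on the API; 2.0.2 fixes locals memory (pallets/werkzeug#2212)`, and checking API memory after deploy before treating the regression as closed. Note also that the finding Pyup reports concerns cookies set by the Werkzeug debugger; the pin clears the finding, but the debugger should stay disabled in deployed environments regardless of version. Finally, since Werkzeug was previously left to whatever Flask specified, confirm that the pinned Flask release's own Werkzeug constraint admits 2.0.2 so dependency resolution does not fail.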
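Review bot: the second hunk (requirements.txt) applies the same edit by hand as the requirements-app.txt hunk. If requirements.txt is the frozen output generated from requirements-app.txt, regenerate it rather than editing it directly so that any transitive pins that change between Werkzeug 1.0.1 and 2.0.2 are captured as well; if it is maintained by hand, the two files are at least consistent after this change. The removed `# puyp: < 2.0.0` marker (a misspelling of pyup) goes away with the old pin, which is fine since there is no longer an upper bound to communicate.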