Deprecate common `cache`
Opened this issue · 1 comments
The plugin framework `webviz-config` today has a thin wrapper on `flask-caching` in order to give a caching object to plugin projects (the idea back then was that the plugin framework could facilitate different caching backends, e.g. redis, simple cache, and the timeout based on how it is deployed).
Today `flask-caching` has a CVE (https://nvd.nist.gov/vuln/detail/CVE-2021-33026) which is highly discussed in the `flask-caching` repository as to whether it is relevant or not (TL;DR: since `pickle` is used by default in `flask-caching`, an attacker can potentially run his/her Python code GIVEN the attacker in some way a priori has gotten write access to file system/cache storage). Not much has happened since the CVE release, other than a review of a related PR.
Consider changing the common cache object in the plugin framework to a no-op (+ deprecate it) and instead let plugin projects choose caching backend? E.g. in Python 3.2+ you have `functools.lru_cache` which does something along the same lines as `flask-caching` in `simple` mode.
Dash 2.0 will support caching of long-running callbacks. Maybe that could take over responsibility for some of the use cases?
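A sketch of the proposal in the issue above, added here as an example and not taken from `webviz-config` or `flask-caching`: the class name `NoOpCache` and the sample function names are hypothetical, and the shim only mirrors the `memoize`/`cached` decorator names that `flask-caching` exposes. With `functools.lru_cache` the values stay in process memory, so nothing is deserialized from the file system or an external cache store.

```python
import functools
import warnings


class NoOpCache:
    """Hypothetical stand-in for the shared cache object: keeps the
    decorator names plugins already call, but stores nothing."""

    def __init__(self):
        self.memoize = self._passthrough("memoize")
        self.cached = self._passthrough("cached")

    @staticmethod
    def _passthrough(name):
        def decorator_factory(*_args, **_kwargs):  # accepts timeout=... etc.
            def decorator(func):
                warnings.warn(
                    f"common cache.{name} is deprecated and no longer caches; "
                    "choose a caching backend in the plugin itself",
                    DeprecationWarning,
                    stacklevel=2,  # point at the plugin's decorated function
                )
                return func  # returned unwrapped: no pickle, no storage
            return decorator
        return decorator_factory


def demo():
    """Return (calls through the shim, calls through lru_cache, warnings)."""
    calls = {"shim": 0, "lru": 0}
    cache = NoOpCache()

    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")

        @cache.memoize(timeout=60)  # existing plugin code keeps working
        def via_shim(path):
            calls["shim"] += 1
            return path.upper()

    @functools.lru_cache(maxsize=32)  # plugin-chosen in-process cache
    def via_lru(path):
        calls["lru"] += 1
        return path.upper()

    for _ in range(3):  # constructed input: same argument three times
        via_shim("ensemble.csv")
        via_lru("ensemble.csv")
    return calls["shim"], calls["lru"], [str(w.message) for w in caught]


if __name__ == "__main__":
    print(demo())
```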