Not compatible with Werkzeug > 2.1.2
sqall01 opened this issue · 4 comments
We have an application using Flask-Login and Werkzeug. However, after rebuilding it our audit pass told us that Werkzeug in version 2.1.2 has two vulnerabilities:
- GHSA-xg9f-g7g7-2323 (high severity)
- GHSA-px8h-6qxv-m22q (low severity)
After upgrading to Werkzeug 2.2.3 we can no longer run the application. We get the following error:
ImportError: cannot import name 'parse_rule' from 'werkzeug.routing'
According to this stackoverflow post it is because parse_rule() has been marked as :internal: in the newest Werkzeug versions. However, since we have a high severity vulnerability in Werkzeug, it is no longer a workaround to keep the Werkzeug version at 2.1.2.
Best regards,
Andre
You are using an unsupported version of Flask-Login, please update to the latest version (0.6.2) if possible.
When writing an application, you must use a tool like pip-tools to pin your application's full dependency tree. This gives you reproducible deployments, allowing you to control when you get updates.
I am using Flask-Login in version 0.6.2.
Here is the list of installed packages:
certifi==2022.12.7
charset-normalizer==2.0.12
click==8.1.3
Flask==2.0.3
Flask-Classful==0.14.2
Flask-Login==0.6.2
gitdb==4.0.10
GitPython==3.1.30
greenlet==2.0.2
idna==3.4
iptools==0.7.0
itsdangerous==2.1.2
Jinja2==3.1.2
MarkupSafe==2.1.2
psycopg2-binary==2.9.4
pycryptodome==3.12.0
python-dotenv==0.21.1
PyYAML==5.4.1
requests==2.27.1
smmap==5.0.0
splunk-sdk==1.6.20
SQLAlchemy==1.4.46
urllib3==1.26.14
uWSGI==2.0.21
Werkzeug==2.2.3
@davidism can you please re-open the issue? Otherwise I have to create a new one with the same content.
Sorry, we can't help you here. You'll need to debug your project yourself. If you post a new issue with the same content, it will not help you get an answer here.
I do not get that error when using the latest version of Flask and Flask-Login, however you've listed many more dependencies. You've only posted the error message, not the traceback, so perhaps the actual traceback points to a different dependency. A good way to debug this is to create a minimal, reproducible example and look at the full traceback.
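One way to act on that last suggestion, as an added example that is not from this thread, from Flask-Login or from Werkzeug: a small script that scans a site-packages tree for any package still importing parse_rule from werkzeug.routing, so the dependency blocking the Werkzeug upgrade (and with it the advisory fix) can be identified instead of guessed. The site-packages default and the regular expression for the three import styles are assumptions of this example, not something the thread states.

```python
import re
import sys
import sysconfig
from pathlib import Path

# Three ways a package can reach the removed symbol: a one-line import,
# a parenthesised multi-line import, or attribute access on the module.
IMPORT_RE = re.compile(
    r"from\s+werkzeug\.routing\s+import\s+[^(\n]*\bparse_rule\b"
    r"|from\s+werkzeug\.routing\s+import\s*\([^)]*\bparse_rule\b"
    r"|werkzeug\.routing\.parse_rule\b"
)


def references_parse_rule(source):
    """True if the Python source text uses werkzeug.routing.parse_rule."""
    return IMPORT_RE.search(source) is not None


def scan_sources(files):
    """files: iterable of (posix relative path, source text). Returns sorted
    (top-level package, path) pairs for files referencing parse_rule; the
    werkzeug tree itself is skipped because it defines the symbol."""
    hits = set()
    for rel, text in files:
        top = rel.split("/")[0]
        if top != "werkzeug" and references_parse_rule(text):
            hits.add((top, rel))
    return sorted(hits)


def find_parse_rule_users(root):
    """Walk a site-packages directory and scan every .py file in it."""
    root = Path(root)
    def iter_files():
        for py in root.rglob("*.py"):
            try:
                text = py.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file, e.g. a dangling symlink
            yield py.relative_to(root).as_posix(), text
    return scan_sources(iter_files())


if __name__ == "__main__":
    # Defaults to the running interpreter's site-packages directory (assumed).
    target = sys.argv[1] if len(sys.argv) > 1 else sysconfig.get_paths()["purelib"]
    for package, path in find_parse_rule_users(target):
        print(f"{package}: {path}")
```

Run it inside the application's virtualenv; each line names a top-level package whose sources still use parse_rule and therefore needs its own update before Werkzeug 2.2.3 can be used.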