chore: bump werkzeug and Flask

[dpgaspar]

SUMMARY

Bump Flask and Werkzeug

https://nvd.nist.gov/vuln/detail/CVE-2023-30861

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[EugeneTorap]

Hi @dpgaspar! We have a Mypy configuration problem in #23927
Do you know how to fix it?

Basically the problem is that some dependencies (e.g. Flask since version 2.0) have stubs include in their main distribution, while other dependencies require stubs to be installed vie the typeshed distribution. (i.e. the 'types-*' packages from PyPI).

[dpgaspar]

Hi @dpgaspar! We have a Mypy configuration problem in #23927 Do you know how to fix it?

Basically the problem is that some dependencies (e.g. Flask since version 2.0) have stubs include in their main distribution, while other dependencies require stubs to be installed vie the typeshed distribution. (i.e. the 'types-*' packages from PyPI).

not yet

[EugeneTorap]

I suggest you to pin werkzeug in setup.py because we use this lib in superset project directly.

[dpgaspar]

done, makes sense

[codecov]

Codecov Report

Merging #23965 (d76eabc) into master (4a828f5) will decrease coverage by 11.20%.
The diff coverage is n/a.

❗ Current head d76eabc differs from pull request most recent head 5f80dcf. Consider uploading reports for the commit 5f80dcf to get more accurate results

@@             Coverage Diff             @@
##           master   #23965       +/-   ##
===========================================
- Coverage   68.18%   56.98%   -11.20%     
===========================================
  Files        1941     1941               
  Lines       75261    75261               
  Branches     8168     8168               
===========================================
- Hits        51317    42888     -8429     
- Misses      21855    30284     +8429     
  Partials     2089     2089               

Flag	Coverage Δ
hive	53.18% <ø> (ø)
mysql	?
presto	53.10% <ø> (ø)
python	59.60% <ø> (-23.11%)	⬇️
sqlite	?
unit	53.05% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

see 306 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[EugeneTorap]

@cwegener @dpgaspar I found that mypy PR python/mypy#10652 which resolves flask & werkzeug typing problems.
@dpgaspar Can you try to upgrade the mypy version?

[EugeneTorap]

@cwegener @dpgaspar Ohh we already has v1.0.1 mypy but it downloads flask-stubs because we use additional_dependencies: [types-all] in .pre-commit-config.yaml file

[cwegener]

Hi @dpgaspar! We have a Mypy configuration problem in #23927 Do you know how to fix it?

Basically the problem is that some dependencies (e.g. Flask since version 2.0) have stubs include in their main distribution, while other dependencies require stubs to be installed vie the typeshed distribution. (i.e. the 'types-*' packages from PyPI).

I'm actually not very concerned about the static type checking at the moment. I think it's a lower priority.
Getting the Async Query Runner working with Flask 2.2 is currently the main blocker for migrating to Flask 2.2

[cwegener]

@cwegener @dpgaspar Ohh we already has v1.0.1 mypy but it downloads flask-stubs because we use additional_dependencies: [types-all] in .pre-commit-config.yaml file

Yes. The solution for this particular mypy issue should be to remove the types-all dependency in the pre-commit config and replace it with the curated, explicit list of all desired python type stubs packages that we know are required to successfully run static type checks.

[cwegener]

Would it be better to go to Flask 2.2 before migrating to Flask 2.3?

[dpgaspar]

a bit of an hack, async_query_manager.init_app(app) registers a Flask app.before_request. New Flask will only allow registering before request hooks if no request was yet processed by the app.

[dpgaspar]

This is an interesting case that surfaced on this new Flask version. Flask now is stricter, so when popping a new context from the app stack it checks if the context is the one we are expecting. load_energy_table_with_slice creates a new app_context so it needs to be first

[dpgaspar]

Would it be better to go to Flask 2.2 before migrating to Flask 2.3?

Flask is on 2.2

[dpgaspar]

Wow, that's impressive work! Now we need to fix the flask-stubs issue. We use additional_dependencies: [types-all] in .pre-commit-config.yaml file which downloads the old flask-stubs.

yep, thank you once more for doing that on: #24033

[villebro]

LGTM, pretty big changes needed, thanks for all the work here 👍