2.11.x | Fix range for MarkupSafe to stay below 2.1

[aditya-kar]

MarkupSafe 2.1.0 has a breaking change

Remove soft_unicode, which was previously deprecated. Use soft_str instead. #261

Jinja 2.11.x requires MarkupSafe >= 0.23. This allows it to pick up the latest version of MarkupSafe with the breaking change. This PR fixes the range of MarkupSafe to stay below 2.1.0.

• fixes MarkupSafe 2.1.0 gives ImportError(soft_unicode) for Jinja2 2.11.3 #1587

Checklist:

• Add tests that demonstrate the correct behavior of the change. Tests should fail without the change.
• Add or update relevant docs, in the docs folder and in code.
• Add an entry in CHANGES.rst summarizing the change and linking to the issue.
• Add .. versionchanged:: entries in any relevant code docs.
• Run pre-commit hooks and fix any issues.
• Run pytest and tox, no tests failed.

[davidism]

You are using an unsupported version of the project, please update to the latest version. Additionally, please read https://hynek.me/articles/semver-will-not-save-you/, then use a tool like pip-tools to pin your dependencies and control when you get updates. Be sure to run your tests with deprecation warnings treated as errors so that you get notified of these types of changes early.

[kochb]

Could you clarify the harm in merging this pull request? It seems like an easy one-line change that allows us to avoid breaking existing Flask installations, and it seems like a better use of time than copy-pasting across the internet.

We couldn't make an upgrade to Flask 2.0 on release, due to a few bugs that weren't patched until 2.0.2. Not pinning transitive dependencies is on us, but expecting everyone to be up to date with breaking changes within just a few months seems like an unnecessary ask.

[ThiefMaster]

It wouldn't help because it'd also require a new release of the older versions...

[davidism]

Pinning transitive dependencies is how you control when you become up to date with changes. Please see the two links I posted, they explain better than I will here.

[kochb]

I fully understand those links. We should recognize that the headache is partially caused by Jinja2 not following their advice.

Let's take an example pinned against Flask 1.1.4. It requires Jinja2, and Jinja2 requires MarkupSafe.

Flask==1.1.4
- click [required: >=5.1,<8.0]
- itsdangerous [required: >=0.24,<2.0]
- Jinja2 [required: >=2.10.1,<3.0]
  - MarkupSafe [required: >=0.23]

Releasing a Jinja2 2.11.4 would result in the following dependency tree:

Flask==1.1.4
- click [required: >=5.1,<8.0]
- itsdangerous [required: >=0.24,<2.0]
- Jinja2 [required: >=2.10.1,<3.0]
  - MarkupSafe [required: >=0.23,<2.1]

So anyone not pinning transitive dependencies on flask would automatically pick up the change, saving a large number of developers some headaches while everyone gets their act together.