chore: Bump flask libs

[EugeneTorap]

SUMMARY

The PR bump the next flask libs:

• flask to 2.1.3
• flask-compress to 1.13
• flask-login to 0.6.0
• flask-talisman to 1.0.0
• flask-wtf to 1.0.1
• werkzeug to 2.1.2

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[codecov]

Codecov Report

Merging #22355 (a5fa09d) into master (6e4d6e5) will increase coverage by 0.00%.
The diff coverage is 96.00%.

❗ Current head a5fa09d differs from pull request most recent head 3f85e77. Consider uploading reports for the commit 3f85e77 to get more accurate results

@@           Coverage Diff           @@
##           master   #22355   +/-   ##
=======================================
  Coverage   67.00%   67.01%           
=======================================
  Files        1859     1859           
  Lines       71019    71037   +18     
  Branches     7766     7766           
=======================================
+ Hits        47587    47605   +18     
  Misses      21410    21410           
  Partials     2022     2022           

Flag	Coverage Δ
hive	52.46% <43.47%> (-0.01%)	⬇️
mysql	78.00% <95.65%> (+0.01%)	⬆️
postgres	78.07% <95.65%> (+0.01%)	⬆️
presto	52.36% <43.47%> (-0.01%)	⬇️
python	81.33% <95.65%> (+<0.01%)	⬆️
sqlite	76.45% <95.65%> (+0.01%)	⬆️
unit	51.46% <43.47%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...s/legacy-plugin-chart-country-map/src/countries.ts	100.00% <ø> (ø)
superset/views/core.py	74.96% <75.00%> (-0.02%)	⬇️
...c/components/Chart/DrillDetail/DrillDetailPane.tsx	76.04% <100.00%> (ø)
...mponents/DataTablesPane/components/SamplesPane.tsx	97.67% <100.00%> (ø)
superset/config.py	91.66% <100.00%> (+0.12%)	⬆️
superset/dashboards/api.py	92.57% <100.00%> (ø)
superset/views/filters.py	100.00% <100.00%> (ø)
superset/views/datasource/schemas.py	97.22% <0.00%> (-2.78%)	⬇️
superset/views/base.py	76.97% <0.00%> (+0.68%)	⬆️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[EugeneTorap]

Werkzeug 2.1.0 changelog:

Response.autocorrect_location_header is disabled by default. The Location header URL will remain relative, and exclude the scheme and domain, by default. pallets/werkzeug#2352

When Response.autocorrect_location_header was added in 2011 pallets/werkzeug@0ec643b, it was documented as "correct the location header to be RFC conformant". It was referring to RFC 2616. That was superseded by RFC 7231 in 2014, which allows relative URLs. MDN lists all browsers as compliant with this. Switch autocorrect_location_header to be disabled by default.

[EugeneTorap]

Werkzeug 2.1.0 changelog:

Request.get_json() will raise a 400 BadRequest error if the Content-Type header is not application/json. This makes a very common source of confusion more visible. pallets/werkzeug#2339

If there's no json param or json=None then 400 http status will be thrown

[dpgaspar]

Seeing that GHSA-7wxw-4483-3m34 is a disputed CVE, and only occurs when running Flask with the provided dev server, something you should never do on production for several reasons.

regarding flask-caching I don't see on the CVE any submitted patches, GHSA-656c-6cxf-hvcv. This CVE is disputed also, since an attacker would have to be able to write to the cache itself, something that would cause severe issues all around not just by deserializing content with Pickle.

Can you please just bump Pillow and resolve the current PR conflicts? Thank you

[EugeneTorap]

@dpgaspar I've created a separate PR for Pillow - #22489
This PR will be for updating flask libs.

[dpgaspar]

looks good, final comments

[dpgaspar]

this seems like an unrelated change, no?

[EugeneTorap]

It's the related change. When you want to run the local tests with SQLALCHEMY_EXAMPLES_URI = None you will have an exception here and I fix the issue.

URI to database storing the example data, points to
SQLALCHEMY_DATABASE_URI by default if set to None

[dpgaspar]

why did this changed to a 400 now?

[EugeneTorap]

Werkzeug 2.1.0 changelog:

Request.get_json() will raise a 400 BadRequest error if the Content-Type header is not application/json. This makes a very common source of confusion more visible. pallets/werkzeug#2339

If there's no json param or json=None then 400 http status will be thrown

[EugeneTorap]

@dpgaspar @villebro I have fixed that 400 'Bad Request' problem for datasource/samples [POST] API.
Can you take a look and I guess we can merge the PR.

[dpgaspar]

Great work! @EugeneTorap

[cwegener]

@EugeneTorap @dpgaspar Seeing that the compiled .txt lock files are manually edited in this change as well, is it correct to assume that pip-compile-multi is now deprecated and no longer used? Will it be replaced with an alternative any time soon?

[EugeneTorap]

Hi @cwegener! I want to prepare a PR with poetry instead of pip-compile-multi usage for dependency management.

[villebro]

@cwegener @EugeneTorap the lock files should preferably be updated via pip-compile-multi, and IMO it does work quite ok. Having said that, I'd love to see us move over to poetry, but I think it's a pretty big task and requires proper coordination to avoid unnecessary regressions or general back and forth.

[cwegener]

I find that poetry's dependency management is not quite reliable enough for large codebases.

Anyway. Sounds like there is a need for either discussion of the Python dependency management options, or a better checking of consistent pip-compile-multi usage.

[villebro]

I find that poetry's dependency management is not quite reliable enough for large codebases.

Anyway. Sounds like there is a need for either discussion of the Python dependency management options, or a better checking of consistent pip-compile-multi usage.

We should probably add a check to to our linting workflow ensure the compiled lock files are correct. Should be easy.