
High Priority: Dependency Updates - Phase 1 #141

@kathirpsmy

Type: Enhancement / Maintenance
Priority: High
Effort: Medium-Large
Data Source: Automated PyPI scan (Feb 17, 2026)


Description

This project is using several outdated dependencies that require urgent updates. Analysis shows 93 of 114 packages (82%) need updates, with 7 security-critical packages requiring immediate attention.

The following are high-priority dependencies due to:

  • Security vulnerabilities or upcoming security patches
  • End-of-life or approaching end-of-life versions
  • Major breaking changes coming in new versions (requiring careful migration planning)
  • Critical bug fixes and stability improvements

Note: All version numbers below have been verified against PyPI and represent the latest stable versions as of this scan.

This issue tracks the Phase 1 (High Priority) dependency updates. We will handle subsequent updates in separate phases (Medium and Low priority).


High Priority Dependencies to Update

1. SQLAlchemy: 1.4.36 → 2.0.46 ⚠️ CRITICAL

  • Current Version: 1.4.36 (4+ years old)
  • Target Version: 2.0.46 (Latest stable)
  • Reason:
    • SQLAlchemy 1.4 reached end-of-life
    • 2.0+ introduces major breaking changes (removal of legacy ORM patterns, changes to query API)
    • Security improvements and critical bug fixes
  • Potential Breaking Changes:
    • ORM query API has changed significantly
    • Relationship configuration changes
    • Session management patterns differ
    • May require updates to all database-related code in SIMS_Portal/models.py
  • Affected Code:
    • SIMS_Portal/models.py
    • All route files that use database operations
  • Estimated Impact: ⚠️ High - Requires thorough testing

2. Flask-SQLAlchemy: 2.5.1 → 3.1.1 ⚠️ CRITICAL

  • Current Version: 2.5.1 (2+ years old)
  • Target Version: 3.1.1 (Latest stable)
  • Reason:
    • REQUIRED for SQLAlchemy 2.0+ compatibility
    • Improved session management and lazy loading defaults
    • Security improvements
  • Dependency Chain: Must update after SQLAlchemy 2.0.46
  • Potential Breaking Changes:
    • Session binding changes
    • Lazy loading behavior changes (now defaults to select)
    • Model initialization may require adjustments
  • Affected Code:
    • Database model definitions
    • All query operations
  • Estimated Impact: ⚠️ High - Tightly coupled with SQLAlchemy upgrade

3. Flask: 2.1.2 → 3.1.2 ⚠️ HIGH

  • Current Version: 2.1.2 (4+ years old)
  • Target Version: 3.1.2 (Latest stable)
  • Reason:
    • Flask 2.1 is approaching end-of-life
    • 3.0+ requires Python 3.8+ (current: 3.12.3 ✅)
    • Better security posture and performance improvements
  • Potential Breaking Changes:
    • Deprecation of some helper functions
    • Changes to jsonify() behavior with custom JSON encoders
    • Blueprint registration might need adjustments
  • Affected Code:
    • Main Flask app initialization
    • All blueprints in SIMS_Portal/*/routes.py
    • Response handling throughout the app
  • Estimated Impact: ⚠️ Medium-High - Requires careful testing

4. Werkzeug: 2.1.2 → 3.1.5 ⚠️ HIGH

  • Current Version: 2.1.2 (bundled with Flask 2.1.2)
  • Target Version: 3.1.5 (Latest stable, comes with Flask 3.1.2)
  • Reason:
    • Security updates and bug fixes
    • Automatically updated with Flask 3.1.2
  • Potential Breaking Changes:
    • Request/response object API changes
    • File handling changes
    • CORS and security header handling
  • Estimated Impact: ⚠️ Medium - Tested via Flask upgrade

5. Cryptography: 37.0.2 → 46.0.5 🔒 SECURITY

  • Current Version: 37.0.2 (4+ years old, 9-version gap!)
  • Target Version: 46.0.5 (Latest stable)
  • Reason:
    • SIGNIFICANT security gap - 9 major versions behind
    • Critical for authentication systems and encrypted data handling
    • Essential Python 3.12 compatibility
  • Potential Breaking Changes:
    • Minimal - mostly backward compatible
  • Affected Code:
    • Authentication modules
    • Password hashing (bcrypt)
    • Any encryption/decryption operations
  • Estimated Impact: ✅ Low - Likely minimal breaking changes

6. Requests: 2.27.1 → 2.32.5 🔒 SECURITY

  • Current Version: 2.27.1 (4+ years old, 5-version gap)
  • Target Version: 2.32.5 (Latest stable)
  • Reason:
    • Multiple security patches and SSL/TLS improvements
    • Used throughout app for API calls (Slack, GitHub, Mapbox, etc.)
    • Better standards compliance
  • Potential Breaking Changes:
    • Minimal - mostly backward compatible
  • Affected Code:
    • External API calls (Slack, GitHub, Mapbox, Dropbox, etc.)
    • Webhook handlers
  • Estimated Impact: ✅ Low - Should be mostly drop-in replacement

7. PyJWT: 2.8.0 → 2.11.0 🔒 SECURITY

  • Current Version: 2.8.0 (3-version gap)
  • Target Version: 2.11.0 (Latest stable)
  • Reason:
    • JWT security critical - handles authentication tokens
    • Backward compatible security improvements
  • Potential Breaking Changes:
    • None - backward compatible updates
  • Affected Code:
    • OAuth/authentication flows
    • Token generation and validation
  • Estimated Impact: ✅ Low

8. MarkupSafe: 2.1.1 → 3.0.3 🔒 SECURITY

  • Current Version: 2.1.1 (4+ years old)
  • Target Version: 3.0.3 (Latest stable)
  • Reason:
    • Template rendering safety - security critical
    • Required for Flask template rendering
  • Potential Breaking Changes:
    • Minimal across most use cases
  • Affected Code:
    • Template rendering (all HTML templates)
  • Estimated Impact: ✅ Low

9. Certifi: 2022.5.18.1 → 2026.1.4 🔒 SECURITY

  • Current Version: 2022.5.18.1 (4+ years old CA certificates)
  • Target Version: 2026.1.4 (Latest stable)
  • Reason:
    • Contains updated CA certificate bundle
    • Critical for HTTPS/SSL validation
    • Required dependency for requests/urllib3
  • Potential Breaking Changes:
    • None - data-only package
  • Estimated Impact: ✅ None - Safe to update

10. Pandas: 1.4.2 → 3.0.0 ⚠️ MEDIUM-HIGH

  • Current Version: 1.4.2 (4+ years old)
  • Target Version: 3.0.0 (Latest stable)
  • Reason:
    • 1.4.x is outdated
    • Performance improvements
    • Better handling of missing data and types
  • Potential Breaking Changes:
    • Behavior changes in some operations (groupby, resample)
    • Deprecation of some accessor methods
    • Changes to nullable data types
  • Affected Code:
    • Any data processing logic (likely in portfolio/analytics modules)
    • Data export/import operations
  • Estimated Impact: ⚠️ Medium - Depends on usage

11. NumPy: 1.22.4 → 2.4.2 ⚠️ MEDIUM

  • Current Version: 1.22.4 (4+ years old)
  • Target Version: 2.4.2 (Latest stable, compatible with Pandas 3.0.0)
  • Reason:
    • Supports newer Python versions
    • Performance and security improvements
    • Dependency for pandas and other scientific libraries
  • Potential Breaking Changes:
    • Some API deprecations removed
    • Behavioral changes in edge cases
  • Affected Code:
    • Data processing operations (usually indirect via pandas)
  • Estimated Impact: ⚠️ Medium - Mostly affects pandas operations

Recommended Update Strategy

Phase 1 (This Issue) - Critical Path (Must follow this order):

Tier 1 - Core Framework (sequential):

  1. SQLAlchemy: 1.4.36 → 2.0.46 (must be first - all others depend on it)
  2. Flask-SQLAlchemy: 2.5.1 → 3.1.1 (requires SQLAlchemy 2.0+)
  3. Flask: 2.1.2 → 3.1.2 (requires Flask-SQLAlchemy 3.1.1)

Tier 2 - Security Critical (updates automatically with Tier 1):

  • Werkzeug 2.1.2 → 3.1.5 (automatic with Flask 3.1.2)
  • MarkupSafe 2.1.1 → 3.0.3 (required for Flask 3.1.2)

Tier 3 - Security Hot Fixes (can be parallel with Tier 1 testing):

  • Cryptography 37.0.2 → 46.0.5 (9-version gap!)
  • Requests 2.27.1 → 2.32.5 (5-version gap)
  • PyJWT 2.8.0 → 2.11.0
  • Certifi 2022.5.18.1 → 2026.1.4 (outdated CA bundle)

Phase 2 (Medium Priority) - After Phase 1 validation:

  • Pandas 1.4.2 → 3.0.0
  • NumPy 1.22.4 → 2.4.2
  • Other Flask extensions (Flask-Admin, Flask-Migrate, etc.)
  • Celery 5.2.7 → 5.6.2 and related packages

Phase 3 (Low Priority) - After Phase 2:

  • All remaining 73+ outdated packages
  • Update cycle can be 1-2 packages per week

Overall Impact: 93 packages total need updates (82% of dependencies)
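A quick way to confirm that the Phase 1 targets above actually landed in requirements.txt, as an added example that is not part of this issue or the SIMS_Portal repository: parse the `==` pins, normalise the package names, and compare release numbers numerically against the target versions quoted in this issue. The sample requirements content is constructed from the current versions listed above, with PyJWT already bumped so the "up to date" path is exercised; the helper names (`check_targets`, `version_key`) are this example's own.

```python
"""Report which Phase 1 target versions are still behind in requirements.txt.

Added example, not part of the issue or the project. Targets are the versions
quoted in this issue; the sample requirements text is constructed.
"""
import re

# Target versions taken from this issue (Tier 1, Tier 2 and Tier 3).
PHASE1_TARGETS = {
    "sqlalchemy": "2.0.46",
    "flask-sqlalchemy": "3.1.1",
    "flask": "3.1.2",
    "werkzeug": "3.1.5",
    "markupsafe": "3.0.3",
    "cryptography": "46.0.5",
    "requests": "2.32.5",
    "pyjwt": "2.11.0",
    "certifi": "2026.1.4",
}

# Constructed requirements.txt content: the current pins from the issue, with
# PyJWT already updated to the target version.
SAMPLE_REQUIREMENTS = """\
# core
Flask==2.1.2
Werkzeug==2.1.2
SQLAlchemy==1.4.36
Flask-SQLAlchemy==2.5.1
MarkupSafe==2.1.1
cryptography==37.0.2
requests==2.27.1
PyJWT==2.11.0
certifi==2022.5.18.1
pandas>=1.4  # lower bound only, not a hard pin
"""

_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def normalize(name):
    # PEP 503 name normalisation: case-insensitive, runs of -, _ and . are
    # equivalent, so "Flask-SQLAlchemy" and "flask_sqlalchemy" compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version):
    # Compare release segments as integers: "2.11.0" is newer than "2.8.0",
    # which a plain string comparison gets wrong. A non-numeric segment sorts
    # below any number so pre-release tags never outrank a final release.
    key = []
    for part in version.split("."):
        m = re.match(r"(\d+)(.*)", part)
        if m:
            key.append((int(m.group(1)), m.group(2)))
        else:
            key.append((-1, part))
    return tuple(key)


def parse_pins(text):
    # Return {normalised_name: pinned_version} for every exact '==' pin;
    # comments, blank lines and range specifiers are skipped.
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def check_targets(requirements_text, targets=PHASE1_TARGETS):
    # behind: {name: (pinned, target)}; ok: at or above target; unpinned: no
    # exact pin present, so the version cannot be verified from the file.
    pins = parse_pins(requirements_text)
    behind, ok, unpinned = {}, [], []
    for name, target in targets.items():
        if name not in pins:
            unpinned.append(name)
        elif version_key(pins[name]) < version_key(target):
            behind[name] = (pins[name], target)
        else:
            ok.append(name)
    return {"behind": behind, "ok": sorted(ok), "unpinned": sorted(unpinned)}


if __name__ == "__main__":
    report = check_targets(SAMPLE_REQUIREMENTS)
    for name, (have, want) in sorted(report["behind"].items()):
        print(f"BEHIND   {name:<18} {have:>12} -> {want}")
    for name in report["ok"]:
        print(f"OK       {name}")
    for name in report["unpinned"]:
        print(f"UNPINNED {name}")
```

Run it against the real requirements.txt before and after each tier; an empty `behind` list for the Tier 1 to 3 names is the objective check that Phase 1 is complete, and the `unpinned` list catches packages such as Werkzeug that arrive transitively and are easy to forget to pin.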


Migration Checklist

Before Starting:

  • Create a new branch: deps/high-priority-upgrade
  • Document current Python version
  • Back up current working requirements.txt as requirements.txt.backup
  • Run full test suite to establish baseline

During Update:

  • Update SQLAlchemy to 2.0+ first
  • Review SQLAlchemy 2.0 migration guide (see Links)
  • Update models.py to use new ORM patterns
  • Run tests after SQLAlchemy changes
  • Update Flask-SQLAlchemy to 3.0+
  • Test database operations
  • Update Flask to 3.0+
  • Test app startup and basic routes
  • Run full test suite
  • Test all authenticated endpoints
  • Test external API integrations (Slack, GitHub, etc.)

After Update:

  • Resolve any deprecation warnings that appear in the logs
  • Performance benchmarking (optional but recommended)
  • Create detailed migration notes for team
  • Schedule code review
  • Deploy to staging first

Resources & Documentation

SQLAlchemy 2.0 Migration:

Flask 3.0 Migration:

Flask-SQLAlchemy:


Current Environment Status

Python Version: 3.12.3 (Compatible with all target versions)
⚠️ Critical Gap: 93 of 114 packages outdated (82%)
🔒 Security-Critical Packages Outdated: 7 packages

Dependency Age Summary:

  • Framework Core (Flask, SQLAlchemy): 4+ years old
  • Cryptography: 4 years old (9-version gap - highest priority)
  • Requests/PyJWT: 4 years old (security critical)
  • Data Stack (Pandas/NumPy): 4 years old

Testing Strategy

  1. Unit Tests: Run existing test suite frequently
  2. Integration Tests: Verify database operations work correctly
  3. Regression Tests: Test all routes that handle:
    • Database reads/writes
    • Authentication
    • External API calls
    • File uploads/downloads
  4. Manual Testing: Login flows, form submissions, role-based access

Notes

  • Single Developer Note: This update requires careful sequential testing. Consider breaking it into small commits for easier review and rollback.
  • Breaking Changes: SQLAlchemy and Flask upgrades are non-trivial. Allocate sufficient time for this phase.
  • Python Version: Verify minimum Python version requirement after Flask upgrade (Flask 3.0+ requires Python 3.8+)
  • Virtual Environment: Keep an old venv for reference during migration if needed

Questions to Address

  • What's the minimum Python version currently in use? (needed for Flask 3.0)
  • Are there any custom SQLAlchemy extensions or configurations we need to review?
  • Do we have comprehensive test coverage for database operations?
  • Should we run performance tests before and after?

Labels: dependencies, maintenance, high-priority, breaking-changes

Related Issues: (To be filled after Phase 1 completion for Phase 2 and Phase 3)
