This repository has been archived by the owner on Apr 17, 2021. It is now read-only.

Update itsdangerous to 1.1.0 #509

Merged
merged 1 commit into from
Oct 27, 2018

Conversation

alistairjcbrown
Collaborator

@alistairjcbrown alistairjcbrown commented Oct 27, 2018

Version 1.0.0 of itsdangerous was yanked, and docker images are failing to build in CI as they cannot install the appropriate version.

Changes in the PR were added using pipenv install itsdangerous in the users and events service directories.

Questions

❓ Do we rely on itsdangerous - should it be in the pipfile?

Before

Installing dependencies from Pipfile.lock (7e0631)…
An error occurred while installing itsdangerous==1.0.0 --hash=sha256:a7de3201740a857380421ef286166134e10fe58846bcefbc9d6424a69a0b99ec --hash=sha256:aca4fc561b7671115a2156f625f2eaa5e0e3527e0adf2870340e7968c0a81f85! Will try again.
An error occurred while installing itsdangerous==1.0.0 --hash=sha256:a7de3201740a857380421ef286166134e10fe58846bcefbc9d6424a69a0b99ec --hash=sha256:aca4fc561b7671115a2156f625f2eaa5e0e3527e0adf2870340e7968c0a81f85! Will try again.
Installing initially failed dependencies…
Looking in indexes: https://pypi.python.org/simple
Collecting itsdangerous==1.0.0

  Could not find a version that satisfies the requirement itsdangerous==1.0.0 (from -r /tmp/pipenv-adgj0c9h-requirements/pipenv-cnhrbf6y-requirement.txt (line 1)) (from versions: 0.9, 0.9.1, 0.10, 0.11, 0.12, 0.13, 0.14, 0.15, 0.16, 0.17, 0.18, 0.19, 0.20, 0.21, 0.22, 0.23, 0.24, 1.1.0)
No matching distribution found for itsdangerous==1.0.0 (from -r /tmp/pipenv-adgj0c9h-requirements/pipenv-cnhrbf6y-requirement.txt (line 1))

ERROR: Service 'users-service' failed to build: The command '/bin/sh -c pipenv install --deploy --dev --ignore-pipfile --system' returned a non-zero code: 1

After

Installing dependencies from Pipfile.lock (caaa02)…
Ignoring appnope: markers 'sys_platform == "darwin"' don't match your environment
Looking in indexes: https://pypi.python.org/simple
Removing intermediate container 5a450de31552
 ---> 02c47676693c

Version 1.0.0 was yanked, and docker images are failing the build as they cannot install the appropriate version
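The build failure above has two parts worth being able to spot before CI does: a package is pinned in Pipfile.lock that nobody declared in the Pipfile (itsdangerous came in transitively), and the pinned version has disappeared from the index (1.0.0 was yanked; only 1.1.0 and older releases remain). The following audit script is an added example, not code from this repository; the Pipfile, Pipfile.lock and the "available versions" listing it works on are constructed inline to mirror the log in the PR description.

```python
"""Audit a Pipfile.lock against its Pipfile.

Reports (1) locked packages that are only transitive dependencies, i.e. not
declared under [packages] or [dev-packages], and (2) locked pins whose exact
version is no longer offered by the index (the yanked-release case).

Added example; the inputs below are constructed, not taken from the project.
"""
import json
import re

# Constructed Pipfile excerpt (only the dependency sections are relevant here).
PIPFILE = """
[packages]
flask = "*"
requests = ">=2.0"

[dev-packages]
pytest = "*"
"""

# Constructed Pipfile.lock excerpt in the shape pipenv writes. The itsdangerous
# hashes are the two quoted in the PR's build log; the other hash lists are left empty.
PIPFILE_LOCK = json.dumps({
    "default": {
        "flask": {"version": "==1.0.2", "hashes": []},
        "itsdangerous": {
            "version": "==1.0.0",
            "hashes": [
                "sha256:a7de3201740a857380421ef286166134e10fe58846bcefbc9d6424a69a0b99ec",
                "sha256:aca4fc561b7671115a2156f625f2eaa5e0e3527e0adf2870340e7968c0a81f85",
            ],
        },
        "requests": {"version": "==2.20.0", "hashes": []},
    },
    "develop": {
        "pytest": {"version": "==3.9.3", "hashes": []},
    },
})

# Constructed index listing. The itsdangerous entry is the "from versions:" list
# printed by pip in the PR's build log; 1.0.0 is absent because it was yanked.
AVAILABLE = {
    "itsdangerous": ["0.9", "0.9.1", "0.10", "0.11", "0.12", "0.13", "0.14", "0.15",
                     "0.16", "0.17", "0.18", "0.19", "0.20", "0.21", "0.22", "0.23",
                     "0.24", "1.1.0"],
    "flask": ["1.0.2"],
    "requests": ["2.20.0"],
    "pytest": ["3.9.3"],
}


def declared_packages(pipfile_text):
    """Names declared under [packages] and [dev-packages] (minimal TOML scan, lowercased)."""
    names = set()
    section = None
    for line in pipfile_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section in ("packages", "dev-packages"):
            names.add(line.split("=", 1)[0].strip().strip('"').lower())
    return names


def locked_pins(lock_text):
    """{name: version} for every package in the lock's default and develop sections."""
    lock = json.loads(lock_text)
    pins = {}
    for section in ("default", "develop"):
        for name, spec in lock.get(section, {}).items():
            pins[name.lower()] = spec["version"].lstrip("=")
    return pins


def transitive_pins(pipfile_text, lock_text):
    """Locked packages that no Pipfile section declares: present only as dependencies of dependencies."""
    declared = declared_packages(pipfile_text)
    return {n: v for n, v in locked_pins(lock_text).items() if n not in declared}


def unavailable_pins(lock_text, available):
    """Locked pins whose exact version is missing from the index listing (e.g. yanked releases)."""
    return {n: v for n, v in locked_pins(lock_text).items() if v not in available.get(n, [])}


if __name__ == "__main__":
    print("transitive:", transitive_pins(PIPFILE, PIPFILE_LOCK))
    print("unavailable:", unavailable_pins(PIPFILE_LOCK, AVAILABLE))
```

On the constructed inputs both checks single out itsdangerous 1.0.0: it is locked without being declared, and its pinned version is not in the index listing. In a real pipeline the AVAILABLE map would come from the index (pip's "from versions:" output or the simple-index page), and a non-empty unavailable_pins result is the signal to re-lock rather than to keep retrying the build.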
@codeclimate

codeclimate bot commented Oct 27, 2018

Code Climate has analyzed commit ec6b984 and detected 0 issues on this pull request.


@apoclyps
Owner

apoclyps commented Oct 27, 2018

@alistairjcbrown looks like itsdangerous is a dependency of another dependency; I'm okay with adding this as a required dependency in order to bump it and unblock builds. I'll create an issue to review all dependencies and potentially remove this in the near future.

Issue raised in #512

Owner

@apoclyps apoclyps left a comment


LGTM 👍

@apoclyps
Owner

Looks like dependabot just opened a PR to bump the dependency in the lock file in #513; if it's green we should bump it instead and avoid adding it as a direct dependency.

@alistairjcbrown
Collaborator Author

alistairjcbrown commented Oct 27, 2018

@apoclyps It'll need to bump it in /services/users too, so just #512 on its own won't be enough; we need to wait for it to open another for users.

looks like itsdangerous is a dependency of another dependency

Is it weird that dependabot bumps another dependency's dependency?
Also, for this PR, is there a better way of bumping that dependency than adding it as a direct dependency?

@alistairjcbrown
Collaborator Author

I'm going to land this so that we can get green CI, and look into this afterwards as part of the issue that's been spun out.

@alistairjcbrown alistairjcbrown merged commit a9d895a into master Oct 27, 2018
@alistairjcbrown alistairjcbrown deleted the update-itsdangerous branch October 27, 2018 16:02
@apoclyps
Owner

@alistairjcbrown I believe dependabot will install the latest version of the dependency that is currently available; I'm guessing it's using itsdangerous >= 1.0, so in this case it bumps it to 1.1.0 as 1.0 is no longer available. You should be able to do the same locally by deleting the Pipfile.lock and running pipenv install without needing to specify itsdangerous.

@alistairjcbrown
Collaborator Author

alistairjcbrown commented Oct 27, 2018

Thanks, may be worth reverting this and doing that instead. Will look at it tomorrow if I have time.
