Version 1.2.68 is now available, and this version contains upgrades of many
dependency packages. Unfortunately, the latest versions of Python's pip
installer will hang trying to install the upgrade; pip will run at 100% CPU
for hours (maybe days), possibly running out of memory. Apparently, this is
a "feature" of pip and not a "bug." It relates to the new way that pip
resolves dependency conflicts.

There actually are no dependency conflicts with version 1.2.68, and pip can
install docassemble.webapp and all of its dependencies without a problem in
an empty virtual environment. The presence of older versions of
dependencies on the system triggers code in pip that causes it to

The solution to this problem is to use an earlier version of pip. Version
1.2.68 now states a dependency on pip==20.1.1. However, if you press
"Upgrade" on the Package Management page, docassemble will use its current
version of pip (which is likely newer than 20.1.1) and it will hang before
version 20.1.1 can be installed.

THEREFORE, before you press the "Upgrade" button, go to Package Management,
enter pip==20.1.1 into the "Package on PyPI" field, then click "Update."
This will install version 20.1.1 of pip on your system. Then click the
"Upgrade" button to upgrade docassemble to 1.2.68.

Hopefully, in the next few months, the developers of pip will figure out a
way to resolve dependencies in a way that doesn't hang the machine, and we
will not need to run a downgraded version of pip forever.

A security vulnerability has been discovered in the docassemble code base.
Please upgrade your servers to version 1.2.65 as soon as possible.

To upgrade your server, log in as an administrator, go to Package
Management, and press the Upgrade button. (Note: a "system upgrade"
involving updating the Docker image is not necessary.)

If your server is on version 1.0.11 or earlier, upgrade to 1.0.12 instead