[Feature] Support sqlparse 0.5.0

[lkell]

Is this your first time submitting a feature request?

• I have read the expectations for open source contributors
• I have searched the existing issues, and I could not find an existing issue for this feature
• I am requesting a straightforward extension of existing dbt functionality, rather than a Big Idea better suited to a discussion

Describe the feature

sqlparse < 0.5.0 contains a high severity vulnerability: GHSA-2m57-hf25-phgg.

dbt-core currently pins sqlparse to < 0.50, see https://github.com/dbt-labs/dbt-core/blob/ee74a60082b34c3a3d0df8a0d5d5cbfd7ec5ed6a/core/setup.py#L70C9-L70C31.

Upgrading the sqlparse dependency will allow dependent projects to use the patched version.

Describe alternatives you've considered

I don't think there are any real alternatives to upgrading sqlparse, since using a non-patched version would be problematic for many of the developers and organizations who use dbt.

Who will this benefit?

All users and organizations who want to use the patched version of sqlparse.

Are you interested in contributing this feature?

No response

Anything else?

No response

[dbeatty10]

Thanks for reaching out @lkell 🏆

We opened up #9951 to bump sqlparse to the range of 0.5 to 0.6 to address this.

[rory-donaldson]

When is the next release expected that will contain this fix?

[emmyoop]

We will be releasing this fix in 1.8.0b3 (today) and back porting it to v1.7 and v1.6 (planned to release today).

Unfortunately, fixing this issue isn't straightforward for us for dbt-core v1.5.

While we'd love to update sqlparse to a safer version, it no longer supports Python 3.7, and dbt-core v1.5 relies on Python 3.7 compatibility. That means if we update sqlparse, we would break compatibility with our supported Python version.

Given that dbt-core v1.5 will soon reach its end of life, we've decided not to update sqlparse.