Update dependency Flask to v2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
Flask (changelog)	==1.1.4 -> ==2.2.5

GitHub Vulnerability Alerts

CVE-2023-30861

When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by a proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session cookie to other clients. The severity depends on the application's use of the session, and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
2. The application sets session.permanent = True.
3. The application does not access or modify the session at any point during a request.
4. SESSION_REFRESH_EACH_REQUEST is enabled (the default).
5. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the Vary: Cookie header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified.

---

Release Notes

pallets/flask (Flask)

v2.2.5

Compare Source

Released 2023-05-02

• Update for compatibility with Werkzeug 2.3.3.
• Set Vary: Cookie header when the session is accessed, modified, or refreshed.

v2.2.4

Compare Source

Released 2023-04-25

• Update for compatibility with Werkzeug 2.3.

v2.2.3

Compare Source

Released 2023-02-15

• Autoescape is enabled by default for .svg template files. :issue:4831
• Fix the type of template_folder to accept pathlib.Path. :issue:4892
• Add --debug option to the flask run command. :issue:4777

v2.2.2

Compare Source

Released 2022-08-08

• Update Werkzeug dependency to >= 2.2.2. This includes fixes related
  to the new faster router, header parsing, and the development
  server. :pr:4754
• Fix the default value for app.env to be "production". This
  attribute remains deprecated. :issue:4740

v2.2.1

Compare Source

Released 2022-08-03

• Setting or accessing json_encoder or json_decoder raises a
  deprecation warning. :issue:4732

v2.2.0

Compare Source

Released 2022-08-01

• Remove previously deprecated code. :pr:4667

  • Old names for some send_file parameters have been removed.
    download_name replaces attachment_filename, max_age
    replaces cache_timeout, and etag replaces add_etags.
    Additionally, path replaces filename in
    send_from_directory.
  • The RequestContext.g property returning AppContext.g is
    removed.

• Update Werkzeug dependency to >= 2.2.

• The app and request contexts are managed using Python context vars
  directly rather than Werkzeug's LocalStack. This should result
  in better performance and memory use. :pr:4682

  • Extension maintainers, be aware that _app_ctx_stack.top
    and _request_ctx_stack.top are deprecated. Store data on
    g instead using a unique prefix, like
    g._extension_name_attr.

• The FLASK_ENV environment variable and app.env attribute are
  deprecated, removing the distinction between development and debug
  mode. Debug mode should be controlled directly using the --debug
  option or app.run(debug=True). :issue:4714

• Some attributes that proxied config keys on app are deprecated:
  session_cookie_name, send_file_max_age_default,
  use_x_sendfile, propagate_exceptions, and
  templates_auto_reload. Use the relevant config keys instead.
  :issue:4716

• Add new customization points to the Flask app object for many
  previously global behaviors.

  • flask.url_for will call app.url_for. :issue:4568
  • flask.abort will call app.aborter.
    Flask.aborter_class and Flask.make_aborter can be used
    to customize this aborter. :issue:4567
  • flask.redirect will call app.redirect. :issue:4569
  • flask.json is an instance of JSONProvider. A different
    provider can be set to use a different JSON library.
    flask.jsonify will call app.json.response, other
    functions in flask.json will call corresponding functions in
    app.json. :pr:4692

• JSON configuration is moved to attributes on the default
  app.json provider. JSON_AS_ASCII, JSON_SORT_KEYS,
  JSONIFY_MIMETYPE, and JSONIFY_PRETTYPRINT_REGULAR are
  deprecated. :pr:4692

• Setting custom json_encoder and json_decoder classes on the
  app or a blueprint, and the corresponding json.JSONEncoder and
  JSONDecoder classes, are deprecated. JSON behavior can now be
  overridden using the app.json provider interface. :pr:4692

• json.htmlsafe_dumps and json.htmlsafe_dump are deprecated,
  the function is built-in to Jinja now. :pr:4692

• Refactor register_error_handler to consolidate error checking.
  Rewrite some error messages to be more consistent. :issue:4559

• Use Blueprint decorators and functions intended for setup after
  registering the blueprint will show a warning. In the next version,
  this will become an error just like the application setup methods.
  :issue:4571

• before_first_request is deprecated. Run setup code when creating
  the application instead. :issue:4605

• Added the View.init_every_request class attribute. If a view
  subclass sets this to False, the view will not create a new
  instance on every request. :issue:2520.

• A flask.cli.FlaskGroup Click group can be nested as a
  sub-command in a custom CLI. :issue:3263

• Add --app and --debug options to the flask CLI, instead
  of requiring that they are set through environment variables.
  :issue:2836

• Add --env-file option to the flask CLI. This allows
  specifying a dotenv file to load in addition to .env and
  .flaskenv. :issue:3108

• It is no longer required to decorate custom CLI commands on
  app.cli or blueprint.cli with @with_appcontext, an app
  context will already be active at that point. :issue:2410

• SessionInterface.get_expiration_time uses a timezone-aware
  value. :pr:4645

• View functions can return generators directly instead of wrapping
  them in a Response. :pr:4629

• Add stream_template and stream_template_string functions to
  render a template as a stream of pieces. :pr:4629

• A new implementation of context preservation during debugging and
  testing. :pr:4666

  • request, g, and other context-locals point to the
    correct data when running code in the interactive debugger
    console. :issue:2836
  • Teardown functions are always run at the end of the request,
    even if the context is preserved. They are also run after the
    preserved context is popped.
  • stream_with_context preserves context separately from a
    with client block. It will be cleaned up when
    response.get_data() or response.close() is called.

• Allow returning a list from a view function, to convert it to a
  JSON response like a dict is. :issue:4672

• When type checking, allow TypedDict to be returned from view
  functions. :pr:4695

• Remove the --eager-loading/--lazy-loading options from the
  flask run command. The app is always eager loaded the first
  time, then lazily loaded in the reloader. The reloader always prints
  errors immediately but continues serving. Remove the internal
  DispatchingApp middleware used by the previous implementation.
  :issue:4715

v2.1.3

Compare Source

Released 2022-07-13

• Inline some optional imports that are only used for certain CLI
  commands. :pr:4606
• Relax type annotation for after_request functions. :issue:4600
• instance_path for namespace packages uses the path closest to
  the imported submodule. :issue:4610
• Clearer error message when render_template and
  render_template_string are used outside an application context.
  :pr:4693

v2.1.2

Compare Source

Released 2022-04-28

• Fix type annotation for json.loads, it accepts str or bytes.
  :issue:4519
• The --cert and --key options on flask run can be given
  in either order. :issue:4459

v2.1.1

Compare Source

Released on 2022-03-30

• Set the minimum required version of importlib_metadata to 3.6.0,
  which is required on Python < 3.10. :issue:4502

v2.1.0

Compare Source

Released 2022-03-28

• Drop support for Python 3.6. :pr:4335

• Update Click dependency to >= 8.0. :pr:4008

• Remove previously deprecated code. :pr:4337

  • The CLI does not pass script_info to app factory functions.
  • config.from_json is replaced by
    config.from_file(name, load=json.load).
  • json functions no longer take an encoding parameter.
  • safe_join is removed, use werkzeug.utils.safe_join
    instead.
  • total_seconds is removed, use timedelta.total_seconds
    instead.
  • The same blueprint cannot be registered with the same name. Use
    name= when registering to specify a unique name.
  • The test client's as_tuple parameter is removed. Use
    response.request.environ instead. :pr:4417

• Some parameters in send_file and send_from_directory were
  renamed in 2.0. The deprecation period for the old names is extended
  to 2.2. Be sure to test with deprecation warnings visible.

  • attachment_filename is renamed to download_name.
  • cache_timeout is renamed to max_age.
  • add_etags is renamed to etag.
  • filename is renamed to path.

• The RequestContext.g property is deprecated. Use g directly
  or AppContext.g instead. :issue:3898

• copy_current_request_context can decorate async functions.
  :pr:4303

• The CLI uses importlib.metadata instead of pkg_resources to
  load command entry points. :issue:4419

• Overriding FlaskClient.open will not cause an error on redirect.
  :issue:3396

• Add an --exclude-patterns option to the flask run CLI
  command to specify patterns that will be ignored by the reloader.
  :issue:4188

• When using lazy loading (the default with the debugger), the Click
  context from the flask run command remains available in the
  loader thread. :issue:4460

• Deleting the session cookie uses the httponly flag.
  :issue:4485

• Relax typing for errorhandler to allow the user to use more
  precise types and decorate the same function multiple times.
  :issue:4095, 4295, 4297

• Fix typing for __exit__ methods for better compatibility with
  ExitStack. :issue:4474

• From Werkzeug, for redirect responses the Location header URL
  will remain relative, and exclude the scheme and domain, by default.
  :pr:4496

• Add Config.from_prefixed_env() to load config values from
  environment variables that start with FLASK_ or another prefix.
  This parses values as JSON by default, and allows setting keys in
  nested dicts. :pr:4479

v2.0.3

Compare Source

Released 2022-02-14

• The test client's as_tuple parameter is deprecated and will be
  removed in Werkzeug 2.1. It is now also deprecated in Flask, to be
  removed in Flask 2.1, while remaining compatible with both in
  2.0.x. Use response.request.environ instead. :pr:4341
• Fix type annotation for errorhandler decorator. :issue:4295
• Revert a change to the CLI that caused it to hide ImportError
  tracebacks when importing the application. :issue:4307
• app.json_encoder and json_decoder are only passed to
  dumps and loads if they have custom behavior. This improves
  performance, mainly on PyPy. :issue:4349
• Clearer error message when after_this_request is used outside a
  request context. :issue:4333

v2.0.2

Compare Source

Released 2021-10-04

• Fix type annotation for teardown_* methods. :issue:4093
• Fix type annotation for before_request and before_app_request
  decorators. :issue:4104
• Fixed the issue where typing requires template global
  decorators to accept functions with no arguments. :issue:4098
• Support View and MethodView instances with async handlers. :issue:4112
• Enhance typing of app.errorhandler decorator. :issue:4095
• Fix registering a blueprint twice with differing names. :issue:4124
• Fix the type of static_folder to accept pathlib.Path.
  :issue:4150
• jsonify handles decimal.Decimal by encoding to str.
  :issue:4157
• Correctly handle raising deferred errors in CLI lazy loading.
  :issue:4096
• The CLI loader handles **kwargs in a create_app function.
  :issue:4170
• Fix the order of before_request and other callbacks that trigger
  before the view returns. They are called from the app down to the
  closest nested blueprint. :issue:4229

v2.0.1

Compare Source

Released 2021-05-21

• Re-add the filename parameter in send_from_directory. The
  filename parameter has been renamed to path, the old name
  is deprecated. :pr:4019
• Mark top-level names as exported so type checking understands
  imports in user projects. :issue:4024
• Fix type annotation for g and inform mypy that it is a namespace
  object that has arbitrary attributes. :issue:4020
• Fix some types that weren't available in Python 3.6.0. :issue:4040
• Improve typing for send_file, send_from_directory, and
  get_send_file_max_age. :issue:4044, :pr:4026
• Show an error when a blueprint name contains a dot. The . has
  special meaning, it is used to separate (nested) blueprint names and
  the endpoint name. :issue:4041
• Combine URL prefixes when nesting blueprints that were created with
  a url_prefix value. :issue:4037
• Revert a change to the order that URL matching was done. The
  URL is again matched after the session is loaded, so the session is
  available in custom URL converters. :issue:4053
• Re-add deprecated Config.from_json, which was accidentally
  removed early. :issue:4078
• Improve typing for some functions using Callable in their type
  signatures, focusing on decorator factories. :issue:4060
• Nested blueprints are registered with their dotted name. This allows
  different blueprints with the same name to be nested at different
  locations. :issue:4069
• register_blueprint takes a name option to change the
  (pre-dotted) name the blueprint is registered with. This allows the
  same blueprint to be registered multiple times with unique names for
  url_for. Registering the same blueprint with the same name
  multiple times is deprecated. :issue:1091
• Improve typing for stream_with_context. :issue:4052

v2.0.0

Compare Source

Released 2021-05-11

• Drop support for Python 2 and 3.5.
• Bump minimum versions of other Pallets projects: Werkzeug >= 2,
  Jinja2 >= 3, MarkupSafe >= 2, ItsDangerous >= 2, Click >= 8. Be sure
  to check the change logs for each project. For better compatibility
  with other applications (e.g. Celery) that still require Click 7,
  there is no hard dependency on Click 8 yet, but using Click 7 will
  trigger a DeprecationWarning and Flask 2.1 will depend on Click 8.
• JSON support no longer uses simplejson. To use another JSON module,
  override app.json_encoder and json_decoder. :issue:3555
• The encoding option to JSON functions is deprecated. :pr:3562
• Passing script_info to app factory functions is deprecated. This
  was not portable outside the flask command. Use
  click.get_current_context().obj if it's needed. :issue:3552
• The CLI shows better error messages when the app failed to load
  when looking up commands. :issue:2741
• Add SessionInterface.get_cookie_name to allow setting the
  session cookie name dynamically. :pr:3369
• Add Config.from_file to load config using arbitrary file
  loaders, such as toml.load or json.load.
  Config.from_json is deprecated in favor of this. :pr:3398
• The flask run command will only defer errors on reload. Errors
  present during the initial call will cause the server to exit with
  the traceback immediately. :issue:3431
• send_file raises a ValueError when passed an io object
  in text mode. Previously, it would respond with 200 OK and an empty
  file. :issue:3358
• When using ad-hoc certificates, check for the cryptography library
  instead of PyOpenSSL. :pr:3492
• When specifying a factory function with FLASK_APP, keyword
  argument can be passed. :issue:3553
• When loading a .env or .flaskenv file, the current working
  directory is no longer changed to the location of the file.
  :pr:3560
• When returning a (response, headers) tuple from a view, the
  headers replace rather than extend existing headers on the response.
  For example, this allows setting the Content-Type for
  jsonify(). Use response.headers.extend() if extending is
  desired. :issue:3628
• The Scaffold class provides a common API for the Flask and
  Blueprint classes. Blueprint information is stored in
  attributes just like Flask, rather than opaque lambda functions.
  This is intended to improve consistency and maintainability.
  :issue:3215
• Include samesite and secure options when removing the
  session cookie. :pr:3726
• Support passing a pathlib.Path to static_folder. :pr:3579
• send_file and send_from_directory are wrappers around the
  implementations in werkzeug.utils. :pr:3828
• Some send_file parameters have been renamed, the old names are
  deprecated. attachment_filename is renamed to download_name.
  cache_timeout is renamed to max_age. add_etags is
  renamed to etag. :pr:3828, 3883
• send_file passes download_name even if
  as_attachment=False by using Content-Disposition: inline.
  :pr:3828
• send_file sets conditional=True and max_age=None by
  default. Cache-Control is set to no-cache if max_age is
  not set, otherwise public. This tells browsers to validate
  conditional requests instead of using a timed cache. :pr:3828
• helpers.safe_join is deprecated. Use
  werkzeug.utils.safe_join instead. :pr:3828
• The request context does route matching before opening the session.
  This could allow a session interface to change behavior based on
  request.endpoint. :issue:3776
• Use Jinja's implementation of the |tojson filter. :issue:3881
• Add route decorators for common HTTP methods. For example,
  @app.post("/login") is a shortcut for
  @app.route("/login", methods=["POST"]). :pr:3907
• Support async views, error handlers, before and after request, and
  teardown functions. :pr:3412
• Support nesting blueprints. :issue:593, 1548, :pr:3923
• Set the default encoding to "UTF-8" when loading .env and
  .flaskenv files to allow to use non-ASCII characters. :issue:3931
• flask shell sets up tab and history completion like the default
  python shell if readline is installed. :issue:3941
• helpers.total_seconds() is deprecated. Use
  timedelta.total_seconds() instead. :pr:3962
• Add type hinting. :pr:3973.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.