Update dependency Flask to v2 [SECURITY] #26
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^1.1.1
->^2.0.0
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2023-30861
When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by a proxy to other clients. If the proxy also caches
Set-Cookie
headers, it may send one client'ssession
cookie to other clients. The severity depends on the application's use of the session, and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.session.permanent = True
.SESSION_REFRESH_EACH_REQUEST
is enabled (the default).Cache-Control
header to indicate that a page is private or should not be cached.This happens because vulnerable versions of Flask only set the
Vary: Cookie
header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified.Release Notes
pallets/flask (Flask)
v2.2.5
Compare Source
Released 2023-05-02
Vary: Cookie
header when the session is accessed, modified, or refreshed.v2.2.4
Compare Source
Released 2023-04-25
v2.2.3
Compare Source
Released 2023-02-15
.svg
template files. :issue:4831
template_folder
to acceptpathlib.Path
. :issue:4892
--debug
option to theflask run
command. :issue:4777
v2.2.2
Compare Source
Released 2022-08-08
to the new faster router, header parsing, and the development
server. :pr:
4754
app.env
to be"production"
. Thisattribute remains deprecated. :issue:
4740
v2.2.1
Compare Source
Released 2022-08-03
json_encoder
orjson_decoder
raises adeprecation warning. :issue:
4732
v2.2.0
Compare Source
Released 2022-08-01
Remove previously deprecated code. :pr:
4667
send_file
parameters have been removed.download_name
replacesattachment_filename
,max_age
replaces
cache_timeout
, andetag
replacesadd_etags
.Additionally,
path
replacesfilename
insend_from_directory
.RequestContext.g
property returningAppContext.g
isremoved.
Update Werkzeug dependency to >= 2.2.
The app and request contexts are managed using Python context vars
directly rather than Werkzeug's
LocalStack
. This should resultin better performance and memory use. :pr:
4682
_app_ctx_stack.top
and
_request_ctx_stack.top
are deprecated. Store data ong
instead using a unique prefix, likeg._extension_name_attr
.The
FLASK_ENV
environment variable andapp.env
attribute aredeprecated, removing the distinction between development and debug
mode. Debug mode should be controlled directly using the
--debug
option or
app.run(debug=True)
. :issue:4714
Some attributes that proxied config keys on
app
are deprecated:session_cookie_name
,send_file_max_age_default
,use_x_sendfile
,propagate_exceptions
, andtemplates_auto_reload
. Use the relevant config keys instead.:issue:
4716
Add new customization points to the
Flask
app object for manypreviously global behaviors.
flask.url_for
will callapp.url_for
. :issue:4568
flask.abort
will callapp.aborter
.Flask.aborter_class
andFlask.make_aborter
can be usedto customize this aborter. :issue:
4567
flask.redirect
will callapp.redirect
. :issue:4569
flask.json
is an instance ofJSONProvider
. A differentprovider can be set to use a different JSON library.
flask.jsonify
will callapp.json.response
, otherfunctions in
flask.json
will call corresponding functions inapp.json
. :pr:4692
JSON configuration is moved to attributes on the default
app.json
provider.JSON_AS_ASCII
,JSON_SORT_KEYS
,JSONIFY_MIMETYPE
, andJSONIFY_PRETTYPRINT_REGULAR
aredeprecated. :pr:
4692
Setting custom
json_encoder
andjson_decoder
classes on theapp or a blueprint, and the corresponding
json.JSONEncoder
andJSONDecoder
classes, are deprecated. JSON behavior can now beoverridden using the
app.json
provider interface. :pr:4692
json.htmlsafe_dumps
andjson.htmlsafe_dump
are deprecated,the function is built-in to Jinja now. :pr:
4692
Refactor
register_error_handler
to consolidate error checking.Rewrite some error messages to be more consistent. :issue:
4559
Use Blueprint decorators and functions intended for setup after
registering the blueprint will show a warning. In the next version,
this will become an error just like the application setup methods.
:issue:
4571
before_first_request
is deprecated. Run setup code when creatingthe application instead. :issue:
4605
Added the
View.init_every_request
class attribute. If a viewsubclass sets this to
False
, the view will not create a newinstance on every request. :issue:
2520
.A
flask.cli.FlaskGroup
Click group can be nested as asub-command in a custom CLI. :issue:
3263
Add
--app
and--debug
options to theflask
CLI, insteadof requiring that they are set through environment variables.
:issue:
2836
Add
--env-file
option to theflask
CLI. This allowsspecifying a dotenv file to load in addition to
.env
and.flaskenv
. :issue:3108
It is no longer required to decorate custom CLI commands on
app.cli
orblueprint.cli
with@with_appcontext
, an appcontext will already be active at that point. :issue:
2410
SessionInterface.get_expiration_time
uses a timezone-awarevalue. :pr:
4645
View functions can return generators directly instead of wrapping
them in a
Response
. :pr:4629
Add
stream_template
andstream_template_string
functions torender a template as a stream of pieces. :pr:
4629
A new implementation of context preservation during debugging and
testing. :pr:
4666
request
,g
, and other context-locals point to thecorrect data when running code in the interactive debugger
console. :issue:
2836
even if the context is preserved. They are also run after the
preserved context is popped.
stream_with_context
preserves context separately from awith client
block. It will be cleaned up whenresponse.get_data()
orresponse.close()
is called.Allow returning a list from a view function, to convert it to a
JSON response like a dict is. :issue:
4672
When type checking, allow
TypedDict
to be returned from viewfunctions. :pr:
4695
Remove the
--eager-loading/--lazy-loading
options from theflask run
command. The app is always eager loaded the firsttime, then lazily loaded in the reloader. The reloader always prints
errors immediately but continues serving. Remove the internal
DispatchingApp
middleware used by the previous implementation.:issue:
4715
v2.1.3
Compare Source
Released 2022-07-13
commands. :pr:
4606
after_request
functions. :issue:4600
instance_path
for namespace packages uses the path closest tothe imported submodule. :issue:
4610
render_template
andrender_template_string
are used outside an application context.:pr:
4693
v2.1.2
Compare Source
Released 2022-04-28
json.loads
, it accepts str or bytes.:issue:
4519
--cert
and--key
options onflask run
can be givenin either order. :issue:
4459
v2.1.1
Compare Source
Released on 2022-03-30
which is required on Python < 3.10. :issue:
4502
v2.1.0
Compare Source
Released 2022-03-28
Drop support for Python 3.6. :pr:
4335
Update Click dependency to >= 8.0. :pr:
4008
Remove previously deprecated code. :pr:
4337
script_info
to app factory functions.config.from_json
is replaced byconfig.from_file(name, load=json.load)
.json
functions no longer take anencoding
parameter.safe_join
is removed, usewerkzeug.utils.safe_join
instead.
total_seconds
is removed, usetimedelta.total_seconds
instead.
name=
when registering to specify a unique name.as_tuple
parameter is removed. Useresponse.request.environ
instead. :pr:4417
Some parameters in
send_file
andsend_from_directory
wererenamed in 2.0. The deprecation period for the old names is extended
to 2.2. Be sure to test with deprecation warnings visible.
attachment_filename
is renamed todownload_name
.cache_timeout
is renamed tomax_age
.add_etags
is renamed toetag
.filename
is renamed topath
.The
RequestContext.g
property is deprecated. Useg
directlyor
AppContext.g
instead. :issue:3898
copy_current_request_context
can decorate async functions.:pr:
4303
The CLI uses
importlib.metadata
instead ofpkg_resources
toload command entry points. :issue:
4419
Overriding
FlaskClient.open
will not cause an error on redirect.:issue:
3396
Add an
--exclude-patterns
option to theflask run
CLIcommand to specify patterns that will be ignored by the reloader.
:issue:
4188
When using lazy loading (the default with the debugger), the Click
context from the
flask run
command remains available in theloader thread. :issue:
4460
Deleting the session cookie uses the
httponly
flag.:issue:
4485
Relax typing for
errorhandler
to allow the user to use moreprecise types and decorate the same function multiple times.
:issue:
4095, 4295, 4297
Fix typing for
__exit__
methods for better compatibility withExitStack
. :issue:4474
From Werkzeug, for redirect responses the
Location
header URLwill remain relative, and exclude the scheme and domain, by default.
:pr:
4496
Add
Config.from_prefixed_env()
to load config values fromenvironment variables that start with
FLASK_
or another prefix.This parses values as JSON by default, and allows setting keys in
nested dicts. :pr:
4479
v2.0.3
Compare Source
Released 2022-02-14
as_tuple
parameter is deprecated and will beremoved in Werkzeug 2.1. It is now also deprecated in Flask, to be
removed in Flask 2.1, while remaining compatible with both in
2.0.x. Use
response.request.environ
instead. :pr:4341
errorhandler
decorator. :issue:4295
ImportError
tracebacks when importing the application. :issue:
4307
app.json_encoder
andjson_decoder
are only passed todumps
andloads
if they have custom behavior. This improvesperformance, mainly on PyPy. :issue:
4349
after_this_request
is used outside arequest context. :issue:
4333
v2.0.2
Compare Source
Released 2021-10-04
teardown_*
methods. :issue:4093
before_request
andbefore_app_request
decorators. :issue:
4104
decorators to accept functions with no arguments. :issue:
4098
4112
app.errorhandler
decorator. :issue:4095
4124
static_folder
to acceptpathlib.Path
.:issue:
4150
jsonify
handlesdecimal.Decimal
by encoding tostr
.:issue:
4157
:issue:
4096
**kwargs
in acreate_app
function.:issue:
4170
before_request
and other callbacks that triggerbefore the view returns. They are called from the app down to the
closest nested blueprint. :issue:
4229
v2.0.1
Compare Source
Released 2021-05-21
filename
parameter insend_from_directory
. Thefilename
parameter has been renamed topath
, the old nameis deprecated. :pr:
4019
imports in user projects. :issue:
4024
g
and inform mypy that it is a namespaceobject that has arbitrary attributes. :issue:
4020
4040
send_file
,send_from_directory
, andget_send_file_max_age
. :issue:4044
, :pr:4026
.
hasspecial meaning, it is used to separate (nested) blueprint names and
the endpoint name. :issue:
4041
a
url_prefix
value. :issue:4037
URL is again matched after the session is loaded, so the session is
available in custom URL converters. :issue:
4053
Config.from_json
, which was accidentallyremoved early. :issue:
4078
Callable
in their typesignatures, focusing on decorator factories. :issue:
4060
different blueprints with the same name to be nested at different
locations. :issue:
4069
register_blueprint
takes aname
option to change the(pre-dotted) name the blueprint is registered with. This allows the
same blueprint to be registered multiple times with unique names for
url_for
. Registering the same blueprint with the same namemultiple times is deprecated. :issue:
1091
stream_with_context
. :issue:4052
v2.0.0
Compare Source
Released 2021-05-11
Jinja2 >= 3, MarkupSafe >= 2, ItsDangerous >= 2, Click >= 8. Be sure
to check the change logs for each project. For better compatibility
with other applications (e.g. Celery) that still require Click 7,
there is no hard dependency on Click 8 yet, but using Click 7 will
trigger a DeprecationWarning and Flask 2.1 will depend on Click 8.
override
app.json_encoder
andjson_decoder
. :issue:3555
encoding
option to JSON functions is deprecated. :pr:3562
script_info
to app factory functions is deprecated. Thiswas not portable outside the
flask
command. Useclick.get_current_context().obj
if it's needed. :issue:3552
when looking up commands. :issue:
2741
SessionInterface.get_cookie_name
to allow setting thesession cookie name dynamically. :pr:
3369
Config.from_file
to load config using arbitrary fileloaders, such as
toml.load
orjson.load
.Config.from_json
is deprecated in favor of this. :pr:3398
flask run
command will only defer errors on reload. Errorspresent during the initial call will cause the server to exit with
the traceback immediately. :issue:
3431
send_file
raises aValueError
when passed anio
objectin text mode. Previously, it would respond with 200 OK and an empty
file. :issue:
3358
instead of PyOpenSSL. :pr:
3492
FLASK_APP
, keywordargument can be passed. :issue:
3553
.env
or.flaskenv
file, the current workingdirectory is no longer changed to the location of the file.
:pr:
3560
(response, headers)
tuple from a view, theheaders replace rather than extend existing headers on the response.
For example, this allows setting the
Content-Type
forjsonify()
. Useresponse.headers.extend()
if extending isdesired. :issue:
3628
Scaffold
class provides a common API for theFlask
andBlueprint
classes.Blueprint
information is stored inattributes just like
Flask
, rather than opaque lambda functions.This is intended to improve consistency and maintainability.
:issue:
3215
samesite
andsecure
options when removing thesession cookie. :pr:
3726
pathlib.Path
tostatic_folder
. :pr:3579
send_file
andsend_from_directory
are wrappers around theimplementations in
werkzeug.utils
. :pr:3828
send_file
parameters have been renamed, the old names aredeprecated.
attachment_filename
is renamed todownload_name
.cache_timeout
is renamed tomax_age
.add_etags
isrenamed to
etag
. :pr:3828, 3883
send_file
passesdownload_name
even ifas_attachment=False
by usingContent-Disposition: inline
.:pr:
3828
send_file
setsconditional=True
andmax_age=None
bydefault.
Cache-Control
is set tono-cache
ifmax_age
isnot set, otherwise
public
. This tells browsers to validateconditional requests instead of using a timed cache. :pr:
3828
helpers.safe_join
is deprecated. Usewerkzeug.utils.safe_join
instead. :pr:3828
This could allow a session interface to change behavior based on
request.endpoint
. :issue:3776
|tojson
filter. :issue:3881
@app.post("/login")
is a shortcut for@app.route("/login", methods=["POST"])
. :pr:3907
teardown functions. :pr:
3412
593, 1548
, :pr:3923
.env
and.flaskenv
files to allow to use non-ASCII characters. :issue:3931
flask shell
sets up tab and history completion like the defaultpython
shell ifreadline
is installed. :issue:3941
helpers.total_seconds()
is deprecated. Usetimedelta.total_seconds()
instead. :pr:3962
3973
.v1.1.4
Compare Source
Released 2021-05-13
static_folder
to use_compat.fspath
instead ofos.fspath
to continue supporting Python < 3.6 :issue:4050
v1.1.3
Compare Source
Released 2021-05-13
:issue:
4043
pathlib.Path
forstatic_folder
.:pr:
3579
v1.1.2
Compare Source
Released 2020-04-03
flask
command with anexternal debugger on Windows. :issue:
3297
Flask
static_folder
argument ends with a slash. :issue:3452
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.