Skip to content

Comments

chore(deps): update dependency flask to v3.1.3 [security]#173

Open
renovate-bot wants to merge 1 commit intoGoogleCloudPlatform:mainfrom
renovate-bot:renovate/pypi-flask-vulnerability
Open

chore(deps): update dependency flask to v3.1.3 [security]#173
renovate-bot wants to merge 1 commit intoGoogleCloudPlatform:mainfrom
renovate-bot:renovate/pypi-flask-vulnerability

Conversation

@renovate-bot
Copy link
Contributor

@renovate-bot renovate-bot commented Feb 20, 2026

This PR contains the following updates:

Package Change Age Confidence
Flask (changelog) ==3.0.1==3.1.3 age confidence

GitHub Vulnerability Alerts

CVE-2026-27205

When the session object is accessed, Flask should set the Vary: Cookie header. This instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked.

The severity depends on the application's use of the session, and the cache's behavior regarding cookies. The risk depends on all these conditions being met.

  1. The application must be hosted behind a caching proxy that does not ignore responses with cookies.
  2. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.
  3. The application accesses the session in a way that does not access the values, only the keys, and does not mutate the session.

Release Notes

pallets/flask (Flask)

v3.1.3

Compare Source

This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.3/
Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3

  • The session is marked as accessed for operations that only access the keys but not the values, such as in and len. GHSA-68rp-wp8r-4726

v3.1.2

Compare Source

Released 2025-08-19

  • stream_with_context does not fail inside async views. :issue:5774
  • When using follow_redirects in the test client, the final state
    of session is correct. :issue:5786
  • Relax type hint for passing bytes IO to send_file. :issue:5776

v3.1.1

Compare Source

Released 2025-05-13

  • Fix signing key selection order when key rotation is enabled via
    SECRET_KEY_FALLBACKS. :ghsa:4grg-w6v8-c28g
  • Fix type hint for cli_runner.invoke. :issue:5645
  • flask --help loads the app and plugins first to make sure all commands
    are shown. :issue:5673
  • Mark sans-io base class as being able to handle views that return
    AsyncIterable. This is not accurate for Flask, but makes typing easier
    for Quart. :pr:5659

v3.1.0

Compare Source

Released 2024-11-13

  • Drop support for Python 3.8. :pr:5623
  • Update minimum dependency versions to latest feature releases.
    Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. :pr:5624,5633
  • Provide a configuration option to control automatic option
    responses. :pr:5496
  • Flask.open_resource/open_instance_resource and
    Blueprint.open_resource take an encoding parameter to use when
    opening in text mode. It defaults to utf-8. :issue:5504
  • Request.max_content_length can be customized per-request instead of only
    through the MAX_CONTENT_LENGTH config. Added
    MAX_FORM_MEMORY_SIZE and MAX_FORM_PARTS config. Added documentation
    about resource limits to the security page. :issue:5625
  • Add support for the Partitioned cookie attribute (CHIPS), with the
    SESSION_COOKIE_PARTITIONED config. :issue:5472
  • -e path takes precedence over default .env and .flaskenv files.
    load_dotenv loads default files in addition to a path unless
    load_defaults=False is passed. :issue:5628
  • Support key rotation with the SECRET_KEY_FALLBACKS config, a list of old
    secret keys that can still be used for unsigning. Extensions will need to
    add support. :issue:5621
  • Fix how setting host_matching=True or subdomain_matching=False
    interacts with SERVER_NAME. Setting SERVER_NAME no longer restricts
    requests to only that domain. :issue:5553
  • Request.trusted_hosts is checked during routing, and can be set through
    the TRUSTED_HOSTS config. :issue:5636

v3.0.3

Compare Source

Released 2024-04-07

  • The default hashlib.sha1 may not be available in FIPS builds. Don't
    access it at import time so the developer has time to change the default.
    :issue:5448
  • Don't initialize the cli attribute in the sansio scaffold, but rather in
    the Flask concrete class. :pr:5270

v3.0.2

Compare Source

Released 2024-02-03

  • Correct type for jinja_loader property. :issue:5388
  • Fix error with --extra-files and --exclude-patterns CLI options.
    :issue:5391

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested a review from a team as a code owner February 20, 2026 23:25
@dpebot
Copy link
Collaborator

dpebot commented Feb 20, 2026

/gcbrun

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@renovate-bot @dpebot