chore(deps): update dependency flask to v3.1.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
flask (changelog)	3.1.2 → 3.1.3

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Flask session does not add Vary: Cookie header when accessed in some ways

CVE-2026-27205 / GHSA-68rp-wp8r-4726

More information

Details

When the session object is accessed, Flask should set the Vary: Cookie header. This instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked.

The severity depends on the application's use of the session, and the cache's behavior regarding cookies. The risk depends on all these conditions being met.

1. The application must be hosted behind a caching proxy that does not ignore responses with cookies.
2. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.
3. The application accesses the session in a way that does not access the values, only the keys, and does not mutate the session.

Severity

• CVSS Score: 2.3 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
• https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4
• https://github.com/pallets/flask/releases/tag/3.1.3
• https://nvd.nist.gov/vuln/detail/CVE-2026-27205
• https://github.com/advisories/GHSA-68rp-wp8r-4726

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

pallets/flask (flask)

v3.1.3

Compare Source

Released 2026-02-18

• The session is marked as accessed for operations that only access the keys
  but not the values, such as in and len. :ghsa:68rp-wp8r-4726

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.21%. Comparing base (426436e) to head (8bed836).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #931   +/-   ##
=======================================
  Coverage   77.21%   77.21%           
=======================================
  Files         116      116           
  Lines       12065    12065           
  Branches      996      996           
=======================================
  Hits         9316     9316           
  Misses       2520     2520           
  Partials      229      229           

Flag	Coverage Δ		*Carryforward flag
agent	75.78% <ø> (ø)		Carriedforward from 426436e
cli	91.80% <ø> (ø)		Carriedforward from 426436e
device	63.34% <ø> (ø)		Carriedforward from 426436e
server	86.92% <ø> (ø)

*This pull request uses carry forward flags. Click here to find out more.

Components	Coverage Δ
Agent	75.78% <ø> (ø)
CLI	91.80% <ø> (ø)
Common	∅ <ø> (∅)
Device Connectors	63.34% <ø> (ø)
Server	86.92% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.