feat: upgrade to Flask 3.1.3 and SQLAlchemy 1.4.53

[wtfiwtz]

Summary

• Upgrade Flask 2.3 → 3.1.3, SQLAlchemy 1.3 → 1.4.53, Flask-SQLAlchemy 2.5 → 3.0.5
• Update paginate, query ordering, metrics, and ORM compatibility code for SQLAlchemy 1.4
• Rewrite embed CSP handling for flask-talisman compatibility with Flask 3
• Improve test infrastructure (pytest.ini pythonpath, destinations package, JWT teardown)

Test plan

• Merge or rebase onto security: upgrade Python dependencies to Flask 2.3.3 and Werkzeug 3.1.6 #7719 (Python security deps on Flask 2) first
• poetry install --only main,dev
• make test — expect ~900+ pytest passes
• Smoke-test login, query execution, dashboard embed views

Notes

This is the significant migration PR. Depends on #7719 for authlib/Werkzeug foundation.
Does not include advocate→champion (#7721) or npm upgrades (#7720).

Made with Cursor

[cubic-dev-ai]

3 issues found across 26 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="redash/cli/rq.py">

<violation number="1" location="redash/cli/rq.py:114">
P1: Click CLI commands do not use return values as exit codes. `return 1` in a `@manager.command()` function will be ignored and the process will exit with code 0, so monitoring scripts relying on exit status will incorrectly treat a failed healthcheck as successful.</violation>
</file>

<file name="redash/utils/query_order.py">

<violation number="1" location="redash/utils/query_order.py:104">
P1: Regression: get_mapper no longer raises on ambiguous table-to-mapper mappings</violation>
</file>

<file name="redash/models/changes.py">

<violation number="1" location="redash/models/changes.py:76">
P2: Broad `except Exception: pass` in audit change tracking can silently corrupt change history by failing to record the true previous value and providing no observability when unexpected errors occur.</violation>
</file>

<sub>Tip: cubic can generate docs of your entire codebase and keep them up to date. Try it here.

Re-trigger cubic</sub>

[cubic-dev-ai]

P1: Click CLI commands do not use return values as exit codes. return 1 in a @manager.command() function will be ignored and the process will exit with code 0, so monitoring scripts relying on exit status will incorrectly treat a failed healthcheck as successful.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At redash/cli/rq.py, line 114:

<comment>Click CLI commands do not use return values as exit codes. `return 1` in a `@manager.command()` function will be ignored and the process will exit with code 0, so monitoring scripts relying on exit status will incorrectly treat a failed healthcheck as successful.</comment>

<file context>
@@ -47,47 +60,57 @@ def worker(queues):
 @manager.command()
 def healthcheck():
+    if not SUPERVISOR_CHECKS_AVAILABLE:
+        print("Error: supervisor_checks not available. Cannot perform healthcheck.")
+        return 1
     return check_runner.CheckRunner("worker_healthcheck", "worker", None, [(WorkerHealthcheck, {})]).run()
</file context>

[cubic-dev-ai]

P1: Regression: get_mapper no longer raises on ambiguous table-to-mapper mappings

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At redash/utils/query_order.py, line 104:

<comment>Regression: get_mapper no longer raises on ambiguous table-to-mapper mappings</comment>

<file context>
@@ -98,7 +95,28 @@ def get_query_entities(query):
+    for from_obj in query.statement.get_final_froms():
+        if hasattr(from_obj, "left") and hasattr(from_obj, "right"):
+            if isinstance(from_obj.right, sa.Table):
+                for registry in mapperlib._mapper_registries:
+                    for mapper in registry.mappers:
+                        if from_obj.right in mapper.tables:
</file context>

[cubic-dev-ai]

P2: Broad except Exception: pass in audit change tracking can silently corrupt change history by failing to record the true previous value and providing no observability when unexpected errors occur.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At redash/models/changes.py, line 76:

<comment>Broad `except Exception: pass` in audit change tracking can silently corrupt change history by failing to record the true previous value and providing no observability when unexpected errors occur.</comment>

<file context>
@@ -63,10 +63,19 @@ def prep_cleanvalues(self):
+                    try:
+                        previous = getattr(self, attr.key, None)
+                        self._clean_values[col.name] = previous
+                    except Exception:
+                        # If we can't get the attribute (e.g., object deleted), skip it
+                        pass
</file context>

[wtfiwtz]

This PR has been split into two smaller, more reviewable PRs:

1. feat: upgrade SQLAlchemy 1.3→1.4 and Flask-SQLAlchemy 2.5→3.0 #7723 — SQLAlchemy 1.3→1.4 + Flask-SQLAlchemy 2.5→3.0 (Flask stays at 2.3.3)
2. feat: upgrade Flask 2.3.3 → 3.1.3 #7724 — Flask 2.3.3→3.1.3 (depends on feat: upgrade SQLAlchemy 1.3→1.4 and Flask-SQLAlchemy 2.5→3.0 #7723 merging first)

Why the split?

The key insight is that Flask-SQLAlchemy 3.0.5 requires only Flask ≥ 2.2.5 (not Flask 3). This means the ORM migration can land independently, and the Flask 3 upgrade can follow as a smaller, cleaner PR.

Benefits:

• Smaller review surface for each PR
• Makes CI failures easier to attribute
• SQLAlchemy migration can land without blocking on Flask 3
• Follows dependency chain: security: upgrade Python dependencies to Flask 2.3.3 and Werkzeug 3.1.6 #7719 → feat: upgrade SQLAlchemy 1.3→1.4 and Flask-SQLAlchemy 2.5→3.0 #7723 → feat: upgrade Flask 2.3.3 → 3.1.3 #7724

Closing this PR in favor of the split approach.