security: upgrade Flask ecosystem (Flask 2.3.3, Werkzeug 3.1.6, Jinja2 3.1.6)#7728
Draft
wtfiwtz wants to merge 1 commit into
Conversation
…2 3.1.6)

Upgrade Flask web framework and its ecosystem:

Core upgrades:
- flask: 2.3.2 → 2.3.3
- werkzeug: 2.3.8 → 3.1.6
- jinja2: 3.1.5 → 3.1.6
- itsdangerous: 2.1.2 → 2.2.0
- flask-login: 0.6.0 → 0.6.3
- flask-wtf: 1.1.1 → 1.3.0

Security fixes:
- CVE-2026-27199 (Werkzeug): Security vulnerability in Werkzeug 2.x
- CVE-2025-27516 (Jinja2): Sandbox escape vulnerability

Werkzeug 3.x compatibility code changes:
- Remove api_key_load_user_from_request from user_loader (belongs in request_loader)
- Add TESTING-mode reset_request_g_cache hook to prevent g leakage across test requests
- Replace flask.globals._app_ctx_stack with current_app (Werkzeug 3 removal)
- Add user=False to test_query_results API key test (explicit session handling)

These changes ensure Flask 2.3.x runs correctly with Werkzeug 3.x while maintaining backward compatibility. Flask-Login and flask-wtf are updated for compatibility with the new Werkzeug API.

Related: split from orchestrated-io/redash#7719

Co-authored-by: Cursor <cursoragent@cursor.com>
What type of PR is this?
Description
Upgrade Flask web framework and its ecosystem to current security patch levels:
Core upgrades:
- flask: 2.3.2 → 2.3.3
- werkzeug: 2.3.8 → 3.1.6
- jinja2: 3.1.5 → 3.1.6
- itsdangerous: 2.1.2 → 2.2.0
- flask-login: 0.6.0 → 0.6.3
- flask-wtf: 1.1.1 → 1.3.0

Security fixes:
- CVE-2026-27199 (Werkzeug): Security vulnerability in Werkzeug 2.x
- CVE-2025-27516 (Jinja2): Sandbox escape vulnerability

Werkzeug 3.x compatibility code changes:
- Remove api_key_load_user_from_request from user_loader (belongs in request_loader)
- Add TESTING-mode reset_request_g_cache hook to prevent g leakage across test requests
- Replace flask.globals._app_ctx_stack with current_app (Werkzeug 3 removal)
- Add user=False to test_query_results API key test (explicit session handling)

These changes ensure Flask 2.3.x runs correctly with Werkzeug 3.x while maintaining backward compatibility. Flask-Login and flask-wtf are updated for compatibility with the new Werkzeug API.
How is this tested?
Related Tickets & Documents
Split from orchestrated-io/redash#7719 per @zachliu's review feedback to separate Flask ecosystem upgrades from unrelated dependency changes.
Part of the security vulnerability remediation work tracked in #7711.
Note
This PR is marked as draft until manual testing is complete.
Made with Cursor
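The two points in the compatibility list that carry a security consequence are the loader split (session-id lookup belongs in Flask-Login's user_loader, header-based API-key lookup in request_loader) and the per-request cache on g that must not survive from one test request into the next. The following is an added illustration, not code from this PR or from Redash: it models those two contracts in plain Python without importing Flask or Flask-Login, with constructed users and API keys. The names RequestContext, current_user and run_requests, and the shape of the reset_request_g_cache hook, are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional


# Constructed sample data for the example (not Redash's user model).
@dataclass
class User:
    id: int
    name: str
    api_key: str


USERS = {
    1: User(1, "alice", "ak_alice_0123456789abcdef"),
    2: User(2, "bob", "ak_bob_fedcba9876543210"),
}
API_KEY_INDEX = {u.api_key: u.id for u in USERS.values()}


@dataclass
class RequestContext:
    """Hypothetical stand-in for Flask's request plus its per-request `g`.
    `_cache` plays the role of the cached identity that must be cleared
    between requests."""
    headers: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)
    _cache: dict = field(default_factory=dict)


def user_loader(user_id: Optional[str]) -> Optional[User]:
    """Flask-Login user_loader contract: receives only the id stored in the
    session cookie and resolves it to a user. It never looks at headers, so
    API-key authentication cannot live here."""
    try:
        return USERS.get(int(user_id))
    except (TypeError, ValueError):
        return None


def request_loader(ctx: RequestContext) -> Optional[User]:
    """Flask-Login request_loader contract: receives the request and may
    authenticate from it. This is where an 'Authorization: Key ...' lookup
    belongs (header name and scheme are assumptions for the example)."""
    presented = ctx.headers.get("Authorization", "")
    if not presented.startswith("Key "):
        return None
    presented = presented[len("Key "):].encode()
    # Compare against every known key in constant time and never break early,
    # so response timing does not reveal how much of a key matched.
    match = None
    for key, uid in API_KEY_INDEX.items():
        if hmac.compare_digest(key.encode(), presented):
            match = uid
    return USERS.get(match) if match is not None else None


def current_user(ctx: RequestContext) -> Optional[User]:
    """Mirrors Flask-Login's resolution order: cached identity first, then the
    session id via user_loader, then the request via request_loader."""
    if "user" in ctx._cache:
        return ctx._cache["user"]
    user = user_loader(ctx.session.get("_user_id")) or request_loader(ctx)
    ctx._cache["user"] = user
    return user


def reset_request_g_cache(ctx: RequestContext) -> None:
    """Assumed shape of the TESTING-mode hook: clear the per-request cache so a
    test client that reuses one context cannot inherit the previous request's
    identity."""
    ctx._cache.clear()


def run_requests(reset_between: bool) -> list:
    """Constructed scenario: two requests share one context object, as a test
    client might. The first authenticates with Alice's API key, the second
    sends no credentials at all. Returns the user name seen by each."""
    ctx = RequestContext(headers={"Authorization": "Key ak_alice_0123456789abcdef"})
    seen = [getattr(current_user(ctx), "name", None)]
    if reset_between:
        reset_request_g_cache(ctx)
    ctx.headers = {}  # second request: anonymous
    seen.append(getattr(current_user(ctx), "name", None))
    return seen


if __name__ == "__main__":
    print("without reset:", run_requests(reset_between=False))  # anonymous request sees alice
    print("with reset:   ", run_requests(reset_between=True))   # anonymous request sees None
```

Without the reset the second, unauthenticated request is still attributed to Alice, which is exactly the cross-request leakage the hook is meant to stop; with it the stale identity is gone. Keeping API-key resolution out of user_loader matters for the same reason: Flask-Login calls user_loader with whatever id is in the session cookie, and a loader that also reads headers blurs which credential actually authenticated the request.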