
Bump flask from 2.3.3 to 3.1.3#1089

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/pip/flask-3.1.3

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 28, 2026

Bumps flask from 2.3.3 to 3.1.3.

Release notes

Sourced from flask's releases.

3.1.3

This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.3/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3

  • The session is marked as accessed for operations that only access the keys but not the values, such as in and len. GHSA-68rp-wp8r-4726

3.1.2

This is the Flask 3.1.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.2/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-2 Milestone: https://github.com/pallets/flask/milestone/38?closed=1

  • stream_with_context does not fail inside async views. #5774
  • When using follow_redirects in the test client, the final state of session is correct. #5786
  • Relax type hint for passing bytes IO to send_file. #5776

3.1.1

This is the Flask 3.1.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.1/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-1 Milestone https://github.com/pallets/flask/milestone/36?closed=1

  • Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. GHSA-4grg-w6v8-c28g
  • Fix type hint for cli_runner.invoke. #5645
  • flask --help loads the app and plugins first to make sure all commands are shown. #5673
  • Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. #5659

3.1.0

This is the Flask 3.1.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecations, or introduce potentially breaking changes. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

PyPI: https://pypi.org/project/Flask/3.1.0/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-0 Milestone: https://github.com/pallets/flask/milestone/33?closed=1

  • Drop support for Python 3.8. #5623
  • Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. #5624, #5633
  • Provide a configuration option to control automatic option responses. #5496
  • Flask.open_resource/open_instance_resource and Blueprint.open_resource take an encoding parameter to use when opening in text mode. It defaults to utf-8. #5504
  • Request.max_content_length can be customized per-request instead of only through the MAX_CONTENT_LENGTH config. Added MAX_FORM_MEMORY_SIZE and MAX_FORM_PARTS config. Added documentation about resource limits to the security page. #5625
  • Add support for the Partitioned cookie attribute (CHIPS), with the SESSION_COOKIE_PARTITIONED config. #5472
  • -e path takes precedence over default .env and .flaskenv files. load_dotenv loads default files in addition to a path unless load_defaults=False is passed. #5628
  • Support key rotation with the SECRET_KEY_FALLBACKS config, a list of old secret keys that can still be used for unsigning. Extensions will need to add support. #5621
  • Fix how setting host_matching=True or subdomain_matching=False interacts with SERVER_NAME. Setting SERVER_NAME no longer restricts requests to only that domain. #5553
  • Request.trusted_hosts is checked during routing, and can be set through the TRUSTED_HOSTS config. #5636

3.0.3

... (truncated)

Changelog

Sourced from flask's changelog.

Version 3.1.3

Released 2026-02-18

  • The session is marked as accessed for operations that only access the keys but not the values, such as in and len. :ghsa:68rp-wp8r-4726

Version 3.1.2

Released 2025-08-19

  • stream_with_context does not fail inside async views. :issue:5774
  • When using follow_redirects in the test client, the final state of session is correct. :issue:5786
  • Relax type hint for passing bytes IO to send_file. :issue:5776

Version 3.1.1

Released 2025-05-13

  • Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. :ghsa:4grg-w6v8-c28g
  • Fix type hint for cli_runner.invoke. :issue:5645
  • flask --help loads the app and plugins first to make sure all commands are shown. :issue:5673
  • Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. :pr:5659

Version 3.1.0

Released 2024-11-13

  • Drop support for Python 3.8. :pr:5623
  • Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. :pr:5624,5633
  • Provide a configuration option to control automatic option responses. :pr:5496
  • Flask.open_resource/open_instance_resource and Blueprint.open_resource take an encoding parameter to use when opening in text mode. It defaults to utf-8. :issue:5504
  • Request.max_content_length can be customized per-request instead of only through the MAX_CONTENT_LENGTH config. Added

... (truncated)

Commits
  • 22d9247 release version 3.1.3
  • 089cb86 Merge commit from fork
  • c17f379 request context tracks session access
  • 27be933 start version 3.1.3
  • 4e652d3 Abort if the instance folder cannot be created (#5903)
  • 3d03098 Abort if the instance folder cannot be created
  • 407eb76 document using gevent for async (#5900)
  • ac5664d document using gevent for async
  • 4f79d5b Increase required flit_core version to 3.11 (#5865)
  • fe3b215 Increase required flit_core version to 3.11
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 28, 2026

greptile-apps Bot commented Apr 28, 2026

Greptile Summary

This PR bumps Flask from 2.3.3 to 3.1.3 (including security fixes for session access tracking). However, three other pinned dependencies in requirements.txt are directly incompatible with Flask 3.x and will prevent the application from starting:

  • Flask-SQLAlchemy==2.5.1 crashes on import with ImportError: cannot import name '_app_ctx_stack' (removed in Flask 2.3+); needs upgrade to ≥3.0.
  • flask-restx==1.3.0 has the same class of internal import breakage against Flask 3; Flask 3 support requires ≥2.0.0.
  • itsdangerous==2.1.2 is below Flask 3.1's hard minimum of ≥2.2, causing pip to reject the dependency set entirely.

Confidence Score: 1/5

Not safe to merge — three co-pinned dependencies are broken against Flask 3.x and will prevent the app from starting.

Three P1 findings cover hard installation failure (itsdangerous version conflict) and two startup-time ImportErrors (Flask-SQLAlchemy 2.5.1, flask-restx 1.3.0). All three block the application from running at all.

requirements.txt — itsdangerous, Flask-SQLAlchemy, and flask-restx all need version bumps before this change can land.

Important Files Changed

Filename Overview
requirements.txt Bumps Flask 2.3.3 → 3.1.3, but three pinned dependencies are incompatible: itsdangerous==2.1.2 (Flask 3.1 requires ≥2.2), flask-restx==1.3.0 (Flask 3 requires ≥2.0.0), and Flask-SQLAlchemy==2.5.1 (removed _app_ctx_stack causes ImportError at startup)

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["pip install Flask==3.1.3"] --> B{Resolve dependencies}
    B -->|"itsdangerous==2.1.2\n(requires >=2.2)"| C["❌ Dependency conflict\n(install fails)"]
    B -->|"Flask-SQLAlchemy==2.5.1"| D["❌ ImportError: _app_ctx_stack\n(removed in Flask 2.3+)"]
    B -->|"flask-restx==1.3.0"| E["❌ Import errors\n(Flask 3 needs >=2.0.0)"]
    B -->|"Flask-Login==0.6.3\nWerkzeug==3.1.6\nblinker==1.9.0"| F["✅ Compatible"]

Comments Outside Diff (1)

  1. requirements.txt, line 44

    P1 itsdangerous pinned below Flask 3.1's minimum requirement

    Flask 3.1.0 raised its minimum dependency to ItsDangerous >= 2.2, but itsdangerous==2.1.2 is pinned here. pip will refuse to satisfy both constraints simultaneously, causing the installation to fail with a dependency conflict. Bump itsdangerous to at least 2.2.0.

Reviews (1): Last reviewed commit: "Bump flask from 2.3.3 to 3.1.3"
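The Flask 3.1.0 release notes above state the raised dependency minimums (Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9), and the review comment flags co-pinned packages that fall below what Flask 3 needs. The following is an added example, not code from this PR or from Flask, of a pre-merge check that parses a pinned requirements file and reports every pin below a stated minimum; the requirements text is constructed from the pins quoted in this thread, and the flask-restx and Flask-SQLAlchemy minimums are taken from the review comment, not from Flask's own release notes.

```python
import re

# Constructed from the requirements.txt pins quoted in this PR thread.
REQUIREMENTS = """\
Flask==3.1.3
Flask-Login==0.6.3
flask-restx==1.3.0
Flask-SQLAlchemy==2.5.1
itsdangerous==2.1.2
Werkzeug==3.1.6
blinker==1.9.0
"""

# First three minimums: Flask 3.1.0 release notes. Last two: asserted by the
# review comment above for Flask 3 compatibility (assumption, not Flask's own data).
MINIMUMS = {
    "werkzeug": "3.1",
    "itsdangerous": "2.2",
    "blinker": "1.9",
    "flask-restx": "2.0.0",
    "flask-sqlalchemy": "3.0",
}

PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)\s*$")


def normalize(name: str) -> str:
    """PEP 503 style normalisation: case-fold and collapse runs of -, _ and . to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> tuple:
    """'3.1.6' -> (3, 1, 6); trailing zeros dropped so '3.1.0' == '3.1'.
    Handles plain numeric releases only, which is all a pin file like this holds."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_pins(text: str) -> dict:
    """Return {normalised-name: version} for every `name==version` line."""
    return {normalize(m.group(1)): m.group(2)
            for m in map(PIN_RE.match, text.splitlines()) if m}


def find_conflicts(text: str, minimums: dict = MINIMUMS) -> dict:
    """Return {name: (pinned, minimum)} for each pin that is below its minimum."""
    pins = parse_pins(text)
    return {name: (pins[normalize(name)], minimum)
            for name, minimum in minimums.items()
            if normalize(name) in pins
            and version_key(pins[normalize(name)]) < version_key(minimum)}
```

Running `find_conflicts(REQUIREMENTS)` over the constructed file reports itsdangerous, flask-restx and flask-sqlalchemy, matching the review findings, while Werkzeug and blinker pass.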

Comment thread requirements.txt
Flask==3.1.3
Flask-Login==0.6.3
flask-restx==1.3.0
Flask-SQLAlchemy==2.5.1

P1 Flask-SQLAlchemy 2.5.1 incompatible with Flask 3.x

Flask-SQLAlchemy==2.5.1 imports _app_ctx_stack from flask, which was removed starting in Flask 2.3. Running this with Flask 3.1.3 will raise ImportError: cannot import name '_app_ctx_stack' from 'flask' on startup. You need to upgrade to Flask-SQLAlchemy>=3.0 (note: this is a major version bump with its own breaking changes, such as the session being scoped to the app context and SQLALCHEMY_DATABASE_URI no longer defaulting to in-memory SQLite).

@catinhere catinhere Apr 28, 2026


@greptileai _app_ctx_stack was actually removed in Flask 3.0. Also, flask-bouncer==0.3.0 uses _app_ctx_stack.


You're right on both points — thanks for the correction. _app_ctx_stack was removed in Flask 3.0, not 2.3 as I stated.

On flask-bouncer: the requirements.txt in this PR shows flask-bouncer==0.3.0, not 0.1.12. Do you know if 0.3.0 still uses _app_ctx_stack? If so, that's an additional blocker alongside Flask-SQLAlchemy==2.5.1 before this upgrade can land.

Tip: You can give me more context with [.greptile/rules](https://www.greptile.com/docs/code-review/custom-standards) so I get this right next time.

Comment thread requirements.txt
Bumps [flask](https://github.com/pallets/flask) from 2.3.3 to 3.1.3.
- [Release notes](https://github.com/pallets/flask/releases)
- [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst)
- [Commits](pallets/flask@2.3.3...3.1.3)

---
updated-dependencies:
- dependency-name: flask
  dependency-version: 3.1.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot Bot force-pushed the dependabot/pip/flask-3.1.3 branch from f03917b to e2aeb07 Compare May 4, 2026 23:26