- Update to 3.1.1 (CVE-2025-47278, bsc#1243163):
* Fix signing key selection order when key rotation is enabled via
SECRET_KEY_FALLBACKS. GHSA-4grg-w6v8-c28g
* Fix type hint for cli_runner.invoke. #5645
* flask --help loads the app and plugins first to make sure all
commands are shown. #5673
* Mark sans-io base class as being able to handle views that return
AsyncIterable. This is not accurate for Flask, but makes typing
easier for Quart. #5659
- Update to 3.1.1 (CVE-2025-47278, bsc#1243163):
* Fix signing key selection order when key rotation is enabled via
SECRET_KEY_FALLBACKS. GHSA-4grg-w6v8-c28g
* Fix type hint for cli_runner.invoke. #5645
* flask --help loads the app and plugins first to make sure all
commands are shown. #5673
* Mark sans-io base class as being able to handle views that return
AsyncIterable. This is not accurate for Flask, but makes typing
easier for Quart. #5659
OBS-URL: https://build.opensuse.org/request/show/1277662
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Flask?expand=0&rev=43
* Fix signing key selection order when key rotation is enabled via
SECRET_KEY_FALLBACKS. GHSA-4grg-w6v8-c28g
* Fix type hint for cli_runner.invoke. #5645
* flask --help loads the app and plugins first to make sure all
commands are shown. #5673
* Mark sans-io base class as being able to handle views that return
AsyncIterable. This is not accurate for Flask, but makes typing
easier for Quart. #5659
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask?expand=0&rev=52
- Update to 3.1.0:
* Drop support for Python 3.8.
* Update minimum dependency versions to latest feature releases.
Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9.
* Provide a configuration option to control automatic option responses.
* Flask.open_resource/open_instance_resource and Blueprint.open_resource
take an encoding parameter to use when opening in text mode. It defaults
to utf-8.
* Request.max_content_length can be customized per-request instead of only
through the MAX_CONTENT_LENGTH config.
* Add support for the Partitioned cookie attribute (CHIPS), with the
SESSION_COOKIE_PARTITIONED config.
* -e path takes precedence over default .env and .flaskenv files.
load_dotenv loads default files in addition to a path unless
load_defaults=False is passed.
* Support key rotation with the SECRET_KEY_FALLBACKS config, a list of old
secret keys that can still be used for unsigning.
* Fix how setting host_matching=True or subdomain_matching=False interacts
with SERVER_NAME. Setting SERVER_NAME no longer restricts requests to
only that domain.
* Request.trusted_hosts is checked during routing, and can be set through
the TRUSTED_HOSTS config.
OBS-URL: https://build.opensuse.org/request/show/1244038
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Flask?expand=0&rev=42
* Drop support for Python 3.8.
* Update minimum dependency versions to latest feature releases.
Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9.
* Provide a configuration option to control automatic option responses.
* Flask.open_resource/open_instance_resource and Blueprint.open_resource
take an encoding parameter to use when opening in text mode. It defaults
to utf-8.
* Request.max_content_length can be customized per-request instead of only
through the MAX_CONTENT_LENGTH config.
* Add support for the Partitioned cookie attribute (CHIPS), with the
SESSION_COOKIE_PARTITIONED config.
* -e path takes precedence over default .env and .flaskenv files.
load_dotenv loads default files in addition to a path unless
load_defaults=False is passed.
* Support key rotation with the SECRET_KEY_FALLBACKS config, a list of old
secret keys that can still be used for unsigning.
* Fix how setting host_matching=True or subdomain_matching=False interacts
with SERVER_NAME. Setting SERVER_NAME no longer restricts requests to
only that domain.
* Request.trusted_hosts is checked during routing, and can be set through
the TRUSTED_HOSTS config.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask?expand=0&rev=50
- update to 3.0.1:
* Correct type for path argument to send_file. :issue:`5230`
* Fix a typo in an error message for the flask run --key
option. :pr:`5344`
* Session data is untagged without relying on the built-in
json.loads object_hook. This allows other JSON providers that
don't implement that. :issue:`5381`
* Address more type findings when using mypy strict mode.
:pr:`5383`
* Remove previously deprecated code. :pr:`5223`
* Deprecate the __version__ attribute. Use feature detection,
or importlib.metadata.version("flask"), instead.
:issue:`5230`
* Restructure the code such that the Flask (app) and Blueprint
classes have Sans-IO bases. :pr:`5127`
* Allow self as an argument to url_for. :pr:`5264`
* Require Werkzeug >= 3.0.0.
* Add an --exclude-patterns option to the flask run CLI command to
* Relax typing for errorhandler to allow the user to use more precise
* From Werkzeug, for redirect responses the Location header URL will
* Add Config.from_prefixed_env() to load config values from environment
variables that start with FLASK_ or another prefix. This parses values as
* Fixed the issue where typing requires template global decorators to
- Set the default encoding to “UTF-8” when loading .env and .flaskenv
- flask shell sets up tab and history completion like the default
- add dependency on itsdangerous
OBS-URL: https://build.opensuse.org/request/show/1140137
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Flask?expand=0&rev=38
* Correct type for path argument to send_file. :issue:`5230`
* Fix a typo in an error message for the flask run --key
option. :pr:`5344`
* Session data is untagged without relying on the built-in
json.loads object_hook. This allows other JSON providers that
don't implement that. :issue:`5381`
* Address more type findings when using mypy strict mode.
:pr:`5383`
* Remove previously deprecated code. :pr:`5223`
* Deprecate the __version__ attribute. Use feature detection,
or importlib.metadata.version("flask"), instead.
:issue:`5230`
* Restructure the code such that the Flask (app) and Blueprint
classes have Sans-IO bases. :pr:`5127`
* Allow self as an argument to url_for. :pr:`5264`
* Require Werkzeug >= 3.0.0.
* Add an --exclude-patterns option to the flask run CLI command to
* Relax typing for errorhandler to allow the user to use more precise
* From Werkzeug, for redirect responses the Location header URL will
* Add Config.from_prefixed_env() to load config values from environment
variables that start with FLASK_ or another prefix. This parses values as
* Fixed the issue where typing requires template global decorators to
- Set the default encoding to “UTF-8” when loading .env and .flaskenv
- flask shell sets up tab and history completion like the default
- add dependency on itsdangerous
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask?expand=0&rev=42
* Python 3.12 compatibility.
* Require Werkzeug >= 2.3.7.
* Use ``flit_core`` instead of ``setuptools`` as build backend.
* Refactor how an app's root and instance paths are determined.
- Fiddle with captialisation again, I look forward to this flipping back
to Flask at some point.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask?expand=0&rev=40
- Update to 2.3.2:
* Set ``Vary: Cookie`` header when the session is accessed, modified, or
refreshed.
* Update Werkzeug requirement to >=2.3.3 to apply recent bug fixes.
* Restore deprecated ``from flask import Markup``.
* Drop support for Python 3.7.
* Update minimum requirements to the latest versions.
* Remove previously deprecated code.
* Importing ``escape`` and ``Markup`` from ``flask`` is deprecated.
* The ``app.got_first_request`` property is deprecated.
* The ``locked_cached_property`` decorator is deprecated.
* Signals are always available. ``blinker>=1.6.2`` is a required dependency.
* Signals support ``async`` subscriber functions.
* Remove uses of locks that could cause requests to block each other very
briefly.
* Use modern packaging metadata with ``pyproject.toml``.
* Ensure subdomains are applied with nested blueprints.
* If a blueprint is created with an empty name it raises a ``ValueError``.
* ``SESSION_COOKIE_DOMAIN`` does not fall back to ``SERVER_NAME``.
* The ``routes`` command shows each rule's ``subdomain`` or ``host``
when domain matching is in use.
* Use postponed evaluation of annotations.
- Switch to pyproject macros.
- Delete unneeded .gitignore files, update rpmlintrc
OBS-URL: https://build.opensuse.org/request/show/1101890
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Flask?expand=0&rev=35
* Set ``Vary: Cookie`` header when the session is accessed, modified, or
refreshed.
* Update Werkzeug requirement to >=2.3.3 to apply recent bug fixes.
* Restore deprecated ``from flask import Markup``.
* Drop support for Python 3.7.
* Update minimum requirements to the latest versions.
* Remove previously deprecated code.
* Importing ``escape`` and ``Markup`` from ``flask`` is deprecated.
* The ``app.got_first_request`` property is deprecated.
* The ``locked_cached_property`` decorator is deprecated.
* Signals are always available. ``blinker>=1.6.2`` is a required dependency.
* Signals support ``async`` subscriber functions.
* Remove uses of locks that could cause requests to block each other very
briefly.
* Use modern packaging metadata with ``pyproject.toml``.
* Ensure subdomains are applied with nested blueprints.
* If a blueprint is created with an empty name it raises a ``ValueError``.
* ``SESSION_COOKIE_DOMAIN`` does not fall back to ``SERVER_NAME``.
* The ``routes`` command shows each rule's ``subdomain`` or ``host``
when domain matching is in use.
* Use postponed evaluation of annotations.
- Switch to pyproject macros.
- Delete unneeded .gitignore files, update rpmlintrc
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask?expand=0&rev=36
- update to 2.2.5 (bsc#1211246, CVE-2023-30861):
* Set ``Vary: Cookie`` header when the session is accessed,
modified, or refreshed.
* Update for compatibility with Werkzeug 2.3.
* Autoescape is enabled by default for ``.svg`` template
files. :issue:`4831`
* Fix the type of ``template_folder`` to accept
``pathlib.Path``. :issue:`4892`
* Add ``--debug`` option to the ``flask run`` command.
:issue:`4777`
OBS-URL: https://build.opensuse.org/request/show/1086038
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Flask?expand=0&rev=34
* Set ``Vary: Cookie`` header when the session is accessed,
modified, or refreshed.
* Update for compatibility with Werkzeug 2.3.
* Autoescape is enabled by default for ``.svg`` template
files. :issue:`4831`
* Fix the type of ``template_folder`` to accept
``pathlib.Path``. :issue:`4892`
* Add ``--debug`` option to the ``flask run`` command.
:issue:`4777`
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask?expand=0&rev=34
- Update to 2.0.3
* The test client's ``as_tuple`` parameter is deprecated and will be
removed in Werkzeug 2.1. It is now also deprecated in Flask, to be
removed in Flask 2.1, while remaining compatible with both in
2.0.x. Use ``response.request.environ`` instead. PR#4341
* Fix type annotation for ``errorhandler`` decorator. #4295
* Revert a change to the CLI that caused it to hide ``ImportError``
tracebacks when importing the application. #4307
* ``app.json_encoder`` and ``json_decoder`` are only passed to
``dumps`` and ``loads`` if they have custom behavior. This improves
performance, mainly on PyPy. #4349
* Clearer error message when ``after_this_request`` is used outside a
request context. #4333
OBS-URL: https://build.opensuse.org/request/show/954385
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Flask?expand=0&rev=28
