[Security] Bump flask from 0.12.4 to 1.1.1

[dependabot-preview]

Bumps flask from 0.12.4 to 1.1.1.

Release notes

Sourced from flask's releases.

1.0.2

This release includes bug fixes and minor changes since 1.0.1. See the changelog for details.

Install or Upgrade

Install from PyPI with pip:

pip install -U Flask

1.0.1

This release includes bug fixes and minor changes since 1.0. See the changelog for details.

Install or Upgrade

Install from PyPI with pip:

pip install -U Flask

1.0

The Pallets team is pleased to release Flask 1.0. [Read the announcement on our blog.](https://www.palletsprojects.com/blog/flask-1-0-released/

There are over a year's worth of changes in this release. Many features have been improved or changed. Read the changelog to understand how your project's code will be affected.

JSON Security Fix

Flask previously decoded incoming JSON bytes using the content type of the request. Although JSON should only be encoded as UTF-8, Flask was more lenient. However, Python includes non-text related encodings that could result in unexpected memory use by a request.

Flask will now detect the encoding of incoming JSON data as one of the supported UTF encodings, and will not allow arbitrary encodings from the request.

Install or Upgrade

Install from PyPI with pip:

pip install -U Flask

Changelog

Sourced from flask's changelog.

Version 1.1.1

Released 2019-07-08

• The flask.json_available flag was added back for compatibility with some extensions. It will raise a deprecation warning when used, and will be removed in version 2.0.0. 3288

Version 1.1.0

Released 2019-07-04

• Bump minimum Werkzeug version to >= 0.15.
• Drop support for Python 3.4.
• Error handlers for InternalServerError or 500 will always be passed an instance of InternalServerError. If they are invoked due to an unhandled exception, that original exception is now available as e.original_exception rather than being passed directly to the handler. The same is true if the handler is for the base HTTPException. This makes error handler behavior more consistent. 3266
  • Flask.finalize_request is called for all unhandled exceptions even if there is no 500 error handler.
• Flask.logger takes the same name as Flask.name (the value passed as Flask(import_name). This reverts 1.0's behavior of always logging to "flask.app", in order to support multiple apps in the same process. A warning will be shown if old configuration is detected that needs to be moved. 2866
• flask.RequestContext.copy includes the current session object in the request context copy. This prevents session pointing to an out-of-date object. 2935
• Using built-in RequestContext, unprintable Unicode characters in Host header will result in a HTTP 400 response and not HTTP 500 as previously. 2994
• send_file supports ~os.PathLike objects as described in PEP 0519, to support pathlib in Python 3. 3059
• send_file supports ~io.BytesIO partial content. 2957
• open_resource accepts the "rt" file mode. This still does the same thing as "r". 3163
• The MethodView.methods attribute set in a base class is used by subclasses. 3138
• Flask.jinja_options is a dict instead of an ImmutableDict to allow easier configuration. Changes must still be made before creating the environment. 3190
• Flask's JSONMixin for the request and response wrappers was moved into Werkzeug. Use Werkzeug's version with Flask-specific support. This bumps the Werkzeug dependency to >= 0.15. 3125
• The flask command entry point is simplified to take advantage of Werkzeug 0.15's better reloader support. This bumps the Werkzeug dependency to >= 0.15. 3022
• Support static_url_path that ends with a forward slash. 3134
• Support empty static_folder without requiring setting an empty static_url_path as well. 3124
• jsonify supports dataclasses.dataclass objects. 3195
• Allow customizing the Flask.url_map_class used for routing. 3069
• The development server port can be set to 0, which tells the OS to pick an available port. 2926
• The return value from cli.load_dotenv is more consistent with the documentation. It will return False if python-dotenv is not installed, or if the given path isn't a file. 2937
• Signaling support has a stub for the connect_via method when the Blinker library is not installed. 3208
• Add an --extra-files option to the flask run CLI command to specify extra files that will trigger the reloader on change. 2897
• Allow returning a dictionary from a view function. Similar to how returning a string will produce a text/html response, returning a dict will call jsonify to produce a application/json response. 3111
• Blueprints have a cli Click group like app.cli. CLI commands registered with a blueprint will be available as a group under the flask command. 1357.
• When using the test client as a context manager (with client:), all preserved request contexts are popped when the block exits, ensuring nested contexts are cleaned up correctly. 3157
• Show a better error message when the view return type is not supported. 3214
• flask.testing.make_test_environ_builder() has been deprecated in favour of a new class flask.testing.EnvironBuilder. 3232
• The flask run command no longer fails if Python is not built with SSL support. Using the --cert option will show an appropriate error message. 3211
• URL matching now occurs after the request context is pushed, rather than when it's created. This allows custom URL converters to access the app and request contexts, such as to query a database for an id. 3088

Version 1.0.4

Released 2019-07-04

• The key information for BadRequestKeyError is no longer cleared outside debug mode, so error handlers can still access it. This requires upgrading to Werkzeug 0.15.5. 3249
• send_file url quotes the ":" and "/" characters for more compatible UTF-8 filename support in some browsers. 3074
• Fixes for PEP451 import loaders and pytest 5.x. 3275

... (truncated)

Commits

• ffc6884 release version 1.1.1
• 1a6696d Merge pull request #3292 from pallets/deprecate-json-available
• 1617202 restore and deprecate json_available
• 1b4ace9 release version 1.1.0
• 8a78fdb Merge branch '1.0.x'
• 626b5cc release version 1.0.4
• 2844fdb Merge branch '1.0.x'
• c074759 Merge pull request #3285 from ThiefMaster/dotenv-msg-stderr
• 975f979 Move dotenv warning to stderr
• 6d0e79b Merge pull request #3284 from pallets/logger-warning
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it). To ignore the version in this PR you can just close it
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[dependabot-preview]

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Low severity vulnerability that affects flask
The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1.

Affected versions: ["< 1.0.0"]

[dependabot-preview]

Superseded by #58.