chore(deps) Update dependency Flask to v3

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
Flask (changelog)	>=2.0.1,<3.0.0 → >=3.1.3,<3.2.0

---

Release Notes

pallets/flask (Flask)

v3.1.3

Compare Source

Released 2026-02-18

• The session is marked as accessed for operations that only access the keys
  but not the values, such as in and len. :ghsa:68rp-wp8r-4726

v3.1.2

Compare Source

Released 2025-08-19

• stream_with_context does not fail inside async views. :issue:5774
• When using follow_redirects in the test client, the final state
  of session is correct. :issue:5786
• Relax type hint for passing bytes IO to send_file. :issue:5776

v3.1.1

Compare Source

Released 2025-05-13

• Fix signing key selection order when key rotation is enabled via
  SECRET_KEY_FALLBACKS. :ghsa:4grg-w6v8-c28g
• Fix type hint for cli_runner.invoke. :issue:5645
• flask --help loads the app and plugins first to make sure all commands
  are shown. :issue:5673
• Mark sans-io base class as being able to handle views that return
  AsyncIterable. This is not accurate for Flask, but makes typing easier
  for Quart. :pr:5659

v3.1.0

Compare Source

Released 2024-11-13

• Drop support for Python 3.8. :pr:5623
• Update minimum dependency versions to latest feature releases.
  Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. :pr:5624,5633
• Provide a configuration option to control automatic option
  responses. :pr:5496
• Flask.open_resource/open_instance_resource and
  Blueprint.open_resource take an encoding parameter to use when
  opening in text mode. It defaults to utf-8. :issue:5504
• Request.max_content_length can be customized per-request instead of only
  through the MAX_CONTENT_LENGTH config. Added
  MAX_FORM_MEMORY_SIZE and MAX_FORM_PARTS config. Added documentation
  about resource limits to the security page. :issue:5625
• Add support for the Partitioned cookie attribute (CHIPS), with the
  SESSION_COOKIE_PARTITIONED config. :issue:5472
• -e path takes precedence over default .env and .flaskenv files.
  load_dotenv loads default files in addition to a path unless
  load_defaults=False is passed. :issue:5628
• Support key rotation with the SECRET_KEY_FALLBACKS config, a list of old
  secret keys that can still be used for unsigning. Extensions will need to
  add support. :issue:5621
• Fix how setting host_matching=True or subdomain_matching=False
  interacts with SERVER_NAME. Setting SERVER_NAME no longer restricts
  requests to only that domain. :issue:5553
• Request.trusted_hosts is checked during routing, and can be set through
  the TRUSTED_HOSTS config. :issue:5636

v3.0.3

Compare Source

Released 2024-04-07

• The default hashlib.sha1 may not be available in FIPS builds. Don't
  access it at import time so the developer has time to change the default.
  :issue:5448
• Don't initialize the cli attribute in the sansio scaffold, but rather in
  the Flask concrete class. :pr:5270

v3.0.2

Compare Source

Released 2024-02-03

• Correct type for jinja_loader property. :issue:5388
• Fix error with --extra-files and --exclude-patterns CLI options.
  :issue:5391

v3.0.1

Compare Source

Released 2024-01-18

• Correct type for path argument to send_file. :issue:5336
• Fix a typo in an error message for the flask run --key option. :pr:5344
• Session data is untagged without relying on the built-in json.loads
object_hook. This allows other JSON providers that don't implement that.
  :issue:5381
• Address more type findings when using mypy strict mode. :pr:5383

v3.0.0

Compare Source

Released 2023-09-30

• Remove previously deprecated code. :pr:5223
• Deprecate the __version__ attribute. Use feature detection, or
  importlib.metadata.version("flask"), instead. :issue:5230
• Restructure the code such that the Flask (app) and Blueprint
  classes have Sans-IO bases. :pr:5127
• Allow self as an argument to url_for. :pr:5264
• Require Werkzeug >= 3.0.0.

---

Configuration

📅 Schedule: (in timezone America/Chicago)

• Branch creation
  • "before 10pm on Sunday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: uv.lock

Command failed: uv lock --upgrade-package flask
Using CPython 3.14.5 interpreter at: /opt/containerbase/tools/python/3.14.5/bin/python3
  × No solution found when resolving dependencies for split (markers:
  │ python_full_version >= '3.13' and python_full_version < '4.0'):
  ╰─▶ Because flask-session2>=1.2.0 depends on flask>=2.2.2,<3.0.0 and only
      the following versions of flask-session2 are available:
          flask-session2<=1.2.0
          flask-session2==1.3.0
          flask-session2==1.3.1
      we can conclude that flask-session2>=1.2.0 depends on
      flask>=2.2.2,<3.0.0.
      And because your project depends on flask>=3.1.3 and
      flask-session2>=1.2.0, we can conclude that your project's requirements
      are unsatisfiable.