Releases: pallets/flask

1.0.1

30 Apr 02:47
a15795c

This release includes bug fixes and minor changes since 1.0. See the changelog for details.

Install or Upgrade

Install from PyPI with pip:

pip install -U Flask

0.12.4

30 Apr 01:58
5beb3be

This is a repackage of 0.12.3 to fix an issue with how the package was built.

Upgrade

Upgrade from PyPI with pip. Use a version identifier if you want to stay at 0.12:

pip install -U 'Flask~=0.12.4'

1.0

26 Apr 21:05
291f3c3

The Pallets team is pleased to release Flask 1.0. [Read the announcement on our blog.](https://www.palletsprojects.com/blog/flask-1-0-released/)

This release contains over a year's worth of changes. Many features have been improved or changed. Read the changelog to understand how your project's code will be affected.

JSON Security Fix

Flask previously decoded incoming JSON bytes using the content type of the request. Although JSON should only be encoded as UTF-8, Flask was more lenient. However, Python includes non-text-related encodings that could result in unexpected memory use by a request.

Flask will now detect the encoding of incoming JSON data as one of the supported UTF encodings, and will not allow arbitrary encodings from the request.
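
The detection described above can be sketched as follows. This is an added example, not Flask's own code: the names `detect_utf_encoding` and `load_json_body` and the sample bodies in the usage are assumptions made for illustration. The encoding is chosen from the first bytes of the body alone, so a charset named by the request never reaches `bytes.decode`.

```python
import codecs
import json


def detect_utf_encoding(data: bytes) -> str:
    """Pick a UTF codec from the first four bytes of a JSON body (hypothetical helper)."""
    head = data[:4]
    # Byte order marks first. UTF-32 is tested before UTF-16 because the
    # UTF-32-LE mark (FF FE 00 00) begins with the UTF-16-LE mark (FF FE).
    if head.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    if head in (codecs.BOM_UTF32_BE, codecs.BOM_UTF32_LE):
        return "utf-32"
    if head[:2] in (codecs.BOM_UTF16_BE, codecs.BOM_UTF16_LE):
        return "utf-16"
    # No mark: assuming the text opens with ASCII characters, the position
    # of the NUL bytes gives the code unit width and the byte order.
    if len(head) == 4:
        if head[:3] == b"\x00\x00\x00":
            return "utf-32-be"
        if head[1:] == b"\x00\x00\x00":
            return "utf-32-le"
        if head[0] == 0 and head[2] == 0:
            return "utf-16-be"
        if head[1] == 0 and head[3] == 0:
            return "utf-16-le"
    elif len(head) == 2:
        if head[0] == 0:
            return "utf-16-be"
        if head[1] == 0:
            return "utf-16-le"
    return "utf-8"


def load_json_body(body: bytes, declared_charset=None):
    """Parse a JSON request body; declared_charset is accepted but never used."""
    # The codec comes only from the bytes, so the result is always one of
    # the UTF family above, whatever the Content-Type header claimed.
    return json.loads(body.decode(detect_utf_encoding(body)))


if __name__ == "__main__":
    # Constructed sample: UTF-16 body sent with a misleading charset.
    sample = '{"user": "alice"}'.encode("utf-16-le")
    print(detect_utf_encoding(sample), load_json_body(sample, "not-a-utf-codec"))
```

A body that is not valid in the detected encoding raises `UnicodeDecodeError`, which a view can turn into a 400 response.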

Install or Upgrade

Install from PyPI with pip:

pip install -U Flask

0.12.3

26 Apr 20:59
1a9e58e

This release includes an important security fix for JSON and a minor backport for CLI support in PyCharm. It is provided for projects that cannot update to Flask 1.0 immediately. See the 1.0 announcement and update to it instead if possible.

JSON Security Fix

Flask previously decoded incoming JSON bytes using the content type of the request. Although JSON should only be encoded as UTF-8, Flask was more lenient. However, Python includes non-text-related encodings that could result in unexpected memory use by a request.

Flask will now detect the encoding of incoming JSON data as one of the supported UTF encodings, and will not allow arbitrary encodings from the request.

Upgrade

Upgrade from PyPI with pip. Use a version identifier if you want to stay at 0.12:

pip install -U 'Flask~=0.12.3'

Or upgrade to 1.0:

pip install -U Flask