[Snyk] Update Flask

[nickumia-reisys]

_Please keep any sensitive details in Google Drive._

Date of report: 5/8/2023 Severity: High Due date: 6/8/2023

Due date is based on severity and described in RA-5. 15-days for Critical, 30-days for High, and 90-days for Moderate and lower.

• [ ] Analysis has been performed and an issue has been linked to address other occurrences for this class of vulnerability* (link)

* When a finding is identified, we create two issues. One to address the specific instance identified in the report. The other is to identify and address all other occurrences of this vulnerability within the application.

Brief description

Failing Snyk Scans:

• https://github.com/GSA/catalog.data.gov/actions/runs/4914898688/jobs/8776751892
• (Inventory is not on Flask 2.x yet... and I guess Flask 1.x is not vulnerable)

Reference:

• https://security.snyk.io/vuln/SNYK-PYTHON-FLASK-5490129

[hkdctol]

Can't do until completing CKAN 2.10 most likely

[nickumia-reisys]

Related to

• https://github.com/GSA/data.gov/issues/4209

[nickumia-reisys]

Blocked by CKAN releasing compatibility changes to core code. See PR for details:

• https://github.com/GSA/inventory-app/pull/622

[nickumia-reisys]

See comment

• https://github.com/GSA/catalog.data.gov/pull/989#issuecomment-1744961644

[btylerburton]

Conversation with CKAN core team on release schedule. No new developments, but at least they are aware that we are awaiting these fixes.

https://github.com/ckan/ckan/discussions/6381