Description
Checklist
- I added a descriptive title
- I searched open requests and couldn't find a duplicate
What is the idea?
https://github.com/conda/conda/blob/main/tests/conda_env/support/requirements.txt specifies Flask version 0.10.1. This is old (almost 10 years!) and subject to several vulnerabilities with known exploits, e.g. CVE-2018-1000656 or CVE-2019-1010083.
I believe those are not normally an issue, because it's only used in a temporary environment for conda tests and not exposed publicly, but could be used by an attacker who can change the test data.
Would it be possible to update to a newer Flask version? The lowest without known vulnerabilities is (I believe) 1.0, but the newer the better.
Why is this needed?
The test environment has high-severity vulnerabilities where an attacker could cause DoS on the affected system.
What should happen?
The test environment should be as safe as practical, i.e. the dependency shouldn't contain any vulnerabilities.
Additional Context
https://nvd.nist.gov/vuln/detail/CVE-2018-1000656
https://nvd.nist.gov/vuln/detail/CVE-2019-1010083
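A small checker for the situation described in this issue: parse a pip requirements file, find exact pins or lower bounds that fall below a per-package minimum version, and report them. This is an added example, not code from the issue or from the conda project; the requirements text is a constructed sample in the shape of the file referenced above, and the Flask floor of 1.0 is taken from the reporter's statement rather than independently verified against the CVE records.

```python
"""Flag requirements.txt pins that sit below a minimum acceptable version.

Added example (not part of the conda repository). The sample requirements and the
MIN_VERSIONS table are assumptions made for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample resembling a test-fixture requirements file with an old Flask pin.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not the real tests/conda_env/support/requirements.txt
flask==0.10.1
itsdangerous>=0.24
requests
Werkzeug == 0.9.4   # trailing comment
"""

# Floors the checker enforces. Flask 1.0 is the version the issue reporter believes is
# the lowest without known vulnerabilities; treat it as an assumption, not a fact.
MIN_VERSIONS: Dict[str, str] = {"flask": "1.0"}

# name, optional extras ("[async]"), then an optional operator and version.
_LINE_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?"
    r"\s*(?:(==|>=|~=|<=|<|>|!=)\s*([^\s#,;]+))?"
)

Requirement = Tuple[str, Optional[str], Optional[str]]


def parse_version(v: str) -> Tuple[int, ...]:
    """'0.10.1' -> (0, 10, 1). Parsing stops at the first non-numeric segment."""
    parts: List[int] = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True when version a is strictly older than b (missing segments count as 0)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def parse_requirements(text: str) -> List[Requirement]:
    """Return (lowercased name, operator or None, version or None) per package line."""
    out: List[Requirement] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding space
        if not line or line.startswith("-"):     # skip blanks and pip options (-r, -e, ...)
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        out.append((m.group(1).lower(), m.group(2), m.group(3)))
    return out


def find_outdated(text: str, minimums: Dict[str, str] = MIN_VERSIONS) -> List[Dict[str, str]]:
    """List every requirement whose pin or lower bound is below its configured floor."""
    findings: List[Dict[str, str]] = []
    for name, op, ver in parse_requirements(text):
        floor = minimums.get(name)
        if floor is None:
            continue
        if op is None or ver is None:
            findings.append({"package": name, "pinned": "", "minimum": floor,
                             "reason": "no version constraint; floor not enforced"})
        elif op == "==" and version_lt(ver, floor):
            findings.append({"package": name, "pinned": ver, "minimum": floor,
                             "reason": "exact pin below minimum"})
        elif op in (">=", "~=") and version_lt(ver, floor):
            findings.append({"package": name, "pinned": ver, "minimum": floor,
                             "reason": "lower bound permits versions below minimum"})
    return findings


if __name__ == "__main__":
    for f in find_outdated(SAMPLE_REQUIREMENTS):
        print(f"{f['package']}: {f['pinned'] or '(unpinned)'} < {f['minimum']} ({f['reason']})")
```

Run it against the real file with `find_outdated(open("requirements.txt").read())`; a non-empty result is the condition this issue asks to eliminate, and the same check dropped into CI keeps a fixture pin from silently aging again.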