merge app and request context (#5812)

slash in value would be interpreted as a path separator in the URL

.devcontainer/on-create-command.sh

@@ -1,9 +1,7 @@
 #!/bin/bash
 set -e
-
-python3 -m venv .venv
+python3 -m venv --upgrade-deps .venv
 . .venv/bin/activate
-pip install -U pip
 pip install -r requirements/dev.txt
 pip install -e .
 pre-commit install --install-hooks

.editorconfig

@@ -9,5 +9,5 @@ end_of_line = lf
 charset = utf-8
 max_line_length = 88
 
-[*.{yml,yaml,json,js,css,html}]
+[*.{css,html,js,json,jsx,scss,ts,tsx,yaml,yml}]
 indent_size = 2

.github/ISSUE_TEMPLATE/bug-report.md

@@ -5,7 +5,7 @@ about: Report a bug in Flask (not other projects which depend on Flask)
 
 <!--
 This issue tracker is a tool to address bugs in Flask itself. Please use
-Pallets Discord or Stack Overflow for questions about your own code.
+GitHub Discussions or the Pallets Discord for questions about your own code.
 
 Replace this comment with a clear outline of what the bug is.
 -->

.github/ISSUE_TEMPLATE/config.yml

@@ -1,11 +1,11 @@
 blank_issues_enabled: false
 contact_links:
   - name: Security issue
-    url: security@palletsprojects.com
-    about: Do not report security issues publicly. Email our security contact.
-  - name: Questions
-    url: https://stackoverflow.com/questions/tagged/flask?tab=Frequent
-    about: Search for and ask questions about your code on Stack Overflow.
-  - name: Questions and discussions
+    url: https://github.com/pallets/flask/security/advisories/new
+    about: Do not report security issues publicly. Create a private advisory.
+  - name: Questions on GitHub Discussions
+    url: https://github.com/pallets/flask/discussions/
+    about: Ask questions about your own code on the Discussions tab.
+  - name: Questions on Discord
     url: https://discord.gg/pallets
-    about: Discuss questions about your code on our Discord chat.
+    about: Ask questions about your own code on our Discord chat.

.github/SECURITY.md

@@ -1,19 +0,0 @@
-# Security Policy
-
-If you believe you have identified a security issue with a Pallets
-project, **do not open a public issue**. To responsibly report a
-security issue, please email security@palletsprojects.com. A security
-team member will contact you acknowledging the report and how to
-continue.
-
-Be sure to include as much detail as necessary in your report. As with
-reporting normal issues, a minimal reproducible example will help the
-maintainers address the issue faster. If you are able, you may also
-include a fix for the issue generated with `git format-patch`.
-
-The current and previous release will receive security patches, with
-older versions evaluated based on usage information and severity.
-
-After fixing an issue, we will make a security release along with an
-announcement on our blog. We may obtain a CVE id as well. You may
-include a name and link if you would like to be credited for the report.

.github/dependabot.yml

@@ -1,9 +0,0 @@
-version: 2
-updates:
-- package-ecosystem: "github-actions"
-  directory: "/"
-  schedule:
-    interval: "monthly"
-    day: "monday"
-    time: "16:00"
-    timezone: "UTC"

.github/pull_request_template.md

@@ -1,6 +1,7 @@
 <!--
 Before opening a PR, open a ticket describing the issue or feature the
-PR will address. Follow the steps in CONTRIBUTING.rst.
+PR will address. An issue is not required for fixing typos in
+documentation, or other simple non-code changes.
 
 Replace this comment with a description of the change. Describe how it
 addresses the linked ticket.
@@ -9,22 +10,16 @@ addresses the linked ticket.
 <!--
 Link to relevant issues or previous PRs, one per line. Use "fixes" to
 automatically close an issue.
--->
 
-- fixes #<issue number>
+fixes #<issue number>
+-->
 
 <!--
-Ensure each step in CONTRIBUTING.rst is complete by adding an "x" to
-each box below.
+Ensure each step in CONTRIBUTING.rst is complete, especially the following:
 
-If only docs were changed, these aren't relevant and can be removed.
+- Add tests that demonstrate the correct behavior of the change. Tests
+  should fail without the change.
+- Add or update relevant docs, in the docs folder and in code.
+- Add an entry in CHANGES.rst summarizing the change and linking to the issue.
+- Add `.. versionchanged::` entries in any relevant code docs.
 -->
-
-Checklist:
-
-- [ ] Add tests that demonstrate the correct behavior of the change. Tests should fail without the change.
-- [ ] Add or update relevant docs, in the docs folder and in code.
-- [ ] Add an entry in `CHANGES.rst` summarizing the change and linking to the issue.
-- [ ] Add `.. versionchanged::` entries in any relevant code docs.
-- [ ] Run `pre-commit` hooks and fix any issues.
-- [ ] Run `pytest` and `tox`, no tests failed.

.github/workflows/lock.yaml

@@ -1,21 +1,24 @@
-name: 'Lock threads'
-# Lock closed issues that have not received any further activity for
-# two weeks. This does not close open issues, only humans may do that.
-# We find that it is easier to respond to new issues with fresh examples
-# rather than continuing discussions on old issues.
+name: Lock inactive closed issues
+# Lock closed issues that have not received any further activity for two weeks.
+# This does not close open issues, only humans may do that. It is easier to
+# respond to new issues with fresh examples rather than continuing discussions
+# on old issues.
+
 on:
   schedule:
     - cron: '0 0 * * *'
 permissions:
   issues: write
   pull-requests: write
+  discussions: write
 concurrency:
   group: lock
 jobs:
   lock:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@7de207be1d3ce97a9abe6ff1306222982d1ca9f9
+      - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
         with:
           issue-inactive-days: 14
           pr-inactive-days: 14
+          discussion-inactive-days: 14

.github/workflows/pre-commit.yaml

@@ -0,0 +1,25 @@
+name: pre-commit
+on:
+  pull_request:
+  push:
+    branches: [main, stable]
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: astral-sh/setup-uv@d9e0f98d3fc6adb07d1e3d37f3043649ddad06a1 # v6.5.0
+        with:
+          enable-cache: true
+          prune-cache: false
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        id: setup-python
+        with:
+          python-version-file: pyproject.toml
+      - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit|${{ hashFiles('pyproject.toml', '.pre-commit-config.yaml') }}
+      - run: uv run --locked --group pre-commit pre-commit run --show-diff-on-failure --color=always --all-files
+      - uses: pre-commit-ci/lite-action@5d6cc0eb514c891a40562a58a8e71576c5c7fb43 # v1.1.0
+        if: ${{ !cancelled() }}

.github/workflows/publish.yaml

@@ -1,69 +1,58 @@
 name: Publish
 on:
   push:
-    tags:
-      - '*'
+    tags: ['*']
 jobs:
   build:
     runs-on: ubuntu-latest
     outputs:
-      hash: ${{ steps.hash.outputs.hash }}
+      artifact-id: ${{ steps.upload-artifact.outputs.artifact-id }}
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
-      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
-          python-version: '3.x'
-          cache: pip
-          cache-dependency-path: requirements*/*.txt
-      - run: pip install -r requirements/build.txt
-      # Use the commit date instead of the current date during the build.
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@d9e0f98d3fc6adb07d1e3d37f3043649ddad06a1 # v6.5.0
+        with:
+          enable-cache: true
+          prune-cache: false
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version-file: pyproject.toml
       - run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
-      - run: python -m build
-      # Generate hashes used for provenance.
-      - name: generate hash
-        id: hash
-        run: cd dist && echo "hash=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
+      - run: uv build
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        id: upload-artifact
         with:
           name: dist
-          path: ./dist
-  provenance:
-    needs: [build]
-    permissions:
-      actions: read
-      id-token: write
-      contents: write
-    # Can't pin with hash due to how this workflow works.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
-    with:
-      base64-subjects: ${{ needs.build.outputs.hash }}
+          path: dist/
+          if-no-files-found: error
   create-release:
-    # Upload the sdist, wheels, and provenance to a GitHub release. They remain
-    # available as build artifacts for a while as well.
-    needs: [provenance]
+    needs: [build]
     runs-on: ubuntu-latest
     permissions:
       contents: write
     steps:
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
+      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        with:
+          artifact-ids: ${{ needs.build.outputs.artifact-id }}
+          path: dist/
       - name: create release
-        run: >
-          gh release create --draft --repo ${{ github.repository }}
-          ${{ github.ref_name }}
-          *.intoto.jsonl/* dist/*
+        run: gh release create --draft --repo ${{ github.repository }} ${{ github.ref_name }} dist/*
         env:
           GH_TOKEN: ${{ github.token }}
   publish-pypi:
-    needs: [provenance]
-    # Wait for approval before attempting to upload to PyPI. This allows reviewing the
-    # files in the draft release.
-    environment: publish
+    needs: [build]
+    environment:
+      name: publish
+      url: https://pypi.org/project/Flask/${{ github.ref_name }}
     runs-on: ubuntu-latest
     permissions:
       id-token: write
     steps:
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
-      - uses: pypa/gh-action-pypi-publish@f946db0f765b9ae754e44bfd5ae5b8b91cfb37ef
+      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
-          repository-url: https://test.pypi.org/legacy/
-      - uses: pypa/gh-action-pypi-publish@f946db0f765b9ae754e44bfd5ae5b8b91cfb37ef
+          artifact-ids: ${{ needs.build.outputs.artifact-id }}
+          path: dist/
+      - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+        with:
+          packages-dir: "dist/"

.github/workflows/tests.yaml

@@ -1,49 +1,51 @@
 name: Tests
 on:
-  push:
-    branches:
-      - main
-      - '*.x'
-    paths-ignore:
-      - 'docs/**'
-      - '*.md'
-      - '*.rst'
   pull_request:
-    paths-ignore:
-      - 'docs/**'
-      - '*.md'
-      - '*.rst'
+    paths-ignore: ['docs/**', 'README.md']
+  push:
+    branches: [main, stable]
+    paths-ignore: ['docs/**', 'README.md']
 jobs:
   tests:
-    name: ${{ matrix.name }}
-    runs-on: ${{ matrix.os }}
+    name: ${{ matrix.name || matrix.python }}
+    runs-on: ${{ matrix.os || 'ubuntu-latest' }}
     strategy:
       fail-fast: false
       matrix:
         include:
-          - {name: Linux, python: '3.12', os: ubuntu-latest, tox: py312}
-          - {name: Windows, python: '3.12', os: windows-latest, tox: py312}
-          - {name: Mac, python: '3.12', os: macos-latest, tox: py312}
-          - {name: '3.11', python: '3.11', os: ubuntu-latest, tox: py311}
-          - {name: '3.10', python: '3.10', os: ubuntu-latest, tox: py310}
-          - {name: '3.9', python: '3.9', os: ubuntu-latest, tox: py39}
-          - {name: '3.8', python: '3.8', os: ubuntu-latest, tox: py38}
-          - {name: 'PyPy', python: 'pypy-3.10', os: ubuntu-latest, tox: pypy310}
-          - {name: 'Minimum Versions', python: '3.12', os: ubuntu-latest, tox: py312-min}
-          - {name: 'Development Versions', python: '3.8', os: ubuntu-latest, tox: py38-dev}
-          - {name: Typing, python: '3.12', os: ubuntu-latest, tox: typing}
+          - {python: '3.13'}
+          - {name: Windows, python: '3.13', os: windows-latest}
+          - {name: Mac, python: '3.13', os: macos-latest}
+          - {python: '3.12'}
+          - {python: '3.11'}
+          - {python: '3.10'}
+          - {name: PyPy, python: 'pypy-3.11', tox: pypy3.11}
+          - {name: Minimum Versions, python: '3.13', tox: tests-min}
+          - {name: Development Versions, python: '3.10', tox: tests-dev}
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
-      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: astral-sh/setup-uv@d9e0f98d3fc6adb07d1e3d37f3043649ddad06a1 # v6.5.0
+        with:
+          enable-cache: true
+          prune-cache: false
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: ${{ matrix.python }}
-          cache: 'pip'
-          cache-dependency-path: requirements*/*.txt
+      - run: uv run --locked tox run -e ${{ matrix.tox || format('py{0}', matrix.python) }}
+  typing:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: astral-sh/setup-uv@d9e0f98d3fc6adb07d1e3d37f3043649ddad06a1 # v6.5.0
+        with:
+          enable-cache: true
+          prune-cache: false
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version-file: pyproject.toml
       - name: cache mypy
-        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: ./.mypy_cache
-          key: mypy|${{ matrix.python }}|${{ hashFiles('pyproject.toml') }}
-        if: matrix.tox == 'typing'
-      - run: pip install tox
-      - run: tox run -e ${{ matrix.tox }}
+          key: mypy|${{ hashFiles('pyproject.toml') }}
+      - run: uv run --locked tox run -e typing

.gitignore

@@ -1,10 +1,8 @@
 .idea/
 .vscode/
 __pycache__/
-.tox/
-.coverage
-.coverage.*
-htmlcov/
-docs/_build/
 dist/
-venv/
+.coverage*
+htmlcov/
+.tox/
+docs/_build/

.pre-commit-config.yaml

@@ -1,13 +1,15 @@
-ci:
-  autoupdate_schedule: monthly
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.1.13
+    rev: 54a455f7ce629598b7535ff828fd5fb796f4b83f  # frozen: v0.12.9
     hooks:
       - id: ruff
       - id: ruff-format
+  - repo: https://github.com/astral-sh/uv-pre-commit
+    rev: f9572a6b06237978e1d52fad0ae55bac5e36da26  # frozen: 0.8.12
+    hooks:
+      - id: uv-lock
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c  # frozen: v6.0.0
     hooks:
       - id: check-merge-conflict
       - id: debug-statements

.readthedocs.yaml

@@ -1,13 +1,10 @@
 version: 2
 build:
-  os: ubuntu-22.04
+  os: ubuntu-24.04
   tools:
-    python: "3.12"
-python:
-  install:
-    - requirements: requirements/docs.txt
-    - method: pip
-      path: .
-sphinx:
-  builder: dirhtml
-  fail_on_warning: true
+    python: '3.13'
+  commands:
+    - asdf plugin add uv
+    - asdf install uv latest
+    - asdf global uv latest
+    - uv run --group docs sphinx-build -W -b dirhtml docs $READTHEDOCS_OUTPUT/html

CHANGES.rst

@@ -1,3 +1,88 @@
+Version 3.2.0
+-------------
+
+Unreleased
+
+-   Drop support for Python 3.9. :pr:`5730`
+-   Remove previously deprecated code: ``__version__``. :pr:`5648`
+-   ``RequestContext`` has merged with ``AppContext``. ``RequestContext`` is now
+    a deprecated alias. If an app context is already pushed, it is not reused
+    when dispatching a request. This greatly simplifies the internal code for tracking
+    the active context. :issue:`5639`
+-   ``template_filter``, ``template_test``, and ``template_global`` decorators
+    can be used without parentheses. :issue:`5729`
+
+
+Version 3.1.2
+-------------
+
+Released 2025-08-19
+
+-   ``stream_with_context`` does not fail inside async views. :issue:`5774`
+-   When using ``follow_redirects`` in the test client, the final state
+    of ``session`` is correct. :issue:`5786`
+-   Relax type hint for passing bytes IO to ``send_file``. :issue:`5776`
+
+
+Version 3.1.1
+-------------
+
+Released 2025-05-13
+
+-   Fix signing key selection order when key rotation is enabled via
+    ``SECRET_KEY_FALLBACKS``. :ghsa:`4grg-w6v8-c28g`
+-   Fix type hint for ``cli_runner.invoke``. :issue:`5645`
+-   ``flask --help`` loads the app and plugins first to make sure all commands
+    are shown. :issue:`5673`
+-   Mark sans-io base class as being able to handle views that return
+    ``AsyncIterable``. This is not accurate for Flask, but makes typing easier
+    for Quart. :pr:`5659`
+
+
+Version 3.1.0
+-------------
+
+Released 2024-11-13
+
+-   Drop support for Python 3.8. :pr:`5623`
+-   Update minimum dependency versions to latest feature releases.
+    Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. :pr:`5624,5633`
+-   Provide a configuration option to control automatic option
+    responses. :pr:`5496`
+-   ``Flask.open_resource``/``open_instance_resource`` and
+    ``Blueprint.open_resource`` take an ``encoding`` parameter to use when
+    opening in text mode. It defaults to ``utf-8``. :issue:`5504`
+-   ``Request.max_content_length`` can be customized per-request instead of only
+    through the ``MAX_CONTENT_LENGTH`` config. Added
+    ``MAX_FORM_MEMORY_SIZE`` and ``MAX_FORM_PARTS`` config. Added documentation
+    about resource limits to the security page. :issue:`5625`
+-   Add support for the ``Partitioned`` cookie attribute (CHIPS), with the
+    ``SESSION_COOKIE_PARTITIONED`` config. :issue:`5472`
+-   ``-e path`` takes precedence over default ``.env`` and ``.flaskenv`` files.
+    ``load_dotenv`` loads default files in addition to a path unless
+    ``load_defaults=False`` is passed. :issue:`5628`
+-   Support key rotation with the ``SECRET_KEY_FALLBACKS`` config, a list of old
+    secret keys that can still be used for unsigning. Extensions will need to
+    add support. :issue:`5621`
+-   Fix how setting ``host_matching=True`` or ``subdomain_matching=False``
+    interacts with ``SERVER_NAME``. Setting ``SERVER_NAME`` no longer restricts
+    requests to only that domain. :issue:`5553`
+-   ``Request.trusted_hosts`` is checked during routing, and can be set through
+    the ``TRUSTED_HOSTS`` config. :issue:`5636`
+
+
+Version 3.0.3
+-------------
+
+Released 2024-04-07
+
+-   The default ``hashlib.sha1`` may not be available in FIPS builds. Don't
+    access it at import time so the developer has time to change the default.
+    :issue:`5448`
+-   Don't initialize the ``cli`` attribute in the sansio scaffold, but rather in
+    the ``Flask`` concrete class. :pr:`5270`
+
+
 Version 3.0.2
 -------------
 
@@ -13,7 +98,7 @@ Version 3.0.1
 
 Released 2024-01-18
 
--   Correct type for ``path`` argument to ``send_file``. :issue:`5230`
+-   Correct type for ``path`` argument to ``send_file``. :issue:`5336`
 -   Fix a typo in an error message for the ``flask run --key`` option. :pr:`5344`
 -   Session data is untagged without relying on the built-in ``json.loads``
     ``object_hook``. This allows other JSON providers that don't implement that.
@@ -53,6 +138,7 @@ Released 2023-05-01
 
 -   Set ``Vary: Cookie`` header when the session is accessed, modified, or refreshed.
 -   Update Werkzeug requirement to >=2.3.3 to apply recent bug fixes.
+    :ghsa:`m2qf-hxjv-5gpq`
 
 
 Version 2.3.1
@@ -823,7 +909,7 @@ Released 2018-04-26
     explicitly for each exception if you want to avoid traversing the
     MRO. :pr:`2362`
 -   Fix incorrect JSON encoding of aware, non-UTC datetimes. :pr:`2374`
--   Template auto reloading will honor debug mode even even if
+-   Template auto reloading will honor debug mode even if
     ``Flask.jinja_env`` was already accessed. :pr:`2373`
 -   The following old deprecated code was removed. :issue:`2385`
 
@@ -1305,7 +1391,7 @@ Released 2011-09-29, codename Rakija
     of Flask itself and no longer of the test client. This cleaned up
     some internal logic and lowers the odds of runaway request contexts
     in unittests.
--   Fixed the Jinja2 environment's ``list_templates`` method not
+-   Fixed the Jinja environment's ``list_templates`` method not
     returning the correct names when blueprints or modules were
     involved.
 
@@ -1391,7 +1477,7 @@ Released 2010-12-31
 
 -   Fixed an issue where the default ``OPTIONS`` response was not
     exposing all valid methods in the ``Allow`` header.
--   Jinja2 template loading syntax now allows "./" in front of a
+-   Jinja template loading syntax now allows "./" in front of a
     template load path. Previously this caused issues with module
     setups.
 -   Fixed an issue where the subdomain setting for modules was ignored

CODE_OF_CONDUCT.md

@@ -1,76 +0,0 @@
-# Contributor Covenant Code of Conduct
-
-## Our Pledge
-
-In the interest of fostering an open and welcoming environment, we as
-contributors and maintainers pledge to making participation in our project and
-our community a harassment-free experience for everyone, regardless of age, body
-size, disability, ethnicity, sex characteristics, gender identity and expression,
-level of experience, education, socio-economic status, nationality, personal
-appearance, race, religion, or sexual identity and orientation.
-
-## Our Standards
-
-Examples of behavior that contributes to creating a positive environment
-include:
-
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery and unwelcome sexual attention or
- advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic
- address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
- professional setting
-
-## Our Responsibilities
-
-Project maintainers are responsible for clarifying the standards of acceptable
-behavior and are expected to take appropriate and fair corrective action in
-response to any instances of unacceptable behavior.
-
-Project maintainers have the right and responsibility to remove, edit, or
-reject comments, commits, code, wiki edits, issues, and other contributions
-that are not aligned to this Code of Conduct, or to ban temporarily or
-permanently any contributor for other behaviors that they deem inappropriate,
-threatening, offensive, or harmful.
-
-## Scope
-
-This Code of Conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community. Examples of
-representing a project or community include using an official project e-mail
-address, posting via an official social media account, or acting as an appointed
-representative at an online or offline event. Representation of a project may be
-further defined and clarified by project maintainers.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at report@palletsprojects.com. All
-complaints will be reviewed and investigated and will result in a response that
-is deemed necessary and appropriate to the circumstances. The project team is
-obligated to maintain confidentiality with regard to the reporter of an incident.
-Further details of specific enforcement policies may be posted separately.
-
-Project maintainers who do not follow or enforce the Code of Conduct in good
-faith may face temporary or permanent repercussions as determined by other
-members of the project's leadership.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
-available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
-
-[homepage]: https://www.contributor-covenant.org
-
-For answers to common questions about this code of conduct, see
-https://www.contributor-covenant.org/faq

CONTRIBUTING.rst

@@ -1,238 +0,0 @@
-How to contribute to Flask
-==========================
-
-Thank you for considering contributing to Flask!
-
-
-Support questions
------------------
-
-Please don't use the issue tracker for this. The issue tracker is a tool
-to address bugs and feature requests in Flask itself. Use one of the
-following resources for questions about using Flask or issues with your
-own code:
-
--   The ``#questions`` channel on our Discord chat:
-    https://discord.gg/pallets
--   Ask on `Stack Overflow`_. Search with Google first using:
-    ``site:stackoverflow.com flask {search term, exception message, etc.}``
--   Ask on our `GitHub Discussions`_ for long term discussion or larger
-    questions.
-
-.. _Stack Overflow: https://stackoverflow.com/questions/tagged/flask?tab=Frequent
-.. _GitHub Discussions: https://github.com/pallets/flask/discussions
-
-
-Reporting issues
-----------------
-
-Include the following information in your post:
-
--   Describe what you expected to happen.
--   If possible, include a `minimal reproducible example`_ to help us
-    identify the issue. This also helps check that the issue is not with
-    your own code.
--   Describe what actually happened. Include the full traceback if there
-    was an exception.
--   List your Python and Flask versions. If possible, check if this
-    issue is already fixed in the latest releases or the latest code in
-    the repository.
-
-.. _minimal reproducible example: https://stackoverflow.com/help/minimal-reproducible-example
-
-
-Submitting patches
-------------------
-
-If there is not an open issue for what you want to submit, prefer
-opening one for discussion before working on a PR. You can work on any
-issue that doesn't have an open PR linked to it or a maintainer assigned
-to it. These show up in the sidebar. No need to ask if you can work on
-an issue that interests you.
-
-Include the following in your patch:
-
--   Use `Black`_ to format your code. This and other tools will run
-    automatically if you install `pre-commit`_ using the instructions
-    below.
--   Include tests if your patch adds or changes code. Make sure the test
-    fails without your patch.
--   Update any relevant docs pages and docstrings. Docs pages and
-    docstrings should be wrapped at 72 characters.
--   Add an entry in ``CHANGES.rst``. Use the same style as other
-    entries. Also include ``.. versionchanged::`` inline changelogs in
-    relevant docstrings.
-
-.. _Black: https://black.readthedocs.io
-.. _pre-commit: https://pre-commit.com
-
-
-First time setup using GitHub Codespaces
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-`GitHub Codespaces`_ creates a development environment that is already set up for the
-project. By default it opens in Visual Studio Code for the Web, but this can
-be changed in your GitHub profile settings to use Visual Studio Code or JetBrains
-PyCharm on your local computer.
-
--   Make sure you have a `GitHub account`_.
--   From the project's repository page, click the green "Code" button and then "Create
-    codespace on main".
--   The codespace will be set up, then Visual Studio Code will open. However, you'll
-    need to wait a bit longer for the Python extension to be installed. You'll know it's
-    ready when the terminal at the bottom shows that the virtualenv was activated.
--   Check out a branch and `start coding`_.
-
-.. _GitHub Codespaces: https://docs.github.com/en/codespaces
-.. _devcontainer: https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers
-
-First time setup in your local environment
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
--   Make sure you have a `GitHub account`_.
--   Download and install the `latest version of git`_.
--   Configure git with your `username`_ and `email`_.
-
-    .. code-block:: text
-
-        $ git config --global user.name 'your name'
-        $ git config --global user.email 'your email'
-
--   Fork Flask to your GitHub account by clicking the `Fork`_ button.
--   `Clone`_ your fork locally, replacing ``your-username`` in the command below with
-    your actual username.
-
-    .. code-block:: text
-
-        $ git clone https://github.com/your-username/flask
-        $ cd flask
-
--   Create a virtualenv. Use the latest version of Python.
-
-    - Linux/macOS
-
-      .. code-block:: text
-
-         $ python3 -m venv .venv
-         $ . .venv/bin/activate
-
-    - Windows
-
-      .. code-block:: text
-
-         > py -3 -m venv .venv
-         > .venv\Scripts\activate
-
--   Install the development dependencies, then install Flask in editable mode.
-
-    .. code-block:: text
-
-        $ python -m pip install -U pip
-        $ pip install -r requirements/dev.txt && pip install -e .
-
--   Install the pre-commit hooks.
-
-    .. code-block:: text
-
-        $ pre-commit install --install-hooks
-
-.. _GitHub account: https://github.com/join
-.. _latest version of git: https://git-scm.com/downloads
-.. _username: https://docs.github.com/en/github/using-git/setting-your-username-in-git
-.. _email: https://docs.github.com/en/github/setting-up-and-managing-your-github-user-account/setting-your-commit-email-address
-.. _Fork: https://github.com/pallets/flask/fork
-.. _Clone: https://docs.github.com/en/github/getting-started-with-github/fork-a-repo#step-2-create-a-local-clone-of-your-fork
-
-.. _start coding:
-
-Start coding
-~~~~~~~~~~~~
-
--   Create a branch to identify the issue you would like to work on. If you're
-    submitting a bug or documentation fix, branch off of the latest ".x" branch.
-
-    .. code-block:: text
-
-        $ git fetch origin
-        $ git checkout -b your-branch-name origin/2.0.x
-
-    If you're submitting a feature addition or change, branch off of the "main" branch.
-
-    .. code-block:: text
-
-        $ git fetch origin
-        $ git checkout -b your-branch-name origin/main
-
--   Using your favorite editor, make your changes, `committing as you go`_.
-
-    -   If you are in a codespace, you will be prompted to `create a fork`_ the first
-        time you make a commit. Enter ``Y`` to continue.
-
--   Include tests that cover any code changes you make. Make sure the test fails without
-    your patch. Run the tests as described below.
--   Push your commits to your fork on GitHub and `create a pull request`_. Link to the
-    issue being addressed with ``fixes #123`` in the pull request description.
-
-    .. code-block:: text
-
-        $ git push --set-upstream origin your-branch-name
-
-.. _committing as you go: https://afraid-to-commit.readthedocs.io/en/latest/git/commandlinegit.html#commit-your-changes
-.. _create a fork: https://docs.github.com/en/codespaces/developing-in-codespaces/using-source-control-in-your-codespace#about-automatic-forking
-.. _create a pull request: https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request
-
-.. _Running the tests:
-
-Running the tests
-~~~~~~~~~~~~~~~~~
-
-Run the basic test suite with pytest.
-
-.. code-block:: text
-
-    $ pytest
-
-This runs the tests for the current environment, which is usually
-sufficient. CI will run the full suite when you submit your pull
-request. You can run the full test suite with tox if you don't want to
-wait.
-
-.. code-block:: text
-
-    $ tox
-
-
-Running test coverage
-~~~~~~~~~~~~~~~~~~~~~
-
-Generating a report of lines that do not have test coverage can indicate
-where to start contributing. Run ``pytest`` using ``coverage`` and
-generate a report.
-
-If you are using GitHub Codespaces, ``coverage`` is already installed
-so you can skip the installation command.
-
-.. code-block:: text
-
-    $ pip install coverage
-    $ coverage run -m pytest
-    $ coverage html
-
-Open ``htmlcov/index.html`` in your browser to explore the report.
-
-Read more about `coverage <https://coverage.readthedocs.io>`__.
-
-
-Building the docs
-~~~~~~~~~~~~~~~~~
-
-Build the docs in the ``docs`` directory using Sphinx.
-
-.. code-block:: text
-
-    $ cd docs
-    $ make html
-
-Open ``_build/html/index.html`` in your browser to view the docs.
-
-Read more about `Sphinx <https://www.sphinx-doc.org/en/stable/>`__.

README.md

@@ -0,0 +1,53 @@
+<div align="center"><img src="https://raw.githubusercontent.com/pallets/flask/refs/heads/stable/docs/_static/flask-name.svg" alt="" height="150"></div>
+
+# Flask
+
+Flask is a lightweight [WSGI] web application framework. It is designed
+to make getting started quick and easy, with the ability to scale up to
+complex applications. It began as a simple wrapper around [Werkzeug]
+and [Jinja], and has become one of the most popular Python web
+application frameworks.
+
+Flask offers suggestions, but doesn't enforce any dependencies or
+project layout. It is up to the developer to choose the tools and
+libraries they want to use. There are many extensions provided by the
+community that make adding new functionality easy.
+
+[WSGI]: https://wsgi.readthedocs.io/
+[Werkzeug]: https://werkzeug.palletsprojects.com/
+[Jinja]: https://jinja.palletsprojects.com/
+
+## A Simple Example
+
+```python
+# save this as app.py
+from flask import Flask
+
+app = Flask(__name__)
+
+@app.route("/")
+def hello():
+    return "Hello, World!"
+```
+
+```
+$ flask run
+  * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
+```
+
+## Donate
+
+The Pallets organization develops and supports Flask and the libraries
+it uses. In order to grow the community of contributors and users, and
+allow the maintainers to devote more time to the projects, [please
+donate today].
+
+[please donate today]: https://palletsprojects.com/donate
+
+## Contributing
+
+See our [detailed contributing documentation][contrib] for many ways to
+contribute, including reporting issues, requesting features, asking or answering
+questions, and making PRs.
+
+[contrib]: https://palletsprojects.com/contributing/

README.rst

@@ -1,80 +0,0 @@
-Flask
-=====
-
-Flask is a lightweight `WSGI`_ web application framework. It is designed
-to make getting started quick and easy, with the ability to scale up to
-complex applications. It began as a simple wrapper around `Werkzeug`_
-and `Jinja`_ and has become one of the most popular Python web
-application frameworks.
-
-Flask offers suggestions, but doesn't enforce any dependencies or
-project layout. It is up to the developer to choose the tools and
-libraries they want to use. There are many extensions provided by the
-community that make adding new functionality easy.
-
-.. _WSGI: https://wsgi.readthedocs.io/
-.. _Werkzeug: https://werkzeug.palletsprojects.com/
-.. _Jinja: https://jinja.palletsprojects.com/
-
-
-Installing
-----------
-
-Install and update using `pip`_:
-
-.. code-block:: text
-
-    $ pip install -U Flask
-
-.. _pip: https://pip.pypa.io/en/stable/getting-started/
-
-
-A Simple Example
-----------------
-
-.. code-block:: python
-
-    # save this as app.py
-    from flask import Flask
-
-    app = Flask(__name__)
-
-    @app.route("/")
-    def hello():
-        return "Hello, World!"
-
-.. code-block:: text
-
-    $ flask run
-      * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
-
-
-Contributing
-------------
-
-For guidance on setting up a development environment and how to make a
-contribution to Flask, see the `contributing guidelines`_.
-
-.. _contributing guidelines: https://github.com/pallets/flask/blob/main/CONTRIBUTING.rst
-
-
-Donate
-------
-
-The Pallets organization develops and supports Flask and the libraries
-it uses. In order to grow the community of contributors and users, and
-allow the maintainers to devote more time to the projects, `please
-donate today`_.
-
-.. _please donate today: https://palletsprojects.com/donate
-
-
-Links
------
-
--   Documentation: https://flask.palletsprojects.com/
--   Changes: https://flask.palletsprojects.com/changes/
--   PyPI Releases: https://pypi.org/project/Flask/
--   Source Code: https://github.com/pallets/flask/
--   Issue Tracker: https://github.com/pallets/flask/issues/
--   Chat: https://discord.gg/pallets

docs/_static/flask-icon.svg

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="100%" height="100%" viewBox="0 0 500 500" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;">
+    <rect id="Icon" x="0" y="0" width="500" height="500" style="fill:none;"/>
+    <clipPath id="_clip1">
+        <rect x="0" y="0" width="500" height="500"/>
+    </clipPath>
+    <g clip-path="url(#_clip1)">
+        <g>
+            <path d="M224.446,59.975c-0.056,-4.151 -0.483,-5.543 -2.7,-6.823c-2.104,-1.393 -5.288,-1.421 -8.329,-0.085l-204.674,87.64c-3.042,1.336 -5.913,4.008 -7.448,6.908c-1.535,2.899 -1.705,5.97 -0.511,8.158l17.084,31.384l0.228,0.369c1.847,2.928 6.026,3.696 10.29,1.82l1.251,-0.54c5.344,22.4 14.1,50.429 25.783,70.413l178.294,-79.794c-2.559,-23.14 -9.552,-89.602 -9.268,-119.479l0,0.029Z" style="fill:#3babc3;fill-rule:nonzero;"/>
+            <path d="M238.603,205.776l-171.698,76.838c10.091,19.132 22.542,39.428 37.722,58.986c50.429,-25.698 100.887,-51.396 151.316,-77.094c-3.269,-8.471 -6.452,-17.653 -17.34,-58.73Z" style="fill:#3babc3;fill-rule:nonzero;"/>
+            <path d="M497.601,388.846l-12.139,-18.535c-1.819,-2.018 -4.633,-2.786 -7.106,-1.791l-15.578,5.999c-1.848,-2.047 -4.52,-2.815 -7.135,-1.791c-5.089,1.99 -10.206,4.008 -15.294,5.998c-1.649,0.625 -2.104,1.847 -1.791,3.439l0.995,4.861c-28.711,3.099 -77.236,1.564 -120.701,-32.577c-19.216,-15.066 -37.239,-36.386 -52.277,-66.206l-144.75,73.768c26.466,29.08 59.697,54.864 100.973,70.385c57.422,21.633 130.593,23.679 222.838,-13.475l0.512,2.616c0.455,2.928 3.98,6.026 8.755,4.15l15.323,-5.97c5.258,-1.99 5.287,-6.026 4.519,-8.641l19.729,-7.704c2.217,-0.853 9.096,-6.169 3.183,-14.526l-0.056,-0Z" style="fill:#3babc3;fill-rule:nonzero;"/>
+        </g>
+    </g>
+</svg>

docs/_static/flask-logo.svg

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="100%" height="100%" viewBox="0 0 500 500" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;">
+    <rect id="Logo" x="0" y="0" width="500" height="500" style="fill:none;"/>
+    <g>
+        <path id="Box" d="M500,50l0,400c0,27.596 -22.404,50 -50,50l-400,0c-27.596,0 -50,-22.404 -50,-50l0,-400c0,-27.596 22.404,-50 50,-50l400,0c27.596,0 50,22.404 50,50Z" style="fill:url(#_Linear1);"/>
+        <path id="Shadow" d="M500,398.646l0,51.354c0,27.596 -22.404,50 -50,50l-94.111,0l-170.452,-170.451c13.541,12.279 29.511,22.845 48.242,29.888c34.453,12.98 78.356,14.208 133.703,-8.084l0.307,1.569c0.273,1.757 2.388,3.616 5.253,2.49l9.193,-3.582c3.156,-1.194 3.173,-3.616 2.712,-5.185l11.837,-4.622c1.331,-0.512 5.458,-3.701 1.91,-8.716l-0.034,0l-7.283,-11.12c-1.091,-1.211 -2.78,-1.672 -4.264,-1.075l-9.346,3.599c-1.109,-1.228 -2.712,-1.688 -4.281,-1.074c-3.054,1.194 -6.124,2.404 -9.177,3.598c-0.989,0.376 -1.262,1.109 -1.074,2.064l0.597,2.917c-17.227,1.859 -46.342,0.938 -72.421,-19.547c-11.53,-9.039 -22.343,-21.831 -31.366,-39.723l-83.923,42.769l-13.246,-10.755c30.258,-15.419 60.532,-30.837 90.79,-46.256c-1.961,-5.083 -3.872,-10.592 -10.404,-35.238l-98.082,43.893l-11.828,-11.828l106.976,-47.876c-1.534,-13.88 -5.728,-53.736 -5.56,-71.67l-0,-0.017c-0.027,-1.894 -0.184,-2.827 -0.85,-3.504l266.182,266.182Zm-388.562,-185.436c1.272,1.164 3.414,1.356 5.594,0.397l0.75,-0.324c0.645,2.703 1.373,5.543 2.181,8.452l-8.525,-8.525Z" style="fill:#3b808b;"/>
+        <g id="Icon">
+            <path d="M234.668,135.985c-0.034,-2.49 -0.29,-3.326 -1.62,-4.094c-1.263,-0.835 -3.173,-0.852 -4.998,-0.051l-122.804,52.584c-1.825,0.802 -3.548,2.405 -4.469,4.145c-0.921,1.74 -1.023,3.582 -0.307,4.895l10.251,18.83l0.136,0.222c1.109,1.757 3.616,2.217 6.175,1.091l0.75,-0.324c3.207,13.441 8.46,30.258 15.47,42.248l106.976,-47.876c-1.535,-13.884 -5.731,-53.761 -5.56,-71.687l-0,0.017Z" style="fill:#fff;fill-rule:nonzero;"/>
+            <path d="M243.162,223.466l-103.019,46.103c6.055,11.478 13.525,23.656 22.633,35.391c30.258,-15.419 60.532,-30.837 90.79,-46.256c-1.961,-5.083 -3.872,-10.592 -10.404,-35.238Z" style="fill:#fff;fill-rule:nonzero;"/>
+            <path d="M398.56,333.307l-7.283,-11.12c-1.091,-1.211 -2.78,-1.672 -4.264,-1.075l-9.346,3.599c-1.109,-1.228 -2.712,-1.688 -4.281,-1.074c-3.054,1.194 -6.124,2.404 -9.177,3.598c-0.989,0.376 -1.262,1.109 -1.074,2.064l0.597,2.917c-17.227,1.859 -46.342,0.938 -72.421,-19.547c-11.53,-9.039 -22.343,-21.831 -31.366,-39.723l-86.85,44.26c15.879,17.449 35.818,32.919 60.584,42.231c34.453,12.98 78.356,14.208 133.703,-8.084l0.307,1.569c0.273,1.757 2.388,3.616 5.253,2.49l9.193,-3.582c3.156,-1.194 3.173,-3.616 2.712,-5.185l11.837,-4.622c1.331,-0.512 5.458,-3.701 1.91,-8.716l-0.034,0Z" style="fill:#fff;fill-rule:nonzero;"/>
+        </g>
+    </g>
+    <defs>
+        <linearGradient id="_Linear1" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(3.06162e-14,500,-500,3.06162e-14,267.59,0)"><stop offset="0" style="stop-color:#bdddeb;stop-opacity:1"/><stop offset="1" style="stop-color:#53a9d1;stop-opacity:1"/></linearGradient>
+    </defs>
+</svg>

docs/_static/flask-name.svg

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="100%" height="100%" viewBox="0 0 706 300" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;">
+    <g>
+        <path id="Name" d="M420.35,117.6l-37.65,-0c-4.4,-0 -7.475,0.85 -9.225,2.55c-1.75,1.7 -2.625,4.65 -2.625,8.85l-0,14.85l39.15,-0l-1.5,18.6l-37.65,-0l-0,43.35l-20.85,-0l-0,-85.05c-0,-7.9 1.725,-13.5 5.175,-16.8c3.45,-3.3 9.375,-4.95 17.775,-4.95l47.4,-0l0,18.6Z" style="fill-rule:nonzero;"/>
+        <path d="M455.75,205.8l-19.5,0.15l-0,-112.95l19.5,-0l-0,112.8Z" style="fill-rule:nonzero;"/>
+        <path d="M535.7,205.8l-13.05,-0l-6,-10.35l-20.85,11.25c-11.6,-0 -19.4,-4.2 -23.4,-12.6c-2,-4.1 -3.375,-8.525 -4.125,-13.275c-0.75,-4.75 -1.125,-9.7 -1.125,-14.85c-0,-5.15 0.05,-8.95 0.15,-11.4c0.1,-2.45 0.35,-5.3 0.75,-8.55c0.4,-3.25 0.975,-5.975 1.725,-8.175c0.75,-2.2 1.825,-4.475 3.225,-6.825c1.4,-2.35 3.1,-4.225 5.1,-5.625c4.5,-3.1 10.35,-4.65 17.55,-4.65l20.55,-0l19.5,-1.2l-0,86.25Zm-19.5,-27.3l-0,-40.2l-14.85,-0c-5.5,-0 -9.325,2.1 -11.475,6.3c-2.15,4.2 -3.225,10.475 -3.225,18.825c-0,8.35 1.025,14.225 3.075,17.625c2.05,3.4 5.925,5.1 11.625,5.1l14.85,-7.65Z" style="fill-rule:nonzero;"/>
+        <path d="M615.65,182.1l0,2.25c-0.6,7.5 -3.775,13.15 -9.525,16.95c-5.75,3.8 -12.925,5.7 -21.525,5.7c-12.7,-0 -21.6,-2.3 -26.7,-6.9c-4.7,-4.2 -7.05,-10.4 -7.05,-18.6l0,-1.8l17.7,0c0,4.6 1.2,7.75 3.6,9.45c2.4,1.7 6.55,2.55 12.45,2.55c8,0 12,-2.9 12,-8.7c0,-4.8 -1.4,-8 -4.2,-9.6c-1.3,-0.8 -2.95,-1.4 -4.95,-1.8l-15.15,-2.55c-13.2,-2.1 -19.8,-10.35 -19.8,-24.75c0,-8 2.925,-14.225 8.775,-18.675c5.85,-4.45 13.275,-6.675 22.275,-6.675c20.5,0 30.75,8.85 30.75,26.55l0,1.95l-16.95,0c-0.2,-4.7 -1.45,-7.9 -3.75,-9.6c-2.3,-1.7 -5.525,-2.55 -9.675,-2.55c-4.15,0 -7.275,0.825 -9.375,2.475c-2.1,1.65 -3.15,3.475 -3.15,5.475c0,5.7 2.3,8.95 6.9,9.75l18.15,3.3c12.8,2.4 19.2,11 19.2,25.8Z" style="fill-rule:nonzero;"/>
+        <path d="M705.65,205.8l-23.4,-0l-22.5,-30.3l-8.55,12.15l0,18.15l-19.5,-0l0,-112.8l19.5,-0l0,71.25l27.3,-40.65l22.05,-0l-28.05,38.4l33.15,43.8Z" style="fill-rule:nonzero;"/>
+        <g id="Logo">
+            <path id="Box" d="M300,30l0,240c0,16.557 -13.443,30 -30,30l-240,-0c-16.557,-0 -30,-13.443 -30,-30l0,-240c0,-16.557 13.443,-30 30,-30l240,0c16.557,0 30,13.443 30,30Z" style="fill:url(#_Linear1);"/>
+            <path id="Shadow" d="M300,239.188l0,30.812c0,16.557 -13.443,30 -30,30l-56.467,-0l-102.271,-102.271c8.125,7.368 17.707,13.707 28.945,17.933c20.672,7.788 47.014,8.525 80.222,-4.85l0.184,0.941c0.164,1.054 1.433,2.17 3.152,1.494l5.516,-2.149c1.893,-0.716 1.904,-2.169 1.627,-3.111l7.103,-2.773c0.798,-0.307 3.274,-2.221 1.146,-5.23l-0.021,0l-4.37,-6.672c-0.655,-0.727 -1.668,-1.003 -2.558,-0.645l-5.608,2.16c-0.665,-0.737 -1.627,-1.013 -2.569,-0.645c-1.832,0.716 -3.674,1.443 -5.505,2.159c-0.594,0.225 -0.758,0.665 -0.645,1.239l0.358,1.749c-10.336,1.116 -27.805,0.563 -43.452,-11.727c-6.918,-5.424 -13.406,-13.099 -18.82,-23.835l-50.354,25.662l-7.947,-6.453c18.154,-9.251 36.319,-18.502 54.474,-27.754c-1.177,-3.049 -2.323,-6.355 -6.243,-21.143l-58.849,26.336l-7.097,-7.096l64.186,-28.726c-0.921,-8.328 -3.437,-32.242 -3.336,-43.002l-0,-0.01c-0.016,-1.137 -0.111,-1.697 -0.51,-2.103l159.709,159.71Zm-233.137,-111.262c0.763,0.699 2.048,0.814 3.356,0.238l0.45,-0.194c0.387,1.622 0.824,3.325 1.309,5.071l-5.115,-5.115Z" style="fill:#3b808b;"/>
+            <g id="Icon">
+                <path d="M140.801,81.591c-0.021,-1.494 -0.174,-1.996 -0.972,-2.456c-0.758,-0.502 -1.904,-0.512 -2.999,-0.031l-73.683,31.551c-1.095,0.481 -2.128,1.443 -2.681,2.486c-0.552,1.044 -0.614,2.149 -0.184,2.937l6.151,11.298l0.081,0.133c0.666,1.055 2.17,1.331 3.705,0.655l0.45,-0.194c1.924,8.064 5.076,18.155 9.282,25.349l64.186,-28.726c-0.921,-8.33 -3.439,-32.257 -3.336,-43.012l-0,0.01Z" style="fill:#fff;fill-rule:nonzero;"/>
+                <path d="M145.897,134.079l-61.811,27.662c3.633,6.887 8.115,14.194 13.58,21.235c18.154,-9.251 36.319,-18.502 54.474,-27.754c-1.177,-3.049 -2.323,-6.355 -6.243,-21.143Z" style="fill:#fff;fill-rule:nonzero;"/>
+                <path d="M239.136,199.984l-4.37,-6.672c-0.655,-0.727 -1.668,-1.003 -2.558,-0.645l-5.608,2.16c-0.665,-0.737 -1.627,-1.013 -2.569,-0.645c-1.832,0.716 -3.674,1.443 -5.505,2.159c-0.594,0.225 -0.758,0.665 -0.645,1.239l0.358,1.749c-10.336,1.116 -27.805,0.563 -43.452,-11.727c-6.918,-5.424 -13.406,-13.099 -18.82,-23.835l-52.11,26.557c9.528,10.469 21.491,19.751 36.35,25.338c20.672,7.788 47.014,8.525 80.222,-4.85l0.184,0.941c0.164,1.054 1.433,2.17 3.152,1.494l5.516,-2.149c1.893,-0.716 1.904,-2.169 1.627,-3.111l7.103,-2.773c0.798,-0.307 3.274,-2.221 1.146,-5.23l-0.021,0Z" style="fill:#fff;fill-rule:nonzero;"/>
+            </g>
+        </g>
+    </g>
+    <defs>
+        <linearGradient id="_Linear1" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(1.83697e-14,300,-300,1.83697e-14,160.554,0)"><stop offset="0" style="stop-color:#bdddeb;stop-opacity:1"/><stop offset="1" style="stop-color:#53a9d1;stop-opacity:1"/></linearGradient>
+    </defs>
+</svg>

docs/api.rst

@@ -31,17 +31,15 @@ Incoming Request Data
     :inherited-members:
     :exclude-members: json_module
 
-.. attribute:: request
+.. data:: request
 
-   To access incoming request data, you can use the global `request`
-   object. Flask parses incoming request data for you and gives you
-   access to it through that global object. Internally Flask makes
-   sure that you always get the correct data for the active thread if you
-   are in a multithreaded environment.
+    A proxy to the request data for the current request, an instance of
+    :class:`.Request`.
 
-   This is a proxy. See :ref:`notes-on-proxies` for more information.
+    This is only available when a :doc:`request context </appcontext>` is
+    active.
 
-   The request object is an instance of a :class:`~flask.Request`.
+    This is a proxy. See :ref:`context-visibility` for more information.
 
 
 Response Objects
@@ -62,40 +60,33 @@ does this is by using a signed cookie. The user can look at the session
 contents, but can't modify it unless they know the secret key, so make sure to
 set that to something complex and unguessable.
 
-To access the current session you can use the :class:`session` object:
+To access the current session you can use the :data:`.session` proxy.
 
-.. class:: session
+.. data:: session
 
-   The session object works pretty much like an ordinary dict, with the
-   difference that it keeps track of modifications.
+    A proxy to the session data for the current request, an instance of
+    :class:`.SessionMixin`.
 
-   This is a proxy. See :ref:`notes-on-proxies` for more information.
+    This is only available when a :doc:`request context </appcontext>` is
+    active.
 
-   The following attributes are interesting:
+    This is a proxy. See :ref:`context-visibility` for more information.
 
-   .. attribute:: new
+    The session object works like a dict but tracks assignment and access to its
+    keys. It cannot track modifications to mutable values, you need to set
+    :attr:`~.SessionMixin.modified` manually when modifying a list, dict, etc.
 
-      ``True`` if the session is new, ``False`` otherwise.
+    .. code-block:: python
 
-   .. attribute:: modified
-
-      ``True`` if the session object detected a modification. Be advised
-      that modifications on mutable structures are not picked up
-      automatically, in that situation you have to explicitly set the
-      attribute to ``True`` yourself. Here an example::
-
-          # this change is not picked up because a mutable object (here
-          # a list) is changed.
-          session['objects'].append(42)
+          # appending to a list is not detected
+          session["numbers"].append(42)
           # so mark it as modified yourself
           session.modified = True
 
-   .. attribute:: permanent
-
-      If set to ``True`` the session lives for
-      :attr:`~flask.Flask.permanent_session_lifetime` seconds. The
-      default is 31 days. If set to ``False`` (which is the default) the
-      session will be deleted when the user closes the browser.
+    The session is persisted across requests using a cookie. By default the
+    users's browser will clear the cookie when it is closed. Set
+    :attr:`~.SessionMixin.permanent` to ``True`` to persist the cookie for
+    :data:`PERMANENT_SESSION_LIFETIME`.
 
 
 Session Interface
@@ -158,20 +149,21 @@ another, a global variable is not good enough because it would break in
 threaded environments. Flask provides you with a special object that
 ensures it is only valid for the active request and that will return
 different values for each request. In a nutshell: it does the right
-thing, like it does for :class:`request` and :class:`session`.
+thing, like it does for :data:`.request` and :data:`.session`.
 
 .. data:: g
 
-    A namespace object that can store data during an
-    :doc:`application context </appcontext>`. This is an instance of
-    :attr:`Flask.app_ctx_globals_class`, which defaults to
-    :class:`ctx._AppCtxGlobals`.
+    A proxy to a namespace object used to store data during a single request or
+    app context. An instance of :attr:`.Flask.app_ctx_globals_class`, which
+    defaults to :class:`._AppCtxGlobals`.
 
-    This is a good place to store resources during a request. For
-    example, a ``before_request`` function could load a user object from
-    a session id, then set ``g.user`` to be used in the view function.
+    This is a good place to store resources during a request. For example, a
+    :meth:`~.Flask.before_request` function could load a user object from a
+    session id, then set ``g.user`` to be used in the view function.
 
-    This is a proxy. See :ref:`notes-on-proxies` for more information.
+    This is only available when an :doc:`app context </appcontext>` is active.
+
+    This is a proxy. See :ref:`context-visibility` for more information.
 
     .. versionchanged:: 0.10
         Bound to the application context instead of the request context.
@@ -185,17 +177,16 @@ Useful Functions and Classes
 
 .. data:: current_app
 
-    A proxy to the application handling the current request. This is
-    useful to access the application without needing to import it, or if
-    it can't be imported, such as when using the application factory
-    pattern or in blueprints and extensions.
+    A proxy to the :class:`.Flask` application handling the current request or
+    other activity.
 
-    This is only available when an
-    :doc:`application context </appcontext>` is pushed. This happens
-    automatically during requests and CLI commands. It can be controlled
-    manually with :meth:`~flask.Flask.app_context`.
+    This is useful to access the application without needing to import it, or if
+    it can't be imported, such as when using the application factory pattern or
+    in blueprints and extensions.
 
-    This is a proxy. See :ref:`notes-on-proxies` for more information.
+    This is only available when an :doc:`app context </appcontext>` is active.
+
+    This is a proxy. See :ref:`context-visibility` for more information.
 
 .. autofunction:: has_request_context
 
@@ -299,31 +290,31 @@ Stream Helpers
 Useful Internals
 ----------------
 
-.. autoclass:: flask.ctx.RequestContext
-   :members:
-
-.. data:: flask.globals.request_ctx
-
-    The current :class:`~flask.ctx.RequestContext`. If a request context
-    is not active, accessing attributes on this proxy will raise a
-    ``RuntimeError``.
-
-    This is an internal object that is essential to how Flask handles
-    requests. Accessing this should not be needed in most cases. Most
-    likely you want :data:`request` and :data:`session` instead.
-
 .. autoclass:: flask.ctx.AppContext
    :members:
 
 .. data:: flask.globals.app_ctx
 
-    The current :class:`~flask.ctx.AppContext`. If an app context is not
-    active, accessing attributes on this proxy will raise a
-    ``RuntimeError``.
+    A proxy to the active :class:`.AppContext`.
 
-    This is an internal object that is essential to how Flask handles
-    requests. Accessing this should not be needed in most cases. Most
-    likely you want :data:`current_app` and :data:`g` instead.
+    This is an internal object that is essential to how Flask handles requests.
+    Accessing this should not be needed in most cases. Most likely you want
+    :data:`.current_app`, :data:`.g`, :data:`.request`, and :data:`.session` instead.
+
+    This is only available when a :doc:`request context </appcontext>` is
+    active.
+
+    This is a proxy. See :ref:`context-visibility` for more information.
+
+.. class:: flask.ctx.RequestContext
+
+    .. deprecated:: 3.2
+        Merged with :class:`AppContext`. This alias will be removed in Flask 4.0.
+
+.. data:: flask.globals.request_ctx
+
+    .. deprecated:: 3.2
+        Merged with :data:`.app_ctx`. This alias will be removed in Flask 4.0.
 
 .. autoclass:: flask.blueprints.BlueprintSetupState
    :members:

docs/appcontext.rst

@@ -1,74 +1,63 @@
-.. currentmodule:: flask
+The App and Request Context
+===========================
 
-The Application Context
-=======================
+The context keeps track of data and objects during a request, CLI command, or
+other activity. Rather than passing this data around to every function, the
+:data:`.current_app`, :data:`.g`, :data:`.request`, and :data:`.session` proxies
+are accessed instead.
 
-The application context keeps track of the application-level data during
-a request, CLI command, or other activity. Rather than passing the
-application around to each function, the :data:`current_app` and
-:data:`g` proxies are accessed instead.
+When handling a request, the context is referred to as the "request context"
+because it contains request data in addition to application data. Otherwise,
+such as during a CLI command, it is referred to as the "app context". During an
+app context, :data:`.current_app` and :data:`.g` are available, while during a
+request context :data:`.request` and :data:`.session` are also available.
 
-This is similar to :doc:`/reqcontext`, which keeps track of
-request-level data during a request. A corresponding application context
-is pushed when a request context is pushed.
 
 Purpose of the Context
 ----------------------
 
-The :class:`Flask` application object has attributes, such as
-:attr:`~Flask.config`, that are useful to access within views and
-:doc:`CLI commands </cli>`. However, importing the ``app`` instance
-within the modules in your project is prone to circular import issues.
-When using the :doc:`app factory pattern </patterns/appfactories>` or
-writing reusable :doc:`blueprints </blueprints>` or
-:doc:`extensions </extensions>` there won't be an ``app`` instance to
-import at all.
+The context and proxies help solve two development issues: circular imports, and
+passing around global data during a request.
 
-Flask solves this issue with the *application context*. Rather than
-referring to an ``app`` directly, you use the :data:`current_app`
-proxy, which points to the application handling the current activity.
+The :class:`.Flask` application object has attributes, such as
+:attr:`~.Flask.config`, that are useful to access within views and other
+functions. However, importing the ``app`` instance within the modules in your
+project is prone to circular import issues. When using the
+:doc:`app factory pattern </patterns/appfactories>` or writing reusable
+:doc:`blueprints </blueprints>` or :doc:`extensions </extensions>` there won't
+be an ``app`` instance to import at all.
 
-Flask automatically *pushes* an application context when handling a
-request. View functions, error handlers, and other functions that run
-during a request will have access to :data:`current_app`.
+When the application handles a request, it creates a :class:`.Request` object.
+Because a *worker* handles only one request at a time, the request data can be
+considered global to that worker during that request. Passing it as an argument
+through every function during the request becomes verbose and redundant.
 
-Flask will also automatically push an app context when running CLI
-commands registered with :attr:`Flask.cli` using ``@app.cli.command()``.
+Flask solves these issues with the *active context* pattern. Rather than
+importing an ``app`` directly, or having to pass it and the request through to
+every single function, you import and access the proxies, which point to the
+currently active application and request data. This is sometimes referred to
+as "context local" data.
 
 
-Lifetime of the Context
------------------------
+Context During Setup
+--------------------
 
-The application context is created and destroyed as necessary. When a
-Flask application begins handling a request, it pushes an application
-context and a :doc:`request context </reqcontext>`. When the request
-ends it pops the request context then the application context.
-Typically, an application context will have the same lifetime as a
-request.
-
-See :doc:`/reqcontext` for more information about how the contexts work
-and the full life cycle of a request.
-
-
-Manually Push a Context
------------------------
-
-If you try to access :data:`current_app`, or anything that uses it,
-outside an application context, you'll get this error message:
+If you try to access :data:`.current_app`, :data:`.g`, or anything that uses it,
+outside an app context, you'll get this error message:
 
 .. code-block:: pytb
 
     RuntimeError: Working outside of application context.
 
-    This typically means that you attempted to use functionality that
-    needed to interface with the current application object in some way.
-    To solve this, set up an application context with app.app_context().
+    Attempted to use functionality that expected a current application to be
+    set. To solve this, set up an app context using 'with app.app_context()'.
+    See the documentation on app context for more information.
 
 If you see that error while configuring your application, such as when
-initializing an extension, you can push a context manually since you
-have direct access to the ``app``. Use :meth:`~Flask.app_context` in a
-``with`` block, and everything that runs in the block will have access
-to :data:`current_app`. ::
+initializing an extension, you can push a context manually since you have direct
+access to the ``app``. Use :meth:`.Flask.app_context` in a ``with`` block.
+
+.. code-block:: python
 
     def create_app():
         app = Flask(__name__)
@@ -78,70 +67,120 @@ to :data:`current_app`. ::
 
         return app
 
-If you see that error somewhere else in your code not related to
-configuring the application, it most likely indicates that you should
-move that code into a view function or CLI command.
+If you see that error somewhere else in your code not related to setting up the
+application, it most likely indicates that you should move that code into a view
+function or CLI command.
 
 
-Storing Data
-------------
+Context During Testing
+----------------------
 
-The application context is a good place to store common data during a
-request or CLI command. Flask provides the :data:`g object <g>` for this
-purpose. It is a simple namespace object that has the same lifetime as
-an application context.
+See :doc:`/testing` for detailed information about managing the context during
+tests.
 
-.. note::
-    The ``g`` name stands for "global", but that is referring to the
-    data being global *within a context*. The data on ``g`` is lost
-    after the context ends, and it is not an appropriate place to store
-    data between requests. Use the :data:`session` or a database to
-    store data across requests.
+If you try to access :data:`.request`, :data:`.session`, or anything that uses
+it, outside a request context, you'll get this error message:
 
-A common use for :data:`g` is to manage resources during a request.
+.. code-block:: pytb
 
-1.  ``get_X()`` creates resource ``X`` if it does not exist, caching it
-    as ``g.X``.
-2.  ``teardown_X()`` closes or otherwise deallocates the resource if it
-    exists. It is registered as a :meth:`~Flask.teardown_appcontext`
-    handler.
+    RuntimeError: Working outside of request context.
 
-For example, you can manage a database connection using this pattern::
+    Attempted to use functionality that expected an active HTTP request. See the
+    documentation on request context for more information.
 
-    from flask import g
+This will probably only happen during tests. If you see that error somewhere
+else in your code not related to testing, it most likely indicates that you
+should move that code into a view function.
 
-    def get_db():
-        if 'db' not in g:
-            g.db = connect_to_database()
+The primary way to solve this is to use :meth:`.Flask.test_client` to simulate
+a full request.
 
-        return g.db
+If you only want to unit test one function, rather than a full request, use
+:meth:`.Flask.test_request_context` in a ``with`` block.
 
-    @app.teardown_appcontext
-    def teardown_db(exception):
-        db = g.pop('db', None)
+.. code-block:: python
 
-        if db is not None:
-            db.close()
+    def generate_report(year):
+        format = request.args.get("format")
+        ...
 
-During a request, every call to ``get_db()`` will return the same
-connection, and it will be closed automatically at the end of the
-request.
-
-You can use :class:`~werkzeug.local.LocalProxy` to make a new context
-local from ``get_db()``::
-
-    from werkzeug.local import LocalProxy
-    db = LocalProxy(get_db)
-
-Accessing ``db`` will call ``get_db`` internally, in the same way that
-:data:`current_app` works.
+    with app.test_request_context(
+        "/make_report/2017", query_string={"format": "short"}
+    ):
+        generate_report()
 
 
-Events and Signals
-------------------
+.. _context-visibility:
 
-The application will call functions registered with :meth:`~Flask.teardown_appcontext`
-when the application context is popped.
+Visibility of the Context
+-------------------------
 
-The following signals are sent: :data:`appcontext_pushed`,
-:data:`appcontext_tearing_down`, and :data:`appcontext_popped`.
+The context will have the same lifetime as an activity, such as a request, CLI
+command, or ``with`` block. Various callbacks and signals registered with the
+app will be run during the context.
+
+When a Flask application handles a request, it pushes a requet context
+to set the active application and request data. When it handles a CLI command,
+it pushes an app context to set the active application. When the activity ends,
+it pops that context. Proxy objects like :data:`.request`, :data:`.session`,
+:data:`.g`, and :data:`.current_app`, are accessible while the context is pushed
+and active, and are not accessible after the context is popped.
+
+The context is unique to each thread (or other worker type). The proxies cannot
+be passed to another worker, which has a different context space and will not
+know about the active context in the parent's space.
+
+Besides being scoped to each worker, the proxy object has a separate type and
+identity than the proxied real object. In some cases you'll need access to the
+real object, rather than the proxy. Use the
+:meth:`~.LocalProxy._get_current_object` method in those cases.
+
+.. code-block:: python
+
+    app = current_app._get_current_object()
+    my_signal.send(app)
+
+
+Lifcycle of the Context
+-----------------------
+
+Flask dispatches a request in multiple stages which can affect the request,
+response, and how errors are handled. See :doc:`/lifecycle` for a list of all
+the steps, callbacks, and signals during each request. The following are the
+steps directly related to the context.
+
+-   The app context is pushed, the proxies are available.
+-   The :data:`.appcontext_pushed` signal is sent.
+-   The request is dispatched.
+-   Any :meth:`.Flask.teardown_request` decorated functions are called.
+-   The :data:`.request_tearing_down` signal is sent.
+-   Any :meth:`.Flask.teardown_appcontext` decorated functions are called.
+-   The :data:`.appcontext_tearing_down` signal is sent.
+-   The app context is popped, the proxies are no longer available.
+-   The :data:`.appcontext_popped` signal is sent.
+
+The teardown callbacks are called by the context when it is popped. They are
+called even if there is an unhandled exception during dispatch. They may be
+called multiple times in some test scenarios. This means there is no guarantee
+that any other parts of the request dispatch have run. Be sure to write these
+functions in a way that does not depend on other callbacks and will not fail.
+
+
+How the Context Works
+---------------------
+
+Context locals are implemented using Python's :mod:`contextvars` and Werkzeug's
+:class:`~werkzeug.local.LocalProxy`. Python's contextvars are a low level
+structure to manage data local to a thread or coroutine. ``LocalProxy`` wraps
+the contextvar so that access to any attributes and methods is forwarded to the
+object stored in the contextvar.
+
+The context is tracked like a stack, with the active context at the top of the
+stack. Flask manages pushing and popping contexts during requests, CLI commands,
+testing, ``with`` blocks, etc. The proxies access attributes on the active
+context.
+
+Because it is a stack, other contexts may be pushed to change the proxies during
+an already active context. This is not a common pattern, but can be used in
+advanced use cases. For example, a Flask application can be used as WSGI
+middleware, calling another wrapped Flask app from a view.

docs/async-await.rst

@@ -23,12 +23,6 @@ method in views that inherit from the :class:`flask.views.View` class, as
 well as all the HTTP method handlers in views that inherit from the
 :class:`flask.views.MethodView` class.
 
-.. admonition:: Using ``async`` on Windows on Python 3.8
-
-    Python 3.8 has a bug related to asyncio on Windows. If you encounter
-    something like ``ValueError: set_wakeup_fd only works in main thread``,
-    please upgrade to Python 3.9.
-
 .. admonition:: Using ``async`` with greenlet
 
     When using gevent or eventlet to serve an application or patch the

docs/conf.py

@@ -11,16 +11,23 @@ release, version = get_version("Flask")
 
 # General --------------------------------------------------------------
 
-master_doc = "index"
+default_role = "code"
 extensions = [
     "sphinx.ext.autodoc",
+    "sphinx.ext.extlinks",
     "sphinx.ext.intersphinx",
     "sphinxcontrib.log_cabinet",
-    "pallets_sphinx_themes",
-    "sphinx_issues",
     "sphinx_tabs.tabs",
+    "pallets_sphinx_themes",
 ]
+autodoc_member_order = "bysource"
 autodoc_typehints = "description"
+autodoc_preserve_defaults = True
+extlinks = {
+    "issue": ("https://github.com/pallets/flask/issues/%s", "#%s"),
+    "pr": ("https://github.com/pallets/flask/pull/%s", "#%s"),
+    "ghsa": ("https://github.com/pallets/flask/security/advisories/GHSA-%s", "GHSA-%s"),
+}
 intersphinx_mapping = {
     "python": ("https://docs.python.org/3/", None),
     "werkzeug": ("https://werkzeug.palletsprojects.com/", None),
@@ -31,7 +38,6 @@ intersphinx_mapping = {
     "wtforms": ("https://wtforms.readthedocs.io/", None),
     "blinker": ("https://blinker.readthedocs.io/", None),
 }
-issues_github_path = "pallets/flask"
 
 # HTML -----------------------------------------------------------------
 
@@ -52,14 +58,13 @@ html_sidebars = {
 }
 singlehtml_sidebars = {"index": ["project.html", "localtoc.html", "ethicalads.html"]}
 html_static_path = ["_static"]
-html_favicon = "_static/shortcut-icon.png"
-html_logo = "_static/flask-vertical.png"
+html_favicon = "_static/flask-icon.svg"
+html_logo = "_static/flask-logo.svg"
 html_title = f"Flask Documentation ({version})"
 html_show_sourcelink = False
 
-# LaTeX ----------------------------------------------------------------
-
-latex_documents = [(master_doc, f"Flask-{version}.tex", html_title, author, "manual")]
+gettext_uuid = True
+gettext_compact = False
 
 # Local Extensions -----------------------------------------------------
 

docs/config.rst

@@ -125,6 +125,25 @@ The following configuration values are used internally by Flask:
 
     Default: ``None``
 
+.. py:data:: SECRET_KEY_FALLBACKS
+
+    A list of old secret keys that can still be used for unsigning. This allows
+    a project to implement key rotation without invalidating active sessions or
+    other recently-signed secrets.
+
+    Keys should be removed after an appropriate period of time, as checking each
+    additional key adds some overhead.
+
+    Order should not matter, but the default implementation will test the last
+    key in the list first, so it might make sense to order oldest to newest.
+
+    Flask's built-in secure cookie session supports this. Extensions that use
+    :data:`SECRET_KEY` may not support this yet.
+
+    Default: ``None``
+
+    .. versionadded:: 3.1
+
 .. py:data:: SESSION_COOKIE_NAME
 
     The name of the session cookie. Can be changed in case you already have a
@@ -142,6 +161,12 @@ The following configuration values are used internally by Flask:
 
     Default: ``None``
 
+    .. warning::
+        If this is changed after the browser created a cookie is created with
+        one setting, it may result in another being created. Browsers may send
+        send both in an undefined order. In that case, you may want to change
+        :data:`SESSION_COOKIE_NAME` as well or otherwise invalidate old sessions.
+
     .. versionchanged:: 2.3
         Not set by default, does not fall back to ``SERVER_NAME``.
 
@@ -167,6 +192,23 @@ The following configuration values are used internally by Flask:
 
     Default: ``False``
 
+.. py:data:: SESSION_COOKIE_PARTITIONED
+
+    Browsers will send cookies based on the top-level document's domain, rather
+    than only the domain of the document setting the cookie. This prevents third
+    party cookies set in iframes from "leaking" between separate sites.
+
+    Browsers are beginning to disallow non-partitioned third party cookies, so
+    you need to mark your cookies partitioned if you expect them to work in such
+    embedded situations.
+
+    Enabling this implicitly enables :data:`SESSION_COOKIE_SECURE` as well, as
+    it is only valid when served over HTTPS.
+
+    Default: ``False``
+
+    .. versionadded:: 3.1
+
 .. py:data:: SESSION_COOKIE_SAMESITE
 
     Restrict how cookies are sent with requests from external sites. Can
@@ -219,16 +261,40 @@ The following configuration values are used internally by Flask:
 
     Default: ``None``
 
-.. py:data:: SERVER_NAME
+.. py:data:: TRUSTED_HOSTS
 
-    Inform the application what host and port it is bound to. Required
-    for subdomain route matching support.
+    Validate :attr:`.Request.host` and other attributes that use it against
+    these trusted values. Raise a :exc:`~werkzeug.exceptions.SecurityError` if
+    the host is invalid, which results in a 400 error. If it is ``None``, all
+    hosts are valid. Each value is either an exact match, or can start with
+    a dot ``.`` to match any subdomain.
 
-    If set, ``url_for`` can generate external URLs with only an application
-    context instead of a request context.
+    Validation is done during routing against this value. ``before_request`` and
+    ``after_request`` callbacks will still be called.
 
     Default: ``None``
 
+    .. versionadded:: 3.1
+
+.. py:data:: SERVER_NAME
+
+    Inform the application what host and port it is bound to.
+
+    Must be set if ``subdomain_matching`` is enabled, to be able to extract the
+    subdomain from the request.
+
+    Must be set for ``url_for`` to generate external URLs outside of a
+    request context.
+
+    Default: ``None``
+
+    .. versionchanged:: 3.1
+        Does not restrict requests to only this domain, for both
+        ``subdomain_matching`` and ``host_matching``.
+
+    .. versionchanged:: 1.0
+        Does not implicitly enable ``subdomain_matching``.
+
     .. versionchanged:: 2.3
         Does not affect ``SESSION_COOKIE_DOMAIN``.
 
@@ -253,12 +319,54 @@ The following configuration values are used internally by Flask:
 
 .. py:data:: MAX_CONTENT_LENGTH
 
-    Don't read more than this many bytes from the incoming request data. If not
-    set and the request does not specify a ``CONTENT_LENGTH``, no data will be
-    read for security.
+    The maximum number of bytes that will be read during this request. If
+    this limit is exceeded, a 413 :exc:`~werkzeug.exceptions.RequestEntityTooLarge`
+    error is raised. If it is set to ``None``, no limit is enforced at the
+    Flask application level. However, if it is ``None`` and the request has no
+    ``Content-Length`` header and the WSGI server does not indicate that it
+    terminates the stream, then no data is read to avoid an infinite stream.
+
+    Each request defaults to this config. It can be set on a specific
+    :attr:`.Request.max_content_length` to apply the limit to that specific
+    view. This should be set appropriately based on an application's or view's
+    specific needs.
 
     Default: ``None``
 
+    .. versionadded:: 0.6
+
+.. py:data:: MAX_FORM_MEMORY_SIZE
+
+    The maximum size in bytes any non-file form field may be in a
+    ``multipart/form-data`` body. If this limit is exceeded, a 413
+    :exc:`~werkzeug.exceptions.RequestEntityTooLarge` error is raised. If it is
+    set to ``None``, no limit is enforced at the Flask application level.
+
+    Each request defaults to this config. It can be set on a specific
+    :attr:`.Request.max_form_memory_parts` to apply the limit to that specific
+    view. This should be set appropriately based on an application's or view's
+    specific needs.
+
+    Default: ``500_000``
+
+    .. versionadded:: 3.1
+
+.. py:data:: MAX_FORM_PARTS
+
+    The maximum number of fields that may be present in a
+    ``multipart/form-data`` body. If this limit is exceeded, a 413
+    :exc:`~werkzeug.exceptions.RequestEntityTooLarge` error is raised. If it
+    is set to ``None``, no limit is enforced at the Flask application level.
+
+    Each request defaults to this config. It can be set on a specific
+    :attr:`.Request.max_form_parts` to apply the limit to that specific view.
+    This should be set appropriately based on an application's or view's
+    specific needs.
+
+    Default: ``1_000``
+
+    .. versionadded:: 3.1
+
 .. py:data:: TEMPLATES_AUTO_RELOAD
 
     Reload templates when they are changed. If not set, it will be enabled in
@@ -280,6 +388,12 @@ The following configuration values are used internally by Flask:
     ``4093``. Larger cookies may be silently ignored by browsers. Set to
     ``0`` to disable the warning.
 
+.. py:data:: PROVIDE_AUTOMATIC_OPTIONS
+
+    Set to ``False`` to disable the automatic addition of OPTIONS
+    responses. This can be overridden per route by altering the
+    ``provide_automatic_options`` attribute.
+
 .. versionadded:: 0.4
    ``LOGGER_NAME``
 
@@ -331,6 +445,10 @@ The following configuration values are used internally by Flask:
 .. versionchanged:: 2.3
     ``ENV`` was removed.
 
+.. versionadded:: 3.10
+    Added :data:`PROVIDE_AUTOMATIC_OPTIONS` to control the default
+    addition of autogenerated OPTIONS responses.
+
 
 Configuring from Python Files
 -----------------------------

docs/contributing.rst

@@ -1 +1,8 @@
-.. include:: ../CONTRIBUTING.rst
+Contributing
+============
+
+See the Pallets `detailed contributing documentation <contrib_>`_ for many ways
+to contribute, including reporting issues, requesting features, asking or
+answering questions, and making PRs.
+
+.. _contrib: https://palletsprojects.com/contributing/

docs/deploying/asgi.rst

@@ -20,7 +20,7 @@ wrapping the Flask app,
     asgi_app = WsgiToAsgi(app)
 
 and then serving the ``asgi_app`` with the ASGI server, e.g. using
-`Hypercorn <https://gitlab.com/pgjones/hypercorn>`_,
+`Hypercorn <https://github.com/pgjones/hypercorn>`_,
 
 .. sourcecode:: text
 

docs/deploying/waitress.rst

@@ -68,7 +68,7 @@ reverse proxy such as :doc:`nginx` or :doc:`apache-httpd` should be used
 in front of Waitress.
 
 You can bind to all external IPs on a non-privileged port by not
-specifying the ``--host`` option. Don't do this when using a revers
+specifying the ``--host`` option. Don't do this when using a reverse
 proxy setup, otherwise it will be possible to bypass the proxy.
 
 ``0.0.0.0`` is not a valid address to navigate to, you'd use a specific

docs/design.rst

@@ -96,10 +96,10 @@ is ambiguous.
 One Template Engine
 -------------------
 
-Flask decides on one template engine: Jinja2.  Why doesn't Flask have a
+Flask decides on one template engine: Jinja.  Why doesn't Flask have a
 pluggable template engine interface?  You can obviously use a different
-template engine, but Flask will still configure Jinja2 for you.  While
-that limitation that Jinja2 is *always* configured will probably go away,
+template engine, but Flask will still configure Jinja for you.  While
+that limitation that Jinja is *always* configured will probably go away,
 the decision to bundle one template engine and use that will not.
 
 Template engines are like programming languages and each of those engines
@@ -107,7 +107,7 @@ has a certain understanding about how things work.  On the surface they
 all work the same: you tell the engine to evaluate a template with a set
 of variables and take the return value as string.
 
-But that's about where similarities end. Jinja2 for example has an
+But that's about where similarities end. Jinja for example has an
 extensive filter system, a certain way to do template inheritance,
 support for reusable blocks (macros) that can be used from inside
 templates and also from Python code, supports iterative template
@@ -118,8 +118,8 @@ other hand treats templates similar to Python modules.
 
 When it comes to connecting a template engine with an application or
 framework there is more than just rendering templates.  For instance,
-Flask uses Jinja2's extensive autoescaping support.  Also it provides
-ways to access macros from Jinja2 templates.
+Flask uses Jinja's extensive autoescaping support.  Also it provides
+ways to access macros from Jinja templates.
 
 A template abstraction layer that would not take the unique features of
 the template engines away is a science on its own and a too large
@@ -150,7 +150,7 @@ authentication technologies, and more. Flask may be "micro", but it's ready for
 production use on a variety of needs.
 
 Why does Flask call itself a microframework and yet it depends on two
-libraries (namely Werkzeug and Jinja2).  Why shouldn't it?  If we look
+libraries (namely Werkzeug and Jinja).  Why shouldn't it?  If we look
 over to the Ruby side of web development there we have a protocol very
 similar to WSGI.  Just that it's called Rack there, but besides that it
 looks very much like a WSGI rendition for Ruby.  But nearly all
@@ -169,19 +169,20 @@ infrastructure, packages with dependencies are no longer an issue and
 there are very few reasons against having libraries that depend on others.
 
 
-Thread Locals
--------------
+Context Locals
+--------------
 
-Flask uses thread local objects (context local objects in fact, they
-support greenlet contexts as well) for request, session and an extra
-object you can put your own things on (:data:`~flask.g`).  Why is that and
-isn't that a bad idea?
+Flask uses special context locals and proxies to provide access to the
+current app and request data to any code running during a request, CLI command,
+etc. Context locals are specific to the worker handling the activity, such as a
+thread, process, coroutine, or greenlet.
 
-Yes it is usually not such a bright idea to use thread locals.  They cause
-troubles for servers that are not based on the concept of threads and make
-large applications harder to maintain.  However Flask is just not designed
-for large applications or asynchronous servers.  Flask wants to make it
-quick and easy to write a traditional web application.
+The context and proxies help solve two development issues: circular imports, and
+passing around global data. :data:`.current_app: can be used to access the
+application object without needing to import the app object directly, avoiding
+circular import issues. :data:`.request`, :data:`.session`, and :data`.g` can be
+imported to access the current data for the request, rather than needing to
+pass them as arguments through every single function in your project.
 
 
 Async/await and ASGI support
@@ -208,7 +209,7 @@ What Flask is, What Flask is Not
 
 Flask will never have a database layer.  It will not have a form library
 or anything else in that direction.  Flask itself just bridges to Werkzeug
-to implement a proper WSGI application and to Jinja2 to handle templating.
+to implement a proper WSGI application and to Jinja to handle templating.
 It also binds to a few common standard library packages such as logging.
 Everything else is up for extensions.
 

docs/extensiondev.rst

@@ -67,7 +67,7 @@ application instance.
 It is important that the app is not stored on the extension, don't do
 ``self.app = app``. The only time the extension should have direct
 access to an app is during ``init_app``, otherwise it should use
-:data:`current_app`.
+:data:`.current_app`.
 
 This allows the extension to support the application factory pattern,
 avoids circular import issues when importing the extension instance
@@ -105,7 +105,7 @@ during an extension's ``init_app`` method.
 A common pattern is to use :meth:`~Flask.before_request` to initialize
 some data or a connection at the beginning of each request, then
 :meth:`~Flask.teardown_request` to clean it up at the end. This can be
-stored on :data:`g`, discussed more below.
+stored on :data:`.g`, discussed more below.
 
 A more lazy approach is to provide a method that initializes and caches
 the data or connection. For example, a ``ext.get_db`` method could
@@ -179,13 +179,12 @@ name as a prefix, or as a namespace.
     g._hello = SimpleNamespace()
     g._hello.user_id = 2
 
-The data in ``g`` lasts for an application context. An application
-context is active when a request context is, or when a CLI command is
-run. If you're storing something that should be closed, use
-:meth:`~flask.Flask.teardown_appcontext` to ensure that it gets closed
-when the application context ends. If it should only be valid during a
-request, or would not be used in the CLI outside a request, use
-:meth:`~flask.Flask.teardown_request`.
+The data in ``g`` lasts for an application context. An application context is
+active during a request, CLI command, or ``with app.app_context()`` block. If
+you're storing something that should be closed, use
+:meth:`~flask.Flask.teardown_appcontext` to ensure that it gets closed when the
+app context ends. If it should only be valid during a request, or would not be
+used in the CLI outside a request, use :meth:`~flask.Flask.teardown_request`.
 
 
 Views and Models
@@ -294,10 +293,13 @@ ecosystem remain consistent and compatible.
     indicate minimum compatibility support. For example,
     ``sqlalchemy>=1.4``.
 9.  Indicate the versions of Python supported using ``python_requires=">=version"``.
-    Flask itself supports Python >=3.8 as of April 2023, but this will update over time.
+    Flask and Pallets policy is to support all Python versions that are not
+    within six months of end of life (EOL). See Python's `EOL calendar`_ for
+    timing.
 
 .. _PyPI: https://pypi.org/search/?c=Framework+%3A%3A+Flask
 .. _Discord Chat: https://discord.gg/pallets
 .. _GitHub Discussions: https://github.com/pallets/flask/discussions
 .. _Official Pallets Themes: https://pypi.org/project/Pallets-Sphinx-Themes/
 .. _Pallets-Eco: https://github.com/pallets-eco
+.. _EOL calendar: https://devguide.python.org/versions/

docs/index.rst

@@ -3,10 +3,15 @@
 Welcome to Flask
 ================
 
-.. image:: _static/flask-horizontal.png
+.. image:: _static/flask-name.svg
     :align: center
+    :height: 200px
 
-Welcome to Flask's documentation. Get started with :doc:`installation`
+Welcome to Flask's documentation. Flask is a lightweight WSGI web application framework.
+It is designed to make getting started quick and easy, with the ability to scale up to
+complex applications.
+
+Get started with :doc:`installation`
 and then get an overview with the :doc:`quickstart`. There is also a
 more detailed :doc:`tutorial/index` that shows how to create a small but
 complete application with Flask. Common patterns are described in the
@@ -47,14 +52,13 @@ community-maintained extensions to add even more functionality.
    views
    lifecycle
    appcontext
-   reqcontext
    blueprints
    extensions
    cli
    server
    shell
    patterns/index
-   security
+   web-security
    deploying/index
    async-await
 

docs/installation.rst

@@ -5,7 +5,7 @@ Installation
 Python Version
 --------------
 
-We recommend using the latest version of Python. Flask supports Python 3.8 and newer.
+We recommend using the latest version of Python. Flask supports Python 3.10 and newer.
 
 
 Dependencies

docs/license.rst

@@ -1,4 +1,5 @@
 BSD-3-Clause License
 ====================
 
-.. include:: ../LICENSE.rst
+.. literalinclude:: ../LICENSE.txt
+    :language: text

docs/lifecycle.rst

@@ -117,15 +117,12 @@ the view function, and pass the return value back to the server. But there are m
 parts that you can use to customize its behavior.
 
 #.  WSGI server calls the Flask object, which calls :meth:`.Flask.wsgi_app`.
-#.  A :class:`.RequestContext` object is created. This converts the WSGI ``environ``
-    dict into a :class:`.Request` object. It also creates an :class:`AppContext` object.
-#.  The :doc:`app context <appcontext>` is pushed, which makes :data:`.current_app` and
-    :data:`.g` available.
+#.  An :class:`.AppContext` object is created. This converts the WSGI ``environ``
+    dict into a :class:`.Request` object.
+#.  The :doc:`app context <appcontext>` is pushed, which makes
+    :data:`.current_app`, :data:`.g`, :data:`.request`, and :data:`.session`
+    available.
 #.  The :data:`.appcontext_pushed` signal is sent.
-#.  The :doc:`request context <reqcontext>` is pushed, which makes :attr:`.request` and
-    :class:`.session` available.
-#.  The session is opened, loading any existing session data using the app's
-    :attr:`~.Flask.session_interface`, an instance of :class:`.SessionInterface`.
 #.  The URL is matched against the URL rules registered with the :meth:`~.Flask.route`
     decorator during application setup. If there is no match, the error - usually a 404,
     405, or redirect - is stored to be handled later.
@@ -141,7 +138,8 @@ parts that you can use to customize its behavior.
     called to handle the error and return a response.
 #.  Whatever returned a response value - a before request function, the view, or an
     error handler, that value is converted to a :class:`.Response` object.
-#.  Any :func:`~.after_this_request` decorated functions are called, then cleared.
+#.  Any :func:`~.after_this_request` decorated functions are called, which can modify
+    the response object. They are then cleared.
 #.  Any :meth:`~.Flask.after_request` decorated functions are called, which can modify
     the response object.
 #.  The session is saved, persisting any modified session data using the app's
@@ -154,14 +152,19 @@ parts that you can use to customize its behavior.
 #.  The response object's status, headers, and body are returned to the WSGI server.
 #.  Any :meth:`~.Flask.teardown_request` decorated functions are called.
 #.  The :data:`.request_tearing_down` signal is sent.
-#.  The request context is popped, :attr:`.request` and :class:`.session` are no longer
-    available.
 #.  Any :meth:`~.Flask.teardown_appcontext` decorated functions are called.
 #.  The :data:`.appcontext_tearing_down` signal is sent.
-#.  The app context is popped, :data:`.current_app` and :data:`.g` are no longer
-    available.
+#.  The app context is popped, :data:`.current_app`, :data:`.g`, :data:`.request`,
+    and :data:`.session` are no longer available.
 #.  The :data:`.appcontext_popped` signal is sent.
 
+When executing a CLI command or plain app context without request data, the same
+order of steps is followed, omitting the steps that refer to the request.
+
+A :class:`Blueprint` can add handlers for these events that are specific to the
+blueprint. The handlers for a blueprint will run if the blueprint
+owns the route that matches the request.
+
 There are even more decorators and customization points than this, but that aren't part
 of every request lifecycle. They're more specific to certain things you might use during
 a request, such as templates, building URLs, or handling JSON data. See the rest of this

docs/logging.rst

@@ -159,7 +159,7 @@ Depending on your project, it may be more useful to configure each logger you
 care about separately, instead of configuring only the root logger. ::
 
     for logger in (
-        app.logger,
+        logging.getLogger(app.name),
         logging.getLogger('sqlalchemy'),
         logging.getLogger('other_package'),
     ):

docs/patterns/appfactories.rst

@@ -99,9 +99,9 @@ to the factory like this:
 
 .. code-block:: text
 
-    $ flask --app hello:create_app(local_auth=True) run
+    $ flask --app 'hello:create_app(local_auth=True)' run
 
-Then the ``create_app`` factory in ``myapp`` is called with the keyword
+Then the ``create_app`` factory in ``hello`` is called with the keyword
 argument ``local_auth=True``. See :doc:`/cli` for more detail.
 
 Factory Improvements

docs/patterns/favicon.rst

@@ -24,8 +24,11 @@ the root path of the domain you either need to configure the web server to
 serve the icon at the root or if you can't do that you're out of luck. If
 however your application is the root you can simply route a redirect::
 
-    app.add_url_rule('/favicon.ico',
-                     redirect_to=url_for('static', filename='favicon.ico'))
+    app.add_url_rule(
+        "/favicon.ico",
+        endpoint="favicon",
+        redirect_to=url_for("static", filename="favicon.ico"),
+    )
 
 If you want to save the extra redirect request you can also write a view
 using :func:`~flask.send_from_directory`::

docs/patterns/mongoengine.rst

@@ -80,7 +80,7 @@ Queries
 Use the class ``objects`` attribute to make queries. A keyword argument
 looks for an equal value on the field. ::
 
-    bttf = Movies.objects(title="Back To The Future").get_or_404()
+    bttf = Movie.objects(title="Back To The Future").get_or_404()
 
 Query operators may be used by concatenating them with the field name
 using a double-underscore. ``objects``, and queries returned by

docs/patterns/sqlalchemy.rst

@@ -131,9 +131,8 @@ Here is an example :file:`database.py` module for your application::
     def init_db():
         metadata.create_all(bind=engine)
 
-As in the declarative approach, you need to close the session after
-each request or application context shutdown.  Put this into your
-application module::
+As in the declarative approach, you need to close the session after each app
+context. Put this into your application module::
 
     from yourapplication.database import db_session
 

docs/patterns/sqlite3.rst

@@ -1,9 +1,9 @@
 Using SQLite 3 with Flask
 =========================
 
-In Flask you can easily implement the opening of database connections on
-demand and closing them when the context dies (usually at the end of the
-request).
+You can implement a few functions to work with a SQLite connection during a
+request context. The connection is created the first time it's accessed,
+reused on subsequent access, until it is closed when the request context ends.
 
 Here is a simple example of how you can use SQLite 3 with Flask::
 

docs/patterns/streaming.rst

@@ -29,7 +29,7 @@ debug environments with profilers and other things you might have enabled.
 Streaming from Templates
 ------------------------
 
-The Jinja2 template engine supports rendering a template piece by
+The Jinja template engine supports rendering a template piece by
 piece, returning an iterator of strings. Flask provides the
 :func:`~flask.stream_template` and :func:`~flask.stream_template_string`
 functions to make this easier to use.
@@ -49,13 +49,13 @@ the template.
 Streaming with Context
 ----------------------
 
-The :data:`~flask.request` will not be active while the generator is
-running, because the view has already returned at that point. If you try
-to access ``request``, you'll get a ``RuntimeError``.
+The :data:`.request` proxy will not be active while the generator is
+running, because the app has already returned control to the WSGI server at that
+point. If you try to access ``request``, you'll get a ``RuntimeError``.
 
 If your generator function relies on data in ``request``, use the
-:func:`~flask.stream_with_context` wrapper. This will keep the request
-context active during the generator.
+:func:`.stream_with_context` wrapper. This will keep the request context active
+during the generator.
 
 .. code-block:: python
 

docs/patterns/wtforms.rst

@@ -99,7 +99,7 @@ WTForm's field function, which renders the field for us.  The keyword
 arguments will be inserted as HTML attributes.  So, for example, you can
 call ``render_field(form.username, class='username')`` to add a class to
 the input element.  Note that WTForms returns standard Python strings,
-so we have to tell Jinja2 that this data is already HTML-escaped with
+so we have to tell Jinja that this data is already HTML-escaped with
 the ``|safe`` filter.
 
 Here is the :file:`register.html` template for the function we used above, which

docs/quickstart.rst

@@ -139,18 +139,16 @@ how you're using untrusted data.
 
 .. code-block:: python
 
+    from flask import request
     from markupsafe import escape
 
-    @app.route("/<name>")
-    def hello(name):
+    @app.route("/hello")
+    def hello():
+        name = request.args.get("name", "Flask")
         return f"Hello, {escape(name)}!"
 
-If a user managed to submit the name ``<script>alert("bad")</script>``,
-escaping causes it to be rendered as text, rather than running the
-script in the user's browser.
-
-``<name>`` in the route captures a value from the URL and passes it to
-the view function. These variable rules are explained below.
+If a user submits ``/hello?name=<script>alert("bad")</script>``, escaping causes
+it to be rendered as text, rather than running the script in the user's browser.
 
 
 Routing
@@ -260,7 +258,7 @@ Why would you want to build URLs using the URL reversing function
 For example, here we use the :meth:`~flask.Flask.test_request_context` method
 to try out :func:`~flask.url_for`. :meth:`~flask.Flask.test_request_context`
 tells Flask to behave as though it's handling a request even while we use a
-Python shell. See :ref:`context-locals`.
+Python shell. See :doc:`/appcontext`.
 
 .. code-block:: python
 
@@ -354,7 +352,7 @@ Rendering Templates
 
 Generating HTML from within Python is not fun, and actually pretty
 cumbersome because you have to do the HTML escaping on your own to keep
-the application secure.  Because of that Flask configures the `Jinja2
+the application secure.  Because of that Flask configures the `Jinja
 <https://palletsprojects.com/p/jinja/>`_ template engine for you automatically.
 
 Templates can be used to generate any type of text file. For web applications, you'll
@@ -375,7 +373,7 @@ Here's a simple example of how to render a template::
     @app.route('/hello/')
     @app.route('/hello/<name>')
     def hello(name=None):
-        return render_template('hello.html', name=name)
+        return render_template('hello.html', person=name)
 
 Flask will look for templates in the :file:`templates` folder.  So if your
 application is a module, this folder is next to that module, if it's a
@@ -394,8 +392,8 @@ package it's actually inside your package:
         /templates
             /hello.html
 
-For templates you can use the full power of Jinja2 templates.  Head over
-to the official `Jinja2 Template Documentation
+For templates you can use the full power of Jinja templates.  Head over
+to the official `Jinja Template Documentation
 <https://jinja.palletsprojects.com/templates/>`_ for more information.
 
 Here is an example template:
@@ -404,8 +402,8 @@ Here is an example template:
 
     <!doctype html>
     <title>Hello from Flask</title>
-    {% if name %}
-      <h1>Hello {{ name }}!</h1>
+    {% if person %}
+      <h1>Hello {{ person }}!</h1>
     {% else %}
       <h1>Hello, World!</h1>
     {% endif %}
@@ -419,7 +417,7 @@ know how that works, see :doc:`patterns/templateinheritance`. Basically
 template inheritance makes it possible to keep certain elements on each
 page (like header, navigation and footer).
 
-Automatic escaping is enabled, so if ``name`` contains HTML it will be escaped
+Automatic escaping is enabled, so if ``person`` contains HTML it will be escaped
 automatically.  If you can trust a variable and you know that it will be
 safe HTML (for example because it came from a module that converts wiki
 markup to HTML) you can mark it as safe by using the
@@ -451,105 +449,58 @@ Here is a basic introduction to how the :class:`~markupsafe.Markup` class works:
 Accessing Request Data
 ----------------------
 
-For web applications it's crucial to react to the data a client sends to
-the server.  In Flask this information is provided by the global
-:class:`~flask.request` object.  If you have some experience with Python
-you might be wondering how that object can be global and how Flask
-manages to still be threadsafe.  The answer is context locals:
+For web applications it's crucial to react to the data a client sends to the
+server. In Flask this information is provided by the global :data:`.request`
+object, which is an instance of :class:`.Request`. This object has many
+attributes and methods to work with the incoming request data, but here is a
+broad overview. First it needs to be imported.
 
-
-.. _context-locals:
-
-Context Locals
-``````````````
-
-.. admonition:: Insider Information
-
-   If you want to understand how that works and how you can implement
-   tests with context locals, read this section, otherwise just skip it.
-
-Certain objects in Flask are global objects, but not of the usual kind.
-These objects are actually proxies to objects that are local to a specific
-context.  What a mouthful.  But that is actually quite easy to understand.
-
-Imagine the context being the handling thread.  A request comes in and the
-web server decides to spawn a new thread (or something else, the
-underlying object is capable of dealing with concurrency systems other
-than threads).  When Flask starts its internal request handling it
-figures out that the current thread is the active context and binds the
-current application and the WSGI environments to that context (thread).
-It does that in an intelligent way so that one application can invoke another
-application without breaking.
-
-So what does this mean to you?  Basically you can completely ignore that
-this is the case unless you are doing something like unit testing.  You
-will notice that code which depends on a request object will suddenly break
-because there is no request object.  The solution is creating a request
-object yourself and binding it to the context.  The easiest solution for
-unit testing is to use the :meth:`~flask.Flask.test_request_context`
-context manager.  In combination with the ``with`` statement it will bind a
-test request so that you can interact with it.  Here is an example::
+.. code-block:: python
 
     from flask import request
 
-    with app.test_request_context('/hello', method='POST'):
-        # now you can do something with the request until the
-        # end of the with block, such as basic assertions:
-        assert request.path == '/hello'
-        assert request.method == 'POST'
+If you have some experience with Python you might be wondering how that object
+can be global when Flask handles multiple requests at a time. The answer is
+that :data:`.request` is actually a proxy, pointing at whatever request is
+currently being handled by a given worker, which is managed interanlly by Flask
+and Python. See :doc:`/appcontext` for much more information.
 
-The other possibility is passing a whole WSGI environment to the
-:meth:`~flask.Flask.request_context` method::
+The current request method is available in the :attr:`~.Request.method`
+attribute. To access form data (data transmitted in a ``POST`` or ``PUT``
+request), use the :attr:`~flask.Request.form` attribute, which behaves like a
+dict.
 
-    with app.request_context(environ):
-        assert request.method == 'POST'
+.. code-block:: python
 
-The Request Object
-``````````````````
-
-The request object is documented in the API section and we will not cover
-it here in detail (see :class:`~flask.Request`). Here is a broad overview of
-some of the most common operations.  First of all you have to import it from
-the ``flask`` module::
-
-    from flask import request
-
-The current request method is available by using the
-:attr:`~flask.Request.method` attribute.  To access form data (data
-transmitted in a ``POST`` or ``PUT`` request) you can use the
-:attr:`~flask.Request.form` attribute.  Here is a full example of the two
-attributes mentioned above::
-
-    @app.route('/login', methods=['POST', 'GET'])
+    @app.route("/login", methods=["GET", "POST"])
     def login():
         error = None
-        if request.method == 'POST':
-            if valid_login(request.form['username'],
-                           request.form['password']):
-                return log_the_user_in(request.form['username'])
+
+        if request.method == "POST":
+            if valid_login(request.form["username"], request.form["password"]):
+                return store_login(request.form["username"])
             else:
-                error = 'Invalid username/password'
-        # the code below is executed if the request method
-        # was GET or the credentials were invalid
-        return render_template('login.html', error=error)
+                error = "Invalid username or password"
 
-What happens if the key does not exist in the ``form`` attribute?  In that
-case a special :exc:`KeyError` is raised.  You can catch it like a
-standard :exc:`KeyError` but if you don't do that, a HTTP 400 Bad Request
-error page is shown instead.  So for many situations you don't have to
-deal with that problem.
+        # Executed if the request method was GET or the credentials were invalid.
+        return render_template("login.html", error=error)
 
-To access parameters submitted in the URL (``?key=value``) you can use the
-:attr:`~flask.Request.args` attribute::
+If the key does not exist in ``form``, a special :exc:`KeyError` is raised. You
+can catch it like a normal ``KeyError``, otherwise it will return a HTTP 400
+Bad Request error page. You can also use the
+:meth:`~werkzeug.datastructures.MultiDict.get` method to get a default
+instead of an error.
+
+To access parameters submitted in the URL (``?key=value``), use the
+:attr:`~.Request.args` attribute. Key errors behave the same as ``form``,
+returning a 400 response if not caught.
+
+.. code-block:: python
 
     searchword = request.args.get('key', '')
 
-We recommend accessing URL parameters with `get` or by catching the
-:exc:`KeyError` because users might change the URL and presenting them a 400
-bad request page in that case is not user friendly.
-
-For a full list of methods and attributes of the request object, head over
-to the :class:`~flask.Request` documentation.
+For a full list of methods and attributes of the request object, see the
+:class:`~.Request` documentation.
 
 
 File Uploads

docs/reqcontext.rst

@@ -1,243 +1,6 @@
-.. currentmodule:: flask
+:orphan:
 
 The Request Context
 ===================
 
-The request context keeps track of the request-level data during a
-request. Rather than passing the request object to each function that
-runs during a request, the :data:`request` and :data:`session` proxies
-are accessed instead.
-
-This is similar to :doc:`/appcontext`, which keeps track of the
-application-level data independent of a request. A corresponding
-application context is pushed when a request context is pushed.
-
-
-Purpose of the Context
-----------------------
-
-When the :class:`Flask` application handles a request, it creates a
-:class:`Request` object based on the environment it received from the
-WSGI server. Because a *worker* (thread, process, or coroutine depending
-on the server) handles only one request at a time, the request data can
-be considered global to that worker during that request. Flask uses the
-term *context local* for this.
-
-Flask automatically *pushes* a request context when handling a request.
-View functions, error handlers, and other functions that run during a
-request will have access to the :data:`request` proxy, which points to
-the request object for the current request.
-
-
-Lifetime of the Context
------------------------
-
-When a Flask application begins handling a request, it pushes a request
-context, which also pushes an :doc:`app context </appcontext>`. When the
-request ends it pops the request context then the application context.
-
-The context is unique to each thread (or other worker type).
-:data:`request` cannot be passed to another thread, the other thread has
-a different context space and will not know about the request the parent
-thread was pointing to.
-
-Context locals are implemented using Python's :mod:`contextvars` and
-Werkzeug's :class:`~werkzeug.local.LocalProxy`. Python manages the
-lifetime of context vars automatically, and local proxy wraps that
-low-level interface to make the data easier to work with.
-
-
-Manually Push a Context
------------------------
-
-If you try to access :data:`request`, or anything that uses it, outside
-a request context, you'll get this error message:
-
-.. code-block:: pytb
-
-    RuntimeError: Working outside of request context.
-
-    This typically means that you attempted to use functionality that
-    needed an active HTTP request. Consult the documentation on testing
-    for information about how to avoid this problem.
-
-This should typically only happen when testing code that expects an
-active request. One option is to use the
-:meth:`test client <Flask.test_client>` to simulate a full request. Or
-you can use :meth:`~Flask.test_request_context` in a ``with`` block, and
-everything that runs in the block will have access to :data:`request`,
-populated with your test data. ::
-
-    def generate_report(year):
-        format = request.args.get("format")
-        ...
-
-    with app.test_request_context(
-        "/make_report/2017", query_string={"format": "short"}
-    ):
-        generate_report()
-
-If you see that error somewhere else in your code not related to
-testing, it most likely indicates that you should move that code into a
-view function.
-
-For information on how to use the request context from the interactive
-Python shell, see :doc:`/shell`.
-
-
-How the Context Works
----------------------
-
-The :meth:`Flask.wsgi_app` method is called to handle each request. It
-manages the contexts during the request. Internally, the request and
-application contexts work like stacks. When contexts are pushed, the
-proxies that depend on them are available and point at information from
-the top item.
-
-When the request starts, a :class:`~ctx.RequestContext` is created and
-pushed, which creates and pushes an :class:`~ctx.AppContext` first if
-a context for that application is not already the top context. While
-these contexts are pushed, the :data:`current_app`, :data:`g`,
-:data:`request`, and :data:`session` proxies are available to the
-original thread handling the request.
-
-Other contexts may be pushed to change the proxies during a request.
-While this is not a common pattern, it can be used in advanced
-applications to, for example, do internal redirects or chain different
-applications together.
-
-After the request is dispatched and a response is generated and sent,
-the request context is popped, which then pops the application context.
-Immediately before they are popped, the :meth:`~Flask.teardown_request`
-and :meth:`~Flask.teardown_appcontext` functions are executed. These
-execute even if an unhandled exception occurred during dispatch.
-
-
-.. _callbacks-and-errors:
-
-Callbacks and Errors
---------------------
-
-Flask dispatches a request in multiple stages which can affect the
-request, response, and how errors are handled. The contexts are active
-during all of these stages.
-
-A :class:`Blueprint` can add handlers for these events that are specific
-to the blueprint. The handlers for a blueprint will run if the blueprint
-owns the route that matches the request.
-
-#.  Before each request, :meth:`~Flask.before_request` functions are
-    called. If one of these functions return a value, the other
-    functions are skipped. The return value is treated as the response
-    and the view function is not called.
-
-#.  If the :meth:`~Flask.before_request` functions did not return a
-    response, the view function for the matched route is called and
-    returns a response.
-
-#.  The return value of the view is converted into an actual response
-    object and passed to the :meth:`~Flask.after_request`
-    functions. Each function returns a modified or new response object.
-
-#.  After the response is returned, the contexts are popped, which calls
-    the :meth:`~Flask.teardown_request` and
-    :meth:`~Flask.teardown_appcontext` functions. These functions are
-    called even if an unhandled exception was raised at any point above.
-
-If an exception is raised before the teardown functions, Flask tries to
-match it with an :meth:`~Flask.errorhandler` function to handle the
-exception and return a response. If no error handler is found, or the
-handler itself raises an exception, Flask returns a generic
-``500 Internal Server Error`` response. The teardown functions are still
-called, and are passed the exception object.
-
-If debug mode is enabled, unhandled exceptions are not converted to a
-``500`` response and instead are propagated to the WSGI server. This
-allows the development server to present the interactive debugger with
-the traceback.
-
-
-Teardown Callbacks
-~~~~~~~~~~~~~~~~~~
-
-The teardown callbacks are independent of the request dispatch, and are
-instead called by the contexts when they are popped. The functions are
-called even if there is an unhandled exception during dispatch, and for
-manually pushed contexts. This means there is no guarantee that any
-other parts of the request dispatch have run first. Be sure to write
-these functions in a way that does not depend on other callbacks and
-will not fail.
-
-During testing, it can be useful to defer popping the contexts after the
-request ends, so that their data can be accessed in the test function.
-Use the :meth:`~Flask.test_client` as a ``with`` block to preserve the
-contexts until the ``with`` block exits.
-
-.. code-block:: python
-
-    from flask import Flask, request
-
-    app = Flask(__name__)
-
-    @app.route('/')
-    def hello():
-        print('during view')
-        return 'Hello, World!'
-
-    @app.teardown_request
-    def show_teardown(exception):
-        print('after with block')
-
-    with app.test_request_context():
-        print('during with block')
-
-    # teardown functions are called after the context with block exits
-
-    with app.test_client() as client:
-        client.get('/')
-        # the contexts are not popped even though the request ended
-        print(request.path)
-
-    # the contexts are popped and teardown functions are called after
-    # the client with block exits
-
-Signals
-~~~~~~~
-
-The following signals are sent:
-
-#.  :data:`request_started` is sent before the :meth:`~Flask.before_request` functions
-    are called.
-#.  :data:`request_finished` is sent after the :meth:`~Flask.after_request` functions
-    are called.
-#.  :data:`got_request_exception` is sent when an exception begins to be handled, but
-    before an :meth:`~Flask.errorhandler` is looked up or called.
-#.  :data:`request_tearing_down` is sent after the :meth:`~Flask.teardown_request`
-    functions are called.
-
-
-.. _notes-on-proxies:
-
-Notes On Proxies
-----------------
-
-Some of the objects provided by Flask are proxies to other objects. The
-proxies are accessed in the same way for each worker thread, but
-point to the unique object bound to each worker behind the scenes as
-described on this page.
-
-Most of the time you don't have to care about that, but there are some
-exceptions where it is good to know that this object is actually a proxy:
-
--   The proxy objects cannot fake their type as the actual object types.
-    If you want to perform instance checks, you have to do that on the
-    object being proxied.
--   The reference to the proxied object is needed in some situations,
-    such as sending :doc:`signals` or passing data to a background
-    thread.
-
-If you need to access the underlying object that is proxied, use the
-:meth:`~werkzeug.local.LocalProxy._get_current_object` method::
-
-    app = current_app._get_current_object()
-    my_signal.send(app)
+Obsolete, see :doc:`/appcontext` instead.

docs/server.rst

@@ -77,7 +77,7 @@ following example shows that process id 6847 is using port 5000.
 
 macOS Monterey and later automatically starts a service that uses port
 5000. You can choose to disable this service instead of using a different port by
-searching for "AirPlay Receiver" in System Preferences and toggling it off.
+searching for "AirPlay Receiver" in System Settings and toggling it off.
 
 
 Deferred Errors on Reload

docs/shell.rst

@@ -1,56 +1,37 @@
 Working with the Shell
 ======================
 
-.. versionadded:: 0.3
+One of the reasons everybody loves Python is the interactive shell. It allows
+you to play around with code in real time and immediately get results back.
+Flask provides the ``flask shell`` CLI command to start an interactive Python
+shell with some setup done to make working with the Flask app easier.
 
-One of the reasons everybody loves Python is the interactive shell.  It
-basically allows you to execute Python commands in real time and
-immediately get results back.  Flask itself does not come with an
-interactive shell, because it does not require any specific setup upfront,
-just import your application and start playing around.
+.. code-block:: text
 
-There are however some handy helpers to make playing around in the shell a
-more pleasant experience.  The main issue with interactive console
-sessions is that you're not triggering a request like a browser does which
-means that :data:`~flask.g`, :data:`~flask.request` and others are not
-available.  But the code you want to test might depend on them, so what
-can you do?
-
-This is where some helper functions come in handy.  Keep in mind however
-that these functions are not only there for interactive shell usage, but
-also for unit testing and other situations that require a faked request
-context.
-
-Generally it's recommended that you read :doc:`reqcontext` first.
-
-Command Line Interface
-----------------------
-
-Starting with Flask 0.11 the recommended way to work with the shell is the
-``flask shell`` command which does a lot of this automatically for you.
-For instance the shell is automatically initialized with a loaded
-application context.
-
-For more information see :doc:`/cli`.
+    $ flask shell
 
 Creating a Request Context
 --------------------------
 
+``flask shell`` pushes an app context automatically, so :data:`.current_app` and
+:data:`.g` are already available. However, there is no HTTP request being
+handled in the shell, so :data:`.request` and :data:`.session` are not yet
+available.
+
 The easiest way to create a proper request context from the shell is by
 using the :attr:`~flask.Flask.test_request_context` method which creates
 us a :class:`~flask.ctx.RequestContext`:
 
 >>> ctx = app.test_request_context()
 
-Normally you would use the ``with`` statement to make this request object
-active, but in the shell it's easier to use the
-:meth:`~flask.ctx.RequestContext.push` and
-:meth:`~flask.ctx.RequestContext.pop` methods by hand:
+Normally you would use the ``with`` statement to make this context active, but
+in the shell it's easier to call :meth:`~.RequestContext.push` and
+:meth:`~.RequestContext.pop` manually:
 
 >>> ctx.push()
 
-From that point onwards you can work with the request object until you
-call `pop`:
+From that point onwards you can work with the request object until you call
+``pop``:
 
 >>> ctx.pop()
 

docs/signals.rst

@@ -144,11 +144,10 @@ function, you can pass ``current_app._get_current_object()`` as sender.
 Signals and Flask's Request Context
 -----------------------------------
 
-Signals fully support :doc:`reqcontext` when receiving signals.
-Context-local variables are consistently available between
-:data:`~flask.request_started` and :data:`~flask.request_finished`, so you can
-rely on :class:`flask.g` and others as needed.  Note the limitations described
-in :ref:`signals-sending` and the :data:`~flask.request_tearing_down` signal.
+Context-local proxies are available between :data:`~flask.request_started` and
+:data:`~flask.request_finished`, so you can rely on :class:`flask.g` and others
+as needed. Note the limitations described in :ref:`signals-sending` and the
+:data:`~flask.request_tearing_down` signal.
 
 
 Decorator Based Signal Subscriptions

docs/templating.rst

@@ -1,21 +1,21 @@
 Templates
 =========
 
-Flask leverages Jinja2 as its template engine.  You are obviously free to use
-a different template engine, but you still have to install Jinja2 to run
+Flask leverages Jinja as its template engine.  You are obviously free to use
+a different template engine, but you still have to install Jinja to run
 Flask itself.  This requirement is necessary to enable rich extensions.
-An extension can depend on Jinja2 being present.
+An extension can depend on Jinja being present.
 
-This section only gives a very quick introduction into how Jinja2
+This section only gives a very quick introduction into how Jinja
 is integrated into Flask.  If you want information on the template
-engine's syntax itself, head over to the official `Jinja2 Template
+engine's syntax itself, head over to the official `Jinja Template
 Documentation <https://jinja.palletsprojects.com/templates/>`_ for
 more information.
 
 Jinja Setup
 -----------
 
-Unless customized, Jinja2 is configured by Flask as follows:
+Unless customized, Jinja is configured by Flask as follows:
 
 -   autoescaping is enabled for all templates ending in ``.html``,
     ``.htm``, ``.xml``, ``.xhtml``, as well as ``.svg`` when using
@@ -25,13 +25,13 @@ Unless customized, Jinja2 is configured by Flask as follows:
 -   a template has the ability to opt in/out autoescaping with the
     ``{% autoescape %}`` tag.
 -   Flask inserts a couple of global functions and helpers into the
-    Jinja2 context, additionally to the values that are present by
+    Jinja context, additionally to the values that are present by
     default.
 
 Standard Context
 ----------------
 
-The following global variables are available within Jinja2 templates
+The following global variables are available within Jinja templates
 by default:
 
 .. data:: config
@@ -137,32 +137,58 @@ using in this block.
 
 .. _registering-filters:
 
-Registering Filters
--------------------
+Registering Filters, Tests, and Globals
+---------------------------------------
 
-If you want to register your own filters in Jinja2 you have two ways to do
-that.  You can either put them by hand into the
-:attr:`~flask.Flask.jinja_env` of the application or use the
-:meth:`~flask.Flask.template_filter` decorator.
+The Flask app and blueprints provide decorators and methods to register your own
+filters, tests, and global functions for use in Jinja templates. They all follow
+the same pattern, so the following examples only discuss filters.
 
-The two following examples work the same and both reverse an object::
+Decorate a function with :meth:`~.Flask.template_filter` to register it as a
+template filter.
 
-    @app.template_filter('reverse')
-    def reverse_filter(s):
-        return s[::-1]
+.. code-block:: python
 
-    def reverse_filter(s):
-        return s[::-1]
-    app.jinja_env.filters['reverse'] = reverse_filter
+    @app.template_filter
+    def reverse(s):
+        return reversed(s)
 
-In case of the decorator the argument is optional if you want to use the
-function name as name of the filter.  Once registered, you can use the filter
-in your templates in the same way as Jinja2's builtin filters, for example if
-you have a Python list in context called `mylist`::
+.. code-block:: jinja
 
-    {% for x in mylist | reverse %}
+    {% for item in data | reverse %}
     {% endfor %}
 
+By default it will use the name of the function as the name of the filter, but
+that can be changed by passing a name to the decorator.
+
+.. code-block:: python
+
+    @app.template_filter("reverse")
+    def reverse_filter(s):
+        return reversed(s)
+
+A filter can be registered separately using :meth:`~.Flask.add_template_filter`.
+The name is optional and will use the function name if not given.
+
+.. code-block:: python
+
+    def reverse_filter(s):
+        return reversed(s)
+
+    app.add_template_filter(reverse_filter, "reverse")
+
+For template tests, use the :meth:`~.Flask.template_test` decorator or
+:meth:`~.Flask.add_template_test` method. For template global functions, use the
+:meth:`~.Flask.template_global` decorator or :meth:`~.Flask.add_template_global`
+method.
+
+The same methods also exist on :class:`.Blueprint`, prefixed with ``app_`` to
+indicate that the registered functions will be avaialble to all templates, not
+only when rendering from within the blueprint.
+
+The Jinja environment is also available as :attr:`~.Flask.jinja_env`. It may be
+modified directly, as you would when using Jinja outside Flask.
+
 
 Context Processors
 ------------------
@@ -211,7 +237,7 @@ strings. This can be used for streaming HTML in chunks to speed up
 initial page load, or to save memory when rendering a very large
 template.
 
-The Jinja2 template engine supports rendering a template piece
+The Jinja template engine supports rendering a template piece
 by piece, returning an iterator of strings. Flask provides the
 :func:`~flask.stream_template` and :func:`~flask.stream_template_string`
 functions to make this easier to use.

docs/testing.rst

@@ -192,7 +192,7 @@ which records the request that produced that response.
 .. code-block:: python
 
     def test_logout_redirect(client):
-        response = client.get("/logout")
+        response = client.get("/logout", follow_redirects=True)
         # Check that there was one redirect response.
         assert len(response.history) == 1
         # Check that the second request was to the index page.
@@ -275,11 +275,10 @@ command from the command line.
 Tests that depend on an Active Context
 --------------------------------------
 
-You may have functions that are called from views or commands, that
-expect an active :doc:`application context </appcontext>` or
-:doc:`request context  </reqcontext>` because they access ``request``,
-``session``, or ``current_app``. Rather than testing them by making a
-request or invoking the command, you can create and activate a context
+You may have functions that are called from views or commands, that expect an
+active :doc:`app context </appcontext>` because they access :data:`.request`,
+:data:`.session`, :data:`.g`, or :data:`.current_app`. Rather than testing them by
+making a request or invoking the command, you can create and activate a context
 directly.
 
 Use ``with app.app_context()`` to push an application context. For

docs/tutorial/blog.rst

@@ -305,7 +305,7 @@ The pattern ``{{ request.form['title'] or post['title'] }}`` is used to
 choose what data appears in the form. When the form hasn't been
 submitted, the original ``post`` data appears, but if invalid form data
 was posted you want to display that so the user can fix the error, so
-``request.form`` is used instead. :data:`request` is another variable
+``request.form`` is used instead. :data:`.request` is another variable
 that's automatically available in templates.
 
 

docs/tutorial/database.rst

@@ -37,6 +37,7 @@ response is sent.
     :caption: ``flaskr/db.py``
 
     import sqlite3
+    from datetime import datetime
 
     import click
     from flask import current_app, g
@@ -59,17 +60,17 @@ response is sent.
         if db is not None:
             db.close()
 
-:data:`g` is a special object that is unique for each request. It is
+:data:`.g` is a special object that is unique for each request. It is
 used to store data that might be accessed by multiple functions during
 the request. The connection is stored and reused instead of creating a
 new connection if ``get_db`` is called a second time in the same
 request.
 
-:data:`current_app` is another special object that points to the Flask
+:data:`.current_app` is another special object that points to the Flask
 application handling the request. Since you used an application factory,
 there is no application object when writing the rest of your code.
 ``get_db`` will be called when the application has been created and is
-handling a request, so :data:`current_app` can be used.
+handling a request, so :data:`.current_app` can be used.
 
 :func:`sqlite3.connect` establishes a connection to the file pointed at
 by the ``DATABASE`` configuration key. This file doesn't have to exist
@@ -132,6 +133,11 @@ Add the Python functions that will run these SQL commands to the
         init_db()
         click.echo('Initialized the database.')
 
+
+    sqlite3.register_converter(
+        "timestamp", lambda v: datetime.fromisoformat(v.decode())
+    )
+
 :meth:`open_resource() <Flask.open_resource>` opens a file relative to
 the ``flaskr`` package, which is useful since you won't necessarily know
 where that location is when deploying the application later. ``get_db``
@@ -142,6 +148,10 @@ read from the file.
 that calls the ``init_db`` function and shows a success message to the
 user. You can read :doc:`/cli` to learn more about writing commands.
 
+The call to :func:`sqlite3.register_converter` tells Python how to
+interpret timestamp values in the database. We convert the value to a
+:class:`datetime.datetime`.
+
 
 Register with the Application
 -----------------------------

docs/tutorial/templates.rst

@@ -71,7 +71,7 @@ specific sections.
       {% block content %}{% endblock %}
     </section>
 
-:data:`g` is automatically available in templates. Based on if
+:data:`.g` is automatically available in templates. Based on if
 ``g.user`` is set (from ``load_logged_in_user``), either the username
 and a log out link are displayed, or links to register and log in
 are displayed. :func:`url_for` is also automatically available, and is

docs/tutorial/tests.rst

@@ -311,7 +311,7 @@ input and error messages without writing the same code three times.
 
 The tests for the ``login`` view are very similar to those for
 ``register``. Rather than testing the data in the database,
-:data:`session` should have ``user_id`` set after logging in.
+:data:`.session` should have ``user_id`` set after logging in.
 
 .. code-block:: python
     :caption: ``tests/test_auth.py``
@@ -336,10 +336,10 @@ The tests for the ``login`` view are very similar to those for
         assert message in response.data
 
 Using ``client`` in a ``with`` block allows accessing context variables
-such as :data:`session` after the response is returned. Normally,
+such as :data:`.session` after the response is returned. Normally,
 accessing ``session`` outside of a request would raise an error.
 
-Testing ``logout`` is the opposite of ``login``. :data:`session` should
+Testing ``logout`` is the opposite of ``login``. :data:`.session` should
 not contain ``user_id`` after logging out.
 
 .. code-block:: python

docs/tutorial/views.rst

@@ -208,13 +208,13 @@ There are a few differences from the ``register`` view:
     password in the same way as the stored hash and securely compares
     them. If they match, the password is valid.
 
-#.  :data:`session` is a :class:`dict` that stores data across requests.
+#.  :data:`.session` is a :class:`dict` that stores data across requests.
     When validation succeeds, the user's ``id`` is stored in a new
     session. The data is stored in a *cookie* that is sent to the
     browser, and the browser then sends it back with subsequent requests.
     Flask securely *signs* the data so that it can't be tampered with.
 
-Now that the user's ``id`` is stored in the :data:`session`, it will be
+Now that the user's ``id`` is stored in the :data:`.session`, it will be
 available on subsequent requests. At the beginning of each request, if
 a user is logged in their information should be loaded and made
 available to other views.
@@ -236,7 +236,7 @@ available to other views.
 :meth:`bp.before_app_request() <Blueprint.before_app_request>` registers
 a function that runs before the view function, no matter what URL is
 requested. ``load_logged_in_user`` checks if a user id is stored in the
-:data:`session` and gets that user's data from the database, storing it
+:data:`.session` and gets that user's data from the database, storing it
 on :data:`g.user <g>`, which lasts for the length of the request. If
 there is no user id, or if the id doesn't exist, ``g.user`` will be
 ``None``.
@@ -245,7 +245,7 @@ there is no user id, or if the id doesn't exist, ``g.user`` will be
 Logout
 ------
 
-To log out, you need to remove the user id from the :data:`session`.
+To log out, you need to remove the user id from the :data:`.session`.
 Then ``load_logged_in_user`` won't load a user on subsequent requests.
 
 .. code-block:: python

docs/web-security.rst

@@ -1,9 +1,43 @@
 Security Considerations
 =======================
 
-Web applications usually face all kinds of security problems and it's very
-hard to get everything right.  Flask tries to solve a few of these things
-for you, but there are a couple more you have to take care of yourself.
+Web applications face many types of potential security problems, and it can be
+hard to get everything right, or even to know what "right" is in general. Flask
+tries to solve a few of these things by default, but there are other parts you
+may have to take care of yourself. Many of these solutions are tradeoffs, and
+will depend on each application's specific needs and threat model. Many hosting
+platforms may take care of certain types of problems without the need for the
+Flask application to handle them.
+
+Resource Use
+------------
+
+A common category of attacks is "Denial of Service" (DoS or DDoS). This is a
+very broad category, and different variants target different layers in a
+deployed application. In general, something is done to increase how much
+processing time or memory is used to handle each request, to the point where
+there are not enough resources to handle legitimate requests.
+
+Flask provides a few configuration options to handle resource use. They can
+also be set on individual requests to customize only that request. The
+documentation for each goes into more detail.
+
+-   :data:`MAX_CONTENT_LENGTH` or :attr:`.Request.max_content_length` controls
+    how much data will be read from a request. It is not set by default,
+    although it will still block truly unlimited streams unless the WSGI server
+    indicates support.
+-   :data:`MAX_FORM_MEMORY_SIZE` or :attr:`.Request.max_form_memory_size`
+    controls how large any non-file ``multipart/form-data`` field can be. It is
+    set to 500kB by default.
+-   :data:`MAX_FORM_PARTS` or :attr:`.Request.max_form_parts` controls how many
+    ``multipart/form-data`` fields can be parsed. It is set to 1000 by default.
+    Combined with the default `max_form_memory_size`, this means that a form
+    will occupy at most 500MB of memory.
+
+Regardless of these settings, you should also review what settings are available
+from your operating system, container deployment (Docker etc), WSGI server, HTTP
+server, and hosting platform. They typically have ways to set process resource
+limits, timeouts, and other checks regardless of how Flask is configured.
 
 .. _security-xss:
 
@@ -17,12 +51,12 @@ tags.  For more information on that have a look at the Wikipedia article
 on `Cross-Site Scripting
 <https://en.wikipedia.org/wiki/Cross-site_scripting>`_.
 
-Flask configures Jinja2 to automatically escape all values unless
+Flask configures Jinja to automatically escape all values unless
 explicitly told otherwise.  This should rule out all XSS problems caused
 in templates, but there are still other places where you have to be
 careful:
 
--   generating HTML without the help of Jinja2
+-   generating HTML without the help of Jinja
 -   calling :class:`~markupsafe.Markup` on data submitted by users
 -   sending out HTML from uploaded files, never do that, use the
     ``Content-Disposition: attachment`` header to prevent that problem.
@@ -31,7 +65,7 @@ careful:
     trick a browser to execute HTML.
 
 Another thing that is very important are unquoted attributes.  While
-Jinja2 can protect you from XSS issues by escaping HTML, there is one
+Jinja can protect you from XSS issues by escaping HTML, there is one
 thing it cannot protect you from: XSS by attribute injection.  To counter
 this possible attack vector, be sure to always quote your attributes with
 either double or single quotes when using Jinja expressions in them:
@@ -124,7 +158,7 @@ recommend reviewing each of the headers below for use in your application.
 The `Flask-Talisman`_ extension can be used to manage HTTPS and the security
 headers for you.
 
-.. _Flask-Talisman: https://github.com/GoogleCloudPlatform/flask-talisman
+.. _Flask-Talisman: https://github.com/wntrblm/flask-talisman
 
 HTTP Strict Transport Security (HSTS)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -235,17 +269,25 @@ values (or any values that need secure signatures).
 .. _samesite_support: https://caniuse.com/#feat=same-site-cookie-attribute
 
 
-HTTP Public Key Pinning (HPKP)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Host Header Validation
+----------------------
 
-This tells the browser to authenticate with the server using only the specific
-certificate key to prevent MITM attacks.
+The ``Host`` header is used by the client to indicate what host name the request
+was made to. This is used, for example, by ``url_for(..., _external=True)`` to
+generate full URLs, for use in email or other messages outside the browser
+window.
 
-.. warning::
-   Be careful when enabling this, as it is very difficult to undo if you set up
-   or upgrade your key incorrectly.
+By default the app doesn't know what host(s) it is allowed to be accessed
+through, and assumes any host is valid. Although browsers do not allow setting
+the ``Host`` header, requests made by attackers in other scenarios could set
+the ``Host`` header to a value they want.
 
-- https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
+When deploying your application, set :data:`TRUSTED_HOSTS` to restrict what
+values the ``Host`` header may be.
+
+The ``Host`` header may be modified by proxies in between the client and your
+application. See :doc:`deploying/proxy_fix` to tell your app which proxy values
+to trust.
 
 
 Copy/Paste to Terminal

examples/celery/pyproject.toml

@@ -3,8 +3,8 @@ name = "flask-example-celery"
 version = "1.0.0"
 description = "Example Flask application with Celery background tasks."
 readme = "README.md"
-requires-python = ">=3.8"
-dependencies = ["flask>=2.2.2", "celery[redis]>=5.2.7"]
+classifiers = ["Private :: Do Not Upload"]
+dependencies = ["flask", "celery[redis]"]
 
 [build-system]
 requires = ["flit_core<4"]

examples/javascript/README.rst

@@ -15,7 +15,7 @@ page. Demonstrates using |fetch|_, |XMLHttpRequest|_,  and
 .. |jQuery.ajax| replace:: ``jQuery.ajax``
 .. _jQuery.ajax: https://api.jquery.com/jQuery.ajax/
 
-.. _Flask docs: https://flask.palletsprojects.com/patterns/jquery/
+.. _Flask docs: https://flask.palletsprojects.com/patterns/javascript/
 
 
 Install

examples/javascript/pyproject.toml

@@ -3,12 +3,13 @@ name = "js_example"
 version = "1.1.0"
 description = "Demonstrates making AJAX requests to Flask."
 readme = "README.rst"
-license = {file = "LICENSE.rst"}
+license = {file = "LICENSE.txt"}
 maintainers = [{name = "Pallets", email = "contact@palletsprojects.com"}]
+classifiers = ["Private :: Do Not Upload"]
 dependencies = ["flask"]
 
 [project.urls]
-Documentation = "https://flask.palletsprojects.com/patterns/jquery/"
+Documentation = "https://flask.palletsprojects.com/patterns/javascript/"
 
 [project.optional-dependencies]
 test = ["pytest"]

examples/javascript/tests/test_js_example.py

@@ -5,7 +5,7 @@ from flask import template_rendered
 @pytest.mark.parametrize(
     ("path", "template_name"),
     (
-        ("/", "xhr.html"),
+        ("/", "fetch.html"),
         ("/plain", "xhr.html"),
         ("/fetch", "fetch.html"),
         ("/jquery", "jquery.html"),

examples/tutorial/flaskr/db.py

@@ -1,4 +1,5 @@
 import sqlite3
+from datetime import datetime
 
 import click
 from flask import current_app
@@ -44,6 +45,9 @@ def init_db_command():
     click.echo("Initialized the database.")
 
 
+sqlite3.register_converter("timestamp", lambda v: datetime.fromisoformat(v.decode()))
+
+
 def init_app(app):
     """Register database functions with the Flask app. This is called by
     the application factory.

examples/tutorial/pyproject.toml

@@ -3,8 +3,9 @@ name = "flaskr"
 version = "1.0.0"
 description = "The basic blog app built in the Flask tutorial."
 readme = "README.rst"
-license = {text = "BSD-3-Clause"}
+license = {file = "LICENSE.txt"}
 maintainers = [{name = "Pallets", email = "contact@palletsprojects.com"}]
+classifiers = ["Private :: Do Not Upload"]
 dependencies = [
     "flask",
 ]

pyproject.toml

@@ -1,45 +1,84 @@
 [project]
 name = "Flask"
-version = "3.0.2"
+version = "3.2.0.dev"
 description = "A simple framework for building complex web applications."
-readme = "README.rst"
-license = {file = "LICENSE.rst"}
+readme = "README.md"
+license = "BSD-3-Clause"
+license-files = ["LICENSE.txt"]
 maintainers = [{name = "Pallets", email = "contact@palletsprojects.com"}]
 classifiers = [
     "Development Status :: 5 - Production/Stable",
     "Environment :: Web Environment",
     "Framework :: Flask",
     "Intended Audience :: Developers",
-    "License :: OSI Approved :: BSD License",
     "Operating System :: OS Independent",
     "Programming Language :: Python",
     "Topic :: Internet :: WWW/HTTP :: Dynamic Content",
     "Topic :: Internet :: WWW/HTTP :: WSGI",
     "Topic :: Internet :: WWW/HTTP :: WSGI :: Application",
     "Topic :: Software Development :: Libraries :: Application Frameworks",
+    "Typing :: Typed",
 ]
-requires-python = ">=3.8"
+requires-python = ">=3.10"
 dependencies = [
-    "Werkzeug>=3.0.0",
-    "Jinja2>=3.1.2",
-    "itsdangerous>=2.1.2",
+    "blinker>=1.9.0",
     "click>=8.1.3",
-    "blinker>=1.6.2",
-    "importlib-metadata>=3.6.0; python_version < '3.10'",
+    "itsdangerous>=2.2.0",
+    "jinja2>=3.1.2",
+    "markupsafe>=2.1.1",
+    "werkzeug>=3.1.0",
+]
+
+[project.optional-dependencies]
+async = ["asgiref>=3.2"]
+dotenv = ["python-dotenv"]
+
+[dependency-groups]
+dev = [
+    "ruff",
+    "tox",
+    "tox-uv",
+]
+docs = [
+    "pallets-sphinx-themes",
+    "sphinx",
+    "sphinx-tabs",
+    "sphinxcontrib-log-cabinet",
+]
+docs-auto = [
+    "sphinx-autobuild",
+]
+gha-update = [
+    "gha-update ; python_full_version >= '3.12'",
+]
+pre-commit = [
+    "pre-commit",
+    "pre-commit-uv",
+]
+tests = [
+    "asgiref",
+    "greenlet",
+    "pytest",
+    "python-dotenv",
+]
+typing = [
+    "asgiref",
+    "cryptography",
+    "mypy",
+    "pyright",
+    "pytest",
+    "python-dotenv",
+    "types-contextvars",
+    "types-dataclasses",
 ]
 
 [project.urls]
 Donate = "https://palletsprojects.com/donate"
 Documentation = "https://flask.palletsprojects.com/"
-Changes = "https://flask.palletsprojects.com/changes/"
-"Source Code" = "https://github.com/pallets/flask/"
-"Issue Tracker" = "https://github.com/pallets/flask/issues/"
+Changes = "https://flask.palletsprojects.com/page/changes/"
+Source = "https://github.com/pallets/flask/"
 Chat = "https://discord.gg/pallets"
 
-[project.optional-dependencies]
-async = ["asgiref>=3.2"]
-dotenv = ["python-dotenv"]
-
 [project.scripts]
 flask = "flask.cli:main"
 
@@ -54,16 +93,17 @@ name = "flask"
 include = [
     "docs/",
     "examples/",
-    "requirements/",
     "tests/",
     "CHANGES.rst",
-    "CONTRIBUTING.rst",
-    "tox.ini",
+    "uv.lock"
 ]
 exclude = [
     "docs/_build/",
 ]
 
+[tool.uv]
+default-groups = ["dev", "pre-commit", "tests", "typing"]
+
 [tool.pytest.ini_options]
 testpaths = ["tests"]
 filterwarnings = [
@@ -77,9 +117,16 @@ source = ["flask", "tests"]
 [tool.coverage.paths]
 source = ["src", "*/site-packages"]
 
+[tool.coverage.report]
+exclude_also = [
+    "if t.TYPE_CHECKING",
+    "raise NotImplementedError",
+    ": \\.{3}",
+]
+
 [tool.mypy]
-python_version = "3.8"
-files = ["src/flask", "tests/typing"]
+python_version = "3.10"
+files = ["src", "tests/type_check"]
 show_error_codes = true
 pretty = true
 strict = true
@@ -93,11 +140,16 @@ module = [
 ]
 ignore_missing_imports = true
 
+[tool.pyright]
+pythonVersion = "3.10"
+include = ["src", "tests/type_check"]
+typeCheckingMode = "basic"
+
 [tool.ruff]
 src = ["src"]
 fix = true
 show-fixes = true
-show-source = true
+output-format = "full"
 
 [tool.ruff.lint]
 select = [
@@ -108,8 +160,118 @@ select = [
     "UP",  # pyupgrade
     "W",  # pycodestyle warning
 ]
-ignore-init-module-imports = true
+ignore = [
+    "UP038",  # keep isinstance tuple
+]
 
 [tool.ruff.lint.isort]
 force-single-line = true
 order-by-type = false
+
+[tool.tox]
+env_list = [
+    "py3.13", "py3.12", "py3.11", "py3.10",
+    "pypy3.11",
+    "tests-min", "tests-dev",
+    "style",
+    "typing",
+    "docs",
+]
+
+[tool.tox.env_run_base]
+description = "pytest on latest dependency versions"
+runner = "uv-venv-lock-runner"
+package = "wheel"
+wheel_build_env = ".pkg"
+constrain_package_deps = true
+use_frozen_constraints = true
+dependency_groups = ["tests"]
+env_tmp_dir = "{toxworkdir}/tmp/{envname}"
+commands = [[
+    "pytest", "-v", "--tb=short", "--basetemp={env_tmp_dir}",
+    {replace = "posargs", default = [], extend = true},
+]]
+
+[tool.tox.env.tests-min]
+description = "pytest on minimum dependency versions"
+base_python = ["3.13"]
+commands = [
+    [
+        "uv", "pip", "install",
+        "blinker==1.9.0",
+        "click==8.1.3",
+        "itsdangerous==2.2.0",
+        "jinja2==3.1.2",
+        "markupsafe==2.1.1",
+        "werkzeug==3.1.0",
+    ],
+    [
+        "pytest", "-v", "--tb=short", "--basetemp={env_tmp_dir}",
+        {replace = "posargs", default = [], extend = true},
+    ],
+]
+
+[tool.tox.env.tests-dev]
+description = "pytest on development dependency versions (git main branch)"
+base_python = ["3.10"]
+commands = [
+    [
+        "uv", "pip", "install",
+        "https://github.com/pallets-eco/blinker/archive/refs/heads/main.tar.gz",
+        "https://github.com/pallets/click/archive/refs/heads/main.tar.gz",
+        "https://github.com/pallets/itsdangerous/archive/refs/heads/main.tar.gz",
+        "https://github.com/pallets/jinja/archive/refs/heads/main.tar.gz",
+        "https://github.com/pallets/markupsafe/archive/refs/heads/main.tar.gz",
+        "https://github.com/pallets/werkzeug/archive/refs/heads/main.tar.gz",
+    ],
+    [
+        "pytest", "-v", "--tb=short", "--basetemp={env_tmp_dir}",
+        {replace = "posargs", default = [], extend = true},
+    ],
+]
+
+[tool.tox.env.style]
+description = "run all pre-commit hooks on all files"
+dependency_groups = ["pre-commit"]
+skip_install = true
+commands = [["pre-commit", "run", "--all-files"]]
+
+[tool.tox.env.typing]
+description = "run static type checkers"
+dependency_groups = ["typing"]
+commands = [
+    ["mypy"],
+    ["pyright"],
+]
+
+[tool.tox.env.docs]
+description = "build docs"
+dependency_groups = ["docs"]
+commands = [["sphinx-build", "-E", "-W", "-b", "dirhtml", "docs", "docs/_build/dirhtml"]]
+
+[tool.tox.env.docs-auto]
+description = "continuously rebuild docs and start a local server"
+dependency_groups = ["docs", "docs-auto"]
+commands = [["sphinx-autobuild", "-W", "-b", "dirhtml", "--watch", "src", "docs", "docs/_build/dirhtml"]]
+
+[tool.tox.env.update-actions]
+description = "update GitHub Actions pins"
+labels = ["update"]
+dependency_groups = ["gha-update"]
+skip_install = true
+commands = [["gha-update"]]
+
+[tool.tox.env.update-pre_commit]
+description = "update pre-commit pins"
+labels = ["update"]
+dependency_groups = ["pre-commit"]
+skip_install = true
+commands = [["pre-commit", "autoupdate", "--freeze", "-j4"]]
+
+[tool.tox.env.update-requirements]
+description = "update uv lock"
+labels = ["update"]
+dependency_groups = []
+no_default_groups = true
+skip_install = true
+commands = [["uv", "lock", {replace = "posargs", default = ["-U"], extend = true}]]

requirements-skip/README.md

@@ -1,2 +0,0 @@
-Dependabot will only update files in the `requirements` directory. This directory is
-separate because the pins in here should not be updated automatically.

requirements-skip/tests-dev.txt

@@ -1,6 +0,0 @@
-https://github.com/pallets/werkzeug/archive/refs/heads/main.tar.gz
-https://github.com/pallets/jinja/archive/refs/heads/main.tar.gz
-https://github.com/pallets/markupsafe/archive/refs/heads/main.tar.gz
-https://github.com/pallets/itsdangerous/archive/refs/heads/main.tar.gz
-https://github.com/pallets/click/archive/refs/heads/main.tar.gz
-https://github.com/pallets-eco/blinker/archive/refs/heads/main.tar.gz

requirements-skip/tests-min.in

@@ -1,6 +0,0 @@
-werkzeug==3.0.0
-jinja2==3.1.2
-markupsafe==2.1.1
-itsdangerous==2.1.2
-click==8.1.3
-blinker==1.6.2

requirements-skip/tests-min.txt

@@ -1,21 +0,0 @@
-#
-# This file is autogenerated by pip-compile with Python 3.11
-# by the following command:
-#
-#    pip-compile tests-min.in
-#
-blinker==1.6.2
-    # via -r tests-min.in
-click==8.1.3
-    # via -r tests-min.in
-itsdangerous==2.1.2
-    # via -r tests-min.in
-jinja2==3.1.2
-    # via -r tests-min.in
-markupsafe==2.1.1
-    # via
-    #   -r tests-min.in
-    #   jinja2
-    #   werkzeug
-werkzeug==3.0.0
-    # via -r tests-min.in

requirements/build.in

@@ -1 +0,0 @@
-build

requirements/build.txt

@@ -1,12 +0,0 @@
-#
-# This file is autogenerated by pip-compile with Python 3.11
-# by the following command:
-#
-#    pip-compile build.in
-#
-build==1.0.3
-    # via -r build.in
-packaging==23.2
-    # via build
-pyproject-hooks==1.0.0
-    # via build

requirements/dev.in

@@ -1,6 +0,0 @@
--r docs.in
--r tests.in
--r typing.in
-pip-tools
-pre-commit
-tox

requirements/dev.txt

@@ -1,151 +0,0 @@
-#
-# This file is autogenerated by pip-compile with Python 3.11
-# by the following command:
-#
-#    pip-compile dev.in
-#
-alabaster==0.7.16
-    # via sphinx
-asgiref==3.7.2
-    # via
-    #   -r tests.in
-    #   -r typing.in
-babel==2.14.0
-    # via sphinx
-build==1.0.3
-    # via pip-tools
-cachetools==5.3.2
-    # via tox
-certifi==2023.11.17
-    # via requests
-cffi==1.16.0
-    # via cryptography
-cfgv==3.4.0
-    # via pre-commit
-chardet==5.2.0
-    # via tox
-charset-normalizer==3.3.2
-    # via requests
-click==8.1.7
-    # via pip-tools
-colorama==0.4.6
-    # via tox
-cryptography==41.0.7
-    # via -r typing.in
-distlib==0.3.8
-    # via virtualenv
-docutils==0.18.1
-    # via
-    #   sphinx
-    #   sphinx-tabs
-filelock==3.13.1
-    # via
-    #   tox
-    #   virtualenv
-identify==2.5.33
-    # via pre-commit
-idna==3.6
-    # via requests
-imagesize==1.4.1
-    # via sphinx
-iniconfig==2.0.0
-    # via pytest
-jinja2==3.1.3
-    # via sphinx
-markupsafe==2.1.3
-    # via jinja2
-mypy==1.8.0
-    # via -r typing.in
-mypy-extensions==1.0.0
-    # via mypy
-nodeenv==1.8.0
-    # via pre-commit
-packaging==23.2
-    # via
-    #   build
-    #   pallets-sphinx-themes
-    #   pyproject-api
-    #   pytest
-    #   sphinx
-    #   tox
-pallets-sphinx-themes==2.1.1
-    # via -r docs.in
-pip-tools==7.3.0
-    # via -r dev.in
-platformdirs==4.1.0
-    # via
-    #   tox
-    #   virtualenv
-pluggy==1.3.0
-    # via
-    #   pytest
-    #   tox
-pre-commit==3.6.0
-    # via -r dev.in
-pycparser==2.21
-    # via cffi
-pygments==2.17.2
-    # via
-    #   sphinx
-    #   sphinx-tabs
-pyproject-api==1.6.1
-    # via tox
-pyproject-hooks==1.0.0
-    # via build
-pytest==7.4.4
-    # via -r tests.in
-python-dotenv==1.0.0
-    # via
-    #   -r tests.in
-    #   -r typing.in
-pyyaml==6.0.1
-    # via pre-commit
-requests==2.31.0
-    # via sphinx
-snowballstemmer==2.2.0
-    # via sphinx
-sphinx==7.2.6
-    # via
-    #   -r docs.in
-    #   pallets-sphinx-themes
-    #   sphinx-issues
-    #   sphinx-tabs
-    #   sphinxcontrib-log-cabinet
-sphinx-issues==3.0.1
-    # via -r docs.in
-sphinx-tabs==3.4.4
-    # via -r docs.in
-sphinxcontrib-applehelp==1.0.8
-    # via sphinx
-sphinxcontrib-devhelp==1.0.6
-    # via sphinx
-sphinxcontrib-htmlhelp==2.0.5
-    # via sphinx
-sphinxcontrib-jsmath==1.0.1
-    # via sphinx
-sphinxcontrib-log-cabinet==1.0.1
-    # via -r docs.in
-sphinxcontrib-qthelp==1.0.7
-    # via sphinx
-sphinxcontrib-serializinghtml==1.1.10
-    # via sphinx
-tox==4.12.0
-    # via -r dev.in
-types-contextvars==2.4.7.3
-    # via -r typing.in
-types-dataclasses==0.6.6
-    # via -r typing.in
-typing-extensions==4.9.0
-    # via mypy
-urllib3==2.1.0
-    # via requests
-virtualenv==20.25.0
-    # via
-    #   pre-commit
-    #   tox
-wheel==0.42.0
-    # via pip-tools
-
-# The following packages are considered to be unsafe in a requirements file:
-# pip
-# setuptools

requirements/docs.in

@@ -1,5 +0,0 @@
-pallets-sphinx-themes
-sphinx
-sphinx-issues
-sphinxcontrib-log-cabinet
-sphinx-tabs

requirements/docs.txt

@@ -1,67 +0,0 @@
-#
-# This file is autogenerated by pip-compile with Python 3.11
-# by the following command:
-#
-#    pip-compile docs.in
-#
-alabaster==0.7.16
-    # via sphinx
-babel==2.14.0
-    # via sphinx
-certifi==2023.11.17
-    # via requests
-charset-normalizer==3.3.2
-    # via requests
-docutils==0.18.1
-    # via
-    #   sphinx
-    #   sphinx-tabs
-idna==3.6
-    # via requests
-imagesize==1.4.1
-    # via sphinx
-jinja2==3.1.3
-    # via sphinx
-markupsafe==2.1.3
-    # via jinja2
-packaging==23.2
-    # via
-    #   pallets-sphinx-themes
-    #   sphinx
-pallets-sphinx-themes==2.1.1
-    # via -r docs.in
-pygments==2.17.2
-    # via
-    #   sphinx
-    #   sphinx-tabs
-requests==2.31.0
-    # via sphinx
-snowballstemmer==2.2.0
-    # via sphinx
-sphinx==7.2.6
-    # via
-    #   -r docs.in
-    #   pallets-sphinx-themes
-    #   sphinx-issues
-    #   sphinx-tabs
-    #   sphinxcontrib-log-cabinet
-sphinx-issues==3.0.1
-    # via -r docs.in
-sphinx-tabs==3.4.4
-    # via -r docs.in
-sphinxcontrib-applehelp==1.0.8
-    # via sphinx
-sphinxcontrib-devhelp==1.0.6
-    # via sphinx
-sphinxcontrib-htmlhelp==2.0.5
-    # via sphinx
-sphinxcontrib-jsmath==1.0.1
-    # via sphinx
-sphinxcontrib-log-cabinet==1.0.1
-    # via -r docs.in
-sphinxcontrib-qthelp==1.0.7
-    # via sphinx
-sphinxcontrib-serializinghtml==1.1.10
-    # via sphinx
-urllib3==2.1.0
-    # via requests

requirements/tests.in

@@ -1,4 +0,0 @@
-pytest
-asgiref
-greenlet ; python_version < "3.11"
-python-dotenv

requirements/tests.txt

@@ -1,18 +0,0 @@
-#
-# This file is autogenerated by pip-compile with Python 3.11
-# by the following command:
-#
-#    pip-compile tests.in
-#
-asgiref==3.7.2
-    # via -r tests.in
-iniconfig==2.0.0
-    # via pytest
-packaging==23.2
-    # via pytest
-pluggy==1.3.0
-    # via pytest
-pytest==7.4.4
-    # via -r tests.in
-python-dotenv==1.0.0
-    # via -r tests.in

requirements/typing.in

@@ -1,6 +0,0 @@
-mypy
-types-contextvars
-types-dataclasses
-asgiref
-cryptography
-python-dotenv

requirements/typing.txt

@@ -1,26 +0,0 @@
-#
-# This file is autogenerated by pip-compile with Python 3.11
-# by the following command:
-#
-#    pip-compile typing.in
-#
-asgiref==3.7.2
-    # via -r typing.in
-cffi==1.16.0
-    # via cryptography
-cryptography==41.0.7
-    # via -r typing.in
-mypy==1.8.0
-    # via -r typing.in
-mypy-extensions==1.0.0
-    # via mypy
-pycparser==2.21
-    # via cffi
-python-dotenv==1.0.0
-    # via -r typing.in
-types-contextvars==2.4.7.3
-    # via -r typing.in
-types-dataclasses==0.6.6
-    # via -r typing.in
-typing-extensions==4.9.0
-    # via mypy

src/flask/__init__.py

@@ -1,7 +1,3 @@
-from __future__ import annotations
-
-import typing as t
-
 from . import json as json
 from .app import Flask as Flask
 from .blueprints import Blueprint as Blueprint
@@ -41,20 +37,3 @@ from .templating import stream_template as stream_template
 from .templating import stream_template_string as stream_template_string
 from .wrappers import Request as Request
 from .wrappers import Response as Response
-
-
-def __getattr__(name: str) -> t.Any:
-    if name == "__version__":
-        import importlib.metadata
-        import warnings
-
-        warnings.warn(
-            "The '__version__' attribute is deprecated and will be removed in"
-            " Flask 3.1. Use feature detection or"
-            " 'importlib.metadata.version(\"flask\")' instead.",
-            DeprecationWarning,
-            stacklevel=2,
-        )
-        return importlib.metadata.version("flask")
-
-    raise AttributeError(name)

src/flask/app.py

@@ -24,24 +24,20 @@ from werkzeug.routing import RoutingException
 from werkzeug.routing import Rule
 from werkzeug.serving import is_running_from_reloader
 from werkzeug.wrappers import Response as BaseResponse
+from werkzeug.wsgi import get_host
 
 from . import cli
 from . import typing as ft
 from .ctx import AppContext
-from .ctx import RequestContext
 from .globals import _cv_app
-from .globals import _cv_request
-from .globals import current_app
 from .globals import g
 from .globals import request
-from .globals import request_ctx
 from .globals import session
 from .helpers import get_debug_flag
 from .helpers import get_flashed_messages
 from .helpers import get_load_dotenv
 from .helpers import send_from_directory
 from .sansio.app import App
-from .sansio.scaffold import _sentinel
 from .sessions import SecureCookieSessionInterface
 from .sessions import SessionInterface
 from .signals import appcontext_tearing_down
@@ -59,6 +55,7 @@ if t.TYPE_CHECKING:  # pragma: no cover
 
     from .testing import FlaskClient
     from .testing import FlaskCliRunner
+    from .typing import HeadersValue
 
 T_shell_context_processor = t.TypeVar(
     "T_shell_context_processor", bound=ft.ShellContextProcessorCallable
@@ -179,8 +176,10 @@ class Flask(App):
             "TESTING": False,
             "PROPAGATE_EXCEPTIONS": None,
             "SECRET_KEY": None,
+            "SECRET_KEY_FALLBACKS": None,
             "PERMANENT_SESSION_LIFETIME": timedelta(days=31),
             "USE_X_SENDFILE": False,
+            "TRUSTED_HOSTS": None,
             "SERVER_NAME": None,
             "APPLICATION_ROOT": "/",
             "SESSION_COOKIE_NAME": "session",
@@ -188,9 +187,12 @@ class Flask(App):
             "SESSION_COOKIE_PATH": None,
             "SESSION_COOKIE_HTTPONLY": True,
             "SESSION_COOKIE_SECURE": False,
+            "SESSION_COOKIE_PARTITIONED": False,
             "SESSION_COOKIE_SAMESITE": None,
             "SESSION_REFRESH_EACH_REQUEST": True,
             "MAX_CONTENT_LENGTH": None,
+            "MAX_FORM_MEMORY_SIZE": 500_000,
+            "MAX_FORM_PARTS": 1_000,
             "SEND_FILE_MAX_AGE_DEFAULT": None,
             "TRAP_BAD_REQUEST_ERRORS": None,
             "TRAP_HTTP_EXCEPTIONS": False,
@@ -198,6 +200,7 @@ class Flask(App):
             "PREFERRED_URL_SCHEME": "http",
             "TEMPLATES_AUTO_RELOAD": None,
             "MAX_COOKIE_SIZE": 4093,
+            "PROVIDE_AUTOMATIC_OPTIONS": True,
         }
     )
 
@@ -241,15 +244,25 @@ class Flask(App):
             root_path=root_path,
         )
 
+        #: The Click command group for registering CLI commands for this
+        #: object. The commands are available from the ``flask`` command
+        #: once the application has been discovered and blueprints have
+        #: been registered.
+        self.cli = cli.AppGroup()
+
+        # Set the name of the Click group in case someone wants to add
+        # the app's commands to another CLI tool.
+        self.cli.name = self.name
+
         # Add a static route using the provided static_url_path, static_host,
         # and static_folder if there is a configured static_folder.
         # Note we do this without checking if static_folder exists.
         # For one, it might be created while the server is running (e.g. during
         # development). Also, Google App Engine stores static files somewhere
         if self.has_static_folder:
-            assert (
-                bool(static_host) == host_matching
-            ), "Invalid static_host/host_matching combination"
+            assert bool(static_host) == host_matching, (
+                "Invalid static_host/host_matching combination"
+            )
             # Use a weakref to avoid creating a reference cycle between the app
             # and the view function (see #3761).
             self_ref = weakref.ref(self)
@@ -277,7 +290,7 @@ class Flask(App):
 
         .. versionadded:: 0.9
         """
-        value = current_app.config["SEND_FILE_MAX_AGE_DEFAULT"]
+        value = self.config["SEND_FILE_MAX_AGE_DEFAULT"]
 
         if value is None:
             return None
@@ -309,9 +322,10 @@ class Flask(App):
             t.cast(str, self.static_folder), filename, max_age=max_age
         )
 
-    def open_resource(self, resource: str, mode: str = "rb") -> t.IO[t.AnyStr]:
-        """Open a resource file relative to :attr:`root_path` for
-        reading.
+    def open_resource(
+        self, resource: str, mode: str = "rb", encoding: str | None = None
+    ) -> t.IO[t.AnyStr]:
+        """Open a resource file relative to :attr:`root_path` for reading.
 
         For example, if the file ``schema.sql`` is next to the file
         ``app.py`` where the ``Flask`` app is defined, it can be opened
@@ -322,31 +336,46 @@ class Flask(App):
             with app.open_resource("schema.sql") as f:
                 conn.executescript(f.read())
 
-        :param resource: Path to the resource relative to
-            :attr:`root_path`.
-        :param mode: Open the file in this mode. Only reading is
-            supported, valid values are "r" (or "rt") and "rb".
-
-        Note this is a duplicate of the same method in the Flask
-        class.
+        :param resource: Path to the resource relative to :attr:`root_path`.
+        :param mode: Open the file in this mode. Only reading is supported,
+            valid values are ``"r"`` (or ``"rt"``) and ``"rb"``.
+        :param encoding: Open the file with this encoding when opening in text
+            mode. This is ignored when opening in binary mode.
 
+        .. versionchanged:: 3.1
+            Added the ``encoding`` parameter.
         """
         if mode not in {"r", "rt", "rb"}:
             raise ValueError("Resources can only be opened for reading.")
 
-        return open(os.path.join(self.root_path, resource), mode)
+        path = os.path.join(self.root_path, resource)
 
-    def open_instance_resource(self, resource: str, mode: str = "rb") -> t.IO[t.AnyStr]:
-        """Opens a resource from the application's instance folder
-        (:attr:`instance_path`).  Otherwise works like
-        :meth:`open_resource`.  Instance resources can also be opened for
-        writing.
+        if mode == "rb":
+            return open(path, mode)  # pyright: ignore
 
-        :param resource: the name of the resource.  To access resources within
-                         subfolders use forward slashes as separator.
-        :param mode: resource file opening mode, default is 'rb'.
+        return open(path, mode, encoding=encoding)
+
+    def open_instance_resource(
+        self, resource: str, mode: str = "rb", encoding: str | None = "utf-8"
+    ) -> t.IO[t.AnyStr]:
+        """Open a resource file relative to the application's instance folder
+        :attr:`instance_path`. Unlike :meth:`open_resource`, files in the
+        instance folder can be opened for writing.
+
+        :param resource: Path to the resource relative to :attr:`instance_path`.
+        :param mode: Open the file in this mode.
+        :param encoding: Open the file with this encoding when opening in text
+            mode. This is ignored when opening in binary mode.
+
+        .. versionchanged:: 3.1
+            Added the ``encoding`` parameter.
         """
-        return open(os.path.join(self.instance_path, resource), mode)
+        path = os.path.join(self.instance_path, resource)
+
+        if "b" in mode:
+            return open(path, mode)
+
+        return open(path, mode, encoding=encoding)
 
     def create_jinja_environment(self) -> Environment:
         """Create the Jinja environment based on :attr:`jinja_options`
@@ -393,32 +422,45 @@ class Flask(App):
         is created at a point where the request context is not yet set
         up so the request is passed explicitly.
 
-        .. versionadded:: 0.6
-
-        .. versionchanged:: 0.9
-           This can now also be called without a request object when the
-           URL adapter is created for the application context.
+        .. versionchanged:: 3.1
+            If :data:`SERVER_NAME` is set, it does not restrict requests to
+            only that domain, for both ``subdomain_matching`` and
+            ``host_matching``.
 
         .. versionchanged:: 1.0
             :data:`SERVER_NAME` no longer implicitly enables subdomain
             matching. Use :attr:`subdomain_matching` instead.
+
+        .. versionchanged:: 0.9
+           This can be called outside a request when the URL adapter is created
+           for an application context.
+
+        .. versionadded:: 0.6
         """
         if request is not None:
-            # If subdomain matching is disabled (the default), use the
-            # default subdomain in all cases. This should be the default
-            # in Werkzeug but it currently does not have that feature.
-            if not self.subdomain_matching:
-                subdomain = self.url_map.default_subdomain or None
-            else:
+            if (trusted_hosts := self.config["TRUSTED_HOSTS"]) is not None:
+                request.trusted_hosts = trusted_hosts
+
+            # Check trusted_hosts here until bind_to_environ does.
+            request.host = get_host(request.environ, request.trusted_hosts)  # pyright: ignore
             subdomain = None
+            server_name = self.config["SERVER_NAME"]
+
+            if self.url_map.host_matching:
+                # Don't pass SERVER_NAME, otherwise it's used and the actual
+                # host is ignored, which breaks host matching.
+                server_name = None
+            elif not self.subdomain_matching:
+                # Werkzeug doesn't implement subdomain matching yet. Until then,
+                # disable it by forcing the current subdomain to the default, or
+                # the empty string.
+                subdomain = self.url_map.default_subdomain or ""
 
             return self.url_map.bind_to_environ(
-                request.environ,
-                server_name=self.config["SERVER_NAME"],
-                subdomain=subdomain,
+                request.environ, server_name=server_name, subdomain=subdomain
             )
-        # We need at the very least the server name to be set for this
-        # to work.
+
+        # Need at least SERVER_NAME to match/build outside a request.
         if self.config["SERVER_NAME"] is not None:
             return self.url_map.bind(
                 self.config["SERVER_NAME"],
@@ -470,8 +512,8 @@ class Flask(App):
         names: t.Iterable[str | None] = (None,)
 
         # A template may be rendered outside a request context.
-        if request:
-            names = chain(names, reversed(request.blueprints))
+        if (ctx := _cv_app.get(None)) is not None and ctx.has_request:
+            names = chain(names, reversed(ctx.request.blueprints))
 
         # The values passed to render_template take precedence. Keep a
         # copy to re-apply after all context functions.
@@ -839,7 +881,8 @@ class Flask(App):
            This no longer does the exception handling, this code was
            moved to the new :meth:`full_dispatch_request`.
         """
-        req = request_ctx.request
+        req = _cv_app.get().request
+
         if req.routing_exception is not None:
             self.raise_routing_exception(req)
         rule: Rule = req.url_rule  # type: ignore[assignment]
@@ -910,7 +953,7 @@ class Flask(App):
 
         .. versionadded:: 0.7
         """
-        adapter = request_ctx.url_adapter
+        adapter = _cv_app.get().url_adapter
         methods = adapter.allowed_methods()  # type: ignore[union-attr]
         rv = self.response_class()
         rv.allow.update(methods)
@@ -1010,11 +1053,9 @@ class Flask(App):
         .. versionadded:: 2.2
             Moved from ``flask.url_for``, which calls this method.
         """
-        req_ctx = _cv_request.get(None)
-
-        if req_ctx is not None:
-            url_adapter = req_ctx.url_adapter
-            blueprint_name = req_ctx.request.blueprint
+        if (ctx := _cv_app.get(None)) is not None and ctx.has_request:
+            url_adapter = ctx.url_adapter
+            blueprint_name = ctx.request.blueprint
 
             # If the endpoint starts with "." and the request matches a
             # blueprint, the endpoint is relative to the blueprint.
@@ -1029,13 +1070,11 @@ class Flask(App):
             if _external is None:
                 _external = _scheme is not None
         else:
-            app_ctx = _cv_app.get(None)
-
             # If called by helpers.url_for, an app context is active,
             # use its url_adapter. Otherwise, app.url_for was called
             # directly, build an adapter.
-            if app_ctx is not None:
-                url_adapter = app_ctx.url_adapter
+            if ctx is not None:
+                url_adapter = ctx.url_adapter
             else:
                 url_adapter = self.create_url_adapter(None)
 
@@ -1136,7 +1175,8 @@ class Flask(App):
            response object.
         """
 
-        status = headers = None
+        status: int | None = None
+        headers: HeadersValue | None = None
 
         # unpack tuple returns
         if isinstance(rv, tuple):
@@ -1148,7 +1188,7 @@ class Flask(App):
             # decide if a 2-tuple has status or headers
             elif len_rv == 2:
                 if isinstance(rv[1], (Headers, dict, tuple, list)):
-                    rv, headers = rv
+                    rv, headers = rv  # pyright: ignore
                 else:
                     rv, status = rv  # type: ignore[assignment,misc]
             # other sized tuples are not allowed
@@ -1174,7 +1214,7 @@ class Flask(App):
                 # waiting to do it manually, so that the class can handle any
                 # special logic
                 rv = self.response_class(
-                    rv,
+                    rv,  # pyright: ignore
                     status=status,
                     headers=headers,  # type: ignore[arg-type]
                 )
@@ -1216,7 +1256,7 @@ class Flask(App):
 
         # extend existing headers with provided headers
         if headers:
-            rv.headers.update(headers)  # type: ignore[arg-type]
+            rv.headers.update(headers)
 
         return rv
 
@@ -1230,12 +1270,13 @@ class Flask(App):
         value is handled as if it was the return value from the view, and
         further request handling is stopped.
         """
-        names = (None, *reversed(request.blueprints))
+        req = _cv_app.get().request
+        names = (None, *reversed(req.blueprints))
 
         for name in names:
             if name in self.url_value_preprocessors:
                 for url_func in self.url_value_preprocessors[name]:
-                    url_func(request.endpoint, request.view_args)
+                    url_func(req.endpoint, req.view_args)
 
         for name in names:
             if name in self.before_request_funcs:
@@ -1260,12 +1301,12 @@ class Flask(App):
         :return: a new response object or the same, has to be an
                  instance of :attr:`response_class`.
         """
-        ctx = request_ctx._get_current_object()  # type: ignore[attr-defined]
+        ctx = _cv_app.get()
 
         for func in ctx._after_request_functions:
             response = self.ensure_sync(func)(response)
 
-        for name in chain(request.blueprints, (None,)):
+        for name in chain(ctx.request.blueprints, (None,)):
             if name in self.after_request_funcs:
                 for func in reversed(self.after_request_funcs[name]):
                     response = self.ensure_sync(func)(response)
@@ -1275,77 +1316,57 @@ class Flask(App):
 
         return response
 
-    def do_teardown_request(
-        self,
-        exc: BaseException | None = _sentinel,  # type: ignore[assignment]
-    ) -> None:
-        """Called after the request is dispatched and the response is
-        returned, right before the request context is popped.
+    def do_teardown_request(self, exc: BaseException | None = None) -> None:
+        """Called after the request is dispatched and the response is finalized,
+        right before the request context is popped. Called by
+        :meth:`.AppContext.pop`.
 
-        This calls all functions decorated with
-        :meth:`teardown_request`, and :meth:`Blueprint.teardown_request`
-        if a blueprint handled the request. Finally, the
-        :data:`request_tearing_down` signal is sent.
+        This calls all functions decorated with :meth:`teardown_request`, and
+        :meth:`Blueprint.teardown_request` if a blueprint handled the request.
+        Finally, the :data:`request_tearing_down` signal is sent.
 
-        This is called by
-        :meth:`RequestContext.pop() <flask.ctx.RequestContext.pop>`,
-        which may be delayed during testing to maintain access to
-        resources.
-
-        :param exc: An unhandled exception raised while dispatching the
-            request. Detected from the current exception information if
-            not passed. Passed to each teardown function.
+        :param exc: An unhandled exception raised while dispatching the request.
+            Passed to each teardown function.
 
         .. versionchanged:: 0.9
             Added the ``exc`` argument.
         """
-        if exc is _sentinel:
-            exc = sys.exc_info()[1]
+        req = _cv_app.get().request
 
-        for name in chain(request.blueprints, (None,)):
+        for name in chain(req.blueprints, (None,)):
             if name in self.teardown_request_funcs:
                 for func in reversed(self.teardown_request_funcs[name]):
                     self.ensure_sync(func)(exc)
 
         request_tearing_down.send(self, _async_wrapper=self.ensure_sync, exc=exc)
 
-    def do_teardown_appcontext(
-        self,
-        exc: BaseException | None = _sentinel,  # type: ignore[assignment]
-    ) -> None:
-        """Called right before the application context is popped.
+    def do_teardown_appcontext(self, exc: BaseException | None = None) -> None:
+        """Called right before the application context is popped. Called by
+        :meth:`.AppContext.pop`.
 
-        When handling a request, the application context is popped
-        after the request context. See :meth:`do_teardown_request`.
+        This calls all functions decorated with :meth:`teardown_appcontext`.
+        Then the :data:`appcontext_tearing_down` signal is sent.
 
-        This calls all functions decorated with
-        :meth:`teardown_appcontext`. Then the
-        :data:`appcontext_tearing_down` signal is sent.
-
-        This is called by
-        :meth:`AppContext.pop() <flask.ctx.AppContext.pop>`.
+        :param exc: An unhandled exception raised while the context was active.
+            Passed to each teardown function.
 
         .. versionadded:: 0.9
         """
-        if exc is _sentinel:
-            exc = sys.exc_info()[1]
-
         for func in reversed(self.teardown_appcontext_funcs):
             self.ensure_sync(func)(exc)
 
         appcontext_tearing_down.send(self, _async_wrapper=self.ensure_sync, exc=exc)
 
     def app_context(self) -> AppContext:
-        """Create an :class:`~flask.ctx.AppContext`. Use as a ``with``
-        block to push the context, which will make :data:`current_app`
-        point at this application.
+        """Create an :class:`.AppContext`. When the context is pushed,
+        :data:`.current_app` and :data:`.g` become available.
 
-        An application context is automatically pushed by
-        :meth:`RequestContext.push() <flask.ctx.RequestContext.push>`
-        when handling a request, and when running a CLI command. Use
-        this to manually create a context outside of these situations.
+        A context is automatically pushed when handling each request, and when
+        running any ``flask`` CLI command. Use this as a ``with`` block to
+        manually push a context outside of those situations, such as during
+        setup or testing.
 
-        ::
+        .. code-block:: python
 
             with app.app_context():
                 init_db()
@@ -1356,44 +1377,37 @@ class Flask(App):
         """
         return AppContext(self)
 
-    def request_context(self, environ: WSGIEnvironment) -> RequestContext:
-        """Create a :class:`~flask.ctx.RequestContext` representing a
-        WSGI environment. Use a ``with`` block to push the context,
-        which will make :data:`request` point at this request.
+    def request_context(self, environ: WSGIEnvironment) -> AppContext:
+        """Create an :class:`.AppContext` with request information representing
+        the given WSGI environment. A context is automatically pushed when
+        handling each request. When the context is pushed, :data:`.request`,
+        :data:`.session`, :data:`g:, and :data:`.current_app` become available.
 
-        See :doc:`/reqcontext`.
+        This method should not be used in your own code. Creating a valid WSGI
+        environ is not trivial. Use :meth:`test_request_context` to correctly
+        create a WSGI environ and request context instead.
 
-        Typically you should not call this from your own code. A request
-        context is automatically pushed by the :meth:`wsgi_app` when
-        handling a request. Use :meth:`test_request_context` to create
-        an environment and context instead of this method.
+        See :doc:`/appcontext`.
 
-        :param environ: a WSGI environment
+        :param environ: A WSGI environment.
         """
-        return RequestContext(self, environ)
+        return AppContext.from_environ(self, environ)
 
-    def test_request_context(self, *args: t.Any, **kwargs: t.Any) -> RequestContext:
-        """Create a :class:`~flask.ctx.RequestContext` for a WSGI
-        environment created from the given values. This is mostly useful
-        during testing, where you may want to run a function that uses
-        request data without dispatching a full request.
+    def test_request_context(self, *args: t.Any, **kwargs: t.Any) -> AppContext:
+        """Create an :class:`.AppContext` with request information created from
+        the given arguments. When the context is pushed, :data:`.request`,
+        :data:`.session`, :data:`g:, and :data:`.current_app` become available.
 
-        See :doc:`/reqcontext`.
+        This is useful during testing to run a function that uses request data
+        without dispatching a full request. Use this as a ``with`` block to push
+        a context.
 
-        Use a ``with`` block to push the context, which will make
-        :data:`request` point at the request for the created
-        environment. ::
+        .. code-block:: python
 
             with app.test_request_context(...):
                 generate_report()
 
-        When using the shell, it may be easier to push and pop the
-        context manually to avoid indentation. ::
-
-            ctx = app.test_request_context(...)
-            ctx.push()
-            ...
-            ctx.pop()
+        See :doc:`/appcontext`.
 
         Takes the same arguments as Werkzeug's
         :class:`~werkzeug.test.EnvironBuilder`, with some defaults from
@@ -1403,20 +1417,18 @@ class Flask(App):
         :param path: URL path being requested.
         :param base_url: Base URL where the app is being served, which
             ``path`` is relative to. If not given, built from
-            :data:`PREFERRED_URL_SCHEME`, ``subdomain``,
-            :data:`SERVER_NAME`, and :data:`APPLICATION_ROOT`.
-        :param subdomain: Subdomain name to append to
-            :data:`SERVER_NAME`.
+            :data:`PREFERRED_URL_SCHEME`, ``subdomain``, :data:`SERVER_NAME`,
+            and :data:`APPLICATION_ROOT`.
+        :param subdomain: Subdomain name to prepend to :data:`SERVER_NAME`.
         :param url_scheme: Scheme to use instead of
             :data:`PREFERRED_URL_SCHEME`.
-        :param data: The request body, either as a string or a dict of
-            form keys and values.
+        :param data: The request body text or bytes,or a dict of form data.
         :param json: If given, this is serialized as JSON and passed as
             ``data``. Also defaults ``content_type`` to
             ``application/json``.
-        :param args: other positional arguments passed to
+        :param args: Other positional arguments passed to
             :class:`~werkzeug.test.EnvironBuilder`.
-        :param kwargs: other keyword arguments passed to
+        :param kwargs: Other keyword arguments passed to
             :class:`~werkzeug.test.EnvironBuilder`.
         """
         from .testing import EnvironBuilder
@@ -1424,10 +1436,12 @@ class Flask(App):
         builder = EnvironBuilder(self, *args, **kwargs)
 
         try:
-            return self.request_context(builder.get_environ())
+            environ = builder.get_environ()
         finally:
             builder.close()
 
+        return self.request_context(environ)
+
     def wsgi_app(
         self, environ: WSGIEnvironment, start_response: StartResponse
     ) -> cabc.Iterable[bytes]:
@@ -1448,7 +1462,6 @@ class Flask(App):
             Teardown events for the request and app contexts are called
             even if an unhandled error occurs. Other events may not be
             called depending on when an error occurs during dispatch.
-            See :ref:`callbacks-and-errors`.
 
         :param environ: A WSGI environment.
         :param start_response: A callable accepting a status code,
@@ -1471,7 +1484,6 @@ class Flask(App):
         finally:
             if "werkzeug.debug.preserve_context" in environ:
                 environ["werkzeug.debug.preserve_context"](_cv_app.get())
-                environ["werkzeug.debug.preserve_context"](_cv_request.get())
 
             if error is not None and self.should_ignore_error(error):
                 error = None

src/flask/blueprints.py

@@ -4,16 +4,54 @@ import os
 import typing as t
 from datetime import timedelta
 
+from .cli import AppGroup
 from .globals import current_app
 from .helpers import send_from_directory
 from .sansio.blueprints import Blueprint as SansioBlueprint
 from .sansio.blueprints import BlueprintSetupState as BlueprintSetupState  # noqa
+from .sansio.scaffold import _sentinel
 
 if t.TYPE_CHECKING:  # pragma: no cover
     from .wrappers import Response
 
 
 class Blueprint(SansioBlueprint):
+    def __init__(
+        self,
+        name: str,
+        import_name: str,
+        static_folder: str | os.PathLike[str] | None = None,
+        static_url_path: str | None = None,
+        template_folder: str | os.PathLike[str] | None = None,
+        url_prefix: str | None = None,
+        subdomain: str | None = None,
+        url_defaults: dict[str, t.Any] | None = None,
+        root_path: str | None = None,
+        cli_group: str | None = _sentinel,  # type: ignore
+    ) -> None:
+        super().__init__(
+            name,
+            import_name,
+            static_folder,
+            static_url_path,
+            template_folder,
+            url_prefix,
+            subdomain,
+            url_defaults,
+            root_path,
+            cli_group,
+        )
+
+        #: The Click command group for registering CLI commands for this
+        #: object. The commands are available from the ``flask`` command
+        #: once the application has been discovered and blueprints have
+        #: been registered.
+        self.cli = AppGroup()
+
+        # Set the name of the Click group in case someone wants to add
+        # the app's commands to another CLI tool.
+        self.cli.name = self.name
+
     def get_send_file_max_age(self, filename: str | None) -> int | None:
         """Used by :func:`send_file` to determine the ``max_age`` cache
         value for a given file path if it wasn't passed.
@@ -63,29 +101,28 @@ class Blueprint(SansioBlueprint):
             t.cast(str, self.static_folder), filename, max_age=max_age
         )
 
-    def open_resource(self, resource: str, mode: str = "rb") -> t.IO[t.AnyStr]:
-        """Open a resource file relative to :attr:`root_path` for
-        reading.
+    def open_resource(
+        self, resource: str, mode: str = "rb", encoding: str | None = "utf-8"
+    ) -> t.IO[t.AnyStr]:
+        """Open a resource file relative to :attr:`root_path` for reading. The
+        blueprint-relative equivalent of the app's :meth:`~.Flask.open_resource`
+        method.
 
-        For example, if the file ``schema.sql`` is next to the file
-        ``app.py`` where the ``Flask`` app is defined, it can be opened
-        with:
-
-        .. code-block:: python
-
-            with app.open_resource("schema.sql") as f:
-                conn.executescript(f.read())
-
-        :param resource: Path to the resource relative to
-            :attr:`root_path`.
-        :param mode: Open the file in this mode. Only reading is
-            supported, valid values are "r" (or "rt") and "rb".
-
-        Note this is a duplicate of the same method in the Flask
-        class.
+        :param resource: Path to the resource relative to :attr:`root_path`.
+        :param mode: Open the file in this mode. Only reading is supported,
+            valid values are ``"r"`` (or ``"rt"``) and ``"rb"``.
+        :param encoding: Open the file with this encoding when opening in text
+            mode. This is ignored when opening in binary mode.
 
+        .. versionchanged:: 3.1
+            Added the ``encoding`` parameter.
         """
         if mode not in {"r", "rt", "rb"}:
             raise ValueError("Resources can only be opened for reading.")
 
-        return open(os.path.join(self.root_path, resource), mode)
+        path = os.path.join(self.root_path, resource)
+
+        if mode == "rb":
+            return open(path, mode)  # pyright: ignore
+
+        return open(path, mode, encoding=encoding)

src/flask/cli.py

@@ -229,15 +229,13 @@ def prepare_import(path: str) -> str:
 @t.overload
 def locate_app(
     module_name: str, app_name: str | None, raise_if_not_found: t.Literal[True] = True
-) -> Flask:
-    ...
+) -> Flask: ...
 
 
 @t.overload
 def locate_app(
     module_name: str, app_name: str | None, raise_if_not_found: t.Literal[False] = ...
-) -> Flask | None:
-    ...
+) -> Flask | None: ...
 
 
 def locate_app(
@@ -299,6 +297,9 @@ class ScriptInfo:
     a bigger role.  Typically it's created automatically by the
     :class:`FlaskGroup` but you can also manually create it and pass it
     onwards as click object.
+
+    .. versionchanged:: 3.1
+        Added the ``load_dotenv_defaults`` parameter and attribute.
     """
 
     def __init__(
@@ -306,6 +307,7 @@ class ScriptInfo:
         app_import_path: str | None = None,
         create_app: t.Callable[..., Flask] | None = None,
         set_debug_flag: bool = True,
+        load_dotenv_defaults: bool = True,
     ) -> None:
         #: Optionally the import path for the Flask application.
         self.app_import_path = app_import_path
@@ -316,6 +318,16 @@ class ScriptInfo:
         #: this script info.
         self.data: dict[t.Any, t.Any] = {}
         self.set_debug_flag = set_debug_flag
+
+        self.load_dotenv_defaults = get_load_dotenv(load_dotenv_defaults)
+        """Whether default ``.flaskenv`` and ``.env`` files should be loaded.
+
+        ``ScriptInfo`` doesn't load anything, this is for reference when doing
+        the load elsewhere during processing.
+
+        .. versionadded:: 3.1
+        """
+
         self._loaded_app: Flask | None = None
 
     def load_app(self) -> Flask:
@@ -325,9 +337,9 @@ class ScriptInfo:
         """
         if self._loaded_app is not None:
             return self._loaded_app
-
+        app: Flask | None = None
         if self.create_app is not None:
-            app: Flask | None = self.create_app()
+            app = self.create_app()
         else:
             if self.app_import_path:
                 path, name = (
@@ -481,23 +493,22 @@ _debug_option = click.Option(
 def _env_file_callback(
     ctx: click.Context, param: click.Option, value: str | None
 ) -> str | None:
-    if value is None:
-        return None
-
-    import importlib
-
     try:
-        importlib.import_module("dotenv")
+        import dotenv  # noqa: F401
     except ImportError:
+        # Only show an error if a value was passed, otherwise we still want to
+        # call load_dotenv and show a message without exiting.
+        if value is not None:
             raise click.BadParameter(
                 "python-dotenv must be installed to load an env file.",
                 ctx=ctx,
                 param=param,
             ) from None
 
-    # Don't check FLASK_SKIP_DOTENV, that only disables automatically
-    # loading .env and .flaskenv files.
-    load_dotenv(value)
+    # Load if a value was passed, or we want to load default files, or both.
+    if value is not None or ctx.obj.load_dotenv_defaults:
+        load_dotenv(value, load_defaults=ctx.obj.load_dotenv_defaults)
+
     return value
 
 
@@ -506,7 +517,11 @@ def _env_file_callback(
 _env_file_option = click.Option(
     ["-e", "--env-file"],
     type=click.Path(exists=True, dir_okay=False),
-    help="Load environment variables from this file. python-dotenv must be installed.",
+    help=(
+        "Load environment variables from this file, taking precedence over"
+        " those set by '.env' and '.flaskenv'. Variables set directly in the"
+        " environment take highest precedence. python-dotenv must be installed."
+    ),
     is_eager=True,
     expose_value=False,
     callback=_env_file_callback,
@@ -530,6 +545,9 @@ class FlaskGroup(AppGroup):
         directory to the directory containing the first file found.
     :param set_debug_flag: Set the app's debug flag.
 
+    .. versionchanged:: 3.1
+        ``-e path`` takes precedence over default ``.env`` and ``.flaskenv`` files.
+
     .. versionchanged:: 2.2
         Added the ``-A/--app``, ``--debug/--no-debug``, ``-e/--env-file`` options.
 
@@ -551,7 +569,7 @@ class FlaskGroup(AppGroup):
         set_debug_flag: bool = True,
         **extra: t.Any,
     ) -> None:
-        params = list(extra.pop("params", None) or ())
+        params: list[click.Parameter] = list(extra.pop("params", None) or ())
         # Processing is done with option callbacks instead of a group
         # callback. This allows users to make a custom group callback
         # without losing the behavior. --env-file must come first so
@@ -583,15 +601,7 @@ class FlaskGroup(AppGroup):
         if self._loaded_plugin_commands:
             return
 
-        if sys.version_info >= (3, 10):
-            from importlib import metadata
-        else:
-            # Use a backport on Python < 3.10. We technically have
-            # importlib.metadata on 3.8+, but the API changed in 3.10,
-            # so use the backport for consistency.
-            import importlib_metadata as metadata
-
-        for ep in metadata.entry_points(group="flask.commands"):
+        for ep in importlib.metadata.entry_points(group="flask.commands"):
             self.add_command(ep.load(), ep.name)
 
         self._loaded_plugin_commands = True
@@ -618,7 +628,7 @@ class FlaskGroup(AppGroup):
         # Push an app context for the loaded app unless it is already
         # active somehow. This makes the context available to parameter
         # and command callbacks without needing @with_appcontext.
-        if not current_app or current_app._get_current_object() is not app:  # type: ignore[attr-defined]
+        if not current_app or current_app._get_current_object() is not app:
             ctx.with_resource(app.app_context())
 
         return app.cli.get_command(ctx, name)
@@ -656,20 +666,19 @@ class FlaskGroup(AppGroup):
         # when importing, blocking whatever command is being called.
         os.environ["FLASK_RUN_FROM_CLI"] = "true"
 
-        # Attempt to load .env and .flask env files. The --env-file
-        # option can cause another file to be loaded.
-        if get_load_dotenv(self.load_dotenv):
-            load_dotenv()
-
         if "obj" not in extra and "obj" not in self.context_settings:
             extra["obj"] = ScriptInfo(
-                create_app=self.create_app, set_debug_flag=self.set_debug_flag
+                create_app=self.create_app,
+                set_debug_flag=self.set_debug_flag,
+                load_dotenv_defaults=self.load_dotenv,
             )
 
         return super().make_context(info_name, args, parent=parent, **extra)
 
     def parse_args(self, ctx: click.Context, args: list[str]) -> list[str]:
-        if not args and self.no_args_is_help:
+        if (not args and self.no_args_is_help) or (
+            len(args) == 1 and args[0] in self.get_help_option_names(ctx)
+        ):
             # Attempt to load --env-file and --app early in case they
             # were given as env vars. Otherwise no_args_is_help will not
             # see commands from app.cli.
@@ -686,18 +695,26 @@ def _path_is_ancestor(path: str, other: str) -> bool:
     return os.path.join(path, other[len(path) :].lstrip(os.sep)) == other
 
 
-def load_dotenv(path: str | os.PathLike[str] | None = None) -> bool:
-    """Load "dotenv" files in order of precedence to set environment variables.
-
-    If an env var is already set it is not overwritten, so earlier files in the
-    list are preferred over later files.
+def load_dotenv(
+    path: str | os.PathLike[str] | None = None, load_defaults: bool = True
+) -> bool:
+    """Load "dotenv" files to set environment variables. A given path takes
+    precedence over ``.env``, which takes precedence over ``.flaskenv``. After
+    loading and combining these files, values are only set if the key is not
+    already set in ``os.environ``.
 
     This is a no-op if `python-dotenv`_ is not installed.
 
     .. _python-dotenv: https://github.com/theskumar/python-dotenv#readme
 
-    :param path: Load the file at this location instead of searching.
-    :return: ``True`` if a file was loaded.
+    :param path: Load the file at this location.
+    :param load_defaults: Search for and load the default ``.flaskenv`` and
+        ``.env`` files.
+    :return: ``True`` if at least one env var was loaded.
+
+    .. versionchanged:: 3.1
+        Added the ``load_defaults`` parameter. A given path takes precedence
+        over default files.
 
     .. versionchanged:: 2.0
         The current directory is not changed to the location of the
@@ -717,34 +734,33 @@ def load_dotenv(path: str | os.PathLike[str] | None = None) -> bool:
     except ImportError:
         if path or os.path.isfile(".env") or os.path.isfile(".flaskenv"):
             click.secho(
-                " * Tip: There are .env or .flaskenv files present."
-                ' Do "pip install python-dotenv" to use them.',
+                " * Tip: There are .env files present. Install python-dotenv"
+                " to use them.",
                 fg="yellow",
                 err=True,
             )
 
         return False
 
-    # Always return after attempting to load a given path, don't load
-    # the default files.
-    if path is not None:
-        if os.path.isfile(path):
-            return dotenv.load_dotenv(path, encoding="utf-8")
+    data: dict[str, str | None] = {}
 
-        return False
-
-    loaded = False
-
-    for name in (".env", ".flaskenv"):
-        path = dotenv.find_dotenv(name, usecwd=True)
-
-        if not path:
+    if load_defaults:
+        for default_name in (".flaskenv", ".env"):
+            if not (default_path := dotenv.find_dotenv(default_name, usecwd=True)):
                 continue
 
-        dotenv.load_dotenv(path, encoding="utf-8")
-        loaded = True
+            data |= dotenv.dotenv_values(default_path, encoding="utf-8")
 
-    return loaded  # True if at least one file was located and loaded.
+    if path is not None and os.path.isfile(path):
+        data |= dotenv.dotenv_values(path, encoding="utf-8")
+
+    for key, value in data.items():
+        if key in os.environ or value is None:
+            continue
+
+        os.environ[key] = value
+
+    return bool(data)  # True if at least one env var was loaded.
 
 
 def show_server_banner(debug: bool, app_import_path: str | None) -> None:
@@ -936,7 +952,7 @@ def run_command(
     option.
     """
     try:
-        app: WSGIApplication = info.load_app()
+        app: WSGIApplication = info.load_app()  # pyright: ignore
     except Exception as e:
         if is_running_from_reloader():
             # When reloading, print out the error immediately, but raise

src/flask/config.py

@@ -27,12 +27,10 @@ class ConfigAttribute(t.Generic[T]):
         self.get_converter = get_converter
 
     @t.overload
-    def __get__(self, obj: None, owner: None) -> te.Self:
-        ...
+    def __get__(self, obj: None, owner: None) -> te.Self: ...
 
     @t.overload
-    def __get__(self, obj: App, owner: type[App]) -> T:
-        ...
+    def __get__(self, obj: App, owner: type[App]) -> T: ...
 
     def __get__(self, obj: App | None, owner: type[App] | None = None) -> T | te.Self:
         if obj is None:
@@ -152,13 +150,13 @@ class Config(dict):  # type: ignore[type-arg]
         .. versionadded:: 2.1
         """
         prefix = f"{prefix}_"
-        len_prefix = len(prefix)
 
         for key in sorted(os.environ):
             if not key.startswith(prefix):
                 continue
 
             value = os.environ[key]
+            key = key.removeprefix(prefix)
 
             try:
                 value = loads(value)
@@ -166,9 +164,6 @@ class Config(dict):  # type: ignore[type-arg]
                 # Keep the value as a string if loading failed.
                 pass
 
-            # Change to key.removeprefix(prefix) on Python >= 3.9.
-            key = key[len_prefix:]
-
             if "__" not in key:
                 # A non-nested key, set directly.
                 self[key] = value

src/flask/ctx.py

@@ -1,20 +1,20 @@
 from __future__ import annotations
 
 import contextvars
-import sys
 import typing as t
 from functools import update_wrapper
 from types import TracebackType
 
 from werkzeug.exceptions import HTTPException
+from werkzeug.routing import MapAdapter
 
 from . import typing as ft
 from .globals import _cv_app
-from .globals import _cv_request
 from .signals import appcontext_popped
 from .signals import appcontext_pushed
 
-if t.TYPE_CHECKING:  # pragma: no cover
+if t.TYPE_CHECKING:
+    import typing_extensions as te
     from _typeshed.wsgi import WSGIEnvironment
 
     from .app import Flask
@@ -31,7 +31,7 @@ class _AppCtxGlobals:
     application context.
 
     Creating an app context automatically creates this object, which is
-    made available as the :data:`g` proxy.
+    made available as the :data:`.g` proxy.
 
     .. describe:: 'key' in g
 
@@ -117,29 +117,27 @@ class _AppCtxGlobals:
 def after_this_request(
     f: ft.AfterRequestCallable[t.Any],
 ) -> ft.AfterRequestCallable[t.Any]:
-    """Executes a function after this request.  This is useful to modify
-    response objects.  The function is passed the response object and has
-    to return the same or a new one.
+    """Decorate a function to run after the current request. The behavior is the
+    same as :meth:`.Flask.after_request`, except it only applies to the current
+    request, rather than every request. Therefore, it must be used within a
+    request context, rather than during setup.
 
-    Example::
+    .. code-block:: python
 
-        @app.route('/')
+        @app.route("/")
         def index():
             @after_this_request
             def add_header(response):
-                response.headers['X-Foo'] = 'Parachute'
+                response.headers["X-Foo"] = "Parachute"
                 return response
-            return 'Hello World!'
 
-    This is more useful if a function other than the view function wants to
-    modify a response.  For instance think of a decorator that wants to add
-    some headers without converting the return value into a response object.
+            return "Hello, World!"
 
     .. versionadded:: 0.9
     """
-    ctx = _cv_request.get(None)
+    ctx = _cv_app.get(None)
 
-    if ctx is None:
+    if ctx is None or not ctx.has_request:
         raise RuntimeError(
             "'after_this_request' can only be used when a request"
             " context is active, such as in a view function."
@@ -153,13 +151,27 @@ F = t.TypeVar("F", bound=t.Callable[..., t.Any])
 
 
 def copy_current_request_context(f: F) -> F:
-    """A helper function that decorates a function to retain the current
-    request context.  This is useful when working with greenlets.  The moment
-    the function is decorated a copy of the request context is created and
-    then pushed when the function is called.  The current session is also
-    included in the copied request context.
+    """Decorate a function to run inside the current request context. This can
+    be used when starting a background task, otherwise it will not see the app
+    and request objects that were active in the parent.
 
-    Example::
+    .. warning::
+
+        Due to the following caveats, it is often safer (and simpler) to pass
+        the data you need when starting the task, rather than using this and
+        relying on the context objects.
+
+    In order to avoid execution switching partially though reading data, either
+    read the request body (access ``form``, ``json``, ``data``, etc) before
+    starting the task, or use a lock. This can be an issue when using threading,
+    but shouldn't be an issue when using greenlet/gevent or asyncio.
+
+    If the task will access ``session``, be sure to do so in the parent as well
+    so that the ``Vary: cookie`` header will be set. Modifying ``session`` in
+    the task should be avoided, as it may execute after the response cookie has
+    already been written.
+
+    .. code-block:: python
 
         import gevent
         from flask import copy_current_request_context
@@ -176,7 +188,7 @@ def copy_current_request_context(f: F) -> F:
 
     .. versionadded:: 0.10
     """
-    ctx = _cv_request.get(None)
+    ctx = _cv_app.get(None)
 
     if ctx is None:
         raise RuntimeError(
@@ -187,48 +199,57 @@ def copy_current_request_context(f: F) -> F:
     ctx = ctx.copy()
 
     def wrapper(*args: t.Any, **kwargs: t.Any) -> t.Any:
-        with ctx:  # type: ignore[union-attr]
-            return ctx.app.ensure_sync(f)(*args, **kwargs)  # type: ignore[union-attr]
+        with ctx:
+            return ctx.app.ensure_sync(f)(*args, **kwargs)
 
     return update_wrapper(wrapper, f)  # type: ignore[return-value]
 
 
 def has_request_context() -> bool:
-    """If you have code that wants to test if a request context is there or
-    not this function can be used.  For instance, you may want to take advantage
-    of request information if the request object is available, but fail
-    silently if it is unavailable.
+    """Test if an app context is active and if it has request information.
 
-    ::
+    .. code-block:: python
 
-        class User(db.Model):
+        from flask import has_request_context, request
 
-            def __init__(self, username, remote_addr=None):
-                self.username = username
-                if remote_addr is None and has_request_context():
+        if has_request_context():
             remote_addr = request.remote_addr
-                self.remote_addr = remote_addr
 
-    Alternatively you can also just test any of the context bound objects
-    (such as :class:`request` or :class:`g`) for truthness::
+    If a request context is active, the :data:`.request` and :data:`.session`
+    context proxies will available and ``True``, otherwise ``False``. You can
+    use that to test the data you use, rather than using this function.
 
-        class User(db.Model):
+    .. code-block:: python
 
-            def __init__(self, username, remote_addr=None):
-                self.username = username
-                if remote_addr is None and request:
+        from flask import request
+
+        if request:
             remote_addr = request.remote_addr
-                self.remote_addr = remote_addr
 
     .. versionadded:: 0.7
     """
-    return _cv_request.get(None) is not None
+    return (ctx := _cv_app.get(None)) is not None and ctx.has_request
 
 
 def has_app_context() -> bool:
-    """Works like :func:`has_request_context` but for the application
-    context.  You can also just do a boolean check on the
-    :data:`current_app` object instead.
+    """Test if an app context is active. Unlike :func:`has_request_context`
+    this can be true outside a request, such as in a CLI command.
+
+    .. code-block:: python
+
+        from flask import has_app_context, g
+
+        if has_app_context():
+            g.cached_data = ...
+
+    If an app context is active, the :data:`.g` and :data:`.current_app` context
+    proxies will available and ``True``, otherwise ``False``. You can use that
+    to test the data you use, rather than using this function.
+
+        from flask import g
+
+        if g:
+            g.cached_data = ...
 
     .. versionadded:: 0.9
     """
@@ -236,214 +257,260 @@ def has_app_context() -> bool:
 
 
 class AppContext:
-    """The app context contains application-specific information. An app
-    context is created and pushed at the beginning of each request if
-    one is not already active. An app context is also pushed when
-    running CLI commands.
-    """
+    """An app context contains information about an app, and about the request
+    when handling a request. A context is pushed at the beginning of each
+    request and CLI command, and popped at the end. The context is referred to
+    as a "request context" if it has request information, and an "app context"
+    if not.
 
-    def __init__(self, app: Flask) -> None:
-        self.app = app
-        self.url_adapter = app.create_url_adapter(None)
-        self.g: _AppCtxGlobals = app.app_ctx_globals_class()
-        self._cv_tokens: list[contextvars.Token[AppContext]] = []
+    Do not use this class directly. Use :meth:`.Flask.app_context` to create an
+    app context if needed during setup, and :meth:`.Flask.test_request_context`
+    to create a request context if needed during tests.
 
-    def push(self) -> None:
-        """Binds the app context to the current context."""
-        self._cv_tokens.append(_cv_app.set(self))
-        appcontext_pushed.send(self.app, _async_wrapper=self.app.ensure_sync)
+    When the context is popped, it will evaluate all the teardown functions
+    registered with :meth:`~flask.Flask.teardown_request` (if handling a
+    request) then :meth:`.Flask.teardown_appcontext`.
 
-    def pop(self, exc: BaseException | None = _sentinel) -> None:  # type: ignore
-        """Pops the app context."""
-        try:
-            if len(self._cv_tokens) == 1:
-                if exc is _sentinel:
-                    exc = sys.exc_info()[1]
-                self.app.do_teardown_appcontext(exc)
-        finally:
-            ctx = _cv_app.get()
-            _cv_app.reset(self._cv_tokens.pop())
+    When using the interactive debugger, the context will be restored so
+    ``request`` is still accessible. Similarly, the test client can preserve the
+    context after the request ends. However, teardown functions may already have
+    closed some resources such as database connections, and will run again when
+    the restored context is popped.
 
-        if ctx is not self:
-            raise AssertionError(
-                f"Popped wrong app context. ({ctx!r} instead of {self!r})"
-            )
+    :param app: The application this context represents.
+    :param request: The request data this context represents.
+    :param session: The session data this context represents. If not given,
+        loaded from the request on first access.
 
-        appcontext_popped.send(self.app, _async_wrapper=self.app.ensure_sync)
+    .. versionchanged:: 3.2
+        Merged with ``RequestContext``. The ``RequestContext`` alias will be
+        removed in Flask 4.0.
 
-    def __enter__(self) -> AppContext:
-        self.push()
-        return self
+    .. versionchanged:: 3.2
+        A combined app and request context is pushed for every request and CLI
+        command, rather than trying to detect if an app context is already
+        pushed.
 
-    def __exit__(
-        self,
-        exc_type: type | None,
-        exc_value: BaseException | None,
-        tb: TracebackType | None,
-    ) -> None:
-        self.pop(exc_value)
-
-
-class RequestContext:
-    """The request context contains per-request information. The Flask
-    app creates and pushes it at the beginning of the request, then pops
-    it at the end of the request. It will create the URL adapter and
-    request object for the WSGI environment provided.
-
-    Do not attempt to use this class directly, instead use
-    :meth:`~flask.Flask.test_request_context` and
-    :meth:`~flask.Flask.request_context` to create this object.
-
-    When the request context is popped, it will evaluate all the
-    functions registered on the application for teardown execution
-    (:meth:`~flask.Flask.teardown_request`).
-
-    The request context is automatically popped at the end of the
-    request. When using the interactive debugger, the context will be
-    restored so ``request`` is still accessible. Similarly, the test
-    client can preserve the context after the request ends. However,
-    teardown functions may already have closed some resources such as
-    database connections.
+    .. versionchanged:: 3.2
+        The session is loaded the first time it is accessed, rather than when
+        the context is pushed.
     """
 
     def __init__(
         self,
         app: Flask,
-        environ: WSGIEnvironment,
+        *,
         request: Request | None = None,
         session: SessionMixin | None = None,
     ) -> None:
         self.app = app
-        if request is None:
-            request = app.request_class(environ)
-            request.json_module = app.json
-        self.request: Request = request
-        self.url_adapter = None
-        try:
-            self.url_adapter = app.create_url_adapter(self.request)
-        except HTTPException as e:
-            self.request.routing_exception = e
-        self.flashes: list[tuple[str, str]] | None = None
-        self.session: SessionMixin | None = session
-        # Functions that should be executed after the request on the response
-        # object.  These will be called before the regular "after_request"
-        # functions.
+        """The application represented by this context. Accessed through
+        :data:`.current_app`.
+        """
+
+        self.g: _AppCtxGlobals = app.app_ctx_globals_class()
+        """The global data for this context. Accessed through :data:`.g`."""
+
+        self.url_adapter: MapAdapter | None = None
+        """The URL adapter bound to the request, or the app if not in a request.
+        May be ``None`` if binding failed.
+        """
+
+        self._request: Request | None = request
+        self._session: SessionMixin | None = session
+        self._flashes: list[tuple[str, str]] | None = None
         self._after_request_functions: list[ft.AfterRequestCallable[t.Any]] = []
 
-        self._cv_tokens: list[
-            tuple[contextvars.Token[RequestContext], AppContext | None]
-        ] = []
+        try:
+            self.url_adapter = app.create_url_adapter(self._request)
+        except HTTPException as e:
+            if self._request is not None:
+                self._request.routing_exception = e
 
-    def copy(self) -> RequestContext:
-        """Creates a copy of this request context with the same request object.
-        This can be used to move a request context to a different greenlet.
-        Because the actual request object is the same this cannot be used to
-        move a request context to a different thread unless access to the
-        request object is locked.
+        self._cv_token: contextvars.Token[AppContext] | None = None
+        """The previous state to restore when popping."""
 
-        .. versionadded:: 0.10
+        self._push_count: int = 0
+        """Track nested pushes of this context. Cleanup will only run once the
+        original push has been popped.
+        """
+
+    @classmethod
+    def from_environ(cls, app: Flask, environ: WSGIEnvironment, /) -> te.Self:
+        """Create an app context with request data from the given WSGI environ.
+
+        :param app: The application this context represents.
+        :param environ: The request data this context represents.
+        """
+        request = app.request_class(environ)
+        request.json_module = app.json
+        return cls(app, request=request)
+
+    @property
+    def has_request(self) -> bool:
+        """True if this context was created with request data."""
+        return self._request is not None
+
+    def copy(self) -> te.Self:
+        """Create a new context with the same data objects as this context. See
+        :func:`.copy_current_request_context`.
 
         .. versionchanged:: 1.1
-           The current session object is used instead of reloading the original
-           data. This prevents `flask.session` pointing to an out-of-date object.
+            The current session data is used instead of reloading the original data.
+
+        .. versionadded:: 0.10
         """
         return self.__class__(
             self.app,
-            environ=self.request.environ,
-            request=self.request,
-            session=self.session,
+            request=self._request,
+            session=self._session,
         )
 
+    @property
+    def request(self) -> Request:
+        """The request object associated with this context. Accessed through
+        :data:`.request`. Only available in request contexts, otherwise raises
+        :exc:`RuntimeError`.
+        """
+        if self._request is None:
+            raise RuntimeError("There is no request in this context.")
+
+        return self._request
+
+    @property
+    def session(self) -> SessionMixin:
+        """The session object associated with this context. Accessed through
+        :data:`.session`. Only available in request contexts, otherwise raises
+        :exc:`RuntimeError`.
+        """
+        if self._request is None:
+            raise RuntimeError("There is no request in this context.")
+
+        if self._session is None:
+            si = self.app.session_interface
+            self._session = si.open_session(self.app, self.request)
+
+            if self._session is None:
+                self._session = si.make_null_session(self.app)
+
+        return self._session
+
     def match_request(self) -> None:
-        """Can be overridden by a subclass to hook into the matching
-        of the request.
+        """Apply routing to the current request, storing either the matched
+        endpoint and args, or a routing exception.
         """
         try:
-            result = self.url_adapter.match(return_rule=True)  # type: ignore
-            self.request.url_rule, self.request.view_args = result  # type: ignore
+            result = self.url_adapter.match(return_rule=True)  # type: ignore[union-attr]
         except HTTPException as e:
-            self.request.routing_exception = e
+            self._request.routing_exception = e  # type: ignore[union-attr]
+        else:
+            self._request.url_rule, self._request.view_args = result  # type: ignore[union-attr]
 
     def push(self) -> None:
-        # Before we push the request context we have to ensure that there
-        # is an application context.
-        app_ctx = _cv_app.get(None)
+        """Push this context so that it is the active context. If this is a
+        request context, calls :meth:`match_request` to perform routing with
+        the context active.
 
-        if app_ctx is None or app_ctx.app is not self.app:
-            app_ctx = self.app.app_context()
-            app_ctx.push()
-        else:
-            app_ctx = None
+        Typically, this is not used directly. Instead, use a ``with`` block
+        to manage the context.
 
-        self._cv_tokens.append((_cv_request.set(self), app_ctx))
+        In some situations, such as streaming or testing, the context may be
+        pushed multiple times. It will only trigger matching and signals if it
+        is not currently pushed.
+        """
+        self._push_count += 1
 
-        # Open the session at the moment that the request context is available.
-        # This allows a custom open_session method to use the request context.
-        # Only open a new session if this is the first time the request was
-        # pushed, otherwise stream_with_context loses the session.
-        if self.session is None:
-            session_interface = self.app.session_interface
-            self.session = session_interface.open_session(self.app, self.request)
+        if self._cv_token is not None:
+            return
 
-            if self.session is None:
-                self.session = session_interface.make_null_session(self.app)
+        self._cv_token = _cv_app.set(self)
+        appcontext_pushed.send(self.app, _async_wrapper=self.app.ensure_sync)
 
-        # Match the request URL after loading the session, so that the
-        # session is available in custom URL converters.
-        if self.url_adapter is not None:
+        if self._request is not None and self.url_adapter is not None:
             self.match_request()
 
-    def pop(self, exc: BaseException | None = _sentinel) -> None:  # type: ignore
-        """Pops the request context and unbinds it by doing that.  This will
-        also trigger the execution of functions registered by the
-        :meth:`~flask.Flask.teardown_request` decorator.
+    def pop(self, exc: BaseException | None = None) -> None:
+        """Pop this context so that it is no longer the active context. Then
+        call teardown functions and signals.
+
+        Typically, this is not used directly. Instead, use a ``with`` block
+        to manage the context.
+
+        This context must currently be the active context, otherwise a
+        :exc:`RuntimeError` is raised. In some situations, such as streaming or
+        testing, the context may have been pushed multiple times. It will only
+        trigger cleanup once it has been popped as many times as it was pushed.
+        Until then, it will remain the active context.
+
+        :param exc: An unhandled exception that was raised while the context was
+            active. Passed to teardown functions.
 
         .. versionchanged:: 0.9
-           Added the `exc` argument.
+            Added the ``exc`` argument.
         """
-        clear_request = len(self._cv_tokens) == 1
+        if self._cv_token is None:
+            raise RuntimeError(f"Cannot pop this context ({self!r}), it is not pushed.")
 
-        try:
-            if clear_request:
-                if exc is _sentinel:
-                    exc = sys.exc_info()[1]
-                self.app.do_teardown_request(exc)
+        ctx = _cv_app.get(None)
 
-                request_close = getattr(self.request, "close", None)
-                if request_close is not None:
-                    request_close()
-        finally:
-            ctx = _cv_request.get()
-            token, app_ctx = self._cv_tokens.pop()
-            _cv_request.reset(token)
-
-            # get rid of circular dependencies at the end of the request
-            # so that we don't require the GC to be active.
-            if clear_request:
-                ctx.request.environ["werkzeug.request"] = None
-
-            if app_ctx is not None:
-                app_ctx.pop(exc)
-
-            if ctx is not self:
-                raise AssertionError(
-                    f"Popped wrong request context. ({ctx!r} instead of {self!r})"
+        if ctx is None or self._cv_token is None:
+            raise RuntimeError(
+                f"Cannot pop this context ({self!r}), there is no active context."
             )
 
-    def __enter__(self) -> RequestContext:
+        if ctx is not self:
+            raise RuntimeError(
+                f"Cannot pop this context ({self!r}), it is not the active"
+                f" context ({ctx!r})."
+            )
+
+        self._push_count -= 1
+
+        if self._push_count > 0:
+            return
+
+        try:
+            if self._request is not None:
+                self.app.do_teardown_request(exc)
+                self._request.close()
+        finally:
+            self.app.do_teardown_appcontext(exc)
+            _cv_app.reset(self._cv_token)
+            self._cv_token = None
+            appcontext_popped.send(self.app, _async_wrapper=self.app.ensure_sync)
+
+    def __enter__(self) -> te.Self:
         self.push()
         return self
 
     def __exit__(
         self,
-        exc_type: type | None,
+        exc_type: type[BaseException] | None,
         exc_value: BaseException | None,
         tb: TracebackType | None,
     ) -> None:
         self.pop(exc_value)
 
     def __repr__(self) -> str:
+        if self._request is not None:
             return (
-            f"<{type(self).__name__} {self.request.url!r}"
-            f" [{self.request.method}] of {self.app.name}>"
+                f"<{type(self).__name__} {id(self)} of {self.app.name},"
+                f" {self.request.method} {self.request.url!r}>"
             )
+
+        return f"<{type(self).__name__} {id(self)} of {self.app.name}>"
+
+
+def __getattr__(name: str) -> t.Any:
+    import warnings
+
+    if name == "RequestContext":
+        warnings.warn(
+            "'RequestContext' has merged with 'AppContext', and will be removed"
+            " in Flask 4.0. Use 'AppContext' instead.",
+            DeprecationWarning,
+            stacklevel=2,
+        )
+        return AppContext
+
+    raise AttributeError(name)

src/flask/debughelpers.py

@@ -6,7 +6,7 @@ from jinja2.loaders import BaseLoader
 from werkzeug.routing import RequestRedirect
 
 from .blueprints import Blueprint
-from .globals import request_ctx
+from .globals import _cv_app
 from .sansio.app import App
 
 if t.TYPE_CHECKING:
@@ -136,8 +136,9 @@ def explain_template_loading_attempts(
     info = [f"Locating template {template!r}:"]
     total_found = 0
     blueprint = None
-    if request_ctx and request_ctx.request.blueprint is not None:
-        blueprint = request_ctx.request.blueprint
+
+    if (ctx := _cv_app.get(None)) is not None and ctx.has_request:
+        blueprint = ctx.request.blueprint
 
     for idx, (loader, srcobj, triple) in enumerate(attempts):
         if isinstance(srcobj, App):

src/flask/globals.py

@@ -9,43 +9,69 @@ if t.TYPE_CHECKING:  # pragma: no cover
     from .app import Flask
     from .ctx import _AppCtxGlobals
     from .ctx import AppContext
-    from .ctx import RequestContext
     from .sessions import SessionMixin
     from .wrappers import Request
 
+    T = t.TypeVar("T", covariant=True)
+
+    class ProxyMixin(t.Protocol[T]):
+        def _get_current_object(self) -> T: ...
+
+    # These subclasses inform type checkers that the proxy objects look like the
+    # proxied type along with the _get_current_object method.
+    class FlaskProxy(ProxyMixin[Flask], Flask): ...
+
+    class AppContextProxy(ProxyMixin[AppContext], AppContext): ...
+
+    class _AppCtxGlobalsProxy(ProxyMixin[_AppCtxGlobals], _AppCtxGlobals): ...
+
+    class RequestProxy(ProxyMixin[Request], Request): ...
+
+    class SessionMixinProxy(ProxyMixin[SessionMixin], SessionMixin): ...
+
 
 _no_app_msg = """\
 Working outside of application context.
 
-This typically means that you attempted to use functionality that needed
-the current application. To solve this, set up an application context
-with app.app_context(). See the documentation for more information.\
+Attempted to use functionality that expected a current application to be set. To
+solve this, set up an app context using 'with app.app_context()'. See the
+documentation on app context for more information.\
 """
 _cv_app: ContextVar[AppContext] = ContextVar("flask.app_ctx")
-app_ctx: AppContext = LocalProxy(  # type: ignore[assignment]
+app_ctx: AppContextProxy = LocalProxy(  # type: ignore[assignment]
     _cv_app, unbound_message=_no_app_msg
 )
-current_app: Flask = LocalProxy(  # type: ignore[assignment]
+current_app: FlaskProxy = LocalProxy(  # type: ignore[assignment]
     _cv_app, "app", unbound_message=_no_app_msg
 )
-g: _AppCtxGlobals = LocalProxy(  # type: ignore[assignment]
+g: _AppCtxGlobalsProxy = LocalProxy(  # type: ignore[assignment]
     _cv_app, "g", unbound_message=_no_app_msg
 )
 
 _no_req_msg = """\
 Working outside of request context.
 
-This typically means that you attempted to use functionality that needed
-an active HTTP request. Consult the documentation on testing for
-information about how to avoid this problem.\
+Attempted to use functionality that expected an active HTTP request. See the
+documentation on request context for more information.\
 """
-_cv_request: ContextVar[RequestContext] = ContextVar("flask.request_ctx")
-request_ctx: RequestContext = LocalProxy(  # type: ignore[assignment]
-    _cv_request, unbound_message=_no_req_msg
+request: RequestProxy = LocalProxy(  # type: ignore[assignment]
+    _cv_app, "request", unbound_message=_no_req_msg
 )
-request: Request = LocalProxy(  # type: ignore[assignment]
-    _cv_request, "request", unbound_message=_no_req_msg
-)
-session: SessionMixin = LocalProxy(  # type: ignore[assignment]
-    _cv_request, "session", unbound_message=_no_req_msg
+session: SessionMixinProxy = LocalProxy(  # type: ignore[assignment]
+    _cv_app, "session", unbound_message=_no_req_msg
 )
+
+
+def __getattr__(name: str) -> t.Any:
+    import warnings
+
+    if name == "request_ctx":
+        warnings.warn(
+            "'request_ctx' has merged with 'app_ctx', and will be removed"
+            " in Flask 4.0. Use 'app_ctx' instead.",
+            DeprecationWarning,
+            stacklevel=2,
+        )
+        return app_ctx
+
+    raise AttributeError(name)

src/flask/helpers.py

@@ -5,7 +5,7 @@ import os
 import sys
 import typing as t
 from datetime import datetime
-from functools import lru_cache
+from functools import cache
 from functools import update_wrapper
 
 import werkzeug.utils
@@ -13,10 +13,10 @@ from werkzeug.exceptions import abort as _wz_abort
 from werkzeug.utils import redirect as _wz_redirect
 from werkzeug.wrappers import Response as BaseResponse
 
-from .globals import _cv_request
+from .globals import _cv_app
+from .globals import app_ctx
 from .globals import current_app
 from .globals import request
-from .globals import request_ctx
 from .globals import session
 from .signals import message_flashed
 
@@ -47,38 +47,55 @@ def get_load_dotenv(default: bool = True) -> bool:
     return val.lower() in ("0", "false", "no")
 
 
+@t.overload
+def stream_with_context(
+    generator_or_function: t.Iterator[t.AnyStr],
+) -> t.Iterator[t.AnyStr]: ...
+
+
+@t.overload
+def stream_with_context(
+    generator_or_function: t.Callable[..., t.Iterator[t.AnyStr]],
+) -> t.Callable[[t.Iterator[t.AnyStr]], t.Iterator[t.AnyStr]]: ...
+
+
 def stream_with_context(
     generator_or_function: t.Iterator[t.AnyStr] | t.Callable[..., t.Iterator[t.AnyStr]],
-) -> t.Iterator[t.AnyStr]:
-    """Request contexts disappear when the response is started on the server.
-    This is done for efficiency reasons and to make it less likely to encounter
-    memory leaks with badly written WSGI middlewares.  The downside is that if
-    you are using streamed responses, the generator cannot access request bound
-    information any more.
+) -> t.Iterator[t.AnyStr] | t.Callable[[t.Iterator[t.AnyStr]], t.Iterator[t.AnyStr]]:
+    """Wrap a response generator function so that it runs inside the current
+    request context. This keeps :data:`.request`, :data:`.session`, and :data:`.g`
+    available, even though at the point the generator runs the request context
+    will typically have ended.
 
-    This function however can help you keep the context around for longer::
+    Use it as a decorator on a generator function:
+
+    .. code-block:: python
 
         from flask import stream_with_context, request, Response
 
-        @app.route('/stream')
+        @app.get("/stream")
         def streamed_response():
             @stream_with_context
             def generate():
-                yield 'Hello '
-                yield request.args['name']
-                yield '!'
+                yield "Hello "
+                yield request.args["name"]
+                yield "!"
+
             return Response(generate())
 
-    Alternatively it can also be used around a specific generator::
+    Or use it as a wrapper around a created generator:
+
+    .. code-block:: python
 
         from flask import stream_with_context, request, Response
 
-        @app.route('/stream')
+        @app.get("/stream")
         def streamed_response():
             def generate():
-                yield 'Hello '
-                yield request.args['name']
-                yield '!'
+                yield "Hello "
+                yield request.args["name"]
+                yield "!"
+
             return Response(stream_with_context(generate()))
 
     .. versionadded:: 0.9
@@ -93,35 +110,29 @@ def stream_with_context(
 
         return update_wrapper(decorator, generator_or_function)  # type: ignore[arg-type]
 
-    def generator() -> t.Iterator[t.AnyStr | None]:
-        ctx = _cv_request.get(None)
-        if ctx is None:
+    def generator() -> t.Iterator[t.AnyStr]:
+        if (ctx := _cv_app.get(None)) is None:
             raise RuntimeError(
                 "'stream_with_context' can only be used when a request"
                 " context is active, such as in a view function."
             )
-        with ctx:
-            # Dummy sentinel.  Has to be inside the context block or we're
-            # not actually keeping the context around.
-            yield None
 
-            # The try/finally is here so that if someone passes a WSGI level
-            # iterator in we're still running the cleanup logic.  Generators
-            # don't need that because they are closed on their destruction
-            # automatically.
+        with ctx:
+            yield None  # type: ignore[misc]
+
             try:
                 yield from gen
             finally:
+                # Clean up in case the user wrapped a WSGI iterator.
                 if hasattr(gen, "close"):
                     gen.close()
 
-    # The trick is to start the generator.  Then the code execution runs until
-    # the first dummy None is yielded at which point the context was already
-    # pushed.  This item is discarded.  Then when the iteration continues the
-    # real generator is executed.
+    # Execute the generator to the sentinel value. This captures the current
+    # context and pushes it to preserve it. Further iteration will yield from
+    # the original iterator.
     wrapped_g = generator()
     next(wrapped_g)
-    return wrapped_g  # type: ignore[return-value]
+    return wrapped_g
 
 
 def make_response(*args: t.Any) -> Response:
@@ -245,8 +256,8 @@ def redirect(
         Calls ``current_app.redirect`` if available instead of always
         using Werkzeug's default ``redirect``.
     """
-    if current_app:
-        return current_app.redirect(location, code=code)
+    if (ctx := _cv_app.get(None)) is not None:
+        return ctx.app.redirect(location, code=code)
 
     return _wz_redirect(location, code=code, Response=Response)
 
@@ -268,8 +279,8 @@ def abort(code: int | BaseResponse, *args: t.Any, **kwargs: t.Any) -> t.NoReturn
         Calls ``current_app.aborter`` if available instead of always
         using Werkzeug's default ``abort``.
     """
-    if current_app:
-        current_app.aborter(code, *args, **kwargs)
+    if (ctx := _cv_app.get(None)) is not None:
+        ctx.app.aborter(code, *args, **kwargs)
 
     _wz_abort(code, *args, **kwargs)
 
@@ -321,7 +332,7 @@ def flash(message: str, category: str = "message") -> None:
     flashes = session.get("_flashes", [])
     flashes.append((category, message))
     session["_flashes"] = flashes
-    app = current_app._get_current_object()  # type: ignore
+    app = current_app._get_current_object()
     message_flashed.send(
         app,
         _async_wrapper=app.ensure_sync,
@@ -361,10 +372,10 @@ def get_flashed_messages(
     :param category_filter: filter of categories to limit return values.  Only
                             categories in the list will be returned.
     """
-    flashes = request_ctx.flashes
+    flashes = app_ctx._flashes
     if flashes is None:
         flashes = session.pop("_flashes") if "_flashes" in session else []
-        request_ctx.flashes = flashes
+        app_ctx._flashes = flashes
     if category_filter:
         flashes = list(filter(lambda f: f[0] in category_filter, flashes))
     if not with_categories:
@@ -373,20 +384,22 @@ def get_flashed_messages(
 
 
 def _prepare_send_file_kwargs(**kwargs: t.Any) -> dict[str, t.Any]:
+    ctx = app_ctx._get_current_object()
+
     if kwargs.get("max_age") is None:
-        kwargs["max_age"] = current_app.get_send_file_max_age
+        kwargs["max_age"] = ctx.app.get_send_file_max_age
 
     kwargs.update(
-        environ=request.environ,
-        use_x_sendfile=current_app.config["USE_X_SENDFILE"],
-        response_class=current_app.response_class,
-        _root_path=current_app.root_path,  # type: ignore
+        environ=ctx.request.environ,
+        use_x_sendfile=ctx.app.config["USE_X_SENDFILE"],
+        response_class=ctx.app.response_class,
+        _root_path=ctx.app.root_path,
     )
     return kwargs
 
 
 def send_file(
-    path_or_file: os.PathLike[t.AnyStr] | str | t.BinaryIO,
+    path_or_file: os.PathLike[t.AnyStr] | str | t.IO[bytes],
     mimetype: str | None = None,
     as_attachment: bool = False,
     download_name: str | None = None,
@@ -535,7 +548,8 @@ def send_from_directory(
     raises a 404 :exc:`~werkzeug.exceptions.NotFound` error.
 
     :param directory: The directory that ``path`` must be located under,
-        relative to the current application's root path.
+        relative to the current application's root path. This *must not*
+        be a value provided by the client, otherwise it becomes insecure.
     :param path: The path to the file to send, relative to
         ``directory``.
     :param kwargs: Arguments to pass to :func:`send_file`.
@@ -587,7 +601,7 @@ def get_root_path(import_name: str) -> str:
         return os.getcwd()
 
     if hasattr(loader, "get_filename"):
-        filepath = loader.get_filename(import_name)
+        filepath = loader.get_filename(import_name)  # pyright: ignore
     else:
         # Fall back to imports.
         __import__(import_name)
@@ -611,7 +625,7 @@ def get_root_path(import_name: str) -> str:
     return os.path.dirname(os.path.abspath(filepath))  # type: ignore[no-any-return]
 
 
-@lru_cache(maxsize=None)
+@cache
 def _split_blueprint_path(name: str) -> list[str]:
     out: list[str] = [name]
 

src/flask/json/__init__.py

@@ -141,7 +141,7 @@ def jsonify(*args: t.Any, **kwargs: t.Any) -> Response:
     mimetype. A dict or list returned from a view will be converted to a
     JSON response automatically without needing to call this.
 
-    This requires an active request or application context, and calls
+    This requires an active app context, and calls
     :meth:`app.json.response() <flask.json.provider.JSONProvider.response>`.
 
     In debug mode, the output is formatted with indentation to make it

src/flask/json/provider.py

@@ -113,7 +113,7 @@ def _default(o: t.Any) -> t.Any:
         return str(o)
 
     if dataclasses and dataclasses.is_dataclass(o):
-        return dataclasses.asdict(o)
+        return dataclasses.asdict(o)  # type: ignore[arg-type]
 
     if hasattr(o, "__html__"):
         return str(o.__html__())
@@ -135,7 +135,7 @@ class DefaultJSONProvider(JSONProvider):
         method) will call the ``__html__`` method to get a string.
     """
 
-    default: t.Callable[[t.Any], t.Any] = staticmethod(_default)  # type: ignore[assignment]
+    default: t.Callable[[t.Any], t.Any] = staticmethod(_default)
     """Apply this function to any object that :meth:`json.dumps` does
     not know how to serialize. It should return a valid JSON type or
     raise a ``TypeError``.

src/flask/json/tag.py

@@ -40,6 +40,7 @@ be processed before ``dict``.
 
     app.session_interface.serializer.register(TagOrderedDict, index=0)
 """
+
 from __future__ import annotations
 
 import typing as t

src/flask/sansio/app.py

@@ -177,11 +177,8 @@ class App(Scaffold):
     #: 3. Return None instead of AttributeError on unexpected attributes.
     #: 4. Raise exception if an unexpected attr is set, a "controlled" flask.g.
     #:
-    #: In Flask 0.9 this property was called `request_globals_class` but it
-    #: was changed in 0.10 to :attr:`app_ctx_globals_class` because the
-    #: flask.g object is now application context scoped.
-    #:
     #: .. versionadded:: 0.10
+    #:     Renamed from ``request_globals_class`.
     app_ctx_globals_class = _AppCtxGlobals
 
     #: The class that is used for the ``config`` attribute of this app.
@@ -213,7 +210,7 @@ class App(Scaffold):
     #:
     #: This attribute can also be configured from the config with the
     #: :data:`SECRET_KEY` configuration key. Defaults to ``None``.
-    secret_key = ConfigAttribute[t.Union[str, bytes, None]]("SECRET_KEY")
+    secret_key = ConfigAttribute[str | bytes | None]("SECRET_KEY")
 
     #: A :class:`~datetime.timedelta` which is used to set the expiration
     #: date of a permanent session.  The default is 31 days which makes a
@@ -291,7 +288,7 @@ class App(Scaffold):
         instance_path: str | None = None,
         instance_relative_config: bool = False,
         root_path: str | None = None,
-    ):
+    ) -> None:
         super().__init__(
             import_name=import_name,
             static_folder=static_folder,
@@ -410,10 +407,6 @@ class App(Scaffold):
         # request.
         self._got_first_request = False
 
-        # Set the name of the Click group in case someone wants to add
-        # the app's commands to another CLI tool.
-        self.cli.name = self.name
-
     def _check_setup_finished(self, f_name: str) -> None:
         if self._got_first_request:
             raise AssertionError(
@@ -427,7 +420,7 @@ class App(Scaffold):
             )
 
     @cached_property
-    def name(self) -> str:  # type: ignore
+    def name(self) -> str:
         """The name of the application.  This is usually the import name
         with the difference that it's guessed from the run file if the
         import name is main.  This name is used as a display name when
@@ -525,7 +518,7 @@ class App(Scaffold):
         return os.path.join(prefix, "var", f"{self.name}-instance")
 
     def create_global_jinja_loader(self) -> DispatchingJinjaLoader:
-        """Creates the loader for the Jinja2 environment.  Can be used to
+        """Creates the loader for the Jinja environment.  Can be used to
         override just the loader and keeping the rest unchanged.  It's
         discouraged to override this function.  Instead one should override
         the :meth:`jinja_loader` function instead.
@@ -632,7 +625,7 @@ class App(Scaffold):
         methods = {item.upper() for item in methods}
 
         # Methods that should always be added
-        required_methods = set(getattr(view_func, "required_methods", ()))
+        required_methods: set[str] = set(getattr(view_func, "required_methods", ()))
 
         # starting with Flask 0.8 the view_func object can disable and
         # force-enable the automatic options handling.
@@ -642,7 +635,7 @@ class App(Scaffold):
             )
 
         if provide_automatic_options is None:
-            if "OPTIONS" not in methods:
+            if "OPTIONS" not in methods and self.config["PROVIDE_AUTOMATIC_OPTIONS"]:
                 provide_automatic_options = True
                 required_methods.add("OPTIONS")
             else:
@@ -664,21 +657,34 @@ class App(Scaffold):
                 )
             self.view_functions[endpoint] = view_func
 
-    @setupmethod
+    @t.overload
+    def template_filter(self, name: T_template_filter) -> T_template_filter: ...
+    @t.overload
     def template_filter(
         self, name: str | None = None
-    ) -> t.Callable[[T_template_filter], T_template_filter]:
-        """A decorator that is used to register custom template filter.
-        You can specify a name for the filter, otherwise the function
-        name will be used. Example::
+    ) -> t.Callable[[T_template_filter], T_template_filter]: ...
+    @setupmethod
+    def template_filter(
+        self, name: T_template_filter | str | None = None
+    ) -> T_template_filter | t.Callable[[T_template_filter], T_template_filter]:
+        """Decorate a function to register it as a custom Jinja filter. The name
+        is optional. The decorator may be used without parentheses.
 
-          @app.template_filter()
-          def reverse(s):
-              return s[::-1]
+        .. code-block:: python
 
-        :param name: the optional name of the filter, otherwise the
-                     function name will be used.
+            @app.template_filter("reverse")
+            def reverse_filter(s):
+                return reversed(s)
+
+        The :meth:`add_template_filter` method may be used to register a
+        function later rather than decorating.
+
+        :param name: The name to register the filter as. If not given, uses the
+            function's name.
         """
+        if callable(name):
+            self.add_template_filter(name)
+            return name
 
         def decorator(f: T_template_filter) -> T_template_filter:
             self.add_template_filter(f, name=name)
@@ -690,24 +696,34 @@ class App(Scaffold):
     def add_template_filter(
         self, f: ft.TemplateFilterCallable, name: str | None = None
     ) -> None:
-        """Register a custom template filter.  Works exactly like the
-        :meth:`template_filter` decorator.
+        """Register a function to use as a custom Jinja filter.
 
-        :param name: the optional name of the filter, otherwise the
-                     function name will be used.
+        The :meth:`template_filter` decorator can be used to register a function
+        by decorating instead.
+
+        :param f: The function to register.
+        :param name: The name to register the filter as. If not given, uses the
+            function's name.
         """
         self.jinja_env.filters[name or f.__name__] = f
 
-    @setupmethod
+    @t.overload
+    def template_test(self, name: T_template_test) -> T_template_test: ...
+    @t.overload
     def template_test(
         self, name: str | None = None
-    ) -> t.Callable[[T_template_test], T_template_test]:
-        """A decorator that is used to register custom template test.
-        You can specify a name for the test, otherwise the function
-        name will be used. Example::
+    ) -> t.Callable[[T_template_test], T_template_test]: ...
+    @setupmethod
+    def template_test(
+        self, name: T_template_test | str | None = None
+    ) -> T_template_test | t.Callable[[T_template_test], T_template_test]:
+        """Decorate a function to register it as a custom Jinja test. The name
+        is optional. The decorator may be used without parentheses.
 
-          @app.template_test()
-          def is_prime(n):
+        .. code-block:: python
+
+            @app.template_test("prime")
+            def is_prime_test(n):
                 if n == 2:
                     return True
                 for i in range(2, int(math.ceil(math.sqrt(n))) + 1):
@@ -715,11 +731,17 @@ class App(Scaffold):
                         return False
               return True
 
-        .. versionadded:: 0.10
+        The :meth:`add_template_test` method may be used to register a function
+        later rather than decorating.
 
-        :param name: the optional name of the test, otherwise the
-                     function name will be used.
+        :param name: The name to register the filter as. If not given, uses the
+            function's name.
+
+        .. versionadded:: 0.10
         """
+        if callable(name):
+            self.add_template_test(name)
+            return name
 
         def decorator(f: T_template_test) -> T_template_test:
             self.add_template_test(f, name=name)
@@ -731,33 +753,49 @@ class App(Scaffold):
     def add_template_test(
         self, f: ft.TemplateTestCallable, name: str | None = None
     ) -> None:
-        """Register a custom template test.  Works exactly like the
-        :meth:`template_test` decorator.
+        """Register a function to use as a custom Jinja test.
+
+        The :meth:`template_test` decorator can be used to register a function
+        by decorating instead.
+
+        :param f: The function to register.
+        :param name: The name to register the test as. If not given, uses the
+            function's name.
 
         .. versionadded:: 0.10
-
-        :param name: the optional name of the test, otherwise the
-                     function name will be used.
         """
         self.jinja_env.tests[name or f.__name__] = f
 
-    @setupmethod
+    @t.overload
+    def template_global(self, name: T_template_global) -> T_template_global: ...
+    @t.overload
     def template_global(
         self, name: str | None = None
-    ) -> t.Callable[[T_template_global], T_template_global]:
-        """A decorator that is used to register a custom template global function.
-        You can specify a name for the global function, otherwise the function
-        name will be used. Example::
+    ) -> t.Callable[[T_template_global], T_template_global]: ...
+    @setupmethod
+    def template_global(
+        self, name: T_template_global | str | None = None
+    ) -> T_template_global | t.Callable[[T_template_global], T_template_global]:
+        """Decorate a function to register it as a custom Jinja global. The name
+        is optional. The decorator may be used without parentheses.
 
-            @app.template_global()
+        .. code-block:: python
+
+            @app.template_global
             def double(n):
                 return 2 * n
 
-        .. versionadded:: 0.10
+        The :meth:`add_template_global` method may be used to register a
+        function later rather than decorating.
 
-        :param name: the optional name of the global function, otherwise the
-                     function name will be used.
+        :param name: The name to register the global as. If not given, uses the
+            function's name.
+
+        .. versionadded:: 0.10
         """
+        if callable(name):
+            self.add_template_global(name)
+            return name
 
         def decorator(f: T_template_global) -> T_template_global:
             self.add_template_global(f, name=name)
@@ -769,22 +807,24 @@ class App(Scaffold):
     def add_template_global(
         self, f: ft.TemplateGlobalCallable, name: str | None = None
     ) -> None:
-        """Register a custom template global function. Works exactly like the
-        :meth:`template_global` decorator.
+        """Register a function to use as a custom Jinja global.
+
+        The :meth:`template_global` decorator can be used to register a function
+        by decorating instead.
+
+        :param f: The function to register.
+        :param name: The name to register the global as. If not given, uses the
+            function's name.
 
         .. versionadded:: 0.10
-
-        :param name: the optional name of the global function, otherwise the
-                     function name will be used.
         """
         self.jinja_env.globals[name or f.__name__] = f
 
     @setupmethod
     def teardown_appcontext(self, f: T_teardown) -> T_teardown:
-        """Registers a function to be called when the application
-        context is popped. The application context is typically popped
-        after the request context for each request, at the end of CLI
-        commands, or after a manually pushed context ends.
+        """Registers a function to be called when the app context is popped. The
+        context is popped at the end of a request, CLI command, or manual ``with``
+        block.
 
         .. code-block:: python
 
@@ -793,9 +833,7 @@ class App(Scaffold):
 
         When the ``with`` block exits (or ``ctx.pop()`` is called), the
         teardown functions are called just before the app context is
-        made inactive. Since a request context typically also manages an
-        application context it would also be called when you pop a
-        request context.
+        made inactive.
 
         When a teardown function was called because of an unhandled
         exception it will be passed an error object. If an

src/flask/sansio/blueprints.py

@@ -440,16 +440,31 @@ class Blueprint(Scaffold):
             )
         )
 
-    @setupmethod
+    @t.overload
+    def app_template_filter(self, name: T_template_filter) -> T_template_filter: ...
+    @t.overload
     def app_template_filter(
         self, name: str | None = None
-    ) -> t.Callable[[T_template_filter], T_template_filter]:
-        """Register a template filter, available in any template rendered by the
-        application. Equivalent to :meth:`.Flask.template_filter`.
+    ) -> t.Callable[[T_template_filter], T_template_filter]: ...
+    @setupmethod
+    def app_template_filter(
+        self, name: T_template_filter | str | None = None
+    ) -> T_template_filter | t.Callable[[T_template_filter], T_template_filter]:
+        """Decorate a function to register it as a custom Jinja filter. The name
+        is optional. The decorator may be used without parentheses.
 
-        :param name: the optional name of the filter, otherwise the
-                     function name will be used.
+        The :meth:`add_app_template_filter` method may be used to register a
+        function later rather than decorating.
+
+        The filter is available in all templates, not only those under this
+        blueprint. Equivalent to :meth:`.Flask.template_filter`.
+
+        :param name: The name to register the filter as. If not given, uses the
+            function's name.
         """
+        if callable(name):
+            self.add_app_template_filter(name)
+            return name
 
         def decorator(f: T_template_filter) -> T_template_filter:
             self.add_app_template_filter(f, name=name)
@@ -461,31 +476,51 @@ class Blueprint(Scaffold):
     def add_app_template_filter(
         self, f: ft.TemplateFilterCallable, name: str | None = None
     ) -> None:
-        """Register a template filter, available in any template rendered by the
-        application. Works like the :meth:`app_template_filter` decorator. Equivalent to
-        :meth:`.Flask.add_template_filter`.
+        """Register a function to use as a custom Jinja filter.
 
-        :param name: the optional name of the filter, otherwise the
-                     function name will be used.
+        The :meth:`app_template_filter` decorator can be used to register a
+        function by decorating instead.
+
+        The filter is available in all templates, not only those under this
+        blueprint. Equivalent to :meth:`.Flask.add_template_filter`.
+
+        :param f: The function to register.
+        :param name: The name to register the filter as. If not given, uses the
+            function's name.
         """
 
-        def register_template(state: BlueprintSetupState) -> None:
-            state.app.jinja_env.filters[name or f.__name__] = f
+        def register_template_filter(state: BlueprintSetupState) -> None:
+            state.app.add_template_filter(f, name=name)
 
-        self.record_once(register_template)
+        self.record_once(register_template_filter)
 
-    @setupmethod
+    @t.overload
+    def app_template_test(self, name: T_template_test) -> T_template_test: ...
+    @t.overload
     def app_template_test(
         self, name: str | None = None
-    ) -> t.Callable[[T_template_test], T_template_test]:
-        """Register a template test, available in any template rendered by the
-        application. Equivalent to :meth:`.Flask.template_test`.
+    ) -> t.Callable[[T_template_test], T_template_test]: ...
+    @setupmethod
+    def app_template_test(
+        self, name: T_template_test | str | None = None
+    ) -> T_template_test | t.Callable[[T_template_test], T_template_test]:
+        """Decorate a function to register it as a custom Jinja test. The name
+        is optional. The decorator may be used without parentheses.
+
+        The :meth:`add_app_template_test` method may be used to register a
+        function later rather than decorating.
+
+        The test is available in all templates, not only those under this
+        blueprint. Equivalent to :meth:`.Flask.template_test`.
+
+        :param name: The name to register the filter as. If not given, uses the
+            function's name.
 
         .. versionadded:: 0.10
-
-        :param name: the optional name of the test, otherwise the
-                     function name will be used.
         """
+        if callable(name):
+            self.add_app_template_test(name)
+            return name
 
         def decorator(f: T_template_test) -> T_template_test:
             self.add_app_template_test(f, name=name)
@@ -497,33 +532,53 @@ class Blueprint(Scaffold):
     def add_app_template_test(
         self, f: ft.TemplateTestCallable, name: str | None = None
     ) -> None:
-        """Register a template test, available in any template rendered by the
-        application. Works like the :meth:`app_template_test` decorator. Equivalent to
-        :meth:`.Flask.add_template_test`.
+        """Register a function to use as a custom Jinja test.
+
+        The :meth:`app_template_test` decorator can be used to register a
+        function by decorating instead.
+
+        The test is available in all templates, not only those under this
+        blueprint. Equivalent to :meth:`.Flask.add_template_test`.
+
+        :param f: The function to register.
+        :param name: The name to register the test as. If not given, uses the
+            function's name.
 
         .. versionadded:: 0.10
-
-        :param name: the optional name of the test, otherwise the
-                     function name will be used.
         """
 
-        def register_template(state: BlueprintSetupState) -> None:
-            state.app.jinja_env.tests[name or f.__name__] = f
+        def register_template_test(state: BlueprintSetupState) -> None:
+            state.app.add_template_test(f, name=name)
 
-        self.record_once(register_template)
+        self.record_once(register_template_test)
 
-    @setupmethod
+    @t.overload
+    def app_template_global(self, name: T_template_global) -> T_template_global: ...
+    @t.overload
     def app_template_global(
         self, name: str | None = None
-    ) -> t.Callable[[T_template_global], T_template_global]:
-        """Register a template global, available in any template rendered by the
-        application. Equivalent to :meth:`.Flask.template_global`.
+    ) -> t.Callable[[T_template_global], T_template_global]: ...
+    @setupmethod
+    def app_template_global(
+        self, name: T_template_global | str | None = None
+    ) -> T_template_global | t.Callable[[T_template_global], T_template_global]:
+        """Decorate a function to register it as a custom Jinja global. The name
+        is optional. The decorator may be used without parentheses.
+
+        The :meth:`add_app_template_global` method may be used to register a
+        function later rather than decorating.
+
+        The global is available in all templates, not only those under this
+        blueprint. Equivalent to :meth:`.Flask.template_global`.
+
+        :param name: The name to register the global as. If not given, uses the
+            function's name.
 
         .. versionadded:: 0.10
-
-        :param name: the optional name of the global, otherwise the
-                     function name will be used.
         """
+        if callable(name):
+            self.add_app_template_global(name)
+            return name
 
         def decorator(f: T_template_global) -> T_template_global:
             self.add_app_template_global(f, name=name)
@@ -535,20 +590,25 @@ class Blueprint(Scaffold):
     def add_app_template_global(
         self, f: ft.TemplateGlobalCallable, name: str | None = None
     ) -> None:
-        """Register a template global, available in any template rendered by the
-        application. Works like the :meth:`app_template_global` decorator. Equivalent to
-        :meth:`.Flask.add_template_global`.
+        """Register a function to use as a custom Jinja global.
+
+        The :meth:`app_template_global` decorator can be used to register a function
+        by decorating instead.
+
+        The global is available in all templates, not only those under this
+        blueprint. Equivalent to :meth:`.Flask.add_template_global`.
+
+        :param f: The function to register.
+        :param name: The name to register the global as. If not given, uses the
+            function's name.
 
         .. versionadded:: 0.10
-
-        :param name: the optional name of the global, otherwise the
-                     function name will be used.
         """
 
-        def register_template(state: BlueprintSetupState) -> None:
-            state.app.jinja_env.globals[name or f.__name__] = f
+        def register_template_global(state: BlueprintSetupState) -> None:
+            state.app.add_template_global(f, name=name)
 
-        self.record_once(register_template)
+        self.record_once(register_template_global)
 
     @setupmethod
     def before_app_request(self, f: T_before_request) -> T_before_request:

src/flask/sansio/scaffold.py

@@ -8,7 +8,6 @@ import typing as t
 from collections import defaultdict
 from functools import update_wrapper
 
-import click
 from jinja2 import BaseLoader
 from jinja2 import FileSystemLoader
 from werkzeug.exceptions import default_exceptions
@@ -16,10 +15,12 @@ from werkzeug.exceptions import HTTPException
 from werkzeug.utils import cached_property
 
 from .. import typing as ft
-from ..cli import AppGroup
 from ..helpers import get_root_path
 from ..templating import _default_template_ctx_processor
 
+if t.TYPE_CHECKING:  # pragma: no cover
+    from click import Group
+
 # a singleton sentinel value for parameter defaults
 _sentinel = object()
 
@@ -66,6 +67,7 @@ class Scaffold:
     .. versionadded:: 2.0
     """
 
+    cli: Group
     name: str
     _static_folder: str | None = None
     _static_url_path: str | None = None
@@ -82,7 +84,7 @@ class Scaffold:
         #: to. Do not change this once it is set by the constructor.
         self.import_name = import_name
 
-        self.static_folder = static_folder  # type: ignore
+        self.static_folder = static_folder
         self.static_url_path = static_url_path
 
         #: The path to the templates folder, relative to
@@ -97,12 +99,6 @@ class Scaffold:
         #: up resources contained in the package.
         self.root_path = root_path
 
-        #: The Click command group for registering CLI commands for this
-        #: object. The commands are available from the ``flask`` command
-        #: once the application has been discovered and blueprints have
-        #: been registered.
-        self.cli: click.Group = AppGroup()
-
         #: A dictionary mapping endpoint names to view functions.
         #:
         #: To register a view function, use the :meth:`route` decorator.
@@ -511,8 +507,8 @@ class Scaffold:
     @setupmethod
     def teardown_request(self, f: T_teardown) -> T_teardown:
         """Register a function to be called when the request context is
-        popped. Typically this happens at the end of each request, but
-        contexts may be pushed manually as well during testing.
+        popped. Typically, this happens at the end of each request, but
+        contexts may be pushed manually during testing.
 
         .. code-block:: python
 
@@ -710,15 +706,6 @@ def _endpoint_from_view_func(view_func: ft.RouteCallable) -> str:
     return view_func.__name__
 
 
-def _path_is_relative_to(path: pathlib.PurePath, base: str) -> bool:
-    # Path.is_relative_to doesn't exist until Python 3.9
-    try:
-        path.relative_to(base)
-        return True
-    except ValueError:
-        return False
-
-
 def _find_package_path(import_name: str) -> str:
     """Find the path that contains the package or module."""
     root_mod_name, _, _ = import_name.partition(".")
@@ -749,7 +736,7 @@ def _find_package_path(import_name: str) -> str:
                 search_location = next(
                     location
                     for location in root_spec.submodule_search_locations
-                    if _path_is_relative_to(package_path, location)
+                    if package_path.is_relative_to(location)
                 )
             else:
                 # Pick the first path.
@@ -781,7 +768,7 @@ def find_package(import_name: str) -> tuple[str | None, str]:
     py_prefix = os.path.abspath(sys.prefix)
 
     # installed to the system
-    if _path_is_relative_to(pathlib.PurePath(package_path), py_prefix):
+    if pathlib.PurePath(package_path).is_relative_to(py_prefix):
         return py_prefix, package_path
 
     site_parent, site_folder = os.path.split(package_path)

src/flask/sessions.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import collections.abc as c
 import hashlib
 import typing as t
 from collections.abc import MutableMapping
@@ -20,8 +21,7 @@ if t.TYPE_CHECKING:  # pragma: no cover
     from .wrappers import Response
 
 
-# TODO generic when Python > 3.8
-class SessionMixin(MutableMapping):  # type: ignore[type-arg]
+class SessionMixin(MutableMapping[str, t.Any]):
     """Expands a basic dictionary with session attributes."""
 
     @property
@@ -49,8 +49,7 @@ class SessionMixin(MutableMapping):  # type: ignore[type-arg]
     accessed = True
 
 
-# TODO generic when Python > 3.8
-class SecureCookieSession(CallbackDict, SessionMixin):  # type: ignore[type-arg]
+class SecureCookieSession(CallbackDict[str, t.Any], SessionMixin):
     """Base class for sessions based on signed cookies.
 
     This session backend will set the :attr:`modified` and
@@ -72,7 +71,10 @@ class SecureCookieSession(CallbackDict, SessionMixin):  # type: ignore[type-arg]
     #: different users.
     accessed = False
 
-    def __init__(self, initial: t.Any = None) -> None:
+    def __init__(
+        self,
+        initial: c.Mapping[str, t.Any] | c.Iterable[tuple[str, t.Any]] | None = None,
+    ) -> None:
         def on_update(self: te.Self) -> None:
             self.modified = True
             self.accessed = True
@@ -105,7 +107,7 @@ class NullSession(SecureCookieSession):
             "application to something unique and secret."
         )
 
-    __setitem__ = __delitem__ = clear = pop = popitem = update = setdefault = _fail  # type: ignore # noqa: B950
+    __setitem__ = __delitem__ = clear = pop = popitem = update = setdefault = _fail  # noqa: B950
     del _fail
 
 
@@ -224,6 +226,14 @@ class SessionInterface:
         """
         return app.config["SESSION_COOKIE_SAMESITE"]  # type: ignore[no-any-return]
 
+    def get_cookie_partitioned(self, app: Flask) -> bool:
+        """Returns True if the cookie should be partitioned. By default, uses
+        the value of :data:`SESSION_COOKIE_PARTITIONED`.
+
+        .. versionadded:: 3.1
+        """
+        return app.config["SESSION_COOKIE_PARTITIONED"]  # type: ignore[no-any-return]
+
     def get_expiration_time(self, app: Flask, session: SessionMixin) -> datetime | None:
         """A helper method that returns an expiration date for the session
         or ``None`` if the session is linked to the browser session.  The
@@ -277,6 +287,14 @@ class SessionInterface:
 session_json_serializer = TaggedJSONSerializer()
 
 
+def _lazy_sha1(string: bytes = b"") -> t.Any:
+    """Don't access ``hashlib.sha1`` until runtime. FIPS builds may not include
+    SHA-1, in which case the import and use as a default would fail before the
+    developer can configure something else.
+    """
+    return hashlib.sha1(string)
+
+
 class SecureCookieSessionInterface(SessionInterface):
     """The default session interface that stores sessions in signed cookies
     through the :mod:`itsdangerous` module.
@@ -286,7 +304,7 @@ class SecureCookieSessionInterface(SessionInterface):
     #: signing of cookie based sessions.
     salt = "cookie-session"
     #: the hash function to use for the signature.  The default is sha1
-    digest_method = staticmethod(hashlib.sha1)
+    digest_method = staticmethod(_lazy_sha1)
     #: the name of the itsdangerous supported key derivation.  The default
     #: is hmac.
     key_derivation = "hmac"
@@ -299,14 +317,21 @@ class SecureCookieSessionInterface(SessionInterface):
     def get_signing_serializer(self, app: Flask) -> URLSafeTimedSerializer | None:
         if not app.secret_key:
             return None
-        signer_kwargs = dict(
-            key_derivation=self.key_derivation, digest_method=self.digest_method
-        )
+
+        keys: list[str | bytes] = []
+
+        if fallbacks := app.config["SECRET_KEY_FALLBACKS"]:
+            keys.extend(fallbacks)
+
+        keys.append(app.secret_key)  # itsdangerous expects current key at top
         return URLSafeTimedSerializer(
-            app.secret_key,
+            keys,  # type: ignore[arg-type]
             salt=self.salt,
             serializer=self.serializer,
-            signer_kwargs=signer_kwargs,
+            signer_kwargs={
+                "key_derivation": self.key_derivation,
+                "digest_method": self.digest_method,
+            },
         )
 
     def open_session(self, app: Flask, request: Request) -> SecureCookieSession | None:
@@ -330,6 +355,7 @@ class SecureCookieSessionInterface(SessionInterface):
         domain = self.get_cookie_domain(app)
         path = self.get_cookie_path(app)
         secure = self.get_cookie_secure(app)
+        partitioned = self.get_cookie_partitioned(app)
         samesite = self.get_cookie_samesite(app)
         httponly = self.get_cookie_httponly(app)
 
@@ -346,6 +372,7 @@ class SecureCookieSessionInterface(SessionInterface):
                     domain=domain,
                     path=path,
                     secure=secure,
+                    partitioned=partitioned,
                     samesite=samesite,
                     httponly=httponly,
                 )
@@ -357,15 +384,16 @@ class SecureCookieSessionInterface(SessionInterface):
             return
 
         expires = self.get_expiration_time(app, session)
-        val = self.get_signing_serializer(app).dumps(dict(session))  # type: ignore
+        val = self.get_signing_serializer(app).dumps(dict(session))  # type: ignore[union-attr]
         response.set_cookie(
             name,
-            val,  # type: ignore
+            val,
             expires=expires,
             httponly=httponly,
             domain=domain,
             path=path,
             secure=secure,
+            partitioned=partitioned,
             samesite=samesite,
         )
         response.vary.add("Cookie")