From 3e17574fe6357822912784c8dc3ba79616b53004 Mon Sep 17 00:00:00 2001
From: Steve Dogiakos
Date: Mon, 9 Mar 2026 20:15:14 -0600
Subject: [PATCH] fix: upgrade to Flask 3.x and replace before_first_request
- Pin Flask to >=3.1.3 to resolve all outstanding Dependabot CVEs (session cookie Vary header, Werkzeug DoS/RCE/safe_join vulns)
- Replace removed @before_first_request decorator with app.app_context() call at module level, compatible with Flask 3.0+
---
 app.py | 5 +----
 requirements.txt | 2 +-
 2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/app.py b/app.py
index b3f1103..e989526 100644
--- a/app.py
+++ b/app.py
@@ -66,10 +66,7 @@ def is_valid_email(email):
 pattern = r'^[\w\.-]+@[\w\.-]+\.\w+$'
 return re.match(pattern, email)
-# TODO: @before_first_request is deprecated in Flask 2.2 and removed in Flask 3.0.
-# Replace with: with app.app_context(): init_db() at module level, or use a CLI command.
-@app.before_first_request
-def initialize_database():
+with app.app_context():
 init_db()
 @app.route('/', methods=['GET', 'POST'])
diff --git a/requirements.txt b/requirements.txt
index 4f020a3..faa652e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,3 @@
-Flask==2.2.5
+Flask>=3.1.3
 Werkzeug>=3.0.6
 gunicorn
\ No newline at end of file
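Review bot: The new `with app.app_context(): init_db()` in app.py runs as an import side effect, so anything that imports the module (each gunicorn worker at boot, tests, tooling) now touches the database, where the removed hook waited for the first request. `init_db` is defined outside this hunk, so whether it is idempotent and safe when several workers start at once cannot be confirmed from here. If it is not, move the call behind a one-shot CLI command such as `@app.cli.command("init-db")` and run it at deploy time. A failure inside `init_db()` will also now abort the import and stop the worker from starting, which deserves a comment above the block, for example `# Runs at import in every worker; init_db() must be idempotent and fail loudly.`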
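Review bot: `Flask>=3.1.3` in requirements.txt is a floor rather than a pin, although the commit message calls it a pin; the old line `Flask==2.2.5` was exact. With the open range, each fresh install may resolve to a different and unreviewed Flask release, including a future major, and `gunicorn` remains entirely unconstrained. Consider bounding the range, e.g. `Flask>=3.1.3,<4`, or keeping exact versions in a hash-checked constraints file so that upgrades arrive as reviewable Dependabot changes.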