fix(deps): update dependency flask to v3.1.3 [security] (#4859)

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [Flask](https://redirect.github.com/pallets/flask)
([changelog](https://flask.palletsprojects.com/page/changes/)) |
`==3.1.2` → `==3.1.3` |
![age](https://developer.mend.io/api/mc/badges/age/pypi/flask/3.1.3?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/flask/3.1.2/3.1.3?slim=true)
|

### GitHub Vulnerability Alerts

####
[CVE-2026-27205](https://redirect.github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726)

When the `session` object is accessed, Flask should set the `Vary:
Cookie` header. This instructs caches not to cache the response, as it
may contain information specific to a logged in user. This is handled in
most cases, but some forms of access such as the Python `in` operator
were overlooked.

The severity depends on the application's use of the session, and the
cache's behavior regarding cookies. The risk depends on all these
conditions being met.

1. The application must be hosted behind a caching proxy that does not
ignore responses with cookies.
2. The application does not set a `Cache-Control` header to indicate
that a page is private or should not be cached.
3. The application accesses the session in a way that does not access
the values, only the keys, and does not mutate the session.

---

### Release Notes

<details>
<summary>pallets/flask (Flask)</summary>

###
[`v3.1.3`](https://redirect.github.com/pallets/flask/releases/tag/3.1.3)

[Compare
Source](https://redirect.github.com/pallets/flask/compare/3.1.2...3.1.3)

This is the Flask 3.1.3 security fix release, which fixes a security
issue but does not otherwise change behavior and should not result in
breaking changes compared to the latest feature release.

PyPI: <https://pypi.org/project/Flask/3.1.3/>
Changes: <https://flask.palletsprojects.com/page/changes/#version-3-1-3>

- The session is marked as accessed for operations that only access the
keys but not the values, such as `in` and `len`.
[GHSA-68rp-wp8r-4726](https://redirect.github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Australia/Sydney,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/google/osv.dev).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNS4xMSIsInVwZGF0ZWRJblZlciI6IjQzLjI1LjExIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->

Author: renovate-bot

gcp/website/poetry.lock

@@ -2,7 +2,7 @@
 name = "website-backend"
 requires-python = ">=3.13,<4.0"
 dependencies = [
-    "Flask==3.1.2",
+    "Flask==3.1.3",
     "Flask-Caching==2.3.1",
     "Flask-Compress==1.23",
     "werkzeug==3.1.6",