plotly / dash

Data Apps & Dashboards for Python. No JavaScript Required.

Home Page:https://plotly.com/dash

[BUG] Flask 2.2.3 dependency has HIGH security vulnerability (fixed in 2.2.5)

eweidner opened this issue · comments

Issue #2538 pinned the upper bound of the Flask dependency to 2.2.3. However, Flask 2.2.3 is affected by a HIGH security vulnerability that is fixed in Flask 2.2.5. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30861

Debian 11, Python 3.11 (from Python official 3.11 Docker image)

# pip install dash
Collecting dash
  Downloading dash-2.10.1-py3-none-any.whl (10.3 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 10.3/10.3 MB 14.1 MB/s eta 0:00:00
Collecting Flask<=2.2.3,>=1.0.4 (from dash)
  Downloading Flask-2.2.3-py3-none-any.whl (101 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 101.8/101.8 kB 17.0 MB/s eta 0:00:00
dash                     2.10.1
dash-core-components     2.0.0
dash-html-components     2.0.0
dash-table               5.0.0

Describe the bug

Dash installs a vulnerable version of Flask and dependency scans flag the vulnerability.

Expected behavior

No known and fixed security vulnerabilities added. Perhaps pin to 2.2.* instead of the specific 2.2.3 version, where future pins will find new security issues.
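To make the point of the report concrete, the following added example (not code from Dash or Flask, and not part of the original issue) evaluates a dependency pin against candidate releases. It implements a small subset of PEP 440 specifier matching for plain dotted-numeric versions, enough to show that the pin quoted in the pip output (`Flask<=2.2.3,>=1.0.4`) can never resolve to the fixed release, while a compatible-release pin such as `~=2.2.5` (one way to express "pin to 2.2.*" with the fix as the floor) admits 2.2.5 and later 2.2.x only. The candidate version list is constructed for illustration; only 2.2.3 and 2.2.5 are named on the page. The `~=` pin and the helper names are assumptions of this example, not a proposal adopted by the project.

```python
"""Evaluate whether a dependency pin can resolve to a release carrying a fix.

Added example for this issue thread (not Dash's or Flask's own code).
Supports ==, !=, >=, <=, >, < and the compatible-release operator ~= for
dotted-numeric versions; wildcard (==2.2.*) and pre-release forms are
deliberately out of scope.
"""
from __future__ import annotations

import re
from typing import Iterable, Optional

# First Flask release with the fix for CVE-2023-30861, as stated in the issue.
FIXED_FLASK = "2.2.5"

# Pins under discussion: the first is quoted from the pip output above, the
# second is an assumed alternative expressing "2.2.x, but at least the fix".
CURRENT_PIN = "<=2.2.3,>=1.0.4"
PROPOSED_PIN = "~=2.2.5"

# Constructed candidate list for illustration, not pulled from PyPI.
FLASK_CANDIDATES = ["2.2.2", "2.2.3", "2.2.5"]


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.2.3' into (2, 2, 3); raises on anything non-numeric."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in v.split("."))


def _cmp(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Three-way compare with zero-padding so 2.2 == 2.2.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {
    "==": lambda c: c == 0,
    "!=": lambda c: c != 0,
    ">=": lambda c: c >= 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    "<": lambda c: c < 0,
}


def satisfies(version: str, specifier: str) -> bool:
    """True if `version` matches every comma-separated clause of `specifier`."""
    v = parse_version(version)
    for clause in (c.strip() for c in specifier.split(",") if c.strip()):
        m = re.fullmatch(r"(~=|==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, target = m.group(1), parse_version(m.group(2))
        if op == "~=":
            # PEP 440: '~=2.2.5' means '>=2.2.5' and '==2.2.*'.
            if len(target) < 2:
                raise ValueError("~= needs at least two release segments")
            if _cmp(v, target) < 0:
                return False
            vp = v + (0,) * max(0, len(target) - len(v))
            if vp[: len(target) - 1] != target[:-1]:
                return False
            continue
        if not _OPS[op](_cmp(v, target)):
            return False
    return True


def admitted(specifier: str, candidates: Iterable[str]) -> list[str]:
    """Candidate versions a resolver could pick under `specifier`."""
    return [c for c in candidates if satisfies(c, specifier)]


def is_vulnerable(version: str, fixed: str = FIXED_FLASK) -> bool:
    """Below the fixed release, as the issue describes for 2.2.3."""
    return _cmp(parse_version(version), parse_version(fixed)) < 0


def pin_admits_fix(specifier: str, fixed: str = FIXED_FLASK) -> bool:
    """Can the pin ever resolve to the first fixed release?"""
    return satisfies(fixed, specifier)


def installed_flask_is_fixed() -> Optional[bool]:
    """None if Flask is not installed here; otherwise whether it is at or past the fix."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return not is_vulnerable(version("Flask"))
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    for name, pin in (("current", CURRENT_PIN), ("proposed", PROPOSED_PIN)):
        picks = admitted(pin, FLASK_CANDIDATES)
        print(f"{name:8} {pin:18} admits {picks}; fix reachable: {pin_admits_fix(pin)}")
    print("installed Flask fixed:", installed_flask_is_fixed())
```

Run as a script it reports that the current pin admits only 2.2.2 and 2.2.3 and cannot reach 2.2.5, whereas the `~=2.2.5` pin admits 2.2.5 alone from the constructed list; `installed_flask_is_fixed()` is the same check applied to whatever Flask the local environment actually resolved to, which is what a dependency scanner effectively does.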