It should be noted that the maintainer knows this, but has commented that he cannot change the default to json because folks are still storing non-json-safe data.
This is the right decision (for now). Otherwise, we'd see a "flask just broke everyone's apps" story on the front page.
Why do people keep doing these things in new frameworks? It has been known for many years that it is not secure to receive pickles from clients, and yet the same mistake keeps being repeated.
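To make the point above concrete, here is an added example (my own code, not from the thread, from Flask, or from its maintainer). It shows the two halves of the trade-off the comments describe: `pickle.loads` on a client-supplied blob runs whatever callable the blob names, while `json.dumps` cannot express a callable at all but also refuses values such as sets that a pickle-based store accepts. The session-store function names and the sample session dict are hypothetical.

```python
import json
import pickle

# Constructed evidence channel: anything appended here proves that merely
# deserialising the payload ran attacker-chosen code.
EXECUTED = []


def _record(marker):
    EXECUTED.append(marker)
    return marker


class Payload:
    """Attacker-controlled object. __reduce__ tells pickle which callable to
    invoke on load; here it is a harmless recorder, but nothing stops a real
    payload from naming os.system or subprocess.Popen instead."""

    def __reduce__(self):
        return (_record, ("arbitrary-callable-ran",))


def build_malicious_cookie() -> bytes:
    """What a client can send to a pickle-based session store."""
    return pickle.dumps(Payload())


def load_session_pickle(blob: bytes):
    """Vulnerable: a pickle-backed session store trusting the client's bytes.
    The callable named in the blob runs before this function ever returns."""
    return pickle.loads(blob)


def dump_session_json(data) -> str:
    """Safe direction: JSON has no way to describe code, only data."""
    return json.dumps(data)


def load_session_json(text: str):
    """Whatever the client sends, the result is plain dicts/lists/scalars."""
    return json.loads(text)


def is_json_safe(data) -> bool:
    """The compatibility problem the maintainer is stuck on: values that pickle
    round-trips (sets, datetimes, custom objects) are rejected by json."""
    try:
        json.dumps(data)
        return True
    except TypeError:
        return False


if __name__ == "__main__":
    load_session_pickle(build_malicious_cookie())
    print("pickle.loads ran attacker code:", EXECUTED)
    session = {"user_id": 42, "roles": ["admin"]}  # hypothetical session data
    print("json round-trip:", load_session_json(dump_session_json(session)))
    print("set is json-safe?", is_json_safe({"ids": {1, 2}}))
```

Signing the cookie stops an attacker from forging one, but only for as long as the signing key stays secret; with the JSON version a leaked key lets an attacker forge session data, not execute code.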