Scheduled weekly dependency update for week 47 #245

Status: Open. Wants to merge 55 commits into base: master.

pyup-bot (Collaborator):

Update asgiref from 3.6.0 to 3.8.1.

Changelog

3.8.1
------------------

* Fixes a regression in 3.8.0 affecting nested task cancellation inside
sync_to_async.

3.8.0
------------------

* Adds support for Python 3.12.

* Drops support for (end-of-life) Python 3.7.

* Fixes task cancellation propagation to subtasks when using synchronous Django
middleware.

* Allows nesting ``sync_to_async`` via ``asyncio.wait_for``.

* Corrects WSGI adapter handling of root path.

* Handles case where `"client"` is ``None`` in WsgiToAsgi adapter.

3.7.2
------------------

* The type annotations for SyncToAsync and AsyncToSync have been changed to
more accurately reflect the kind of callables they return.

3.7.1
------------------

* On Python 3.10 and below, the version of the "typing_extensions" package
is now constrained to be at least version 4 (as we depend on functionality
in that version and above)

3.7.0
------------------

* Contextvars are now required for the implementation of `sync` as Python 3.6
is now no longer a supported version.

* sync_to_async and async_to_sync now pass-through

* Debug and Lifespan State extensions have resulted in a typing change for some
request and response types. This change should be backwards-compatible.

* ``asgiref`` frames will now be hidden in Django tracebacks by default.

* Raw performance and garbage collection improvements in Local, SyncToAsync,
and AsyncToSync.

Update asttokens from 2.2.1 to 2.4.1.

The bot wasn't able to find a changelog for this release. Got an idea?


Update black from 22.12.0 to 24.10.0.

Changelog

24.10.0

Highlights

- Black is now officially tested with Python 3.13 and provides Python 3.13
mypyc-compiled wheels. (4436) (4449)
- Black will issue an error when used with Python 3.12.5, due to an upstream memory
safety issue in Python 3.12.5 that can cause Black's AST safety checks to fail. Please
use Python 3.12.6 or Python 3.12.4 instead. (4447)
- Black no longer supports running with Python 3.8 (4452)

Stable style

- Fix crashes involving comments in parenthesised return types or `X | Y` style unions.
(4453)
- Fix skipping Jupyter cells with unknown `%%` magic (4462)

Preview style

- Fix type annotation spacing between * and more complex type variable tuple (i.e. `def
fn(*args: *tuple[*Ts, T]) -> None: pass`) (4440)

Caching

- Fix bug where the cache was shared between runs with and without `--unstable` (4466)

Packaging

- Upgrade version of mypyc used to 1.12 beta (4450) (4449)
- `blackd` now requires a newer version of aiohttp. (4451)

Output

- Added Python target version information on parse error (4378)
- Add information about Black version to internal error messages (4457)

24.8.0

Stable style

- Fix crash when `# fmt: off` is used before a closing parenthesis or bracket. (4363)

Packaging

- Packaging metadata updated: docs are explicitly linked, the issue tracker is now also
linked. This improves the PyPI listing for Black. (4345)

Parser

- Fix regression where Black failed to parse a multiline f-string containing another
multiline string (4339)
- Fix regression where Black failed to parse an escaped single quote inside an f-string
(4401)
- Fix bug with Black incorrectly parsing empty lines with a backslash (4343)
- Fix bugs with Black's tokenizer not handling `\{` inside f-strings very well (4422)
- Fix incorrect line numbers in the tokenizer for certain tokens within f-strings
(4423)

Performance

- Improve performance when a large directory is listed in `.gitignore` (4415)

_Blackd_

- Fix blackd (and all extras installs) for docker container (4357)

24.4.2

This is a bugfix release to fix two regressions in the new f-string parser introduced in
24.4.1.

Parser

- Fix regression where certain complex f-strings failed to parse (4332)

Performance

- Fix bad performance on certain complex string literals (4331)

24.4.1

Highlights

- Add support for the new Python 3.12 f-string syntax introduced by PEP 701 (3822)

Stable style

- Fix crash involving indented dummy functions containing newlines (4318)

Parser

- Add support for type parameter defaults, a new syntactic feature added to Python 3.13
by PEP 696 (4327)

Integrations

- GitHub Action now works even when `git archive` is skipped (4313)

24.4.0

Stable style

- Fix unwanted crashes caused by AST equivalency check (4290)

Preview style

- `if` guards in `case` blocks are now wrapped in parentheses when the line is too long.
(4269)
- Stop moving multiline strings to a new line unless inside brackets (4289)

Integrations

- Add a new option `use_pyproject` to the GitHub Action `psf/black`. This will read the
Black version from `pyproject.toml`. (4294)

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of leading tab
characters in your docstrings, you are strongly encouraged to upgrade immediately to fix
[CVE-2024-21503](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21503).

This release also fixes a bug in Black's AST safety check that allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

- Don't move comments along with delimiters, which could cause crashes (4248)
- Strengthen AST safety check to catch more unsafe changes to strings. Previous versions
of Black would incorrectly format the contents of certain unusual f-strings containing
nested strings with the same quote type. Now, Black will crash on such strings until
support for the new f-string syntax is implemented. (4270)
- Fix a bug where line-ranges exceeding the last code line would not work as expected
(4273)

Performance

- Fix catastrophic performance on docstrings that contain large numbers of leading tab
characters. This fixes
[CVE-2024-21503](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21503).
(4278)

Documentation

- Note what happens when `--check` is used with `--quiet` (4236)

24.2.0

Stable style

- Fixed a bug where comments were mistakenly removed along with redundant parentheses
(4218)

Preview style

- Move the `hug_parens_with_braces_and_square_brackets` feature to the unstable style
due to an outstanding crash and proposed formatting tweaks (4198)
- Fixed a bug where base expressions caused inconsistent formatting of \*\* in ternary
expression (4154)
- Checking for newline before adding one on docstring that is almost at the line limit
(4185)
- Remove redundant parentheses in `case` statement `if` guards (4214).

Configuration

- Fix issue where _Black_ would ignore input files in the presence of symlinks (4222)
- _Black_ now ignores `pyproject.toml` that is missing a `tool.black` section when
discovering project root and configuration. Since _Black_ continues to use version
control as an indicator of project root, this is expected to primarily change behavior
for users in a monorepo setup (desirably). If you wish to preserve previous behavior,
simply add an empty `[tool.black]` to the previously discovered `pyproject.toml`
(4204)

Output

- Black will swallow any `SyntaxWarning`s or `DeprecationWarning`s produced by the `ast`
module when performing equivalence checks (4189)

Integrations

- Add a JSONSchema and provide a validate-pyproject entry-point (4181)

24.1.1

Bugfix release to fix a bug that made Black unusable on certain file systems with strict
limits on path length.

Preview style

- Consistently add trailing comma on typed parameters (4164)

Configuration

- Shorten the length of the name of the cache file to fix crashes on file systems that
do not support long paths (4176)

24.1.0

Highlights

This release introduces the new 2024 stable style (4106), stabilizing the following
changes:

- Add parentheses around `if`-`else` expressions (2278)
- Dummy class and function implementations consisting only of `...` are formatted more
compactly (3796)
- If an assignment statement is too long, we now prefer splitting on the right-hand side
(3368)
- Hex codes in Unicode escape sequences are now standardized to lowercase (2916)
- Allow empty first lines at the beginning of most blocks (3967, 4061)
- Add parentheses around long type annotations (3899)
- Enforce newline after module docstrings (3932, 4028)
- Fix incorrect magic trailing comma handling in return types (3916)
- Remove blank lines before class docstrings (3692)
- Wrap multiple context managers in parentheses if combined in a single `with` statement
(3489)
- Fix bug in line length calculations for power operations (3942)
- Add trailing commas to collection literals even if there's a comment after the last
entry (3393)
- When using `--skip-magic-trailing-comma` or `-C`, trailing commas are stripped from
subscript expressions with more than 1 element (3209)
- Add extra blank lines in stubs in a few cases (3564, 3862)
- Accept raw strings as docstrings (3947)
- Split long lines in case blocks (4024)
- Stop removing spaces from walrus operators within subscripts (3823)
- Fix incorrect formatting of certain async statements (3609)
- Allow combining `# fmt: skip` with other comments (3959)

There are already a few improvements in the `--preview` style, which are slated for the
2025 stable style. Try them out and
[share your feedback](https://github.com/psf/black/issues). In the past, the preview
style has included some features that we were not able to stabilize. This year, we're
adding a separate `--unstable` style for features with known problems. Now, the
`--preview` style only includes features that we actually expect to make it into next
year's stable style.

Stable style

Several bug fixes were made in features that are moved to the stable style in this
release:

- Fix comment handling when parenthesising conditional expressions (4134)
- Fix bug where spaces were not added around parenthesized walruses in subscripts,
unlike other binary operators (4109)
- Remove empty lines before docstrings in async functions (4132)
- Address a missing case in the change to allow empty lines at the beginning of all
blocks, except immediately before a docstring (4130)
- For stubs, fix logic to enforce empty line after nested classes with bodies (4141)

Preview style

- Add `--unstable` style, covering preview features that have known problems that would
block them from going into the stable style. Also add the `--enable-unstable-feature`
flag; for example, use
`--enable-unstable-feature hug_parens_with_braces_and_square_brackets` to apply this
preview feature throughout 2024, even if a later Black release downgrades the feature
to unstable (4096)
- Format module docstrings the same as class and function docstrings (4095)
- Fix crash when using a walrus in a dictionary (4155)
- Fix unnecessary parentheses when wrapping long dicts (4135)
- Stop normalizing spaces before `# fmt: skip` comments (4146)

Configuration

- Print warning when configuration in `pyproject.toml` contains an invalid key (4165)
- Fix symlink handling, properly ignoring symlinks that point outside of root (4161)
- Fix cache mtime logic that resulted in false positive cache hits (4128)
- Remove the long-deprecated `--experimental-string-processing` flag. This feature can
currently be enabled with `--preview --enable-unstable-feature string_processing`.
(4096)

Integrations

- Revert the change to run Black's pre-commit integration only on specific git hooks
(3940) for better compatibility with older versions of pre-commit (4137)

23.12.1

Packaging

- Fixed a bug that included dependencies from the `d` extra by default (4108)

23.12.0

Highlights

It's almost 2024, which means it's time for a new edition of _Black_'s stable style!
Together with this release, we'll put out an alpha release 24.1a1 showcasing the draft
2024 stable style, which we'll finalize in the January release. Please try it out and
[share your feedback](https://github.com/psf/black/issues/4042).

This release (23.12.0) will still produce the 2023 style. Most but not all of the
changes in `--preview` mode will be in the 2024 stable style.

Stable style

- Fix bug where `# fmt: off` automatically dedents when used with the `--line-ranges`
option, even when it is not within the specified line range. (4084)
- Fix feature detection for parenthesized context managers (4104)

Preview style

- Prefer more equal signs before a break when splitting chained assignments (4010)
- Standalone form feed characters at the module level are no longer removed (4021)
- Additional cases of immediately nested tuples, lists, and dictionaries are now
indented less (4012)
- Allow empty lines at the beginning of all blocks, except immediately before a
docstring (4060)
- Fix crash in preview mode when using a short `--line-length` (4086)
- Keep suites consisting of only an ellipsis on their own lines if they are not
functions or class definitions (4066) (4103)

Configuration

- `--line-ranges` now skips _Black_'s internal stability check in `--safe` mode. This
avoids a crash on rare inputs that have many unformatted same-content lines. (4034)

Packaging

- Upgrade to mypy 1.7.1 (4049) (4069)
- Faster compiled wheels are now available for CPython 3.12 (4070)

Integrations

- Enable 3.12 CI (4035)
- Build docker images in parallel (4054)
- Build docker images with 3.12 (4055)

23.11.0

Highlights

- Support formatting ranges of lines with the new `--line-ranges` command-line option
(4020)

Stable style

- Fix crash on formatting bytes strings that look like docstrings (4003)
- Fix crash when whitespace followed a backslash before newline in a docstring (4008)
- Fix standalone comments inside complex blocks crashing Black (4016)
- Fix crash on formatting code like `await (a ** b)` (3994)
- No longer treat leading f-strings as docstrings. This matches Python's behaviour and
fixes a crash (4019)

Preview style

- Multiline dicts and lists that are the sole argument to a function are now indented
less (3964)
- Multiline unpacked dicts and lists as the sole argument to a function are now also
indented less (3992)
- In f-string debug expressions, quote types that are visible in the final string are
now preserved (4005)
- Fix a bug where long `case` blocks were not split into multiple lines. Also enable
general trailing comma rules on `case` blocks (4024)
- Keep requiring two empty lines between module-level docstring and first function or
class definition (4028)
- Add support for single-line format skip with other comments on the same line (3959)

Configuration

- Consistently apply force exclusion logic before resolving symlinks (4015)
- Fix a bug in the matching of absolute path names in `--include` (3976)

Performance

- Fix mypyc builds on arm64 on macOS (4017)

Integrations

- Black's pre-commit integration will now run only on git hooks appropriate for a code
formatter (3940)

23.10.1

Highlights

- Maintenance release to get a fix out for GitHub Action edge case (3957)

Preview style

- Fix merging implicit multiline strings that have inline comments (3956)
- Allow empty first line after block open before a comment or compound statement (3967)

Packaging

- Change Dockerfile to hatch + compile black (3965)

Integrations

- The summary output for GitHub workflows is now suppressible using the `summary`
parameter. (3958)
- Fix the action failing when Black check doesn't pass (3957)

Documentation

- The Windows documentation CI is known to be broken:
https://github.com/psf/black/issues/3968

23.10.0

Stable style

- Fix comments getting removed from inside parenthesized strings (3909)

Preview style

- Fix long lines with power operators getting split before the line length (3942)
- Long type hints are now wrapped in parentheses and properly indented when split across
multiple lines (3899)
- Magic trailing commas are now respected in return types. (3916)
- Require one empty line after module-level docstrings. (3932)
- Treat raw triple-quoted strings as docstrings (3947)

Configuration

- Fix cache versioning logic when `BLACK_CACHE_DIR` is set (3937)

Parser

- Fix bug where attributes named `type` were not accepted inside `match` statements
(3950)
- Add support for PEP 695 type aliases containing lambdas and other unusual expressions
(3949)

Output

- Black no longer attempts to provide special errors for attempting to format Python 2
code (3933)
- Black will more consistently print stacktraces on internal errors in verbose mode
(3938)

Integrations

- The action output displayed in the job summary is now wrapped in Markdown (3914)

23.9.1

Due to various issues, the previous release (23.9.0) did not include compiled mypyc
wheels, which make Black significantly faster. These issues have now been fixed, and
this release should come with compiled wheels once again.

There will be no wheels for Python 3.12 due to a bug in mypyc. We will provide 3.12
wheels in a future release as soon as the mypyc bug is fixed.

Packaging

- Upgrade to mypy 1.5.1 (3864)

Performance

- Store raw tuples instead of NamedTuples in Black's cache, improving performance and
decreasing the size of the cache (3877)

23.9.0

Preview style

- More concise formatting for dummy implementations (3796)
- In stub files, add a blank line between a statement with a body (e.g. an
`if sys.version_info > (3, x):`) and a function definition on the same level (3862)
- Fix a bug whereby spaces were removed from walrus operators within subscripts (3823)

Configuration

- Black now applies exclusion and ignore logic before resolving symlinks (3846)

Performance

- Avoid importing `IPython` if notebook cells do not contain magics (3782)
- Improve caching by comparing file hashes as fallback for mtime and size (3821)

_Blackd_

- Fix an issue in `blackd` with single character input (3558)

Integrations

- Black now has an
[official pre-commit mirror](https://github.com/psf/black-pre-commit-mirror). Swapping
`https://github.com/psf/black` to `https://github.com/psf/black-pre-commit-mirror` in
your `.pre-commit-config.yaml` will make Black about 2x faster (3828)
- The `.black.env` folder specified by `ENV_PATH` will now be removed on the completion
of the GitHub Action (3759)

23.7.0

Highlights

- Runtime support for Python 3.7 has been removed. Formatting 3.7 code will still be
supported until further notice (3765)

Stable style

- Fix a bug where an illegal trailing comma was added to return type annotations using
PEP 604 unions (3735)
- Fix several bugs and crashes where comments in stub files were removed or mishandled
under some circumstances (3745)
- Fix a crash with multi-line magic comments like `type: ignore` within parentheses
(3740)
- Fix error in AST validation when _Black_ removes trailing whitespace in a type comment
(3773)

Preview style

- Implicitly concatenated strings used as function args are no longer wrapped inside
parentheses (3640)
- Remove blank lines between a class definition and its docstring (3692)

Configuration

- The `--workers` argument to _Black_ can now be specified via the `BLACK_NUM_WORKERS`
environment variable (3743)
- `.pytest_cache`, `.ruff_cache` and `.vscode` are now excluded by default (3691)
- Fix _Black_ not honouring `pyproject.toml` settings when running `--stdin-filename`
and the `pyproject.toml` found isn't in the current working directory (3719)
- _Black_ will now error if `exclude` and `extend-exclude` have invalid data types in
`pyproject.toml`, instead of silently doing the wrong thing (3764)

Packaging

- Upgrade mypyc from 0.991 to 1.3 (3697)
- Remove patching of Click that mitigated errors on Python 3.6 with `LANG=C` (3768)

Parser

- Add support for the new PEP 695 syntax in Python 3.12 (3703)

Performance

- Speed up _Black_ significantly when the cache is full (3751)
- Avoid importing `IPython` in a case where we wouldn't need it (3748)

Output

- Use aware UTC datetimes internally, avoids deprecation warning on Python 3.12 (3728)
- Change verbose logging to exactly mirror _Black_'s logic for source discovery (3749)

_Blackd_

- The `blackd` argument parser now shows the default values for options in their help
text (3712)

Integrations

- Black is now tested with
[`PYTHONWARNDEFAULTENCODING = 1`](https://docs.python.org/3/library/io.html#io-encoding-warning)
(3763)
- Update GitHub Action to display black output in the job summary (3688)

Documentation

- Add a CITATION.cff file to the root of the repository, containing metadata on how to
cite this software (3723)
- Update the _classes_ and _exceptions_ documentation in Developer reference to match
the latest code base (3755)

23.3.0

Highlights

This release fixes a longstanding confusing behavior in Black's GitHub action, where the
version of the action did not determine the version of Black being run (issue 3382). In
addition, there is a small bug fix around imports and a number of improvements to the
preview style.

Please try out the
[preview style](https://black.readthedocs.io/en/stable/the_black_code_style/future_style.html#preview-style)
with `black --preview` and tell us your feedback. All changes in the preview style are
expected to become part of Black's stable style in January 2024.

Stable style

- Import lines with `# fmt: skip` and `# fmt: off` no longer have an extra blank line
added when they are right after another import line (3610)

Preview style

- Add trailing commas to collection literals even if there's a comment after the last
entry (3393)
- `async def`, `async for`, and `async with` statements are now formatted consistently
compared to their non-async version. (3609)
- `with` statements that contain two context managers will be consistently wrapped in
parentheses (3589)
- Let string splitters respect [East Asian Width](https://www.unicode.org/reports/tr11/)
(3445)
- Now long string literals can be split after East Asian commas and periods (`、` U+3001
IDEOGRAPHIC COMMA, `。` U+3002 IDEOGRAPHIC FULL STOP, & `,` U+FF0C FULLWIDTH COMMA)
besides before spaces (3445)
- For stubs, enforce one blank line after a nested class with a body other than just
`...` (3564)
- Improve handling of multiline strings by changing line split behavior (1879)

Parser

- Added support for formatting files with invalid type comments (3594)

Integrations

- Update GitHub Action to use the version of Black equivalent to action's version if
version input is not specified (3543)
- Fix missing Python binary path in autoload script for vim (3508)

Documentation

- Document that only the most recent release is supported for security issues;
vulnerabilities should be reported through Tidelift (3612)

23.1.0

Highlights

This is the first release of 2023, and following our
[stability policy](https://black.readthedocs.io/en/stable/the_black_code_style/index.html#stability-policy),
it comes with a number of improvements to our stable style, including improvements to
empty line handling, removal of redundant parentheses in several contexts, and output
that highlights implicitly concatenated strings better.

There are also many changes to the preview style; try out `black --preview` and give us
feedback to help us set the stable style for next year.

In addition to style changes, Black now automatically infers the supported Python
versions from your `pyproject.toml` file, removing the need to set Black's target
versions separately.

Stable style

- Introduce the 2023 stable style, which incorporates most aspects of last year's
preview style (3418). Specific changes:
- Enforce empty lines before classes and functions with sticky leading comments
 (3302) (22.12.0)
- Reformat empty and whitespace-only files as either an empty file (if no newline is
 present) or as a single newline character (if a newline is present) (3348)
 (22.12.0)
- Implicitly concatenated strings used as function args are now wrapped inside
 parentheses (3307) (22.12.0)
- Correctly handle trailing commas that are inside a line's leading non-nested parens
 (3370) (22.12.0)
- `--skip-string-normalization` / `-S` now prevents docstring prefixes from being
 normalized as expected (3168) (since 22.8.0)
- When using `--skip-magic-trailing-comma` or `-C`, trailing commas are stripped from
 subscript expressions with more than 1 element (3209) (22.8.0)
- Implicitly concatenated strings inside a list, set, or tuple are now wrapped inside
 parentheses (3162) (22.8.0)
- Fix a string merging/split issue when a comment is present in the middle of
 implicitly concatenated strings on its own line (3227) (22.8.0)
- Docstring quotes are no longer moved if it would violate the line length limit
 (3044, 3430) (22.6.0)
- Parentheses around return annotations are now managed (2990) (22.6.0)
- Remove unnecessary parentheses around awaited objects (2991) (22.6.0)
- Remove unnecessary parentheses in `with` statements (2926) (22.6.0)
- Remove trailing newlines after code block open (3035) (22.6.0)
- Code cell separators `#%%` are now standardised to `# %%` (2919) (22.3.0)
- Remove unnecessary parentheses from `except` statements (2939) (22.3.0)
- Remove unnecessary parentheses from tuple unpacking in `for` loops (2945) (22.3.0)
- Avoid magic-trailing-comma in single-element subscripts (2942) (22.3.0)
- Fix a crash when a colon line is marked between `# fmt: off` and `# fmt: on` (3439)

Preview style

- Format hex codes in unicode escape sequences in string literals (2916)
- Add parentheses around `if`-`else` expressions (2278)
- Improve performance on large expressions that contain many strings (3467)
- Fix a crash in preview style with assert + parenthesized string (3415)
- Fix crashes in preview style with walrus operators used in function return annotations
and except clauses (3423)
- Fix a crash in preview advanced string processing where mixed implicitly concatenated
regular and f-strings start with an empty span (3463)
- Fix a crash in preview advanced string processing where a standalone comment is placed
before a dict's value (3469)
- Fix an issue where extra empty lines are added when a decorator has `# fmt: skip`
applied or there is a standalone comment between decorators (3470)
- Do not put the closing quotes in a docstring on a separate line, even if the line is
too long (3430)
- Long values in dict literals are now wrapped in parentheses; correspondingly
unnecessary parentheses around short values in dict literals are now removed; long
string lambda values are now wrapped in parentheses (3440)
- Fix two crashes in preview style involving edge cases with docstrings (3451)
- Exclude string type annotations from improved string processing; fix crash when the
return type annotation is stringified and spans across multiple lines (3462)
- Wrap multiple context managers in parentheses when targeting Python 3.9+ (3489)
- Fix several crashes in preview style with walrus operators used in `with` statements
or tuples (3473)
- Fix an invalid quote escaping bug in f-string expressions where it produced invalid
code. Implicitly concatenated f-strings with different quotes can now be merged or
quote-normalized by changing the quotes used in expressions. (3509)
- Fix crash on `await (yield)` when Black is compiled with mypyc (3533)

Configuration

- Black now tries to infer its `--target-version` from the project metadata specified in
`pyproject.toml` (3219)

Packaging

- Upgrade mypyc from `0.971` to `0.991` so mypycified _Black_ can be built on armv7
(3380)
- This also fixes some crashes while using compiled Black with a debug build of
 CPython
- Drop specific support for the `tomli` requirement on 3.11 alpha releases, working
around a bug that would cause the requirement not to be installed on any non-final
Python releases (3448)
- Black now depends on `packaging` version `22.0` or later. This is required for new
functionality that needs to parse part of the project metadata (3219)

Output

- Calling `black --help` multiple times will return the same help contents each time
(3516)
- Verbose logging now shows the values of `pyproject.toml` configuration variables
(3392)
- Fix false symlink detection messages in verbose output due to using an incorrect
relative path to the project root (3385)

Integrations

- Move 3.11 CI to normal flow now that all dependencies support 3.11 (3446)
- Docker: Add new `latest_prerelease` tag automation to follow latest black alpha
release on docker images (3465)

Documentation

- Expand `vim-plug` installation instructions to offer more explicit options (3468)

Update cli-helpers[styles] from 2.3.0 to 2.3.1.

The bot wasn't able to find a changelog for this release. Got an idea?


Update click from 8.1.3 to 8.1.7.

Changelog

8.1.7
-------------

Released 2023-08-17

-   Fix issue with regex flags in shell completion. :issue:`2581`
-   Bash version detection issues a warning instead of an error. :issue:`2574`
-   Fix issue with completion script for Fish shell. :issue:`2567`

8.1.6
-------------

Released 2023-07-18

-   Fix an issue with type hints for ``click.group()``. :issue:`2558`

8.1.5
-------------

Released 2023-07-13

-   Fix an issue with type hints for ``click.command()``, ``click.option()``, and
 other decorators. Introduce typing tests. :issue:`2558`

8.1.4
-------------

Released 2023-07-06

-   Replace all ``typing.Dict`` occurrences to ``typing.MutableMapping`` for
 parameter hints. :issue:`2255`
-   Improve type hinting for decorators and give all generic types parameters.
 :issue:`2398`
-   Fix return value and type signature of `shell_completion.add_completion_class`
 function. :pr:`2421`
-   Bash version detection doesn't fail on Windows. :issue:`2461`
-   Completion works if there is a dot (``.``) in the program name. :issue:`2166`
-   Improve type annotations for pyright type checker. :issue:`2268`
-   Improve responsiveness of ``click.clear()``. :issue:`2284`
-   Improve command name detection when using Shiv or PEX. :issue:`2332`
-   Avoid showing empty lines if command help text is empty. :issue:`2368`
-   ZSH completion script works when loaded from ``fpath``. :issue:`2344`.
-   ``EOFError`` and ``KeyboardInterrupt`` tracebacks are not suppressed when
 ``standalone_mode`` is disabled. :issue:`2380`
-   ``group.command`` does not fail if the group was created with a custom
 ``command_class``. :issue:`2416`
-   ``multiple=True`` is allowed for flag options again and does not require
 setting ``default=()``. :issue:`2246, 2292, 2295`
-   Make the decorators returned by ``argument()`` and ``option()`` reusable when the
 ``cls`` parameter is used. :issue:`2294`
-   Don't fail when writing filenames to streams with strict errors. Replace invalid
 bytes with the replacement character (``�``). :issue:`2395`
-   Remove unnecessary attempt to detect MSYS2 environment. :issue:`2355`
-   Remove outdated and unnecessary detection of App Engine environment. :pr:`2554`
-   ``echo()`` does not fail when no streams are attached, such as with ``pythonw`` on
 Windows. :issue:`2415`
-   Argument with ``expose_value=False`` do not cause completion to fail. :issue:`2336`

Update configobj from 5.0.6 to 5.0.9.

Changelog

5.0.9
"""""""""""""

* drop support for Python 2 and <3.7
* fix CVE-2023-26112, ReDoS attack

5.0.8
"""""""""""""

* fix, and add a test for, a regression introduced in 5.0.7 that prevented ``import validate`` from working

5.0.7
"""""""""""""

* update testing to validate against python version 2.7 and 3.5-3.11
* update broken links / non-existent services and references

Older Releases
""""""""""""""

Update coverage from 7.0.1 to 7.6.8.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

Update django from 4.1.4 to 5.1.3.

Changelog

5.1.3

==========================

*November 5, 2024*

Django 5.1.3 fixes several bugs in 5.1.2 and adds compatibility with Python
3.13.

Bugfixes
========

* Fixed a bug in Django 5.1 where
:class:`~django.core.validators.DomainNameValidator` accepted any input value
that contained a valid domain name, rather than only input values that were a
valid domain name (:ticket:`35845`).

* Fixed a regression in Django 5.1 that prevented the use of DB-IP databases
with :class:`~django.contrib.gis.geoip2.GeoIP2` (:ticket:`35841`).

* Fixed a regression in Django 5.1 where non-ASCII fieldset names were not
displayed when rendering admin fieldsets (:ticket:`35876`).
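The ``DomainNameValidator`` fix above is an instance of a general validator mistake: a pattern that is *searched* rather than fully matched accepts any input that merely contains a valid fragment, which lets scheme prefixes, separators and markup ride along into a field that downstream code treats as a bare host name. The following is an added illustration in plain Python; it is not Django's ``DomainNameValidator`` (its exact regex, IDN handling and error types are not reproduced), and ``DOMAIN_RE``, the length cap and the sample inputs are constructed for this example:

```python
import re

# Simplified domain-name grammar for illustration (an assumption, not Django's
# exact pattern): dot-separated labels of letters, digits and hyphens with no
# leading or trailing hyphen, ending in an alphabetic TLD of 2 to 63 chars.
DOMAIN_RE = re.compile(
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}",
    re.IGNORECASE,
)
MAX_DOMAIN_LEN = 253  # RFC 1035 limit on a full domain name


def contains_valid_domain(value: str) -> bool:
    """The 5.1.0 to 5.1.2 style bug: re.search() succeeds as soon as a valid
    domain name appears *anywhere* in the input, so surrounding junk passes."""
    return DOMAIN_RE.search(value) is not None


def is_valid_domain(value: str) -> bool:
    """Anchored check: the whole input must be a domain name. The length cap
    also bounds the work the regex can do on hostile input."""
    if len(value) > MAX_DOMAIN_LEN:
        return False
    return DOMAIN_RE.fullmatch(value) is not None


def classify(value: str) -> tuple[bool, bool]:
    """Return (unanchored verdict, anchored verdict) for one input."""
    return contains_valid_domain(value), is_valid_domain(value)


# Constructed inputs with the expected (unanchored, anchored) verdicts.
SAMPLES = {
    "example.com": (True, True),
    "sub.example.co.uk": (True, True),
    "xn--bcher-kva.example": (True, True),
    "javascript:alert(1)//example.com": (True, False),
    "example.com; DROP TABLE users": (True, False),
    "<script>x</script>example.org": (True, False),
    "-bad.example.com": (True, False),
    "not a domain": (False, False),
}

if __name__ == "__main__":
    for value, expected in SAMPLES.items():
        verdict = classify(value)
        flag = "" if verdict == expected else "  <-- unexpected"
        print(f"{value!r:40} search={verdict[0]!s:5} fullmatch={verdict[1]!s:5}{flag}")
```

The same check applies to any validator you write yourself: prefer ``fullmatch()`` (or explicit ``\A...\Z`` anchors) over ``search()``/``match()``, and cap the input length before handing it to a regex.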


==========================

5.1.2

==========================

*October 8, 2024*

Django 5.1.2 fixes several bugs in 5.1.1. Also, the latest string translations
from Transifex are incorporated.

Bugfixes
========

* Fixed a regression in Django 5.1 that caused a crash when using the
PostgreSQL lookup :lookup:`trigram_similar` on output fields from ``Concat``
(:ticket:`35732`).

* Fixed a regression in Django 5.1 that caused a crash of ``JSONObject()``
when using server-side binding with PostgreSQL 16+ (:ticket:`35734`).

* Fixed a regression in Django 5.1 that made selected items in multi-select
widgets indistinguishable from non-selected items in the admin dark theme
(:ticket:`35809`).


==========================

5.1.1

==========================

*September 3, 2024*

Django 5.1.1 fixes one security issue with severity "moderate", one security
issue with severity "low", and several bugs in 5.1.

CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-45231: Potential user email enumeration via response status on password reset
======================================================================================

Due to unhandled email sending failures, the
:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote
attackers to enumerate user emails by issuing password reset requests and
observing the outcomes.

To mitigate this risk, exceptions occurring during password reset email sending
are now handled and logged using the :ref:`django-contrib-auth-logger` logger.
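The enumeration channel here is the response status: when the mail backend raised, only requests for addresses that actually had an account turned into an error page. The following added example (plain Python, not Django's ``PasswordResetForm``; the user table, ``send_reset_email`` failure mode and the status strings are constructed, and only the logger name is taken from the notes above) contrasts the unhandled and handled shapes and shows how an attacker's oracle disappears once the failure is logged instead of surfaced:

```python
import logging

# The notes say failures are now logged via the django.contrib.auth logger;
# this example reuses that logger name but is otherwise a plain-Python sketch.
logger = logging.getLogger("django.contrib.auth")

UNIFORM_RESPONSE = "200 OK: if an account with that address exists, a reset link has been sent"

# Constructed user table: only alice is a real account.
USERS = {"alice@example.com": {"pk": 1, "name": "alice"}}


class MailError(Exception):
    """Stands in for the SMTP/backend exception raised by a failed send."""


def send_reset_email(email: str) -> None:
    """Hypothetical mail step. It fails for every recipient here to model an
    outage or a rejecting relay; in reality it fails intermittently, which is
    exactly what makes the leak hard to notice in testing."""
    raise MailError(f"SMTP 550: recipient {email} rejected")


def reset_unhandled(email: str) -> str:
    """Pre-fix shape: the form sends only for real accounts and lets the
    exception propagate, so a real address yields a 500 and an unknown one a
    200. The status code is the oracle."""
    if email in USERS:
        send_reset_email(email)
    return UNIFORM_RESPONSE


def reset_handled(email: str) -> str:
    """Post-fix shape: the send failure is caught and logged, and every caller
    gets the same response whether or not the account exists."""
    user = USERS.get(email)
    if user is not None:
        try:
            send_reset_email(email)
        except Exception:
            # Log for operators (pk rather than address keeps PII out of logs);
            # never surface the failure to the client.
            logger.exception("Failed to send password reset email to user %s", user["pk"])
    return UNIFORM_RESPONSE


def observed_status(handler, email: str) -> str:
    """What a remote attacker sees: the response, with an unhandled exception
    rendered as the framework's generic 500."""
    try:
        return handler(email)
    except Exception:
        return "500 Internal Server Error"


def enumeration_oracle(handler, known: str, unknown: str) -> bool:
    """True when the handler leaks account existence through its response."""
    return observed_status(handler, known) != observed_status(handler, unknown)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for name, handler in (("unhandled", reset_unhandled), ("handled", reset_handled)):
        leaks = enumeration_oracle(handler, "alice@example.com", "nobody@example.com")
        print(f"{name}: enumeration possible = {leaks}")
```

When you check a reset endpoint yourself, compare more than the status code: body, headers and response time for a known and an unknown address should be indistinguishable, with the mail step failing as well as succeeding.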

Bugfixes
========

* Fixed a regression in Django 5.1 that caused a crash of ``Window()`` when
passing an empty sequence to the ``order_by`` parameter, and a crash of
``Prefetch()`` for a sliced queryset without ordering (:ticket:`35665`).

* Fixed a regression in Django 5.1 where a new ``usable_password`` field was
included in :class:`~django.contrib.auth.forms.BaseUserCreationForm` (and
children). A new :class:`~django.contrib.auth.forms.AdminUserCreationForm`
including this field was added, isolating the feature to the admin where it
was intended (:ticket:`35678`).

* Adjusted the deprecation warning ``stacklevel`` in :meth:`.Model.save` and
:meth:`.Model.asave` to correctly point to the offending call site
(:ticket:`35060`).

* Adjusted the deprecation warning ``stacklevel`` when using ``OS_OPEN_FLAGS``
in :class:`~django.core.files.storage.FileSystemStorage` to correctly point
to the offending call site (:ticket:`35326`).

* Adjusted the deprecation warning ``stacklevel`` in
``FieldCacheMixin.get_cache_name()`` to correctly point to the offending call
site (:ticket:`35405`).

* Restored, following a regression in Django 5.1, the ability to override the
timezone and role setting behavior used within the ``init_connection_state``
method of the PostgreSQL backend (:ticket:`35688`).

* Fixed a bug in Django 5.1 where variable lookup errors were logged when
rendering admin fieldsets (:ticket:`35716`).


========================

5.1

========================

*August 7, 2024*

Welcome to Django 5.1!

These release notes cover the :ref:`new features <whats-new-5.1>`, as well as
some :ref:`backwards incompatible changes <backwards-incompatible-5.1>` you
should be aware of when upgrading from Django 5.0 or earlier. We've
:ref:`begun the deprecation process for some features
<deprecated-features-5.1>`.

See the :doc:`/howto/upgrade-version` guide if you're updating an existing
project.

Python compatibility
====================

Django 5.1 supports Python 3.10, 3.11, 3.12, and 3.13 (as of 5.1.3). We
**highly recommend** and only officially support the latest release of each
series.

.. _whats-new-5.1:

What's new in Django 5.1
========================

``{% querystring %}`` template tag
-----------------------------------

Django 5.1 introduces the :ttag:`{% querystring %} <querystring>` template
tag, simplifying the modification of query parameters in URLs, making it easier
to generate links that maintain existing query parameters while adding or
changing specific ones.

For instance, navigating pagination and query strings in templates can be
cumbersome. Consider this template fragment that dynamically generates a URL
for navigating to the next page within a paginated view:

.. code-block:: html+django

 {# Linebreaks added for readability, this should be one, long line. #}
 <a href="?{% for key, values in request.GET.iterlists %}
   {% if key != "page" %}
     {% for value in values %}
       {{ key }}={{ value }}&
     {% endfor %}
   {% endif %}
 {% endfor %}page={{ page.next_page_number }}">Next page</a>

When switching to using this new template tag, the above magically becomes:

.. code-block:: html+django

 <a href="{% querystring page=page.next_page_number %}">Next page</a>

PostgreSQL Connection Pools
---------------------------

Django 5.1 also introduces :ref:`connection pool <postgresql-pool>` support for
PostgreSQL. As the time to establish a new connection can be relatively long,
keeping connections open can reduce latency.

To use a connection pool with `psycopg`_, you can set the ``"pool"`` option
inside :setting:`OPTIONS` to be a dict to be passed to
:class:`~psycopg:psycopg_pool.ConnectionPool`, or to ``True`` to use the
``ConnectionPool`` defaults::

 DATABASES = {
     "default": {
         "ENGINE": "django.db.backends.postgresql",
          ...
         "OPTIONS": {
             "pool": {
                 "min_size": 2,
                 "max_size": 4,
                 "timeout": 10,
             }
         },
     },
 }

.. _psycopg: https://www.psycopg.org/

Middleware to require authentication by default
-----------------------------------------------

The new :class:`~django.contrib.auth.middleware.LoginRequiredMiddleware`
redirects all unauthenticated requests to a login page. Views can allow
unauthenticated requests by using the new
:func:`~django.contrib.auth.decorators.login_not_required` decorator.

``LoginRequiredMiddleware`` respects the ``login_url`` and
``redirect_field_name`` values set via the
:func:`~.django.contrib.auth.decorators.login_required` decorator, but does not
support setting ``login_url`` or ``redirect_field_name`` via the
:class:`~django.contrib.auth.mixins.LoginRequiredMixin`.

To enable this, add ``"django.contrib.auth.middleware.LoginRequiredMiddleware"``
to your :setting:`MIDDLEWARE` setting.

Minor features
--------------

:mod:`django.contrib.admin`
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :attr:`.ModelAdmin.list_display` now supports using ``__`` lookups to list
fields from related models.

:mod:`django.contrib.auth`
~~~~~~~~~~~~~~~~~~~~~~~~~~

* The default iteration count for the PBKDF2 password hasher is increased from
720,000 to 870,000.

* The default ``parallelism`` of the ``ScryptPasswordHasher`` is 
increased from 1 to 5, to follow OWASP recommendations.

* The new :class:`~django.contrib.auth.forms.AdminUserCreationForm` and
the existing :class:`~django.contrib.auth.forms.AdminPasswordChangeForm` now
support disabling password-based authentication by setting an unusable
password on form save. This is now available in the admin when visiting the
user creation and password change pages.

* :func:`~.django.contrib.auth.decorators.login_required`,
:func:`~.django.contrib.auth.decorators.permission_required`, and
:func:`~.django.contrib.auth.decorators.user_passes_test` decorators now
support wrapping asynchronous view functions.

* ``ReadOnlyPasswordHashWidget`` now includes a button to reset the user's
password, which replaces the link previously embedded in the
``ReadOnlyPasswordHashField``'s help text, improving the overall
accessibility of the
:class:`~django.contrib.auth.forms.UserChangeForm`.

:mod:`django.contrib.gis`
~~~~~~~~~~~~~~~~~~~~~~~~~

* :class:`~django.contrib.gis.db.models.functions.BoundingCircle` is now
supported on SpatiaLite 5.1+.

* :class:`~django.contrib.gis.db.models.Collect` is now supported on MySQL
8.0.24+.

* :class:`~django.contrib.gis.geoip2.GeoIP2` now allows querying using
:class:`ipaddress.IPv4Address` or :class:`ipaddress.IPv6Address` objects.

* :meth:`.GeoIP2.country` now exposes the ``continent_code``,
``continent_name``, and ``is_in_european_union`` values.

* :meth:`.GeoIP2.city` now exposes the ``accuracy_radius`` and ``region_name``
values. In addition, the ``dma_code`` and ``region`` values are now exposed
as ``metro_code`` and ``region_code``, but the previous keys are also
retained for backward compatibility.

* :class:`~django.contrib.gis.measure.Area` now supports the ``ha`` unit.

* The new :attr:`.OGRGeometry.is_3d` attribute allows checking if a geometry
has a ``Z`` coordinate dimension.

* The new :meth:`.OGRGeometry.set_3d` method allows addition and removal of the
``Z`` coordinate dimension.

* :class:`~django.contrib.gis.gdal.OGRGeometry`,
:class:`~django.contrib.gis.gdal.Point`,
:class:`~django.contrib.gis.gdal.LineString`,
:class:`~django.contrib.gis.gdal.Polygon`, and
:class:`~django.contrib.gis.gdal.GeometryCollection` and its subclasses now
support measured geometries via the new :attr:`.OGRGeometry.is_measured` and
``m`` properties, and the :meth:`.OGRGeometry.set_measured` method.

* :attr:`.OGRGeometry.centroid` is now available on all supported geometry
types.

* :class:`FromWKB() <django.contrib.gis.db.models.functions.FromWKB>` and
:class:`FromWKT() <django.contrib.gis.db.models.functions.FromWKT>` functions
now support the optional ``srid`` argument (except for Oracle where it is
ignored).

:mod:`django.contrib.postgres`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :class:`~django.contrib.postgres.indexes.BTreeIndex` now supports the
``deduplicate_items`` parameter.

:mod:`django.contrib.sessions`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :class:`django.contrib.sessions.backends.cached_db.SessionStore` now handles
exceptions when storing session information in the cache, logging proper
error messages with their traceback via the newly added
:ref:`sessions logger <django-contrib-sessions-logger>`.

* :class:`django.contrib.sessions.backends.base.SessionBase` and all built-in
session engines now provide async API. The new asynchronous methods all have
``a`` prefixed names, e.g. ``aget()``, ``akeys()``, or ``acycle_key()``.

Database backends
~~~~~~~~~~~~~~~~~

* ``"init_command"`` option is now supported in :setting:`OPTIONS` on SQLite
to allow specifying :ref:`pragma options <sqlite-init-command>` to set upon
connection.

* ``"transaction_mode"`` option is now supported in :setting:`OPTIONS` on
SQLite to allow specifying the :ref:`sqlite-transaction-behavior`.

* ``"pool"`` option is now supported in :setting:`OPTIONS` on PostgreSQL to
allow using :ref:`connection pools <postgresql-pool>`.

Error Reporting
~~~~~~~~~~~~~~~

* In order to improve accessibility, the technical 404 and 500 error pages now
use HTML landmark elements for the header, footer, and main content areas.

File Storage
~~~~~~~~~~~~

* The :attr:`~django.core.files.storage.FileSystemStorage.allow_overwrite`
parameter of :class:`~django.core.files.storage.FileSystemStorage` now allows
saving new files over existing ones.

Forms
~~~~~

* In order to improve accessibility and enable screen readers to associate
fieldsets with their help text, the form fieldset now includes the
``aria-describedby`` HTML attribute.

Management Commands
~~~~~~~~~~~~~~~~~~~

* The :djadmin:`makemigrations` command now displays meaningful symbols for
each operation to highlight :class:`operation categories
<django.db.migrations.operations.base.OperationCategory>`.

Migrations
~~~~~~~~~~

* The new ``Operation.category`` attribute allows specifying an
:class:`operation category
<django.db.migrations.operations.base.OperationCategory>` used by the
:djadmin:`makemigrations` to display a meaningful symbol for the operation.

Models
~~~~~~

* :meth:`.QuerySet.explain` now supports the ``generic_plan`` option on
PostgreSQL 16+.

* :class:`~django.db.models.expressions.RowRange` now accepts positive integers
for the ``start`` argument and negative integers for the ``end`` argument.

* The new ``exclusion`` argument of
:class:`~django.db.models.expressions.RowRange` and
:class:`~django.db.models.expressions.ValueRange` allows excluding rows,
groups, and ties from the window frames.

* :meth:`.QuerySet.order_by` now supports ordering by annotation transforms
such as ``JSONObject`` keys and ``ArrayAgg`` indices.

* :class:`F() <django.db.models.F>` and :class:`OuterRef()
<django.db.models.OuterRef>` expressions that output
:class:`~django.db.models.CharField`, :class:`~django.db.models.EmailField`,
:class:`~django.db.models.SlugField`, :class:`~django.db.models.URLField`,
:class:`~django.db.models.TextField`, or
:class:`~django.contrib.postgres.fields.ArrayField` can now be :ref:`sliced
<slicing-using-f>`.

* The new ``from_queryset`` argument of :meth:`.Model.refresh_from_db` and
:meth:`.Model.arefresh_from_db`  allows customizing the queryset used to
reload a model's value. This can be used to lock the row before reloading or
to select related objects.

* The new :attr:`.Expression.constraint_validation_compatible` attribute allows
specifying that the expression should be ignored during a constraint
validation.

Templates
~~~~~~~~~

* Custom tags may now set extra data on the ``Parser`` object that will later
be made available on the ``Template`` instance. Such data may be used, for
example, by the template loader, or other template clients.

* :ref:`Template engines <field-checking>` now implement a ``check()`` method
that is already registered with the check framework.

Tests
~~~~~

* :meth:`~django.test.SimpleTestCase.assertContains`,
:meth:`~django.test.SimpleTestCase.assertNotContains`, and
:meth:`~django.test.SimpleTestCase.assertInHTML` assertions now add haystacks
to assertion error messages.

* The :class:`~django.test.RequestFactory`,
:class:`~django.test.AsyncRequestFactory`, :class:`~django.test.Client`, and
:class:`~django.test.AsyncClient` classes now support the ``query_params``
parameter, which accepts a dictionary of query string keys and values. This
allows setting query strings on any HTTP methods more easily.

.. code-block:: python

  self.client.post("/items/1", query_params={"action": "delete"})
  await self.async_client.post("/items/1", query_params={"action": "delete"})

* The new :meth:`.SimpleTestCase.assertNotInHTML` assertion allows testing that
an HTML fragment is not contained in the given HTML haystack.

* In order to enforce test isolation, database connections inside threads are
no longer allowed in :class:`~django.test.SimpleTestCase`.

Validators
~~~~~~~~~~

* The new :class:`~django.core.validators.DomainNameValidator` validates domain
names, including internationalized domain names. The new
:func:`~django.core.validators.validate_domain_name` function returns an
instance of :class:`~django.core.validators.DomainNameValidator`.

.. _backwards-incompatible-5.1:

Backwards incompatible changes in 5.1
=====================================

:mod:`django.contrib.gis`
-------------------------

* Support for PostGIS 2.5 is removed.

* Support for PROJ < 6 is removed.

* Support for GDAL 2.4 is removed.

* :class:`~django.contrib.gis.geoip2.GeoIP2` no longer opens both city and
country databases when a directory path is provided, preferring the city
database, if it is available. The country database is a subset of the city
database and both are not typically needed. If you require use of the country
database when in the same directory as the city database, explicitly pass the
country database path to the constructor.

Dropped support for MariaDB 10.4
--------------------------------

Upstream support for MariaDB 10.4 ends in June 2024. Django 5.1 supports
MariaDB 10.5 and higher.

Dropped support for PostgreSQL 12
---------------------------------

Upstream support for PostgreSQL 12 ends in November 2024. Django 5.1 supports
PostgreSQL 13 and higher.

Miscellaneous
-------------

* In order to improve accessibility, the admin's changelist filter is now
rendered in a ``<nav>`` tag instead of a ``<div>``.

* In order to improve accessibility, the admin's footer is now rendered in
a ``<footer>`` tag instead of a ``<div>``, and also moved below the
``<div id="main">`` element.

* In order to improve accessibility, the expandable widget used for
:attr:`ModelAdmin.fieldsets <django.contrib.admin.ModelAdmin.fieldsets>` and
:attr:`InlineModelAdmin.fieldsets <django.contrib.admin.InlineModelAdmin>`,
when the fieldset has a name and uses the ``collapse`` class, now includes
``<details>`` and ``<summary>`` elements.

* The JavaScript file ``collapse.js`` is removed since it is no longer needed
in the Django admin site.

* :meth:`.SimpleTestCase.assertURLEqual` and
:meth:`~django.test.SimpleTestCase.assertInHTML` now add ``": "`` to the
``msg_prefix``. This is consistent with the behavior of other assertions.

* ``django.utils.text.Truncator`` used by :tfilter:`truncatechars_html` and
:tfilter:`truncatewords_html` template filters now uses
:py:class:`html.parser.HTMLParser` subclasses. This results in a more robust
and faster operation, but there may be small differences in the output.

* The undocumented ``django.urls.converters.get_converter()`` function is
removed.

* The minimum supported version of SQLite is increased from 3.27.0 to 3.31.0.

* :class:`~django.db.models.FileField` now raises a
:class:`~django.core.exceptions.FieldError` when saving a file without a
``name``.

* ``ImageField.update_dimension_fields(force=True)`` is no longer called after
saving the image to storage. If your storage backend resizes images, the
``width_field`` and ``height_field`` will not match the width and height of
the image.

* The minimum supported version of ``asgiref`` is increased from 3.7.0 to
3.8.1.

.. _deprecated-features-5.1:

Features deprecated in 5.1
==========================

Miscellaneous
-------------

* The ``ModelAdmin.log_deletion()`` and ``LogEntryManager.log_action()``
methods are deprecated. Subclasses should implement
``ModelAdmin.log_deletions()`` and  ``LogEntryManager.log_actions()``
instead.

* The undocumented ``django.utils.itercompat.is_iterable()`` function and the
``django.utils.itercompat`` module are deprecated. Use
``isinstance(..., collections.abc.Iterable)`` instead.

* The ``django.contrib.gis.geoip2.GeoIP2.coords()`` method is deprecated. Use
``django.contrib.gis.geoip2.GeoIP2.lon_lat()`` instead.

* The ``django.contrib.gis.geoip2.GeoIP2.open()`` method is deprecated. Use the
:class:`~django.contrib.gis.geoip2.GeoIP2` constructor instead.

* Passing positional arguments to :meth:`.Model.save` and :meth:`.Model.asave`
is deprecated in favor of keyword-only arguments.

* Setting ``django.contrib.gis.gdal.OGRGeometry.coord_dim`` is deprecated. Use
:meth:`~django.contrib.gis.gdal.OGRGeometry.set_3d` instead.

* Overriding existing converters with ``django.urls.register_converter()`` is
deprecated.

* The ``check`` keyword argument of ``CheckConstraint`` is deprecated in favor
of ``condition``.

* The undocumented ``OS_OPEN_FLAGS`` property of
:class:`~django.core.files.storage.FileSystemStorage` is deprecated. To allow
overwriting files in storage, set the new
:attr:`~django.core.files.storage.FileSystemStorage.allow_overwrite` option
to ``True`` instead.

* The ``get_cache_name()`` method of ``FieldCacheMixin`` is deprecated in favor
of the ``cache_name`` cached property.

Features removed in 5.1
=======================

These features have reached the end of their deprecation cycle and are removed
in Django 5.1.

See :ref:`deprecated-features-4.2` for details on these changes, including how
to remove usage of these features.

* The ``BaseUserManager.make_random_password()`` method is removed.

* The model's ``Meta.index_together`` option is removed.

* The ``length_is`` template filter is removed.

* The ``django.contrib.auth.hashers.SHA1PasswordHasher``,
``django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher``, and
``django.contrib.auth.hashers.UnsaltedMD5PasswordHasher`` are removed.

* The ``django.contrib.postgres.fields.CICharField``,
``django.contrib.postgres.fields.CIEmailField``, and
``django.contrib.postgres.fields.CITextField`` model fields are removed, except
for support in historical migrations.

* The ``django.contrib.postgres.fields.CIText`` mixin is removed.

* The ``map_width`` and ``map_height`` attributes of ``BaseGeometryWidget`` are
removed.

* The ``SimpleTestCase.assertFormsetError()`` method is removed.

* The ``TransactionTestCase.assertQuerysetEqual()`` method is removed.

* Support for passing encoded JSON string literals to ``JSONField`` and
associated lookups and expressions is removed.

* Support for passing positional arguments to ``Signer`` and
``TimestampSigner`` is removed.

* The ``DEFAULT_FILE_STORAGE`` and ``STATICFILES_STORAGE`` settings are removed.

* The ``django.core.files.storage.get_storage_class()`` function is removed.

===========================

5.0.9

===========================

*September 3, 2024*

Django 5.0.9 fixes one security issue with severity "moderate" and one security
issue with severity "low" in 5.0.8.

CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-45231: Potential user email enumeration via response status on password reset
======================================================================================

Due to unhandled email sending failures, the
:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote
attackers to enumerate user emails by issuing password reset requests and
observing the outcomes.

To mitigate this risk, exceptions occurring during password reset email sending
are now handled and logged using the :ref:`django-contrib-auth-logger` logger.


==========================

5.0.8

==========================

*August 6, 2024*

Django 5.0.8 fixes three security issues with severity "moderate", one security
issue with severity "high", and several bugs in 5.0.7.

CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
================================================================================

If :tfilter:`floatformat` received a string representation of a number in
scientific notation with a large exponent, it could lead to significant memory
consumption.

To avoid this, decimals with more than 200 digits are now returned as is.

CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
=======================================================================================================================

:tfilter:`urlize`, :tfilter:`urlizetrunc`, and ``AdminURLFieldWidget`` were
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.

CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
======================================================================================

:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
with a ``JSONField`` were subject to SQL injection in column aliases, via a
crafted JSON object key as a passed ``*arg``.

Bugfixes
========

* Added missing validation for ``UniqueConstraint(nulls_distinct=False)`` when
using ``*expressions`` (:ticket:`35594`).

* Fixed a regression in Django 5.0 where ``ModelAdmin.action_checkbox`` could
break the admin changelist HTML page when rendering a model instance with a
``__html__`` method (:ticket:`35606`).

* Fixed a crash when creating a model with a ``Field.db_default`` and a
``Meta.constraints`` constraint composed of ``__endswith``, ``__startswith``,
or ``__contains`` lookups (:ticket:`35625`).

* Fixed a regression in Django 5.0.7 that caused a crash in
``LocaleMiddleware`` when processing a language code over 500 characters
(:ticket:`35627`).

* Fixed a bug in Django 5.0 that caused a system check crash when
``ModelAdmin.date_hierarchy`` was a ``GeneratedField`` with an
``output_field`` of ``DateField`` or ``DateTimeField`` (:ticket:`35628`).

* Fixed a bug in Django 5.0 which caused constraint validation to either crash
or incorrectly raise validation errors for constraints referring to fields
using ``Field.db_default`` (:ticket:`35638`).

* Fixed a crash in Django 5.0 when saving a model containing a ``FileField``
with a ``db_default`` set (:ticket:`35657`).


==========================

5.0.7

==========================

*July 9, 2024*

Django 5.0.7 fixes two security issues with severity "moderate", two security
issues with severity "low", and one bug in 5.0.6.

CVE-2024-38875: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via certain inputs with a very large number of
brackets.

CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
================================================================================================

The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
allowed remote attackers to enumerate users via a timing attack involving login
requests for users with unusable passwords.
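The defence against this class of leak is to make every failed login pay the same hashing cost, whatever the reason for the failure. The following added example (a self-contained PBKDF2 sketch, not Django's ``ModelBackend`` or hashers; the user table, the reduced iteration count and the ``HASH_CALLS`` counter are constructed for the demonstration) shows the fast path an unusable password used to take and the uniform path that closes it:

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000     # deliberately low so the demo runs fast (Django 5.1 uses 870,000)
UNUSABLE_PREFIX = "!"   # Django marks unusable passwords with a leading "!"

HASH_CALLS = 0  # counts hasher invocations so code paths can be compared deterministically


def make_password(raw: str) -> str:
    salt = os.urandom(16).hex()
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), ITERATIONS).hex()
    return f"pbkdf2_sha256${ITERATIONS}${salt}${digest}"


def check_password(raw: str, encoded: str) -> bool:
    """Full-cost verification; every call costs ITERATIONS PBKDF2 rounds."""
    global HASH_CALLS
    HASH_CALLS += 1
    _algo, iters, salt, digest = encoded.split("$")
    calc = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), int(iters)).hex()
    return hmac.compare_digest(calc, digest)


# Constructed user table: a normal account and a service account with an
# unusable password (for example SSO-only), stored the way Django marks them.
USERS = {
    "alice": make_password("correct horse battery staple"),
    "svc-backup": UNUSABLE_PREFIX + os.urandom(20).hex(),
}
DUMMY = make_password(os.urandom(12).hex())  # hashed once at start-up, used to burn time


def authenticate_leaky(username: str, password: str) -> bool:
    """Pre-fix shape: unknown users get a dummy hash (the long-standing
    mitigation), but an *unusable* password returns immediately, so those
    accounts answer measurably faster than any other wrong login."""
    encoded = USERS.get(username)
    if encoded is None:
        check_password(password, DUMMY)
        return False
    if encoded.startswith(UNUSABLE_PREFIX):
        return False  # fast path: the timing side channel
    return check_password(password, encoded)


def authenticate_uniform(username: str, password: str) -> bool:
    """Post-fix shape: unknown and unusable both pay the full hashing cost,
    so timing no longer separates them from a real account."""
    encoded = USERS.get(username)
    if encoded is None or encoded.startswith(UNUSABLE_PREFIX):
        check_password(password, DUMMY)
        return False
    return check_password(password, encoded)


def hash_calls_for(authenticate, username: str) -> int:
    """Hasher invocations caused by one failed login against `username`."""
    before = HASH_CALLS
    authenticate(username, "wrong-password")
    return HASH_CALLS - before


def time_login(authenticate, username: str, rounds: int = 5) -> float:
    """Median wall-clock seconds for a failed login; illustrative only."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        authenticate(username, "wrong-password")
        samples.append(time.perf_counter() - t0)
    return sorted(samples)[rounds // 2]


if __name__ == "__main__":
    for name, fn in (("leaky", authenticate_leaky), ("uniform", authenticate_uniform)):
        for user in ("alice", "svc-backup", "nobody"):
            print(f"{name:8} {user:11} {time_login(fn, user) * 1000:7.2f} ms")
```

Counting hasher calls, as ``hash_calls_for`` does, is a more reliable regression test than measuring wall-clock time: it fails deterministically the moment someone reintroduces an early return.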

CVE-2024-39330: Potential directory-traversal via ``Storage.save()``
====================================================================

Derived classes of the :class:`~django.core.files.storage.Storage` base class
which override :meth:`generate_filename()
<django.core.files.storage.Storage.generate_filename()>` without replicating
the file path validations existing in the parent class, allowed for potential
directory-traversal via certain inputs when calling :meth:`save()
<django.core.files.storage.Storage.save()>`.

Built-in ``Storage`` sub-classes were not affected by this vulnerability.
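The practical lesson is that validation living only in an overridable hook is validation a subclass can silently drop; the durable fix re-checks the final name at the point of use. The following added example (a simplified storage model written for this page, not Django's ``Storage``; ``validate_file_name``, the ``/srv/media`` root, the ``PrefixedNameMixin`` subclass and the hostile file name are constructed) shows a pre-fix ``save()``, a post-fix ``save()`` that re-validates, and how the same override escapes the root under one but not the other:

```python
import os
import pathlib
import posixpath


class SuspiciousFileOperation(Exception):
    """Raised when a name would place a file outside the storage root."""


def validate_file_name(name: str, allow_relative_path: bool = False) -> str:
    """Simplified reimplementation (not Django's code) of the checks a safe
    storage applies: a usable basename, no absolute paths, and no '..'
    segments that climb above the storage root."""
    base = os.path.basename(name)
    if base in ("", ".", ".."):
        raise SuspiciousFileOperation(f"Could not derive file name from '{name}'")
    if allow_relative_path:
        path = posixpath.normpath(name.replace("\\", "/"))
        if posixpath.isabs(path) or path == ".." or path.startswith("../"):
            raise SuspiciousFileOperation(f"Detected path traversal attempt in '{name}'")
    elif name != base:
        raise SuspiciousFileOperation(f"File name '{name}' includes path elements")
    return name


class Storage:
    """Pre-fix shape: the only traversal check lives in generate_filename(),
    so a subclass that overrides it silently drops the check."""

    def __init__(self, location: str = "/srv/media"):
        self.location = os.path.abspath(location)

    def generate_filename(self, filename: str) -> str:
        dirname, basename = os.path.split(filename)
        if ".." in pathlib.PurePath(dirname).parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in '{dirname}'")
        return os.path.normpath(os.path.join(dirname, validate_file_name(basename)))

    def path(self, name: str) -> str:
        # A custom backend that joins naively. The built-in FileSystemStorage
        # uses a safe join here, which is why it was not affected.
        return os.path.normpath(os.path.join(self.location, name))

    def save(self, name: str) -> str:
        return self.path(self.generate_filename(name))


class FixedStorage(Storage):
    """Post-fix shape: save() re-validates whatever generate_filename()
    returned, so an overriding subclass cannot bypass the check."""

    def save(self, name: str) -> str:
        name = validate_file_name(self.generate_filename(name), allow_relative_path=True)
        return self.path(name)


class PrefixedNameMixin:
    """The kind of override the advisory describes: it customizes the stored
    name without replicating the parent's validation."""

    def generate_filename(self, filename: str) -> str:
        return f"uploads/{filename}"


class VulnerableUploadStorage(PrefixedNameMixin, Storage):
    pass


class PatchedUploadStorage(PrefixedNameMixin, FixedStorage):
    pass


def classify_save(storage: Storage, name: str) -> str:
    """'blocked' if validation rejects the name, otherwise whether the
    resolved target is 'inside' or 'escapes' storage.location."""
    try:
        target = storage.save(name)
    except SuspiciousFileOperation:
        return "blocked"
    inside = os.path.commonpath([storage.location, target]) == storage.location
    return "inside" if inside else "escapes"


if __name__ == "__main__":
    hostile = "../../etc/cron.d/backdoor"  # constructed attacker-controlled upload name
    for cls in (Storage, VulnerableUploadStorage, PatchedUploadStorage):
        print(f"{cls.__name__:24} {hostile!r}: {classify_save(cls(), hostile)}")
```

If you maintain a custom ``Storage`` subclass, the review question is the one ``classify_save`` asks: take the name your ``generate_filename()`` returns for ``../`` input and check where ``path()`` actually resolves it, rather than trusting that the base class still ran its checks.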

CVE-2024-39614: Potential denial-of-service vulnerability in ``get_supported_language_variant()``
=================================================================================================

:meth:`~django.utils.translation.get_supported_language_variant` was subject to
a potential denial-of-service attack when used with very long strings
containing specific characters.

To mitigate this vulnerability, the language code provided to
:meth:`~django.utils.translation.get_supported_language_variant` is now parsed
up to a maximum length of 500 characters.

When the language code is over 500 characters, a :exc:`ValueError` will now be
raised if ``strict`` is ``True``, or if there is no generic variant and
``strict`` is ``False``.
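The shape of this mitigation, parse only a bounded prefix and fail closed when nothing usable fits inside it, generalizes to any lookup fed from an untrusted header. The following is an added, simplified reimplementation of the fallback walk the docs describe (``zh-hant-tw`` to ``zh-hant`` to ``zh``) together with the 500-character rule quoted above; it is not Django's ``get_supported_language_variant`` (no ``LANG_INFO`` fallback table is consulted), and the ``SUPPORTED`` list and the ``outcome`` helper are constructed for this example:

```python
LANGUAGE_CODE_MAX_LENGTH = 500

# Constructed stand-in for settings.LANGUAGES; "fr" is deliberately only
# available as "fr-ca" to exercise the non-strict generic fallback.
SUPPORTED = ["de", "en", "en-gb", "fr-ca", "pt", "pt-br", "zh-hans", "zh-hant"]


def get_supported_language_variant(lang_code: str, strict: bool = False, supported=SUPPORTED) -> str:
    """Resolve an Accept-Language style code to a supported one.

    Raises ValueError for over-long input when strict, or when no generic
    variant can be found within the first LANGUAGE_CODE_MAX_LENGTH chars;
    raises LookupError when nothing matches."""
    if not lang_code:
        raise LookupError(lang_code)
    if len(lang_code) > LANGUAGE_CODE_MAX_LENGTH:
        # Only the bounded prefix is ever examined, so work no longer grows
        # with attacker-controlled length.
        index = lang_code.rfind("-", 0, LANGUAGE_CODE_MAX_LENGTH)
        if strict or index <= 0:
            raise ValueError("'lang_code' exceeds the maximum accepted length")
        lang_code = lang_code[:index]
    # 'zh-hant-tw' -> ['zh-hant-tw', 'zh-hant', 'zh']
    possible = [lang_code]
    i = None
    while (i := lang_code.rfind("-", 0, i)) > -1:
        possible.append(lang_code[:i])
    generic = possible[-1]
    for code in possible:
        if code in supported:
            return code
    if not strict:
        # If fr-fr is not supported, accept another variant of fr such as fr-ca.
        for code in supported:
            if code.startswith(generic + "-"):
                return code
    raise LookupError(lang_code)


def outcome(lang_code: str, strict: bool = False) -> str:
    """Resolved code, or the name of the exception raised; handy for tables."""
    try:
        return get_supported_language_variant(lang_code, strict=strict)
    except (ValueError, LookupError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Constructed inputs, including two over-long ones an attacker might send.
    for code in ("en-us", "zh-hant-tw", "fr-fr", "en-" + "x" * 1000, "x" * 1000):
        label = code if len(code) <= 20 else f"{code[:12]}... ({len(code)} chars)"
        print(f"{label:28} lenient={outcome(code):12} strict={outcome(code, strict=True)}")
```

Note the asymmetry the release note spells out: an over-long code is not simply truncated, it is only accepted when a generic variant sits inside the bounded prefix, and a strict caller always gets ``ValueError``.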

Bugfixes
========

* Fixed a bug in Django 5.0 that caused a crash of ``Model.full_clean()`` on
unsaved model instances with a ``GeneratedField`` and certain defined
:attr:`Meta.constraints <django.db.models.Options.constraints>`
(:ticket:`35560`).


==========================

5.0.6

==========================

*May 7, 2024*

Django 5.0.6 fixes a packaging error in 5.0.5.


==========================

5.0.5

==========================

*May 6, 2024*

Django 5.0.5 fixes several bugs in 5.0.4.

Bugfixes
========

* Fixed a bug in Django 5.0 tha
