[pyup] Scheduled weekly dependency update for week 48 #246

Open
wants to merge 266 commits into
base: master

pyup-bot (Collaborator) commented Dec 2, 2024

Update argon2-cffi from 19.2.0 to 23.1.0.

The bot wasn't able to find a changelog for this release. Got an idea?


Update boto3 from 1.10.5 to 1.35.72.

The bot wasn't able to find a changelog for this release. Got an idea?


Update psycopg2 from 2.7.3.1 to 2.9.10.

Changelog

2.9.10

^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Add support for Python 3.13.
- Receive notifications on commit (:ticket:`1728`).
- `~psycopg2.errorcodes` map and `~psycopg2.errors` classes updated to
PostgreSQL 17.
- Drop support for Python 3.7.

2.9.9

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Add support for Python 3.12.
- Drop support for Python 3.6.

2.9.8

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Wheel package bundled with PostgreSQL 16 libpq in order to add support for
recent features, such as ``sslcertmode``.

2.9.7

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Fix propagation of exceptions raised during module initialization
(:ticket:`1598`).
- Fix building when pg_config returns an empty string (:ticket:`1599`).
- Wheel package bundled with OpenSSL 1.1.1v.

2.9.6

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Package manylinux 2014 for aarch64 and ppc64le platforms, in order to
include libpq 15 in the binary package (:ticket:`1396`).
- Wheel package bundled with OpenSSL 1.1.1t.

2.9.5

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Add support for Python 3.11.
- Add support for rowcount in MERGE statements in binary packages
(:ticket:`1497`).
- Wheel package bundled with OpenSSL 1.1.1r and PostgreSQL 15 libpq.

2.9.4

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Fix `~psycopg2.extras.register_composite()`,
`~psycopg2.extras.register_range()` with customized :sql:`search_path`
(:ticket:`1487`).
- Handle correctly composite types with names or in schemas requiring escape.
- Find ``pg_service.conf`` file in the ``/etc/postgresql-common`` directory in
binary packages (:ticket:`1365`).
- `~psycopg2.errorcodes` map and `~psycopg2.errors` classes updated to
PostgreSQL 15.
- Wheel package bundled with OpenSSL 1.1.1q and PostgreSQL 14.4 libpq.

2.9.3

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Alpine (musl) wheels now available (:ticket:`1392`).
- macOS arm64 (Apple M1) wheels now available (:ticket:`1482`).

2.9.2

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Raise `ValueError` for dates >= Y10k (:ticket:`1307`).
- `~psycopg2.errorcodes` map and `~psycopg2.errors` classes updated to
PostgreSQL 14.
- Add preliminary support for Python 3.11 (:tickets:`1376, 1386`).
- Wheel package bundled with OpenSSL 1.1.1l and PostgreSQL 14.1 libpq
(:ticket:`1388`).

2.9.1

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Fix regression with named `~psycopg2.sql.Placeholder` (:ticket:`1291`).

2.9

-------------------------

- ``with connection`` starts a transaction on autocommit transactions too
(:ticket:`941`).
- Timezones with fractional minutes are supported on Python 3.7 and following
(:ticket:`1272`).
- Escape table and column names in `~cursor.copy_from()` and
`~cursor.copy_to()`.
- Connection exceptions with sqlstate ``08XXX`` reclassified as
`~psycopg2.OperationalError` (a subclass of the previously used
`~psycopg2.DatabaseError`) (:ticket:`1148`).
- Include library dirs required from libpq to work around MacOS build problems
(:ticket:`1200`).

Other changes:

- Dropped support for Python 2.7, 3.4, 3.5 (:tickets:`1198, 1000, 1197`).
- Dropped support for mx.DateTime.
- Use `datetime.timezone` objects by default in datetime objects instead of
`~psycopg2.tz.FixedOffsetTimezone`.
- The `psycopg2.tz` module is deprecated and scheduled to be dropped in the
next major release.
- Provide :pep:`599` wheels packages (manylinux2014 tag) for i686 and x86_64
platforms.
- Provide :pep:`600` wheels packages (manylinux_2_24 tag) for aarch64 and
ppc64le platforms.
- Wheel package bundled with OpenSSL 1.1.1k and PostgreSQL 13.3 libpq.
- Build system for Linux/MacOS binary packages moved to GitHub Actions.

2.8.7

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Accept empty params as `~psycopg2.connect()` (:ticket:`1250`).
- Fix attributes refcount in `Column` initialisation (:ticket:`1252`).
- Allow re-initialisation of static variables in the C module (:ticket:`1267`).

2.8.6

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Fixed memory leak changing connection encoding to the current one
(:ticket:`1101`).
- Fixed search of mxDateTime headers in virtualenvs (:ticket:`996`).
- Added missing values from errorcodes (:ticket:`1133`).
- `cursor.query` reports the query of the last :sql:`COPY` operation too
(:ticket:`1141`).
- `~psycopg2.errorcodes` map and `~psycopg2.errors` classes updated to
PostgreSQL 13.
- Added wheel packages for ARM architecture (:ticket:`1125`).
- Wheel package bundled with OpenSSL 1.1.1g.

2.8.5

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Fixed use of `!connection_factory` and `!cursor_factory` together
(:ticket:`1019`).
- Added support for `~logging.LoggerAdapter` in
`~psycopg2.extras.LoggingConnection` (:ticket:`1026`).
- `~psycopg2.extensions.Column` objects in `cursor.description` can be sliced
(:ticket:`1034`).
- Added AIX support (:ticket:`1061`).
- Fixed `~copy.copy()` of `~psycopg2.extras.DictCursor` rows (:ticket:`1073`).

2.8.4

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Fixed building with Python 3.8 (:ticket:`854`).
- Don't swallow keyboard interrupts on connect when a password is specified
in the connection string (:ticket:`898`).
- Don't advance replication cursor when the message wasn't confirmed
(:ticket:`940`).
- Fixed inclusion of ``time.h`` on linux (:ticket:`951`).
- Fixed int overflow for large values in `~psycopg2.extensions.Column.table_oid`
and `~psycopg2.extensions.Column.type_code` (:ticket:`961`).
- `~psycopg2.errorcodes` map and `~psycopg2.errors` classes updated to
PostgreSQL 12.
- Wheel package bundled with OpenSSL 1.1.1d and PostgreSQL at least 11.4.

2.8.3

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Added *interval_status* parameter to
`~psycopg2.extras.ReplicationCursor.start_replication()` method and other
facilities to send automatic replication keepalives at periodic intervals
(:ticket:`913`).
- Fixed namedtuples caching introduced in 2.8 (:ticket:`928`).

2.8.2

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Fixed `~psycopg2.extras.RealDictCursor` when there are repeated columns
(:ticket:`884`).
- Binary packages built with openssl 1.1.1b. Should fix concurrency problems
(:tickets:`543, 836`).

2.8.1

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Fixed `~psycopg2.extras.RealDictRow` modifiability (:ticket:`886`).
- Fixed "there's no async cursor" error polling a connection with no cursor
(:ticket:`887`).

2.8

-------------------------

New features:

- Added `~psycopg2.errors` module. Every PostgreSQL error is converted into
a specific exception class (:ticket:`682`).
- Added `~psycopg2.extensions.encrypt_password()` function (:ticket:`576`).
- Added `~psycopg2.extensions.BYTES` adapter to manage databases with mixed
encodings on Python 3 (:ticket:`835`).
- Added `~psycopg2.extensions.Column.table_oid` and
`~psycopg2.extensions.Column.table_column` attributes on `cursor.description`
items (:ticket:`661`).
- Added `connection.info` object to retrieve various PostgreSQL connection
information (:ticket:`726`).
- Added `~connection.get_native_connection()` to expose the raw ``PGconn``
structure to C extensions via Capsule (:ticket:`782`).
- Added `~connection.pgconn_ptr` and `~cursor.pgresult_ptr` to expose raw
C structures to Python and interact with libpq via ctypes (:ticket:`782`).
- `~psycopg2.sql.Identifier` can represent qualified names in SQL composition
(:ticket:`732`).
- Added `!ReplicationCursor`.\ `~psycopg2.extras.ReplicationCursor.wal_end`
attribute (:ticket:`800`).
- Added *fetch* parameter to `~psycopg2.extras.execute_values()` function
(:ticket:`813`).
- `!str()` on `~psycopg2.extras.Range` produces a human-readable representation
(:ticket:`773`).
- `~psycopg2.extras.DictCursor` and `~psycopg2.extras.RealDictCursor` rows
maintain columns order (:ticket:`177`).
- Added `~psycopg2.extensions.Diagnostics.severity_nonlocalized` attribute on
the `~psycopg2.extensions.Diagnostics` object (:ticket:`783`).
- More efficient `~psycopg2.extras.NamedTupleCursor` (:ticket:`838`).

Bug fixes:

- Fixed connections occasionally broken by the unrelated use of the
multiprocessing module (:ticket:`829`).
- Fixed async communication blocking if results are returned in different
chunks, e.g. with notices interspersed to the results (:ticket:`856`).
- Fixed adaptation of numeric subclasses such as `~enum.IntEnum`
(:ticket:`591`).

Other changes:

- Dropped support for Python 2.6, 3.2, 3.3.
- Dropped `psycopg1` module.
- Dropped deprecated `!register_tstz_w_secs()` (was previously a no-op).
- Dropped deprecated `!PersistentConnectionPool`. This pool class was mostly
designed to interact with Zope. Use `!ZPsycopgDA.pool` instead.
- Binary packages no longer installed by default. The 'psycopg2-binary'
package must be used explicitly.
- Dropped `!PSYCOPG_DISPLAY_SIZE` build parameter.
- Dropped support for mxDateTime as the default date and time adapter.
mxDatetime support continues to be available as an alternative to Python's
builtin datetime.
- No longer use 2to3 during installation for Python 2 & 3 compatibility. All
source files are now compatible with Python 2 & 3 as is.
- The `!psycopg2.test` package is no longer installed by ``python setup.py
install``.
- Wheel package bundled with OpenSSL 1.0.2r and PostgreSQL 11.2 libpq.

2.7.7

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Cleanup of the cursor results assignment code, which might have solved
double free and inconsistencies in concurrent usage (:tickets:`346, 384`).
- Wheel package bundled with OpenSSL 1.0.2q.

2.7.6.1

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Fixed binary package broken on OS X 10.12 (:ticket:`807`).
- Wheel package bundled with PostgreSQL 11.1 libpq.

2.7.6

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Close named cursors if exist, even if `~cursor.execute()` wasn't called
(:ticket:`746`).
- Fixed building on modern FreeBSD versions with Python 3.7 (:ticket:`755`).
- Fixed hang trying to :sql:`COPY` via `~cursor.execute()` in asynchronous
connections (:ticket:`781`).
- Fixed adaptation of arrays of empty arrays (:ticket:`788`).
- Fixed segfault accessing the connection's `~connection.readonly` and
`~connection.deferrable` attributes repeatedly (:ticket:`790`).
- `~psycopg2.extras.execute_values()` accepts `~psycopg2.sql.Composable`
objects (:ticket:`794`).
- `~psycopg2.errorcodes` map updated to PostgreSQL 11.
- Wheel package bundled with PostgreSQL 10.5 libpq and OpenSSL 1.0.2p.

2.7.5

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Allow non-ascii chars in namedtuple fields (regression introduced fixing
:ticket:`211`).
- Fixed adaptation of arrays of arrays of nulls (:ticket:`325`).
- Fixed building on Solaris 11 and derivatives such as SmartOS and illumos
(:ticket:`677`).
- Maybe fixed building on MSYS2 (as reported in :ticket:`658`).
- Allow string subclasses in connection and other places (:ticket:`679`).
- Don't raise an exception closing an unused named cursor (:ticket:`716`).
- Wheel package bundled with PostgreSQL 10.4 libpq and OpenSSL 1.0.2o.

2.7.4

^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Moving away from installing the wheel package by default.
Packages installed from wheel raise a warning on import. Added package
``psycopg2-binary`` to install from wheel instead (:ticket:`543`).
- Convert fields names into valid Python identifiers in
`~psycopg2.extras.NamedTupleCursor` (:ticket:`211`).
- Fixed Solaris 10 support (:ticket:`532`).
- `cursor.mogrify()` can be called on closed cursors (:ticket:`579`).
- Fixed setting session characteristics in corner cases on autocommit
connections (:ticket:`580`).
- Fixed `~psycopg2.extras.MinTimeLoggingCursor` on Python 3 (:ticket:`609`).
- Fixed parsing of array of points as floats (:ticket:`613`).
- Fixed `~psycopg2.__libpq_version__` building with libpq >= 10.1
(:ticket:`632`).
- Fixed `~cursor.rowcount` after `~cursor.executemany()` with :sql:`RETURNING`
statements (:ticket:`633`).
- Fixed compatibility problem with pypy3 (:ticket:`649`).
- Wheel packages bundled with PostgreSQL 10.1 libpq and OpenSSL 1.0.2n.
- Wheel packages for Python 2.6 no more available (support dropped from
wheel building infrastructure).

2.7.3.2

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Wheel package bundled with PostgreSQL 10.0 libpq and OpenSSL 1.0.2l
(:tickets:`601, 602`).

Update celery from 4.3.0 to 5.4.0.

The bot wasn't able to find a changelog for this release. Got an idea?


Update cerberus from 1.3.2 to 1.3.5.

Changelog

1.3.5

-------------

Released on August 9, 2023.

New
~~~

- Support for Python 3.10 & 3.11
- The HTML documentation uses the *furo* theme

Fixed
~~~~~

- ``*of`` rules are skipped for ``None`` values (`582`_)
- Validations of mappings would raise an exception when the field's rules were
provided as reference to a registry item (`599`_)

.. _`582`: https://github.com/pyeve/cerberus/issues/582
.. _`599`: https://github.com/pyeve/cerberus/issues/599

Improved
~~~~~~~~

- Various minor improvements of the documentation

1.3.4

-------------

Released on May 5, 2021.

Fixed
~~~~~

- Reverts the unsatisfying fix for `557`_,
- instead a ``RuntimeError`` is thrown when Python is running with optimization
level 2 (`567`_)

.. _`567`: https://github.com/pyeve/cerberus/issues/567

1.3.3

-------------

Released on April 11, 2021.

New
~~~

- Adds a benchmark to observe overall performance between code changes (`531`_)
- Adds support for Python 3.9
- The Continuous Integration now runs on GitHub Actions

Fixed
~~~~~

- Fixed unresolved registry references when getting a constraint for an error
(`562`_)
- Fixed crash when submitting non-hashable values to ``allowed`` (`524`_)
- Fixed schema validation for rules specifications with space (`527`_)
- Replaced deprecated rule name ``validator`` with ``check_with`` in the docs
(`527`_)
- Use the UnconcernedValidator when the Python interpreter is executed with
an optimization flag (`557`_)
- Several fixes and refinements of the docs

.. _`524`: https://github.com/pyeve/cerberus/issues/524
.. _`527`: https://github.com/pyeve/cerberus/issues/527
.. _`531`: https://github.com/pyeve/cerberus/issues/531
.. _`557`: https://github.com/pyeve/cerberus/issues/557
.. _`562`: https://github.com/pyeve/cerberus/issues/562

Update colorama from 0.4.1 to 0.4.6.

Changelog

0.4.6

* https://github.com/tartley/colorama/pull/139 Add alternative to 'init()',
 called 'just_fix_windows_console'. This fixes many longstanding problems
 with 'init', such as working incorrectly on modern Windows terminals, and
 wonkiness when init gets called multiple times. The intention is that it
 just makes all Windows terminals treat ANSI the same way as other terminals
 do. Many thanks to njsmith for fixing our messes.
* https://github.com/tartley/colorama/pull/352 Support Windows 10's ANSI/VT
 console. This didn't exist when Colorama was created, and avoiding us
 causing havoc there is long overdue. Thanks to segeviner for the initial
 approach, and to njsmith for getting it merged.
* https://github.com/tartley/colorama/pull/338 Internal overhaul of package
 metadata declaration, which abolishes our use of the now heavily
 discouraged setuptools (and hence setup.py, setup.cfg and MANIFEST.in), in
 favor of hatchling (and hence pyproject.toml), generously contributed by
 ofek (author of hatchling). This includes dropping support for Python 3.5 and
 3.6, which are EOL, and were already dropped from setuptools, so this
 should not affect our users.
* https://github.com/tartley/colorama/pull/353 Attention to detail award to
 LqdBcnAtWork for a spelling fix in demo06

0.4.5

* Catch a racy ValueError that could occur on exit.
* Create README-hacking.md, for Colorama contributors.
* Tweak some README unicode characters that don't render correctly on PyPI.
* Fix some tests that were failing on some operating systems.
* Add support for Python 3.9.
* Add support for PyPy3.
* Add support for pickling with the ``dill`` module.

0.4.4

* Re-org of README, to put the most interesting parts near the top.
* Added Linux makefile targets and Windows powershell scripts to automate
 bootstrapping a development environment, and automate the process of
 testing wheels before they are uploaded to PyPI.
* Use stdlib unittest.mock where available
* Travis CI now also builds on arm64
* Demo06 demonstrates existing cursor positioning feature
* Fix OSC regex & handling to prevent hang or crash
* Document enterprise support by Tidelift

0.4.3

* Fix release 0.4.2 which was uploaded with missing files.

0.4.2

* 228: Drop support for EOL Python 3.4, and add 3.7 and 3.8. Thanks to
 hugovk.
* Several additions and fixes to documentation and metadata.
* Added Tidelift subscription information.

Update django from 2.2.6 to 5.1.3.

Changelog

5.1.3

==========================

*November 5, 2024*

Django 5.1.3 fixes several bugs in 5.1.2 and adds compatibility with Python
3.13.

Bugfixes
========

* Fixed a bug in Django 5.1 where
:class:`~django.core.validators.DomainNameValidator` accepted any input value
that contained a valid domain name, rather than only input values that were a
valid domain name (:ticket:`35845`).

* Fixed a regression in Django 5.1 that prevented the use of DB-IP databases
with :class:`~django.contrib.gis.geoip2.GeoIP2` (:ticket:`35841`).

* Fixed a regression in Django 5.1 where non-ASCII fieldset names were not
displayed when rendering admin fieldsets (:ticket:`35876`).


==========================

5.1.2

==========================

*October 8, 2024*

Django 5.1.2 fixes several bugs in 5.1.1. Also, the latest string translations
from Transifex are incorporated.

Bugfixes
========

* Fixed a regression in Django 5.1 that caused a crash when using the
PostgreSQL lookup :lookup:`trigram_similar` on output fields from ``Concat``
(:ticket:`35732`).

* Fixed a regression in Django 5.1 that caused a crash of ``JSONObject()``
when using server-side binding with PostgreSQL 16+ (:ticket:`35734`).

* Fixed a regression in Django 5.1 that made selected items in multi-select
widgets indistinguishable from non-selected items in the admin dark theme
(:ticket:`35809`).


==========================

5.1.1

==========================

*September 3, 2024*

Django 5.1.1 fixes one security issue with severity "moderate", one security
issue with severity "low", and several bugs in 5.1.

CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-45231: Potential user email enumeration via response status on password reset
======================================================================================

Due to unhandled email sending failures, the
:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote
attackers to enumerate user emails by issuing password reset requests and
observing the outcomes.

To mitigate this risk, exceptions occurring during password reset email sending
are now handled and logged using the :ref:`django-contrib-auth-logger` logger.

Bugfixes
========

* Fixed a regression in Django 5.1 that caused a crash of ``Window()`` when
passing an empty sequence to the ``order_by`` parameter, and a crash of
``Prefetch()`` for a sliced queryset without ordering (:ticket:`35665`).

* Fixed a regression in Django 5.1 where a new ``usable_password`` field was
included in :class:`~django.contrib.auth.forms.BaseUserCreationForm` (and
children). A new :class:`~django.contrib.auth.forms.AdminUserCreationForm`
including this field was added, isolating the feature to the admin where it
was intended (:ticket:`35678`).

* Adjusted the deprecation warning ``stacklevel`` in :meth:`.Model.save` and
:meth:`.Model.asave` to correctly point to the offending call site
(:ticket:`35060`).

* Adjusted the deprecation warning ``stacklevel`` when using ``OS_OPEN_FLAGS``
in :class:`~django.core.files.storage.FileSystemStorage` to correctly point
to the offending call site (:ticket:`35326`).

* Adjusted the deprecation warning ``stacklevel`` in
``FieldCacheMixin.get_cache_name()`` to correctly point to the offending call
site (:ticket:`35405`).

* Restored, following a regression in Django 5.1, the ability to override the
timezone and role setting behavior used within the ``init_connection_state``
method of the PostgreSQL backend (:ticket:`35688`).

* Fixed a bug in Django 5.1 where variable lookup errors were logged when
rendering admin fieldsets (:ticket:`35716`).


========================

5.1

========================

*August 7, 2024*

Welcome to Django 5.1!

These release notes cover the :ref:`new features <whats-new-5.1>`, as well as
some :ref:`backwards incompatible changes <backwards-incompatible-5.1>` you
should be aware of when upgrading from Django 5.0 or earlier. We've
:ref:`begun the deprecation process for some features
<deprecated-features-5.1>`.

See the :doc:`/howto/upgrade-version` guide if you're updating an existing
project.

Python compatibility
====================

Django 5.1 supports Python 3.10, 3.11, 3.12, and 3.13 (as of 5.1.3). We
**highly recommend** and only officially support the latest release of each
series.

.. _whats-new-5.1:

What's new in Django 5.1
========================

``{% querystring %}`` template tag
-----------------------------------

Django 5.1 introduces the :ttag:`{% querystring %} <querystring>` template
tag, simplifying the modification of query parameters in URLs, making it easier
to generate links that maintain existing query parameters while adding or
changing specific ones.

For instance, navigating pagination and query strings in templates can be
cumbersome. Consider this template fragment that dynamically generates a URL
for navigating to the next page within a paginated view:

.. code-block:: html+django

 {# Linebreaks added for readability, this should be one, long line. #}
 <a href="?{% for key, values in request.GET.lists %}
   {% if key != "page" %}
     {% for value in values %}
       {{ key }}={{ value }}&
     {% endfor %}
   {% endif %}
 {% endfor %}page={{ page.next_page_number }}">Next page</a>

When switching to using this new template tag, the above magically becomes:

.. code-block:: html+django

 <a href="{% querystring page=page.next_page_number %}">Next page</a>

PostgreSQL Connection Pools
---------------------------

Django 5.1 also introduces :ref:`connection pool <postgresql-pool>` support for
PostgreSQL. As the time to establish a new connection can be relatively long,
keeping connections open can reduce latency.

To use a connection pool with `psycopg`_, you can set the ``"pool"`` option
inside :setting:`OPTIONS` to be a dict to be passed to
:class:`~psycopg:psycopg_pool.ConnectionPool`, or to ``True`` to use the
``ConnectionPool`` defaults::

 DATABASES = {
     "default": {
         "ENGINE": "django.db.backends.postgresql",
         # ...
         "OPTIONS": {
             "pool": {
                 "min_size": 2,
                 "max_size": 4,
                 "timeout": 10,
             }
         },
     },
 }

.. _psycopg: https://www.psycopg.org/

Middleware to require authentication by default
-----------------------------------------------

The new :class:`~django.contrib.auth.middleware.LoginRequiredMiddleware`
redirects all unauthenticated requests to a login page. Views can allow
unauthenticated requests by using the new
:func:`~django.contrib.auth.decorators.login_not_required` decorator.

``LoginRequiredMiddleware`` respects the ``login_url`` and
``redirect_field_name`` values set via the
:func:`~.django.contrib.auth.decorators.login_required` decorator, but does not
support setting ``login_url`` or ``redirect_field_name`` via the
:class:`~django.contrib.auth.mixins.LoginRequiredMixin`.

To enable this, add ``"django.contrib.auth.middleware.LoginRequiredMiddleware"``
to your :setting:`MIDDLEWARE` setting.

Minor features
--------------

:mod:`django.contrib.admin`
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :attr:`.ModelAdmin.list_display` now supports using ``__`` lookups to list
fields from related models.

:mod:`django.contrib.auth`
~~~~~~~~~~~~~~~~~~~~~~~~~~

* The default iteration count for the PBKDF2 password hasher is increased from
720,000 to 870,000.

* The default ``parallelism`` of the ``ScryptPasswordHasher`` is 
increased from 1 to 5, to follow OWASP recommendations.

* The new :class:`~django.contrib.auth.forms.AdminUserCreationForm` and
the existing :class:`~django.contrib.auth.forms.AdminPasswordChangeForm` now
support disabling password-based authentication by setting an unusable
password on form save. This is now available in the admin when visiting the
user creation and password change pages.

* :func:`~.django.contrib.auth.decorators.login_required`,
:func:`~.django.contrib.auth.decorators.permission_required`, and
:func:`~.django.contrib.auth.decorators.user_passes_test` decorators now
support wrapping asynchronous view functions.

* ``ReadOnlyPasswordHashWidget`` now includes a button to reset the user's
password, which replaces the link previously embedded in the
``ReadOnlyPasswordHashField``'s help text, improving the overall
accessibility of the
:class:`~django.contrib.auth.forms.UserChangeForm`.

:mod:`django.contrib.gis`
~~~~~~~~~~~~~~~~~~~~~~~~~

* :class:`~django.contrib.gis.db.models.functions.BoundingCircle` is now
supported on SpatiaLite 5.1+.

* :class:`~django.contrib.gis.db.models.Collect` is now supported on MySQL
8.0.24+.

* :class:`~django.contrib.gis.geoip2.GeoIP2` now allows querying using
:class:`ipaddress.IPv4Address` or :class:`ipaddress.IPv6Address` objects.

* :meth:`.GeoIP2.country` now exposes the ``continent_code``,
``continent_name``, and ``is_in_european_union`` values.

* :meth:`.GeoIP2.city` now exposes the ``accuracy_radius`` and ``region_name``
values. In addition, the ``dma_code`` and ``region`` values are now exposed
as ``metro_code`` and ``region_code``, but the previous keys are also
retained for backward compatibility.

* :class:`~django.contrib.gis.measure.Area` now supports the ``ha`` unit.

* The new :attr:`.OGRGeometry.is_3d` attribute allows checking if a geometry
has a ``Z`` coordinate dimension.

* The new :meth:`.OGRGeometry.set_3d` method allows addition and removal of the
``Z`` coordinate dimension.

* :class:`~django.contrib.gis.gdal.OGRGeometry`,
:class:`~django.contrib.gis.gdal.Point`,
:class:`~django.contrib.gis.gdal.LineString`,
:class:`~django.contrib.gis.gdal.Polygon`, and
:class:`~django.contrib.gis.gdal.GeometryCollection` and its subclasses now
support measured geometries via the new :attr:`.OGRGeometry.is_measured` and
``m`` properties, and the :meth:`.OGRGeometry.set_measured` method.

* :attr:`.OGRGeometry.centroid` is now available on all supported geometry
types.

* :class:`FromWKB() <django.contrib.gis.db.models.functions.FromWKB>` and
:class:`FromWKT() <django.contrib.gis.db.models.functions.FromWKT>` functions
now support the optional ``srid`` argument (except for Oracle where it is
ignored).

:mod:`django.contrib.postgres`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :class:`~django.contrib.postgres.indexes.BTreeIndex` now supports the
``deduplicate_items`` parameter.

:mod:`django.contrib.sessions`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :class:`django.contrib.sessions.backends.cached_db.SessionStore` now handles
exceptions when storing session information in the cache, logging proper
error messages with their traceback via the newly added
:ref:`sessions logger <django-contrib-sessions-logger>`.

* :class:`django.contrib.sessions.backends.base.SessionBase` and all built-in
session engines now provide async API. The new asynchronous methods all have
``a`` prefixed names, e.g. ``aget()``, ``akeys()``, or ``acycle_key()``.

Database backends
~~~~~~~~~~~~~~~~~

* ``"init_command"`` option is now supported in :setting:`OPTIONS` on SQLite
to allow specifying :ref:`pragma options <sqlite-init-command>` to set upon
connection.

* ``"transaction_mode"`` option is now supported in :setting:`OPTIONS` on
SQLite to allow specifying the :ref:`sqlite-transaction-behavior`.

* ``"pool"`` option is now supported in :setting:`OPTIONS` on PostgreSQL to
allow using :ref:`connection pools <postgresql-pool>`.

Error Reporting
~~~~~~~~~~~~~~~

* In order to improve accessibility, the technical 404 and 500 error pages now
use HTML landmark elements for the header, footer, and main content areas.

File Storage
~~~~~~~~~~~~

* The :attr:`~django.core.files.storage.FileSystemStorage.allow_overwrite`
parameter of :class:`~django.core.files.storage.FileSystemStorage` now allows
saving new files over existing ones.

Forms
~~~~~

* In order to improve accessibility and enable screen readers to associate
fieldsets with their help text, the form fieldset now includes the
``aria-describedby`` HTML attribute.

Management Commands
~~~~~~~~~~~~~~~~~~~

* The :djadmin:`makemigrations` command now displays meaningful symbols for
each operation to highlight :class:`operation categories
<django.db.migrations.operations.base.OperationCategory>`.

Migrations
~~~~~~~~~~

* The new ``Operation.category`` attribute allows specifying an
:class:`operation category
<django.db.migrations.operations.base.OperationCategory>` used by the
:djadmin:`makemigrations` to display a meaningful symbol for the operation.

Models
~~~~~~

* :meth:`.QuerySet.explain` now supports the ``generic_plan`` option on
PostgreSQL 16+.

* :class:`~django.db.models.expressions.RowRange` now accepts positive integers
for the ``start`` argument and negative integers for the ``end`` argument.

* The new ``exclusion`` argument of
:class:`~django.db.models.expressions.RowRange` and
:class:`~django.db.models.expressions.ValueRange` allows excluding rows,
groups, and ties from the window frames.

* :meth:`.QuerySet.order_by` now supports ordering by annotation transforms
such as ``JSONObject`` keys and ``ArrayAgg`` indices.

* :class:`F() <django.db.models.F>` and :class:`OuterRef()
<django.db.models.OuterRef>` expressions that output
:class:`~django.db.models.CharField`, :class:`~django.db.models.EmailField`,
:class:`~django.db.models.SlugField`, :class:`~django.db.models.URLField`,
:class:`~django.db.models.TextField`, or
:class:`~django.contrib.postgres.fields.ArrayField` can now be :ref:`sliced
<slicing-using-f>`.

* The new ``from_queryset`` argument of :meth:`.Model.refresh_from_db` and
:meth:`.Model.arefresh_from_db` allows customizing the queryset used to
reload a model's value. This can be used to lock the row before reloading or
to select related objects.

* The new :attr:`.Expression.constraint_validation_compatible` attribute allows
specifying that the expression should be ignored during a constraint
validation.

Templates
~~~~~~~~~

* Custom tags may now set extra data on the ``Parser`` object that will later
be made available on the ``Template`` instance. Such data may be used, for
example, by the template loader, or other template clients.

* :ref:`Template engines <field-checking>` now implement a ``check()`` method
that is already registered with the check framework.

Tests
~~~~~

* :meth:`~django.test.SimpleTestCase.assertContains`,
:meth:`~django.test.SimpleTestCase.assertNotContains`, and
:meth:`~django.test.SimpleTestCase.assertInHTML` assertions now add haystacks
to assertion error messages.

* The :class:`~django.test.RequestFactory`,
:class:`~django.test.AsyncRequestFactory`, :class:`~django.test.Client`, and
:class:`~django.test.AsyncClient` classes now support the ``query_params``
parameter, which accepts a dictionary of query string keys and values. This
allows setting query strings on any HTTP method more easily.

.. code-block:: python

  self.client.post("/items/1", query_params={"action": "delete"})
  await self.async_client.post("/items/1", query_params={"action": "delete"})

* The new :meth:`.SimpleTestCase.assertNotInHTML` assertion allows testing that
an HTML fragment is not contained in the given HTML haystack.

* In order to enforce test isolation, database connections inside threads are
no longer allowed in :class:`~django.test.SimpleTestCase`.

Validators
~~~~~~~~~~

* The new :class:`~django.core.validators.DomainNameValidator` validates domain
names, including internationalized domain names. The new
:func:`~django.core.validators.validate_domain_name` function returns an
instance of :class:`~django.core.validators.DomainNameValidator`.

.. _backwards-incompatible-5.1:

Backwards incompatible changes in 5.1
=====================================

:mod:`django.contrib.gis`
-------------------------

* Support for PostGIS 2.5 is removed.

* Support for PROJ < 6 is removed.

* Support for GDAL 2.4 is removed.

* :class:`~django.contrib.gis.geoip2.GeoIP2` no longer opens both city and
country databases when a directory path is provided, preferring the city
database, if it is available. The country database is a subset of the city
database and both are not typically needed. If you require use of the country
database when in the same directory as the city database, explicitly pass the
country database path to the constructor.

Dropped support for MariaDB 10.4
--------------------------------

Upstream support for MariaDB 10.4 ends in June 2024. Django 5.1 supports
MariaDB 10.5 and higher.

Dropped support for PostgreSQL 12
---------------------------------

Upstream support for PostgreSQL 12 ends in November 2024. Django 5.1 supports
PostgreSQL 13 and higher.

Miscellaneous
-------------

* In order to improve accessibility, the admin's changelist filter is now
rendered in a ``<nav>`` tag instead of a ``<div>``.

* In order to improve accessibility, the admin's footer is now rendered in
a ``<footer>`` tag instead of a ``<div>``, and also moved below the
``<div id="main">`` element.

* In order to improve accessibility, the expandable widget used for
:attr:`ModelAdmin.fieldsets <django.contrib.admin.ModelAdmin.fieldsets>` and
:attr:`InlineModelAdmin.fieldsets <django.contrib.admin.InlineModelAdmin>`,
when the fieldset has a name and uses the ``collapse`` class, now includes
``<details>`` and ``<summary>`` elements.

* The JavaScript file ``collapse.js`` is removed since it is no longer needed
in the Django admin site.

* :meth:`.SimpleTestCase.assertURLEqual` and
:meth:`~django.test.SimpleTestCase.assertInHTML` now add ``": "`` to the
``msg_prefix``. This is consistent with the behavior of other assertions.

* ``django.utils.text.Truncator`` used by :tfilter:`truncatechars_html` and
:tfilter:`truncatewords_html` template filters now uses
:py:class:`html.parser.HTMLParser` subclasses. This results in a more robust
and faster operation, but there may be small differences in the output.

* The undocumented ``django.urls.converters.get_converter()`` function is
removed.

* The minimum supported version of SQLite is increased from 3.27.0 to 3.31.0.

* :class:`~django.db.models.FileField` now raises a
:class:`~django.core.exceptions.FieldError` when saving a file without a
``name``.

* ``ImageField.update_dimension_fields(force=True)`` is no longer called after
saving the image to storage. If your storage backend resizes images, the
``width_field`` and ``height_field`` will not match the width and height of
the image.

* The minimum supported version of ``asgiref`` is increased from 3.7.0 to
3.8.1.

.. _deprecated-features-5.1:

Features deprecated in 5.1
==========================

Miscellaneous
-------------

* The ``ModelAdmin.log_deletion()`` and ``LogEntryManager.log_action()``
methods are deprecated. Subclasses should implement
``ModelAdmin.log_deletions()`` and ``LogEntryManager.log_actions()``
instead.

* The undocumented ``django.utils.itercompat.is_iterable()`` function and the
``django.utils.itercompat`` module are deprecated. Use
``isinstance(..., collections.abc.Iterable)`` instead.

* The ``django.contrib.gis.geoip2.GeoIP2.coords()`` method is deprecated. Use
``django.contrib.gis.geoip2.GeoIP2.lon_lat()`` instead.

* The ``django.contrib.gis.geoip2.GeoIP2.open()`` method is deprecated. Use the
:class:`~django.contrib.gis.geoip2.GeoIP2` constructor instead.

* Passing positional arguments to :meth:`.Model.save` and :meth:`.Model.asave`
is deprecated in favor of keyword-only arguments.

* Setting ``django.contrib.gis.gdal.OGRGeometry.coord_dim`` is deprecated. Use
:meth:`~django.contrib.gis.gdal.OGRGeometry.set_3d` instead.

* Overriding existing converters with ``django.urls.register_converter()`` is
deprecated.

* The ``check`` keyword argument of ``CheckConstraint`` is deprecated in favor
of ``condition``.

* The undocumented ``OS_OPEN_FLAGS`` property of
:class:`~django.core.files.storage.FileSystemStorage` is deprecated. To allow
overwriting files in storage, set the new
:attr:`~django.core.files.storage.FileSystemStorage.allow_overwrite` option
to ``True`` instead.

* The ``get_cache_name()`` method of ``FieldCacheMixin`` is deprecated in favor
of the ``cache_name`` cached property.

Features removed in 5.1
=======================

These features have reached the end of their deprecation cycle and are removed
in Django 5.1.

See :ref:`deprecated-features-4.2` for details on these changes, including how
to remove usage of these features.

* The ``BaseUserManager.make_random_password()`` method is removed.

* The model's ``Meta.index_together`` option is removed.

* The ``length_is`` template filter is removed.

* The ``django.contrib.auth.hashers.SHA1PasswordHasher``,
``django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher``, and
``django.contrib.auth.hashers.UnsaltedMD5PasswordHasher`` are removed.

* The model ``django.contrib.postgres.fields.CICharField``,
``django.contrib.postgres.fields.CIEmailField``, and
``django.contrib.postgres.fields.CITextField`` are removed, except for
support in historical migrations.

* The ``django.contrib.postgres.fields.CIText`` mixin is removed.

* The ``map_width`` and ``map_height`` attributes of ``BaseGeometryWidget`` are
removed.

* The ``SimpleTestCase.assertFormsetError()`` method is removed.

* The ``TransactionTestCase.assertQuerysetEqual()`` method is removed.

* Support for passing encoded JSON string literals to ``JSONField`` and
associated lookups and expressions is removed.

* Support for passing positional arguments to ``Signer`` and
``TimestampSigner`` is removed.

* The ``DEFAULT_FILE_STORAGE`` and ``STATICFILES_STORAGE`` settings are removed.

* The ``django.core.files.storage.get_storage_class()`` function is removed.








===========================

5.0.9

===========================

*September 3, 2024*

Django 5.0.9 fixes one security issue with severity "moderate" and one security
issue with severity "low" in 5.0.8.

CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-45231: Potential user email enumeration via response status on password reset
======================================================================================

Due to unhandled email sending failures, the
:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote
attackers to enumerate user emails by issuing password reset requests and
observing the outcomes.

To mitigate this risk, exceptions occurring during password reset email sending
are now handled and logged using the :ref:`django-contrib-auth-logger` logger.


==========================

5.0.8

==========================

*August 6, 2024*

Django 5.0.8 fixes three security issues with severity "moderate", one security
issue with severity "high", and several bugs in 5.0.7.

CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
================================================================================

If :tfilter:`floatformat` received a string representation of a number in
scientific notation with a large exponent, it could lead to significant memory
consumption.

To avoid this, decimals with more than 200 digits are now returned as is.

CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
=======================================================================================================================

:tfilter:`urlize`, :tfilter:`urlizetrunc`, and ``AdminURLFieldWidget`` were
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.

CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
======================================================================================

:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
with a ``JSONField`` were subject to SQL injection in column aliases, via a
crafted JSON object key as a passed ``*arg``.

Bugfixes
========

* Added missing validation for ``UniqueConstraint(nulls_distinct=False)`` when
using ``*expressions`` (:ticket:`35594`).

* Fixed a regression in Django 5.0 where ``ModelAdmin.action_checkbox`` could
break the admin changelist HTML page when rendering a model instance with a
``__html__`` method (:ticket:`35606`).

* Fixed a crash when creating a model with a ``Field.db_default`` and a
``Meta.constraints`` constraint composed of ``__endswith``, ``__startswith``,
or ``__contains`` lookups (:ticket:`35625`).

* Fixed a regression in Django 5.0.7 that caused a crash in
``LocaleMiddleware`` when processing a language code over 500 characters
(:ticket:`35627`).

* Fixed a bug in Django 5.0 that caused a system check crash when
``ModelAdmin.date_hierarchy`` was a ``GeneratedField`` with an
``output_field`` of ``DateField`` or ``DateTimeField`` (:ticket:`35628`).

* Fixed a bug in Django 5.0 which caused constraint validation to either crash
or incorrectly raise validation errors for constraints referring to fields
using ``Field.db_default`` (:ticket:`35638`).

* Fixed a crash in Django 5.0 when saving a model containing a ``FileField``
with a ``db_default`` set (:ticket:`35657`).


==========================

5.0.7

==========================

*July 9, 2024*

Django 5.0.7 fixes two security issues with severity "moderate", two security
issues with severity "low", and one bug in 5.0.6.

CVE-2024-38875: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via certain inputs with a very large number of
brackets.

CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
================================================================================================

The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
allowed remote attackers to enumerate users via a timing attack involving login
requests for users with unusable passwords.

CVE-2024-39330: Potential directory-traversal via ``Storage.save()``
====================================================================

Derived classes of the :class:`~django.core.files.storage.Storage` base class
which override :meth:`generate_filename()
<django.core.files.storage.Storage.generate_filename()>` without replicating
the file path validations existing in the parent class, allowed for potential
directory-traversal via certain inputs when calling :meth:`save()
<django.core.files.storage.Storage.save()>`.

Built-in ``Storage`` sub-classes were not affected by this vulnerability.

CVE-2024-39614: Potential denial-of-service vulnerability in ``get_supported_language_variant()``
=================================================================================================

:meth:`~django.utils.translation.get_supported_language_variant` was subject to
a potential denial-of-service attack when used with very long strings
containing specific characters.

To mitigate this vulnerability, the language code provided to
:meth:`~django.utils.translation.get_supported_language_variant` is now parsed
up to a maximum length of 500 characters.

When the language code is over 500 characters, a :exc:`ValueError` will now be
raised if ``strict`` is ``True``, or if there is no generic variant and
``strict`` is ``False``.

Bugfixes
========

* Fixed a bug in Django 5.0 that caused a crash of ``Model.full_clean()`` on
unsaved model instances with a ``GeneratedField`` and certain defined
:attr:`Meta.constraints <django.db.models.Options.constraints>`
(:ticket:`35560`).


==========================

5.0.6

==========================

*May 7, 2024*

Django 5.0.6 fixes a packaging error in 5.0.5.


==========================

5.0.5

==========================

*May 6, 2024*

Django 5.0.5 fixes several bugs in 5.0.4.

Bugfixes
========

* Fixed a bug in Django 5.0 that caused a crash of ``Model.save()`` when
creating an instance of a model with a ``GeneratedField`` and providing a
primary key (:ticket:`35350`).

* Fixed a compatibility issue encountered in Python 3.11.9+ and 3.12.3+ when
validating email max line lengths with content decoded using the
``surrogateescape`` error handling scheme (:ticket:`35361`).

* Fixed a bug in Django 5.0 that caused a crash when applying migrations
including alterations to ``GeneratedField`` such as setting ``db_index=True``
on SQLite (:ticket:`35373`).

* Allowed importing ``aprefetch_related_objects`` from ``django.db.models``
(:ticket:`35392`).

* Fixed a bug in Django 5.0 that caused a migration crash when a
``GeneratedField`` was added before any of the referenced fields from its
``expression`` definition (:ticket:`35359`).

* Fixed a bug in Django 5.0 that caused a migration crash when altering a
``GeneratedField`` referencing a renamed field (:ticket:`35422`).

* Fixed a bug in Django 5.0 where the ``querysets`` argument of
``GenericPrefetch`` was not required (:ticket:`35426`).


==========================

5.0.4

==========================

*April 3, 2024*

Django 5.0.4 fixes several bugs in 5.0.3.

Bugfixes
========

* Fixed a bug in Django 5.0 that caused a crash of ``Model.full_clean()`` on
fields with expressions in ``db_default``. As a consequence,
``Model.full_clean()`` no longer validates for empty values in fields with
``db_default`` (:ticket:`35223`).

* Fixed a regression in Django 5.0 where the ``AdminFileWidget`` could be
rendered with two ``id`` attributes on the "Clear" checkbox
(:ticket:`35273`).

* Fixed a bug in Django 5.0 that caused a migration crash on PostgreSQL 15+
when adding a partial ``UniqueConstraint`` with ``nulls_distinct``
(:ticket:`35329`).

* Fixed a crash in Django 5.0 when performing queries involving table aliases
and lookups on a ``GeneratedField`` of the aliased table (:ticket:`35344`).

* Fixed a bug in Django 5.0 that caused a migration crash when adding a
``GeneratedField`` relying on the ``__contains`` or ``__icontains``
lookups or using a ``Value`` containing a ``"%"`` (:ticket:`35336`).


==========================

5.0.3

==========================

*March 4, 2024*

Django 5.0.3 fixes a security issue with severity "moderate" and several bugs
in 5.0.2.

CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
=========================================================================================================

``django.utils.text.Truncator.words()`` method (with ``html=True``) and
:tfilter:`truncatewords_html` template filter were subject to a potential
regular expression denial-of-service attack using a suitably crafted string
(follow up to :cve:`2019-14232` and :cve:`2023-43665`).

Bugfixes
========

* Fixed a regression in Django 5.0.2 where ``intcomma`` template filter could
return a leading comma for string representation of floats (:ticket:`35172`).

* Fixed a bug in Django 5.0 that caused a crash of ``Signal.asend()`` and
``asend_robust()`` when all receivers were asynchronous functions
(:ticket:`35174`).

* Fixed a regression in Django 5.0.1 where :meth:`.ModelAdmin.lookup_allowed`
would prevent filtering against foreign keys using lookups like ``__isnull``
when the field was not included in :attr:`.ModelAdmin.list_filter`
(:ticket:`35173`).

* Fixed a regression in Django 5.0 that caused a crash of
``sensitive_variables`` and ``sensitive_post_parameters`` decorators on
functions loaded from ``.pyc`` files (:ticket:`35187`).

* Fixed a regression in Django 5.0 that caused a crash when reloading a test
database and a base queryset for a base manager used ``prefetch_related()``
(:ticket:`35238`).

* Fixed a bug in Django 5.0 where facet filters in the admin would crash on a
``SimpleListFilter`` using a queryset without primary keys (:ticket:`35198`).


==========================

5.0.2

==========================

*February 6, 2024*

Django 5.0.2 fixes a security issue with severity "moderate" and several bugs
in 5.0.1. Also, the latest string translations from Transifex are incorporated.

CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
===========================================================================

The ``intcomma`` template filter was subject to a potential denial-of-service
attack when used with very long strings.

Bugfixes
========

* Reallowed, following a regression in Django 5.0.1, filtering against local
foreign keys not included in :attr:`.ModelAdmin.list_filter`
(:ticket:`35087`).

* Fixed a regression in Django 5.0 where links in the admin had an incorrect
color (:ticket:`35121`).

* Fixed a bug in Django 5.0 that caused a crash of ``Model.full_clean()`` on
models with a ``GeneratedField`` (:ticket:`35127`).

* Fixed a regression in Django 5.0 that caused a crash of
``FilteredRelation()`` with querysets as right-hand sides (:ticket:`35135`).
``FilteredRelation()`` now raises a ``ValueError`` on querysets as right-hand
sides.

* Fixed a regression in Django 5.0 that caused a crash of the ``dumpdata``
management command when a base queryset used ``prefetch_related()``
(:ticket:`35159`).

* Fixed a regression in Django 5.0 that caused the ``request_finished`` signal to
sometimes not be fired when running Django through an ASGI server, resulting
in potential resource leaks (:ticket:`35059`).

* Fixed a bug in Django 5.0 that caused a migration crash on MySQL when adding
a ``BinaryField``, ``TextField``, ``JSONField``, or ``GeometryField`` with a
``db_default`` (:ticket:`35162`).

* Fixed a bug in Django 5.0 that caused a migration crash on models with a
literal ``db_default`` of a complex type such as ``dict`` instance of a
``JSONField``. Running ``makemigrations`` might generate no-op ``AlterField``
operations for fields using ``db_default`` (:ticket:`35149`).


==========================

5.0.1

==========================

*January 2, 2024*

Django 5.0.1 fixes several bugs in 5.0.

Bugfixes
========

* Reallowed, following a regression in Django 5.0, using a foreign key to a
model with a primary key that is not ``AutoField`` in
:attr:`.ModelAdmin.list_filter` (:ticket:`35020`).

* Fixed a long standing bug in handling the ``RETURNING INTO`` clause that
caused a crash when creating a model instance with a ``GeneratedField`` whose
``output_field`` had backend-specific converters (:ticket:`35024`).

* Fixed a regression in Django 5.0 that caused a crash of ``Model.save()`` for
models with both ``GeneratedField`` and ``ForeignKey`` fields
(:ticket:`35019`).

* Fixed a bug in Django 5.0 that caused a migration crash on Oracle < 23c when
adding a ``GeneratedField`` with ``output_field=BooleanField``
(:ticket:`35018`).

* Fixed a regression in Django 5.0 where admin fields on the same line could
overflow the page and become non-interactive (:ticket:`35012`).

* Added compatibility for ``oracledb`` 2.0.0 (:ticket:`35054`).

* Fixed a regression in Django 5.0 where querysets referenced incorrect field
names from ``FilteredRelation()`` (:ticket:`35050`).

* Fixed a regression in Django 5.0 that caused a system check crash when
``ModelAdmin.filter_horizontal`` or ``filter_vertical`` contained a reverse
many-to-many relation with ``related_name`` (:ticket:`35056`).


========================

5.0

========================

*December 4, 2023*

Welcome to Django 5.0!

These release notes cover the :ref:`new features <whats-new-5.0>`, as well as
some :ref:`backwards incompatible changes <backwards-incompatible-5.0>` you'll
want to be aware of when upgrading from Django 4.2 or earlier. We've
:ref:`begun the deprecation process for some features
<deprecated-features-5.0>`.

See the :doc:`/howto/upgrade-version` guide if you're updating an existing
project.

Python compatibility
====================

Django 5.0 supports Python 3.10, 3.11, and 3.12. We **highly recommend** and
only officially support the latest release of each series.

The Django 4.2.x series is the last to support Python 3.8 and 3.9.

Third-party library support for older versions of Django
========================================================

Following the release of Django 5.0, we suggest that third-party app authors
drop support for all versions of Django prior to 4.2. At that time, you should
be able to run your package's tests using ``python -Wd`` so that deprecation
warnings appear. After making the deprecation warning fixes, your app should be
compatible with Django 5.0.

.. _whats-new-5.0:

What's new in Django 5.0
========================

Facet filters in the admin
--------------------------

Facet counts are now shown for applied filters in the admin changelist when
toggled on via the UI. This behavior can be changed via the new
:attr:`.ModelAdmin.show_facets` attribute. For more information see
:ref:`facet-filters`.

Simplified templates for form field rendering
---------------------------------------------

Django 5.0 introduces the concept of a field group, and field group templates.
This simplifies rendering of the related elements of a Django form field such
as its label, widget, help text, and errors.

For example, the template below:

.. code-block:: html+django

 <form>
 ...
 <div>
   {{ form.name.label_tag }}
   {% if form.name.help_text %}
     <div class="helptext" id="{{ form.name.auto_id }}_helptext">
       {{ form.name.help_text|safe }}
     </div>
   {% endif %}
   {{ form.name.errors }}
   {{ form.name }}
   <div class="row">
     <div class="col">
       {{ form.email.label_tag }}
       {% if form.email.help_text %}
         <div class="helptext" id="{{ form.email.auto_id }}_helptext">
           {{ form.email.help_text|safe }}
         </div>
       {% endif %}
       {{ form.email.errors }}
       {{ form.email }}
     </div>
     <div class="col">
       {{ form.password.label_tag }}
       {% if form.password.help_text %}
         <div class="helptext" id="{{ form.password.auto_id }}_helptext">
           {{ form.password.help_text|safe }}
         </div>
       {% endif %}
       {{ form.password.errors }}
       {{ form.password }}
     </div>
   </div>
 </div>
 ...
 </form>

Can now be simplified to:

.. code-block:: html+django

 <form>
 ...
 <div>
   {{ form.name.as_field_group }}
   <div class="row">
     <div class="col">{{ form.email.as_field_group }}</div>
     <div class="col">{{ form.password.as_field_group }}</div>
   </div>
 </div>
 ...
 </form>

:meth:`~django.forms.BoundField.as_field_group` renders fields with the
``"django/forms/field.html"`` template by default and can be customized on a
per-project, per-field, or per-request basis. See
:ref:`reusable-field-group-templates`.

Database-computed default values
--------------------------------

The new :attr:`Field.db_default <django.db.models.Field.db_default>` parameter
sets a database-computed default value. For example::

 from django.db import models
 from django.db.models.functions import Now, Pi


 class MyModel(models.Model):
     age = models.IntegerField(db_default=18)
     created = models.DateTimeField(db_default=Now())
     circumference = models.FloatField(db_default=2 * Pi())

Database generated model field
------------------------------

The new :class:`~django.db.models.GeneratedField` allows creation of database
generated columns. This field can be used on all supported database backends
to create a field that is always computed from other fields. For example::

 from django.db import models
 from django.db.models import F


 class Square(models.Model):
     side = models.IntegerField()
     area = models.GeneratedField(
         expression=F("side") * F("side"),
         output_field=models.BigIntegerField(),
         db_persist=True,
     )

More options for declaring field choices
----------------------------------------

:attr:`.Field.choices` *(for model fields)* and :attr:`.ChoiceField.choices`
*(for form fields)* allow for more flexibility when declaring their values. In
previous versions of Django, ``choices`` should either be a list of 2-tuples,
or an :ref:`field-choices-enum-types` subclass, but the latter required
accessing the ``.choices`` attribute to provide the values in the expected
form::

 from django.db import models

 Medal = models.TextChoices("Medal", "GOLD SILVER BRONZE")

 SPORT_CHOICES = [
     ("Martial Arts", [("judo", "Judo"), ("karate", "Karate")]),
     ("Racket", [("badminton", "Badminton"), ("tennis", "Tennis")]),
     ("unknown", "Unknown"),
 ]


 class Winner(models.Model):
     name = models.CharField(...)
     medal = models.CharField(..., choices=Medal.choices)
     sport = models.CharField(..., choices=SPORT_CHOICES)

Django 5.0 adds support for accepting a mapping or a callable instead of an
iterable, and also no longer requires ``.choices`` to be used directly to
expand :ref:`enumeration types <field-choices-enum-types>`::

 from django.db import models

 Medal = models.TextChoices("Medal", "GOLD SILVER BRONZE")

 SPORT_CHOICES = {  # Using a mapping instead of a list of 2-tuples.
     "Martial Arts": {"judo": "Judo", "karate": "Karate"},
     "Racket": {"badminton": "Badminton", "tennis": "Tennis"},
     "unknown": "Unknown",
 }


 def get_scores():
     return [(i, str(i)) for i in range(10)]


 class Winner(models.Model):
     name = models.CharField(...)
     medal = models.CharField(..., choices=Medal)  # Using `.choices` not required.
     sport = models.CharField(..., choices=SPORT_CHOICES)
     score = models.IntegerField(choices=get_scores)  # A callable is allowed.

Under the hood the provided ``choices`` are normalized into a list of 2-tuples
as the canonical form whenever the ``choices`` value is updated. For more
information, please check the :ref:`model field reference on choices
<field-choices>`.

Minor features
--------------

:mod:`django.contrib.admin`
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* The new :meth:`.AdminSite.get_log_entries` method allows customizing the
queryset for the site's listed log entries.

* The ``django.contrib.admin.AllValuesFieldListFilter``,
``ChoicesFieldListFilter``, ``RelatedFieldListFilter``, and
``RelatedOnlyFieldListFilter`` admin filters now handle multi-valued query
parameters.

* ``XRegExp`` is upgraded from version 3.2.0 to 5.1.1.

* The new :meth:`.AdminSite.get_model_admin` method returns an admin class for
the given model class.

* Properties in :attr:`.ModelAdmin.list_display` now support the ``boolean``
attribute.

* jQuery
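
The CVE-2024-39330 entry in the 5.0.7 notes above concerns ``Storage`` subclasses that override ``generate_filename()`` without replicating the parent's path validation. The following is an added illustration of that pattern and two ways to close it; it is not part of the bot's comment and is not Django's code. ``ToyStorage``, ``validate_relative_name``, ``save_contained``, the ``tenant-42`` prefix and the ``/srv/media`` root are all hypothetical, and the sample file names are constructed.

```python
import posixpath
from pathlib import PurePosixPath


class SuspiciousFileName(ValueError):
    """Hypothetical error for names that could escape the storage root."""


def validate_relative_name(name):
    """Return the name with forward slashes; raise if empty, absolute or using '..'."""
    normalized = str(name).replace("\\", "/")
    path = PurePosixPath(normalized)
    if not normalized or path.is_absolute() or ".." in path.parts:
        raise SuspiciousFileName(f"path traversal attempt: {name!r}")
    return normalized


class ToyStorage:
    """Simplified stand-in for a storage base class; files live in a dict."""

    def __init__(self, root="/srv/media"):
        self.root = root
        self.files = {}  # final path -> content, instead of a real filesystem

    def generate_filename(self, filename):
        # Parent behaviour: the name is validated before it is used.
        return posixpath.normpath(validate_relative_name(filename))

    def save(self, name, content):
        # save() trusts whatever generate_filename() returns.
        final_name = self.generate_filename(name)
        target = posixpath.normpath(posixpath.join(self.root, final_name))
        self.files[target] = content
        return target


class PrefixingStorage(ToyStorage):
    """Override of the kind the note describes: validation is not replicated."""

    def generate_filename(self, filename):
        return "tenant-42/" + filename


class HardenedPrefixingStorage(ToyStorage):
    """Same naming rule, but the parent's validation still runs first."""

    def generate_filename(self, filename):
        return "tenant-42/" + super().generate_filename(filename)


def save_contained(storage, name, content):
    """Defence in depth: refuse any final path that resolves outside storage.root."""
    final_name = storage.generate_filename(name)
    target = posixpath.normpath(posixpath.join(storage.root, final_name))
    if posixpath.commonpath([storage.root, target]) != storage.root:
        raise SuspiciousFileName(f"{name!r} resolves outside {storage.root}")
    storage.files[target] = content
    return target


def is_rejected(func, *args):
    """Return True when the call raises SuspiciousFileName."""
    try:
        func(*args)
    except SuspiciousFileName:
        return True
    return False


if __name__ == "__main__":
    crafted = "../../outside.txt"  # constructed sample input
    print("override without validation ->", PrefixingStorage().save(crafted, b"x"))
    print("override keeping validation rejected:",
          is_rejected(HardenedPrefixingStorage().save, crafted, b"x"))
    print("containment check rejected:",
          is_rejected(save_contained, PrefixingStorage(), crafted, b"x"))
    print("normal upload ->",
          HardenedPrefixingStorage().save("reports/q3.pdf", b"x"))
```

When reviewing a project before or after this upgrade, any custom storage class that overrides ``generate_filename()`` is worth checking for whether it still calls the parent implementation or an equivalent validation.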
