Changelog
### 0.18.0
```
New API:
* `curve_by_name` in `curves` module to get a `Curve` object by providing curve
name.
Bug fix:
* Make the `VerifyingKey` encoded with explicit parameters use the same
kind of point encoding for public key and curve generator.
* Better handling of malformed curve parameters (as in CVE-2022-0778);
make python-ecdsa raise `MalformedPointError` instead of `AssertionError`.
Doc fix:
* Publish the documentation on https://ecdsa.readthedocs.io/,
include explanation of basics of handling of ECC data formats and how to use
the library for elliptic curve arithmetic.
* Make object names more consistent, make them into hyperlinks on the
readthedocs documentation.
* Make security note more explicit (Ian Rodney)
* Fix the `explicit` vs `named_curve` confusion in `VerifyingKey` docs.
Maintenance:
* Updated black version; slight changes to formatting
* Include interoperability tests for Ed25519 and Ed448 with OpenSSL.
```
### 0.18.0beta2
```
New features:
* Support for point precomputation for EdDSA.
Maintenance:
* Fix few typos (thanks to Tim Gates and Kian Meng Ang).
Bug fix:
* Accept private EdDSA keys that include public key in the ASN.1 structure.
* Fix incompatibility with Python 3.3 in handling of memoryviews of empty
strings.
```
### 0.18.0beta1
```
New features:
* Support for EdDSA (Ed25519, Ed448) signature creation and verification.
* Support for Ed25519 and Ed448 in PKCS8 and public key files.
New API:
* CurveEdTw class to represent the Twisted Edwards curve parameters.
* PointEdwards class to represent points on Twisted Edwards curve and
provide point arithmetic on it.
```
### 0.17.0
```
New API:
* Keys that use explicit curve parameters can now be read and written.
Reading of explicit curves can be disabled by using the
`valid_curve_encodings` keyword argument in `VerifyingKey.from_pem()`,
`VerifyingKey.from_der()`, `SigningKey.from_pem()`, and
`SigningKey.from_der()`.
* Keys can now be written with use of explicit curve parameters,
use `curve_parameters_encoding` keyword argument of `VerifyingKey.to_pem()`,
`VerifyingKey.to_der()`, `SigningKey.to_pem(), or `SigningKey.to_der()` to
specify the format. By default `named_curve` will be used, unless the
curve doesn't have an associated OID (as will be the case for an unsupported
curve), then `explicit` encoding will be used.
* Allow specifying acceptable point formats when loading public keys
(this also fixes a minor bug where python-ecdsa would accept raw
encoding for points in PKCS8 files). Set of accepted encodings is controlled
by `valid_encodings` keyword argument in
`ECDH.load_received_public_key_bytes()`, `VerifyingKey.from_string()`,
`VerifyingKey.from_pem()`, VerifyingKey.from_der()`.
* `PointJacobi` and `Point` now inherit from `AbstractPoint` that implements
the methods for parsing points. That added `from_bytes()` and
`to_bytes()` methods to both of them.
* Curve parameters can now be read and written to PEM and DER files. The
`Curve` class supports new `to_der()`, `from_der()`, `to_pem()`, and
`from_pem()` methods.
Doc fix:
* Describe in detail which methods can raise `RSZeroError`, and that
`SigningKey.sign_deterministic()` won't raise it.
Bug fix:
* Correctly truncate hash values larger than the curve order (only impacted
custom curves and the curves added in this release).
* Correctly handle curves for which the order is larger than the prime
(only impacted custom curves and the secp160r1 curve added in this release).
* Fix the handling of `==` and `!=` for `Public_key`, `Private_key`, `Point`,
`PointJacobi`, `VerifyingKey`, and `SigningKey` so that it behaves
consistently and in the expected way both in Python 2 and Python 3.
* Implement lock-less algorithm inside PointJacobi for keeping shared state
so that when a calculation is aborted with KeyboardInterrupt, the state
doesn't become corrupted (this fixes the occasional breakage of ecdsa in
interactive shells).
New features:
* The `speed.py` script now provides performance for signature verification
without the use of precomputation.
* New curves supported: secp112r1, secp112r2, secp128r1, secp160r1.
Performance:
* Use 2-ary Non-Adjacent Form for the combined multiply-add. This speeds up
single-shot verify (i.e. without precomputation) by about 4 to 5%.
* Use native Python 3.8 support for calculating multiplicative inverses.
Maintenance:
* Include Python 3.9 in PyPI keywords.
* More realistic branch coverage counting (ignore Python version-specific
branches).
* Additional test coverage to many parts of the library.
* Migrate to Github Actions for Continuous Testing.
```
Links
- PyPI: https://pypi.org/project/ecdsa
- Changelog: https://data.safetycli.com/changelogs/ecdsa/
- Repo: http://github.com/tlsfuzzer/python-ecdsa
Changelog
### 2.31.0
```
-------------------
**Security**
- Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
forwarding of `Proxy-Authorization` headers to destination servers when
following HTTPS redirects.
When proxies are defined with user info (https://user:passproxy:8080), Requests
will construct a `Proxy-Authorization` header that is attached to the request to
authenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached
the `Proxy-Authorization` header incorrectly, resulting in the value being
sent through the tunneled connection to the destination server. Users who rely on
defining their proxy credentials in the URL are *strongly* encouraged to upgrade
to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through
the user information portion of their proxy URL are not subject to this
vulnerability.
Full details can be read in our [Github Security Advisory](https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)
and [CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681).
```
### 2.30.0
```
-------------------
**Dependencies**
- ⚠️ Added support for urllib3 2.0. ⚠️
This may contain minor breaking changes so we advise careful testing and
reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html
prior to upgrading.
Users who wish to stay on urllib3 1.x can pin to `urllib3<2`.
```
### 2.29.0
```
-------------------
**Improvements**
- Requests now defers chunked requests to the urllib3 implementation to improve
standardization. (6226)
- Requests relaxes header component requirements to support bytes/str subclasses. (6356)
```
### 2.28.2
```
-------------------
**Dependencies**
- Requests now supports charset\_normalizer 3.x. (6261)
**Bugfixes**
- Updated MissingSchema exception to suggest https scheme rather than http. (6188)
```
### 2.28.1
```
-------------------
**Improvements**
- Speed optimization in `iter_content` with transition to `yield from`. (6170)
**Dependencies**
- Added support for chardet 5.0.0 (6179)
- Added support for charset-normalizer 2.1.0 (6169)
```
### 2.28.0
```
-------------------
**Deprecations**
- ⚠️ Requests has officially dropped support for Python 2.7. ⚠️ (6091)
- Requests has officially dropped support for Python 3.6 (including pypy3.6). (6091)
**Improvements**
- Wrap JSON parsing issues in Request's JSONDecodeError for payloads without
an encoding to make `json()` API consistent. (6097)
- Parse header components consistently, raising an InvalidHeader error in
all invalid cases. (6154)
- Added provisional 3.11 support with current beta build. (6155)
- Requests got a makeover and we decided to paint it black. (6095)
**Bugfixes**
- Fixed bug where setting `CURL_CA_BUNDLE` to an empty string would disable
cert verification. All Requests 2.x versions before 2.28.0 are affected. (6074)
- Fixed urllib3 exception leak, wrapping `urllib3.exceptions.SSLError` with
`requests.exceptions.SSLError` for `content` and `iter_content`. (6057)
- Fixed issue where invalid Windows registry entries caused proxy resolution
to raise an exception rather than ignoring the entry. (6149)
- Fixed issue where entire payload could be included in the error message for
JSONDecodeError. (6036)
```
### 2.27.1
```
-------------------
**Bugfixes**
- Fixed parsing issue that resulted in the `auth` component being
dropped from proxy URLs. (6028)
```
### 2.27.0
```
-------------------
**Improvements**
- Officially added support for Python 3.10. (5928)
- Added a `requests.exceptions.JSONDecodeError` to unify JSON exceptions between
Python 2 and 3. This gets raised in the `response.json()` method, and is
backwards compatible as it inherits from previously thrown exceptions.
Can be caught from `requests.exceptions.RequestException` as well. (5856)
- Improved error text for misnamed `InvalidSchema` and `MissingSchema`
exceptions. This is a temporary fix until exceptions can be renamed
(Schema->Scheme). (6017)
- Improved proxy parsing for proxy URLs missing a scheme. This will address
recent changes to `urlparse` in Python 3.9+. (5917)
**Bugfixes**
- Fixed defect in `extract_zipped_paths` which could result in an infinite loop
for some paths. (5851)
- Fixed handling for `AttributeError` when calculating length of files obtained
by `Tarfile.extractfile()`. (5239)
- Fixed urllib3 exception leak, wrapping `urllib3.exceptions.InvalidHeader` with
`requests.exceptions.InvalidHeader`. (5914)
- Fixed bug where two Host headers were sent for chunked requests. (5391)
- Fixed regression in Requests 2.26.0 where `Proxy-Authorization` was
incorrectly stripped from all requests sent with `Session.send`. (5924)
- Fixed performance regression in 2.26.0 for hosts with a large number of
proxies available in the environment. (5924)
- Fixed idna exception leak, wrapping `UnicodeError` with
`requests.exceptions.InvalidURL` for URLs with a leading dot (.) in the
domain. (5414)
**Deprecations**
- Requests support for Python 2.7 and 3.6 will be ending in 2022. While we
don't have exact dates, Requests 2.27.x is likely to be the last release
series providing support.
```
### 2.26.0
```
-------------------
**Improvements**
- Requests now supports Brotli compression, if either the `brotli` or
`brotlicffi` package is installed. (5783)
- `Session.send` now correctly resolves proxy configurations from both
the Session and Request. Behavior now matches `Session.request`. (5681)
**Bugfixes**
- Fixed a race condition in zip extraction when using Requests in parallel
from zip archive. (5707)
**Dependencies**
- Instead of `chardet`, use the MIT-licensed `charset_normalizer` for Python3
to remove license ambiguity for projects bundling requests. If `chardet`
is already installed on your machine it will be used instead of `charset_normalizer`
to keep backwards compatibility. (5797)
You can also install `chardet` while installing requests by
specifying `[use_chardet_on_py3]` extra as follows:
shell
pip install "requests[use_chardet_on_py3]"
Python2 still depends upon the `chardet` module.
- Requests now supports `idna` 3.x on Python 3. `idna` 2.x will continue to
be used on Python 2 installations. (5711)
**Deprecations**
- The `requests[security]` extra has been converted to a no-op install.
PyOpenSSL is no longer the recommended secure option for Requests. (5867)
- Requests has officially dropped support for Python 3.5. (5867)
```
Links
- PyPI: https://pypi.org/project/requests
- Changelog: https://data.safetycli.com/changelogs/requests/
- Docs: https://requests.readthedocs.io
Changelog
### 1.7.0
```
- Renamed `mask` variable in ABNF to prevent name collision with `mask()` function (9b51f73)
- Fixed old http import of HTTPStatus in _handshake.py (9b51f73)
- Add `send_text()` and `send_bytes()` to _app.py (953)
- Improved typehint support (953, 9b51f73, 8b73d00)
- General readability improvements, made all string concatenations use f-strings (909, 780584f, 3eabc6e)
- Applied black formatting style to code (da7f286)
```
### 1.6.4
```
- Fix 952, add support for HTTP 307 and 308 redirect codes (69468ad)
```
### 1.6.3
```
- Fix type hints issues (949)
- Add support for Python beta release 3.12 in CI (946)
- Add maintainer email in setup.py (3d464fc)
```
### 1.6.2
```
- Add support for SSLKEYLOGFILE environment variable (943)
- Add support for callable header arguments (932)
- Change handling of proxy environment variables, is_secure set to true now prevents http_proxy from getting used (929)
```
### 1.6.1
```
- Fix Dispatcher keyboard interrupt. Should solve reconnect loop with rel (924)
```
### 1.6.0
```
- Fix teardown issue when ping thread is not properly ended (918)
- Fix double ping wait time on first ping (912)
- Minor type hints improvements (eda6724, 54b3013)
```
### 1.5.3
```
- Add logic to avoid error in the case where content-length header does not exist, bug introduced in 1.5.2 (911)
- Fix wsdump.py script typing, bug introduced in 1.5.2 (914)
```
### 1.5.2
```
- Add type hints (908)
- Fix pytype errors (906)
- Fix args passed to logging function (898)
- Standardize PEP 3101 formatting (c6a445f)
- Add more verbose exception for unsuccessful handshake for 900 (f85ae1f)
```
### 1.5.1
```
- Fix logic bug that can cause disconnects (893)
```
### 1.5.0
```
- Refactor and improve ping/pong logic to resolve several issues, including an infinite loop issue during reconnect (862)
- Fix issue where `skip_utf8_validation = True` is ignored (886)
- Fix issue where sslopt `is_ssl` is ignored (875)
- Downgrade "websocket connected" message from logging.warning to logging.info (888)
- Update github actions to newer versions (669fe1b)
```
### 1.4.2
```
- create_dispatcher is determined by URL ws/wss, NOT by presence of sslopt args, to maintain consistency (875)
- Remove redundant key generation line (864)
- Updated docs to fix old links and updated CI to include Python 3.11
```
### 1.4.1
```
- Fix stack growth bug when `run_forever` reconnects (854)
- Add doctest CI for sphinx docs code examples (d150099)
- General docs improvements
```
### 1.4.0
```
- Fix automatic reconnect with `run_forever` (838)
- Allow a timeout to be set when using a proxy (842)
```
### 1.3.3
```
- Fix unclosed socket error (826)
- Update header dict access (818)
- Add utf8 workaround to docs (fc9ee9f)
```
### 1.3.2
```
- Add support for pre-initialized stream socket in new WebSocketApp (804)
- Remove rel.saferead() in examples (f0bf03d)
- Increase scope of linting checks (dca4022)
- Start adding type hints (a8a4099)
```
### 1.3.1
```
- Fix 10 year old bug and improve dispatcher handling for run_forever (795)
- Fix run_forever to never return None, only return True or False, and add two tests (788)
- Remove Python 3.6 support, EOL in Dec 2021
```
### 1.3.0
```
- BREAKING: Set Origin header to use https:// scheme when wss:// WebSocket URL is passed (#787)
- Replace deprecated/broken WebSocket URLs with working ones (6ad5197)
- Add documentation referencing rel for automatic reconnection with run_forever()
- Add missing opcodes 1012, 1013 (771)
- Add errno.ENETUNREACH to improve error handling (da1b050)
- Minor documentation improvements and typo fixes
```
### 1.2.3
```
- Fix broken run_forever() functionality (769)
```
### 1.2.2
```
- Migrate wsdump script in setup.py from scripts to newer entry_points (763)
- Add support for ssl.SSLContext for arbitrary SSL parameters (762)
- Remove keep_running variable (752)
- Remove HAVE_CONTEXT_CHECK_HOSTNAME variable (dac1692)
- Replace deprecated ssl.PROTOCOL_TLS with ssl.PROTOCOL_TLS_CLIENT (760)
- Simplify code and improve Python 3 support (751, 750, 746)
- Fill default license template fields (748)
- Update CI tests
- Improve documentation (732, 733, 734, 737, 766, 768)
```
### 1.2.1
```
- Fix python-socks dependency issue mentioned in 728
- Replace echo.websocket.org with a local websockets echo server for unit tests (4951de2)
```
### 1.2.0
```
- Fix 697, 665: Transition from LGPL 2.1 license to Apache 2.0 license
- Revert 417 and reimplement SOCKS proxy support with python-socks instead of PySocks (fbcbd43)
```
### 1.1.1
```
- Fix 377: increase exception verbosity in _app.py callback exception
- Fix 717: race condition during connection close
- Fix 722: improve handling where credentials include symbols like
- Fix 711: improve handling if ssl is None
```
### 1.1.0
```
- Set enable_multithread to True by default (beb135a)
- Performance improvement in _mask() function (287970e, 433)
- Performance improvement in recv_strict() function (60e4711, 255)
- Performance improvement by removing numpy-related code (a462d45)
- Support uppercase no_proxy, http_proxy, https_proxy env vars (150df4f, 700)
- Add sslopt 'server_hostname' support (698)
- Replace deprecated ssl.PROTOCOL_SSLv23 with ssl.PROTOCOL_TLS (494564f)
- Update documentation, README (7c9d604, 704)
```
### 1.0.1
```
- Fix exception handling bug 694
```
### 1.0.0
```
- Removed Python 2 code, now only Python 3 compatible (d45343b, b7c5733, ff67af8)
- Use semver for release versions, unlike breaking release 0.58.0 (669)
- Enhance enableTrace output (13e83b4)
- Improve unit tests to over 80% code coverage (1679ab0, a00dd2d, etc.)
- Fix old _app.py close status code bug (resulted in on_close() requiring 3 args) (686)
- Replace select import with selectors (568)
```
### 0.59.0
```
- Last main release to support Python 2
- Fix Python 2 urlparse scheme (332)
- Add support for headers with multiple values (627)
- Add debug support for reserved custom status codes (639)
- Allow multiple Set-Cookie: headers (649)
- Simplified cookie sorting (662)
- Add no_proxy support (671)
- Add Host header to HTTP proxy request (677)
- Improve PEP8 style compliance (dc3f5c4)
```
Links
- PyPI: https://pypi.org/project/websocket-client
- Changelog: https://data.safetycli.com/changelogs/websocket-client/
- Repo: https://github.com/websocket-client/websocket-client/releases
Changelog
### 42.0.5
```
~~~~~~~~~~~~~~~~~~~
* Limit the number of name constraint checks that will be performed in
:mod:`X.509 path validation <cryptography.x509.verification>` to protect
against denial of service attacks.
* Upgrade ``pyo3`` version, which fixes building on PowerPC.
.. _v42-0-4:
```
### 42.0.4
```
~~~~~~~~~~~~~~~~~~~
* Fixed a null-pointer-dereference and segfault that could occur when creating
a PKCS12 bundle. Credit to **Alexander-Programming** for reporting the
issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
definitions in :rfc:`2633` :rfc:`3370`.
.. _v42-0-3:
```
### 42.0.3
```
~~~~~~~~~~~~~~~~~~~
* Fixed an initialization issue that caused key loading failures for some
users.
.. _v42-0-2:
```
### 42.0.2
```
~~~~~~~~~~~~~~~~~~~
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
``X25519PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
``X448PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
and ``DHPrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.
.. _v42-0-1:
```
### 42.0.1
```
~~~~~~~~~~~~~~~~~~~
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign`.
* Resolved compatibility issue with loading certain RSA public keys in
:func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`.
.. _v42-0-0:
```
### 42.0.0
```
~~~~~~~~~~~~~~~~~~~
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.7.
* **BACKWARDS INCOMPATIBLE:** Loading a PKCS7 with no content field using
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
or
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`
will now raise a ``ValueError`` rather than return an empty list.
* Parsing SSH certificates no longer permits malformed critical options with
values, as documented in the 41.0.2 release notes.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.0.
* Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0.
* We now publish both ``py37`` and ``py39`` ``abi3`` wheels. This should
resolve some errors relating to initializing a module multiple times per
process.
* Support :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` for
X.509 certificate signing requests and certificate revocation lists with the
keyword-only argument ``rsa_padding`` on the ``sign`` methods for
:class:`~cryptography.x509.CertificateSigningRequestBuilder` and
:class:`~cryptography.x509.CertificateRevocationListBuilder`.
* Added support for obtaining X.509 certificate signing request signature
algorithm parameters (including PSS) via
:meth:`~cryptography.x509.CertificateSigningRequest.signature_algorithm_parameters`.
* Added support for obtaining X.509 certificate revocation list signature
algorithm parameters (including PSS) via
:meth:`~cryptography.x509.CertificateRevocationList.signature_algorithm_parameters`.
* Added ``mgf`` property to
:class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`.
* Added ``algorithm`` and ``mgf`` properties to
:class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP`.
* Added the following properties that return timezone-aware ``datetime`` objects:
:meth:`~cryptography.x509.Certificate.not_valid_before_utc`,
:meth:`~cryptography.x509.Certificate.not_valid_after_utc`,
:meth:`~cryptography.x509.RevokedCertificate.revocation_date_utc`,
:meth:`~cryptography.x509.CertificateRevocationList.next_update_utc`,
:meth:`~cryptography.x509.CertificateRevocationList.last_update_utc`.
These are timezone-aware variants of existing properties that return naïve
``datetime`` objects.
* Deprecated the following properties that return naïve ``datetime`` objects:
:meth:`~cryptography.x509.Certificate.not_valid_before`,
:meth:`~cryptography.x509.Certificate.not_valid_after`,
:meth:`~cryptography.x509.RevokedCertificate.revocation_date`,
:meth:`~cryptography.x509.CertificateRevocationList.next_update`,
:meth:`~cryptography.x509.CertificateRevocationList.last_update`
in favor of the new timezone-aware variants mentioned above.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20`
on LibreSSL.
* Added support for RSA PSS signatures in PKCS7 with
:meth:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder.add_signer`.
* In the next release (43.0.0) of cryptography, loading an X.509 certificate
with a negative serial number will raise an exception. This has been
deprecated since 36.0.0.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCMSIV` when using
OpenSSL 3.2.0+.
* Added the :mod:`X.509 path validation <cryptography.x509.verification>` APIs
for :class:`~cryptography.x509.Certificate` chains. These APIs should be
considered unstable and not subject to our stability guarantees until
documented as such in a future release.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.SM4`
:class:`~cryptography.hazmat.primitives.ciphers.modes.GCM`
when using OpenSSL 3.0 or greater.
.. _v41-0-7:
```
### 41.0.7
```
~~~~~~~~~~~~~~~~~~~
* Fixed compilation when using LibreSSL 3.8.2.
.. _v41-0-6:
```
### 41.0.6
```
~~~~~~~~~~~~~~~~~~~
* Fixed a null-pointer-dereference and segfault that could occur when loading
certificates from a PKCS7 bundle. Credit to **pkuzco** for reporting the
issue. **CVE-2023-49083**
.. _v41-0-5:
```
### 41.0.5
```
~~~~~~~~~~~~~~~~~~~
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4.
* Added a function to support an upcoming ``pyOpenSSL`` release.
.. _v41-0-4:
```
### 41.0.4
```
~~~~~~~~~~~~~~~~~~~
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3.
.. _v41-0-3:
```
### 41.0.3
```
~~~~~~~~~~~~~~~~~~~
* Fixed performance regression loading DH public keys.
* Fixed a memory leak when using
:class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.2.
.. _v41-0-2:
```
### 41.0.2
```
~~~~~~~~~~~~~~~~~~~
* Fixed bugs in creating and parsing SSH certificates where critical options
with values were handled incorrectly. Certificates are now created correctly
and parsing accepts correct values as well as the previously generated
invalid forms with a warning. In the next release, support for parsing these
invalid forms will be removed.
.. _v41-0-1:
```
### 41.0.1
```
~~~~~~~~~~~~~~~~~~~
* Temporarily allow invalid ECDSA signature algorithm parameters in X.509
certificates, which are generated by older versions of Java.
* Allow null bytes in pass phrases when serializing private keys.
.. _v41-0-0:
```
### 41.0.0
```
~~~~~~~~~~~~~~~~~~~
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL less than 1.1.1d has been
removed. Users on older version of OpenSSL will need to upgrade.
* **BACKWARDS INCOMPATIBLE:** Support for Python 3.6 has been removed.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.6.
* Updated the minimum supported Rust version (MSRV) to 1.56.0, from 1.48.0.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.1.
* Added support for the :class:`~cryptography.x509.OCSPAcceptableResponses`
OCSP extension.
* Added support for the :class:`~cryptography.x509.MSCertificateTemplate`
proprietary Microsoft certificate extension.
* Implemented support for equality checks on all asymmetric public key types.
* Added support for ``aes256-gcmopenssh.com`` encrypted keys in
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`.
* Added support for obtaining X.509 certificate signature algorithm parameters
(including PSS) via
:meth:`~cryptography.x509.Certificate.signature_algorithm_parameters`.
* Support signing :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`
X.509 certificates via the new keyword-only argument ``rsa_padding`` on
:meth:`~cryptography.x509.CertificateBuilder.sign`.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`
on BoringSSL.
.. _v40-0-2:
```
### 40.0.2
```
~~~~~~~~~~~~~~~~~~~
* Fixed compilation when using LibreSSL 3.7.2.
* Added some functions to support an upcoming ``pyOpenSSL`` release.
.. _v40-0-1:
```
### 40.0.1
```
~~~~~~~~~~~~~~~~~~~
* Fixed a bug where certain operations would fail if an object happened to be
in the top-half of the memory-space. This only impacted 32-bit systems.
.. _v40-0-0:
```
### 40.0.0
```
~~~~~~~~~~~~~~~~~~~
* **BACKWARDS INCOMPATIBLE:** As announced in the 39.0.0 changelog, the way
``cryptography`` links OpenSSL has changed. This only impacts users who
build ``cryptography`` from source (i.e., not from a ``wheel``), and
specify their own version of OpenSSL. For those users, the ``CFLAGS``,
``LDFLAGS``, ``INCLUDE``, ``LIB``, and ``CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS``
environment variables are no longer valid. Instead, users need to configure
their builds `as documented here`_.
* Support for Python 3.6 is deprecated and will be removed in the next
release.
* Deprecated the current minimum supported Rust version (MSRV) of 1.48.0.
In the next release we will raise MSRV to 1.56.0. Users with the latest
``pip`` will typically get a wheel and not need Rust installed, but check
:doc:`/installation` for documentation on installing a newer ``rustc`` if
required.
* Deprecated support for OpenSSL less than 1.1.1d. The next release of
``cryptography`` will drop support for older versions.
* Deprecated support for DSA keys in
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`
and
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`.
* Deprecated support for OpenSSH serialization in
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`
and
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`.
* The minimum supported version of PyPy3 is now 7.3.10.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.0.
* Added support for parsing SSH certificates in addition to public keys with
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_identity`.
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`
continues to support only public keys.
* Added support for generating SSH certificates with
:class:`~cryptography.hazmat.primitives.serialization.SSHCertificateBuilder`.
* Added :meth:`~cryptography.x509.Certificate.verify_directly_issued_by` to
:class:`~cryptography.x509.Certificate`.
* Added a check to :class:`~cryptography.x509.NameConstraints` to ensure that
:class:`~cryptography.x509.DNSName` constraints do not contain any ``*``
wildcards.
* Removed many unused CFFI OpenSSL bindings. This will not impact you unless
you are using ``cryptography`` to directly invoke OpenSSL's C API. Note that
these have never been considered a stable, supported, public API by
``cryptography``, this note is included as a courtesy.
* The X.509 builder classes now raise ``UnsupportedAlgorithm`` instead of
``ValueError`` if an unsupported hash algorithm is passed.
* Added public union type aliases for type hinting:
* Asymmetric types:
:const:`~cryptography.hazmat.primitives.asymmetric.types.PublicKeyTypes`,
:const:`~cryptography.hazmat.primitives.asymmetric.types.PrivateKeyTypes`,
:const:`~cryptography.hazmat.primitives.asymmetric.types.CertificatePublicKeyTypes`,
:const:`~cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPublicKeyTypes`,
:const:`~cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPrivateKeyTypes`.
* SSH keys:
:const:`~cryptography.hazmat.primitives.serialization.SSHPublicKeyTypes`,
:const:`~cryptography.hazmat.primitives.serialization.SSHPrivateKeyTypes`,
:const:`~cryptography.hazmat.primitives.serialization.SSHCertPublicKeyTypes`,
:const:`~cryptography.hazmat.primitives.serialization.SSHCertPrivateKeyTypes`.
* PKCS12:
:const:`~cryptography.hazmat.primitives.serialization.pkcs12.PKCS12PrivateKeyTypes`
* PKCS7:
:const:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7HashTypes`,
:const:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7PrivateKeyTypes`.
* Two-factor:
:const:`~cryptography.hazmat.primitives.twofactor.hotp.HOTPHashTypes`
* Deprecated previously undocumented but not private type aliases in the
``cryptography.hazmat.primitives.asymmetric.types`` module in favor of new
ones above.
.. _v39-0-2:
```
### 39.0.2
```
~~~~~~~~~~~~~~~~~~~
* Fixed a bug where the content type header was not properly encoded for
PKCS7 signatures when using the ``Text`` option and ``SMIME`` encoding.
.. _v39-0-1:
```
### 39.0.1
```
~~~~~~~~~~~~~~~~~~~
* **SECURITY ISSUE** - Fixed a bug where ``Cipher.update_into`` accepted Python
buffer protocol objects, but allowed immutable buffers. **CVE-2023-23931**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8.
.. _v39-0-0:
```
### 39.0.0
```
~~~~~~~~~~~~~~~~~~~
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.0 has been removed.
Users on older version of OpenSSL will need to upgrade.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.5. The new
minimum LibreSSL version is 3.5.0. Going forward our policy is to support
versions of LibreSSL that are available in versions of OpenBSD that are
still receiving security support.
* **BACKWARDS INCOMPATIBLE:** Removed the ``encode_point`` and
``from_encoded_point`` methods on
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`,
which had been deprecated for several years.
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes`
and
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point`
should be used instead.
* **BACKWARDS INCOMPATIBLE:** Support for using MD5 or SHA1 in
:class:`~cryptography.x509.CertificateBuilder`, other X.509 builders, and
PKCS7 has been removed.
* **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.10 and 10.11, macOS
users must upgrade to 10.12 or newer.
* **ANNOUNCEMENT:** The next version of ``cryptography`` (40.0) will change
the way we link OpenSSL. This will only impact users who build
``cryptography`` from source (i.e., not from a ``wheel``), and specify their
own version of OpenSSL. For those users, the ``CFLAGS``, ``LDFLAGS``,
``INCLUDE``, ``LIB``, and ``CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS`` environment
variables will no longer be respected. Instead, users will need to
configure their builds `as documented here`_.
* Added support for
:ref:`disabling the legacy provider in OpenSSL 3.0.x<legacy-provider>`.
* Added support for disabling RSA key validation checks when loading RSA
keys via
:func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,
:func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,
and
:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers.private_key`.
This speeds up key loading but is :term:`unsafe` if you are loading potentially
attacker supplied keys.
* Significantly improved performance for
:class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`
when repeatedly calling ``encrypt`` or ``decrypt`` with the same key.
* Added support for creating OCSP requests with precomputed hashes using
:meth:`~cryptography.x509.ocsp.OCSPRequestBuilder.add_certificate_by_hash`.
* Added support for loading multiple PEM-encoded X.509 certificates from
a single input via :func:`~cryptography.x509.load_pem_x509_certificates`.
.. _v38-0-4:
```
### 38.0.4
```
~~~~~~~~~~~~~~~~~~~
* Fixed compilation when using LibreSSL 3.6.0.
* Fixed error when using ``py2app`` to build an application with a
``cryptography`` dependency.
.. _v38-0-3:
```
### 38.0.3
```
~~~~~~~~~~~~~~~~~~~
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.7,
which resolves *CVE-2022-3602* and *CVE-2022-3786*.
.. _v38-0-2:
```
### 38.0.2
```
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. attention::
This release was subsequently yanked from PyPI due to a regression in OpenSSL.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.6.
.. _v38-0-1:
```
### 38.0.1
```
~~~~~~~~~~~~~~~~~~~
* Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically
seen in large CRLs).
.. _v38-0-0:
```
### 38.0.0
```
~~~~~~~~~~~~~~~~~~~
* Final deprecation of OpenSSL 1.1.0. The next release of ``cryptography``
will drop support.
* We no longer ship ``manylinux2010`` wheels. Users should upgrade to the
latest ``pip`` to ensure this doesn't cause issues downloading wheels on
their platform. We now ship ``manylinux_2_28`` wheels for users on new
enough platforms.
* Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0.
Users with the latest ``pip`` will typically get a wheel and not need Rust
installed, but check :doc:`/installation` for documentation on installing a
newer ``rustc`` if required.
* :meth:`~cryptography.fernet.Fernet.decrypt` and related methods now accept
both ``str`` and ``bytes`` tokens.
* Parsing ``CertificateSigningRequest`` restores the behavior of enforcing
that the ``Extension`` ``critical`` field must be correctly encoded DER. See
`the issue <https://github.com/pyca/cryptography/issues/6368>`_ for complete
details.
* Added two new OpenSSL functions to the bindings to support an upcoming
``pyOpenSSL`` release.
* When parsing :class:`~cryptography.x509.CertificateRevocationList` and
:class:`~cryptography.x509.CertificateSigningRequest` values, it is now
enforced that the ``version`` value in the input must be valid according to
the rules of :rfc:`2986` and :rfc:`5280`.
* Using MD5 or SHA1 in :class:`~cryptography.x509.CertificateBuilder` and
other X.509 builders is deprecated and support will be removed in the next
version.
* Added additional APIs to
:class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp`, including
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_hash_algorithm`,
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_algorithm`,
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature`, and
:attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.extension_bytes`.
* Added :attr:`~cryptography.x509.Certificate.tbs_precertificate_bytes`, allowing
users to access the to-be-signed pre-certificate data needed for signed
certificate timestamp verification.
* :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC` and
:class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC` now support
:attr:`~cryptography.hazmat.primitives.kdf.kbkdf.CounterLocation.MiddleFixed`
counter location.
* Fixed :rfc:`4514` name parsing to reverse the order of the RDNs according
to the section 2.1 of the RFC, affecting method
:meth:`~cryptography.x509.Name.from_rfc4514_string`.
* It is now possible to customize some aspects of encryption when serializing
private keys, using
:meth:`~cryptography.hazmat.primitives.serialization.PrivateFormat.encryption_builder`.
* Removed several legacy symbols from our OpenSSL bindings. Users of pyOpenSSL
versions older than 22.0 will need to upgrade.
* Added
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES128` and
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES256` classes.
These classes do not replace
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` (which
allows all AES key lengths), but are intended for applications where
developers want to be explicit about key length.
.. _v37-0-4:
```
### 37.0.4
```
~~~~~~~~~~~~~~~~~~~
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.5.
.. _v37-0-3:
```
### 37.0.3
```
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. attention::
This release was subsequently yanked from PyPI due to a regression in OpenSSL.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.4.
.. _v37-0-2:
```
### 37.0.2
```
~~~~~~~~~~~~~~~~~~~
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.3.
* Added a constant needed for an upcoming pyOpenSSL release.
.. _v37-0-1:
```
### 37.0.1
```
~~~~~~~~~~~~~~~~~~~
* Fixed an issue where parsing an encrypted private key with the public
loader functions would hang waiting for console input on OpenSSL 3.0.x rather
than raising an error.
* Restored some legacy symbols for older ``pyOpenSSL`` users. These will be
removed again in the future, so ``pyOpenSSL`` users should still upgrade
to the latest version of that package when they upgrade ``cryptography``.
.. _v37-0-0:
```
### 37.0.0
```
~~~~~~~~~~~~~~~~~~~
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x and 3.0.x.
The new minimum LibreSSL version is 3.1+.
* **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier`` methods
from the public key and private key classes. These methods were originally
deprecated in version 2.0, but had an extended deprecation timeline due
to usage. Any remaining users should transition to ``sign`` and ``verify``.
* Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by
the OpenSSL project. The next release of ``cryptography`` will be the last
to support compiling with OpenSSL 1.1.0.
* Deprecated Python 3.6 support. Python 3.6 is no longer supported by the
Python core team. Support for Python 3.6 will be removed in a future
``cryptography`` release.
* Deprecated the current minimum supported Rust version (MSRV) of 1.41.0.
In the next release we will raise MSRV to 1.48.0. Users with the latest
``pip`` will typically get a wheel and not need Rust installed, but check
:doc:`/installation` for documentation on installing a newer ``rustc`` if
required.
* Deprecated
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`,
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`,
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish` because
they are legacy algorithms with extremely low usage. These will be removed
in a future version of ``cryptography``.
* Added limited support for distinguished names containing a bit string.
* We now ship ``universal2`` wheels on macOS, which contain both ``arm64``
and ``x86_64`` architectures. Users on macOS should upgrade to the latest
``pip`` to ensure they can use this wheel, although we will continue to
ship ``x86_64`` specific wheels for now to ease the transition.
* This will be the final release for which we ship ``manylinux2010`` wheels.
Going forward the minimum supported ``manylinux`` ABI for our wheels will
be ``manylinux2014``. The vast majority of users will continue to receive
``manylinux`` wheels provided they have an up to date ``pip``. For PyPy
wheels this release already requires ``manylinux2014`` for compatibility
with binaries distributed by upstream.
* Added support for multiple
:class:`~cryptography.x509.ocsp.OCSPSingleResponse` in a
:class:`~cryptography.x509.ocsp.OCSPResponse`.
* Restored support for signing certificates and other structures in
:doc:`/x509/index` with SHA3 hash algorithms.
* :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` is
disabled in FIPS mode.
* Added support for serialization of PKCS12 CA friendly names/aliases in
:func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`
* Added support for 12-15 byte (96 to 120 bit) nonces to
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`. This class
previously supported only 12 byte (96 bit).
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV` when using
OpenSSL 3.0.0+.
* Added support for serializing PKCS7 structures from a list of
certificates with
:class:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates`.
* Added support for parsing :rfc:`4514` strings with
:meth:`~cryptography.x509.Name.from_rfc4514_string`.
* Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.AUTO` to
:class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This can
be used to verify a signature where the salt length is not already known.
* Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.DIGEST_LENGTH`
to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This
constant will set the salt length to the same length as the ``PSS`` hash
algorithm.
* Added support for loading RSA-PSS key types with
:func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`
and
:func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`.
This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a
normal RSA private key, discarding the PSS constraint information.
.. _v36-0-2:
```
### 36.0.2
```
~~~~~~~~~~~~~~~~~~~
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n.
.. _v36-0-1:
```
### 36.0.1
```
~~~~~~~~~~~~~~~~~~~
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m.
.. _v36-0-0:
```
### 36.0.0
```
~~~~~~~~~~~~~~~~~~~
* **FINAL DEPRECATION** Support for ``verifier`` and ``signer`` on our
asymmetric key classes was deprecated in version 2.0. These functions had an
extended deprecation due to usage, however the next version of
``cryptography`` will drop support. Users should migrate to ``sign`` and
``verify``.
* The entire :doc:`/x509/index` layer is now written in Rust. This allows
alternate asymmetric key implementations that can support cloud key
management services or hardware security modules provided they implement
the necessary interface (for example:
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`).
* :ref:`Deprecated the backend argument<faq-missing-backend>` for all
functions.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`.
* Added support for iterating over arbitrary request
:attr:`~cryptography.x509.CertificateSigningRequest.attributes`.
* Deprecated the ``get_attribute_for_oid`` method on
:class:`~cryptography.x509.CertificateSigningRequest` in favor of
:meth:`~cryptography.x509.Attributes.get_attribute_for_oid` on the new
:class:`~cryptography.x509.Attributes` object.
* Fixed handling of PEM files to allow loading when certificate and key are
in the same file.
* Fixed parsing of :class:`~cryptography.x509.CertificatePolicies` extensions
containing legacy ``BMPString`` values in their ``explicitText``.
* Allow parsing of negative serial numbers in certificates. Negative serial
numbers are prohibited by :rfc:`5280` so a deprecation warning will be
raised whenever they are encountered. A future version of ``cryptography``
will drop support for parsing them.
* Added support for parsing PKCS12 files with friendly names for all
certificates with
:func:`~cryptography.hazmat.primitives.serialization.pkcs12.load_pkcs12`,
which will return an object of type
:class:`~cryptography.hazmat.primitives.serialization.pkcs12.PKCS12KeyAndCertificates`.
* :meth:`~cryptography.x509.Name.rfc4514_string` and related methods now have
an optional ``attr_name_overrides`` parameter to supply custom OID to name
mappings, which can be used to match vendor-specific extensions.
* **BACKWARDS INCOMPATIBLE:** Reverted the nonstandard formatting of
email address fields as ``E`` in
:meth:`~cryptography.x509.Name.rfc4514_string` methods from version 35.0.
The previous behavior can be restored with:
``name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})``
* Allow
:class:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey`
and
:class:`~cryptography.hazmat.primitives.asymmetric.x448.X448PublicKey` to
be used as public keys when parsing certificates or creating them with
:class:`~cryptography.x509.CertificateBuilder`. These key types must be
signed with a different signing algorithm as ``X25519`` and ``X448`` do
not support signing.
* Extension values can now be serialized to a DER byte string by calling
:func:`~cryptography.x509.ExtensionType.public_bytes`.
* Added experimental support for compiling against BoringSSL. As BoringSSL
does not commit to a stable API, ``cryptography`` tests against the
latest commit only. Please note that several features are not available
when building against BoringSSL.
* Parsing ``CertificateSigningRequest`` from DER and PEM now, for a limited
time period, allows the ``Extension`` ``critical`` field to be incorrectly
encoded. See `the issue <https://github.com/pyca/cryptography/issues/6368>`_
for complete details. This will be reverted in a future ``cryptography``
release.
* When :class:`~cryptography.x509.OCSPNonce` are parsed and generated their
value is now correctly wrapped in an ASN.1 ``OCTET STRING``. This conforms
to :rfc:`6960` but conflicts with the original behavior specified in
:rfc:`2560`. For a temporary period for backwards compatibility, we will
also parse values that are encoded as specified in :rfc:`2560` but this
behavior will be removed in a future release.
.. _v35-0-0:
```
### 35.0.0
```
~~~~~~~~~~~~~~~~~~~
* Changed the :ref:`version scheme <api-stability:versioning>`. This will
result in us incrementing the major version more frequently, but does not
change our existing backwards compatibility policy.
* **BACKWARDS INCOMPATIBLE:** The :doc:`/x509/index` PEM parsers now require
that the PEM string passed have PEM delimiters of the correct type. For
example, parsing a private key PEM concatenated with a certificate PEM will
no longer be accepted by the PEM certificate parser.
* **BACKWARDS INCOMPATIBLE:** The X.509 certificate parser no longer allows
negative serial numbers. :rfc:`5280` has always prohibited these.
* **BACKWARDS INCOMPATIBLE:** Additional forms of invalid ASN.1 found during
:doc:`/x509/index` parsing will raise an error on initial parse rather than
when the malformed field is accessed.
* Rust is now required for building ``cryptography``, the
``CRYPTOGRAPHY_DONT_BUILD_RUST`` environment variable is no longer
respected.
* Parsers for :doc:`/x509/index` no longer use OpenSSL and have been
rewritten in Rust. This should be backwards compatible (modulo the items
listed above) and improve both security and performance.
* Added support for OpenSSL 3.0.0 as a compilation target.
* Added support for
:class:`~cryptography.hazmat.primitives.hashes.SM3` and
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.SM4`,
when using OpenSSL 1.1.1. These algorithms are provided for compatibility
in regions where they may be required, and are not generally recommended.
* We now ship ``manylinux_2_24`` and ``musllinux_1_1`` wheels, in addition to
our ``manylinux2010`` and ``manylinux2014`` wheels. Users on distributions
like Alpine Linux should ensure they upgrade to the latest ``pip`` to
correctly receive wheels.
* Added ``rfc4514_attribute_name`` attribute to :attr:`x509.NameAttribute
<cryptography.x509.NameAttribute.rfc4514_attribute_name>`.
* Added :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC`.
.. _v3-4-8:
```
### 3.4.8
```
~~~~~~~~~~~~~~~~~~
* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1l.
.. _v3-4-7:
```
Links
- PyPI: https://pypi.org/project/cryptography
- Changelog: https://data.safetycli.com/changelogs/cryptography/
Changelog
### 5.1.0
```
-----
- bpo-44185: :func:`unittest.mock.mock_open` will call the :func:`close`
method of the file handle mock when it is exiting from the context
manager. Patch by Samet Yaslan.
- gh-94924: :func:`unittest.mock.create_autospec` now properly returns
coroutine functions compatible with :func:`inspect.iscoroutinefunction`
- bpo-17013: Add ``ThreadingMock`` to :mod:`unittest.mock` that can be used
to create Mock objects that can wait until they are called. Patch by
Karthikeyan Singaravelan and Mario Corchero.
- bpo-41768: :mod:`unittest.mock` speccing no longer calls class properties.
Patch by Melanie Witt.
```
### 5.0.2
```
-----
- gh-102978: Fixes :func:`unittest.mock.patch` not enforcing function
signatures for methods decorated with ``classmethod`` or
``staticmethod`` when patch is called with ``autospec=True``.
- gh-103329: Regression tests for the behaviour of
``unittest.mock.PropertyMock`` were added.
```
### 5.0.1
```
-----
- gh-100740: Fix ``unittest.mock.Mock`` not respecting the spec for
attribute names prefixed with ``assert``.
- gh-100690: ``Mock`` objects which are not unsafe will now raise an
``AttributeError`` when accessing an attribute that matches the name of an
assertion but without the prefix ``assert_``, e.g. accessing
``called_once`` instead of ``assert_called_once``. This is in addition to
this already happening for accessing attributes with prefixes ``assert``,
``assret``, ``asert``, ``aseert``, and ``assrt``.
- gh-96127: ``inspect.signature`` was raising ``TypeError`` on call with
mock objects. Now it correctly returns ``(*args, **kwargs)`` as infered
signature.
```
### 5.0.0
```
-----
- gh-98624: Add a mutex to unittest.mock.NonCallableMock to protect
concurrent access to mock attributes.
- bpo-43478: Mocks can no longer be used as the specs for other Mocks. As a
result, an already-mocked object cannot have an attribute mocked using
`autospec=True` or be the subject of a `create_autospec(...)` call. This
can uncover bugs in tests since these Mock-derived Mocks will always pass
certain tests (e.g. isinstance) and builtin assert functions (e.g.
assert_called_once_with) will unconditionally pass.
- bpo-45156: Fixes infinite loop on :func:`unittest.mock.seal` of mocks
created by :func:`~unittest.create_autospec`.
- bpo-41403: Make :meth:`mock.patch` raise a :exc:`TypeError` with a
relevant error message on invalid arg. Previously it allowed a cryptic
:exc:`AttributeError` to escape.
- gh-91803: Fix an error when using a method of objects mocked with
:func:`unittest.mock.create_autospec` after it was sealed with
:func:`unittest.mock.seal` function.
- bpo-41877: AttributeError for suspected misspellings of assertions on
mocks are now pointing out that the cause are misspelled assertions and
also what to do if the misspelling is actually an intended attribute name.
The unittest.mock document is also updated to reflect the current set of
recognised misspellings.
- bpo-43478: Mocks can no longer be provided as the specs for other Mocks.
As a result, an already-mocked object cannot be passed to `mock.Mock()`.
This can uncover bugs in tests since these Mock-derived Mocks will always
pass certain tests (e.g. isinstance) and builtin assert functions (e.g.
assert_called_once_with) will unconditionally pass.
- bpo-45010: Remove support of special method ``__div__`` in
:mod:`unittest.mock`. It is not used in Python 3.
- gh-84753: :func:`inspect.iscoroutinefunction` now properly returns
``True`` when an instance of :class:`unittest.mock.AsyncMock` is passed to
it. This makes it consistent with behavior of
:func:`asyncio.iscoroutinefunction`. Patch by Mehdi ABAAKOUK.
- bpo-46852: Remove the undocumented private ``float.__set_format__()``
method, previously known as ``float.__setformat__()`` in Python 3.7. Its
docstring said: "You probably don't want to use this function. It exists
mainly to be used in Python's test suite." Patch by Victor Stinner.
- gh-98086: Make sure ``patch.dict()`` can be applied on async functions.
- gh-100287: Fix the interaction of :func:`unittest.mock.seal` with
:class:`unittest.mock.AsyncMock`.
- gh-83076: Instantiation of ``Mock()`` and ``AsyncMock()`` is now 3.8x
faster.
- bpo-41877: A check is added against misspellings of autospect, auto_spec
and set_spec being passed as arguments to patch, patch.object and
create_autospec.
```
Links
- PyPI: https://pypi.org/project/mock
- Changelog: https://data.safetycli.com/changelogs/mock/
- Docs: http://mock.readthedocs.org/en/latest/
Changelog
### 8.1.7
```
-------------
Released 2023-08-17
- Fix issue with regex flags in shell completion. :issue:`2581`
- Bash version detection issues a warning instead of an error. :issue:`2574`
- Fix issue with completion script for Fish shell. :issue:`2567`
```
### 8.1.6
```
-------------
Released 2023-07-18
- Fix an issue with type hints for ``click.group()``. :issue:`2558`
```
### 8.1.5
```
-------------
Released 2023-07-13
- Fix an issue with type hints for ``click.command()``, ``click.option()``, and
other decorators. Introduce typing tests. :issue:`2558`
```
### 8.1.4
```
-------------
Released 2023-07-06
- Replace all ``typing.Dict`` occurrences to ``typing.MutableMapping`` for
parameter hints. :issue:`2255`
- Improve type hinting for decorators and give all generic types parameters.
:issue:`2398`
- Fix return value and type signature of `shell_completion.add_completion_class`
function. :pr:`2421`
- Bash version detection doesn't fail on Windows. :issue:`2461`
- Completion works if there is a dot (``.``) in the program name. :issue:`2166`
- Improve type annotations for pyright type checker. :issue:`2268`
- Improve responsiveness of ``click.clear()``. :issue:`2284`
- Improve command name detection when using Shiv or PEX. :issue:`2332`
- Avoid showing empty lines if command help text is empty. :issue:`2368`
- ZSH completion script works when loaded from ``fpath``. :issue:`2344`.
- ``EOFError`` and ``KeyboardInterrupt`` tracebacks are not suppressed when
``standalone_mode`` is disabled. :issue:`2380`
- ``group.command`` does not fail if the group was created with a custom
``command_class``. :issue:`2416`
- ``multiple=True`` is allowed for flag options again and does not require
setting ``default=()``. :issue:`2246, 2292, 2295`
- Make the decorators returned by ``argument()`` and ``option()`` reusable when the
``cls`` parameter is used. :issue:`2294`
- Don't fail when writing filenames to streams with strict errors. Replace invalid
bytes with the replacement character (``�``). :issue:`2395`
- Remove unnecessary attempt to detect MSYS2 environment. :issue:`2355`
- Remove outdated and unnecessary detection of App Engine environment. :pr:`2554`
- ``echo()`` does not fail when no streams are attached, such as with ``pythonw`` on
Windows. :issue:`2415`
- Argument with ``expose_value=False`` do not cause completion to fail. :issue:`2336`
```
### 8.1.3
```
-------------
Released 2022-04-28
- Use verbose form of ``typing.Callable`` for ``command`` and
``group``. :issue:`2255`
- Show error when attempting to create an option with
``multiple=True, is_flag=True``. Use ``count`` instead.
:issue:`2246`
```
### 8.1.2
```
-------------
Released 2022-03-31
- Fix error message for readable path check that was mixed up with the
executable check. :pr:`2236`
- Restore parameter order for ``Path``, placing the ``executable``
parameter at the end. It is recommended to use keyword arguments
instead of positional arguments. :issue:`2235`
```
### 8.1.1
```
-------------
Released 2022-03-30
- Fix an issue with decorator typing that caused type checking to
report that a command was not callable. :issue:`2227`
```
### 8.1.0
```
-------------
Released 2022-03-28
- Drop support for Python 3.6. :pr:`2129`
- Remove previously deprecated code. :pr:`2130`
- ``Group.resultcallback`` is renamed to ``result_callback``.
- ``autocompletion`` parameter to ``Command`` is renamed to
``shell_complete``.
- ``get_terminal_size`` is removed, use
``shutil.get_terminal_size`` instead.
- ``get_os_args`` is removed, use ``sys.argv[1:]`` instead.
- Rely on :pep:`538` and :pep:`540` to handle selecting UTF-8 encoding
instead of ASCII. Click's locale encoding detection is removed.
:issue:`2198`
- Single options boolean flags with ``show_default=True`` only show
the default if it is ``True``. :issue:`1971`
- The ``command`` and ``group`` decorators can be applied with or
without parentheses. :issue:`1359`
- The ``Path`` type can check whether the target is executable.
:issue:`1961`
- ``Command.show_default`` overrides ``Context.show_default``, instead
of the other way around. :issue:`1963`
- Parameter decorators and ``group`` handles ``cls=None`` the same as
not passing ``cls``. ``option`` handles ``help=None`` the same as
not passing ``help``. :issue:`1959`
- A flag option with ``required=True`` requires that the flag is
passed instead of choosing the implicit default value. :issue:`1978`
- Indentation in help text passed to ``Option`` and ``Command`` is
cleaned the same as using the ``option`` and ``command``
decorators does. A command's ``epilog`` and ``short_help`` are also
processed. :issue:`1985`
- Store unprocessed ``Command.help``, ``epilog`` and ``short_help``
strings. Processing is only done when formatting help text for
output. :issue:`2149`
- Allow empty str input for ``prompt()`` when
``confir
Update future from 0.18.2 to 1.0.0.
The bot wasn't able to find a changelog for this release. Got an idea?
Links
- PyPI: https://pypi.org/project/future - Homepage: https://python-future.org - Docs: https://pythonhosted.org/future/Update ecdsa from 0.16.1 to 0.18.0.
Changelog
### 0.18.0 ``` New API: * `curve_by_name` in `curves` module to get a `Curve` object by providing curve name. Bug fix: * Make the `VerifyingKey` encoded with explicit parameters use the same kind of point encoding for public key and curve generator. * Better handling of malformed curve parameters (as in CVE-2022-0778); make python-ecdsa raise `MalformedPointError` instead of `AssertionError`. Doc fix: * Publish the documentation on https://ecdsa.readthedocs.io/, include explanation of basics of handling of ECC data formats and how to use the library for elliptic curve arithmetic. * Make object names more consistent, make them into hyperlinks on the readthedocs documentation. * Make security note more explicit (Ian Rodney) * Fix the `explicit` vs `named_curve` confusion in `VerifyingKey` docs. Maintenance: * Updated black version; slight changes to formatting * Include interoperability tests for Ed25519 and Ed448 with OpenSSL. ``` ### 0.18.0beta2 ``` New features: * Support for point precomputation for EdDSA. Maintenance: * Fix few typos (thanks to Tim Gates and Kian Meng Ang). Bug fix: * Accept private EdDSA keys that include public key in the ASN.1 structure. * Fix incompatibility with Python 3.3 in handling of memoryviews of empty strings. ``` ### 0.18.0beta1 ``` New features: * Support for EdDSA (Ed25519, Ed448) signature creation and verification. * Support for Ed25519 and Ed448 in PKCS8 and public key files. New API: * CurveEdTw class to represent the Twisted Edwards curve parameters. * PointEdwards class to represent points on Twisted Edwards curve and provide point arithmetic on it. ``` ### 0.17.0 ``` New API: * Keys that use explicit curve parameters can now be read and written. Reading of explicit curves can be disabled by using the `valid_curve_encodings` keyword argument in `VerifyingKey.from_pem()`, `VerifyingKey.from_der()`, `SigningKey.from_pem()`, and `SigningKey.from_der()`. * Keys can now be written with use of explicit curve parameters, use `curve_parameters_encoding` keyword argument of `VerifyingKey.to_pem()`, `VerifyingKey.to_der()`, `SigningKey.to_pem(), or `SigningKey.to_der()` to specify the format. By default `named_curve` will be used, unless the curve doesn't have an associated OID (as will be the case for an unsupported curve), then `explicit` encoding will be used. * Allow specifying acceptable point formats when loading public keys (this also fixes a minor bug where python-ecdsa would accept raw encoding for points in PKCS8 files). Set of accepted encodings is controlled by `valid_encodings` keyword argument in `ECDH.load_received_public_key_bytes()`, `VerifyingKey.from_string()`, `VerifyingKey.from_pem()`, VerifyingKey.from_der()`. * `PointJacobi` and `Point` now inherit from `AbstractPoint` that implements the methods for parsing points. That added `from_bytes()` and `to_bytes()` methods to both of them. * Curve parameters can now be read and written to PEM and DER files. The `Curve` class supports new `to_der()`, `from_der()`, `to_pem()`, and `from_pem()` methods. Doc fix: * Describe in detail which methods can raise `RSZeroError`, and that `SigningKey.sign_deterministic()` won't raise it. Bug fix: * Correctly truncate hash values larger than the curve order (only impacted custom curves and the curves added in this release). * Correctly handle curves for which the order is larger than the prime (only impacted custom curves and the secp160r1 curve added in this release). * Fix the handling of `==` and `!=` for `Public_key`, `Private_key`, `Point`, `PointJacobi`, `VerifyingKey`, and `SigningKey` so that it behaves consistently and in the expected way both in Python 2 and Python 3. * Implement lock-less algorithm inside PointJacobi for keeping shared state so that when a calculation is aborted with KeyboardInterrupt, the state doesn't become corrupted (this fixes the occasional breakage of ecdsa in interactive shells). New features: * The `speed.py` script now provides performance for signature verification without the use of precomputation. * New curves supported: secp112r1, secp112r2, secp128r1, secp160r1. Performance: * Use 2-ary Non-Adjacent Form for the combined multiply-add. This speeds up single-shot verify (i.e. without precomputation) by about 4 to 5%. * Use native Python 3.8 support for calculating multiplicative inverses. Maintenance: * Include Python 3.9 in PyPI keywords. * More realistic branch coverage counting (ignore Python version-specific branches). * Additional test coverage to many parts of the library. * Migrate to Github Actions for Continuous Testing. ```Links
- PyPI: https://pypi.org/project/ecdsa - Changelog: https://data.safetycli.com/changelogs/ecdsa/ - Repo: http://github.com/tlsfuzzer/python-ecdsaUpdate requests from 2.25.1 to 2.31.0.
Changelog
### 2.31.0 ``` ------------------- **Security** - Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of `Proxy-Authorization` headers to destination servers when following HTTPS redirects. When proxies are defined with user info (https://user:passproxy:8080), Requests will construct a `Proxy-Authorization` header that is attached to the request to authenticate with the proxy. In cases where Requests receives a redirect response, it previously reattached the `Proxy-Authorization` header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are *strongly* encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed. Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability. Full details can be read in our [Github Security Advisory](https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q) and [CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681). ``` ### 2.30.0 ``` ------------------- **Dependencies** - ⚠️ Added support for urllib3 2.0. ⚠️ This may contain minor breaking changes so we advise careful testing and reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html prior to upgrading. Users who wish to stay on urllib3 1.x can pin to `urllib3<2`. ``` ### 2.29.0 ``` ------------------- **Improvements** - Requests now defers chunked requests to the urllib3 implementation to improve standardization. (6226) - Requests relaxes header component requirements to support bytes/str subclasses. (6356) ``` ### 2.28.2 ``` ------------------- **Dependencies** - Requests now supports charset\_normalizer 3.x. (6261) **Bugfixes** - Updated MissingSchema exception to suggest https scheme rather than http. (6188) ``` ### 2.28.1 ``` ------------------- **Improvements** - Speed optimization in `iter_content` with transition to `yield from`. (6170) **Dependencies** - Added support for chardet 5.0.0 (6179) - Added support for charset-normalizer 2.1.0 (6169) ``` ### 2.28.0 ``` ------------------- **Deprecations** - ⚠️ Requests has officially dropped support for Python 2.7. ⚠️ (6091) - Requests has officially dropped support for Python 3.6 (including pypy3.6). (6091) **Improvements** - Wrap JSON parsing issues in Request's JSONDecodeError for payloads without an encoding to make `json()` API consistent. (6097) - Parse header components consistently, raising an InvalidHeader error in all invalid cases. (6154) - Added provisional 3.11 support with current beta build. (6155) - Requests got a makeover and we decided to paint it black. (6095) **Bugfixes** - Fixed bug where setting `CURL_CA_BUNDLE` to an empty string would disable cert verification. All Requests 2.x versions before 2.28.0 are affected. (6074) - Fixed urllib3 exception leak, wrapping `urllib3.exceptions.SSLError` with `requests.exceptions.SSLError` for `content` and `iter_content`. (6057) - Fixed issue where invalid Windows registry entries caused proxy resolution to raise an exception rather than ignoring the entry. (6149) - Fixed issue where entire payload could be included in the error message for JSONDecodeError. (6036) ``` ### 2.27.1 ``` ------------------- **Bugfixes** - Fixed parsing issue that resulted in the `auth` component being dropped from proxy URLs. (6028) ``` ### 2.27.0 ``` ------------------- **Improvements** - Officially added support for Python 3.10. (5928) - Added a `requests.exceptions.JSONDecodeError` to unify JSON exceptions between Python 2 and 3. This gets raised in the `response.json()` method, and is backwards compatible as it inherits from previously thrown exceptions. Can be caught from `requests.exceptions.RequestException` as well. (5856) - Improved error text for misnamed `InvalidSchema` and `MissingSchema` exceptions. This is a temporary fix until exceptions can be renamed (Schema->Scheme). (6017) - Improved proxy parsing for proxy URLs missing a scheme. This will address recent changes to `urlparse` in Python 3.9+. (5917) **Bugfixes** - Fixed defect in `extract_zipped_paths` which could result in an infinite loop for some paths. (5851) - Fixed handling for `AttributeError` when calculating length of files obtained by `Tarfile.extractfile()`. (5239) - Fixed urllib3 exception leak, wrapping `urllib3.exceptions.InvalidHeader` with `requests.exceptions.InvalidHeader`. (5914) - Fixed bug where two Host headers were sent for chunked requests. (5391) - Fixed regression in Requests 2.26.0 where `Proxy-Authorization` was incorrectly stripped from all requests sent with `Session.send`. (5924) - Fixed performance regression in 2.26.0 for hosts with a large number of proxies available in the environment. (5924) - Fixed idna exception leak, wrapping `UnicodeError` with `requests.exceptions.InvalidURL` for URLs with a leading dot (.) in the domain. (5414) **Deprecations** - Requests support for Python 2.7 and 3.6 will be ending in 2022. While we don't have exact dates, Requests 2.27.x is likely to be the last release series providing support. ``` ### 2.26.0 ``` ------------------- **Improvements** - Requests now supports Brotli compression, if either the `brotli` or `brotlicffi` package is installed. (5783) - `Session.send` now correctly resolves proxy configurations from both the Session and Request. Behavior now matches `Session.request`. (5681) **Bugfixes** - Fixed a race condition in zip extraction when using Requests in parallel from zip archive. (5707) **Dependencies** - Instead of `chardet`, use the MIT-licensed `charset_normalizer` for Python3 to remove license ambiguity for projects bundling requests. If `chardet` is already installed on your machine it will be used instead of `charset_normalizer` to keep backwards compatibility. (5797) You can also install `chardet` while installing requests by specifying `[use_chardet_on_py3]` extra as follows: shell pip install "requests[use_chardet_on_py3]" Python2 still depends upon the `chardet` module. - Requests now supports `idna` 3.x on Python 3. `idna` 2.x will continue to be used on Python 2 installations. (5711) **Deprecations** - The `requests[security]` extra has been converted to a no-op install. PyOpenSSL is no longer the recommended secure option for Requests. (5867) - Requests has officially dropped support for Python 3.5. (5867) ```Links
- PyPI: https://pypi.org/project/requests - Changelog: https://data.safetycli.com/changelogs/requests/ - Docs: https://requests.readthedocs.ioUpdate websocket-client from 0.58.0 to 1.7.0.
Changelog
### 1.7.0 ``` - Renamed `mask` variable in ABNF to prevent name collision with `mask()` function (9b51f73) - Fixed old http import of HTTPStatus in _handshake.py (9b51f73) - Add `send_text()` and `send_bytes()` to _app.py (953) - Improved typehint support (953, 9b51f73, 8b73d00) - General readability improvements, made all string concatenations use f-strings (909, 780584f, 3eabc6e) - Applied black formatting style to code (da7f286) ``` ### 1.6.4 ``` - Fix 952, add support for HTTP 307 and 308 redirect codes (69468ad) ``` ### 1.6.3 ``` - Fix type hints issues (949) - Add support for Python beta release 3.12 in CI (946) - Add maintainer email in setup.py (3d464fc) ``` ### 1.6.2 ``` - Add support for SSLKEYLOGFILE environment variable (943) - Add support for callable header arguments (932) - Change handling of proxy environment variables, is_secure set to true now prevents http_proxy from getting used (929) ``` ### 1.6.1 ``` - Fix Dispatcher keyboard interrupt. Should solve reconnect loop with rel (924) ``` ### 1.6.0 ``` - Fix teardown issue when ping thread is not properly ended (918) - Fix double ping wait time on first ping (912) - Minor type hints improvements (eda6724, 54b3013) ``` ### 1.5.3 ``` - Add logic to avoid error in the case where content-length header does not exist, bug introduced in 1.5.2 (911) - Fix wsdump.py script typing, bug introduced in 1.5.2 (914) ``` ### 1.5.2 ``` - Add type hints (908) - Fix pytype errors (906) - Fix args passed to logging function (898) - Standardize PEP 3101 formatting (c6a445f) - Add more verbose exception for unsuccessful handshake for 900 (f85ae1f) ``` ### 1.5.1 ``` - Fix logic bug that can cause disconnects (893) ``` ### 1.5.0 ``` - Refactor and improve ping/pong logic to resolve several issues, including an infinite loop issue during reconnect (862) - Fix issue where `skip_utf8_validation = True` is ignored (886) - Fix issue where sslopt `is_ssl` is ignored (875) - Downgrade "websocket connected" message from logging.warning to logging.info (888) - Update github actions to newer versions (669fe1b) ``` ### 1.4.2 ``` - create_dispatcher is determined by URL ws/wss, NOT by presence of sslopt args, to maintain consistency (875) - Remove redundant key generation line (864) - Updated docs to fix old links and updated CI to include Python 3.11 ``` ### 1.4.1 ``` - Fix stack growth bug when `run_forever` reconnects (854) - Add doctest CI for sphinx docs code examples (d150099) - General docs improvements ``` ### 1.4.0 ``` - Fix automatic reconnect with `run_forever` (838) - Allow a timeout to be set when using a proxy (842) ``` ### 1.3.3 ``` - Fix unclosed socket error (826) - Update header dict access (818) - Add utf8 workaround to docs (fc9ee9f) ``` ### 1.3.2 ``` - Add support for pre-initialized stream socket in new WebSocketApp (804) - Remove rel.saferead() in examples (f0bf03d) - Increase scope of linting checks (dca4022) - Start adding type hints (a8a4099) ``` ### 1.3.1 ``` - Fix 10 year old bug and improve dispatcher handling for run_forever (795) - Fix run_forever to never return None, only return True or False, and add two tests (788) - Remove Python 3.6 support, EOL in Dec 2021 ``` ### 1.3.0 ``` - BREAKING: Set Origin header to use https:// scheme when wss:// WebSocket URL is passed (#787) - Replace deprecated/broken WebSocket URLs with working ones (6ad5197) - Add documentation referencing rel for automatic reconnection with run_forever() - Add missing opcodes 1012, 1013 (771) - Add errno.ENETUNREACH to improve error handling (da1b050) - Minor documentation improvements and typo fixes ``` ### 1.2.3 ``` - Fix broken run_forever() functionality (769) ``` ### 1.2.2 ``` - Migrate wsdump script in setup.py from scripts to newer entry_points (763) - Add support for ssl.SSLContext for arbitrary SSL parameters (762) - Remove keep_running variable (752) - Remove HAVE_CONTEXT_CHECK_HOSTNAME variable (dac1692) - Replace deprecated ssl.PROTOCOL_TLS with ssl.PROTOCOL_TLS_CLIENT (760) - Simplify code and improve Python 3 support (751, 750, 746) - Fill default license template fields (748) - Update CI tests - Improve documentation (732, 733, 734, 737, 766, 768) ``` ### 1.2.1 ``` - Fix python-socks dependency issue mentioned in 728 - Replace echo.websocket.org with a local websockets echo server for unit tests (4951de2) ``` ### 1.2.0 ``` - Fix 697, 665: Transition from LGPL 2.1 license to Apache 2.0 license - Revert 417 and reimplement SOCKS proxy support with python-socks instead of PySocks (fbcbd43) ``` ### 1.1.1 ``` - Fix 377: increase exception verbosity in _app.py callback exception - Fix 717: race condition during connection close - Fix 722: improve handling where credentials include symbols like - Fix 711: improve handling if ssl is None ``` ### 1.1.0 ``` - Set enable_multithread to True by default (beb135a) - Performance improvement in _mask() function (287970e, 433) - Performance improvement in recv_strict() function (60e4711, 255) - Performance improvement by removing numpy-related code (a462d45) - Support uppercase no_proxy, http_proxy, https_proxy env vars (150df4f, 700) - Add sslopt 'server_hostname' support (698) - Replace deprecated ssl.PROTOCOL_SSLv23 with ssl.PROTOCOL_TLS (494564f) - Update documentation, README (7c9d604, 704) ``` ### 1.0.1 ``` - Fix exception handling bug 694 ``` ### 1.0.0 ``` - Removed Python 2 code, now only Python 3 compatible (d45343b, b7c5733, ff67af8) - Use semver for release versions, unlike breaking release 0.58.0 (669) - Enhance enableTrace output (13e83b4) - Improve unit tests to over 80% code coverage (1679ab0, a00dd2d, etc.) - Fix old _app.py close status code bug (resulted in on_close() requiring 3 args) (686) - Replace select import with selectors (568) ``` ### 0.59.0 ``` - Last main release to support Python 2 - Fix Python 2 urlparse scheme (332) - Add support for headers with multiple values (627) - Add debug support for reserved custom status codes (639) - Allow multiple Set-Cookie: headers (649) - Simplified cookie sorting (662) - Add no_proxy support (671) - Add Host header to HTTP proxy request (677) - Improve PEP8 style compliance (dc3f5c4) ```Links
- PyPI: https://pypi.org/project/websocket-client - Changelog: https://data.safetycli.com/changelogs/websocket-client/ - Repo: https://github.com/websocket-client/websocket-client/releasesUpdate pytz from 2021.1 to 2024.1.
The bot wasn't able to find a changelog for this release. Got an idea?
Links
- PyPI: https://pypi.org/project/pytz - Homepage: http://pythonhosted.org/pytz - Docs: https://pythonhosted.org/pytz/Update pycryptodomex from 3.10.1 to 3.20.0.
The bot wasn't able to find a changelog for this release. Got an idea?
Links
- PyPI: https://pypi.org/project/pycryptodomex - Homepage: https://www.pycryptodome.orgUpdate scrypt from 0.8.18 to 0.8.21.
Changelog
### 0.8.21 ``` Build wheels for pypi ``` ### 0.8.20 ``` * Fix 8 by adding missing gettimeofday.c to MANIFEST.in ```Links
- PyPI: https://pypi.org/project/scrypt - Changelog: https://data.safetycli.com/changelogs/scrypt/ - Repo: https://github.com/holgern/py-scryptUpdate cryptography from 3.4.7 to 42.0.5.
Changelog
### 42.0.5 ``` ~~~~~~~~~~~~~~~~~~~ * Limit the number of name constraint checks that will be performed in :mod:`X.509 path validation <cryptography.x509.verification>` to protect against denial of service attacks. * Upgrade ``pyo3`` version, which fixes building on PowerPC. .. _v42-0-4: ``` ### 42.0.4 ``` ~~~~~~~~~~~~~~~~~~~ * Fixed a null-pointer-dereference and segfault that could occur when creating a PKCS12 bundle. Credit to **Alexander-Programming** for reporting the issue. **CVE-2024-26130** * Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities`` and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the definitions in :rfc:`2633` :rfc:`3370`. .. _v42-0-3: ``` ### 42.0.3 ``` ~~~~~~~~~~~~~~~~~~~ * Fixed an initialization issue that caused key loading failures for some users. .. _v42-0-2: ``` ### 42.0.2 ``` ~~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1. * Fixed an issue that prevented the use of Python buffer protocol objects in ``sign`` and ``verify`` methods on asymmetric keys. * Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey`` :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`, ``X25519PrivateKey`` :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`, ``X448PrivateKey`` :meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`, and ``DHPrivateKey`` :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`. .. _v42-0-1: ``` ### 42.0.1 ``` ~~~~~~~~~~~~~~~~~~~ * Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey`` :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign`. * Resolved compatibility issue with loading certain RSA public keys in :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`. .. _v42-0-0: ``` ### 42.0.0 ``` ~~~~~~~~~~~~~~~~~~~ * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.7. * **BACKWARDS INCOMPATIBLE:** Loading a PKCS7 with no content field using :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates` or :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates` will now raise a ``ValueError`` rather than return an empty list. * Parsing SSH certificates no longer permits malformed critical options with values, as documented in the 41.0.2 release notes. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.0. * Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0. * We now publish both ``py37`` and ``py39`` ``abi3`` wheels. This should resolve some errors relating to initializing a module multiple times per process. * Support :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` for X.509 certificate signing requests and certificate revocation lists with the keyword-only argument ``rsa_padding`` on the ``sign`` methods for :class:`~cryptography.x509.CertificateSigningRequestBuilder` and :class:`~cryptography.x509.CertificateRevocationListBuilder`. * Added support for obtaining X.509 certificate signing request signature algorithm parameters (including PSS) via :meth:`~cryptography.x509.CertificateSigningRequest.signature_algorithm_parameters`. * Added support for obtaining X.509 certificate revocation list signature algorithm parameters (including PSS) via :meth:`~cryptography.x509.CertificateRevocationList.signature_algorithm_parameters`. * Added ``mgf`` property to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. * Added ``algorithm`` and ``mgf`` properties to :class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP`. * Added the following properties that return timezone-aware ``datetime`` objects: :meth:`~cryptography.x509.Certificate.not_valid_before_utc`, :meth:`~cryptography.x509.Certificate.not_valid_after_utc`, :meth:`~cryptography.x509.RevokedCertificate.revocation_date_utc`, :meth:`~cryptography.x509.CertificateRevocationList.next_update_utc`, :meth:`~cryptography.x509.CertificateRevocationList.last_update_utc`. These are timezone-aware variants of existing properties that return naïve ``datetime`` objects. * Deprecated the following properties that return naïve ``datetime`` objects: :meth:`~cryptography.x509.Certificate.not_valid_before`, :meth:`~cryptography.x509.Certificate.not_valid_after`, :meth:`~cryptography.x509.RevokedCertificate.revocation_date`, :meth:`~cryptography.x509.CertificateRevocationList.next_update`, :meth:`~cryptography.x509.CertificateRevocationList.last_update` in favor of the new timezone-aware variants mentioned above. * Added support for :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20` on LibreSSL. * Added support for RSA PSS signatures in PKCS7 with :meth:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder.add_signer`. * In the next release (43.0.0) of cryptography, loading an X.509 certificate with a negative serial number will raise an exception. This has been deprecated since 36.0.0. * Added support for :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCMSIV` when using OpenSSL 3.2.0+. * Added the :mod:`X.509 path validation <cryptography.x509.verification>` APIs for :class:`~cryptography.x509.Certificate` chains. These APIs should be considered unstable and not subject to our stability guarantees until documented as such in a future release. * Added support for :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SM4` :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` when using OpenSSL 3.0 or greater. .. _v41-0-7: ``` ### 41.0.7 ``` ~~~~~~~~~~~~~~~~~~~ * Fixed compilation when using LibreSSL 3.8.2. .. _v41-0-6: ``` ### 41.0.6 ``` ~~~~~~~~~~~~~~~~~~~ * Fixed a null-pointer-dereference and segfault that could occur when loading certificates from a PKCS7 bundle. Credit to **pkuzco** for reporting the issue. **CVE-2023-49083** .. _v41-0-5: ``` ### 41.0.5 ``` ~~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4. * Added a function to support an upcoming ``pyOpenSSL`` release. .. _v41-0-4: ``` ### 41.0.4 ``` ~~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3. .. _v41-0-3: ``` ### 41.0.3 ``` ~~~~~~~~~~~~~~~~~~~ * Fixed performance regression loading DH public keys. * Fixed a memory leak when using :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.2. .. _v41-0-2: ``` ### 41.0.2 ``` ~~~~~~~~~~~~~~~~~~~ * Fixed bugs in creating and parsing SSH certificates where critical options with values were handled incorrectly. Certificates are now created correctly and parsing accepts correct values as well as the previously generated invalid forms with a warning. In the next release, support for parsing these invalid forms will be removed. .. _v41-0-1: ``` ### 41.0.1 ``` ~~~~~~~~~~~~~~~~~~~ * Temporarily allow invalid ECDSA signature algorithm parameters in X.509 certificates, which are generated by older versions of Java. * Allow null bytes in pass phrases when serializing private keys. .. _v41-0-0: ``` ### 41.0.0 ``` ~~~~~~~~~~~~~~~~~~~ * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL less than 1.1.1d has been removed. Users on older version of OpenSSL will need to upgrade. * **BACKWARDS INCOMPATIBLE:** Support for Python 3.6 has been removed. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.6. * Updated the minimum supported Rust version (MSRV) to 1.56.0, from 1.48.0. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.1. * Added support for the :class:`~cryptography.x509.OCSPAcceptableResponses` OCSP extension. * Added support for the :class:`~cryptography.x509.MSCertificateTemplate` proprietary Microsoft certificate extension. * Implemented support for equality checks on all asymmetric public key types. * Added support for ``aes256-gcmopenssh.com`` encrypted keys in :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`. * Added support for obtaining X.509 certificate signature algorithm parameters (including PSS) via :meth:`~cryptography.x509.Certificate.signature_algorithm_parameters`. * Support signing :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` X.509 certificates via the new keyword-only argument ``rsa_padding`` on :meth:`~cryptography.x509.CertificateBuilder.sign`. * Added support for :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305` on BoringSSL. .. _v40-0-2: ``` ### 40.0.2 ``` ~~~~~~~~~~~~~~~~~~~ * Fixed compilation when using LibreSSL 3.7.2. * Added some functions to support an upcoming ``pyOpenSSL`` release. .. _v40-0-1: ``` ### 40.0.1 ``` ~~~~~~~~~~~~~~~~~~~ * Fixed a bug where certain operations would fail if an object happened to be in the top-half of the memory-space. This only impacted 32-bit systems. .. _v40-0-0: ``` ### 40.0.0 ``` ~~~~~~~~~~~~~~~~~~~ * **BACKWARDS INCOMPATIBLE:** As announced in the 39.0.0 changelog, the way ``cryptography`` links OpenSSL has changed. This only impacts users who build ``cryptography`` from source (i.e., not from a ``wheel``), and specify their own version of OpenSSL. For those users, the ``CFLAGS``, ``LDFLAGS``, ``INCLUDE``, ``LIB``, and ``CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS`` environment variables are no longer valid. Instead, users need to configure their builds `as documented here`_. * Support for Python 3.6 is deprecated and will be removed in the next release. * Deprecated the current minimum supported Rust version (MSRV) of 1.48.0. In the next release we will raise MSRV to 1.56.0. Users with the latest ``pip`` will typically get a wheel and not need Rust installed, but check :doc:`/installation` for documentation on installing a newer ``rustc`` if required. * Deprecated support for OpenSSL less than 1.1.1d. The next release of ``cryptography`` will drop support for older versions. * Deprecated support for DSA keys in :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` and :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`. * Deprecated support for OpenSSH serialization in :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` and :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`. * The minimum supported version of PyPy3 is now 7.3.10. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.0. * Added support for parsing SSH certificates in addition to public keys with :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_identity`. :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` continues to support only public keys. * Added support for generating SSH certificates with :class:`~cryptography.hazmat.primitives.serialization.SSHCertificateBuilder`. * Added :meth:`~cryptography.x509.Certificate.verify_directly_issued_by` to :class:`~cryptography.x509.Certificate`. * Added a check to :class:`~cryptography.x509.NameConstraints` to ensure that :class:`~cryptography.x509.DNSName` constraints do not contain any ``*`` wildcards. * Removed many unused CFFI OpenSSL bindings. This will not impact you unless you are using ``cryptography`` to directly invoke OpenSSL's C API. Note that these have never been considered a stable, supported, public API by ``cryptography``, this note is included as a courtesy. * The X.509 builder classes now raise ``UnsupportedAlgorithm`` instead of ``ValueError`` if an unsupported hash algorithm is passed. * Added public union type aliases for type hinting: * Asymmetric types: :const:`~cryptography.hazmat.primitives.asymmetric.types.PublicKeyTypes`, :const:`~cryptography.hazmat.primitives.asymmetric.types.PrivateKeyTypes`, :const:`~cryptography.hazmat.primitives.asymmetric.types.CertificatePublicKeyTypes`, :const:`~cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPublicKeyTypes`, :const:`~cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPrivateKeyTypes`. * SSH keys: :const:`~cryptography.hazmat.primitives.serialization.SSHPublicKeyTypes`, :const:`~cryptography.hazmat.primitives.serialization.SSHPrivateKeyTypes`, :const:`~cryptography.hazmat.primitives.serialization.SSHCertPublicKeyTypes`, :const:`~cryptography.hazmat.primitives.serialization.SSHCertPrivateKeyTypes`. * PKCS12: :const:`~cryptography.hazmat.primitives.serialization.pkcs12.PKCS12PrivateKeyTypes` * PKCS7: :const:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7HashTypes`, :const:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7PrivateKeyTypes`. * Two-factor: :const:`~cryptography.hazmat.primitives.twofactor.hotp.HOTPHashTypes` * Deprecated previously undocumented but not private type aliases in the ``cryptography.hazmat.primitives.asymmetric.types`` module in favor of new ones above. .. _v39-0-2: ``` ### 39.0.2 ``` ~~~~~~~~~~~~~~~~~~~ * Fixed a bug where the content type header was not properly encoded for PKCS7 signatures when using the ``Text`` option and ``SMIME`` encoding. .. _v39-0-1: ``` ### 39.0.1 ``` ~~~~~~~~~~~~~~~~~~~ * **SECURITY ISSUE** - Fixed a bug where ``Cipher.update_into`` accepted Python buffer protocol objects, but allowed immutable buffers. **CVE-2023-23931** * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8. .. _v39-0-0: ``` ### 39.0.0 ``` ~~~~~~~~~~~~~~~~~~~ * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.0 has been removed. Users on older version of OpenSSL will need to upgrade. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.5. The new minimum LibreSSL version is 3.5.0. Going forward our policy is to support versions of LibreSSL that are available in versions of OpenBSD that are still receiving security support. * **BACKWARDS INCOMPATIBLE:** Removed the ``encode_point`` and ``from_encoded_point`` methods on :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`, which had been deprecated for several years. :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes` and :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point` should be used instead. * **BACKWARDS INCOMPATIBLE:** Support for using MD5 or SHA1 in :class:`~cryptography.x509.CertificateBuilder`, other X.509 builders, and PKCS7 has been removed. * **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.10 and 10.11, macOS users must upgrade to 10.12 or newer. * **ANNOUNCEMENT:** The next version of ``cryptography`` (40.0) will change the way we link OpenSSL. This will only impact users who build ``cryptography`` from source (i.e., not from a ``wheel``), and specify their own version of OpenSSL. For those users, the ``CFLAGS``, ``LDFLAGS``, ``INCLUDE``, ``LIB``, and ``CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS`` environment variables will no longer be respected. Instead, users will need to configure their builds `as documented here`_. * Added support for :ref:`disabling the legacy provider in OpenSSL 3.0.x<legacy-provider>`. * Added support for disabling RSA key validation checks when loading RSA keys via :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`, :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`, and :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers.private_key`. This speeds up key loading but is :term:`unsafe` if you are loading potentially attacker supplied keys. * Significantly improved performance for :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305` when repeatedly calling ``encrypt`` or ``decrypt`` with the same key. * Added support for creating OCSP requests with precomputed hashes using :meth:`~cryptography.x509.ocsp.OCSPRequestBuilder.add_certificate_by_hash`. * Added support for loading multiple PEM-encoded X.509 certificates from a single input via :func:`~cryptography.x509.load_pem_x509_certificates`. .. _v38-0-4: ``` ### 38.0.4 ``` ~~~~~~~~~~~~~~~~~~~ * Fixed compilation when using LibreSSL 3.6.0. * Fixed error when using ``py2app`` to build an application with a ``cryptography`` dependency. .. _v38-0-3: ``` ### 38.0.3 ``` ~~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.7, which resolves *CVE-2022-3602* and *CVE-2022-3786*. .. _v38-0-2: ``` ### 38.0.2 ``` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. attention:: This release was subsequently yanked from PyPI due to a regression in OpenSSL. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.6. .. _v38-0-1: ``` ### 38.0.1 ``` ~~~~~~~~~~~~~~~~~~~ * Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically seen in large CRLs). .. _v38-0-0: ``` ### 38.0.0 ``` ~~~~~~~~~~~~~~~~~~~ * Final deprecation of OpenSSL 1.1.0. The next release of ``cryptography`` will drop support. * We no longer ship ``manylinux2010`` wheels. Users should upgrade to the latest ``pip`` to ensure this doesn't cause issues downloading wheels on their platform. We now ship ``manylinux_2_28`` wheels for users on new enough platforms. * Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0. Users with the latest ``pip`` will typically get a wheel and not need Rust installed, but check :doc:`/installation` for documentation on installing a newer ``rustc`` if required. * :meth:`~cryptography.fernet.Fernet.decrypt` and related methods now accept both ``str`` and ``bytes`` tokens. * Parsing ``CertificateSigningRequest`` restores the behavior of enforcing that the ``Extension`` ``critical`` field must be correctly encoded DER. See `the issue <https://github.com/pyca/cryptography/issues/6368>`_ for complete details. * Added two new OpenSSL functions to the bindings to support an upcoming ``pyOpenSSL`` release. * When parsing :class:`~cryptography.x509.CertificateRevocationList` and :class:`~cryptography.x509.CertificateSigningRequest` values, it is now enforced that the ``version`` value in the input must be valid according to the rules of :rfc:`2986` and :rfc:`5280`. * Using MD5 or SHA1 in :class:`~cryptography.x509.CertificateBuilder` and other X.509 builders is deprecated and support will be removed in the next version. * Added additional APIs to :class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp`, including :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_hash_algorithm`, :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_algorithm`, :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature`, and :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.extension_bytes`. * Added :attr:`~cryptography.x509.Certificate.tbs_precertificate_bytes`, allowing users to access the to-be-signed pre-certificate data needed for signed certificate timestamp verification. * :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC` and :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC` now support :attr:`~cryptography.hazmat.primitives.kdf.kbkdf.CounterLocation.MiddleFixed` counter location. * Fixed :rfc:`4514` name parsing to reverse the order of the RDNs according to the section 2.1 of the RFC, affecting method :meth:`~cryptography.x509.Name.from_rfc4514_string`. * It is now possible to customize some aspects of encryption when serializing private keys, using :meth:`~cryptography.hazmat.primitives.serialization.PrivateFormat.encryption_builder`. * Removed several legacy symbols from our OpenSSL bindings. Users of pyOpenSSL versions older than 22.0 will need to upgrade. * Added :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES128` and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES256` classes. These classes do not replace :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` (which allows all AES key lengths), but are intended for applications where developers want to be explicit about key length. .. _v37-0-4: ``` ### 37.0.4 ``` ~~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.5. .. _v37-0-3: ``` ### 37.0.3 ``` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. attention:: This release was subsequently yanked from PyPI due to a regression in OpenSSL. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.4. .. _v37-0-2: ``` ### 37.0.2 ``` ~~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.3. * Added a constant needed for an upcoming pyOpenSSL release. .. _v37-0-1: ``` ### 37.0.1 ``` ~~~~~~~~~~~~~~~~~~~ * Fixed an issue where parsing an encrypted private key with the public loader functions would hang waiting for console input on OpenSSL 3.0.x rather than raising an error. * Restored some legacy symbols for older ``pyOpenSSL`` users. These will be removed again in the future, so ``pyOpenSSL`` users should still upgrade to the latest version of that package when they upgrade ``cryptography``. .. _v37-0-0: ``` ### 37.0.0 ``` ~~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x and 3.0.x. The new minimum LibreSSL version is 3.1+. * **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier`` methods from the public key and private key classes. These methods were originally deprecated in version 2.0, but had an extended deprecation timeline due to usage. Any remaining users should transition to ``sign`` and ``verify``. * Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by the OpenSSL project. The next release of ``cryptography`` will be the last to support compiling with OpenSSL 1.1.0. * Deprecated Python 3.6 support. Python 3.6 is no longer supported by the Python core team. Support for Python 3.6 will be removed in a future ``cryptography`` release. * Deprecated the current minimum supported Rust version (MSRV) of 1.41.0. In the next release we will raise MSRV to 1.48.0. Users with the latest ``pip`` will typically get a wheel and not need Rust installed, but check :doc:`/installation` for documentation on installing a newer ``rustc`` if required. * Deprecated :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`, :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`, :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish` because they are legacy algorithms with extremely low usage. These will be removed in a future version of ``cryptography``. * Added limited support for distinguished names containing a bit string. * We now ship ``universal2`` wheels on macOS, which contain both ``arm64`` and ``x86_64`` architectures. Users on macOS should upgrade to the latest ``pip`` to ensure they can use this wheel, although we will continue to ship ``x86_64`` specific wheels for now to ease the transition. * This will be the final release for which we ship ``manylinux2010`` wheels. Going forward the minimum supported ``manylinux`` ABI for our wheels will be ``manylinux2014``. The vast majority of users will continue to receive ``manylinux`` wheels provided they have an up to date ``pip``. For PyPy wheels this release already requires ``manylinux2014`` for compatibility with binaries distributed by upstream. * Added support for multiple :class:`~cryptography.x509.ocsp.OCSPSingleResponse` in a :class:`~cryptography.x509.ocsp.OCSPResponse`. * Restored support for signing certificates and other structures in :doc:`/x509/index` with SHA3 hash algorithms. * :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` is disabled in FIPS mode. * Added support for serialization of PKCS12 CA friendly names/aliases in :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates` * Added support for 12-15 byte (96 to 120 bit) nonces to :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`. This class previously supported only 12 byte (96 bit). * Added support for :class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV` when using OpenSSL 3.0.0+. * Added support for serializing PKCS7 structures from a list of certificates with :class:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates`. * Added support for parsing :rfc:`4514` strings with :meth:`~cryptography.x509.Name.from_rfc4514_string`. * Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.AUTO` to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This can be used to verify a signature where the salt length is not already known. * Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.DIGEST_LENGTH` to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This constant will set the salt length to the same length as the ``PSS`` hash algorithm. * Added support for loading RSA-PSS key types with :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key` and :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`. This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a normal RSA private key, discarding the PSS constraint information. .. _v36-0-2: ``` ### 36.0.2 ``` ~~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n. .. _v36-0-1: ``` ### 36.0.1 ``` ~~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m. .. _v36-0-0: ``` ### 36.0.0 ``` ~~~~~~~~~~~~~~~~~~~ * **FINAL DEPRECATION** Support for ``verifier`` and ``signer`` on our asymmetric key classes was deprecated in version 2.0. These functions had an extended deprecation due to usage, however the next version of ``cryptography`` will drop support. Users should migrate to ``sign`` and ``verify``. * The entire :doc:`/x509/index` layer is now written in Rust. This allows alternate asymmetric key implementations that can support cloud key management services or hardware security modules provided they implement the necessary interface (for example: :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`). * :ref:`Deprecated the backend argument<faq-missing-backend>` for all functions. * Added support for :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`. * Added support for iterating over arbitrary request :attr:`~cryptography.x509.CertificateSigningRequest.attributes`. * Deprecated the ``get_attribute_for_oid`` method on :class:`~cryptography.x509.CertificateSigningRequest` in favor of :meth:`~cryptography.x509.Attributes.get_attribute_for_oid` on the new :class:`~cryptography.x509.Attributes` object. * Fixed handling of PEM files to allow loading when certificate and key are in the same file. * Fixed parsing of :class:`~cryptography.x509.CertificatePolicies` extensions containing legacy ``BMPString`` values in their ``explicitText``. * Allow parsing of negative serial numbers in certificates. Negative serial numbers are prohibited by :rfc:`5280` so a deprecation warning will be raised whenever they are encountered. A future version of ``cryptography`` will drop support for parsing them. * Added support for parsing PKCS12 files with friendly names for all certificates with :func:`~cryptography.hazmat.primitives.serialization.pkcs12.load_pkcs12`, which will return an object of type :class:`~cryptography.hazmat.primitives.serialization.pkcs12.PKCS12KeyAndCertificates`. * :meth:`~cryptography.x509.Name.rfc4514_string` and related methods now have an optional ``attr_name_overrides`` parameter to supply custom OID to name mappings, which can be used to match vendor-specific extensions. * **BACKWARDS INCOMPATIBLE:** Reverted the nonstandard formatting of email address fields as ``E`` in :meth:`~cryptography.x509.Name.rfc4514_string` methods from version 35.0. The previous behavior can be restored with: ``name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})`` * Allow :class:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey` and :class:`~cryptography.hazmat.primitives.asymmetric.x448.X448PublicKey` to be used as public keys when parsing certificates or creating them with :class:`~cryptography.x509.CertificateBuilder`. These key types must be signed with a different signing algorithm as ``X25519`` and ``X448`` do not support signing. * Extension values can now be serialized to a DER byte string by calling :func:`~cryptography.x509.ExtensionType.public_bytes`. * Added experimental support for compiling against BoringSSL. As BoringSSL does not commit to a stable API, ``cryptography`` tests against the latest commit only. Please note that several features are not available when building against BoringSSL. * Parsing ``CertificateSigningRequest`` from DER and PEM now, for a limited time period, allows the ``Extension`` ``critical`` field to be incorrectly encoded. See `the issue <https://github.com/pyca/cryptography/issues/6368>`_ for complete details. This will be reverted in a future ``cryptography`` release. * When :class:`~cryptography.x509.OCSPNonce` are parsed and generated their value is now correctly wrapped in an ASN.1 ``OCTET STRING``. This conforms to :rfc:`6960` but conflicts with the original behavior specified in :rfc:`2560`. For a temporary period for backwards compatibility, we will also parse values that are encoded as specified in :rfc:`2560` but this behavior will be removed in a future release. .. _v35-0-0: ``` ### 35.0.0 ``` ~~~~~~~~~~~~~~~~~~~ * Changed the :ref:`version scheme <api-stability:versioning>`. This will result in us incrementing the major version more frequently, but does not change our existing backwards compatibility policy. * **BACKWARDS INCOMPATIBLE:** The :doc:`/x509/index` PEM parsers now require that the PEM string passed have PEM delimiters of the correct type. For example, parsing a private key PEM concatenated with a certificate PEM will no longer be accepted by the PEM certificate parser. * **BACKWARDS INCOMPATIBLE:** The X.509 certificate parser no longer allows negative serial numbers. :rfc:`5280` has always prohibited these. * **BACKWARDS INCOMPATIBLE:** Additional forms of invalid ASN.1 found during :doc:`/x509/index` parsing will raise an error on initial parse rather than when the malformed field is accessed. * Rust is now required for building ``cryptography``, the ``CRYPTOGRAPHY_DONT_BUILD_RUST`` environment variable is no longer respected. * Parsers for :doc:`/x509/index` no longer use OpenSSL and have been rewritten in Rust. This should be backwards compatible (modulo the items listed above) and improve both security and performance. * Added support for OpenSSL 3.0.0 as a compilation target. * Added support for :class:`~cryptography.hazmat.primitives.hashes.SM3` and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SM4`, when using OpenSSL 1.1.1. These algorithms are provided for compatibility in regions where they may be required, and are not generally recommended. * We now ship ``manylinux_2_24`` and ``musllinux_1_1`` wheels, in addition to our ``manylinux2010`` and ``manylinux2014`` wheels. Users on distributions like Alpine Linux should ensure they upgrade to the latest ``pip`` to correctly receive wheels. * Added ``rfc4514_attribute_name`` attribute to :attr:`x509.NameAttribute <cryptography.x509.NameAttribute.rfc4514_attribute_name>`. * Added :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC`. .. _v3-4-8: ``` ### 3.4.8 ``` ~~~~~~~~~~~~~~~~~~ * Updated Windows, macOS, and ``manylinux`` wheels to be compiled with OpenSSL 1.1.1l. .. _v3-4-7: ```Links
- PyPI: https://pypi.org/project/cryptography - Changelog: https://data.safetycli.com/changelogs/cryptography/Update mock from 4.0.3 to 5.1.0.
Changelog
### 5.1.0 ``` ----- - bpo-44185: :func:`unittest.mock.mock_open` will call the :func:`close` method of the file handle mock when it is exiting from the context manager. Patch by Samet Yaslan. - gh-94924: :func:`unittest.mock.create_autospec` now properly returns coroutine functions compatible with :func:`inspect.iscoroutinefunction` - bpo-17013: Add ``ThreadingMock`` to :mod:`unittest.mock` that can be used to create Mock objects that can wait until they are called. Patch by Karthikeyan Singaravelan and Mario Corchero. - bpo-41768: :mod:`unittest.mock` speccing no longer calls class properties. Patch by Melanie Witt. ``` ### 5.0.2 ``` ----- - gh-102978: Fixes :func:`unittest.mock.patch` not enforcing function signatures for methods decorated with ``classmethod`` or ``staticmethod`` when patch is called with ``autospec=True``. - gh-103329: Regression tests for the behaviour of ``unittest.mock.PropertyMock`` were added. ``` ### 5.0.1 ``` ----- - gh-100740: Fix ``unittest.mock.Mock`` not respecting the spec for attribute names prefixed with ``assert``. - gh-100690: ``Mock`` objects which are not unsafe will now raise an ``AttributeError`` when accessing an attribute that matches the name of an assertion but without the prefix ``assert_``, e.g. accessing ``called_once`` instead of ``assert_called_once``. This is in addition to this already happening for accessing attributes with prefixes ``assert``, ``assret``, ``asert``, ``aseert``, and ``assrt``. - gh-96127: ``inspect.signature`` was raising ``TypeError`` on call with mock objects. Now it correctly returns ``(*args, **kwargs)`` as infered signature. ``` ### 5.0.0 ``` ----- - gh-98624: Add a mutex to unittest.mock.NonCallableMock to protect concurrent access to mock attributes. - bpo-43478: Mocks can no longer be used as the specs for other Mocks. As a result, an already-mocked object cannot have an attribute mocked using `autospec=True` or be the subject of a `create_autospec(...)` call. This can uncover bugs in tests since these Mock-derived Mocks will always pass certain tests (e.g. isinstance) and builtin assert functions (e.g. assert_called_once_with) will unconditionally pass. - bpo-45156: Fixes infinite loop on :func:`unittest.mock.seal` of mocks created by :func:`~unittest.create_autospec`. - bpo-41403: Make :meth:`mock.patch` raise a :exc:`TypeError` with a relevant error message on invalid arg. Previously it allowed a cryptic :exc:`AttributeError` to escape. - gh-91803: Fix an error when using a method of objects mocked with :func:`unittest.mock.create_autospec` after it was sealed with :func:`unittest.mock.seal` function. - bpo-41877: AttributeError for suspected misspellings of assertions on mocks are now pointing out that the cause are misspelled assertions and also what to do if the misspelling is actually an intended attribute name. The unittest.mock document is also updated to reflect the current set of recognised misspellings. - bpo-43478: Mocks can no longer be provided as the specs for other Mocks. As a result, an already-mocked object cannot be passed to `mock.Mock()`. This can uncover bugs in tests since these Mock-derived Mocks will always pass certain tests (e.g. isinstance) and builtin assert functions (e.g. assert_called_once_with) will unconditionally pass. - bpo-45010: Remove support of special method ``__div__`` in :mod:`unittest.mock`. It is not used in Python 3. - gh-84753: :func:`inspect.iscoroutinefunction` now properly returns ``True`` when an instance of :class:`unittest.mock.AsyncMock` is passed to it. This makes it consistent with behavior of :func:`asyncio.iscoroutinefunction`. Patch by Mehdi ABAAKOUK. - bpo-46852: Remove the undocumented private ``float.__set_format__()`` method, previously known as ``float.__setformat__()`` in Python 3.7. Its docstring said: "You probably don't want to use this function. It exists mainly to be used in Python's test suite." Patch by Victor Stinner. - gh-98086: Make sure ``patch.dict()`` can be applied on async functions. - gh-100287: Fix the interaction of :func:`unittest.mock.seal` with :class:`unittest.mock.AsyncMock`. - gh-83076: Instantiation of ``Mock()`` and ``AsyncMock()`` is now 3.8x faster. - bpo-41877: A check is added against misspellings of autospect, auto_spec and set_spec being passed as arguments to patch, patch.object and create_autospec. ```Links
- PyPI: https://pypi.org/project/mock - Changelog: https://data.safetycli.com/changelogs/mock/ - Docs: http://mock.readthedocs.org/en/latest/Update Click from 7.1.2 to 8.1.7.
Changelog
### 8.1.7 ``` ------------- Released 2023-08-17 - Fix issue with regex flags in shell completion. :issue:`2581` - Bash version detection issues a warning instead of an error. :issue:`2574` - Fix issue with completion script for Fish shell. :issue:`2567` ``` ### 8.1.6 ``` ------------- Released 2023-07-18 - Fix an issue with type hints for ``click.group()``. :issue:`2558` ``` ### 8.1.5 ``` ------------- Released 2023-07-13 - Fix an issue with type hints for ``click.command()``, ``click.option()``, and other decorators. Introduce typing tests. :issue:`2558` ``` ### 8.1.4 ``` ------------- Released 2023-07-06 - Replace all ``typing.Dict`` occurrences to ``typing.MutableMapping`` for parameter hints. :issue:`2255` - Improve type hinting for decorators and give all generic types parameters. :issue:`2398` - Fix return value and type signature of `shell_completion.add_completion_class` function. :pr:`2421` - Bash version detection doesn't fail on Windows. :issue:`2461` - Completion works if there is a dot (``.``) in the program name. :issue:`2166` - Improve type annotations for pyright type checker. :issue:`2268` - Improve responsiveness of ``click.clear()``. :issue:`2284` - Improve command name detection when using Shiv or PEX. :issue:`2332` - Avoid showing empty lines if command help text is empty. :issue:`2368` - ZSH completion script works when loaded from ``fpath``. :issue:`2344`. - ``EOFError`` and ``KeyboardInterrupt`` tracebacks are not suppressed when ``standalone_mode`` is disabled. :issue:`2380` - ``group.command`` does not fail if the group was created with a custom ``command_class``. :issue:`2416` - ``multiple=True`` is allowed for flag options again and does not require setting ``default=()``. :issue:`2246, 2292, 2295` - Make the decorators returned by ``argument()`` and ``option()`` reusable when the ``cls`` parameter is used. :issue:`2294` - Don't fail when writing filenames to streams with strict errors. Replace invalid bytes with the replacement character (``�``). :issue:`2395` - Remove unnecessary attempt to detect MSYS2 environment. :issue:`2355` - Remove outdated and unnecessary detection of App Engine environment. :pr:`2554` - ``echo()`` does not fail when no streams are attached, such as with ``pythonw`` on Windows. :issue:`2415` - Argument with ``expose_value=False`` do not cause completion to fail. :issue:`2336` ``` ### 8.1.3 ``` ------------- Released 2022-04-28 - Use verbose form of ``typing.Callable`` for ``command`` and ``group``. :issue:`2255` - Show error when attempting to create an option with ``multiple=True, is_flag=True``. Use ``count`` instead. :issue:`2246` ``` ### 8.1.2 ``` ------------- Released 2022-03-31 - Fix error message for readable path check that was mixed up with the executable check. :pr:`2236` - Restore parameter order for ``Path``, placing the ``executable`` parameter at the end. It is recommended to use keyword arguments instead of positional arguments. :issue:`2235` ``` ### 8.1.1 ``` ------------- Released 2022-03-30 - Fix an issue with decorator typing that caused type checking to report that a command was not callable. :issue:`2227` ``` ### 8.1.0 ``` ------------- Released 2022-03-28 - Drop support for Python 3.6. :pr:`2129` - Remove previously deprecated code. :pr:`2130` - ``Group.resultcallback`` is renamed to ``result_callback``. - ``autocompletion`` parameter to ``Command`` is renamed to ``shell_complete``. - ``get_terminal_size`` is removed, use ``shutil.get_terminal_size`` instead. - ``get_os_args`` is removed, use ``sys.argv[1:]`` instead. - Rely on :pep:`538` and :pep:`540` to handle selecting UTF-8 encoding instead of ASCII. Click's locale encoding detection is removed. :issue:`2198` - Single options boolean flags with ``show_default=True`` only show the default if it is ``True``. :issue:`1971` - The ``command`` and ``group`` decorators can be applied with or without parentheses. :issue:`1359` - The ``Path`` type can check whether the target is executable. :issue:`1961` - ``Command.show_default`` overrides ``Context.show_default``, instead of the other way around. :issue:`1963` - Parameter decorators and ``group`` handles ``cls=None`` the same as not passing ``cls``. ``option`` handles ``help=None`` the same as not passing ``help``. :issue:`1959` - A flag option with ``required=True`` requires that the flag is passed instead of choosing the implicit default value. :issue:`1978` - Indentation in help text passed to ``Option`` and ``Command`` is cleaned the same as using the ``option`` and ``command`` decorators does. A command's ``epilog`` and ``short_help`` are also processed. :issue:`1985` - Store unprocessed ``Command.help``, ``epilog`` and ``short_help`` strings. Processing is only done when formatting help text for output. :issue:`2149` - Allow empty str input for ``prompt()`` when ``confir