Deprecate utils.format_string, use string.Template instead. 1756
Deprecate utils.bind_arguments and utils.validate_arguments, use Signature.bind and inspect.signature instead. 1757
Deprecate utils.HTMLBuilder. 1761
Deprecate utils.escape and utils.unescape, use MarkupSafe instead. 1758
Deprecate the undocumented python -m werkzeug.serving CLI. 1834
Deprecate the environ["werkzeug.server.shutdown"] function that is available when running the development server. 1752
Deprecate the useragents module and the built-in user agent parser. Use a dedicated parser library instead by subclassing user_agent.UserAgent and setting Request.user_agent_class. 2078
Remove the unused, internal posixemulation module. 1759
All datetime values are timezone-aware with tzinfo=timezone.utc. This applies to anything using http.parse_date: Request.date, .if_modified_since, .if_unmodified_since; Response.date, .expires, .last_modified, .retry_after; parse_if_range_header, and IfRange.date. When comparing values, the other values must also be aware, or these values must be made naive. When passing parameters or setting attributes, naive values are still assumed to be in UTC. 2040
Merge all request and response wrapper mixin code into single Request and Response classes. Using the mixin classes is no longer necessary and will show a deprecation warning. Checking isinstance or issubclass against BaseRequest and BaseResponse will show a deprecation warning and check against Request or Response instead. 1963
JSON support no longer uses simplejson if it's installed. To use another JSON module, override Request.json_module and Response.json_module. 1766
Response.get_json() no longer caches the result, and the cache parameter is removed. 1698
Response.freeze() generates an ETag header if one is not set. The no_etag parameter (which usually wasn't visible anyway) is no longer used. 1963
Add a url_scheme argument to ~routing.MapAdapter.build to override the bound scheme. 1721
Passing an empty list as a query string parameter to build() won't append an unnecessary ?. Also drop any number of None items in a list. 1992
When passing a Headers object to a test client method or EnvironBuilder, multiple values for a key are joined into one comma separated value. This matches the HTTP spec on multi-value headers. 1655
Setting Response.status and status_code uses identical parsing and error checking. 1658, 1728
MethodNotAllowed and RequestedRangeNotSatisfiable take a response kwarg, consistent with other HTTP errors. 1748
The response generated by ~exceptions.Unauthorized produces one WWW-Authenticate header per value in www_authenticate, rather than joining them into a single value, to improve interoperability with browsers and other clients. 1755
If parse_authorization_header can't decode the header value, it returns None instead of raising a UnicodeDecodeError. 1816
The debugger no longer uses jQuery. 1807
The test client includes the query string in REQUEST_URI and RAW_URI. 1781
Switch the parameter order of default_stream_factory to match the order used when calling it. 1085
Add send_file function to generate a response that serves a file. Adapted from Flask's implementation. 265, 1850
Add send_from_directory function to safely serve an untrusted path within a trusted directory. Adapted from Flask's implementation. 1880
send_file takes download_name, which is passed even if as_attachment=False by using Content-Disposition: inline. download_name replaces Flask's attachment_filename. 1869
send_file sets conditional=True and max_age=None by default. Cache-Control is set to no-cache if max_age is not set, otherwise public. This tells browsers to validate conditional requests instead of using a timed cache. max_age=None replaces Flask's cache_timeout=43200. 1882
send_file can be called with etag="string" to set a custom ETag instead of generating one. etag replaces Flask's add_etags. 1868
send_file sets the Content-Encoding header if an encoding is returned when guessing mimetype from download_name. 3896
Update the defaults used by generate_password_hash. Increase PBKDF2 iterations to 260000 from 150000. Increase salt length to 16 from 8. Use secrets module to generate salt. 1935
The reloader doesn't crash if sys.stdin is somehow None. 1915
Add arguments to delete_cookie to match set_cookie and the attributes modern browsers expect. 1889
utils.cookie_date is deprecated, use utils.http_date instead. The value for Set-Cookie expires is no longer "-" delimited. 2040
Use request.headers instead of request.environ to look up header attributes. 1808
The test Client request methods (client.get, etc.) always return an instance of TestResponse. In addition to the normal behavior of Response, this class provides request with the request that produced the response, and history to track intermediate responses when follow_redirects is used. 763, 1894
The test Client request methods takes an auth parameter to add an Authorization header. It can be an Authorization object or a (username, password) tuple for Basic auth. 1809
Calling response.close() on a response from the test Client will close the request input stream. This matches file behavior and can prevent a ResourceWarning in some cases. 1785
EnvironBuilder.from_environ decodes values encoded for WSGI, to avoid double encoding the new values. 1959
The default stat reloader will watch Python files under non-system/virtualenv sys.path entries, which should contain most user code. It will also watch all Python files under directories given in extra_files. 1945
The reloader ignores __pycache__ directories again. 1945
run_simple takes exclude_patterns a list of fnmatch patterns that will not be scanned by the reloader. 1333
Cookie names are no longer unquoted. This was against 6265 and potentially allowed setting __Secure prefixed cookies. 1965
Fix some word matches for user agent platform when the word can be a substring. 1923
The development server logs ignored SSL errors. 1967
... (truncated)
Commits
af160e0 Merge pull request #2111 from pallets/release-2.0.0
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Bumps werkzeug from 0.16.0 to 2.0.0.
Release notes
Sourced from werkzeug's releases.
... (truncated)
Changelog
Sourced from werkzeug's changelog.
... (truncated)
Commits
af160e0
Merge pull request #2111 from pallets/release-2.0.0c987e02
release version 2.0.0d6a0f17
update requirements13b8520
Merge pull request #2110 from pallets/pre-commit-ci-schedule264446f
update pre-commit monthlyd6f89ee
Merge pull request #2109 from pallets/more-typing2dfb6dc
enable more mypy checks30ce9ee
Merge pull request #2108 from pallets/pre-commit-ci-update-config6212134
[pre-commit.ci] pre-commit autoupdate4970558
Merge pull request #2107 from TrizlyBear/patch-1Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)