Scheduled monthly dependency update for February

[pyup-bot]

Update alabaster from 0.7.12 to 0.7.13.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

- PyPI: https://pypi.org/project/alabaster - Changelog: https://pyup.io/changelogs/alabaster/ - Docs: https://alabaster.readthedocs.io

Update babel from 2.6.0 to 2.11.0.

Changelog

### 2.11.0 ``` -------------- Upcoming deprecation ~~~~~~~~~~~~~~~~~~~~ * This version, Babel 2.11, is the last version of Babel to support Python 3.6. Babel 2.12 will require Python 3.7 or newer. Improvements ~~~~~~~~~~~~ * Support for hex escapes in JavaScript string literals :gh:`877` - Przemyslaw Wegrzyn * Add support for formatting decimals in compact form :gh:`909` - Jonah Lawrence * Adapt parse_date to handle ISO dates in ASCII format :gh:`842` - Eric L. * Use `ast` instead of `eval` for Python string extraction :gh:`915` - Aarni Koskela * This also enables extraction from static f-strings. F-strings with expressions are silently ignored (but won't raise an error as they used to). Infrastructure ~~~~~~~~~~~~~~ * Tests: Use regular asserts and ``pytest.raises()`` :gh:`875` – Aarni Koskela * Wheels are now built in GitHub Actions :gh:`888` – Aarni Koskela * Small improvements to the CLDR downloader script :gh:`894` – Aarni Koskela * Remove antiquated `__nonzero__` methods :gh:`896` - Nikita Sobolev * Remove superfluous `__unicode__` declarations :gh:`905` - Lukas Juhrich * Mark package compatible with Python 3.11 :gh:`913` - Aarni Koskela * Quiesce pytest warnings :gh:`916` - Aarni Koskela Bugfixes ~~~~~~~~ * Use email.Message for pofile header parsing instead of the deprecated ``cgi.parse_header`` function. :gh:`876` – Aarni Koskela * Remove determining time zone via systemsetup on macOS :gh:`914` - Aarni Koskela Documentation ~~~~~~~~~~~~~ * Update Python versions in documentation :gh:`898` - Raphael Nestler * Align BSD-3 license with OSI template :gh:`912` - Lukas Kahwe Smith ``` ### 2.10.3 ``` -------------- This is a bugfix release for Babel 2.10.2, which was mistakenly packaged with outdated locale data. Thanks to Michał Górny for pointing this out and Jun Omae for verifying. This and future Babel PyPI packages will be built by a more automated process, which should make problems like this less likely to occur. ``` ### 2.10.2 ``` -------------- This is a bugfix release for Babel 2.10.1. * Fallback count="other" format in format_currency() (:gh:`872`) - Jun Omae * Fix get_period_id() with ``dayPeriodRule`` across 0:00 (:gh:`871`) - Jun Omae * Add support for ``b`` and ``B`` period symbols in time format (:gh:`869`) - Jun Omae * chore(docs/typo): Fixes a minor typo in a function comment (:gh:`864`) - Frank Harrison ``` ### 2.10.1 ``` -------------- This is a bugfix release for Babel 2.10.0. * Messages: Fix ``distutils`` import. Regressed in :gh:`843`. (:gh:`852`) - Nehal J Wani * The wheel file is no longer marked as universal, since Babel only supports Python 3. ``` ### 2.10.0 ``` -------------- Upcoming deprecation ~~~~~~~~~~~~~~~~~~~~ * The ``get_next_timezone_transition()`` function is marked deprecated in this version and will be removed likely as soon as Babel 2.11. No replacement for this function is planned; based on discussion in :gh:`716`, it's likely the function is not used in any real code. (:gh:`852`) - Aarni Koskela, Paul Ganssle Improvements ~~~~~~~~~~~~ * CLDR: Upgrade to CLDR 41.0. (:gh:`853`) - Aarni Koskela * The ``c`` and ``e`` plural form operands introduced in CLDR 40 are parsed, but otherwise unsupported. (:gh:`826`) * Non-nominative forms of units are currently ignored. * Messages: Implement ``--init-missing`` option for ``pybabel update`` (:gh:`785`) - ruro * Messages: For ``extract``, you can now replace the built-in ``.*`` / ``_*`` ignored directory patterns with ones of your own. (:gh:`832`) - Aarni Koskela, Kinshuk Dua * Messages: Add ``--check`` to verify if catalogs are up-to-date (:gh:`831`) - Krzysztof Jagiełło * Messages: Add ``--header-comment`` to override default header comment (:gh:`720`) - Mohamed Hafez Morsy, Aarni Koskela * Dates: ``parse_time`` now supports 12-hour clock, and is better at parsing partial times. (:gh:`834`) - Aarni Koskela, David Bauer, Arthur Jovart * Dates: ``parse_date`` and ``parse_time`` now raise ``ParseError``, a subclass of ``ValueError``, in certain cases. (:gh:`834`) - Aarni Koskela * Dates: ``parse_date`` and ``parse_time`` now accept the ``format`` parameter. (:gh:`834`) - Juliette Monsel, Aarni Koskela Infrastructure ~~~~~~~~~~~~~~ * The internal ``babel/_compat.py`` module is no more (:gh:`808`) - Hugo van Kemenade * Python 3.10 is officially supported (:gh:`809`) - Hugo van Kemenade * There's now a friendly GitHub issue template. (:gh:`800`) – Álvaro Mondéjar Rubio * Don't use the deprecated format_number function internally or in tests - Aarni Koskela * Add GitHub URL for PyPi (:gh:`846`) - Andrii Oriekhov * Python 3.12 compatibility: Prefer setuptools imports to distutils imports (:gh:`843`) - Aarni Koskela * Python 3.11 compatibility: Add deprecations to l*gettext variants (:gh:`835`) - Aarni Koskela * CI: Babel is now tested with PyPy 3.7. (:gh:`851`) - Aarni Koskela Bugfixes ~~~~~~~~ * Date formatting: Allow using ``other`` as fallback form (:gh:`827`) - Aarni Koskela * Locales: ``Locale.parse()`` normalizes variant tags to upper case (:gh:`829`) - Aarni Koskela * A typo in the plural format for Maltese is fixed. (:gh:`796`) - Lukas Winkler * Messages: Catalog date parsing is now timezone independent. (:gh:`701`) - rachele-collin * Messages: Fix duplicate locations when writing without lineno (:gh:`837`) - Sigurd Ljødal * Messages: Fix missing trailing semicolon in plural form headers (:gh:`848`) - farhan5900 * CLI: Fix output of ``--list-locales`` to not be a bytes repr (:gh:`845`) - Morgan Wahl Documentation ~~~~~~~~~~~~~ * Documentation is now correctly built again, and up to date (:gh:`830`) - Aarni Koskela ``` ### 2.9.1 ``` ------------- Bugfixes ~~~~~~~~ * The internal locale-data loading functions now validate the name of the locale file to be loaded and only allow files within Babel's data directory. Thank you to Chris Lyne of Tenable, Inc. for discovering the issue! ``` ### 2.9.0 ``` ------------- Upcoming version support changes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * This version, Babel 2.9, is the last version of Babel to support Python 2.7, Python 3.4, and Python 3.5. Improvements ~~~~~~~~~~~~ * CLDR: Use CLDR 37 – Aarni Koskela (:gh:`734`) * Dates: Handle ZoneInfo objects in get_timezone_location, get_timezone_name - Alessio Bogon (:gh:`741`) * Numbers: Add group_separator feature in number formatting - Abdullah Javed Nesar (:gh:`726`) Bugfixes ~~~~~~~~ * Dates: Correct default Format().timedelta format to 'long' to mute deprecation warnings – Aarni Koskela * Import: Simplify iteration code in "import_cldr.py" – Felix Schwarz * Import: Stop using deprecated ElementTree methods "getchildren()" and "getiterator()" – Felix Schwarz * Messages: Fix unicode printing error on Python 2 without TTY. – Niklas Hambüchen * Messages: Introduce invariant that _invalid_pofile() takes unicode line. – Niklas Hambüchen * Tests: fix tests when using Python 3.9 – Felix Schwarz * Tests: Remove deprecated 'sudo: false' from Travis configuration – Jon Dufresne * Tests: Support Py.test 6.x – Aarni Koskela * Utilities: LazyProxy: Handle AttributeError in specified func – Nikiforov Konstantin (:gh:`724`) * Utilities: Replace usage of parser.suite with ast.parse – Miro Hrončok Documentation ~~~~~~~~~~~~~ * Update parse_number comments – Brad Martin (:gh:`708`) * Add __iter__ to Catalog documentation – CyanNani123 ``` ### 2.8.1 ``` ------------- This is solely a patch release to make running tests on Py.test 6+ possible. Bugfixes ~~~~~~~~ * Support Py.test 6 - Aarni Koskela (:gh:`747`, :gh:`750`, :gh:`752`) ``` ### 2.8.0 ``` ------------- Improvements ~~~~~~~~~~~~ * CLDR: Upgrade to CLDR 36.0 - Aarni Koskela (:gh:`679`) * Messages: Don't even open files with the "ignore" extraction method - sebleblanc (:gh:`678`) Bugfixes ~~~~~~~~ * Numbers: Fix formatting very small decimals when quantization is disabled - Lev Lybin, miluChen (:gh:`662`) * Messages: Attempt to sort all messages – Mario Frasca (:gh:`651`, :gh:`606`) Docs ~~~~ * Add years to changelog - Romuald Brunet * Note that installation requires pytz - Steve (Gadget) Barnes ``` ### 2.7.0 ``` ------------- Possibly incompatible changes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ These may be backward incompatible in some cases, as some more-or-less internal APIs have changed. Please feel free to file issues if you bump into anything strange and we'll try to help! * General: Internal uses of ``babel.util.odict`` have been replaced with ``collections.OrderedDict`` from The Python standard library. Improvements ~~~~~~~~~~~~ * CLDR: Upgrade to CLDR 35.1 - Alberto Mardegan, Aarni Koskela (:gh:`626`, :gh:`643`) * General: allow anchoring path patterns to the start of a string - Brian Cappello (:gh:`600`) * General: Bumped version requirement on pytz - chrisbrake (:gh:`592`) * Messages: `pybabel compile`: exit with code 1 if errors were encountered - Aarni Koskela (:gh:`647`) * Messages: Add omit-header to update_catalog - Cédric Krier (:gh:`633`) * Messages: Catalog update: keep user comments from destination by default - Aarni Koskela (:gh:`648`) * Messages: Skip empty message when writing mo file - Cédric Krier (:gh:`564`) * Messages: Small fixes to avoid crashes on badly formatted .po files - Bryn Truscott (:gh:`597`) * Numbers: `parse_decimal()` `strict` argument and `suggestions` - Charly C (:gh:`590`) * Numbers: don't repeat suggestions in parse_decimal strict - Serban Constantin (:gh:`599`) * Numbers: implement currency formatting with long display names - Luke Plant (:gh:`585`) * Numbers: parse_decimal(): assume spaces are equivalent to non-breaking spaces when not in strict mode - Aarni Koskela (:gh:`649`) * Performance: Cache locale_identifiers() - Aarni Koskela (:gh:`644`) Bugfixes ~~~~~~~~ * CLDR: Skip alt=... for week data (minDays, firstDay, weekendStart, weekendEnd) - Aarni Koskela (:gh:`634`) * Dates: Fix wrong weeknumber for 31.12.2018 - BT-sschmid (:gh:`621`) * Locale: Avoid KeyError trying to get data on WindowsXP - mondeja (:gh:`604`) * Locale: get_display_name(): Don't attempt to concatenate variant information to None - Aarni Koskela (:gh:`645`) * Messages: pofile: Add comparison operators to _NormalizedString - Aarni Koskela (:gh:`646`) * Messages: pofile: don't crash when message.locations can't be sorted - Aarni Koskela (:gh:`646`) Tooling & docs ~~~~~~~~~~~~~~ * Docs: Remove all references to deprecated easy_install - Jon Dufresne (:gh:`610`) * Docs: Switch print statement in docs to print function - NotAFile * Docs: Update all pypi.python.org URLs to pypi.org - Jon Dufresne (:gh:`587`) * Docs: Use https URLs throughout project where available - Jon Dufresne (:gh:`588`) * Support: Add testing and document support for Python 3.7 - Jon Dufresne (:gh:`611`) * Support: Test on Python 3.8-dev - Aarni Koskela (:gh:`642`) * Support: Using ABCs from collections instead of collections.abc is deprecated. - Julien Palard (:gh:`609`) * Tests: Fix conftest.py compatibility with pytest 4.3 - Miro Hrončok (:gh:`635`) * Tests: Update pytest and pytest-cov - Miro Hrončok (:gh:`635`) ```

Links

- PyPI: https://pypi.org/project/babel - Changelog: https://pyup.io/changelogs/babel/ - Homepage: https://babel.pocoo.org/ - Docs: https://pythonhosted.org/Babel/

Update certifi from 2018.11.29 to 2022.12.7.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

- PyPI: https://pypi.org/project/certifi - Repo: https://github.com/certifi/python-certifi

Update chardet from 3.0.4 to 5.1.0.

Changelog

### 5.1.0 ``` Features - Add `should_rename_legacy` argument to most functions, which will rename older encodings to their more modern equivalents (e.g., `GB2312` becomes `GB18030`) (264, dan-blanchard) - Add capital letter sharp S and ISO-8859-15 support (222, SimonWaldherr) - Add a prober for MacRoman encoding (5 updated as c292b52a97e57c95429ef559af36845019b88b33, Rob Speer and dan-blanchard ) - Add `--minimal` flag to `chardetect` command (214, dan-blanchard) - Add type annotations to the project and run mypy on CI (261, jdufresne) - Add support for Python 3.11 (274, hugovk) Fixes - Clarify LGPL version in License trove classifier (255, musicinmybrain) - Remove support for EOL Python 3.6 (260, jdufresne) - Remove unnecessary guards for non-falsey values (259, jdufresne) Misc changes - Switch to Python 3.10 release in GitHub actions (257, jdufresne) - Remove setup.py in favor of build package (262, jdufresne) - Run tests on macos, Windows, and 3.11-dev (267, dan-blanchard) ``` ### 5.0.0 ``` ⚠️ This release is the first release of chardet that no longer supports Python < 3.6 ⚠️ In addition to that change, it features the following user-facing changes: - Added a prober for Johab Korean (207, grizlupo) - Added a prober for UTF-16/32 BE/LE (109, 206, jpz) - Added test data for Croatian, Czech, Hungarian, Polish, Slovak, Slovene, Greek, and Turkish, which should help prevent future errors with those languages - Improved XML tag filtering, which should improve accuracy for XML files (208) - Tweaked `SingleByteCharSetProber` confidence to match latest uchardet (209) - Made `detect_all` return child prober confidences (210) - Updated examples in docs (223, domdfcoding) - Documentation fixes (212, 224, 225, 226, 220, 221, 244 from too many to mention) - Minor performance improvements (252, deedy5) - Add support for Python 3.10 when testing (232, jdufresne) - Lots of little development cycle improvements, mostly thanks to jdufresne ``` ### 4.0.0 ``` Benchmarking chardet 4.0.0 on CPython 3.7.5 (default, Sep 8 2020, 12:19:42) [Clang 11.0.3 (clang-1103.0.32.62)] -------------------------------------------------------------------------------- ....................................................................................................................................................................................................................................................................................................................................................................... Calls per second for each encoding: ```

Links

- PyPI: https://pypi.org/project/chardet - Changelog: https://pyup.io/changelogs/chardet/ - Repo: https://github.com/chardet/chardet

Update dj-database-url from 0.5.0 to 1.2.0.

Changelog

### 1.2.0 ``` * Add the ability to add test databases. * Improve url parsing and encoding. * Fix missing parameter conn_health_check in check function. ``` ### 1.1.0 ``` * Option for connection health checks parameter. * Update supported version python 3.11. * Code changes, various improvments. * Add project links to setup.py ``` ### 1.0.0 ``` Initial release of code now dj-database-urls is part of jazzband. * Add support for cockroachdb. * Add support for the offical MSSQL connector. * Update License to be compatible with Jazzband. * Remove support for Python < 3.5 including Python 2.7 * Update source code to Black format. * Update CI using pre-commit ```

Links

- PyPI: https://pypi.org/project/dj-database-url - Changelog: https://pyup.io/changelogs/dj-database-url/ - Repo: https://github.com/jazzband/dj-database-url

Update django from 2.1.4 to 4.1.6.

Changelog

### 4.1.5 ``` ========================== *January 2, 2023* Django 4.1.5 fixes a bug in 4.1.4. Also, the latest string translations from Transifex are incorporated. Bugfixes ======== * Fixed a long standing bug in the ``__len`` lookup for ``ArrayField`` that caused a crash of model validation on :attr:`Meta.constraints <django.db.models.Options.constraints>` (:ticket:`34205`). ========================== ``` ### 4.1.4 ``` ========================== *December 6, 2022* Django 4.1.4 fixes several bugs in 4.1.3. Bugfixes ======== * Fixed a regression in Django 4.1 that caused an unnecessary table rebuild when adding a ``ManyToManyField`` on SQLite (:ticket:`34138`). * Fixed a bug in Django 4.1 that caused a crash of the sitemap index view with an empty :meth:`Sitemap.items() <django.contrib.sitemaps.Sitemap.items>` and a callable :attr:`~django.contrib.sitemaps.Sitemap.lastmod` (:ticket:`34088`). * Fixed a bug in Django 4.1 that caused a crash using ``acreate()``, ``aget_or_create()``, and ``aupdate_or_create()`` asynchronous methods of related managers (:ticket:`34139`). * Fixed a bug in Django 4.1 that caused a crash of ``QuerySet.bulk_create()`` with ``"pk"`` in ``unique_fields`` (:ticket:`34177`). * Fixed a bug in Django 4.1 that caused a crash of ``QuerySet.bulk_create()`` on fields with ``db_column`` (:ticket:`34171`). ========================== ``` ### 4.1.3 ``` ========================== *November 1, 2022* Django 4.1.3 fixes a bug in 4.1.2 and adds compatibility with Python 3.11. Bugfixes ======== * Fixed a bug in Django 4.1 that caused non-Python files created by ``startproject`` and ``startapp`` management commands from custom templates to be incorrectly formatted using the ``black`` command (:ticket:`34085`). ========================== ``` ### 4.1.2 ``` ========================== *October 4, 2022* Django 4.1.2 fixes a security issue with severity "medium" and several bugs in 4.1.1. CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs =================================================================================== Internationalized URLs were subject to potential denial of service attack via the locale parameter. Bugfixes ======== * Fixed a regression in Django 4.1 that caused a migration crash on PostgreSQL when adding a model with ``ExclusionConstraint`` (:ticket:`33982`). * Fixed a regression in Django 4.1 that caused aggregation over a queryset that contained an ``Exists`` annotation to crash due to too many selected columns (:ticket:`33992`). * Fixed a bug in Django 4.1 that caused an incorrect validation of ``CheckConstraint`` on ``NULL`` values (:ticket:`33996`). * Fixed a regression in Django 4.1 that caused a ``QuerySet.values()/values_list()`` crash on ``ArrayAgg()`` and ``JSONBAgg()`` (:ticket:`34016`). * Fixed a bug in Django 4.1 that caused :attr:`.ModelAdmin.autocomplete_fields` to be incorrectly selected after adding/changing related instances via popups (:ticket:`34025`). * Fixed a regression in Django 4.1 where the app registry was not populated when running parallel tests with the ``multiprocessing`` start method ``spawn`` (:ticket:`34010`). * Fixed a regression in Django 4.1 where the ``--debug-mode`` argument to ``test`` did not work when running parallel tests with the ``multiprocessing`` start method ``spawn`` (:ticket:`34010`). * Fixed a regression in Django 4.1 that didn't alter a sequence type when altering type of pre-Django 4.1 serial columns on PostgreSQL (:ticket:`34058`). * Fixed a regression in Django 4.1 that caused a crash for :class:`View` subclasses with asynchronous handlers when handling non-allowed HTTP methods (:ticket:`34062`). * Reverted caching related managers for ``ForeignKey``, ``ManyToManyField``, and ``GenericRelation`` that caused the incorrect refreshing of related objects (:ticket:`33984`). * Relaxed the system check added in Django 4.1 for the same name used for multiple template tag modules to a warning (:ticket:`32987`). ========================== ``` ### 4.1.1 ``` ========================== *September 5, 2022* Django 4.1.1 fixes several bugs in 4.1. Bugfixes ======== * Reallowed, following a regression in Django 4.1, using ``GeoIP2()`` when GEOS is not installed (:ticket:`33886`). * Fixed a regression in Django 4.1 that caused a crash of admin's autocomplete widgets when translations are deactivated (:ticket:`33888`). * Fixed a regression in Django 4.1 that caused a crash of the ``test`` management command when running in parallel and ``multiprocessing`` start method is ``spawn`` (:ticket:`33891`). * Fixed a regression in Django 4.1 that caused an incorrect redirection to the admin changelist view when using *"Save and continue editing"* and *"Save and add another"* options (:ticket:`33893`). * Fixed a regression in Django 4.1 that caused a crash of :class:`~django.db.models.expressions.Window` expressions with :class:`~django.contrib.postgres.aggregates.ArrayAgg` (:ticket:`33898`). * Fixed a regression in Django 4.1 that caused a migration crash on SQLite 3.35.5+ when removing an indexed field (:ticket:`33899`). * Fixed a bug in Django 4.1 that caused a crash of model validation on ``UniqueConstraint()`` with field names in ``expressions`` (:ticket:`33902`). * Fixed a bug in Django 4.1 that caused an incorrect validation of ``CheckConstraint()`` with range fields on PostgreSQL (:ticket:`33905`). * Fixed a regression in Django 4.1 that caused an incorrect migration when adding ``AutoField``, ``BigAutoField``, or ``SmallAutoField`` on PostgreSQL (:ticket:`33919`). * Fixed a regression in Django 4.1 that caused a migration crash on PostgreSQL when altering ``AutoField``, ``BigAutoField``, or ``SmallAutoField`` to ``OneToOneField`` (:ticket:`33932`). * Fixed a migration crash on ``ManyToManyField`` fields with ``through`` referencing models in different apps (:ticket:`33938`). * Fixed a regression in Django 4.1 that caused an incorrect migration when renaming a model with ``ManyToManyField`` and ``db_table`` (:ticket:`33953`). * Reallowed, following a regression in Django 4.1, creating reverse foreign key managers on unsaved instances (:ticket:`33952`). * Fixed a regression in Django 4.1 that caused a migration crash on SQLite < 3.20 (:ticket:`33960`). * Fixed a regression in Django 4.1 that caused an admin crash when the :mod:`~django.contrib.admindocs` app was used (:ticket:`33955`, :ticket:`33971`). ======================== ``` ### 4.1 ``` ======================== *August 3, 2022* Welcome to Django 4.1! These release notes cover the :ref:`new features <whats-new-4.1>`, as well as some :ref:`backwards incompatible changes <backwards-incompatible-4.1>` you'll want to be aware of when upgrading from Django 4.0 or earlier. We've :ref:`begun the deprecation process for some features <deprecated-features-4.1>`. See the :doc:`/howto/upgrade-version` guide if you're updating an existing project. Python compatibility ==================== Django 4.1 supports Python 3.8, 3.9, 3.10, and 3.11 (as of 4.1.3). We **highly recommend** and only officially support the latest release of each series. .. _whats-new-4.1: What's new in Django 4.1 ======================== Asynchronous handlers for class-based views ------------------------------------------- View subclasses may now define async HTTP method handlers:: import asyncio from django.http import HttpResponse from django.views import View class AsyncView(View): async def get(self, request, *args, **kwargs): Perform view logic using await. await asyncio.sleep(1) return HttpResponse("Hello async world!") See :ref:`async-class-based-views` for more details. Asynchronous ORM interface -------------------------- ``QuerySet`` now provides an asynchronous interface for all data access operations. These are named as-per the existing synchronous operations but with an ``a`` prefix, for example ``acreate()``, ``aget()``, and so on. The new interface allows you to write asynchronous code without needing to wrap ORM operations in ``sync_to_async()``:: async for author in Author.objects.filter(name__startswith="A"): book = await author.books.afirst() Note that, at this stage, the underlying database operations remain synchronous, with contributions ongoing to push asynchronous support down into the SQL compiler, and integrate asynchronous database drivers. The new asynchronous queryset interface currently encapsulates the necessary ``sync_to_async()`` operations for you, and will allow your code to take advantage of developments in the ORM's asynchronous support as it evolves. See :ref:`async-queries` for details and limitations. Validation of Constraints ------------------------- :class:`Check <django.db.models.CheckConstraint>`, :class:`unique <django.db.models.UniqueConstraint>`, and :class:`exclusion <django.contrib.postgres.constraints.ExclusionConstraint>` constraints defined in the :attr:`Meta.constraints <django.db.models.Options.constraints>` option are now checked during :ref:`model validation <validating-objects>`. Form rendering accessibility ---------------------------- In order to aid users with screen readers, and other assistive technology, new ``<div>`` based form templates are available from this release. These provide more accessible navigation than the older templates, and are able to correctly group related controls, such as radio-lists, into fieldsets. The new templates are recommended, and will become the default form rendering style when outputting a form, like ``{{ form }}`` in a template, from Django 5.0. In order to ease adopting the new output style, the default form and formset templates are now configurable at the project level via the :setting:`FORM_RENDERER` setting. See :ref:`the Forms section (below)<forms-4.1>` for full details. .. _csrf-cookie-masked-usage: ``CSRF_COOKIE_MASKED`` setting ------------------------------ The new :setting:`CSRF_COOKIE_MASKED` transitional setting allows specifying whether to mask the CSRF cookie. :class:`~django.middleware.csrf.CsrfViewMiddleware` no longer masks the CSRF cookie like it does the CSRF token in the DOM. If you are upgrading multiple instances of the same project to Django 4.1, you should set :setting:`CSRF_COOKIE_MASKED` to ``True`` during the transition, in order to allow compatibility with the older versions of Django. Once the transition to 4.1 is complete you can stop overriding :setting:`CSRF_COOKIE_MASKED`. This setting is deprecated as of this release and will be removed in Django 5.0. Minor features -------------- :mod:`django.contrib.admin` ~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The admin :ref:`dark mode CSS variables <admin-theming>` are now applied in a separate stylesheet and template block. * :ref:`modeladmin-list-filters` providing custom ``FieldListFilter`` subclasses can now control the query string value separator when filtering for multiple values using the ``__in`` lookup. * The admin :meth:`history view <django.contrib.admin.ModelAdmin.history_view>` is now paginated. * Related widget wrappers now have a link to object's change form. * The :meth:`.AdminSite.get_app_list` method now allows changing the order of apps and models on the admin index page. :mod:`django.contrib.auth` ~~~~~~~~~~~~~~~~~~~~~~~~~~ * The default iteration count for the PBKDF2 password hasher is increased from 320,000 to 390,000. * The :meth:`.RemoteUserBackend.configure_user` method now allows synchronizing user attributes with attributes in a remote system such as an LDAP directory. :mod:`django.contrib.gis` ~~~~~~~~~~~~~~~~~~~~~~~~~ * The new :meth:`.GEOSGeometry.make_valid()` method allows converting invalid geometries to valid ones. * The new ``clone`` argument for :meth:`.GEOSGeometry.normalize` allows creating a normalized clone of the geometry. :mod:`django.contrib.postgres` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The new :class:`BitXor() <django.contrib.postgres.aggregates.BitXor>` aggregate function returns an ``int`` of the bitwise ``XOR`` of all non-null input values. * :class:`~django.contrib.postgres.indexes.SpGistIndex` now supports covering indexes on PostgreSQL 14+. * :class:`~django.contrib.postgres.constraints.ExclusionConstraint` now supports covering exclusion constraints using SP-GiST indexes on PostgreSQL 14+. * The new ``default_bounds`` attribute of :attr:`DateTimeRangeField <django.contrib.postgres.fields.DateTimeRangeField.default_bounds>` and :attr:`DecimalRangeField <django.contrib.postgres.fields.DecimalRangeField.default_bounds>` allows specifying bounds for list and tuple inputs. * :class:`~django.contrib.postgres.constraints.ExclusionConstraint` now allows specifying operator classes with the :class:`OpClass() <django.contrib.postgres.indexes.OpClass>` expression. :mod:`django.contrib.sitemaps` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The default sitemap index template ``<sitemapindex>`` now includes the ``<lastmod>`` timestamp where available, through the new :meth:`~django.contrib.sitemaps.Sitemap.get_latest_lastmod` method. Custom sitemap index templates should be updated for the adjusted :ref:`context variables <sitemap-index-context-variables>`. :mod:`django.contrib.staticfiles` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * :class:`~django.contrib.staticfiles.storage.ManifestStaticFilesStorage` now replaces paths to CSS source map references with their hashed counterparts. Database backends ~~~~~~~~~~~~~~~~~ * Third-party database backends can now specify the minimum required version of the database using the ``DatabaseFeatures.minimum_database_version`` attribute which is a tuple (e.g. ``(10, 0)`` means "10.0"). If a minimum version is specified, backends must also implement ``DatabaseWrapper.get_database_version()``, which returns a tuple of the current database version. The backend's ``DatabaseWrapper.init_connection_state()`` method must call ``super()`` in order for the check to run. .. _forms-4.1: Forms ~~~~~ * The default template used to render forms when cast to a string, e.g. in templates as ``{{ form }}``, is now configurable at the project-level by setting :attr:`~django.forms.renderers.BaseRenderer.form_template_name` on the class provided for :setting:`FORM_RENDERER`. :attr:`.Form.template_name` is now a property deferring to the renderer, but may be overridden with a string value to specify the template name per-form class. Similarly, the default template used to render formsets can be specified via the matching :attr:`~django.forms.renderers.BaseRenderer.formset_template_name` renderer attribute. * The new ``div.html`` form template, referencing :attr:`.Form.template_name_div` attribute, and matching :meth:`.Form.as_div` method, render forms using HTML ``<div>`` elements. This new output style is recommended over the existing :meth:`~.Form.as_table`, :meth:`~.Form.as_p` and :meth:`~.Form.as_ul` styles, as the template implements ``<fieldset>`` and ``<legend>`` to group related inputs and is easier for screen reader users to navigate. The div-based output will become the default rendering style from Django 5.0. * In order to smooth adoption of the new ``<div>`` output style, two transitional form renderer classes are available: :class:`django.forms.renderers.DjangoDivFormRenderer` and :class:`django.forms.renderers.Jinja2DivFormRenderer`, for the Django and Jinja2 template backends respectively. You can apply one of these via the :setting:`FORM_RENDERER` setting. For example:: FORM_RENDERER = "django.forms.renderers.DjangoDivFormRenderer" Once the ``<div>`` output style is the default, from Django 5.0, these transitional renderers will be deprecated, for removal in Django 6.0. The ``FORM_RENDERER`` declaration can be removed at that time. * If the new ``<div>`` output style is not appropriate for your project, you should define a renderer subclass specifying :attr:`~django.forms.renderers.BaseRenderer.form_template_name` and :attr:`~django.forms.renderers.BaseRenderer.formset_template_name` for your required style, and set :setting:`FORM_RENDERER` accordingly. For example, for the ``<p>`` output style used by :meth:`~.Form.as_p`, you would define a form renderer setting ``form_template_name`` to ``"django/forms/p.html"`` and ``formset_template_name`` to ``"django/forms/formsets/p.html"``. * The new :meth:`~django.forms.BoundField.legend_tag` allows rendering field labels in ``<legend>`` tags via the new ``tag`` argument of :meth:`~django.forms.BoundField.label_tag`. * The new ``edit_only`` argument for :func:`.modelformset_factory` and :func:`.inlineformset_factory` allows preventing new objects creation. * The ``js`` and ``css`` class attributes of :doc:`Media </topics/forms/media>` now allow using hashable objects, not only path strings, as long as those objects implement the ``__html__()`` method (typically when decorated with the :func:`~django.utils.html.html_safe` decorator). * The new :attr:`.BoundField.use_fieldset` and :attr:`.Widget.use_fieldset` attributes help to identify widgets where its inputs should be grouped in a ``<fieldset>`` with a ``<legend>``. * The :ref:`formsets-error-messages` argument for :class:`~django.forms.formsets.BaseFormSet` now allows customizing error messages for invalid number of forms by passing ``'too_few_forms'`` and ``'too_many_forms'`` keys. * :class:`~django.forms.IntegerField`, :class:`~django.forms.FloatField`, and :class:`~django.forms.DecimalField` now optionally accept a ``step_size`` argument. This is used to set the ``step`` HTML attribute, and is validated on form submission. Internationalization ~~~~~~~~~~~~~~~~~~~~ * The :func:`~django.conf.urls.i18n.i18n_patterns` function now supports languages with both scripts and regions. Management Commands ~~~~~~~~~~~~~~~~~~~ * :option:`makemigrations --no-input` now logs default answers and reasons why migrations cannot be created. * The new :option:`makemigrations --scriptable` option diverts log output and input prompts to ``stderr``, writing only paths of generated migration files to ``stdout``. * The new :option:`migrate --prune` option allows deleting nonexistent migrations from the ``django_migrations`` table. * Python files created by :djadmin:`startproject`, :djadmin:`startapp`, :djadmin:`optimizemigration`, :djadmin:`makemigrations`, and :djadmin:`squashmigrations` are now formatted using the ``black`` command if it is present on your ``PATH``. * The new :djadmin:`optimizemigration` command allows optimizing operations for a migration. Migrations ~~~~~~~~~~ * The new :class:`~django.db.migrations.operations.RenameIndex` operation allows renaming indexes defined in the :attr:`Meta.indexes <django.db.models.Options.indexes>` or :attr:`~django.db.models.Options.index_together` options. * The migrations autodetector now generates :class:`~django.db.migrations.operations.RenameIndex` operations instead of ``RemoveIndex`` and ``AddIndex``, when renaming indexes defined in the :attr:`Meta.indexes <django.db.models.Options.indexes>`. * The migrations autodetector now generates :class:`~django.db.migrations.operations.RenameIndex` operations instead of ``AlterIndexTogether`` and ``AddIndex``, when moving indexes defined in the :attr:`Meta.index_together <django.db.models.Options.index_together>` to the :attr:`Meta.indexes <django.db.models.Options.indexes>`. Models ~~~~~~ * The ``order_by`` argument of the :class:`~django.db.models.expressions.Window` expression now accepts string references to fields and transforms. * The new :setting:`CONN_HEALTH_CHECKS` setting allows enabling health checks for :ref:`persistent database connections <persistent-database-connections>` in order to reduce the number of failed requests, e.g. after database server restart. * :meth:`.QuerySet.bulk_create` now supports updating fields when a row insertion fails uniqueness constraints. This is supported on MariaDB, MySQL, PostgreSQL, and SQLite 3.24+. * :meth:`.QuerySet.iterator` now supports prefetching related objects as long as the ``chunk_size`` argument is provided. In older versions, no prefetching was done. * :class:`~django.db.models.Q` objects and querysets can now be combined using ``^`` as the exclusive or (``XOR``) operator. ``XOR`` is natively supported on MariaDB and MySQL. For databases that do not support ``XOR``, the query will be converted to an equivalent using ``AND``, ``OR``, and ``NOT``. * The new :ref:`Field.non_db_attrs <custom-field-non_db_attrs>` attribute allows customizing attributes of fields that don't affect a column definition. * On PostgreSQL, ``AutoField``, ``BigAutoField``, and ``SmallAutoField`` are now created as identity columns rather than serial columns with sequences. Requests and Responses ~~~~~~~~~~~~~~~~~~~~~~ * :meth:`.HttpResponse.set_cookie` now supports :class:`~datetime.timedelta` objects for the ``max_age`` argument. Security ~~~~~~~~ * The new :setting:`SECRET_KEY_FALLBACKS` setting allows providing a list of values for secret key rotation. * The :setting:`SECURE_PROXY_SSL_HEADER` setting now supports a comma-separated list of protocols in the header value. Signals ~~~~~~~ * The :data:`~django.db.models.signals.pre_delete` and :data:`~django.db.models.signals.post_delete` signals now dispatch the ``origin`` of the deletion. .. _templates-4.1: Templates ~~~~~~~~~ * The HTML ``<script>`` element ``id`` attribute is no longer required when wrapping the :tfilter:`json_script` template filter. * The :class:`cached template loader <django.template.loaders.cached.Loader>` is now enabled in development, when :setting:`DEBUG` is ``True``, and :setting:`OPTIONS['loaders'] <TEMPLATES-OPTIONS>` isn't specified. You may specify ``OPTIONS['loaders']`` to override this, if necessary. Tests ~~~~~ * The :class:`.DiscoverRunner` now supports running tests in parallel on macOS, Windows, and any other systems where the default :mod:`multiprocessing` start method is ``spawn``. * A nested atomic block marked as durable in :class:`django.test.TestCase` now raises a ``RuntimeError``, the same as outside of tests. * :meth:`.SimpleTestCase.assertFormError` and :meth:`assertFormsetError() <django.test.SimpleTestCase.assertFormSetError>` now support passing a form/formset object directly. URLs ~~~~ * The new :attr:`.ResolverMatch.captured_kwargs` attribute stores the captured keyword arguments, as parsed from the URL. * The new :attr:`.ResolverMatch.extra_kwargs` attribute stores the additional keyword arguments passed to the view function. Utilities ~~~~~~~~~ * ``SimpleLazyObject`` now supports addition operations. * :func:`~django.utils.safestring.mark_safe` now preserves lazy objects. Validators ~~~~~~~~~~ * The new :class:`~django.core.validators.StepValueValidator` checks if a value is an integral multiple of a given step size. This new validator is used for the new ``step_size`` argument added to form fields representing numeric values. .. _backwards-incompatible-4.1: Backwards incompatible changes in 4.1 ===================================== Database backend API -------------------- This section describes changes that may be needed in third-party database backends. * ``BaseDatabaseFeatures.has_case_insensitive_like`` is changed from ``True`` to ``False`` to reflect the behavior of most databases. * ``DatabaseIntrospection.get_key_columns()`` is removed. Use ``DatabaseIntrospection.get_relations()`` instead. * ``DatabaseOperations.ignore_conflicts_suffix_sql()`` method is replaced by ``DatabaseOperations.on_conflict_suffix_sql()`` that accepts the ``fields``, ``on_conflict``, ``update_fields``, and ``unique_fields`` arguments. * The ``ignore_conflicts`` argument of the ``DatabaseOperations.insert_statement()`` method is replaced by ``on_conflict`` that accepts ``django.db.models.constants.OnConflict``. * ``DatabaseOperations._convert_field_to_tz()`` is replaced by ``DatabaseOperations._convert_sql_to_tz()`` that accepts the ``sql``, ``params``, and ``tzname`` arguments. * Several date and time methods on ``DatabaseOperations`` now take ``sql`` and ``params`` arguments instead of ``field_name`` and return 2-tuple containing some SQL and the parameters to be interpolated into that SQL. The changed methods have these new signatures: * ``DatabaseOperations.date_extract_sql(lookup_type, sql, params)`` * ``DatabaseOperations.datetime_extract_sql(lookup_type, sql, params, tzname)`` * ``DatabaseOperations.time_extract_sql(lookup_type, sql, params)`` * ``DatabaseOperations.date_trunc_sql(lookup_type, sql, params, tzname=None)`` * ``DatabaseOperations.datetime_trunc_sql(self, lookup_type, sql, params, tzname)`` * ``DatabaseOperations.time_trunc_sql(lookup_type, sql, params, tzname=None)`` * ``DatabaseOperations.datetime_cast_date_sql(sql, params, tzname)`` * ``DatabaseOperations.datetime_cast_time_sql(sql, params, tzname)`` :mod:`django.contrib.gis` ------------------------- * Support for GDAL 2.1 is removed. * Support for PostGIS 2.4 is removed. Dropped support for PostgreSQL 10 --------------------------------- Upstream support for PostgreSQL 10 ends in November 2022. Django 4.1 supports PostgreSQL 11 and higher. Dropped support for MariaDB 10.2 -------------------------------- Upstream support for MariaDB 10.2 ends in May 2022. Django 4.1 supports MariaDB 10.3 and higher. Admin changelist searches spanning multi-valued relationships changes --------------------------------------------------------------------- Admin changelist searches using multiple search terms are now applied in a single call to ``filter()``, rather than in sequential ``filter()`` calls. For multi-valued relationships, this means that rows from the related model must match all terms rather than any term. For example, if ``search_fields`` is set to ``['child__name', 'child__age']``, and a user searches for ``'Jamal 17'``, parent rows will be returned only if there is a relationship to some 17-year-old child named Jamal, rather than also returning parents who merely have a younger or older child named Jamal in addition to some other 17-year-old. See the :ref:`spanning-multi-valued-relationships` topic for more discussion of this difference. In Django 4.0 and earlier, :meth:`~django.contrib.admin.ModelAdmin.get_search_results` followed the second example query, but this undocumented behavior led to queries with excessive joins. Reverse foreign key changes for unsaved model instances ------------------------------------------------------- In order to unify the behavior with many-to-many relations for unsaved model instances, a reverse foreign key now raises ``ValueError`` when calling :class:`related managers <django.db.models.fields.related.RelatedManager>` for unsaved objects. Miscellaneous ------------- * Related managers for :class:`~django.db.models.ForeignKey`, :class:`~django.db.models.ManyToManyField`, and :class:`~django.contrib.contenttypes.fields.GenericRelation` are now cached on the :class:`~django.db.models.Model` instance to which they belong. *This change was reverted in Django 4.1.2.* * The Django test runner now returns a non-zero error code for unexpected successes from tests marked with :py:func:`unittest.expectedFailure`. * :class:`~django.middleware.csrf.CsrfViewMiddleware` no longer masks the CSRF cookie like it does the CSRF token in the DOM. * :class:`~django.middleware.csrf.CsrfViewMiddleware` now uses ``request.META['CSRF_COOKIE']`` for storing the unmasked CSRF secret rather than a masked version. This is an undocumented, private API. * The :attr:`.ModelAdmin.actions` and :attr:`~django.contrib.admin.ModelAdmin.inlines` attributes now default to an empty tuple rather than an empty list to discourage unintended mutation. * The ``type="text/css"`` attribute is no longer included in ``<link>`` tags for CSS :doc:`form media </topics/forms/media>`. * ``formset:added`` and ``formset:removed`` JavaScript events are now pure JavaScript events and don't depend on jQuery. See :ref:`admin-javascript-inline-form-events` for more details on the change. * The ``exc_info`` argument of the undocumented ``django.utils.log.log_response()`` function is replaced by ``exception``. * The ``size`` argument of the undocumented ``django.views.static.was_modified_since()`` function is removed. * The admin log out UI now uses ``POST`` requests. * The undocumented ``InlineAdminFormSet.non_form_errors`` property is replaced by the ``non_form_errors()`` method. This is consistent with ``BaseFormSet``. * As per :ref:`above<templates-4.1>`, the cached template loader is now enabled in development. You may specify ``OPTIONS['loaders']`` to override this, if necessary. * The undocumented ``django.contrib.auth.views.SuccessURLAllowedHostsMixin`` mixin is replaced by ``RedirectURLMixin``. * :class:`~django.db.models.BaseConstraint` subclasses must implement :meth:`~django.db.models.BaseConstraint.validate` method to allow those constraints to be used for validation. * The undocumented ``URLResolver._is_callback()``, ``URLResolver._callback_strs``, and ``URLPattern.lookup_str()`` are moved to ``django.contrib.admindocs.utils``. * The :meth:`.Model.full_clean` method now converts an ``exclude`` value to a ``set``. It’s also preferable to pass an ``exclude`` value as a ``set`` to the :meth:`.Model.clean_fields`, :meth:`.Model.full_clean`, :meth:`.Model.validate_unique`, and :meth:`.Model.validate_constraints` methods. * The minimum supported version of ``asgiref`` is increased from 3.4.1 to 3.5.2. * Combined expressions no longer use the error-prone behavior of guessing ``output_field`` when argument types match. As a consequence, resolving an ``output_field`` for database functions and combined expressions may now crash with mixed types. You will need to explicitly set the ``output_field`` in such cases. .. _deprecated-features-4.1: Features deprecated in 4.1 ========================== Log out via GET --------------- Logging out via ``GET`` requests to the :py:class:`built-in logout view <django.contrib.auth.views.LogoutView>` is deprecated. Use ``POST`` requests instead. If you want to retain the user experience of an HTML link, you can use a form that is styled to appear as a link: .. code-block:: html <form id="logout-form" method="post" action="{% url 'admin:logout' %}"> {% csrf_token %} <button type="submit">{% translate "Log out" %}</button> </form> .. code-block:: css logout-form { display: inline; } logout-form button { background: none; border: none; cursor: pointer; padding: 0; text-decoration: underline; } Miscellaneous ------------- * The context for sitemap index templates of a flat list of URLs is deprecated. Custom sitemap index templates should be updated for the adjusted :ref:`context variables <sitemap-index-context-variables>`, expecting a list of objects with ``location`` and optional ``lastmod`` attributes. * ``CSRF_COOKIE_MASKED`` transitional setting is deprecated. * The ``name`` argument of :func:`django.utils.functional.cached_property` is deprecated as it's unnecessary as of Python 3.6. * The ``opclasses`` argument of ``django.contrib.postgres.constraints.ExclusionConstraint`` is deprecated in favor of using :class:`OpClass() <django.contrib.postgres.indexes.OpClass>` in :attr:`.ExclusionConstraint.expressions`. To use it, you need to add ``'django.contrib.postgres'`` in your :setting:`INSTALLED_APPS`. After making this change, :djadmin:`makemigrations` will generate a new migration with two operations: ``RemoveConstraint`` and ``AddConstraint``. Since this change has no effect on the database schema, the :class:`~django.db.migrations.operations.SeparateDatabaseAndState` operation can be used to only update the migration state without running any SQL. Move the generated operations into the ``state_operations`` argument of :class:`~django.db.migrations.operations.SeparateDatabaseAndState`. For example:: class Migration(migrations.Migration): ... operations = [ migrations.SeparateDatabaseAndState( database_operations=[], state_operations=[ migrations.RemoveConstraint( ... ), migrations.AddConstraint( ... ), ], ), ] * The undocumented ability to pass ``errors=None`` to :meth:`.SimpleTestCase.assertFormError` and :meth:`assertFormsetError() <django.test.SimpleTestCase.assertFormSetError>` is deprecated. Use ``errors=[]`` instead. * ``django.contrib.sessions.serializers.PickleSerializer`` is deprecated due to the risk of remote code execution. * The usage of ``QuerySet.iterator()`` on a queryset that prefetches related objects without providing the ``chunk_size`` argument is deprecated. In older versions, no prefetching was done. Providing a value for ``chunk_size`` signifies that the additional query per chunk needed to prefetch is desired. * Passing unsaved model instances to related filters is deprecated. In Django 5.0, the exception will be raised. * ``created=True`` is added to the signature of :meth:`.RemoteUserBackend.configure_user`. Support for ``RemoteUserBackend`` subclasses that do not accept this argument is deprecated. * The :data:`django.utils.timezone.utc` alias to :attr:`datetime.timezone.utc` is deprecated. Use :attr:`datetime.timezone.utc` directly. * Passing a response object and a form/formset name to ``SimpleTestCase.assertFormError()`` and ``assertFormsetError()`` is deprecated. Use:: assertFormError(response.context['form_name'], …) assertFormsetError(response.context['formset_name'], …) or pass the form/formset object directly instead. * The undocumented ``django.contrib.gis.admin.OpenLayersWidget`` is deprecated. * ``django.contrib.auth.hashers.CryptPasswordHasher`` is deprecated. * The ability to pass ``nulls_first=False`` or ``nulls_last=False`` to ``Expression.asc()`` and ``Expression.desc()`` methods, and the ``OrderBy`` expression is deprecated. Use ``None`` instead. * The ``"django/forms/default.html"`` and ``"django/forms/formsets/default.html"`` templates which are a proxy to the table-based templates are deprecated. Use the specific template instead. * The undocumented ``LogoutView.get_next_page()`` method is renamed to ``get_success_url()``. Features removed in 4.1 ======================= These features have reached the end of their deprecation cycle and are removed in Django 4.1. See :ref:`deprecated-features-3.2` for details on these changes, including how to remove usage of these features. * Support for assigning objects which don't support creating deep copies with ``copy.deepcopy()`` to class attributes in ``TestCase.setUpTestData()`` is removed. * Support for using a boolean value in :attr:`.BaseCommand.requires_system_checks` is removed. * The ``whitelist`` argument and ``domain_whitelist`` attribute of ``django.core.validators.EmailValidator`` are removed. * The ``default_app_config`` application configuration variable is removed. * ``TransactionTestCase.assertQuerysetEqual()`` no longer calls ``repr()`` on a queryset when compared to string values. * The ``django.core.cache.backends.memcached.MemcachedCache`` backend is removed. * Support for the pre-Django 3.2 format of messages used by ``django.contrib.messages.storage.cookie.CookieStorage`` is removed. ========================== ``` ### 4.0.8 ``` ========================== *October 4, 2022* Django 4.0.8 fixes a security issue with severity "medium" in 4.0.7. CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs =================================================================================== Internationalized URLs were subject to potential denial of service attack via the locale parameter. ========================== ``` ### 4.0.7 ``` ========================== *August 3, 2022* Django 4.0.7 fixes a security issue with severity "high" in 4.0.6. CVE-2022-36359: Potential reflected file download vulnerability in ``FileResponse`` =================================================================================== An application may have been vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a :class:`~django.http.FileResponse` when the ``filename`` was derived from user-supplied input. The ``filename`` is now escaped to avoid this possibility. ========================== ``` ### 4.0.6 ``` ========================== *July 4, 2022* Django 4.0.6 fixes a security issue with severity "high" in 4.0.5. CVE-2022-34265: Potential SQL injection via ``Trunc(kind)`` and ``Extract(lookup_name)`` arguments ================================================================================================== :class:`Trunc() <django.db.models.functions.Trunc>` and :class:`Extract() <django.db.models.functions.Extract>` database functions were subject to SQL injection if untrusted data was used as a ``kind``/``lookup_name`` value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected. ========================== ``` ### 4.0.5 ``` ========================== *June 1, 2022* Django 4.0.5 fixes several bugs in 4.0.4. Bugfixes ======== * Fixed a bug in Django 4.0 where not all :setting:`OPTIONS <CACHES-OPTIONS>` were passed to a Redis client (:ticket:`33681`). * Fixed a bug in Django 4.0 that caused a crash of ``QuerySet.filter()`` on ``IsNull()`` expressions (:ticket:`33705`). * Fixed a bug in Django 4.0 where a hidden quick filter toolbar in the admin's navigation sidebar was focusable (:ticket:`33725`). ========================== ``` ### 4.0.4 ``` ========================== *April 11, 2022* Django 4.0.4 fixes two security issues with severity "high" and two bugs in 4.0.3. CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()`` ==================================================================================================== :meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the ``**kwargs`` passed to these methods. CVE-2022-28347: Potential SQL injection via ``QuerySet.explain(**options)`` on PostgreSQL ========================================================================================= :meth:`.QuerySet.explain` method was subject to SQL injection in option names, using a suitably crafted dictionary, with dictionary expansion, as the ``**options`` argument. Bugfixes ======== * Fixed a regression in Django 4.0 that caused ignoring multiple ``FilteredRelation()`` relationships to the same field (:ticket:`33598`). * Fixed a regression in Django 3.2.4 that caused the auto-reloader to no longer detect changes when the ``DIRS`` option of the ``TEMPLATES`` setting contained an empty string (:ticket:`33628`). ========================== ``` ### 4.0.3 ``` ========================== *March 1, 2022* Django 4.0.3 fixes several bugs in 4.0.2. Also, all Python code in Django is reformatted with `black`_. .. _black: https://pypi.org/project/black/ Bugfixes ======== * Prevented, following a regression in Django 4.0.1, :djadmin:`makemigrations` from generating infinite migrations for a model with ``ManyToManyField`` to a lowercased swappable model such as ``'auth.user'`` (:ticket:`33515`). * Fixed a regression in Django 4.0 that caused a crash when rendering invalid inlines with :attr:`~django.contrib.admin.ModelAdmin.readonly_fields` in the admin (:ticket:`33547`). ========================== ``` ### 4.0.2 ``` ========================== *February 1, 2022* Django 4.0.2 fixes two security issues with severity "medium" and several bugs in 4.0.1. Also, the latest string translations from Transifex are incorporated, with a special mention for Bulgarian (fully translated). CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag ============================================================= The ``{% debug %}`` template tag didn't properly encode the current context, posing an XSS attack vector. In order to avoid this vulnerability, ``{% debug %}`` no longer outputs information when the ``DEBUG`` setting is ``False``, and it ensures all context variables are correctly escaped when the ``DEBUG`` setting is ``True``. CVE-2022-23833: Denial-of-service possibility in file uploads ============================================================= Passing certain inputs to multipart forms could result in an infinite loop when parsing files. Bugfixes ======== * Fixed a bug in Django 4.0 where ``TestCase.captureOnCommitCallbacks()`` could execute callbacks multiple times (:ticket:`33410`). * Fixed a regression in Django 4.0 where ``help_text`` was HTML-escaped in automatically-generated forms (:ticket:`33419`). * Fixed a regression in Django 4.0 that caused displaying an incorrect name for class-based views on the technical 404 debug page (:ticket:`33425`). * Fixed a regression in Django 4.0 that caused an incorrect ``repr`` of ``ResolverMatch`` for class-based views (:ticket:`33426`). * Fixed a regression in Django 4.0 that caused a crash of ``makemigrations`` on models without ``Meta.order_with_respect_to`` but with a field named ``_order`` (:ticket:`33449`). * Fixed a regression in Django 4.0 that caused incorrect :attr:`.ModelAdmin.radio_fields` layout in the admin (:ticket:`33407`). * Fixed a duplicate operation regression in Django 4.0 that caused a migration crash when altering a primary key type for a concrete parent model referenced by a foreign key (:ticket:`33462`). * Fixed a bug in Django 4.0 that caused a crash of ``QuerySet.aggregate()`` after ``annotate()`` on an aggregate function with a :ref:`default <aggregate-default>` (:ticket:`33468`). * Fixed a regression in Django 4.0 that caused a crash of ``makemigrations`` when renaming a field of a renamed model (:ticket:`33480`). ========================== ``` ### 4.0.1 ``` ========================== *January 4, 2022* Django 4.0.1 fixes one security issue with severity "medium", two security issues with severity "low", and several bugs in 4.0. CVE-2021-45115: Denial-of-service possibility in ``UserAttributeSimilarityValidator`` ===================================================================================== :class:`.UserAttributeSimilarityValidator` incurred significant overhead evaluating submitted password that were artificially large in relative to the comparison values. On the assumption that access to user registration was unrestricted this provided a potential vector for a denial-of-service attack. In order to mitigate this issue, relatively long values are now ignored by ``UserAttributeSimilarityValidator``. This issue has severity "medium" according to the :ref:`Django security policy <security-disclosure>`. CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter ================================================================================ Due to leveraging the Django Template Language's variable resolution logic, the :tfilter:`dictsort` template filter was potentially vulnerable to information disclosure or unintended method calls, if passed a suitably crafted key. In order to avoid this possibility, ``dictsort`` now works with a restricted resolution logic, that will not call methods, nor allow indexing on dictionaries. As a reminder, all untrusted user input should be validated before use. This issue has severity "low" according to the :ref:`Django security policy <security-disclosure>`. CVE-2021-45452: Potential directory-traversal via ``Storage.save()`` ==================================================================== ``Storage.save()`` allowed directory-traversal if directly passed suitably crafted file names. This issue has severity "low" according to the :ref:`Django security policy <security-disclosure>`. Bugfixes ======== * Fixed a regression in Django 4.0 that caused a crash of ``assertFormsetError()`` on a formset named ``form`` (:ticket:`33346`). * Fixed a bug in Django 4.0 that caused a crash on booleans with the ``RedisCache`` backend (:ticket:`33361`). * Relaxed the check added in Django 4.0 to reallow use of a duck-typed ``HttpRequest`` in ``django.views.decorators.cache.cache_control()`` and ``never_cache()`` decorators (:ticket:`33350`). * Fixed a regression in Django 4.0 that caused creating bogus migrations for models that reference swappable models such as ``auth.User`` (:ticket:`33366`). * Fixed a long standing bug in :ref:`geos-geometry-collections` and :class:`~django.contrib.gis.geos.Polygon` that caused a crash on some platforms (reported on macOS based on the ``ARM64`` architecture) (:ticket:`32600`). ======================== ``` ### 4.0 ``` ======================== *December 7, 2021* Welcome to Django 4.0! These release notes cover the :ref:`new features <whats-new-4.0>`, as well as some :ref:`backwards incompatible changes <backwards-incompatible-4.0>` you'll want to be aware of when upgrading from Django 3.2 or earlier. We've :ref:`begun the deprecation process for some features <deprecated-features-4.0>`. See the :doc:`/howto/upgrade-version` guide if you're updating an existing project. Python compatibility ==================== Django 4.0 supports Python 3.8, 3.9, and 3.10. We **highly recommend** and only officially support the latest release of each series. The Django 3.2.x series is the last to support Python 3.6 and 3.7. .. _whats-new-4.0: What's new in Django 4.0 ======================== ``zoneinfo`` default timezone implementation -------------------------------------------- The Python standard library's :mod:`zoneinfo` is now the default timezone implementation in Django. This is the next step in the migration from using ``pytz`` to using :mod:`zoneinfo`. Django 3.2 allowed the use of non-``pytz`` time zones. Django 4.0 makes ``zoneinfo`` the default implementation. Support for ``pytz`` is now deprecated and will be removed in Django 5.0. :mod:`zoneinfo` is part of the Python standard library from Python 3.9. The ``backports.zoneinfo`` package is automatically installed alongside Django if you are using Python 3.8. The move to ``zoneinfo`` should be largely transparent. Selection of the current timezone, conversion of datetime instances to the current timezone in forms and templates, as well as operations on aware datetimes in UTC are unaffected. However, if you are working with non-UTC time zones, and us

[pyup-bot]

Closing this in favor of #74