samdobson / monzo-coffee

Intelligent transaction tagging for data-loving Monzonauts

Scheduled monthly dependency update for November #78

Closed pyup-bot closed 1 month ago

pyup-bot commented 10 months ago

Update alabaster from 0.7.12 to 0.7.13.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

- PyPI: https://pypi.org/project/alabaster
- Changelog: https://data.safetycli.com/changelogs/alabaster/
- Docs: https://alabaster.readthedocs.io

Update argh from 0.26.2 to 0.30.3.

Changelog

### 0.30.3

```
---------------------------

Bugs fixed:

- Regression: a positional argument with an underscore used in `arg` decorator would cause Argh fail on the assembling stage. (208)
```

### 0.30.2

```
---------------------------

Bugs fixed:

- As reported in 204 and 206, the new default name mapping policy in fact silently changed the CLI API of some scripts: arguments which were previously translated as CLI options became optional positionals. Although the instructions were supplied in the release notes, the upgrade may not necessarily be intentional, so a waste of users' time is quite likely.

  To alleviate this, the default value for `name_mapping_policy` in standard functions has been changed to `None`; if it's not specified, Argh falls back to the new default policy, but raises `ArgumentNameMappingError` with detailed instructions if it sees a non-kwonly argument with a default value.

  Please specify the policy explicitly in order to avoid this error if you need to infer optional positionals (``nargs="?"``) from function signature.
```

### 0.30.1

```
---------------------------

Bugs fixed:

- Regression: certain special values in argument default value would cause an exception (204)

Enhancements:

- Improved the tutorial.
- Added a more informative error message when the reason is likely to be related to the migration from Argh v0.29 to a version with a new argument name mapping policy.

Other changes:

- Added `py.typed` marker file for :pep:`561`.
```

### 0.30.0

```
---------------------------

Backwards incompatible changes:

- A new policy for mapping function arguments to CLI arguments is used by default (see :class:`argh.assembling.NameMappingPolicy`).

  The following function does **not** map to ``func foo [--bar]`` anymore::

      def func(foo, bar=None):
          ...

  Since this release it maps to ``func foo [bar]`` instead. Please update the function this way to keep `bar` an "option"::

      def func(foo, *, bar=None):
          ...

  If you cannot modify the function signature to use kwonly args for options, please consider explicitly specifying the legacy name mapping policy::

      set_default_command(
          func, name_mapping_policy=NameMappingPolicy.BY_NAME_IF_HAS_DEFAULT
      )

- The name mapping policy `BY_NAME_IF_HAS_DEFAULT` slightly deviates from the old behaviour. Kwonly arguments without default values used to be marked as required options (``--foo FOO``), now they are treated as positionals (``foo``). Please consider the new default policy (`BY_NAME_IF_KWONLY`) for a better treatment of kwonly.

- Removed previously deprecated features (184 → 188):

  - argument help string in annotations — reserved for type hints;
  - `argh.SUPPORTS_ALIASES`;
  - `argh.safe_input()`;
  - previously renamed arguments for `add_commands()`: `namespace`, `namespace_kwargs`, `title`, `description`, `help`;
  - `pre_call` argument in `dispatch()`. The basic usage remains simple but more granular functions are now available for more control.

    Instead of this::

        argh.dispatch(..., pre_call=pre_call_hook)

    please use this::

        func, ns = argh.parse_and_resolve(...)
        pre_call_hook(ns)
        argh.run_endpoint_function(func, ns, ...)

Deprecated:

- The `expects_obj` decorator. Rationale: it used to support the old, "un-pythonic" style of usage, which essentially lies outside the scope of Argh. If you are not using the mapping of function arguments onto CLI, then you aren't reducing the amount of code compared to vanilla Argparse.

- The `add_help_command` argument in `dispatch()`. Rationale: it doesn't add much to user experience; it's not much harder to type ``--help`` than it is to type ``help``; moreover, the option can be added anywhere, unlike its positional counterpart.

Enhancements:

- Added support for Python 3.12.
- Added type annotations to existing Argh code (185 → 189).
- The `dispatch()` function has been refactored, so in case you need finer control over the process, two new, more granular functions can be used:

  - `endpoint_function, namespace = argh.parse_and_resolve(...)`
  - `argh.run_endpoint_function(endpoint_function, namespace, ...)`

  Please note that the names may change in the upcoming versions.

- Configurable name mapping policy has been introduced for function argument to CLI argument translation (191 → 199):

  - `BY_NAME_IF_KWONLY` (default and recommended).
  - `BY_NAME_IF_HAS_DEFAULT` (close to pre-v.0.30 behaviour);

  Please check API docs on :class:`argh.assembling.NameMappingPolicy` for details.
```

### 0.29.4

```
---------------------------

Bugs fixed:

- Test coverage reported as <100% when argcomplete is installed (187)
```

### 0.29.3

```
------------------------------

Technical releases for packaging purposes. No changes in functionality.
```

### 0.29.0

```
---------------------------

Backwards incompatible changes:

- Wrapped exceptions now cause ``dispatching.dispatch()`` to raise ``SystemExit(1)`` instead of returning without error. For most users, this means failed commands will now exit with a failure status instead of a success. (161)

Deprecated:

- Renamed arguments in `add_commands()` (165):

  - `namespace` → `group_name`
  - `namespace_kwargs` → `group_kwargs`

  The old names are deprecated and will be removed in v.0.30.

Enhancements:

- Can control exit status (see Backwards Incompatible Changes above) when raising ``CommandError`` using the ``code`` keyword arg.

Bugs fixed:

- Positional arguments should not lead to removal of short form of keyword arguments. (115)

Other changes:

- Avoid depending on iocapture by using pytest's built-in feature (177)
```

### 0.28.1

```
---------------------------

- Fixed bugs in tests (171, 172)
```

### 0.28.0

```
---------------------------

A major cleanup.

Backward incompatible changes:

- Dropped support for Python 2.7 and 3.7.

Deprecated features, to be removed in v.0.30:

- `argh.assembling.SUPPORTS_ALIASES`.

  - Always `True` for recent versions of Python.

- `argh.io.safe_input()` AKA `argh.interaction.safe_input()`.

  - Not relevant anymore. Please use the built-in `input()` instead.

- argument `pre_call` in `dispatch()`. Even though this hack seems to have been used in some projects, it was never part of the official API and never recommended.

  Describing your use case in the `discussion about shared arguments`_ can help improve the library to accomodate it in a proper way.

  .. _discussion about shared arguments: https://github.com/neithere/argh/issues/63

- Argument help as annotations.

  - Annotations will only be used for types after v.0.30.
  - Please replace any instance of::

        def func(foo: "Foobar"):

    with the following::

        arg('-f', '--foo', help="Foobar")
        def func(foo):

  It will be decided later how to keep this functionality "DRY" (don't repeat yourself) without conflicts with modern conventions and tools.

- Added deprecation warnings for some arguments deprecated back in v.0.26.
```

### 0.27.2

```
---------------------------

Minor packaging fix:

* chore: include file required by tox.ini in the sdist (155)
```

### 0.27.1

```
---------------------------

Minor building and packaging fixes:

* docs: add Read the Docs config (160)
* chore: include tox.ini in the sdist (155)
```

### 0.27.0

```
---------------------------

This is the last version to support Python 2.7.

Backward incompatible changes:

- Dropped support for Python 2.6.

Enhancements:

- Added support for Python 3.7 through 3.11.
- Support introspection of function signature behind the `wraps` decorator (issue 111).

Fixed bugs:

- When command function signature contained ``**kwargs`` *and* positionals without defaults and with underscores in their names, a weird behaviour could be observed (issue 104).
- Fixed introspection through decorators (issue 111).
- Switched to Python's built-in `unittest.mock` (PR 154).
- Fixed bug with `skip_unknown_args=True` (PR 134).
- Fixed tests for Python 3.9.7+ (issue 148).

Other changes:

- Included the license files in manifest (PR 112).
- Extended the list of similar projects (PR 87).
- Fixed typos and links in documentation (PR 110, 116, 156).
- Switched CI to Github Actions (PR 153).
```
Links

- PyPI: https://pypi.org/project/argh
- Changelog: https://data.safetycli.com/changelogs/argh/
- Docs: https://pythonhosted.org/argh/

Update babel from 2.6.0 to 2.13.1.

Changelog

### 2.13.1

```
--------------

This is a patch release to fix a few bugs.

Fixes
~~~~~

* Fix a typo in ``_locales_to_names`` by Dl84 in :gh:`1038` (issue :gh:`1037`)
* Fix ``setuptools`` dependency for Python 3.12 by opryprin in :gh:`1033`
```

### 2.13.0

```
--------------

Upcoming deprecation
~~~~~~~~~~~~~~~~~~~~

* This version, Babel 2.13, is the last version of Babel to support Python 3.7. Babel 2.14 will require Python 3.8 or newer.

Features
~~~~~~~~

* Add flag to ignore POT-Creation-Date for updates by joeportela in :gh:`999`
* Support 't' specifier in keywords by jeanas in :gh:`1015`
* Add f-string parsing for Python 3.12 (PEP 701) by encukou in :gh:`1027`

Fixes
~~~~~

* Various typing-related fixes by akx in :gh:`979`, in :gh:`978`, :gh:`981`, :gh:`983`
* babel.messages.catalog: deduplicate _to_fuzzy_match_key logic by akx in :gh:`980`
* Freeze format_time() tests to a specific date to fix test failures by mgorny in :gh:`998`
* Spelling and grammar fixes by scop in :gh:`1008`
* Renovate lint tools by akx in :gh:`1017`, :gh:`1028`
* Use SPDX license identifier by vargenau in :gh:`994`
* Use aware UTC datetimes internally by scop in :gh:`1009`

New Contributors
~~~~~~~~~~~~~~~~

* mgorny made their first contribution in :gh:`998`
* vargenau made their first contribution in :gh:`994`
* joeportela made their first contribution in :gh:`999`
* encukou made their first contribution in :gh:`1027`
```

### 2.12.1

```
--------------

Fixes
~~~~~

* Version 2.12.0 was missing the ``py.typed`` marker file. Thanks to Alex Waygood for the fix! :gh:`975`
* The copyright year in all files was bumped to 2023.
```

### 2.12.0

```
--------------

Deprecations & breaking changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Python 3.6 is no longer supported (:gh:`919`) - Aarni Koskela
* The `get_next_timezone_transition` function is no more (:gh:`958`) - Aarni Koskela
* `Locale.parse()` will no longer return `None`; it will always return a Locale or raise an exception. Passing in `None`, though technically allowed by the typing, will raise. (:gh:`966`)

New features
~~~~~~~~~~~~

* CLDR: Babel now uses CLDR 42 (:gh:`951`) - Aarni Koskela
* Dates: `pytz` is now optional; Babel will prefer it but will use `zoneinfo` when available. (:gh:`940`) - ds-cbo
* General: Babel now ships type annotations, thanks to Jonah Lawrence's work in multiple PRs.
* Locales: modifiers are now retained when parsing locales (:gh:`947`) - martin f. krafft
* Messages: JavaScript template string expression extraction is now smarter. (:gh:`939`) - Johannes Wilm
* Numbers: NaN and Infinity are now better supported (:gh:`955`) - Jonah Lawrence
* Numbers: Short compact currency formats are now supported (:gh:`926`) - Jonah Lawrence
* Numbers: There's now a `Format.compact_decimal` utility function. (:gh:`921`) - Jonah Lawrence

Bugfixes
~~~~~~~~

* Dates: The cache for parsed datetime patterns is now bounded (:gh:`967`) - Aarni Koskela
* Messages: Fuzzy candidate matching accuracy is improved (:gh:`970`) - Jean Abou Samra
* Numbers: Compact singular formats and patterns with no numbers work correctly (:gh:`930`, :gh:`932`) - Jonah Lawrence, Jun Omae

Improvements & cleanup
~~~~~~~~~~~~~~~~~~~~~~

* Dates: `babel.dates.UTC` is now an alias for `datetime.timezone.utc` (:gh:`957`) - Aarni Koskela
* Dates: `babel.localtime` was slightly cleaned up. (:gh:`952`) - Aarni Koskela
* Documentation: Documentation was improved by Maciej Olko, Jonah Lawrence, lilinjie, and Aarni Koskela.
* Infrastructure: Babel is now being linted with pre-commit and ruff. - Aarni Koskela
```

### 2.11.0

```
--------------

Upcoming deprecation
~~~~~~~~~~~~~~~~~~~~

* This version, Babel 2.11, is the last version of Babel to support Python 3.6. Babel 2.12 will require Python 3.7 or newer.

Improvements
~~~~~~~~~~~~

* Support for hex escapes in JavaScript string literals :gh:`877` - Przemyslaw Wegrzyn
* Add support for formatting decimals in compact form :gh:`909` - Jonah Lawrence
* Adapt parse_date to handle ISO dates in ASCII format :gh:`842` - Eric L.
* Use `ast` instead of `eval` for Python string extraction :gh:`915` - Aarni Koskela
    * This also enables extraction from static f-strings. F-strings with expressions are silently ignored (but won't raise an error as they used to).

Infrastructure
~~~~~~~~~~~~~~

* Tests: Use regular asserts and ``pytest.raises()`` :gh:`875` – Aarni Koskela
* Wheels are now built in GitHub Actions :gh:`888` – Aarni Koskela
* Small improvements to the CLDR downloader script :gh:`894` – Aarni Koskela
* Remove antiquated `__nonzero__` methods :gh:`896` - Nikita Sobolev
* Remove superfluous `__unicode__` declarations :gh:`905` - Lukas Juhrich
* Mark package compatible with Python 3.11 :gh:`913` - Aarni Koskela
* Quiesce pytest warnings :gh:`916` - Aarni Koskela

Bugfixes
~~~~~~~~

* Use email.Message for pofile header parsing instead of the deprecated ``cgi.parse_header`` function. :gh:`876` – Aarni Koskela
* Remove determining time zone via systemsetup on macOS :gh:`914` - Aarni Koskela

Documentation
~~~~~~~~~~~~~

* Update Python versions in documentation :gh:`898` - Raphael Nestler
* Align BSD-3 license with OSI template :gh:`912` - Lukas Kahwe Smith
```

### 2.10.3

```
--------------

This is a bugfix release for Babel 2.10.2, which was mistakenly packaged with outdated locale data.

Thanks to Michał Górny for pointing this out and Jun Omae for verifying.

This and future Babel PyPI packages will be built by a more automated process, which should make problems like this less likely to occur.
```

### 2.10.2

```
--------------

This is a bugfix release for Babel 2.10.1.

* Fallback count="other" format in format_currency() (:gh:`872`) - Jun Omae
* Fix get_period_id() with ``dayPeriodRule`` across 0:00 (:gh:`871`) - Jun Omae
* Add support for ``b`` and ``B`` period symbols in time format (:gh:`869`) - Jun Omae
* chore(docs/typo): Fixes a minor typo in a function comment (:gh:`864`) - Frank Harrison
```

### 2.10.1

```
--------------

This is a bugfix release for Babel 2.10.0.

* Messages: Fix ``distutils`` import. Regressed in :gh:`843`. (:gh:`852`) - Nehal J Wani
* The wheel file is no longer marked as universal, since Babel only supports Python 3.
```

### 2.10.0

```
--------------

Upcoming deprecation
~~~~~~~~~~~~~~~~~~~~

* The ``get_next_timezone_transition()`` function is marked deprecated in this version and will be removed likely as soon as Babel 2.11. No replacement for this function is planned; based on discussion in :gh:`716`, it's likely the function is not used in any real code. (:gh:`852`) - Aarni Koskela, Paul Ganssle

Improvements
~~~~~~~~~~~~

* CLDR: Upgrade to CLDR 41.0. (:gh:`853`) - Aarni Koskela
    * The ``c`` and ``e`` plural form operands introduced in CLDR 40 are parsed, but otherwise unsupported. (:gh:`826`)
    * Non-nominative forms of units are currently ignored.
* Messages: Implement ``--init-missing`` option for ``pybabel update`` (:gh:`785`) - ruro
* Messages: For ``extract``, you can now replace the built-in ``.*`` / ``_*`` ignored directory patterns with ones of your own. (:gh:`832`) - Aarni Koskela, Kinshuk Dua
* Messages: Add ``--check`` to verify if catalogs are up-to-date (:gh:`831`) - Krzysztof Jagiełło
* Messages: Add ``--header-comment`` to override default header comment (:gh:`720`) - Mohamed Hafez Morsy, Aarni Koskela
* Dates: ``parse_time`` now supports 12-hour clock, and is better at parsing partial times. (:gh:`834`) - Aarni Koskela, David Bauer, Arthur Jovart
* Dates: ``parse_date`` and ``parse_time`` now raise ``ParseError``, a subclass of ``ValueError``, in certain cases. (:gh:`834`) - Aarni Koskela
* Dates: ``parse_date`` and ``parse_time`` now accept the ``format`` parameter. (:gh:`834`) - Juliette Monsel, Aarni Koskela

Infrastructure
~~~~~~~~~~~~~~

* The internal ``babel/_compat.py`` module is no more (:gh:`808`) - Hugo van Kemenade
* Python 3.10 is officially supported (:gh:`809`) - Hugo van Kemenade
* There's now a friendly GitHub issue template. (:gh:`800`) – Álvaro Mondéjar Rubio
* Don't use the deprecated format_number function internally or in tests - Aarni Koskela
* Add GitHub URL for PyPi (:gh:`846`) - Andrii Oriekhov
* Python 3.12 compatibility: Prefer setuptools imports to distutils imports (:gh:`843`) - Aarni Koskela
* Python 3.11 compatibility: Add deprecations to l*gettext variants (:gh:`835`) - Aarni Koskela
* CI: Babel is now tested with PyPy 3.7. (:gh:`851`) - Aarni Koskela

Bugfixes
~~~~~~~~

* Date formatting: Allow using ``other`` as fallback form (:gh:`827`) - Aarni Koskela
* Locales: ``Locale.parse()`` normalizes variant tags to upper case (:gh:`829`) - Aarni Koskela
* A typo in the plural format for Maltese is fixed. (:gh:`796`) - Lukas Winkler
* Messages: Catalog date parsing is now timezone independent. (:gh:`701`) - rachele-collin
* Messages: Fix duplicate locations when writing without lineno (:gh:`837`) - Sigurd Ljødal
* Messages: Fix missing trailing semicolon in plural form headers (:gh:`848`) - farhan5900
* CLI: Fix output of ``--list-locales`` to not be a bytes repr (:gh:`845`) - Morgan Wahl

Documentation
~~~~~~~~~~~~~

* Documentation is now correctly built again, and up to date (:gh:`830`) - Aarni Koskela
```

### 2.9.1

```
-------------

Bugfixes
~~~~~~~~

* The internal locale-data loading functions now validate the name of the locale file to be loaded and only allow files within Babel's data directory. Thank you to Chris Lyne of Tenable, Inc. for discovering the issue!
```

### 2.9.0

```
-------------

Upcoming version support changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* This version, Babel 2.9, is the last version of Babel to support Python 2.7, Python 3.4, and Python 3.5.

Improvements
~~~~~~~~~~~~

* CLDR: Use CLDR 37 – Aarni Koskela (:gh:`734`)
* Dates: Handle ZoneInfo objects in get_timezone_location, get_timezone_name - Alessio Bogon (:gh:`741`)
* Numbers: Add group_separator feature in number formatting - Abdullah Javed Nesar (:gh:`726`)

Bugfixes
~~~~~~~~

* Dates: Correct default Format().timedelta format to 'long' to mute deprecation warnings – Aarni Koskela
* Import: Simplify iteration code in "import_cldr.py" – Felix Schwarz
* Import: Stop using deprecated ElementTree methods "getchildren()" and "getiterator()" – Felix Schwarz
* Messages: Fix unicode printing error on Python 2 without TTY. – Niklas Hambüchen
* Messages: Introduce invariant that _invalid_pofile() takes unicode line. – Niklas Hambüchen
* Tests: fix tests when using Python 3.9 – Felix Schwarz
* Tests: Remove deprecated 'sudo: false' from Travis configuration – Jon Dufresne
* Tests: Support Py.test 6.x – Aarni Koskela
* Utilities: LazyProxy: Handle AttributeError in specified func – Nikiforov Konstantin (:gh:`724`)
* Utilities: Replace usage of parser.suite with ast.parse – Miro Hrončok

Documentation
~~~~~~~~~~~~~

* Update parse_number comments – Brad Martin (:gh:`708`)
* Add __iter__ to Catalog documentation – CyanNani123
```

### 2.8.1

```
-------------

This is solely a patch release to make running tests on Py.test 6+ possible.

Bugfixes
~~~~~~~~

* Support Py.test 6 - Aarni Koskela (:gh:`747`, :gh:`750`, :gh:`752`)
```

### 2.8.0

```
-------------

Improvements
~~~~~~~~~~~~

* CLDR: Upgrade to CLDR 36.0 - Aarni Koskela (:gh:`679`)
* Messages: Don't even open files with the "ignore" extraction method - sebleblanc (:gh:`678`)

Bugfixes
~~~~~~~~

* Numbers: Fix formatting very small decimals when quantization is disabled - Lev Lybin, miluChen (:gh:`662`)
* Messages: Attempt to sort all messages – Mario Frasca (:gh:`651`, :gh:`606`)

Docs
~~~~

* Add years to changelog - Romuald Brunet
* Note that installation requires pytz - Steve (Gadget) Barnes
```

### 2.7.0

```
-------------

Possibly incompatible changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

These may be backward incompatible in some cases, as some more-or-less internal APIs have changed. Please feel free to file issues if you bump into anything strange and we'll try to help!

* General: Internal uses of ``babel.util.odict`` have been replaced with ``collections.OrderedDict`` from The Python standard library.

Improvements
~~~~~~~~~~~~

* CLDR: Upgrade to CLDR 35.1 - Alberto Mardegan, Aarni Koskela (:gh:`626`, :gh:`643`)
* General: allow anchoring path patterns to the start of a string - Brian Cappello (:gh:`600`)
* General: Bumped version requirement on pytz - chrisbrake (:gh:`592`)
* Messages: `pybabel compile`: exit with code 1 if errors were encountered - Aarni Koskela (:gh:`647`)
* Messages: Add omit-header to update_catalog - Cédric Krier (:gh:`633`)
* Messages: Catalog update: keep user comments from destination by default - Aarni Koskela (:gh:`648`)
* Messages: Skip empty message when writing mo file - Cédric Krier (:gh:`564`)
* Messages: Small fixes to avoid crashes on badly formatted .po files - Bryn Truscott (:gh:`597`)
* Numbers: `parse_decimal()` `strict` argument and `suggestions` - Charly C (:gh:`590`)
* Numbers: don't repeat suggestions in parse_decimal strict - Serban Constantin (:gh:`599`)
* Numbers: implement currency formatting with long display names - Luke Plant (:gh:`585`)
* Numbers: parse_decimal(): assume spaces are equivalent to non-breaking spaces when not in strict mode - Aarni Koskela (:gh:`649`)
* Performance: Cache locale_identifiers() - Aarni Koskela (:gh:`644`)

Bugfixes
~~~~~~~~

* CLDR: Skip alt=... for week data (minDays, firstDay, weekendStart, weekendEnd) - Aarni Koskela (:gh:`634`)
* Dates: Fix wrong weeknumber for 31.12.2018 - BT-sschmid (:gh:`621`)
* Locale: Avoid KeyError trying to get data on WindowsXP - mondeja (:gh:`604`)
* Locale: get_display_name(): Don't attempt to concatenate variant information to None - Aarni Koskela (:gh:`645`)
* Messages: pofile: Add comparison operators to _NormalizedString - Aarni Koskela (:gh:`646`)
* Messages: pofile: don't crash when message.locations can't be sorted - Aarni Koskela (:gh:`646`)

Tooling & docs
~~~~~~~~~~~~~~

* Docs: Remove all references to deprecated easy_install - Jon Dufresne (:gh:`610`)
* Docs: Switch print statement in docs to print function - NotAFile
* Docs: Update all pypi.python.org URLs to pypi.org - Jon Dufresne (:gh:`587`)
* Docs: Use https URLs throughout project where available - Jon Dufresne (:gh:`588`)
* Support: Add testing and document support for Python 3.7 - Jon Dufresne (:gh:`611`)
* Support: Test on Python 3.8-dev - Aarni Koskela (:gh:`642`)
* Support: Using ABCs from collections instead of collections.abc is deprecated. - Julien Palard (:gh:`609`)
* Tests: Fix conftest.py compatibility with pytest 4.3 - Miro Hrončok (:gh:`635`)
* Tests: Update pytest and pytest-cov - Miro Hrončok (:gh:`635`)
```
Links

- PyPI: https://pypi.org/project/babel
- Changelog: https://data.safetycli.com/changelogs/babel/
- Homepage: https://babel.pocoo.org/
- Docs: https://pythonhosted.org/Babel/

Update certifi from 2018.11.29 to 2023.7.22.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

- PyPI: https://pypi.org/project/certifi
- Repo: https://github.com/certifi/python-certifi

Update chardet from 3.0.4 to 5.2.0.

Changelog

### 5.2.0

```
Adds support for running chardet CLI via `python -m chardet` (0e9b7bc20366163efcc221281201baff4100fe19, dan-blanchard)
```

### 5.1.0

```
Features

- Add `should_rename_legacy` argument to most functions, which will rename older encodings to their more modern equivalents (e.g., `GB2312` becomes `GB18030`) (264, dan-blanchard)
- Add capital letter sharp S and ISO-8859-15 support (222, SimonWaldherr)
- Add a prober for MacRoman encoding (5 updated as c292b52a97e57c95429ef559af36845019b88b33, Rob Speer and dan-blanchard )
- Add `--minimal` flag to `chardetect` command (214, dan-blanchard)
- Add type annotations to the project and run mypy on CI (261, jdufresne)
- Add support for Python 3.11 (274, hugovk)

Fixes

- Clarify LGPL version in License trove classifier (255, musicinmybrain)
- Remove support for EOL Python 3.6 (260, jdufresne)
- Remove unnecessary guards for non-falsey values (259, jdufresne)

Misc changes

- Switch to Python 3.10 release in GitHub actions (257, jdufresne)
- Remove setup.py in favor of build package (262, jdufresne)
- Run tests on macos, Windows, and 3.11-dev (267, dan-blanchard)
```

### 5.0.0

```
⚠️ This release is the first release of chardet that no longer supports Python < 3.6 ⚠️

In addition to that change, it features the following user-facing changes:

- Added a prober for Johab Korean (207, grizlupo)
- Added a prober for UTF-16/32 BE/LE (109, 206, jpz)
- Added test data for Croatian, Czech, Hungarian, Polish, Slovak, Slovene, Greek, and Turkish, which should help prevent future errors with those languages
- Improved XML tag filtering, which should improve accuracy for XML files (208)
- Tweaked `SingleByteCharSetProber` confidence to match latest uchardet (209)
- Made `detect_all` return child prober confidences (210)
- Updated examples in docs (223, domdfcoding)
- Documentation fixes (212, 224, 225, 226, 220, 221, 244 from too many to mention)
- Minor performance improvements (252, deedy5)
- Add support for Python 3.10 when testing (232, jdufresne)
- Lots of little development cycle improvements, mostly thanks to jdufresne
```

### 4.0.0

```
Benchmarking chardet 4.0.0 on CPython 3.7.5 (default, Sep 8 2020, 12:19:42)
[Clang 11.0.3 (clang-1103.0.32.62)]
--------------------------------------------------------------------------------
Calls per second for each encoding:
```
Links

- PyPI: https://pypi.org/project/chardet
- Changelog: https://data.safetycli.com/changelogs/chardet/
- Repo: https://github.com/chardet/chardet

Update dj-database-url from 0.5.0 to 2.1.0.

Changelog

### 2.1.0

```
* Add value to int parsing when deconstructing url string.
```

### 2.0.0

```
* Update project setup such that we now install as a package.

_Notes_: while this does not alter the underlying application code, we are bumping to 2.0 incase there are unforeseen knock on use-case issues.
```

### 1.3.0

```
* Cosmetic changes to the generation of schemes.
* Bump isort version - 5.11.5.
* raise warning message if database_url is not set.
* CONN_MAX_AGE fix type - Optional[int].
```

### 1.2.0

```
* Add the ability to add test databases.
* Improve url parsing and encoding.
* Fix missing parameter conn_health_check in check function.
```

### 1.1.0

```
* Option for connection health checks parameter.
* Update supported version python 3.11.
* Code changes, various improvments.
* Add project links to setup.py
```

### 1.0.0

```
Initial release of code now dj-database-urls is part of jazzband.

* Add support for cockroachdb.
* Add support for the offical MSSQL connector.
* Update License to be compatible with Jazzband.
* Remove support for Python < 3.5 including Python 2.7
* Update source code to Black format.
* Update CI using pre-commit
```
Links

- PyPI: https://pypi.org/project/dj-database-url
- Changelog: https://data.safetycli.com/changelogs/dj-database-url/
- Repo: https://github.com/jazzband/dj-database-url

Update django from 2.1.4 to 4.2.7.

Changelog ### 4.2.7 ``` ========================== *November 1, 2023* Django 4.2.7 fixes a security issue with severity "moderate" and several bugs in 4.2.6. CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows ========================================================================================= The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was subject to a potential denial of service attack via certain inputs with a very large number of Unicode characters. In order to avoid the vulnerability, invalid values longer than ``UsernameField.max_length`` are no longer normalized, since they cannot pass validation anyway. Bugfixes ======== * Fixed a regression in Django 4.2 that caused a crash of ``QuerySet.aggregate()`` with aggregates referencing expressions containing subqueries (:ticket:`34798`). * Restored, following a regression in Django 4.2, creating ``varchar/text_pattern_ops`` indexes on ``CharField`` and ``TextField`` with deterministic collations on PostgreSQL (:ticket:`34932`). ========================== ``` ### 4.2.6 ``` ========================== *October 4, 2023* Django 4.2.6 fixes a security issue with severity "moderate" and several bugs in 4.2.5. CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator`` ================================================================================ Following the fix for :cve:`2019-14232`, the regular expressions used in the implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods (with ``html=True``) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability. 
The ``chars()`` and ``words()`` methods are used to implement the :tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template filters, which were thus also vulnerable. The input processed by ``Truncator``, when operating in HTML mode, has been limited to the first five million characters in order to avoid potential performance and memory issues. Bugfixes ======== * Fixed a regression in Django 4.2.5 where overriding the deprecated ``DEFAULT_FILE_STORAGE`` and ``STATICFILES_STORAGE`` settings in tests caused the main ``STORAGES`` to mutate (:ticket:`34821`). * Fixed a regression in Django 4.2 that caused unnecessary casting of string based fields (``CharField``, ``EmailField``, ``TextField``, ``CICharField``, ``CIEmailField``, and ``CITextField``) used with the ``__isnull`` lookup on PostgreSQL. As a consequence, indexes using an ``__isnull`` expression or condition created before Django 4.2 wouldn't be used by the query planner, leading to a performance regression (:ticket:`34840`). You may need to recreate such indexes created in your database with Django 4.2 to 4.2.5, as they contain unnecessary ``::text`` casting. Find candidate indexes with this query: .. code-block:: sql SELECT indexname, indexdef FROM pg_indexes WHERE indexdef LIKE '%::text IS %NULL'; ========================== ``` ### 4.2.5 ``` ========================== *September 4, 2023* Django 4.2.5 fixes a security issue with severity "moderate" and several bugs in 4.2.4. CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()`` =================================================================================================== ``django.utils.encoding.uri_to_iri()`` was subject to potential denial of service attack via certain inputs with a very large number of Unicode characters. 
Bugfixes ======== * Fixed a regression in Django 4.2 that caused an incorrect validation of ``CheckConstraints`` on ``__isnull`` lookups against ``JSONField`` (:ticket:`34754`). * Fixed a bug in Django 4.2 where the deprecated ``DEFAULT_FILE_STORAGE`` and ``STATICFILES_STORAGE`` settings were not synced with ``STORAGES`` (:ticket:`34773`). * Fixed a regression in Django 4.2.2 that caused an unnecessary selection of a non-nullable ``ManyToManyField`` without a natural key during serialization (:ticket:`34779`). * Fixed a regression in Django 4.2 that caused a crash of a queryset when filtering against deeply nested ``OuterRef()`` annotations (:ticket:`34803`). ========================== ``` ### 4.2.4 ``` ========================== *August 1, 2023* Django 4.2.4 fixes several bugs in 4.2.3. Bugfixes ======== * Fixed a regression in Django 4.2 that caused a crash of ``QuerySet.aggregate()`` with aggregates referencing window functions (:ticket:`34717`). * Fixed a regression in Django 4.2 that caused a crash when grouping by a reference in a subquery (:ticket:`34748`). * Fixed a regression in Django 4.2 that caused aggregation over query that uses explicit grouping by multi-valued annotations to group against the wrong columns (:ticket:`34750`). ========================== ``` ### 4.2.3 ``` ========================== *July 3, 2023* Django 4.2.3 fixes a security issue with severity "moderate" and several bugs in 4.2.2. CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator`` =================================================================================================================== ``EmailValidator`` and ``URLValidator`` were subject to potential regular expression denial of service attack via a very large number of domain name labels of emails and URLs. 
Bugfixes
========

* Fixed a regression in Django 4.2 that caused incorrect alignment of timezone warnings for ``DateField`` and ``TimeField`` in the admin (:ticket:`34645`).
* Fixed a regression in Django 4.2 that caused incorrect highlighting of rows in the admin changelist view when ``ModelAdmin.list_editable`` contained a ``BooleanField`` (:ticket:`34638`).

==========================
```

### 4.2.2
```
==========================

*June 5, 2023*

Django 4.2.2 fixes several bugs in 4.2.1.

Bugfixes
========

* Fixed a regression in Django 4.2 that caused an unnecessary ``DBMS_LOB.SUBSTR()`` wrapping in the ``__isnull`` and ``__exact=None`` lookups for ``TextField()``/``BinaryField()`` on Oracle (:ticket:`34544`).
* Restored, following a regression in Django 4.2, ``get_prep_value()`` call in ``JSONField`` subclasses (:ticket:`34539`).
* Fixed a regression in Django 4.2 that caused a crash of ``QuerySet.defer()`` when passing a ``ManyToManyField`` or ``GenericForeignKey`` reference. While doing so is a no-op, it was allowed in older version (:ticket:`34570`).
* Fixed a regression in Django 4.2 that caused a crash of ``QuerySet.only()`` when passing a reverse ``OneToOneField`` reference (:ticket:`34612`).
* Fixed a bug in Django 4.2 where :option:`makemigrations --update` didn't respect the ``--name`` option (:ticket:`34568`).
* Fixed a performance regression in Django 4.2 when compiling queries without ordering (:ticket:`34580`).
* Fixed a regression in Django 4.2 where nonexistent stylesheet was linked on a “Congratulations!” page (:ticket:`34588`).
* Fixed a regression in Django 4.2 that caused a crash of ``QuerySet.aggregate()`` with expressions referencing other aggregates (:ticket:`34551`).
* Fixed a regression in Django 4.2 that caused a crash of ``QuerySet.aggregate()`` with aggregates referencing subqueries (:ticket:`34551`).
* Fixed a regression in Django 4.2 that caused a crash of querysets on SQLite when filtering on ``DecimalField`` against values outside of the defined range (:ticket:`34590`).
* Fixed a regression in Django 4.2 that caused a serialization crash on a ``ManyToManyField`` without a natural key when its ``Manager``’s base ``QuerySet`` used ``select_related()`` (:ticket:`34620`).

==========================
```

### 4.2.1
```
==========================

*May 3, 2023*

Django 4.2.1 fixes a security issue with severity "low" and several bugs in 4.2.

CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field
=================================================================================================

Uploading multiple files using one form field has never been supported by :class:`.forms.FileField` or :class:`.forms.ImageField` as only the last uploaded file was validated. Unfortunately, :ref:`uploading_multiple_files` topic suggested otherwise.

In order to avoid the vulnerability, :class:`~django.forms.ClearableFileInput` and :class:`~django.forms.FileInput` form widgets now raise ``ValueError`` when the ``multiple`` HTML attribute is set on them. To prevent the exception and keep the old behavior, set ``allow_multiple_selected`` to ``True``.

For more details on using the new attribute and handling of multiple files through a single field, see :ref:`uploading_multiple_files`.

Bugfixes
========

* Fixed a regression in Django 4.2 that caused a crash of ``QuerySet.defer()`` when deferring fields by attribute names (:ticket:`34458`).
* Fixed a regression in Django 4.2 that caused a crash of :class:`~django.contrib.postgres.search.SearchVector` function with ``%`` characters (:ticket:`34459`).
* Fixed a regression in Django 4.2 that caused aggregation over query that uses explicit grouping to group against the wrong columns (:ticket:`34464`).
* Reallowed, following a regression in Django 4.2, setting the ``"cursor_factory"`` option in :setting:`OPTIONS` on PostgreSQL (:ticket:`34466`).
* Enforced UTF-8 client encoding on PostgreSQL, following a regression in Django 4.2 (:ticket:`34470`).
* Fixed a regression in Django 4.2 where ``i18n_patterns()`` didn't respect the ``prefix_default_language`` argument when a fallback language of the default language was used (:ticket:`34455`).
* Fixed a regression in Django 4.2 where translated URLs of the default language from ``i18n_patterns()`` with ``prefix_default_language`` set to ``False`` raised 404 errors for a request with a different language (:ticket:`34515`).
* Fixed a regression in Django 4.2 where creating copies and deep copies of ``HttpRequest``, ``HttpResponse``, and their subclasses didn't always work correctly (:ticket:`34482`, :ticket:`34484`).
* Fixed a regression in Django 4.2 where ``timesince`` and ``timeuntil`` template filters returned incorrect results for a datetime with a non-UTC timezone when a time difference is less than 1 day (:ticket:`34483`).
* Fixed a regression in Django 4.2 that caused a crash of :class:`~django.contrib.postgres.search.SearchHeadline` function with ``psycopg`` 3 (:ticket:`34486`).
* Fixed a regression in Django 4.2 that caused incorrect ``ClearableFileInput`` margins in the admin (:ticket:`34506`).
* Fixed a regression in Django 4.2 where breadcrumbs didn't appear on admin site app index views (:ticket:`34512`).
* Made squashing migrations reduce ``AddIndex``, ``RemoveIndex``, ``RenameIndex``, and ``CreateModel`` operations which allows removing a deprecated ``Meta.index_together`` option from historical migrations and use ``Meta.indexes`` instead (:ticket:`34525`).

========================
```

### 4.2
```
========================

*April 3, 2023*

Welcome to Django 4.2!
These release notes cover the :ref:`new features <whats-new-4.2>`, as well as some :ref:`backwards incompatible changes <backwards-incompatible-4.2>` you'll want to be aware of when upgrading from Django 4.1 or earlier. We've :ref:`begun the deprecation process for some features <deprecated-features-4.2>`.

See the :doc:`/howto/upgrade-version` guide if you're updating an existing project.

Django 4.2 is designated as a :term:`long-term support release <Long-term support release>`. It will receive security updates for at least three years after its release. Support for the previous LTS, Django 3.2, will end in April 2024.

Python compatibility
====================

Django 4.2 supports Python 3.8, 3.9, 3.10, and 3.11. We **highly recommend** and only officially support the latest release of each series.

.. _whats-new-4.2:

What's new in Django 4.2
========================

Psycopg 3 support
-----------------

Django now supports `psycopg`_ version 3.1.8 or higher. To update your code, install the :pypi:`psycopg library <psycopg>`, you don't need to change the :setting:`ENGINE <DATABASE-ENGINE>` as ``django.db.backends.postgresql`` supports both libraries.

Support for ``psycopg2`` is likely to be deprecated and removed at some point in the future.

Be aware that ``psycopg`` 3 introduces some breaking changes over ``psycopg2``. As a consequence, you may need to make some changes to account for `differences from psycopg2`_.

.. _psycopg: https://www.psycopg.org/psycopg3/
.. _differences from psycopg2: https://www.psycopg.org/psycopg3/docs/basic/from_pg2.html

Comments on columns and tables
------------------------------

The new :attr:`Field.db_comment <django.db.models.Field.db_comment>` and :attr:`Meta.db_table_comment <django.db.models.Options.db_table_comment>` options allow creating comments on columns and tables, respectively.
For example::

    from django.db import models


    class Question(models.Model):
        text = models.TextField(db_comment="Poll question")
        pub_date = models.DateTimeField(
            db_comment="Date and time when the question was published",
        )

        class Meta:
            db_table_comment = "Poll questions"


    class Answer(models.Model):
        question = models.ForeignKey(
            Question,
            on_delete=models.CASCADE,
            db_comment="Reference to a question",
        )
        answer = models.TextField(db_comment="Question answer")

        class Meta:
            db_table_comment = "Question answers"

Also, the new :class:`~django.db.migrations.operations.AlterModelTableComment` operation allows changing table comments defined in the :attr:`Meta.db_table_comment <django.db.models.Options.db_table_comment>`.

Mitigation for the BREACH attack
--------------------------------

:class:`~django.middleware.gzip.GZipMiddleware` now includes a mitigation for the BREACH attack. It will add up to 100 random bytes to gzip responses to make BREACH attacks harder. Read more about the mitigation technique in the `Heal The Breach (HTB) paper`_.

.. _Heal The Breach (HTB) paper: https://ieeexplore.ieee.org/document/9754554

In-memory file storage
----------------------

The new :class:`django.core.files.storage.InMemoryStorage` class provides a non-persistent storage useful for speeding up tests by avoiding disk access.

Custom file storages
--------------------

The new :setting:`STORAGES` setting allows configuring multiple custom file storage backends. It also controls storage engines for managing :doc:`files </topics/files>` (the ``"default"`` key) and :doc:`static files </ref/contrib/staticfiles>` (the ``"staticfiles"`` key).

The old ``DEFAULT_FILE_STORAGE`` and ``STATICFILES_STORAGE`` settings are deprecated as of this release.

Minor features
--------------

:mod:`django.contrib.admin`
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* The light or dark color theme of the admin can now be toggled in the UI, as well as being set to follow the system setting.
* The admin's font stack now prefers system UI fonts and no longer requires downloading fonts. Additionally, CSS variables are available to more easily override the default font families.
* The :source:`admin/delete_confirmation.html <django/contrib/admin/templates/admin/delete_confirmation.html>` template now has some additional blocks and scripting hooks to ease customization.
* The chosen options of :attr:`~django.contrib.admin.ModelAdmin.filter_horizontal` and :attr:`~django.contrib.admin.ModelAdmin.filter_vertical` widgets are now filterable.
* The ``admin/base.html`` template now has a new block ``nav-breadcrumbs`` which contains the navigation landmark and the ``breadcrumbs`` block.
* :attr:`.ModelAdmin.list_editable` now uses atomic transactions when making edits.
* jQuery is upgraded from version 3.6.0 to 3.6.4.

:mod:`django.contrib.auth`
~~~~~~~~~~~~~~~~~~~~~~~~~~

* The default iteration count for the PBKDF2 password hasher is increased from 390,000 to 600,000.
* :class:`~django.contrib.auth.forms.UserCreationForm` now saves many-to-many form fields for a custom user model.
* The new :class:`~django.contrib.auth.forms.BaseUserCreationForm` is now the recommended base class for customizing the user creation form.

:mod:`django.contrib.gis`
~~~~~~~~~~~~~~~~~~~~~~~~~

* The :doc:`GeoJSON serializer </ref/contrib/gis/serializers>` now outputs the ``id`` key for serialized features, which defaults to the primary key of objects.
* The :class:`~django.contrib.gis.gdal.GDALRaster` class now supports :class:`pathlib.Path`.
* The :class:`~django.contrib.gis.geoip2.GeoIP2` class now supports ``.mmdb`` files downloaded from DB-IP.
* The OpenLayers template widget no longer includes inline CSS (which also removes the former ``map_css`` block) to better comply with a strict Content Security Policy.
* :class:`~django.contrib.gis.forms.widgets.OpenLayersWidget` is now based on OpenLayers 7.2.2 (previously 4.6.5).
* The new :lookup:`isempty` lookup and :class:`IsEmpty() <django.contrib.gis.db.models.functions.IsEmpty>` expression allow filtering empty geometries on PostGIS.
* The new :class:`FromWKB() <django.contrib.gis.db.models.functions.FromWKB>` and :class:`FromWKT() <django.contrib.gis.db.models.functions.FromWKT>` functions allow creating geometries from Well-known binary (WKB) and Well-known text (WKT) representations.

:mod:`django.contrib.postgres`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* The new :lookup:`trigram_strict_word_similar` lookup, and the :class:`TrigramStrictWordSimilarity() <django.contrib.postgres.search.TrigramStrictWordSimilarity>` and :class:`TrigramStrictWordDistance() <django.contrib.postgres.search.TrigramStrictWordDistance>` expressions allow using trigram strict word similarity.
* The :lookup:`arrayfield.overlap` lookup now supports ``QuerySet.values()`` and ``values_list()`` as a right-hand side.

:mod:`django.contrib.sitemaps`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* The new :meth:`.Sitemap.get_languages_for_item` method allows customizing the list of languages for which the item is displayed.

:mod:`django.contrib.staticfiles`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :class:`~django.contrib.staticfiles.storage.ManifestStaticFilesStorage` now has experimental support for replacing paths to JavaScript modules in ``import`` and ``export`` statements with their hashed counterparts. If you want to try it, subclass ``ManifestStaticFilesStorage`` and set the ``support_js_module_import_aggregation`` attribute to ``True``.
* The new :attr:`.ManifestStaticFilesStorage.manifest_hash` attribute provides a hash over all files in the manifest and changes whenever one of the files changes.

Database backends
~~~~~~~~~~~~~~~~~

* The new ``"assume_role"`` option is now supported in :setting:`OPTIONS` on PostgreSQL to allow specifying the :ref:`session role <database-role>`.
* The new ``"server_side_binding"`` option is now supported in :setting:`OPTIONS` on PostgreSQL with ``psycopg`` 3.1.8+ to allow using :ref:`server-side binding cursors <database-server-side-parameters-binding>`.

Error Reporting
~~~~~~~~~~~~~~~

* The debug page now shows :pep:`exception notes <678>` and :pep:`fine-grained error locations <657>` on Python 3.11+.
* Session cookies are now treated as credentials and therefore hidden and replaced with stars (``**********``) in error reports.

Forms
~~~~~

* :class:`~django.forms.ModelForm` now accepts the new ``Meta`` option ``formfield_callback`` to customize form fields.
* :func:`~django.forms.models.modelform_factory` now respects the ``formfield_callback`` attribute of the ``form``’s ``Meta``.

Internationalization
~~~~~~~~~~~~~~~~~~~~

* Added support and translations for the Central Kurdish (Sorani) language.

Logging
~~~~~~~

* The :ref:`django-db-logger` logger now logs transaction management queries (``BEGIN``, ``COMMIT``, and ``ROLLBACK``) at the ``DEBUG`` level.

Management Commands
~~~~~~~~~~~~~~~~~~~

* :djadmin:`makemessages` command now supports locales with private sub-tags such as ``nl_NL-x-informal``.
* The new :option:`makemigrations --update` option merges model changes into the latest migration and optimizes the resulting operations.

Migrations
~~~~~~~~~~

* Migrations now support serialization of ``enum.Flag`` objects.

Models
~~~~~~

* ``QuerySet`` now extensively supports filtering against :ref:`window-functions` with the exception of disjunctive filter lookups against window functions when performing aggregation.
* :meth:`~.QuerySet.prefetch_related` now supports :class:`~django.db.models.Prefetch` objects with sliced querysets.
* :ref:`Registering lookups <lookup-registration-api>` on :class:`~django.db.models.Field` instances is now supported.
* The new ``robust`` argument for :func:`~django.db.transaction.on_commit` allows performing actions that can fail after a database transaction is successfully committed.
* The new :class:`KT() <django.db.models.fields.json.KT>` expression represents the text value of a key, index, or path transform of :class:`~django.db.models.JSONField`.
* :class:`~django.db.models.functions.Now` now supports microsecond precision on MySQL and millisecond precision on SQLite.
* :class:`F() <django.db.models.F>` expressions that output ``BooleanField`` can now be negated using ``~F()`` (inversion operator).
* ``Model`` now provides asynchronous versions of some methods that use the database, using an ``a`` prefix: :meth:`~.Model.adelete`, :meth:`~.Model.arefresh_from_db`, and :meth:`~.Model.asave`.
* Related managers now provide asynchronous versions of methods that change a set of related objects, using an ``a`` prefix: :meth:`~.RelatedManager.aadd`, :meth:`~.RelatedManager.aclear`, :meth:`~.RelatedManager.aremove`, and :meth:`~.RelatedManager.aset`.
* :attr:`CharField.max_length <django.db.models.CharField.max_length>` is no longer required to be set on PostgreSQL, which supports unlimited ``VARCHAR`` columns.

Requests and Responses
~~~~~~~~~~~~~~~~~~~~~~

* :class:`~django.http.StreamingHttpResponse` now supports async iterators when Django is served via ASGI.

Tests
~~~~~

* The :option:`test --debug-sql` option now formats SQL queries with ``sqlparse``.
* The :class:`~django.test.RequestFactory`, :class:`~django.test.AsyncRequestFactory`, :class:`~django.test.Client`, and :class:`~django.test.AsyncClient` classes now support the ``headers`` parameter, which accepts a dictionary of header names and values. This allows a more natural syntax for declaring headers.

  .. code-block:: python

      # Before:
      self.client.get("/home/", HTTP_ACCEPT_LANGUAGE="fr")
      await self.async_client.get("/home/", ACCEPT_LANGUAGE="fr")

      # After:
      self.client.get("/home/", headers={"accept-language": "fr"})
      await self.async_client.get("/home/", headers={"accept-language": "fr"})

Utilities
~~~~~~~~~

* The new ``encoder`` parameter for :meth:`django.utils.html.json_script` function allows customizing a JSON encoder class.
* The private internal vendored copy of ``urllib.parse.urlsplit()`` now strips ``'\r'``, ``'\n'``, and ``'\t'`` (see :cve:`2022-0391` and :bpo:`43882`). This is to protect projects that may be incorrectly using the internal ``url_has_allowed_host_and_scheme()`` function, instead of using one of the documented functions for handling URL redirects. The Django functions were not affected.
* The new :func:`django.utils.http.content_disposition_header` function returns a ``Content-Disposition`` HTTP header value as specified by :rfc:`6266`.

Validators
~~~~~~~~~~

* The list of common passwords used by ``CommonPasswordValidator`` is updated to the most recent version.

.. _backwards-incompatible-4.2:

Backwards incompatible changes in 4.2
=====================================

Database backend API
--------------------

This section describes changes that may be needed in third-party database backends.

* ``DatabaseFeatures.allows_group_by_pk`` is removed as it only remained to accommodate a MySQL extension that has been supplanted by proper functional dependency detection in MySQL 5.7.15. Note that ``DatabaseFeatures.allows_group_by_selected_pks`` is still supported and should be enabled if your backend supports functional dependency detection in ``GROUP BY`` clauses as specified by the ``SQL:1999`` standard.
* :djadmin:`inspectdb` now uses ``display_size`` from ``DatabaseIntrospection.get_table_description()`` rather than ``internal_size`` for ``CharField``.
Dropped support for MariaDB 10.3
--------------------------------

Upstream support for MariaDB 10.3 ends in May 2023. Django 4.2 supports MariaDB 10.4 and higher.

Dropped support for MySQL 5.7
-----------------------------

Upstream support for MySQL 5.7 ends in October 2023. Django 4.2 supports MySQL 8 and higher.

Dropped support for PostgreSQL 11
---------------------------------

Upstream support for PostgreSQL 11 ends in November 2023. Django 4.2 supports PostgreSQL 12 and higher.

Setting ``update_fields`` in ``Model.save()`` may now be required
-----------------------------------------------------------------

In order to avoid updating unnecessary columns, :meth:`.QuerySet.update_or_create` now passes ``update_fields`` to the :meth:`Model.save() <django.db.models.Model.save>` calls. As a consequence, any fields modified in the custom ``save()`` methods should be added to the ``update_fields`` keyword argument before calling ``super()``. See :ref:`overriding-model-methods` for more details.

Miscellaneous
-------------

* The undocumented ``django.http.multipartparser.parse_header()`` function is removed. Use ``django.utils.http.parse_header_parameters()`` instead.
* :ttag:`{% blocktranslate asvar … %}<blocktranslate>` result is now marked as safe for (HTML) output purposes.
* The ``autofocus`` HTML attribute in the admin search box is removed as it can be confusing for screen readers.
* The :option:`makemigrations --check` option no longer creates missing migration files.
* The ``alias`` argument for :meth:`.Expression.get_group_by_cols` is removed.
* The minimum supported version of ``sqlparse`` is increased from 0.2.2 to 0.3.1.
* The undocumented ``negated`` parameter of the :class:`~django.db.models.Exists` expression is removed.
* The ``is_summary`` argument of the undocumented ``Query.add_annotation()`` method is removed.
* The minimum supported version of SQLite is increased from 3.9.0 to 3.21.0.
* The minimum supported version of ``asgiref`` is increased from 3.5.2 to 3.6.0.
* :class:`~django.contrib.auth.forms.UserCreationForm` now rejects usernames that differ only in case. If you need the previous behavior, use :class:`~django.contrib.auth.forms.BaseUserCreationForm` instead.
* The minimum supported version of ``mysqlclient`` is increased from 1.4.0 to 1.4.3.
* The minimum supported version of ``argon2-cffi`` is increased from 19.1.0 to 19.2.0.
* The minimum supported version of ``Pillow`` is increased from 6.2.0 to 6.2.1.
* The minimum supported version of ``jinja2`` is increased from 2.9.2 to 2.11.0.
* The minimum supported version of :pypi:`redis-py <redis>` is increased from 3.0.0 to 3.4.0.
* Manually instantiated ``WSGIRequest`` objects must be provided a file-like object for ``wsgi.input``. Previously, Django was more lax than the expected behavior as specified by the WSGI specification.
* Support for ``PROJ`` < 5 is removed.
* :class:`~django.core.mail.backends.smtp.EmailBackend` now verifies a :py:attr:`hostname <ssl.SSLContext.check_hostname>` and :py:attr:`certificates <ssl.SSLContext.verify_mode>`. If you need the previous behavior that is less restrictive and not recommended, subclass ``EmailBackend`` and override the ``ssl_context`` property.

.. _deprecated-features-4.2:

Features deprecated in 4.2
==========================

``index_together`` option is deprecated in favor of ``indexes``
---------------------------------------------------------------

The ``Meta.index_together`` option is deprecated in favor of the :attr:`~django.db.models.Options.indexes` option.

Migrating existing ``index_together`` should be handled as a migration.
For example::

    class Author(models.Model):
        rank = models.IntegerField()
        name = models.CharField(max_length=30)

        class Meta:
            index_together = [["rank", "name"]]

Should become::

    class Author(models.Model):
        rank = models.IntegerField()
        name = models.CharField(max_length=30)

        class Meta:
            indexes = [models.Index(fields=["rank", "name"])]

Running the :djadmin:`makemigrations` command will generate a migration containing a :class:`~django.db.migrations.operations.RenameIndex` operation which will rename the existing index. Next, consider squashing migrations to remove ``index_together`` from historical migrations.

The ``AlterIndexTogether`` migration operation is now officially supported only for pre-Django 4.2 migration files. For backward compatibility reasons, it's still part of the public API, and there's no plan to deprecate or remove it, but it should not be used for new migrations. Use :class:`~django.db.migrations.operations.AddIndex` and :class:`~django.db.migrations.operations.RemoveIndex` operations instead.

Passing encoded JSON string literals to ``JSONField`` is deprecated
-------------------------------------------------------------------

``JSONField`` and its associated lookups and aggregates used to allow passing JSON encoded string literals which caused ambiguity on whether string literals were already encoded from database backend's perspective.

During the deprecation period string literals will be attempted to be JSON decoded and a warning will be emitted on success that points at passing non-encoded forms instead.
Code that used to pass JSON encoded string literals::

    Document.objects.bulk_create(
        Document(data=Value("null")),
        Document(data=Value("[]")),
        Document(data=Value('"foo-bar"')),
    )
    Document.objects.annotate(
        JSONBAgg("field", default=Value("[]")),
    )

Should become::

    Document.objects.bulk_create(
        Document(data=Value(None, JSONField())),
        Document(data=[]),
        Document(data="foo-bar"),
    )
    Document.objects.annotate(
        JSONBAgg("field", default=[]),
    )

From Django 5.1+ string literals will be implicitly interpreted as JSON string literals.

Miscellaneous
-------------

* The ``BaseUserManager.make_random_password()`` method is deprecated. See `recipes and best practices <https://docs.python.org/3/library/secrets.html#recipes-and-best-practices>`_ for using Python's :py:mod:`secrets` module to generate passwords.
* The ``length_is`` template filter is deprecated in favor of :tfilter:`length` and the ``==`` operator within an :ttag:`{% if %}<if>` tag. For example

  .. code-block:: html+django

      {% if value|length == 4 %}…{% endif %}
      {% if value|length == 4 %}True{% else %}False{% endif %}

  instead of:

  .. code-block:: html+django

      {% if value|length_is:4 %}…{% endif %}
      {{ value|length_is:4 }}

* ``django.contrib.auth.hashers.SHA1PasswordHasher``, ``django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher``, and ``django.contrib.auth.hashers.UnsaltedMD5PasswordHasher`` are deprecated.
* ``django.contrib.postgres.fields.CICharField`` is deprecated in favor of ``CharField(db_collation="…")`` with a case-insensitive non-deterministic collation.
* ``django.contrib.postgres.fields.CIEmailField`` is deprecated in favor of ``EmailField(db_collation="…")`` with a case-insensitive non-deterministic collation.
* ``django.contrib.postgres.fields.CITextField`` is deprecated in favor of ``TextField(db_collation="…")`` with a case-insensitive non-deterministic collation.
* ``django.contrib.postgres.fields.CIText`` mixin is deprecated.
* The ``map_height`` and ``map_width`` attributes of ``BaseGeometryWidget`` are deprecated, use CSS to size map widgets instead.
* ``SimpleTestCase.assertFormsetError()`` is deprecated in favor of ``assertFormSetError()``.
* ``TransactionTestCase.assertQuerysetEqual()`` is deprecated in favor of ``assertQuerySetEqual()``.
* Passing positional arguments to ``Signer`` and ``TimestampSigner`` is deprecated in favor of keyword-only arguments.
* The ``DEFAULT_FILE_STORAGE`` setting is deprecated in favor of ``STORAGES["default"]``.
* The ``STATICFILES_STORAGE`` setting is deprecated in favor of ``STORAGES["staticfiles"]``.
* The ``django.core.files.storage.get_storage_class()`` function is deprecated.

===========================
```

### 4.1.13
```
===========================

*November 1, 2023*

Django 4.1.13 fixes a security issue with severity "moderate" in 4.1.12.

CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
=========================================================================================

The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was subject to a potential denial of service attack via certain inputs with a very large number of Unicode characters.

In order to avoid the vulnerability, invalid values longer than ``UsernameField.max_length`` are no longer normalized, since they cannot pass validation anyway.

===========================
```

### 4.1.12
```
===========================

*October 4, 2023*

Django 4.1.12 fixes a security i
```
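The CVE-2023-46695 mitigation quoted in the 4.1.13 notes above, as an added stand-alone sketch (not Django's code and not part of the bot's comment): the length check runs before NFKC normalization, so overlong input costs no normalization work. The names `CountingNFKC`, `to_python`, `validate`, `clean_username`, `normalization_cost` and the limit of 150 are assumptions of this example.

```python
import unicodedata

MAX_LENGTH = 150  # assumed field limit for this sketch


class CountingNFKC:
    """NFKC normalizer that records how many characters it was asked to process."""

    def __init__(self):
        self.chars_processed = 0

    def __call__(self, value):
        self.chars_processed += len(value)
        return unicodedata.normalize("NFKC", value)


def to_python(value, normalize, guarded=True, max_length=MAX_LENGTH):
    """Convert raw input; with guarded=True overlong values skip normalization."""
    if guarded and len(value) > max_length:
        # Returned untouched: validate() rejects it on length anyway.
        return value
    return normalize(value)


def validate(value, max_length=MAX_LENGTH):
    if len(value) > max_length:
        raise ValueError(f"username longer than {max_length} characters")
    return value


def clean_username(value, normalize, guarded=True):
    return validate(to_python(value, normalize, guarded))


def normalization_cost(value, guarded):
    """Return (accepted, characters handed to NFKC) for one input."""
    normalize = CountingNFKC()
    try:
        clean_username(value, normalize, guarded)
        accepted = True
    except ValueError:
        accepted = False
    return accepted, normalize.chars_processed


# Constructed inputs.
OVERLONG = "\u00b9" * 100_000    # superscript one; NFKC maps each to "1"
DECOMPOSED = "e\u0301" * 100     # 200 code points that NFKC composes to 100

if __name__ == "__main__":
    print(clean_username("\ufb01ona", CountingNFKC()))    # ligature folded
    print(normalization_cost(OVERLONG, guarded=False))    # all input normalized
    print(normalization_cost(OVERLONG, guarded=True))     # none normalized
    print(normalization_cost(DECOMPOSED, guarded=False))  # accepted unguarded
    print(normalization_cost(DECOMPOSED, guarded=True))   # rejected when guarded
```

The `DECOMPOSED` case shows a side effect to test for when adopting this ordering: input that only fits the limit after composition is rejected by the guarded path.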
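The BREACH mitigation described in the 4.2 notes above ("up to 100 random bytes" added to gzip responses), as an added sketch that is not Django's implementation: it carries the padding in the gzip header's optional file-name field, which is an assumption of this example since the notes do not say where the bytes go. `compress_padded`, `length_spread` and the sample body are constructed for illustration.

```python
import gzip
import io
import secrets

# Constructed response body containing a value an observer should not learn.
SAMPLE_BODY = b"<html><input name='csrf' value='k3J9xQ'>" + b"<p>hello</p>" * 50


def compress_padded(body, max_random_bytes=100, pad_len=None):
    """Gzip `body`, adding a random-length file name to the gzip header.

    The padding lives in the header, so the decompressed content is unchanged,
    but the on-the-wire length no longer depends only on how well the body
    compressed. `pad_len` may be fixed for testing.
    """
    if pad_len is None:
        pad_len = secrets.randbelow(max_random_bytes)  # 0 .. max_random_bytes-1
    buf = io.BytesIO()
    # mtime=0 keeps the rest of the header constant between calls.
    with gzip.GzipFile(filename="a" * pad_len, mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(body)
    return buf.getvalue()


def length_spread(body, samples=200):
    """Distinct response lengths seen for the same body across `samples` responses."""
    return {len(compress_padded(body)) for _ in range(samples)}


if __name__ == "__main__":
    base = len(compress_padded(SAMPLE_BODY, pad_len=0))
    spread = length_spread(SAMPLE_BODY)
    print("unpadded length:", base)
    print("padded lengths range:", min(spread), "to", max(spread))
    print("distinct lengths observed:", len(spread))
```

A non-empty file name costs its length plus one terminating NUL byte, so a draw of 0 to 99 adds at most 100 bytes.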
pyup-bot commented 1 month ago

Closing this in favor of #74