This is a feature release, which includes new features and removes previously deprecated features. The 2.2.x branch is now the supported bugfix branch, the 2.1.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades.
This is a feature release, which includes new features and removes previously deprecated features. The 2.1.x branch is now the supported bugfix branch, the 2.0.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades.
Ensure that URL rules using path converters will redirect with strict slashes when
the trailing slash is missing. :issue:2533
Type signature for get_json specifies that return type is not optional when
silent=False. :issue:2508
parse_content_range_header returns None for a value like bytes */-1
where the length is invalid, instead of raising an AssertionError. :issue:2531
Address remaining ResourceWarning related to the socket used by run_simple.
Remove prepare_socket, which now happens when creating the server. :issue:2421
Update pre-existing headers for multipart/form-data requests with the test
client. :issue:2549
Fix handling of header extended parameters such that they are no longer quoted.
:issue:2529
LimitedStream.read works correctly when wrapping a stream that may not return
the requested size in one read call. :issue:2558
A cookie header that starts with = is treated as an empty key and discarded,
rather than stripping the leading ==.
Specify a maximum number of multipart parts, default 1000, after which a
RequestEntityTooLarge exception is raised on parsing. This mitigates a DoS
attack where a larger number of form/file parts would result in disproportionate
resource use.
Version 2.2.2
Released 2022-08-08
Fix router to restore the 2.1 strict_slashes == False behaviour
whereby leaf-requests match branch rules and vice
versa. :pr:2489
Fix router to identify invalid rules rather than hang parsing them,
and to correctly parse / within converter arguments. :pr:2489
Update subpackage imports in :mod:werkzeug.routing to use the
import as syntax for explicitly re-exporting public attributes.
:pr:2493
Parsing of some invalid header characters is more robust. :pr:2494
When starting the development server, a warning not to use it in a
production deployment is always shown. :issue:2480
LocalProxy.__wrapped__ is always set to the wrapped object when
the proxy is unbound, fixing an issue in doctest that would cause it
to fail. :issue:2485
Address one ResourceWarning related to the socket used by
run_simple. :issue:2421
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/vinneyto/junk/network/alerts).
Bumps werkzeug from 2.0.2 to 2.2.3.
Release notes
Sourced from werkzeug's releases.
Changelog
Sourced from werkzeug's changelog.
... (truncated)
Commits
22a254f
release version 2.2.3517cac5
Merge pull request from GHSA-xg9f-g7g7-2323babc8d9
rewrite docs about request data limits09449ee
clean up docsfe899d0
limit the maximum number of multipart form partscf275f4
Merge pull request from GHSA-px8h-6qxv-m22q8c2b4b8
don't strip leading = when parsing cookie7c7ce5c
[pre-commit.ci] pre-commit autoupdate (#2585)19ae03e
[pre-commit.ci] auto fixes from pre-commit.com hooksa83d3b8
[pre-commit.ci] pre-commit autoupdateDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/vinneyto/junk/network/alerts).