Sourced from requests's\r\nreleases.
\r\n\r\n\r\nv2.32.0
\r\n2.32.0 (2024-05-20)
\r\n🐍 PYCON US 2024 EDITION 🐍
\r\nSecurity
\r\n\r\n
\r\n- Fixed an issue where setting
\r\nverify=False
on the first\r\nrequest from a\r\nSession will cause subsequent requests to the same origin to\r\nalso ignore\r\ncert verification, regardless of the value ofverify
.\r\n(https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)Improvements
\r\n\r\n
\r\n- \r\n
verify=True
now reuses a global SSLContext which should\r\nimprove\r\nrequest time variance between first and subsequent requests. It should\r\nalso minimize certificate load time on Windows systems when using a\r\nPython\r\nversion built with OpenSSL 3.x. (#6667)- Requests now supports optional use of character detection\r\n(
\r\nchardet
orcharset_normalizer
) when\r\nrepackaged or vendored.\r\nThis enablespip
and other projects to minimize their\r\nvendoring\r\nsurface area. TheResponse.text()
and\r\napparent_encoding
APIs\r\nwill default toutf-8
if neither library is present. (#6702)Bugfixes
\r\n\r\n
\r\n- Fixed bug in length detection where emoji length was incorrectly\r\ncalculated in the request content-length. (#6589)
\r\n- Fixed deserialization bug in JSONDecodeError. (#6629)
\r\n- Fixed bug where an extra leading
\r\n/
(path separator)\r\ncould lead\r\nurllib3 to unnecessarily reparse the request URI. (#6644)Deprecations
\r\n\r\n
\r\n- Requests has officially added support for CPython 3.12 (#6503)
\r\n- Requests has officially added support for PyPy 3.9 and 3.10 (#6641)
\r\n- Requests has officially dropped support for CPython 3.7 (#6642)
\r\n- Requests has officially dropped support for PyPy 3.7 and 3.8 (#6641)
\r\nDocumentation
\r\n\r\n
\r\n- Various typo fixes and doc improvements.
\r\nPackaging
\r\n\r\n
\r\n- Requests has started adopting some modern packaging practices.\r\nThe source files for the projects (formerly
\r\nrequests
) is\r\nnow located\r\ninsrc/requests
in the Requests sdist. (#6506)- Starting in Requests 2.33.0, Requests will migrate to a PEP 517\r\nbuild system\r\nusing
\r\nhatchling
. This should not impact the average user,\r\nbut extremely old\r\nversions of packaging utilities may have issues with the new packaging\r\nformat.New Contributors
\r\n\r\n
\r\n\r\n- \r\n
@matthewarmand
\r\nmade their first contribution in psf/requests#6258- \r\n
@cpzt
made their\r\nfirst contribution in psf/requests#6456
... (truncated)
\r\nSourced from requests's\r\nchangelog.
\r\n\r\n\r\n2.32.0 (2024-05-20)
\r\nSecurity
\r\n\r\n
\r\n- Fixed an issue where setting
\r\nverify=False
on the first\r\nrequest from a\r\nSession will cause subsequent requests to the same origin to\r\nalso ignore\r\ncert verification, regardless of the value ofverify
.\r\n(https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)Improvements
\r\n\r\n
\r\n- \r\n
verify=True
now reuses a global SSLContext which should\r\nimprove\r\nrequest time variance between first and subsequent requests. It should\r\nalso minimize certificate load time on Windows systems when using a\r\nPython\r\nversion built with OpenSSL 3.x. (#6667)- Requests now supports optional use of character detection\r\n(
\r\nchardet
orcharset_normalizer
) when\r\nrepackaged or vendored.\r\nThis enablespip
and other projects to minimize their\r\nvendoring\r\nsurface area. TheResponse.text()
and\r\napparent_encoding
APIs\r\nwill default toutf-8
if neither library is present. (#6702)Bugfixes
\r\n\r\n
\r\n- Fixed bug in length detection where emoji length was incorrectly\r\ncalculated in the request content-length. (#6589)
\r\n- Fixed deserialization bug in JSONDecodeError. (#6629)
\r\n- Fixed bug where an extra leading
\r\n/
(path separator)\r\ncould lead\r\nurllib3 to unnecessarily reparse the request URI. (#6644)Deprecations
\r\n\r\n
\r\n- Requests has officially added support for CPython 3.12 (#6503)
\r\n- Requests has officially added support for PyPy 3.9 and 3.10 (#6641)
\r\n- Requests has officially dropped support for CPython 3.7 (#6642)
\r\n- Requests has officially dropped support for PyPy 3.7 and 3.8 (#6641)
\r\nDocumentation
\r\n\r\n
\r\n- Various typo fixes and doc improvements.
\r\nPackaging
\r\n\r\n
\r\n- Requests has started adopting some modern packaging practices.\r\nThe source files for the projects (formerly
\r\nrequests
) is\r\nnow located\r\ninsrc/requests
in the Requests sdist. (#6506)- Starting in Requests 2.33.0, Requests will migrate to a PEP 517\r\nbuild system\r\nusing
\r\nhatchling
. This should not impact the average user,\r\nbut extremely old\r\nversions of packaging utilities may have issues with the new packaging\r\nformat.
d6ebc4a
\r\nv2.32.09a40d12
\r\nAvoid reloading root certificates to improve concurrent performance (#6667)0c030f7
\r\nMerge pull request #6702\r\nfrom nateprewitt/no_char_detection555b870
\r\nAllow character detection dependencies to be optional in post-packaging\r\nstepsd6dded3
\r\nMerge pull request #6700\r\nfrom franekmagiera/update-redirect-to-invalid-uri-testbf24b7d
\r\nUse an invalid URI that will not cause httpbin to throw 5002d5f547
\r\nPin 3.8 and 3.9 runners back to macos-13 (#6688)f1bb07d
\r\nMerge pull request #6687\r\nfrom psf/dependabot/github_actions/github/codeql-act...60047ad
\r\nBump github/codeql-action from 3.24.0 to 3.25.031ebb81
\r\nMerge pull request #6682\r\nfrom frenzymadness/pytest8Sourced from jinja2's\r\nreleases.
\r\n\r\n\r\n3.1.4
\r\nThis is the Jinja 3.1.4 security release, which fixes security issues\r\nand bugs but does not otherwise change behavior and should not result in\r\nbreaking changes.
\r\nPyPI: https://pypi.org/project/Jinja2/3.1.4/\r\nChanges: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4
\r\n\r\n
\r\n- The
\r\nxmlattr
filter does not allow keys with\r\n/
solidus,>
greater-than sign, or\r\n=
equals sign, in addition to disallowing spaces.\r\nRegardless of any validation done by Jinja, user input should never be\r\nused as keys to this filter, or must be separately validated first.\r\nGHSA-h75v-3vvj-5mfj
Sourced from jinja2's\r\nchangelog.
\r\n\r\n\r\nVersion 3.1.4
\r\nReleased 2024-05-05
\r\n\r\n
\r\n- The
\r\nxmlattr
filter does not allow keys with\r\n/
solidus,>
\r\ngreater-than sign, or=
equals sign, in addition to\r\ndisallowing spaces.\r\nRegardless of any validation done by Jinja, user input should never be\r\nused\r\nas keys to this filter, or must be separately validated first.\r\n:ghsa:h75v-3vvj-5mfj
dd4a8b5
\r\nrelease version 3.1.40668239
\r\nMerge pull request from GHSA-h75v-3vvj-5mfjd655030
\r\ndisallow invalid characters in keys to xmlattr filtera7863ba
\r\nadd ghsa linksb5c98e7
\r\nstart version 3.1.4da3a9f0
\r\nupdate project files (#1968)0ee5eb4
\r\nsatisfy formatter, linter, and strict mypy20477c6
\r\nupdate project files (#5457)e491223
\r\nupdate pyyaml dev dependency36f9885
\r\nfix pr linkSourced from werkzeug's\r\nreleases.
\r\n\r\n\r\n3.0.3
\r\nThis is the Werkzeug 3.0.3 security release, which fixes security\r\nissues and bugs but does not otherwise change behavior and should not\r\nresult in breaking changes.
\r\nPyPI: https://pypi.org/project/Werkzeug/3.0.3/\r\nChanges: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-3\r\nMilestone: https://github.com/pallets/werkzeug/milestone/35?closed=1
\r\n\r\n
\r\n- Only allow
\r\nlocalhost
,.localhost
,\r\n127.0.0.1
, or the specified hostname when running the dev\r\nserver, to make debugger requests. Additional hosts can be added by\r\nusing the debugger middleware directly. The debugger UI makes requests\r\nusing the full URL rather than only the path. GHSA-2g68-c3qc-8985- Make reloader more robust when
\r\n""
is in\r\nsys.path
. #2823- Better TLS cert format with
\r\nadhoc
dev certs. #2891- Inform Python < 3.12 how to handle
\r\nitms-services
\r\nURIs correctly, rather than using an overly-broad workaround in Werkzeug\r\nthat caused some redirect URIs to be passed on without encoding. #2828- Type annotation for
\r\nRule.endpoint
and other uses of\r\nendpoint
isAny
. #28363.0.2
\r\nThis is a fix release for the 3.0.x feature branch.
\r\n\r\n
\r\n- Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-2
\r\n
Sourced from werkzeug's\r\nchangelog.
\r\n\r\n\r\nVersion 3.0.3
\r\nReleased 2024-05-05
\r\n\r\n
\r\n- \r\n
\r\nOnly allow
\r\nlocalhost
,.localhost
,\r\n127.0.0.1
, or the specified\r\nhostname when running the dev server, to make debugger requests.\r\nAdditional\r\nhosts can be added by using the debugger middleware directly. The\r\ndebugger\r\nUI makes requests using the full URL rather than only the path.\r\n:ghsa:2g68-c3qc-8985
- \r\n
\r\nMake reloader more robust when
\r\n""
is in\r\nsys.path
. :pr:2823
- \r\n
\r\nBetter TLS cert format with
\r\nadhoc
dev certs.\r\n:pr:2891
- \r\n
\r\nInform Python < 3.12 how to handle
\r\nitms-services
URIs\r\ncorrectly, rather\r\nthan using an overly-broad workaround in Werkzeug that caused some\r\nredirect\r\nURIs to be passed on without encoding. :issue:2828
- \r\n
\r\nType annotation for
\r\nRule.endpoint
and other uses of\r\nendpoint
is\r\nAny
. :issue:2836
- \r\n
\r\nMake reloader more robust when
\r\n""
is in\r\nsys.path
. :pr:2823
Version 3.0.2
\r\nReleased 2024-04-01
\r\n\r\n
\r\n- Ensure setting
\r\nmerge_slashes
toFalse
\r\nresults inNotFound
for\r\nrepeated-slash requests against single slash routes.\r\n:issue:2834
- Fix handling of
\r\nTypeError
in\r\nTypeConversionDict.get()
to match\r\nValueError
. :issue:2843
- Fix
\r\nresponse_wrapper
type check in test client.\r\n:issue:2831
- Make the return type of
\r\nMultiPartParser.parse
more\r\nprecise.\r\n:issue:2840
- Raise an error if converter arguments cannot be parsed.\r\n:issue:
\r\n2822
f9995e9
\r\nrelease version 3.0.33386395
\r\nMerge pull request from GHSA-2g68-c3qc-8985890b6b6
\r\nonly require trusted host for evalex71b69df
\r\nrestrict debugger trusted hostsd2d3869
\r\nendpoint type is Any (#2895)7080b55
\r\nendpoint type is Any7555eff
\r\nremove iri_to_uri redirect workaround (#2894)97fb2f7
\r\nremove _invalid_iri_to_uri workaround249527f
\r\nmake cn field a valid single hostname, and use wildcard in SANs field.\r\n(#2892)793be47
\r\nupdate adhoc tls dev cert format