Scheduled weekly dependency update for week 32

[pyup-bot]

Update dj-database-url from 2.1.0 to 2.2.0.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

• PyPI: https://pypi.org/project/dj-database-url
• Changelog: https://data.safetycli.com/changelogs/dj-database-url/
• Repo: https://github.com/jazzband/dj-database-url

Update django from 5.0.4 to 5.1.

Changelog

5.1

========================

*August 7, 2024*

Welcome to Django 5.1!

These release notes cover the :ref:`new features <whats-new-5.1>`, as well as
some :ref:`backwards incompatible changes <backwards-incompatible-5.1>` you
should be aware of when upgrading from Django 5.0 or earlier. We've
:ref:`begun the deprecation process for some features
<deprecated-features-5.1>`.

See the :doc:`/howto/upgrade-version` guide if you're updating an existing
project.

Python compatibility
====================

Django 5.1 supports Python 3.10, 3.11, and 3.12. We **highly recommend** and
only officially support the latest release of each series.

.. _whats-new-5.1:

What's new in Django 5.1
========================

``{% querystring %}`` template tag
-----------------------------------

Django 5.1 introduces the :ttag:`{% querystring %} <querystring>` template
tag, simplifying the modification of query parameters in URLs, making it easier
to generate links that maintain existing query parameters while adding or
changing specific ones.

For instance, navigating pagination and query strings in templates can be
cumbersome. Consider this template fragment that dynamically generates a URL
for navigating to the next page within a paginated view:

.. code-block:: html+django

 { Linebreaks added for readability, this should be one, long line. }
 <a href="?{% for key, values in request.GET.iterlists %}
   {% if key != "page" %}
     {% for value in values %}
       {{ key }}={{ value }}&
     {% endfor %}
   {% endif %}
 {% endfor %}page={{ page.next_page_number }}">Next page</a>

When switching to using this new template tag, the above magically becomes:

.. code-block:: html+django

 <a href="{% querystring page=page.next_page_number %}">Next page</a>

PostgreSQL Connection Pools
---------------------------

Django 5.1 also introduces :ref:`connection pool <postgresql-pool>` support for
PostgreSQL. As the time to establish a new connection can be relatively long,
keeping connections open can reduce latency.

To use a connection pool with `psycopg`_, you can set the ``"pool"`` option
inside :setting:`OPTIONS` to be a dict to be passed to
:class:`~psycopg:psycopg_pool.ConnectionPool`, or to ``True`` to use the
``ConnectionPool`` defaults::

 DATABASES = {
     "default": {
         "ENGINE": "django.db.backends.postgresql",
          ...
         "OPTIONS": {
             "pool": {
                 "min_size": 2,
                 "max_size": 4,
                 "timeout": 10,
             }
         },
     },
 }

.. _psycopg: https://www.psycopg.org/

Middleware to require authentication by default
-----------------------------------------------

The new :class:`~django.contrib.auth.middleware.LoginRequiredMiddleware`
redirects all unauthenticated requests to a login page. Views can allow
unauthenticated requests by using the new
:func:`~django.contrib.auth.decorators.login_not_required` decorator.

The :class:`~django.contrib.auth.middleware.LoginRequiredMiddleware` respects
the ``login_url`` and ``redirect_field_name`` values set via the
:func:`~.django.contrib.auth.decorators.login_required` decorator, but does not
support setting ``login_url`` or ``redirect_field_name`` via the
:class:`~django.contrib.auth.mixins.LoginRequiredMixin`.

Minor features
--------------

:mod:`django.contrib.admin`
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :attr:`.ModelAdmin.list_display` now supports using ``__`` lookups to list
fields from related models.

:mod:`django.contrib.auth`
~~~~~~~~~~~~~~~~~~~~~~~~~~

* The default iteration count for the PBKDF2 password hasher is increased from
720,000 to 870,000.

* The default ``parallelism`` of the ``ScryptPasswordHasher`` is 
increased from 1 to 5, to follow OWASP recommendations.

* :class:`~django.contrib.auth.forms.BaseUserCreationForm` and
:class:`~django.contrib.auth.forms.AdminPasswordChangeForm` now support
disabling password-based authentication by setting an unusable password on
form save. This is now available in the admin when visiting the user creation
and password change pages.

* :func:`~.django.contrib.auth.decorators.login_required`,
:func:`~.django.contrib.auth.decorators.permission_required`, and
:func:`~.django.contrib.auth.decorators.user_passes_test` decorators now
support wrapping asynchronous view functions.

* ``ReadOnlyPasswordHashWidget`` now includes a button to reset the user's
password, which replaces the link previously embedded in the
``ReadOnlyPasswordHashField``'s help text, improving the overall
accessibility of the
:class:`~django.contrib.auth.forms.UserChangeForm`.

:mod:`django.contrib.gis`
~~~~~~~~~~~~~~~~~~~~~~~~~

* :class:`~django.contrib.gis.db.models.functions.BoundingCircle` is now
supported on SpatiaLite 5.1+.

* :class:`~django.contrib.gis.db.models.Collect` is now supported on MySQL
8.0.24+.

* :class:`~django.contrib.gis.geoip2.GeoIP2` now allows querying using
:class:`ipaddress.IPv4Address` or :class:`ipaddress.IPv6Address` objects.

* :meth:`.GeoIP2.country` now exposes the ``continent_code``,
``continent_name``, and ``is_in_european_union`` values.

* :meth:`.GeoIP2.city` now exposes the ``accuracy_radius`` and ``region_name``
values. In addition, the ``dma_code`` and ``region`` values are now exposed
as ``metro_code`` and ``region_code``, but the previous keys are also
retained for backward compatibility.

* :class:`~django.contrib.gis.measure.Area` now supports the ``ha`` unit.

* The new :attr:`.OGRGeometry.is_3d` attribute allows checking if a geometry
has a ``Z`` coordinate dimension.

* The new :meth:`.OGRGeometry.set_3d` method allows addition and removal of the
``Z`` coordinate dimension.

* :class:`~django.contrib.gis.gdal.OGRGeometry`,
:class:`~django.contrib.gis.gdal.Point`,
:class:`~django.contrib.gis.gdal.LineString`,
:class:`~django.contrib.gis.gdal.Polygon`, and
:class:`~django.contrib.gis.gdal.GeometryCollection` and its subclasses now
support measured geometries via the new :attr:`.OGRGeometry.is_measured` and
``m`` properties, and the :meth:`.OGRGeometry.set_measured` method.

* :attr:`.OGRGeometry.centroid` is now available on all supported geometry
types.

* :class:`FromWKB() <django.contrib.gis.db.models.functions.FromWKB>` and
:class:`FromWKT() <django.contrib.gis.db.models.functions.FromWKT>` functions
now support the optional ``srid`` argument (except for Oracle where it is
ignored).

:mod:`django.contrib.postgres`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :class:`~django.contrib.postgres.indexes.BTreeIndex` now supports the
``deduplicate_items`` parameter.

:mod:`django.contrib.sessions`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :class:`django.contrib.sessions.backends.cached_db.SessionStore` now handles
exceptions when storing session information in the cache, logging proper
error messages with their traceback via the newly added
:ref:`sessions logger <django-contrib-sessions-logger>`.

* :class:`django.contrib.sessions.backends.base.SessionBase` and all built-in
session engines now provide async API. The new asynchronous methods all have
``a`` prefixed names, e.g. ``aget()``, ``akeys()``, or ``acycle_key()``.

Database backends
~~~~~~~~~~~~~~~~~

* ``"init_command"`` option is now supported in :setting:`OPTIONS` on SQLite
to allow specifying :ref:`pragma options <sqlite-init-command>` to set upon
connection.

* ``"transaction_mode"`` option is now supported in :setting:`OPTIONS` on
SQLite to allow specifying the :ref:`sqlite-transaction-behavior`.

* ``"pool"`` option is now supported in :setting:`OPTIONS` on PostgreSQL to
allow using :ref:`connection pools <postgresql-pool>`.

Error Reporting
~~~~~~~~~~~~~~~

* In order to improve accessibility, the technical 404 and 500 error pages now
use HTML landmark elements for the header, footer, and main content areas.

File Storage
~~~~~~~~~~~~

* The :attr:`~django.core.files.storage.FileSystemStorage.allow_overwrite`
parameter of :class:`~django.core.files.storage.FileSystemStorage` now allows
saving new files over existing ones.

Forms
~~~~~

* In order to improve accessibility and enable screen readers to associate
fieldsets with their help text, the form fieldset now includes the
``aria-describedby`` HTML attribute.

Management Commands
~~~~~~~~~~~~~~~~~~~

* The :djadmin:`makemigrations` command now displays meaningful symbols for
each operation to highlight :class:`operation categories
<django.db.migrations.operations.base.OperationCategory>`.

Migrations
~~~~~~~~~~

* The new ``Operation.category`` attribute allows specifying an
:class:`operation category
<django.db.migrations.operations.base.OperationCategory>` used by the
:djadmin:`makemigrations` to display a meaningful symbol for the operation.

Models
~~~~~~

* :meth:`.QuerySet.explain` now supports the ``generic_plan`` option on
PostgreSQL 16+.

* :class:`~django.db.models.expressions.RowRange` now accepts positive integers
for the ``start`` argument and negative integers for the ``end`` argument.

* The new ``exclusion`` argument of
:class:`~django.db.models.expressions.RowRange` and
:class:`~django.db.models.expressions.ValueRange` allows excluding rows,
groups, and ties from the window frames.

* :meth:`.QuerySet.order_by` now supports ordering by annotation transforms
such as ``JSONObject`` keys and ``ArrayAgg`` indices.

* :class:`F() <django.db.models.F>` and :class:`OuterRef()
<django.db.models.OuterRef>` expressions that output
:class:`~django.db.models.CharField`, :class:`~django.db.models.EmailField`,
:class:`~django.db.models.SlugField`, :class:`~django.db.models.URLField`,
:class:`~django.db.models.TextField`, or
:class:`~django.contrib.postgres.fields.ArrayField` can now be :ref:`sliced
<slicing-using-f>`.

* The new ``from_queryset`` argument of :meth:`.Model.refresh_from_db` and
:meth:`.Model.arefresh_from_db`  allows customizing the queryset used to
reload a model's value. This can be used to lock the row before reloading or
to select related objects.

* The new :attr:`.Expression.constraint_validation_compatible` attribute allows
specifying that the expression should be ignored during a constraint
validation.

Templates
~~~~~~~~~

* Custom tags may now set extra data on the ``Parser`` object that will later
be made available on the ``Template`` instance. Such data may be used, for
example, by the template loader, or other template clients.

* :ref:`Template engines <field-checking>` now implement a ``check()`` method
that is already registered with the check framework.

Tests
~~~~~

* :meth:`~django.test.SimpleTestCase.assertContains`,
:meth:`~django.test.SimpleTestCase.assertNotContains`, and
:meth:`~django.test.SimpleTestCase.assertInHTML` assertions now add haystacks
to assertion error messages.

* The :class:`~django.test.RequestFactory`,
:class:`~django.test.AsyncRequestFactory`, :class:`~django.test.Client`, and
:class:`~django.test.AsyncClient` classes now support the ``query_params``
parameter, which accepts a dictionary of query string keys and values. This
allows setting query strings on any HTTP methods more easily.

.. code-block:: python

  self.client.post("/items/1", query_params={"action": "delete"})
  await self.async_client.post("/items/1", query_params={"action": "delete"})

* The new :meth:`.SimpleTestCase.assertNotInHTML` assertion allows testing that
an HTML fragment is not contained in the given HTML haystack.

* In order to enforce test isolation, database connections inside threads are
no longer allowed in :class:`~django.test.SimpleTestCase`.

Validators
~~~~~~~~~~

* The new :class:`~django.core.validators.DomainNameValidator` validates domain
names, including internationalized domain names. The new
:func:`~django.core.validators.validate_domain_name` function returns an
instance of :class:`~django.core.validators.DomainNameValidator`.

.. _backwards-incompatible-5.1:

Backwards incompatible changes in 5.1
=====================================

:mod:`django.contrib.gis`
-------------------------

* Support for PostGIS 2.5 is removed.

* Support for PROJ < 6 is removed.

* Support for GDAL 2.4 is removed.

* :class:`~django.contrib.gis.geoip2.GeoIP2` no longer opens both city and
country databases when a directory path is provided, preferring the city
database, if it is available. The country database is a subset of the city
database and both are not typically needed. If you require use of the country
database when in the same directory as the city database, explicitly pass the
country database path to the constructor.

Dropped support for MariaDB 10.4
--------------------------------

Upstream support for MariaDB 10.4 ends in June 2024. Django 5.1 supports
MariaDB 10.5 and higher.

Dropped support for PostgreSQL 12
---------------------------------

Upstream support for PostgreSQL 12 ends in November 2024. Django 5.1 supports
PostgreSQL 13 and higher.

Miscellaneous
-------------

* In order to improve accessibility, the admin's changelist filter is now
rendered in a ``<nav>`` tag instead of a ``<div>``.

* In order to improve accessibility, the admin's footer is now rendered in
a ``<footer>`` tag instead of a ``<div>``, and also moved below the
``<div id="main">`` element.

* In order to improve accessibility, the expandable widget used for
:attr:`ModelAdmin.fieldsets <django.contrib.admin.ModelAdmin.fieldsets>` and
:attr:`InlineModelAdmin.fieldsets <django.contrib.admin.InlineModelAdmin>`,
when the fieldset has a name and use the ``collapse`` class, now includes
``<details>`` and ``<summary>`` elements.

* The JavaScript file ``collapse.js`` is removed since it is no longer needed
in the Django admin site.

* :meth:`.SimpleTestCase.assertURLEqual` and
:meth:`~django.test.SimpleTestCase.assertInHTML` now add ``": "`` to the
``msg_prefix``. This is consistent with the behavior of other assertions.

* ``django.utils.text.Truncator`` used by :tfilter:`truncatechars_html` and
:tfilter:`truncatewords_html` template filters now uses
:py:class:`html.parser.HTMLParser` subclasses. This results in a more robust
and faster operation, but there may be small differences in the output.

* The undocumented ``django.urls.converters.get_converter()`` function is
removed.

* The minimum supported version of SQLite is increased from 3.27.0 to 3.31.0.

* :class:`~django.db.models.FileField` now raises a
:class:`~django.core.exceptions.FieldError` when saving a file without a
``name``.

* ``ImageField.update_dimension_fields(force=True)`` is no longer called after
saving the image to storage. If your storage backend resizes images, the
``width_field`` and ``height_field`` will not match the width and height of
the image.

* The minimum supported version of ``asgiref`` is increased from 3.7.0 to
3.8.1.

.. _deprecated-features-5.1:

Features deprecated in 5.1
==========================

Miscellaneous
-------------

* The ``ModelAdmin.log_deletion()`` and ``LogEntryManager.log_action()``
methods are deprecated. Subclasses should implement
``ModelAdmin.log_deletions()`` and  ``LogEntryManager.log_actions()``
instead.

* The undocumented ``django.utils.itercompat.is_iterable()`` function and the
``django.utils.itercompat`` module are deprecated. Use
``isinstance(..., collections.abc.Iterable)`` instead.

* The ``django.contrib.gis.geoip2.GeoIP2.coords()`` method is deprecated. Use
``django.contrib.gis.geoip2.GeoIP2.lon_lat()`` instead.

* The ``django.contrib.gis.geoip2.GeoIP2.open()`` method is deprecated. Use the
:class:`~django.contrib.gis.geoip2.GeoIP2` constructor instead.

* Passing positional arguments to :meth:`.Model.save` and :meth:`.Model.asave`
is deprecated in favor of keyword-only arguments.

* Setting ``django.contrib.gis.gdal.OGRGeometry.coord_dim`` is deprecated. Use
:meth:`~django.contrib.gis.gdal.OGRGeometry.set_3d` instead.

* Overriding existing converters with ``django.urls.register_converter()`` is
deprecated.

* The ``check`` keyword argument of ``CheckConstraint`` is deprecated in favor
of ``condition``.

* The undocumented ``OS_OPEN_FLAGS`` property of
:class:`~django.core.files.storage.FileSystemStorage` is deprecated. To allow
overwriting files in storage, set the new
:attr:`~django.core.files.storage.FileSystemStorage.allow_overwrite` option
to ``True`` instead.

* The ``get_cache_name()`` method of ``FieldCacheMixin`` is deprecated in favor
of the ``cache_name`` cached property.

Features removed in 5.1
=======================

These features have reached the end of their deprecation cycle and are removed
in Django 5.1.

See :ref:`deprecated-features-4.2` for details on these changes, including how
to remove usage of these features.

* The ``BaseUserManager.make_random_password()`` method is removed.

* The model's ``Meta.index_together`` option is removed.

* The ``length_is`` template filter is removed.

* The ``django.contrib.auth.hashers.SHA1PasswordHasher``,
``django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher``, and
``django.contrib.auth.hashers.UnsaltedMD5PasswordHasher`` are removed.

* The model ``django.contrib.postgres.fields.CICharField``,
``django.contrib.postgres.fields.CIEmailField``, and
``django.contrib.postgres.fields.CITextField`` are removed, except for
support in historical migrations.

* The ``django.contrib.postgres.fields.CIText`` mixin is removed.

* The ``map_width`` and ``map_height`` attributes of ``BaseGeometryWidget`` are
removed.

* The ``SimpleTestCase.assertFormsetError()`` method is removed.

* The ``TransactionTestCase.assertQuerysetEqual()`` method is removed.

* Support for passing encoded JSON string literals to ``JSONField`` and
associated lookups and expressions is removed.

* Support for passing positional arguments to ``Signer`` and
``TimestampSigner`` is removed.

* The ``DEFAULT_FILE_STORAGE`` and ``STATICFILES_STORAGE`` settings is removed.

* The ``django.core.files.storage.get_storage_class()`` function is removed.








==========================

5.0.8

==========================

*August 6, 2024*

Django 5.0.8 fixes three security issues with severity "moderate", one security
issue with severity "high", and several bugs in 5.0.7.

CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
================================================================================

If :tfilter:`floatformat` received a string representation of a number in
scientific notation with a large exponent, it could lead to significant memory
consumption.

To avoid this, decimals with more than 200 digits are now returned as is.

CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
=======================================================================================================================

:tfilter:`urlize`, :tfilter:`urlizetrunc`, and ``AdminURLFieldWidget`` were
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.

CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
======================================================================================

:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
with a ``JSONField`` were subject to SQL injection in column aliases, via a
crafted JSON object key as a passed ``*arg``.

Bugfixes
========

* Added missing validation for ``UniqueConstraint(nulls_distinct=False)`` when
using ``*expressions`` (:ticket:`35594`).

* Fixed a regression in Django 5.0 where ``ModelAdmin.action_checkbox`` could
break the admin changelist HTML page when rendering a model instance with a
``__html__`` method (:ticket:`35606`).

* Fixed a crash when creating a model with a ``Field.db_default`` and a
``Meta.constraints`` constraint composed of ``__endswith``, ``__startswith``,
or ``__contains`` lookups (:ticket:`35625`).

* Fixed a regression in Django 5.0.7 that caused a crash in
``LocaleMiddleware`` when processing a language code over 500 characters
(:ticket:`35627`).

* Fixed a bug in Django 5.0 that caused a system check crash when
``ModelAdmin.date_hierarchy`` was a ``GeneratedField`` with an
``output_field`` of ``DateField`` or ``DateTimeField`` (:ticket:`35628`).

* Fixed a bug in Django 5.0 which caused constraint validation to either crash
or incorrectly raise validation errors for constraints referring to fields
using ``Field.db_default`` (:ticket:`35638`).

* Fixed a crash in Django 5.0 when saving a model containing a ``FileField``
with a ``db_default`` set (:ticket:`35657`).


==========================

5.0.7

==========================

*July 9, 2024*

Django 5.0.7 fixes two security issues with severity "moderate", two security
issues with severity "low", and one bug in 5.0.6.

CVE-2024-38875: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via certain inputs with a very large number of
brackets.

CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
================================================================================================

The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
allowed remote attackers to enumerate users via a timing attack involving login
requests for users with unusable passwords.

CVE-2024-39330: Potential directory-traversal via ``Storage.save()``
====================================================================

Derived classes of the :class:`~django.core.files.storage.Storage` base class
which override :meth:`generate_filename()
<django.core.files.storage.Storage.generate_filename()>` without replicating
the file path validations existing in the parent class, allowed for potential
directory-traversal via certain inputs when calling :meth:`save()
<django.core.files.storage.Storage.save()>`.

Built-in ``Storage`` sub-classes were not affected by this vulnerability.

CVE-2024-39614: Potential denial-of-service vulnerability in ``get_supported_language_variant()``
=================================================================================================

:meth:`~django.utils.translation.get_supported_language_variant` was subject to
a potential denial-of-service attack when used with very long strings
containing specific characters.

To mitigate this vulnerability, the language code provided to
:meth:`~django.utils.translation.get_supported_language_variant` is now parsed
up to a maximum length of 500 characters.

When the language code is over 500 characters, a :exc:`ValueError` will now be
raised if ``strict`` is ``True``, or if there is no generic variant and
``strict`` is ``False``.

Bugfixes
========

* Fixed a bug in Django 5.0 that caused a crash of ``Model.full_clean()`` on
unsaved model instances with a ``GeneratedField`` and certain defined
:attr:`Meta.constraints <django.db.models.Options.constraints>`
(:ticket:`35560`).


==========================

5.0.6

==========================

*May 7, 2024*

Django 5.0.6 fixes a packaging error in 5.0.5.


==========================

5.0.5

==========================

*May 6, 2024*

Django 5.0.5 fixes several bugs in 5.0.4.

Bugfixes
========

* Fixed a bug in Django 5.0 that caused a crash of ``Model.save()`` when
creating an instance of a model with a ``GeneratedField`` and providing a
primary key (:ticket:`35350`).

* Fixed a compatibility issue encountered in Python 3.11.9+ and 3.12.3+ when
validating email max line lengths with content decoded using the
``surrogateescape`` error handling scheme (:ticket:`35361`).

* Fixed a bug in Django 5.0 that caused a crash when applying migrations
including alterations to ``GeneratedField`` such as setting ``db_index=True``
on SQLite (:ticket:`35373`).

* Allowed importing ``aprefetch_related_objects`` from ``django.db.models``
(:ticket:`35392`).

* Fixed a bug in Django 5.0 that caused a migration crash when a
``GeneratedField`` was added before any of the referenced fields from its
``expression`` definition (:ticket:`35359`).

* Fixed a bug in Django 5.0 that caused a migration crash when altering a
``GeneratedField`` referencing a renamed field (:ticket:`35422`).

* Fixed a bug in Django 5.0 where the ``querysets`` argument of
``GenericPrefetch`` was not required (:ticket:`35426`).


==========================

Links

• PyPI: https://pypi.org/project/django
• Changelog: https://data.safetycli.com/changelogs/django/

Update django-storages from 1.14.3 to 1.14.4.

Changelog

1.14.4

*******************

S3
--

- Pull ``AWS_SESSION_TOKEN`` from the environment (`1399`_)
- Fix newline handling for text mode files (`1381`_)
- Do not sign URLs when ``querystring_auth=False`` e.g public buckets or static files (`1402`_)
- Cache CloudFront Signers (`1417`_)

Azure
-----

- Fix ``collectstatic --clear`` (`1403`_)
- Add ``mode`` kwarg to ``.url()`` to support creation of signed URLs for upload (`1414`_)
- Fix fetching user delegation key when custom domain is enabled (`1418`_)

SFTP
----

- Add implementations of ``get_(modified|accessed)_time`` (`1347`_)

Dropbox
-------

- Add support for Python 3.12 (`1421`_)

FTP
---

- Conform to ``BaseStorage`` interface (`1423`_)
- Add ``FTP_ALLOW_OVERWRITE`` setting (`1424`_)

.. _1399: https://github.com/jschneier/django-storages/pull/1399
.. _1381: https://github.com/jschneier/django-storages/pull/1381
.. _1402: https://github.com/jschneier/django-storages/pull/1402
.. _1403: https://github.com/jschneier/django-storages/pull/1403
.. _1414: https://github.com/jschneier/django-storages/pull/1414
.. _1417: https://github.com/jschneier/django-storages/pull/1417
.. _1418: https://github.com/jschneier/django-storages/pull/1418
.. _1347: https://github.com/jschneier/django-storages/pull/1347
.. _1421: https://github.com/jschneier/django-storages/pull/1421
.. _1423: https://github.com/jschneier/django-storages/pull/1423
.. _1424: https://github.com/jschneier/django-storages/pull/1424

Links

• PyPI: https://pypi.org/project/django-storages
• Changelog: https://data.safetycli.com/changelogs/django-storages/

Update flake8 from 7.0.0 to 7.1.1.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

• PyPI: https://pypi.org/project/flake8
• Repo: https://github.com/pycqa/flake8

Update gunicorn from 22.0.0 to 23.0.0.

Changelog

23.0.0

===================

- minor docs fixes (:pr:`3217`, :pr:`3089`, :pr:`3167`)
- worker_class parameter accepts a class (:pr:`3079`)
- fix deadlock if request terminated during chunked parsing (:pr:`2688`)
- permit receiving Transfer-Encodings: compress, deflate, gzip (:pr:`3261`)
- permit Transfer-Encoding headers specifying multiple encodings. note: no parameters, still (:pr:`3261`)
- sdist generation now explicitly excludes sphinx build folder (:pr:`3257`)
- decode bytes-typed status (as can be passed by gevent) as utf-8 instead of raising `TypeError` (:pr:`2336`)
- raise correct Exception when encounting invalid chunked requests (:pr:`3258`)
- the SCRIPT_NAME and PATH_INFO headers, when received from allowed forwarders, are no longer restricted for containing an underscore (:pr:`3192`)
- include IPv6 loopback address ``[::1]`` in default for :ref:`forwarded-allow-ips` and :ref:`proxy-allow-ips` (:pr:`3192`)

** NOTE **

- The SCRIPT_NAME change mitigates a regression that appeared first in the 22.0.0 release
- Review your :ref:`forwarded-allow-ips` setting if you are still not seeing the SCRIPT_NAME transmitted
- Review your :ref:`forwarder-headers` setting if you are missing headers after upgrading from a version prior to 22.0.0

** Breaking changes **

- refuse requests where the uri field is empty (:pr:`3255`)
- refuse requests with invalid CR/LR/NUL in heade field values (:pr:`3253`)
- remove temporary ``--tolerate-dangerous-framing`` switch from 22.0 (:pr:`3260`)
- If any of the breaking changes affect you, be aware that now refused requests can post a security problem, especially so in setups involving request pipe-lining and/or proxies.

Links

• PyPI: https://pypi.org/project/gunicorn
• Changelog: https://data.safetycli.com/changelogs/gunicorn/

Update pillow from 10.3.0 to 10.4.0.

Changelog

10.4.0

-------------------

- Raise FileNotFoundError if show_file() path does not exist 8178
[radarhere]

- Improved reading 16-bit TGA images with colour 7965
[Yay295, radarhere]

- Deprecate non-image ImageCms modes 8031
[radarhere]

- Fixed processing multiple JPEG EXIF markers 8127
[radarhere]

- Do not preserve EXIFIFD tag by default when saving TIFF images 8110
[radarhere]

- Added ImageFont.load_default_imagefont() 8086
[radarhere]

- Added Image.WARN_POSSIBLE_FORMATS 8063
[radarhere]

- Remove zero-byte end padding when parsing any XMP data 8171
[radarhere]

- Do not detect Ultra HDR images as MPO 8056
[radarhere]

- Raise SyntaxError specific to JP2 8146
[Yay295, radarhere]

- Do not use first frame duration for other frames when saving APNG images 8104
[radarhere]

- Consider I;16 pixel size when using a 1 mode mask 8112
[radarhere]

- When saving multiple PNG frames, convert to mode rather than raw mode 8087
[radarhere]

- Added byte support to FreeTypeFont 8141
[radarhere]

- Allow float center for rotate operations 8114
[radarhere]

- Do not read layers immediately when opening PSD images 8039
[radarhere]

- Restore original thread state 8065
[radarhere]

- Read IM and TIFF images as RGB, rather than RGBX 7997
[radarhere]

- Only preserve TIFF IPTC_NAA_CHUNK tag if type is BYTE or UNDEFINED 7948
[radarhere]

- Clarify ImageDraw2 error message when size is missing 8165
[radarhere]

- Support unpacking more rawmodes to RGBA palettes 7966
[radarhere]

- Removed support for Qt 5 8159
[radarhere]

- Improve ``ImageFont.freetype`` support for XDG directories on Linux 8135
[mamg22, radarhere]

- Improved consistency of XMP handling 8069
[radarhere]

- Use pkg-config to help find libwebp and raqm 8142
[radarhere]

- Accept 't' suffix for libtiff version 8126, 8129
[radarhere]

- Deprecate ImageDraw.getdraw hints parameter 8124
[radarhere, hugovk]

- Added ImageDraw circle() 8085
[void4, hugovk, radarhere]

- Add mypy target to Makefile 8077
[Yay295]

- Added more modes to Image.MODES 7984
[radarhere]

- Deprecate BGR;15, BGR;16 and BGR;24 modes 7978
[radarhere, hugovk]

- Fix ImagingAccess for I;16N on big-endian 7921
[Yay295, radarhere]

- Support reading P mode TIFF images with padding 7996
[radarhere]

- Deprecate support for libtiff < 4 7998
[radarhere, hugovk]

- Corrected ImageShow UnixViewer command 7987
[radarhere]

- Use functools.cached_property in ImageStat 7952
[nulano, hugovk, radarhere]

- Add support for reading BITMAPV2INFOHEADER and BITMAPV3INFOHEADER 7956
[Cirras, radarhere]

- Support reading CMYK JPEG2000 images 7947
[radarhere]

Links

• PyPI: https://pypi.org/project/pillow
• Changelog: https://data.safetycli.com/changelogs/pillow/

Update pycodestyle from 2.11.1 to 2.12.1.

Changelog

2.12.1

-------------------

Changes:

* Properly preserve escaped `{` and `}` in fstrings in logical lines in 3.12+.
PR 1252.

2.12.0

-------------------

Changes:

* E721: Fix false positive of the form `x.type(...) ==`.  PR 1228.
* E502: Fix false-negative with a backslash escape in a comment.  PR 1234.
* E204: New lint forbidding whitespace after decorator ``.  PR 1247.

Links

• PyPI: https://pypi.org/project/pycodestyle
• Changelog: https://data.safetycli.com/changelogs/pycodestyle/
• Homepage: https://pycodestyle.pycqa.org/

Update setuptools from 69.5.1 to 72.1.0.

Changelog

72.1.0

=======

Features
--------

- Restore the tests command and deprecate access to the module. (4519) (4520)

72.0.0

=======

Deprecations and Removals
-------------------------

- The test command has been removed. Users relying on 'setup.py test' will need to migrate to another test runner or pin setuptools before this version. (931)

71.1.0

=======

Features
--------

- Added return types to typed public functions -- by :user:`Avasam`

Marked `pkg_resources` as ``py.typed`` -- by :user:`Avasam` (4409)


Misc
----

- 4492

71.0.4

=======

Bugfixes
--------

- Removed lingering unused code around Distribution._patched_dist. (4489)

71.0.3

=======

Bugfixes
--------

- Reset the backports module when enabling vendored packages. (4476)

71.0.2

=======

Bugfixes
--------

- Include all vendored files in the sdist. (4480)

71.0.1

=======

Bugfixes
--------

- Restored package data that went missing in 71.0. This change also incidentally causes tests to be installed once again. (4475)

71.0.0

=======

Deprecations and Removals
-------------------------

- Now setuptools declares its own dependencies in the ``core`` extra. Dependencies are still vendored for bootstrapping purposes, but setuptools will prefer installed dependencies if present. The ``core`` extra is used for informational purposes and should *not* be declared in package metadata (e.g. ``build-requires``). Downstream packagers can de-vendor by simply removing the ``setuptools/_vendor`` directory. Since Setuptools now prefers installed dependencies, those installing to an environment with old, incompatible dependencies will not work. In that case, either uninstall the incompatible dependencies or upgrade them to satisfy those declared in ``core``. (2825)

70.3.0

=======

Features
--------

- Support for loading distutils from the standard library is now deprecated, including use of SETUPTOOLS_USE_DISTUTILS=stdlib and importing distutils before importing setuptools. (4137)


Bugfixes
--------

- Bugfix for building Cython extension on Windows (pypa/distutils268).

70.2.0

=======

Features
--------

- Updated distutils including significant changes to support Cygwin and mingw compilers. (4444)


Bugfixes
--------

- Fix distribution name normalisation (:pep:`625`) for valid versions that are
not canonical (e.g. ``1.0-2``). (4434)

70.1.1

=======

Misc
----

- 4429

70.1.0

=======

Features
--------

- Adopted the ``bdist_wheel`` command from the ``wheel`` project -- by :user:`agronholm` (1386)
- Improve error message when ``pkg_resources.ZipProvider`` tries to extract resources with a missing Egg -- by :user:`Avasam`

Added variables and parameter type annotations to ``pkg_resources`` to be nearly on par with typeshed.\* -- by :user:`Avasam`
\* Excluding ``TypeVar`` and ``overload``. Return types are currently inferred. (4246)
- Migrated Setuptools' own config to pyproject.toml (4310)


Bugfixes
--------

- Prevent a ``TypeError: 'NoneType' object is not callable`` when ``shutil_rmtree`` is called without an ``onexc`` parameter on Python<=3.11 -- by :user:`Avasam` (4382)
- Replace use of mktemp with can_symlink from the stdlib test suite. (4403)
- Improvement for ``attr:`` directives in configuration to handle
more edge cases related to complex ``package_dir``. (4405)
- Fix accidental implicit string concatenation. (4411)


Misc
----

- 4365, 4422

70.0.0

=======

Features
--------

- Emit a warning when ``[tools.setuptools]`` is present in ``pyproject.toml`` and will be ignored. -- by :user:`SnoopJ` (4150)
- Improved `AttributeError` error message if ``pkg_resources.EntryPoint.require`` is called without extras or distribution
Gracefully "do nothing" when trying to activate a ``pkg_resources.Distribution`` with a `None` location, rather than raising a `TypeError`
-- by :user:`Avasam` (4262)
- Typed the dynamically defined variables from `pkg_resources` -- by :user:`Avasam` (4267)
- Modernized and refactored VCS handling in package_index. (4332)


Bugfixes
--------

- In install command, use super to call the superclass methods. Avoids race conditions when monkeypatching from _distutils_system_mod occurs late. (4136)
- Fix finder template for lenient editable installs of implicit nested namespaces
constructed by using ``package_dir`` to reorganise directory structure. (4278)
- Fix an error with `UnicodeDecodeError` handling in ``pkg_resources`` when trying to read files in UTF-8 with a fallback -- by :user:`Avasam` (4348)


Improved Documentation
----------------------

- Uses RST substitution to put badges in 1 line. (4312)


Deprecations and Removals
-------------------------

- Further adoption of UTF-8 in ``setuptools``.
This change regards mostly files produced and consumed during the build process
(e.g. metadata files, script wrappers, automatically updated config files, etc..)
Although precautions were taken to minimize disruptions, some edge cases might
be subject to backwards incompatibility.

Support for ``"locale"`` encoding is now **deprecated**. (4309)
- Remove ``setuptools.convert_path`` after long deprecation period.
This function was never defined by ``setuptools`` itself, but rather a
side-effect of an import for internal usage. (4322)
- Remove fallback for customisations of ``distutils``' ``build.sub_command`` after long
deprecated period.
Users are advised to import ``build`` directly from ``setuptools.command.build``. (4322)
- Removed ``typing_extensions`` from vendored dependencies -- by :user:`Avasam` (4324)
- Remove deprecated ``setuptools.dep_util``.
The provided alternative is ``setuptools.modified``. (4360)


Misc
----

- 4255, 4280, 4282, 4308, 4348

Links

• PyPI: https://pypi.org/project/setuptools
• Changelog: https://data.safetycli.com/changelogs/setuptools/

Update sqlparse from 0.5.0 to 0.5.1.

Changelog

0.5.1

----------------------------

Enhancements

* New "compact" option for formatter. If set, the formatter tries to produce
a more compact output by avoiding some line breaks (issue783).

Bug Fixes

* The strip comments filter was a bit greedy and removed too much
whitespace (issue772).
Note: In some cases you might want to add `strip_whitespace=True` where you
previously used just `strip_comments=True`. `strip_comments` did some of the
work that `strip_whitespace` should do.
* Fix error when splitting statements that contain multiple CASE clauses
within a BEGIN block (issue784).
* Fix whitespace removal with nested expressions (issue782).
* Fix parsing and formatting of ORDER clauses containing NULLS FIRST or
NULLS LAST (issue532).

Links

• PyPI: https://pypi.org/project/sqlparse
• Changelog: https://data.safetycli.com/changelogs/sqlparse/

Update typing-extensions from 4.11.0 to 4.12.2.

Changelog

4.12.2

- Fix regression in v4.12.0 where specialization of certain
generics with an overridden `__eq__` method would raise errors.
Patch by Jelle Zijlstra.
- Fix tests so they pass on 3.13.0b2

4.12.1

- Preliminary changes for compatibility with the draft implementation
of PEP 649 in Python 3.14. Patch by Jelle Zijlstra.
- Fix regression in v4.12.0 where nested `Annotated` types would cause
`TypeError` to be raised if the nested `Annotated` type had unhashable
metadata. Patch by Alex Waygood.

4.12.0

This release is mostly the same as 4.12.0rc1 but fixes one more
longstanding bug.

- Fix incorrect behaviour of `typing_extensions.ParamSpec` on Python 3.8 and
3.9 that meant that
`isinstance(typing_extensions.ParamSpec("P"), typing.TypeVar)` would have a
different result in some situations depending on whether or not a profiling
function had been set using `sys.setprofile`. Patch by Alex Waygood.

4.12.0rc1

This release focuses on compatibility with the upcoming release of
Python 3.13. Most changes are related to the implementation of type
parameter defaults (PEP 696).

Thanks to all of the people who contributed patches, especially Alex
Waygood, who did most of the work adapting typing-extensions to the
CPython PEP 696 implementation.

Full changelog:

- Improve the implementation of type parameter defaults (PEP 696)
- Backport the `typing.NoDefault` sentinel object from Python 3.13.
 TypeVars, ParamSpecs and TypeVarTuples without default values now have
 their `__default__` attribute set to this sentinel value.
- TypeVars, ParamSpecs and TypeVarTuples now have a `has_default()`
 method, matching `typing.TypeVar`, `typing.ParamSpec` and
 `typing.TypeVarTuple` on Python 3.13+.
- TypeVars, ParamSpecs and TypeVarTuples with `default=None` passed to
 their constructors now have their `__default__` attribute set to `None`
 at runtime rather than `types.NoneType`.
- Fix most tests for `TypeVar`, `ParamSpec` and `TypeVarTuple` on Python
 3.13.0b1 and newer.
- Backport CPython PR [118774](https://github.com/python/cpython/pull/118774),
 allowing type parameters without default values to follow those with
 default values in some type parameter lists. Patch by Alex Waygood,
 backporting a CPython PR by Jelle Zijlstra.
- It is now disallowed to use a `TypeVar` with a default value after a
 `TypeVarTuple` in a type parameter list. This matches the CPython
 implementation of PEP 696 on Python 3.13+.
- Fix bug in PEP-696 implementation where a default value for a `ParamSpec`
 would be cast to a tuple if a list was provided.
 Patch by Alex Waygood.
- Fix `Protocol` tests on Python 3.13.0a6 and newer. 3.13.0a6 adds a new
`__static_attributes__` attribute to all classes in Python,
which broke some assumptions made by the implementation of
`typing_extensions.Protocol`. Similarly, 3.13.0b1 adds the new
`__firstlineno__` attribute to all classes.
- Fix `AttributeError` when using `typing_extensions.runtime_checkable`
in combination with `typing.Protocol` on Python 3.12.2 or newer.
Patch by Alex Waygood.
- At runtime, `assert_never` now includes the repr of the argument
in the `AssertionError`. Patch by Hashem, backporting of the original
fix https://github.com/python/cpython/pull/91720 by Jelle Zijlstra.
- The second and third parameters of `typing_extensions.Generator`,
and the second parameter of `typing_extensions.AsyncGenerator`,
now default to `None`. This matches the behaviour of `typing.Generator`
and `typing.AsyncGenerator` on Python 3.13+.
- `typing_extensions.ContextManager` and
`typing_extensions.AsyncContextManager` now have an optional second
parameter, which defaults to `Optional[bool]`. The new parameter
signifies the return type of the `__(a)exit__` method, matching
`typing.ContextManager` and `typing.AsyncContextManager` on Python
3.13+.
- Backport `types.CapsuleType` from Python 3.13.
- Releases are now made using [Trusted Publishers](https://docs.pypi.org/trusted-publishers/)
improving the security of the release process. Patch by Jelle Zijlstra.

4.12.0a1

These releases primarily test a revised release workflow. If all goes
well, release 4.12.0rc1 will follow soon.

Links

• PyPI: https://pypi.org/project/typing-extensions
• Changelog: https://data.safetycli.com/changelogs/typing-extensions/

[pyup-bot]

Closing this in favor of #136