Initial Update

[pyup-bot]

This is my first visit to this fine repo so I have bundled all updates in a single pull request to make things easier for you to merge.

Close this pull request and delete the branch if you want me to start with single pull requests right away

Here's the executive summary:

Updates

Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need.

SQLAlchemy	1.0.4	»	1.1.4	PyPI | Homepage
Jinja2	2.7.3	»	2.8.1	PyPI | Changelog | Homepage
requests-oauthlib	0.5.0	»	0.7.0	PyPI | Changelog | Repo
Flask-Migrate	1.4.0	»	2.0.2	PyPI | Changelog | Repo | Docs
PyMySQL	0.6.6	»	0.7.9	PyPI | Changelog | Repo
six	1.9.0	»	1.10.0	PyPI | Changelog | Homepage | Docs
Flask-Admin	1.1.0	»	1.4.2	PyPI | Changelog | Repo | Docs
Werkzeug	0.10.4	»	0.11.15	PyPI | Changelog | Homepage
Flask-SQLAlchemy	2.0	»	2.1	PyPI | Changelog | Repo | Docs
alembic	0.7.6	»	0.8.9	PyPI | Repo | Docs
requests	2.7.0	»	2.12.4	PyPI | Changelog | Homepage
Flask-WTF	0.11	»	0.13.1	PyPI | Changelog | Repo | Docs
WTForms	2.0.2	»	2.1	PyPI | Changelog | Homepage | Docs
airbrake	1.1.4	»	1.3.3	PyPI | Repo
Flask-Bootstrap	3.3.4.1	»	3.3.7.0	PyPI | Changelog | Repo | Docs
Flask	0.10.1	»	0.12	PyPI | Changelog | Repo
Flask-OAuthlib	0.9.1	»	0.9.3	PyPI | Changelog | Repo
blinker	1.3	»	1.4	PyPI | Changelog | Homepage | Docs
Flask-Login	0.2.11	»	0.4.0	PyPI | Changelog | Repo | Docs
oauthlib	0.7.2	»	2.0.1	PyPI | Changelog | Repo
Mako	1.0.1	»	1.0.6	PyPI | Homepage

Changelogs

Jinja2 2.7.3 -> 2.8.1

2.8.1

---

(bugfix release, released on December 29th 2016)

• Fixed the for_qs flag for urlencode.
• Fixed regression when applying int to non-string values.
• SECURITY: if the sandbox mode is used format expressions are now sandboxed
  with the same rules as in Jinja. This solves various information leakage
  problems that can occur with format strings.

2.8

---

(codename Replacement, released on July 26th 2015)

• Added target parameter to urlize function.
• Added support for followsymlinks to the file system loader.
• The truncate filter now counts the length.
• Added equalto filter that helps with select filters.
• Changed cache keys to use absolute file names if available
  instead of load names.
• Fixed loop length calculation for some iterators.
• Changed how Jinja2 enforces strings to be native strings in
  Python 2 to work when people break their default encoding.
• Added :func:make_logging_undefined which returns an undefined
  object that logs failures into a logger.
• If unmarshalling of cached data fails the template will be
  reloaded now.
• Implemented a block set tag.
• Default cache size was increased to 400 from a low 50.
• Fixed is number test to accept long integers in all Python versions.
• Changed is number to accept Decimal as a number.
• Added a check for default arguments followed by non-default arguments. This
  change makes {% macro m(x, y=1, z) %}...{% endmacro %} a syntax error. The
  previous behavior for this code was broken anyway (resulting in the default
  value being applied to y).
• Add ability to use custom subclasses of jinja2.compiler.CodeGenerator and
  jinja2.runtime.Context by adding two new attributes to the environment
  (code_generator_class and context_class) (pull request 404).
• added support for context/environment/evalctx decorator functions on
  the finalize callback of the environment.
• escape query strings for urlencode properly. Previously slashes were not
  escaped in that place.
• Add 'base' parameter to 'int' filter.

requests-oauthlib 0.5.0 -> 0.7.0

0.7.0

++++++++++++++++++++++++++

• Allowed OAuth2Session.request to take the client_id and
  client_secret parameters for the purposes of automatic token refresh,
  which may need them.

0.6.2

+++++++++++++++++++++

• Use client_id and client_secret for the Authorization header if
  provided.
• Allow explicit bypass of the Authorization header by setting auth=False.
• Pass through the proxies kwarg when refreshing tokens.
• Miscellaneous cleanups.

0.6.1

+++++++++++++++++++++++++

• Fixed a bug when sending authorization in headers with no username and
  password present.
• Make sure we clear the session token before obtaining a new one.
• Some improvements to the Slack compliance fix.
• Avoid timing problems around token refresh.
• Allow passing arbitrary arguments to requests when calling
  fetch_request_token and fetch_access_token.

0.6.0

+++++++++++++++++++++++++

• Add compliance fix for Slack.
• Add compliance fix for Mailchimp.
• TokenRequestDenied exceptions now carry the entire response, not just the
  status code.
• Pass through keyword arguments when refreshing tokens automatically.
• Send authorization in headers, not just body, to maximize compatibility.
• More getters/setters available for OAuth2 session client values.
• Allow sending custom headers when refreshing tokens, and set some defaults.

Flask-Migrate 1.4.0 -> 2.0.2

2.0.2

• Support passing alembic context kwargs from constructor into init_app (138)

2.0.1

• Fix flake8 warnings in Alembic templates (136)

2.0.0

• Added Travis CI builds for Python 3.5
• Support for the new Flask CLI based on Click

1.8.1

• Allow to init_app to work correctly when db is given in constructor (118)

1.8.0

• Allow db to be given in constructor, while app is given later in init_app
• Added missing Python 2 classifiers in setup script
• Various documentation updates

1.7.0

• Added migrate.configure decorator to register configuration callbacks
• Documentation updates

1.6.0

• Added support for Alembic's edit command
• Allow migration directory to be given in constructor and not in init_app

1.5.1

• Do not generate a migration if no schema changes are found
• Merge command now supports multiple arguments

1.5.0

• Support for multiple databases
• Added support for Alembic's -x option
• Added sane default for db downgrade --sql command

PyMySQL 0.6.6 -> 0.7.9

0.7.9

Release date: 2016-09-03

• Fix PyMySQL stop reading rows when first column is empty string (513)
  Reverts DEPRECATE_EOF introduced in 0.7.7.

0.7.8

Release date: 2016-09-01

• Revert error message change in 0.7.7.
  (SQLAlchemy parses error message, 507)

0.7.7

Release date: 2016-08-30

• Add new unicode collation (498)
• Fix conv option is not used for encoding objects.
• Experimental support for DEPRECATE_EOF protocol.

0.7.6

Release date: 2016-07-29

• Fix SELECT JSON type cause UnicodeError
• Avoid float convertion while parsing microseconds
• Warning has number
• SSCursor supports warnings

0.7.5

Release date: 2016-06-28

• Fix exception raised while importing when getpwuid() fails (472)
• SSCursor supports LOAD DATA LOCAL INFILE (473)
• Fix encoding error happen for JSON type (477)
• Fix test fail on Python 2.7 and MySQL 5.7 (478)

0.7.4

Release date: 2016-05-26

• Fix AttributeError may happen while Connection.del (463)
• Fix SyntaxError in test_cursor. (464)
• frozenset support for query value. (461)
• Start using readthedocs.io

0.7.3

Release date: 2016-05-19

• Add read_timeout and write_timeout option.
• Support serialization customization by conv option.
• Unknown type is converted by str(), for MySQLdb compatibility.
• Support '%%' in Cursor.executemany()
• Support REPLACE statement in Cursor.executemany()
• Fix handling incomplete row caused by 'SHOW SLAVE HOSTS'.
• Fix decode error when use_unicode=False on PY3
• Fix port option in my.cnf file is ignored.

0.7.2

Release date: 2016-02-24

• Fix misuse of max_allowed_packet parameter. (426, 407 and 397)
• Add %(name)s plceholder support to Cursor.executemany(). (427, thanks to
  WorldException)

0.7.1

Release date: 2016-01-14

• Fix auth fail with MySQL 5.1
• Fix escaping unicode fails on Python 2

0.7

Release date: 2016-01-10

• Faster binary escaping
• Add "_binary" prefix to string literal for binary types.
  binary types are: bytearray on Python 2, bytes and bytearray on Python 3.
  This is because recent MySQL show warnings when string literal is invalid for
  connection encoding.
• pymysql.Binary() returns bytearray on Python 2. This is required to distinguish
  binary and string.
• Auth plugin support.
• no_delay option is ignored. It will be removed in PyMySQL 0.8.

0.6.7

Release date: 2015-09-30

• Allow self signed certificate
• Add max_allowed_packet option
• Fix error when bytes in executemany
• Support geometry type
• Add coveralls badge to README
• Fix some bugs relating to warnings
• Add Cursor.mogrify() method
• no_delay option is deprecated and True by default
• Fix options from my.cnf overrides options from arguments
• Allow socket like object. (It's not feature for end users)
• Strip quotes while reading options from my.cnf file
• Fix encoding issue in executemany()

six 1.9.0 -> 1.10.0

1.10.0

---

• Issue 122: Improve the performance of six.int2byte on Python 3.

• Pull request 55 and issue 99: Don't add the winreg module to six.moves
  on non-Windows platforms.

• Pull request 60 and issue 108: Add six.moves.getcwd and
  six.moves.getcwdu.

• Pull request 64: Add create_unbound_method to create unbound methods.

Flask-Admin 1.1.0 -> 1.4.2

1.4.2

---

• Small bug fix release. Fixes regression that prevented usage of "virtual" columns with a custom formatter.

1.4.1

---

• Official Python 3.5 support
• Customizable row actions
• Tablib support (exporting to XLS, XLSX, CSV, etc)
• Updated external dependencies (jQuery, x-editable, etc)
• Added settings that allows exceptions to be raised on view errors
• Bug fixes

1.4.0

---

• Updated and reworked documentation
• FileAdmin went through minor refactoring and now supports remote file systems. Comes with the new, optional, AWS S3 file management interface
• Configurable CSV export for model views
• Added overridable URL generation logic. Allows using custom URLs with parameters for administrative views
• Added column_display_actions to ModelView control visibility of the action column without overriding the template
• Added support for the latest MongoEngine
• New SecureForm base class for easier CSRF validation
• Lots of translation-related fixes and updated translations
• Bug fixes

1.3.0

---

• New feature: Edit models in the list view in a popup
• New feature: Read-only model details view
• Fixed XSS in column_editable_list values
• Improved navigation consistency in model create and edit views
• Ability to choose page size in model list view
• Updated client-side dependencies (jQuery, Select2, etc)
• Updated documentation and examples
• Updated translations
• Bug fixes

Werkzeug 0.10.4 -> 0.11.15

0.11.14

---

Released on December 30th 2016.

• Check if platform can fork before importing ForkingMixIn, raise exception
  when creating ForkingWSGIServer on such a platform, see PR 999.

0.11.13

---

Released on December 26th 2016.

• Correct fix for the reloader issuer on certain Windows installations.

0.11.12

---

Released on December 26th 2016.

• Fix more bugs in multidicts regarding empty lists. See 1000.
• Add some docstrings to some EnvironBuilder properties that were previously
  unintentionally missing.
• Added a workaround for the reloader on windows.

0.11.11

---

Released on August 31st 2016.

• Fix JSONRequestMixin for Python3. See 731
• Fix broken string handling in test client when passing integers. See 852
• Fix a bug in parse_options_header where an invalid content type
  starting with comma or semi-colon would result in an invalid return value,
  see issue 995.
• Fix a bug in multidicts when passing empty lists as values, see issue
  979.
• Fix a security issue that allows XSS on the Werkzeug debugger. See 1001.

0.11.10

---

Released on May 24th 2016.

• Fixed a bug that occurs when running on Python 2.6 and using a broken locale.
  See pull request 912.
• Fixed a crash when running the debugger on Google App Engine. See issue 925.
• Fixed an issue with multipart parsing that could cause memory exhaustion.

0.11.9

---

Released on April 24th 2016.

• Corrected an issue that caused the debugger not to use the
  machine GUID on POSIX systems.
• Corrected a Unicode error on Python 3 for the debugger's
  PIN usage.
• Corrected the timestamp verification in the pin debug code.
  Without this fix the pin was remembered for too long.

0.11.8

---

Released on April 15th 2016.

• fixed a problem with the machine GUID detection code on OS X
  on Python 3.

0.11.7

---

Released on April 14th 2016.

• fixed a regression on Python 3 for the debugger.

0.11.6

---

Released on April 14th 2016.

• werkzeug.serving: Still show the client address on bad requests.
• improved the PIN based protection for the debugger to make it harder to
  brute force via trying cookies. Please keep in mind that the debugger
  is not intended for running on production environments
• increased the pin timeout to a week to make it less annoying for people
  which should decrease the chance that users disable the pin check
  entirely.
• werkzeug.serving: Fix broken HTTP_HOST when path starts with double slash.

0.11.5

---

Released on March 22nd 2016.

• werkzeug.serving: Fix crash when attempting SSL connection to HTTP server.

0.11.4

---

Released on February 14th 2016.

• Fixed werkzeug.serving not working from -m flag.
• Fixed incorrect weak etag handling.

0.11.3

---

Released on December 20th 2015.

• Fixed an issue with copy operations not working against
  proxies.
• Changed the logging operations of the development server to
  correctly log where the server is running in all situations
  again.
• Fixed another regression with SSL wrapping similar to the
  fix in 0.11.2 but for a different code path.

0.11.2

---

Released on November 12th 2015.

• Fix inheritable sockets on Windows on Python 3.
• Fixed an issue with the forking server not starting any longer.
• Fixed SSL wrapping on platforms that supported opening sockets
  by file descriptor.
• No longer log from the watchdog reloader.
• Unicode errors in hosts are now better caught or converted into
  bad request errors.

0.11.1

---

Released on November 10th 2015.

• Fixed a regression on Python 3 in the debugger.

0.11

---

Released on November 8th 2015, codename Gleisbaumaschine.

• Added reloader_paths option to run_simple and other functions in
  werkzeug.serving. This allows the user to completely override the Python
  module watching of Werkzeug with custom paths.
• Many custom cached properties of Werkzeug's classes are now subclasses of
  Python's property type (issue 616).
• bind_to_environ now doesn't differentiate between implicit and explicit
  default port numbers in HTTP_HOST (pull request 204).
• BuildErrors are now more informative. They come with a complete sentence
  as error message, and also provide suggestions (pull request 691).
• Fix a bug in the user agent parser where Safari's build number instead of
  version would be extracted (pull request 703).
• Fixed issue where RedisCache set_many was broken for twemproxy, which doesn't
  support the default MULTI command (pull request 702).
• mimetype parameters on request and response classes are now always
  converted to lowercase.
• Changed cache so that cache never expires if timeout is 0. This also fixes
  an issue with redis setex (issue 550)
• Werkzeug now assumes UTF-8 as filesystem encoding on Unix if Python
  detected it as ASCII.
• New optional has method on caches.
• Fixed various bugs in parse_options_header (pull request 643).
• If the reloader is enabled the server will now open the socket in the parent
  process if this is possible. This means that when the reloader kicks in
  the connection from client will wait instead of tearing down. This does
  not work on all Python versions.
• Implemented PIN based authentication for the debugger. This can optionally
  be disabled but is discouraged. This change was necessary as it has been
  discovered that too many people run the debugger in production.
• Devserver no longer requires SSL module to be installed.

0.10.5

---

(bugfix release, release date yet to be decided)

• Reloader: Correctly detect file changes made by moving temporary files over
  the original, which is e.g. the case with PyCharm (pull request 722).
• Fix bool behavior of werkzeug.datastructures.ETags under Python 3 (issue
  744).

Flask-SQLAlchemy 2.0 -> 2.1

2.1

---

Released on October 23rd 2015, codename Caesium

• Table names are automatically generated in more cases, including
  subclassing mixins and abstract models.
• Allow using a custom MetaData object.
• Add support for binds parameter to session.

requests 2.7.0 -> 2.12.4

2.12.4

+++++++++++++++++++

Bugfixes

• Fixed regression from 2.12.2 where non-string types were rejected in the
  basic auth parameters. While support for this behaviour has been readded,
  the behaviour is deprecated and will be removed in the future.

2.12.3

+++++++++++++++++++

Bugfixes

• Fixed regression from v2.12.1 for URLs with schemes that begin with "http".
  These URLs have historically been processed as though they were HTTP-schemed
  URLs, and so have had parameters added. This was removed in v2.12.2 in an
  overzealous attempt to resolve problems with IDNA-encoding those URLs. This
  change was reverted: the other fixes for IDNA-encoding have been judged to
  be sufficient to return to the behaviour Requests had before v2.12.0.

2.12.2

+++++++++++++++++++

Bugfixes

• Fixed several issues with IDNA-encoding URLs that are technically invalid but
  which are widely accepted. Requests will now attempt to IDNA-encode a URL if
  it can but, if it fails, and the host contains only ASCII characters, it will
  be passed through optimistically. This will allow users to opt-in to using
  IDNA2003 themselves if they want to, and will also allow technically invalid
  but still common hostnames.
• Fixed an issue where URLs with leading whitespace would raise
  InvalidSchema errors.
• Fixed an issue where some URLs without the HTTP or HTTPS schemes would still
  have HTTP URL preparation applied to them.
• Fixed an issue where Unicode strings could not be used in basic auth.
• Fixed an issue encountered by some Requests plugins where constructing a
  Response object would cause Response.content to raise an
  AttributeError.

2.12.1

+++++++++++++++++++

Bugfixes

• Updated setuptools 'security' extra for the new PyOpenSSL backend in urllib3.

Miscellaneous

• Updated bundled urllib3 to 1.19.1.

2.12.0

+++++++++++++++++++

Improvements

• Updated support for internationalized domain names from IDNA2003 to IDNA2008.
  This updated support is required for several forms of IDNs and is mandatory
  for .de domains.
• Much improved heuristics for guessing content lengths: Requests will no
  longer read an entire StringIO into memory.
• Much improved logic for recalculating Content-Length headers for
  PreparedRequest objects.
• Improved tolerance for file-like objects that have no tell method but
  do have a seek method.
• Anything that is a subclass of Mapping is now treated like a dictionary
  by the data= keyword argument.
• Requests now tolerates empty passwords in proxy credentials, rather than
  stripping the credentials.
• If a request is made with a file-like object as the body and that request is
  redirected with a 307 or 308 status code, Requests will now attempt to
  rewind the body object so it can be replayed.

Bugfixes

• When calling response.close, the call to close will be propagated
  through to non-urllib3 backends.
• Fixed issue where the ALL_PROXY environment variable would be preferred
  over scheme-specific variables like HTTP_PROXY.
• Fixed issue where non-UTF8 reason phrases got severely mangled by falling
  back to decoding using ISO 8859-1 instead.
• Fixed a bug where Requests would not correctly correlate cookies set when
  using custom Host headers if those Host headers did not use the native
  string type for the platform.

Miscellaneous

• Updated bundled urllib3 to 1.19.
• Updated bundled certifi certs to 2016.09.26.

2.11.1

+++++++++++++++++++

Bugfixes

• Fixed a bug when using iter_content with decode_unicode=True for
  streamed bodies would raise AttributeError. This bug was introduced in
  2.11.
• Strip Content-Type and Transfer-Encoding headers from the header block when
  following a redirect that transforms the verb from POST/PUT to GET.

2.11.0

+++++++++++++++++++

Improvements

• Added support for the ALL_PROXY environment variable.
• Reject header values that contain leading whitespace or newline characters to
  reduce risk of header smuggling.

Bugfixes

• Fixed occasional TypeError when attempting to decode a JSON response that
  occurred in an error case. Now correctly returns a ValueError.
• Requests would incorrectly ignore a non-CIDR IP address in the NO_PROXY
  environment variables: Requests now treats it as a specific IP.
• Fixed a bug when sending JSON data that could cause us to encounter obscure
  OpenSSL errors in certain network conditions (yes, really).
• Added type checks to ensure that iter_content only accepts integers and
  None for chunk sizes.
• Fixed issue where responses whose body had not been fully consumed would have
  the underlying connection closed but not returned to the connection pool,
  which could cause Requests to hang in situations where the HTTPAdapter
  had been configured to use a blocking connection pool.

Miscellaneous

• Updated bundled urllib3 to 1.16.
• Some previous releases accidentally accepted non-strings as acceptable header values. This release does not.

2.10.0

+++++++++++++++++++

New Features

• SOCKS Proxy Support! (requires PySocks; $ pip install requests[socks])

Miscellaneous

• Updated bundled urllib3 to 1.15.1.

2.9.2

++++++++++++++++++

Improvements

• Change built-in CaseInsensitiveDict (used for headers) to use OrderedDict
  as its underlying datastore.

Bugfixes

• Don't use redirect_cache if allow_redirects=False
• When passed objects that throw exceptions from tell(), send them via
  chunked transfer encoding instead of failing.
• Raise a ProxyError for proxy related connection issues.

2.9.1

++++++++++++++++++

Bugfixes

• Resolve regression introduced in 2.9.0 that made it impossible to send binary
  strings as bodies in Python 3.
• Fixed errors when calculating cookie expiration dates in certain locales.

Miscellaneous

• Updated bundled urllib3 to 1.13.1.

2.9.0

++++++++++++++++++

Minor Improvements (Backwards compatible)

• The verify keyword argument now supports being passed a path to a
  directory of CA certificates, not just a single-file bundle.
• Warnings are now emitted when sending files opened in text mode.
• Added the 511 Network Authentication Required status code to the status code
  registry.

Bugfixes

• For file-like objects that are not seeked to the very beginning, we now
  send the content length for the number of bytes we will actually read, rather
  than the total size of the file, allowing partial file uploads.
• When uploading file-like objects, if they are empty or have no obvious
  content length we set Transfer-Encoding: chunked rather than
  Content-Length: 0.
• We correctly receive the response in buffered mode when uploading chunked
  bodies.
• We now handle being passed a query string as a bytestring on Python 3, by
  decoding it as UTF-8.
• Sessions are now closed in all cases (exceptional and not) when using the
  functional API rather than leaking and waiting for the garbage collector to
  clean them up.
• Correctly handle digest auth headers with a malformed qop directive that
  contains no token, by treating it the same as if no qop directive was
  provided at all.
• Minor performance improvements when removing specific cookies by name.

Miscellaneous

• Updated urllib3 to 1.13.

2.8.1

++++++++++++++++++

Bugfixes

• Update certificate bundle to match certifi 2015.9.6.2's weak certificate
  bundle.
• Fix a bug in 2.8.0 where requests would raise ConnectTimeout instead of
  ConnectionError
• When using the PreparedRequest flow, requests will now correctly respect the
  json parameter. Broken in 2.8.0.
• When using the PreparedRequest flow, requests will now correctly handle a
  Unicode-string method name on Python 2. Broken in 2.8.0.

2.8.0

++++++++++++++++++

Minor Improvements (Backwards Compatible)

• Requests now supports per-host proxies. This allows the proxies
  dictionary to have entries of the form
  {'<scheme>://<hostname>': '<proxy>'}. Host-specific proxies will be used
  in preference to the previously-supported scheme-specific ones, but the
  previous syntax will continue to work.
• Response.raise_for_status now prints the URL that failed as part of the
  exception message.
• requests.utils.get_netrc_auth now takes an raise_errors kwarg,
  defaulting to False. When True, errors parsing .netrc files cause
  exceptions to be thrown.
• Change to bundled projects import logic to make it easier to unbundle
  requests downstream.
• Changed the default User-Agent string to avoid leaking data on Linux: now
  contains only the requests version.

Bugfixes

• The json parameter to post() and friends will now only be used if
  neither data nor files are present, consistent with the
  documentation.
• We now ignore empty fields in the NO_PROXY environment variable.
• Fixed problem where httplib.BadStatusLine would get raised if combining
  stream=True with contextlib.closing.
• Prevented bugs where we would attempt to return the same connection back to
  the connection pool twice when sending a Chunked body.
• Miscellaneous minor internal changes.
• Digest Auth support is now thread safe.

Updates

• Updated urllib3 to 1.12.

Flask-WTF 0.11 -> 0.13.1

0.13.1

---

Released 2016/10/6

• Deprecation warning for Form is shown during __init__ instead of immediately when subclassing. (262_)
• Don't use pkg_resources to get version, for compatibility with GAE. (261_)

.. _261: wtforms/flask-wtf#261
.. _262: wtforms/flask-wtf#262

0.13

---

Released 2016/09/29

• Form is renamed to FlaskForm in order to avoid name collision with WTForms's base class. Using Form will show a deprecation warning. (250_)
• hidden_tag no longer wraps the hidden inputs in a hidden div. This is valid HTML5 and any modern HTML parser will behave correctly. (217, 193)
• flask_wtf.html5 is deprecated. Import directly from wtforms.fields.html5. (251_)
• is_submitted is true for PATCH and DELETE in addition to POST and PUT. (187_)
• generate_csrf takes a token_key parameter to specify the key stored in the session. (206_)
• generate_csrf takes a url_safe parameter to allow the token to be used in URLs. (206_)
• form.data can be accessed multiple times without raising an exception. (248_)
• File extension with multiple parts (.tar.gz) can be used in the FileAllowed validator. (201_)

.. _187: wtforms/flask-wtf#187
.. _193: wtforms/flask-wtf#193
.. _201: wtforms/flask-wtf#201
.. _206: wtforms/flask-wtf#206
.. _217: wtforms/flask-wtf#217
.. _248: wtforms/flask-wtf#248
.. _250: wtforms/flask-wtf#250
.. _251: wtforms/flask-wtf#251

0.12

---

Released 2015/07/09

• Abstract protect_csrf() into a separate method
• Update reCAPTCHA configuration
• Fix reCAPTCHA error handle

WTForms 2.0.2 -> 2.1

2.1

---

Released December 15, 2015

• Added render_kw to allow default rendering time options.
• Updated / added a number of localizations
• Updated docs
• Allow widgets to set flags

Flask-Bootstrap 3.3.4.1 -> 3.3.7.0

3.3.7.0

---

• Most likely to be the last major Bootstrap 3 release (see
  Getting to v4 twbs/bootstrap#20631). Make sure you pin
  Flask-Bootstrap's version to <4 to avoid inadvertent updates.

3.3.5.7

---

• IE-specific meta information and viewport meta tags have been added to the
  base template.
• The flashed messages are no longer considered "safe", which means HTML-markup
  will be escaped. See :func:flashed_messages for more information.
• The title block now contains an empty-by-default title variable.

3.3.5.3

---

• Support for Flask-Nav <http://pythonhosted.org/flask-nav>_ added:
  :doc:nav.
• The sample application has been rewritten to finally resemble a somewhat
  educative piece of code.

3.3.5.2

---

• action finally settled on "".

3.3.5.1

---

• The action default value of :func:quick_form changed to ..
• An enctype value of :func:quick_form, which is the default, will
  automatically add the correct type if a :class:~wtforms.fields.FileField
  is present.
• The main bootstrap css file is no longer linked for just media="screen".

Flask 0.10.1 -> 0.12

0.12

---

Released on December 21st 2016, codename Punsch.

• the cli command now responds to --version.
• Mimetype guessing and ETag generation for file-like objects in send_file
  has been removed, as per issue 104. See pull request 1849.
• Mimetype guessing in send_file now fails loudly and doesn't fall back to
  application/octet-stream. See pull request 1988.
• Make flask.safe_join able to join multiple paths like os.path.join
  (pull request 1730).
• Revert a behavior change that made the dev server crash instead of returning
  a Internal Server Error (pull request 2006).
• Correctly invoke response handlers for both regular request dispatching as
  well as error handlers.
• Disable logger propagation by default for the app logger.
• Add support for range requests in send_file.
• app.test_client includes preset default environment, which can now be
  directly set, instead of per client.get.

0.11.2

---

Bugfix release, unreleased

• Fix crash when running under PyPy3, see pull request 1814.

0.11.1

---

Bugfix release, released on June 7th 2016.

• Fixed a bug that prevented FLASK_APP=foobar/__init__.py from working. See
  pull request 1872.

0.11

---

Released on May 29th 2016, codename Absinthe.

• Added support to serializing top-level arrays to :func:flask.jsonify. This
  introduces a security risk in ancient browsers. See
  :ref:json-security for details.
• Added before_render_template signal.
• Added **kwargs to :meth:flask.Test.test_client to support passing
  additional keyword arguments to the constructor of
  :attr:flask.Flask.test_client_class.
• Added SESSION_REFRESH_EACH_REQUEST config key that controls the
  set-cookie behavior. If set to True a permanent session will be
  refreshed each request and get their lifetime extended, if set to
  False it will only be modified if the session actually modifies.
  Non permanent sessions are not affected by this and will always
  expire if the browser window closes.
• Made Flask support custom JSON mimetypes for incoming data.
• Added support for returning tuples in the form (response, headers)
  from a view function.
• Added :meth:flask.Config.from_json.
• Added :attr:flask.Flask.config_class.
• Added :meth:flask.Config.get_namespace.
• Templates are no longer automatically reloaded outside of debug mode. This
  can be configured with the new TEMPLATES_AUTO_RELOAD config key.
• Added a workaround for a limitation in Python 3.3's namespace loader.
• Added support for explicit root paths when using Python 3.3's namespace
  packages.
• Added :command:flask and the flask.cli module to start the local
  debug server through the click CLI system. This is recommended over the old
  flask.run() method as it works faster and more reliable due to a
  different design and also replaces Flask-Script.
• Error handlers that match specific classes are now checked first,
  thereby allowing catching exceptions that are subclasses of HTTP
  exceptions (in werkzeug.exceptions). This makes it possible
  for an extension author to create exceptions that will by default
  result in the HTTP error of their choosing, but may be caught with
  a custom error handler if desired.
• Added :meth:flask.Config.from_mapping.
• Flask will now log by default even if debug is disabled. The log format is
  now hardcoded but the default log handling can be disabled through the
  LOGGER_HANDLER_POLICY configuration key.
• Removed deprecated module functionality.
• Added the EXPLAIN_TEMPLATE_LOADING config flag which when enabled will
  instruct Flask to explain how it locates templates. This should help
  users debug when the wrong templates are loaded.
• Enforce blueprint handling in the order they were registered for template
  loading.
• Ported test suite to py.test.
• Deprecated request.json in favour of request.get_json().
• Add "pretty" and "compressed" separators definitions in jsonify() method.
  Reduces JSON response size when JSONIFY_PRETTYPRINT_REGULAR=False by removing
  unnecessary white space included by default after separators.
• JSON responses are now terminated with a newline character, because it is a
  convention that UNIX text files end with a newline and some clients don't
  deal well when this newline is missing. See
  Add JSONIFY_END_WITH_NEWLINE config variable pallets/flask#1262 -- this came up originally as a
  part of https://github.com/kennethreitz/httpbin/issues/168
• The automatically provided OPTIONS method is now correctly disabled if
  the user registered an overriding rule with the lowercase-version
  options (issue 1288).
• flask.json.jsonify now supports the datetime.date type (pull request
  1326).
• Don't leak exception info of already catched exceptions to context teardown
  handlers (pull request 1393).
• Allow custom Jinja environment subclasses (pull request 1422).
• flask.g now has pop() and setdefault methods.
• Turn on autoescape for flask.templating.render_template_string by default
  (pull request 1515).
• flask.ext is now deprecated (pull request 1484).
• send_from_directory now raises BadRequest if the filename is invalid on
  the server OS (pull request 1763).
• Added the JSONIFY_MIMETYPE configuration variable (pull request 1728).
• Exceptions during teardown handling will no longer leave bad application
  contexts lingering around.

0.10.2

---

(bugfix release, release date to be announced)

• Fixed broken test_appcontext_signals() test case.
• Raise an :exc:AttributeError in :func:flask.helpers.find_package with a
  useful message explaining why it is raised when a PEP 302 import hook is used
  without an is_package() method.
• Fixed an issue causing exceptions raised before entering a request or app
  context to be passed to teardown handlers.
• Fixed an issue with query parameters getting removed from requests in
  the test client when absolute URLs were requested.
• Made before_first_request into a decorator as intended.
• Fixed an etags bug when sending a file streams with a name.
• Fixed send_from_directory not expanding to the application root path
  correctly.
• Changed logic of before first request handlers to flip the flag after
  invoking. This will allow some uses that are potentially dangerous but
  should probably be permitted.
• Fixed Python 3 bug when a handler from app.url_build_error_handlers
  reraises the BuildError.

Flask-OAuthlib 0.9.1 -> 0.9.3

0.9.3

---

Released on Jun 2, 2016

• Revert the wrong implement of non credential oauth2 require auth
• Catch all exceptions in OAuth2 providers
• Bugfix for examples, docs and other things

0.9.2

---

Released on Nov 3, 2015

• Bugfix in client parse_response when body is none.
• Update contrib client by tonyseek
• Typo fix for OAuth1 provider
• Fix OAuth2 provider on non credential clients by Fleurer

blinker 1.3 -> 1.4

1.4

---

Released July 23, 2015

• Verified Python 3.4 support (no changes needed)
• Additional bookkeeping cleanup for non-ANY connections at disconnect
  time.
• Added Signal._cleanup_bookeeping() to prune stale bookkeeping on
  demand

Flask-Login 0.2.11 -> 0.4.0

0.4.0

---

Released on October 26th, 2016

• Fixes OPTIONS exemption from login. 244
• Fixes use of MD5 by replacing with SHA512. 264
• BREAKING: The login_manager.token_handler function, get_auth_token method
  on the User class, and the utils.make_secure_token utility function have
  been removed to prevent users from creating insecure auth implementations.
  Use the Alternative Tokens example from the docs instead. 291

0.3.2

---

Released on October 8th, 2015

• Fixes Python 2.6 compatibility.
• Updates SESSION_KEYS to include "remember".

0.3.1

---

Released on September 30th, 2015

• Fixes removal of non-Flask-Login keys from session object when using 'strong'
  protection.

0.3.0

---

Released on September 10th, 2015

• Fixes handling of X-Forward-For header.
• Update to use SHA512 instead of MD5 for session identifier creation.
• Fixes session creation for every view.
• BREAKING: UTC used to set cookie duration.
• BREAKING: Non-fresh logins now returns HTTP 401.
• Support unicode user IDs in cookie.
• Fixes user_logged_out signal invocation.
• Support for per-Blueprint login views.
• BREAKING: The is_authenticated, is_active, and is_anonymous members of
  the user class are now properties, not methods. Applications should update
  their user classes accordingly.
• Various other improvements including documentation and code clean up.

oauthlib 0.7.2 -> 2.0.1

2.0.1

---

• (FIX) Normalize handling of request.scopes list

2.0.0

---

• (New Feature) OpenID support.
• Documentation improvements and fixes.

1.1.2

---

• (Fix) Query strings should be able to include colons.
• (Fix) Cast body to a string to ensure that we can perform a regex substitution on it.

1.1.1

---

• (Enhancement) Better sanitisation of Request objects repr.

1.1.0

---

• (Fix) '(', ')', '/' and '?' are now safe characters in url encoded strings.
• (Enhancement) Added support for specifying if refresh tokens should be created on authorization code grants.
• (Fix) OAuth2Token now handles None scopes correctly.
• (Fix) Request token is now available for OAuth 1.
• (Enhancement) OAuth2Token is declared with slots for smaller memory footprint.
• (Enhancement) RefreshTokenGrant now allows to set issue_new_refresh_tokens.
• Documentation improvements and fixes.

1.0.3

---

• (Fix) Changed the documented return type of the invalidate_request_token() method from the RSA key to None since nobody is using the return type.
• (Enhancement) Added a validator log that will store what the endpoint has computed for debugging and logging purposes (OAuth 1 only for now).

1.0.2

---

• (Fix) Allow client secret to be null for public applications that do not mandate it's specification in the query parameters.
• (Fix) Encode request body before hashing in order to prevent encoding errors in Python 3.

1.0.1

---

• (Fix) Added token_type_hint to the list of default Request parameters.

1.0.0

---

• (Breaking Change) Replace pycrypto with cryptography from https://cryptography.io
• (Breaking Change) Update jwt to 1.0.0 (which is backwards incompatible) no oauthlib api changes
  were made.
• (Breaking Change) Raise attribute error for non-existing attributes in the Request object.
• (Fix) Strip whitespace off of scope string.
• (Change) Don't require to return the state in the access token response.
• (Change) Hide password in logs.
• (Fix) Fix incorrect invocation of prepare_refresh_body in the OAuth2 client.
• (Fix) Handle empty/non-parsable query strings.
• (Fix) Check if an RSA key is actually needed before requiring it.
• (Change) Allow tuples for list_to_scope as well as sets and lists.
• (Change) Add code to determine if client authentication is required for OAuth2.
• (Fix) Fix error message on invalid Content-Type header for OAtuh1 signing.
• (Fix) Allow ! character in query strings.
• (Fix) OAuth1 now includes the body hash for requests that specify any content-type that isn't x-www-form-urlencoded.
• (Fix) Fixed error description in oauth1 endpoint.
• (Fix) Revocation endpoint for oauth2 will now return an empty string in the response body instead of 'None'.
• Increased test coverage.
• Performance improvements.
• Documentation improvements and fixes.

Once you have closed this pull request, I'll create seperate pull requests for every update as soon as I find them.

That's it for now!

Happy merging! 🤖

[ninewise]

Cool stuff thanks @pyup-bot.