Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Initial Update #1

merged 14 commits into from Apr 16, 2017


Copy link

commented Apr 16, 2017

This is my first visit to this fine repo so I have bundled all updates in a single pull request to make things easier for you to merge.

Close this pull request and delete the branch if you want me to start with single pull requests right away

Here's the executive summary:


Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need.

Fabric 1.8.2 » 1.13.1 PyPI | Homepage
Flask 0.10.1 » 0.12.1 PyPI | Changelog | Repo
Flask-SQLAlchemy 1.0 » 2.2 PyPI | Changelog | Repo | Docs
Flask-WTF 0.9.4 » 0.14.2 PyPI | Changelog | Repo | Docs
Jinja2 2.7.2 » 2.9.6 PyPI | Changelog | Homepage
MarkupSafe 0.18 » 1.0 PyPI | Changelog | Repo
SQLAlchemy 0.9.3 » 1.1.9 PyPI | Homepage
WTForms 1.0.5 » 2.1 PyPI | Changelog | Homepage | Docs
Werkzeug 0.9.4 » 0.12.1 PyPI | Changelog | Homepage
coverage 3.7.1 » 4.3.4 PyPI | Changelog | Docs
ecdsa 0.10 » 0.13 PyPI | Changelog | Repo
gunicorn 19.3.0 » 19.7.1 PyPI | Changelog | Homepage
itsdangerous 0.23 » 0.24 PyPI | Changelog | Repo | Docs
paramiko 1.12.2 » 2.1.2 PyPI | Changelog | Repo


Flask 0.10.1 -> 0.12.1


Bugfix release, released on March 31st 2017

  • Prevent flask run from showing a NoAppException when an ImportError occurs
    within the imported application module.
  • Fix encoding behavior of app.config.from_pyfile for Python 3. Fix
  • Use the SERVER_NAME config if it is present as default values for 2109, 2152
  • Call ctx.auto_pop with the exception object instead of None, in the
    event that a BaseException such as KeyboardInterrupt is raised in a
    request handler.


Released on December 21st 2016, codename Punsch.

  • the cli command now responds to --version.
  • Mimetype guessing and ETag generation for file-like objects in send_file
    has been removed, as per issue 104. See pull request 1849.
  • Mimetype guessing in send_file now fails loudly and doesn't fall back to
    application/octet-stream. See pull request 1988.
  • Make flask.safe_join able to join multiple paths like os.path.join
    (pull request 1730).
  • Revert a behavior change that made the dev server crash instead of returning
    a Internal Server Error (pull request 2006).
  • Correctly invoke response handlers for both regular request dispatching as
    well as error handlers.
  • Disable logger propagation by default for the app logger.
  • Add support for range requests in send_file.
  • app.test_client includes preset default environment, which can now be
    directly set, instead of per client.get.


Bugfix release, unreleased

  • Fix crash when running under PyPy3, see pull request 1814.


Bugfix release, released on June 7th 2016.

  • Fixed a bug that prevented FLASK_APP=foobar/ from working. See
    pull request 1872.


Released on May 29th 2016, codename Absinthe.

  • Added support to serializing top-level arrays to :func:flask.jsonify. This
    introduces a security risk in ancient browsers. See
    :ref:json-security for details.
  • Added before_render_template signal.
  • Added **kwargs to :meth:flask.Test.test_client to support passing
    additional keyword arguments to the constructor of
  • Added SESSION_REFRESH_EACH_REQUEST config key that controls the
    set-cookie behavior. If set to True a permanent session will be
    refreshed each request and get their lifetime extended, if set to
    False it will only be modified if the session actually modifies.
    Non permanent sessions are not affected by this and will always
    expire if the browser window closes.
  • Made Flask support custom JSON mimetypes for incoming data.
  • Added support for returning tuples in the form (response, headers)
    from a view function.
  • Added :meth:flask.Config.from_json.
  • Added :attr:flask.Flask.config_class.
  • Added :meth:flask.Config.get_namespace.
  • Templates are no longer automatically reloaded outside of debug mode. This
    can be configured with the new TEMPLATES_AUTO_RELOAD config key.
  • Added a workaround for a limitation in Python 3.3's namespace loader.
  • Added support for explicit root paths when using Python 3.3's namespace
  • Added :command:flask and the flask.cli module to start the local
    debug server through the click CLI system. This is recommended over the old method as it works faster and more reliable due to a
    different design and also replaces Flask-Script.
  • Error handlers that match specific classes are now checked first,
    thereby allowing catching exceptions that are subclasses of HTTP
    exceptions (in werkzeug.exceptions). This makes it possible
    for an extension author to create exceptions that will by default
    result in the HTTP error of their choosing, but may be caught with
    a custom error handler if desired.
  • Added :meth:flask.Config.from_mapping.
  • Flask will now log by default even if debug is disabled. The log format is
    now hardcoded but the default log handling can be disabled through the
    LOGGER_HANDLER_POLICY configuration key.
  • Removed deprecated module functionality.
  • Added the EXPLAIN_TEMPLATE_LOADING config flag which when enabled will
    instruct Flask to explain how it locates templates. This should help
    users debug when the wrong templates are loaded.
  • Enforce blueprint handling in the order they were registered for template
  • Ported test suite to py.test.
  • Deprecated request.json in favour of request.get_json().
  • Add "pretty" and "compressed" separators definitions in jsonify() method.
    Reduces JSON response size when JSONIFY_PRETTYPRINT_REGULAR=False by removing
    unnecessary white space included by default after separators.
  • JSON responses are now terminated with a newline character, because it is a
    convention that UNIX text files end with a newline and some clients don't
    deal well when this newline is missing. See
    pallets/flask#1262 -- this came up originally as a
    part of postmanlabs/httpbin#168
  • The automatically provided OPTIONS method is now correctly disabled if
    the user registered an overriding rule with the lowercase-version
    options (issue 1288).
  • flask.json.jsonify now supports the type (pull request
  • Don't leak exception info of already catched exceptions to context teardown
    handlers (pull request 1393).
  • Allow custom Jinja environment subclasses (pull request 1422).
  • flask.g now has pop() and setdefault methods.
  • Turn on autoescape for flask.templating.render_template_string by default
    (pull request 1515).
  • flask.ext is now deprecated (pull request 1484).
  • send_from_directory now raises BadRequest if the filename is invalid on
    the server OS (pull request 1763).
  • Added the JSONIFY_MIMETYPE configuration variable (pull request 1728).
  • Exceptions during teardown handling will no longer leave bad application
    contexts lingering around.


(bugfix release, release date to be announced)

  • Fixed broken test_appcontext_signals() test case.
  • Raise an :exc:AttributeError in :func:flask.helpers.find_package with a
    useful message explaining why it is raised when a PEP 302 import hook is used
    without an is_package() method.
  • Fixed an issue causing exceptions raised before entering a request or app
    context to be passed to teardown handlers.
  • Fixed an issue with query parameters getting removed from requests in
    the test client when absolute URLs were requested.
  • Made before_first_request into a decorator as intended.
  • Fixed an etags bug when sending a file streams with a name.
  • Fixed send_from_directory not expanding to the application root path
  • Changed logic of before first request handlers to flip the flag after
    invoking. This will allow some uses that are potentially dangerous but
    should probably be permitted.
  • Fixed Python 3 bug when a handler from app.url_build_error_handlers
    reraises the BuildError.

Flask-SQLAlchemy 1.0 -> 2.2


Released on February 27, 2017, codename Dubnium

  • Minimum SQLAlchemy version is 0.8 due to use of sqlalchemy.inspect.
  • Added support for custom query_class and model_class as args
    to the SQLAlchemy constructor. (328_)
  • Allow listening to SQLAlchemy events on db.session. (364_)
  • Allow __bind_key__ on abstract models. (373_)
  • Allow SQLALCHEMY_ECHO to be a string. (409_)
  • Warn when SQLALCHEMY_DATABASE_URI is not set. (443_)
  • Don't let pagination generate invalid page numbers. (460_)
  • Drop support of Flask < 0.10. This means the db session is always tied to
    the app context and its teardown event. (461_)
  • Tablename generation logic no longer accesses class properties unless they
    are declared_attr. (467_)

.. _328: pallets/flask-sqlalchemy#328
.. _364: pallets/flask-sqlalchemy#364
.. _373: pallets/flask-sqlalchemy#373
.. _409: pallets/flask-sqlalchemy#409
.. _443: pallets/flask-sqlalchemy#443
.. _460: pallets/flask-sqlalchemy#460
.. _461: pallets/flask-sqlalchemy#461
.. _467: pallets/flask-sqlalchemy#467


Released on October 23rd 2015, codename Caesium

  • Table names are automatically generated in more cases, including
    subclassing mixins and abstract models.
  • Allow using a custom MetaData object.
  • Add support for binds parameter to session.


Released on August 29th 2014, codename Bohrium

  • Changed how the builtin signals are subscribed to skip non Flask-SQLAlchemy
    sessions. This will also fix the attribute error about model changes
    not existing.
  • Added a way to control how signals for model modifications are tracked.
  • Made the SignallingSession a public interface and added a hook
    for customizing session creation.
  • If the bind parameter is given to the signalling session it will no
    longer cause an error that a parameter is given twice.
  • Added working table reflection support.
  • Enabled autoflush by default.
  • Consider SQLALCHEMY_COMMIT_ON_TEARDOWN harmful and remove from docs.

Flask-WTF 0.9.4 -> 0.14.2


Released 2017-01-10

  • Fix bug where FlaskForm assumed meta argument was not None if it
    was passed. (278_)

.. _278: lepture/flask-wtf#278


Released 2017-01-10

  • Fix bug where the file validators would incorrectly identify an empty file as
    valid data. (276, 277)
  • FileField is no longer deprecated. The data is checked during
    processing and only set if it's a valid file.
  • has_file is deprecated; it's now equivalent to bool(
  • FileRequired and FileAllowed work with both the Flask-WTF and
    WTForms FileField classes.
  • The Optional validator now works with FileField.

.. _276: lepture/flask-wtf#276
.. _277: lepture/flask-wtf#277


Released 2017-01-06

  • Use itsdangerous to sign CSRF tokens and check expiration instead of doing it
    ourselves. (264_)
  • All tokens are URL safe, removing the url_safe parameter from
    generate_csrf. (206_)
  • All tokens store a timestamp, which is checked in validate_csrf. The
    time_limit parameter of generate_csrf is removed.
  • Remove the app attribute from CsrfProtect, use current_app.
  • CsrfProtect protects the DELETE method by default. (264_)
  • The same CSRF token is generated for the lifetime of a request. It is exposed
    as request.csrf_token for use during testing. (227, 264)
  • CsrfProtect.error_handler is deprecated. (264_)
  • Handlers that return a response work in addition to those that raise an
    error. The behavior was not clear in previous docs.
  • (200, 209, 243, 252)
  • Use Form.Meta instead of deprecated SecureForm for CSRF (and
    everything else). (216, 271)
  • csrf_enabled parameter is still recognized but deprecated. All other
    attributes and methods from SecureForm are removed. (271_)
  • Provide WTF_CSRF_FIELD_NAME to configure the name of the CSRF token.
  • validate_csrf raises wtforms.ValidationError with specific messages
    instead of returning True or False. This breaks anything that was
    calling the method directly. (239, 271)
  • CSRF errors are logged as well as raised. (239_)
  • CsrfProtect is renamed to CSRFProtect. A deprecation warning is issued
    when using the old name. CsrfError is renamed to CSRFError without
    deprecation. (271_)
  • FileField is deprecated because it no longer provides functionality over
    the provided validators. Use wtforms.FileField directly. (272_)

.. _200: lepture/flask-wtf#200
.. _209: lepture/flask-wtf#209
.. _216: lepture/flask-wtf#216
.. _227: lepture/flask-wtf#227
.. _239: lepture/flask-wtf#239
.. _243: lepture/flask-wtf#243
.. _252: lepture/flask-wtf#252
.. _264: lepture/flask-wtf#264
.. _271: lepture/flask-wtf#271
.. _272: lepture/flask-wtf#272


Released 2016/10/6

  • Deprecation warning for Form is shown during __init__ instead of immediately when subclassing. (262_)
  • Don't use pkg_resources to get version, for compatibility with GAE. (261_)

.. _261: lepture/flask-wtf#261
.. _262: lepture/flask-wtf#262


Released 2016/09/29

  • Form is renamed to FlaskForm in order to avoid name collision with WTForms's base class. Using Form will show a deprecation warning. (250_)
  • hidden_tag no longer wraps the hidden inputs in a hidden div. This is valid HTML5 and any modern HTML parser will behave correctly. (217, 193)
  • flask_wtf.html5 is deprecated. Import directly from wtforms.fields.html5. (251_)
  • is_submitted is true for PATCH and DELETE in addition to POST and PUT. (187_)
  • generate_csrf takes a token_key parameter to specify the key stored in the session. (206_)
  • generate_csrf takes a url_safe parameter to allow the token to be used in URLs. (206_)
  • can be accessed multiple times without raising an exception. (248_)
  • File extension with multiple parts (.tar.gz) can be used in the FileAllowed validator. (201_)

.. _187: lepture/flask-wtf#187
.. _193: lepture/flask-wtf#193
.. _201: lepture/flask-wtf#201
.. _206: lepture/flask-wtf#206
.. _217: lepture/flask-wtf#217
.. _248: lepture/flask-wtf#248
.. _250: lepture/flask-wtf#250
.. _251: lepture/flask-wtf#251


Released 2015/07/09

  • Abstract protect_csrf() into a separate method
  • Update reCAPTCHA configuration
  • Fix reCAPTCHA error handle


Released 2015/01/21

  • Use the new reCAPTCHA API via 164_.

.. _164: lepture/flask-wtf#164


Released 2014/11/16

  • Add configuration: WTF_CSRF_HEADERS via 159_.
  • Support customize hidden tags via 150_.
  • And many more bug fixes

.. _150: lepture/flask-wtf#150
.. _159: lepture/flask-wtf#159


Released 2014/09/03

  • Update translation for reCaptcha via 146_.

.. _146: lepture/flask-wtf#146


Released 2014/08/26

  • Update RECAPTCHA API SERVER URL via 145_.
  • Update requirement Werkzeug>=0.9.5
  • Fix CsrfProtect exempt for blueprints via 143_.

.. _145: lepture/flask-wtf#145
.. _143: lepture/flask-wtf#143


Released 2014/07/16

  • Add configuration: WTF_CSRF_METHODS
  • Support WTForms 2.0 now
  • Fix csrf validation without time limit (time_limit=False)
  • CSRF exempt supports blueprint 111_.

.. _111: lepture/flask-wtf#111


Released 2014/03/21

  • csrf_token for all template types 112_.
  • Make FileRequired a subclass of InputRequired 108_.

.. _108: lepture/flask-wtf#108
.. _112: lepture/flask-wtf#112

Jinja2 2.7.2 -> 2.9.6


(bugfix release, released on April 3rd 2017)

  • Fixed custom context behavior in fast resolve mode (675)


(bugfix release, released on January 28th 2017)

  • Restored the original repr of the internal _GroupTuple because this
    caused issues with ansible and it was an unintended change. (654)
  • Added back support for custom contexts that override the old resolve
    method since it was hard for people to spot that this could cause a
  • Correctly use the buffer for the else block of for loops. This caused
    invalid syntax errors to be caused on 2.x and completely wrong behavior
    on Python 3 (669)
  • Resolve an issue where the {% extends %} tag could not be used with
    async environments. (668)
  • Reduce memory footprint slightly by reducing our unicode database dump
    we use for identifier matching on Python 3 (666)
  • Fixed autoescaping not working for macros in async compilation mode. (671)


(bugfix release, released on January 10th 2017)

  • Solved some warnings for string literals. (646)
  • Increment the bytecode cache version which was not done due to an
    oversight before.
  • Corrected bad code generation and scoping for filtered loops. (649)
  • Resolved an issue where top-level output silencing after known extend
    blocks could generate invalid code when blocks where contained in if
    statements. (651)
  • Made the truncate.leeway default configurable to improve compatibility
    with older templates.


(bugfix release, released on January 8th 2017)

  • Restored the use of blocks in macros to the extend that was possible
    before. On Python 3 it would render a generator repr instead of
    the block contents. (645)
  • Set a consistent behavior for assigning of variables in inner scopes
    when the variable is also read from an outer scope. This now sets the
    intended behavior in all situations however it does not restore the
    old behavior where limited assignments to outer scopes was possible.
    For more information and a discussion see 641
  • Resolved an issue where block scoped would not take advantage of the
    new scoping rules. In some more exotic cases a variable overriden in a
    local scope would not make it into a block.
  • Change the code generation of the with statement to be in line with the
    new scoping rules. This resolves some unlikely bugs in edge cases. This
    also introduces a new internal With node that can be used by extensions.


(bugfix release, released on January 8th 2017)

  • Fixed a regression that caused for loops to not be able to use the same
    variable for the target as well as source iterator. (640)
  • Add support for a previously unknown behavior of macros. It used to be
    possible in some circumstances to explicitly provide a caller argument
    to macros. While badly buggy and unintended it turns out that this is a
    common case that gets copy pasted around. To not completely break backwards
    compatibility with the most common cases it's now possible to provide an
    explicit keyword argument for caller if it's given an explicit default.


(bugfix release, released on January 7th 2017)

  • Resolved a regression with call block scoping for macros. Nested caller
    blocks that used the same identifiers as outer macros could refer to the
    wrong variable incorrectly.


(codename Derivation, released on January 7th 2017)

  • Change cache key definition in environment. This fixes a performance
    regression introduced in 2.8.
  • Added support for generator_stop on supported Python versions
    (Python 3.5 and later)
  • Corrected a long standing issue with operator precedence of math operations
    not being what was expected.
  • Added support for Python 3.6 async iterators through a new async mode.
  • Added policies for filter defaults and similar things.
  • urlize now sets "rel noopener" by default.
  • Support attribute fallback for old-style classes in 2.x.
  • Support toplevel set statements in extend situations.
  • Restored behavior of Cycler for Python 3 users.
  • Subtraction now follows the same behavior as other operators on undefined
  • map and friends will now give better error messages if you forgot to
    quote the parameter.
  • Depend on MarkupSafe 0.23 or higher.
  • Improved the truncate filter to support better truncation in case
    the string is barely truncated at all.
  • Change the logic for macro autoescaping to be based on the runtime
    autoescaping information at call time instead of macro define time.
  • Ported a modified version of the tojson filter from Flask to Jinja2
    and hooked it up with the new policy framework.
  • Block sets are now marked safe by default.
  • On Python 2 the asciification of ASCII strings can now be disabled with
    the compiler.ascii_str policy.
  • Tests now no longer accept an arbitrary expression as first argument but
    a restricted one. This means that you can now properly use multiple
    tests in one expression without extra parentheses. In particular you can
    now write foo is divisibleby 2 or foo is divisibleby 3
    as you would expect.
  • Greatly changed the scoping system to be more consistent with what template
    designers and developers expect. There is now no more magic difference
    between the different include and import constructs. Context is now always
    propagated the same way. The only remaining differences is the defaults
    for with context and without context.
  • The with and autoescape tags are now built-in.
  • Added the new select_autoescape function which helps configuring better
    autoescaping easier.


(bugfix release, unreleased)

  • Fixed a runtime error in the sandbox when attributes of async generators
    were accessed.


(bugfix release, released on December 29th 2016)

  • Fixed the for_qs flag for urlencode.
  • Fixed regression when applying int to non-string values.
  • SECURITY: if the sandbox mode is used format expressions are now sandboxed
    with the same rules as in Jinja. This solves various information leakage
    problems that can occur with format strings.


(codename Replacement, released on July 26th 2015)

  • Added target parameter to urlize function.
  • Added support for followsymlinks to the file system loader.
  • The truncate filter now counts the length.
  • Added equalto filter that helps with select filters.
  • Changed cache keys to use absolute file names if available
    instead of load names.
  • Fixed loop length calculation for some iterators.
  • Changed how Jinja2 enforces strings to be native strings in
    Python 2 to work when people break their default encoding.
  • Added :func:make_logging_undefined which returns an undefined
    object that logs failures into a logger.
  • If unmarshalling of cached data fails the template will be
    reloaded now.
  • Implemented a block set tag.
  • Default cache size was increased to 400 from a low 50.
  • Fixed is number test to accept long integers in all Python versions.
  • Changed is number to accept Decimal as a number.
  • Added a check for default arguments followed by non-default arguments. This
    change makes {% macro m(x, y=1, z) %}...{% endmacro %} a syntax error. The
    previous behavior for this code was broken anyway (resulting in the default
    value being applied to y).
  • Add ability to use custom subclasses of jinja2.compiler.CodeGenerator and
    jinja2.runtime.Context by adding two new attributes to the environment
    (code_generator_class and context_class) (pull request 404).
  • added support for context/environment/evalctx decorator functions on
    the finalize callback of the environment.
  • escape query strings for urlencode properly. Previously slashes were not
    escaped in that place.
  • Add 'base' parameter to 'int' filter.


(bugfix release, released on June 6th 2014)

  • Security issue: Corrected the security fix for the cache folder. This
    fix was provided by RedHat.

MarkupSafe 0.18 -> 1.0


  • Fixed custom types not invoking __unicode__ when used
    with format().
  • Added __version__ module attribute
  • Improve unescape code to leave lone ampersands alone.

WTForms 1.0.5 -> 2.1


Released December 15, 2015

  • Added render_kw to allow default rendering time options.
  • Updated / added a number of localizations
  • Updated docs
  • Allow widgets to set flags


Released January 18, 2015

  • Added more localizations and updated some.
  • Validators for email and URL can validate IDNA-encoded domain names and new TLDs
  • Better DeprecationWarnings
  • Support localization files in /usr/share/locale (for distro packaging)


Released July 1, 2014

  • Update wheel install to conditionally install ordereddict for python 2.6.
  • Doc improvements


Released May 20, 2014

  • Add new class Meta paradigm for much more powerful customization
    of WTForms.
  • Move i18n into core. Deprecate wtforms.ext.i18n.
  • Move CSRF into core. Deprecate wtforms.ext.csrf.
  • Fix issue rendering SelectFields with value=True
  • Make DecimalField able to use babel locale-based number formatting.
  • Drop Python 3.2 support (Python3 support for 3.3+ only)
  • passing attr=False to WTForms widgets causes the value to be ignored.
  • Unique validator in wtforms.ext.sqlalchemy has been removed.

Werkzeug 0.9.4 -> 0.12.1


Released on March 15th 2017

  • Fix crash of reloader (used on debug mode) on Windows.
    (OSError: [WinError 10038]). See pull request 1081
  • Partially revert change to class hierarchy of Headers. See 1084.


Released on March 10th 2017

  • Spit out big deprecation warnings for werkzeug.script
  • Use inspect.getfullargspec internally when available as
    inspect.getargspec is gone in 3.6
  • Added support for status code 451 and 423
  • Improved the build error suggestions. In particular only if
    someone stringifies the error will the suggestions be calculated.
  • Added support for uWSGI's caching backend.
  • Fix a bug where iterating over a FileStorage would result in an infinite
  • Datastructures now inherit from the relevant baseclasses from the
    collections module in the stdlib. See 794.
  • Add support for recognizing NetBSD, OpenBSD, FreeBSD, DragonFlyBSD platforms
    in the user agent string.
  • Recognize SeaMonkey browser name and version correctly
  • Recognize Baiduspider, and bingbot user agents
  • If LocalProxy's wrapped object is a function, refer to it with wrapped
  • The defaults of generate_password_hash have been changed to more secure
    ones, see pull request 753.
  • Add support for encoding in options header parsing, see pull request
  • test.Client now properly handles Location headers with relative URLs, see
    pull request 879.
  • When HTTPException is raised, it now prints the description, for easier
  • Werkzeug's dict-like datastructures now have view-methods under Python 2,
    see pull request 968.
  • Fix a bug in MultiPartParser when no stream_factory was provided
    during initialization, see pull request 973.
  • Disable autocorrect and spellchecker in the debugger middleware's Python
    prompt, see pull request 994.
  • Don't redirect to slash route when method doesn't match, see pull request
  • Fix a bug when using SharedDataMiddleware with frozen packages, see pull
    request 959.
  • Range header parsing function fixed for invalid values 974.
  • Add support for byte Range Requests, see pull request 978.
  • Use modern cryptographic defaults in the dev servers 1004.
  • the post() method of the test client now accept file object through the data
  • Color run_simple's terminal output based on HTTP codes 1013.
  • Fix self-XSS in debugger console, see 1031.
  • Fix IPython 5.x shell support, see 1033.


  • werkzeug.serving: set CONTENT_TYPE / CONTENT_LENGTH if only they're provided by the client
  • werkzeug.serving: Fix crash of reloader when using python -m werkzeug.serving.


Released on December 30th 2016.

  • Bugfix for the bugfix in the previous release.


Released on December 30th 2016.

  • Check if platform can fork before importing ForkingMixIn, raise exception
    when creating ForkingWSGIServer on such a platform, see PR 999.


Released on December 26th 2016.

  • Correct fix for the reloader issuer on certain Windows installations.


Released on December 26th 2016.

  • Fix more bugs in multidicts regarding empty lists. See 1000.
  • Add some docstrings to some EnvironBuilder properties that were previously
    unintentionally missing.
  • Added a workaround for the reloader on windows.


Released on August 31st 2016.

  • Fix JSONRequestMixin for Python3. See 731
  • Fix broken string handling in test client when passing integers. See 852
  • Fix a bug in parse_options_header where an invalid content type
    starting with comma or semi-colon would result in an invalid return value,
    see issue 995.
  • Fix a bug in multidicts when passing empty lists as values, see issue
  • Fix a security issue that allows XSS on the Werkzeug debugger. See 1001.


Released on May 24th 2016.

  • Fixed a bug that occurs when running on Python 2.6 and using a broken locale.
    See pull request 912.
  • Fixed a crash when running the debugger on Google App Engine. See issue 925.
  • Fixed an issue with multipart parsing that could cause memory exhaustion.


Released on April 24th 2016.

  • Corrected an issue that caused the debugger not to use the
    machine GUID on POSIX systems.
  • Corrected a Unicode error on Python 3 for the debugger's
    PIN usage.
  • Corrected the timestamp verification in the pin debug code.
    Without this fix the pin was remembered for too long.


Released on April 15th 2016.

  • fixed a problem with the machine GUID detection code on OS X
    on Python 3.


Released on April 14th 2016.

  • fixed a regression on Python 3 for the debugger.


Released on April 14th 2016.

  • werkzeug.serving: Still show the client address on bad requests.
  • improved the PIN based protection for the debugger to make it harder to
    brute force via trying cookies. Please keep in mind that the debugger
    is not intended for running on production environments
  • increased the pin timeout to a week to make it less annoying for people
    which should decrease the chance that users disable the pin check
  • werkzeug.serving: Fix broken HTTP_HOST when path starts with double slash.


Released on March 22nd 2016.

  • werkzeug.serving: Fix crash when attempting SSL connection to HTTP server.


Released on February 14th 2016.

  • Fixed werkzeug.serving not working from -m flag.
  • Fixed incorrect weak etag handling.


Released on December 20th 2015.

  • Fixed an issue with copy operations not working against
  • Changed the logging operations of the development server to
    correctly log where the server is running in all situations
  • Fixed another regression with SSL wrapping similar to the
    fix in 0.11.2 but for a different code path.


Released on November 12th 2015.

  • Fix inheritable sockets on Windows on Python 3.
  • Fixed an issue with the forking server not starting any longer.
  • Fixed SSL wrapping on platforms that supported opening sockets
    by file descriptor.
  • No longer log from the watchdog reloader.
  • Unicode errors in hosts are now better caught or converted into
    bad request errors.


Released on November 10th 2015.

  • Fixed a regression on Python 3 in the debugger.


Released on November 8th 2015, codename Gleisbaumaschine.

  • Added reloader_paths option to run_simple and other functions in
    werkzeug.serving. This allows the user to completely override the Python
    module watching of Werkzeug with custom paths.
  • Many custom cached properties of Werkzeug's classes are now subclasses of
    Python's property type (issue 616).
  • bind_to_environ now doesn't differentiate between implicit and explicit
    default port numbers in HTTP_HOST (pull request 204).
  • BuildErrors are now more informative. They come with a complete sentence
    as error message, and also provide suggestions (pull request 691).
  • Fix a bug in the user agent parser where Safari's build number instead of
    version would be extracted (pull request 703).
  • Fixed issue where RedisCache set_many was broken for twemproxy, which doesn't
    support the default MULTI command (pull request 702).
  • mimetype parameters on request and response classes are now always
    converted to lowercase.
  • Changed cache so that cache never expires if timeout is 0. This also fixes
    an issue with redis setex (issue 550)
  • Werkzeug now assumes UTF-8 as filesystem encoding on Unix if Python
    detected it as ASCII.
  • New optional has method on caches.
  • Fixed various bugs in parse_options_header (pull request 643).
  • If the reloader is enabled the server will now open the socket in the parent
    process if this is possible. This means that when the reloader kicks in
    the connection from client will wait instead of tearing down. This does
    not work on all Python versions.
  • Implemented PIN based authentication for the debugger. This can optionally
    be disabled but is discouraged. This change was necessary as it has been
    discovered that too many people run the debugger in production.
  • Devserver no longer requires SSL module to be installed.


(bugfix release, release date yet to be decided)

  • Reloader: Correctly detect file changes made by moving temporary files over
    the original, which is e.g. the case with PyCharm (pull request 722).
  • Fix bool behavior of werkzeug.datastructures.ETags under Python 3 (issue


(bugfix release, released on March 26th 2015)

  • Re-release of 0.10.3 with packaging artifacts manually removed.


(bugfix release, released on March 26th 2015)

  • Re-release of 0.10.2 without packaging artifacts.


(bugfix release, released on March 26th 2015)

  • Fixed issue where empty could break third-party libraries that relied on
    keyword arguments (pull request 675)
  • Improved Rule.empty by providing a ```get_empty_kwargsto allow setting custom kwargs without having to override entireempty`` method. (pull
    request ``675``)
  • Fixed extra_files parameter for reloader to not cause startup
    to crash when included in server params
  • Using MultiDict when building URLs is now not supported again. The behavior
    introduced several regressions.
  • Fix performance problems with stat-reloader (pull request 715).


(bugfix release, released on February 3rd 2015)

  • Fixed regression with multiple query values for URLs (pull request 667).
  • Fix issues with eventlet's monkeypatching and the builtin server (pull
    request 663).


Released on January 30th 2015, codename Bagger.

  • Changed the error handling of and improved testsuite for the caches in
  • Fixed a bug on Python 3 when creating adhoc ssl contexts, due to sys.maxint
    not being defined.
  • Fixed a bug on Python 3, that caused
    :func:~werkzeug.serving.make_ssl_devcert to fail with an exception.
  • Added exceptions for 504 and 505.
  • Added support for ChromeOS detection.
  • Added UUID converter to the routing system.
  • Added message that explains how to quit the server.
  • Fixed a bug on Python 2, that caused len for
    :class:werkzeug.datastructures.CombinedMultiDict to crash.
  • Added support for stdlib pbkdf2 hmac if a compatible digest
    is found.
  • Ported testsuite to use py.test.
  • Minor optimizations to various middlewares (pull requests 496 and
  • Use stdlib ssl module instead of OpenSSL for the builtin server
    (issue 434). This means that OpenSSL contexts are not supported anymore,
    but instead ssl.SSLContext from the stdlib.
  • Allow protocol-relative URLs when building external URLs.
  • Fixed Atom syndication to print time zone offset for tz-aware datetime
    objects (pull request 254).
  • Improved reloader to track added files and to recover from broken
    sys.modules setups with syntax errors in packages.
  • cache.RedisCache now supports arbitrary **kwargs for the redis
  • werkzeug.test.Client now uses the original request method when resolving
    307 redirects (pull request 556).
  • werkzeug.datastructures.MIMEAccept now properly deals with mimetype
    parameters (pull request 205).
  • werkzeug.datastructures.Accept now handles a quality of 0 as
    intolerable, as per RFC 2616 (pull request 536).
  • werkzeug.urls.url_fix now properly encodes hostnames with idna
    encoding (issue 559). It also doesn't crash on malformed URLs anymore
    (issue 582).
  • werkzeug.routing.MapAdapter.match now recognizes the difference between
    the path / and an empty one (issue 360).
  • The interactive debugger now tries to decode non-ascii filenames (issue
  • Increased default key size of generated SSL certificates to 1024 bits (issue
  • Added support for specifying a Response subclass to use when calling
    :func:~werkzeug.utils.redirect\ .
  • werkzeug.test.EnvironBuilder now doesn't use the request method anymore
    to guess the content type, and purely relies on the form, files and
    input_stream properties (issue 620).
  • Added Symbian to the user agent platform list.
  • Fixed make_conditional to respect automatically_set_content_length
  • Unset Content-Length when writing to (issue 451)
  • wrappers.Request.method is now always uppercase, eliminating
    inconsistencies of the WSGI environment (issue 647).
  • routing.Rule.empty now works correctly with subclasses of Rule (pull
    request 645).
  • Made map updating safe in light of concurrent updates.
  • Allow multiple values for the same field for url building (issue 658).


  • Fixed uri_to_iri() not re-encoding hashes in query string parameters.


(bugfix release, released on June 7th 2014)

  • Added a safe conversion for IRI to URI conversion and use that
    internally to work around issues with spec violations for
    protocols such as itms-service.


(bugfix release, released on June 7th 2014)

  • Forward charset argument from request objects to the environ
  • Fixed error handling for missing boundaries in multipart data.
  • Fixed session creation on systems without os.urandom().
  • Fixed pluses in dictionary keys not being properly URL encoded.
  • Fixed a problem with deepcopy not working for multi dicts.
  • Fixed a double quoting issue on redirects.
  • Fixed a problem with unicode keys appearing in headers on 2.x.
  • Fixed a bug with unicode strings in the test builder.
  • Fixed a unicode bug on Python 3 in the WSGI profiler.
  • Fixed an issue with the safe string compare function on
    Python 2.7.7 and Python 3.4.

coverage 3.7.1 -> 4.3.4


  • Fixing 2.6 in version 4.3.3 broke other things, because the too-tricky
    exception wasn't properly derived from Exception, described in issue 556_.
    A newb mistake; it hasn't been a good few days.

.. _issue 556:

.. _changes_433:


  • Python 2.6 support was broken due to a testing exception imported for the
    benefit of the test suite. Properly conditionalizing it fixed
    issue 554_ so that Python 2.6 works again.

.. _issue 554:

.. _changes_432:


  • Using the --skip-covered option on an HTML report with 100% coverage
    would cause a "No data to report" error, as reported in issue 549_. This is
    now fixed; thanks, Loïc Dachary.
  • If-statements can be optimized away during compilation, for example, if 0:
    or if __debug__:. had problems properly understanding these
    statements which existed in the source, but not in the compiled bytecode.
    This problem, reported in issue 522_, is now fixed.
  • If you specified --source as a directory, then would look for
    importable Python files in that directory, and could identify ones that had
    never been executed at all. But if you specified it as a package name, that
    detection wasn't performed. Now it is, closing issue 426_. Thanks to Loïc
    Dachary for the fix.
  • If you started and stopped coverage measurement thousands of times in your
    process, you could crash Python with a "Fatal Python error: deallocating
    None" error. This is now fixed. Thanks to Alex Groce for the bug report.
  • On PyPy, measuring coverage in subprocesses could produce a warning: "Trace
    function changed, measurement is likely wrong: None". This was spurious, and
    has been suppressed.
  • Previously, couldn't start on Jython, due to that implementation
    missing the multiprocessing module (issue 551). This problem has now been
    fixed. Also, issue 322
    about not being able to invoke coverage
    conveniently, seems much better: jython -m coverage run works
  • Let's say you ran the HTML report over and over again in the same output
    directory, with --skip-covered. And imagine due to your heroic
    test-writing efforts, a file just acheived the goal of 100% coverage. With 4.3, the old HTML file with the less-than-100% coverage would be
    left behind. This file is now properly deleted.

.. _issue 322:
.. issue 426:
.. issue 522:

.. _issue 549:
.. _issue 551:

.. _changes_431:


  • Some environments couldn't install 4.3, as described in issue 540_. This is
    now fixed.
  • The check for conflicting --source and --include was too simple in a
    few different ways, breaking a few perfectly reasonable use cases, described
    in issue 541. The check has been reverted while we re-think the fix for
    issue 265

.. _issue 540:
.. _issue 541:

.. _changes_43:


Special thanks to Loïc Dachary, who took an extraordinary interest in and contributed a number of improvements in this release.

  • Subprocesses that are measured with automatic subprocess measurement_ used
    to read in any pre-existing data file. This meant data would be incorrectly
    carried forward from run to run. Now those files are not read, so each
    subprocess only writes its own data. Fixes issue 510_.
  • The coverage combine command will now fail if there are no data files to
    combine. The combine changes in 4.2 meant that multiple combines could lose
    data, leaving you with an empty .coverage data file. Fixes
    issue 525, issue 412, issue 516, and probably issue 511.
  • wouldn't execute sys.excepthook_ when an exception happened in
    your program. Now it does, thanks to Andrew Hoos. Closes issue 535_.
  • Branch coverage fixes:
  • Branch coverage could misunderstand a finally clause on a try block that
    never continued on to the following statement, as described in issue 493_. This is now fixed. Thanks to Joe Doherty for the report and Loïc
    Dachary for the fix.
  • A while loop with a constant condition (while True) and a continue
    statement would be mis-analyzed, as described in issue 496_. This is now
    fixed, thanks to a bug report by Eli Skeggs and a fix by Loïc Dachary.
  • While loops with constant conditions that were never executed could result
    in a non-zero coverage report. Artem Dayneko reported this in issue 502_, and Loïc Dachary provided the fix.
  • The HTML report now supports a --skip-covered option like the other
    reporting commands. Thanks, Loïc Dachary for the implementation, closing
    issue 433_.
  • Options can now be read from a tox.ini file, if any. Like setup.cfg, sections
    are prefixed with "coverage:", so [run] options will be read from the
    [coverage:run] section of tox.ini. Implements part of issue 519_.
    Thanks, Stephen Finucane.
  • Specifying both --source and --include no longer silently ignores the
    include setting, instead it fails with a message. Thanks, Nathan Land and
    Loïc Dachary. Closes issue 265_.
  • The Coverage.combine method has a new parameter, strict=False, to
    support failing if there are no data files to combine.
  • When forking subprocesses, the coverage data files would have the same random
    number appended to the file name. This didn't cause problems, because the
    file names had the process id also, making collisions (nearly) impossible.
    But it was disconcerting. This is now fixed.
  • The text report now properly sizes headers when skipping some files, fixing
    issue 524_. Thanks, Anthony Sottile and Loïc Dachary.
  • can now search .pex files for source, just as it can .zip and
    .egg. Thanks, Peter Ebden.
  • Data files are now about 15% smaller.
  • Improvements in the [run] debug setting:
  • The "dataio" debug setting now also logs when data files are deleted during
    combining or erasing.
  • A new debug option, "multiproc", for logging the behavior of
  • If you used the debug options "config" and "callers" together, you'd get a
    call stack printed for every line in the multi-line config output. This is
    now fixed.
  • Fixed an unusual bug involving multiple coding declarations affecting code
    containing code in multi-line strings: issue 529_.
  • will no longer be misled into thinking that a plain file is a
    package when interpreting --source options. Thanks, Cosimo Lupo.
  • If you try to run a non-Python file with, you will now get a more
    useful error message. Issue 514_.
  • The default pragma regex changed slightly, but this will only matter to you
    if you are deranged and use mixed-case pragmas.
  • Deal properly with non-ASCII file names in an ASCII-only world, issue 533_.
  • Programs that set Unicode configuration values could cause UnicodeErrors when
    generating HTML reports. Pytest-cov is one example. This is now fixed.
  • Prevented deprecation warnings from configparser that happened in some
    circumstances, closing issue 530_.
  • Corrected the name of the library. Thanks,
    Ben Finney. Closes issue 505_.
  • Testing against PyPy 5.6 and PyPy3 5.5.
  • Switched to pytest from nose for running the tests.
  • Renamed AUTHORS.txt to CONTRIBUTORS.txt, since there are other ways to
    contribute than by writing code. Also put the count of contributors into the
    author string in, though this might be too cute.

.. _sys.excepthook:
.. _issue 265:
.. _issue 412:
.. _issue 433:
.. _issue 493:
.. _issue 496:
.. _issue 502:
.. _issue 505:
.. _issue 514:
.. _issue 510:
.. _issue 511:
.. _issue 516:
.. _issue 519:
.. _issue 524:
.. _issue 525:
.. _issue 529:
.. _issue 530:
.. _issue 533:
.. _issue 535:

.. _changes_42:


  • Since concurrency=multiprocessing uses subprocesses, options specified on
    the command line will not be communicated down to them. Only
    options in the configuration file will apply to the subprocesses.
    Previously, the options didn't apply to the subprocesses, but there was no
    indication. Now it is an error to use --concurrency=multiprocessing and
    other run-affecting options on the command line. This prevents
    failures like those reported in issue 495_.
  • Filtering the HTML report is now faster, thanks to Ville Skyttä.

.. _issue 495:


Work from the PyCon 2016 Sprints!

  • BACKWARD INCOMPATIBILITY: the coverage combine command now ignores an
    existing .coverage data file. It used to include that file in its
    combining. This caused confusing results, and extra tox "clean" steps. If
    you want the old behavior, use the new coverage combine --append option.
  • The concurrency option can now take multiple values, to support programs
    using multiprocessing and another library such as eventlet. This is only
    possible in the configuration file, not from the command line. The
    configuration file is the only way for sub-processes to all run with the same
    options. Fixes issue 484_. Thanks to Josh Williams for prototyping.
  • Using a concurrency setting of multiprocessing now implies
    --parallel so that the main program is measured similarly to the
  • When using automatic subprocess measurement, running coverage commands
    would create spurious data files. This is now fixed, thanks to diagnosis and
    testing by Dan Riti. Closes issue 492
  • A new configuration option, report:sort, controls what column of the
    text report is used to sort the rows. Thanks to Dan Wandschneider, this
    closes issue 199_.
  • The HTML report has a more-visible indicator for which column is being
    sorted. Closes issue 298_, thanks to Josh Williams.
  • If the HTML report cannot find the source for a file, the message now
    suggests using the -i flag to allow the report to continue. Closes
    issue 231_, thanks, Nathan Land.
  • When reports are ignoring errors, there's now a warning if a file cannot be
    parsed, rather than being silently ignored. Closes issue 396_. Thanks,
    Matthew Boehm.
  • A new option for coverage debug is available: coverage debug config
    shows the current configuration. Closes issue 454_, thanks to Matthew
  • Running coverage as a module (python -m coverage) no longer shows the
    program name as Fixes issue 478_. Thanks, Scott Belden.
  • The test_helpers module has been moved into a separate pip-installable
    package: unittest-mixins_.

.. _automatic subprocess measurement:
.. _issue 199:
.. _issue 231:
.. _issue 298:
.. _issue 396:
.. _issue 454:
.. _issue 478:
.. _issue 484:
.. _issue 492:
.. _unittest-mixins:

.. _changes_41:


  • The internal attribute Reporter.file_reporters was removed in 4.1b3. It
    should have come has no surprise that there were third-party tools out there
    using that attribute. It has been restored, but with a deprecation warning.


  • When running your program, execution can jump from an except X: line to
    some other line when an exception other than X happens. This jump is no
    longer considered a branch when measuring branch coverage.
  • When measuring branch coverage, yield statements that were never resumed
    were incorrectly marked as missing, as reported in issue 440_. This is now
  • During branch coverage of single-line callables like lambdas and generator
    expressions, can now distinguish between them never being called,
    or being called but not completed. Fixes issue 90, issue 460 and
    issue 475_.
  • The HTML report now has a map of the file along the rightmost edge of the
    page, giving an overview of where the missed lines are. Thanks, Dmitry
  • The HTML report now uses different monospaced fonts, favoring Consolas over
    Courier. Along the way, issue 472_ about not properly handling one-space
    indents was fixed. The index page also has slightly different styling, to
    try to make the clickable detail pages more apparent.
  • Missing branches reported with coverage report -m will now say -&gt;exit
    for missed branches to the exit of a function, rather than a negative number.
    Fixes issue 469_.
  • coverage --help and coverage --version now mention which tracer is
    installed, to help diagnose problems. The docs mention which features need
    the C extension. (issue 479_)
  • Officially support PyPy 5.1, which required no changes, just updates to the
  • The function had two parameters with non-None defaults,
    which have been changed. show_missing used to default to True, but now
    defaults to None. If you had been calling without
    specifying show_missing, you'll need to explicitly set it to True to keep
    the same behavior. skip_covered used to default to False. It is now None,
    which doesn't change the behavior. This fixes issue 485_.
  • It's never been possible to pass a namespace module to one of the analysis
    functions, but now at least we raise a more specific error message, rather
    than getting confused. (issue 456_)
  • The coverage.process_startup function now returns the Coverage instance
    it creates, as suggested in issue 481_.
  • Make a small tweak to how we compare threads, to avoid buggy custom
    comparison code in thread classes. (issue 245_)

.. _issue 90:
.. _issue 245:
.. _issue 440:
.. _issue 456:
.. _issue 460:
.. _issue 469:
.. _issue 472:
.. _issue 475:
.. _issue 479:
.. _issue 481:
.. _issue 485:


  • Problems with the new branch measurement in 4.1 beta 1 were fixed:
  • Class docstrings were considered executable. Now they no longer are.
  • yield from and await were considered returns from functions, since
    they could tranfer control to the caller. This produced unhelpful "missing
    branch" reports in a number of circumstances. Now they no longer are
    considered returns.
  • In unusual situations, a missing branch to a negative number was reported.
    This has been fixed
Copy link

left a comment


@b-reich b-reich merged commit ac5fce5 into master Apr 16, 2017

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed

@b-reich b-reich deleted the pyup-initial-update branch Apr 17, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
2 participants
You can’t perform that action at this time.