Initial Update

[pyup-bot]

This is my first visit to this fine repo so I have bundled all updates in a single pull request to make things easier for you to merge.

Close this pull request and delete the branch if you want me to start with single pull requests right away

Here's the executive summary:

Updates

Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need.

chartkick	0.4.2	»	0.5.0	PyPI | Changelog | Repo
Flask	0.10.1	»	0.12	PyPI | Changelog | Repo
Flask-HTTPAuth	2.7.0	»	3.2.2	PyPI | Changelog | Repo | Docs
Flask-Login	0.3.2	»	0.4.0	PyPI | Changelog | Repo | Docs
Flask-SQLAlchemy	2.1	»	2.2	PyPI | Changelog | Repo | Docs
gunicorn	19.4.5	»	19.6.0	PyPI | Homepage
Jinja2	2.8	»	2.9.5	PyPI | Changelog | Homepage
psycopg2	2.6.1	»	2.7	PyPI | Changelog | Homepage | Docs
pygal	2.0.9	»	2.3.1	PyPI | Changelog | Homepage
PyMySQL	0.6.7	»	0.7.10	PyPI | Changelog | Repo
requests	2.8.1	»	2.13.0	PyPI | Changelog | Homepage
SQLAlchemy	1.0.9	»	1.1.6	PyPI | Homepage
Werkzeug	0.10.4	»	0.11.15	PyPI | Changelog | Homepage
wheel	0.24.0	»	0.29.0	PyPI | Changelog | Repo

Changelogs

Flask 0.10.1 -> 0.12

0.12

---

Released on December 21st 2016, codename Punsch.

• the cli command now responds to --version.
• Mimetype guessing and ETag generation for file-like objects in send_file
  has been removed, as per issue 104. See pull request 1849.
• Mimetype guessing in send_file now fails loudly and doesn't fall back to
  application/octet-stream. See pull request 1988.
• Make flask.safe_join able to join multiple paths like os.path.join
  (pull request 1730).
• Revert a behavior change that made the dev server crash instead of returning
  a Internal Server Error (pull request 2006).
• Correctly invoke response handlers for both regular request dispatching as
  well as error handlers.
• Disable logger propagation by default for the app logger.
• Add support for range requests in send_file.
• app.test_client includes preset default environment, which can now be
  directly set, instead of per client.get.

0.11.2

---

Bugfix release, unreleased

• Fix crash when running under PyPy3, see pull request 1814.

0.11.1

---

Bugfix release, released on June 7th 2016.

• Fixed a bug that prevented FLASK_APP=foobar/__init__.py from working. See
  pull request 1872.

0.11

---

Released on May 29th 2016, codename Absinthe.

• Added support to serializing top-level arrays to :func:flask.jsonify. This
  introduces a security risk in ancient browsers. See
  :ref:json-security for details.
• Added before_render_template signal.
• Added **kwargs to :meth:flask.Test.test_client to support passing
  additional keyword arguments to the constructor of
  :attr:flask.Flask.test_client_class.
• Added SESSION_REFRESH_EACH_REQUEST config key that controls the
  set-cookie behavior. If set to True a permanent session will be
  refreshed each request and get their lifetime extended, if set to
  False it will only be modified if the session actually modifies.
  Non permanent sessions are not affected by this and will always
  expire if the browser window closes.
• Made Flask support custom JSON mimetypes for incoming data.
• Added support for returning tuples in the form (response, headers)
  from a view function.
• Added :meth:flask.Config.from_json.
• Added :attr:flask.Flask.config_class.
• Added :meth:flask.Config.get_namespace.
• Templates are no longer automatically reloaded outside of debug mode. This
  can be configured with the new TEMPLATES_AUTO_RELOAD config key.
• Added a workaround for a limitation in Python 3.3's namespace loader.
• Added support for explicit root paths when using Python 3.3's namespace
  packages.
• Added :command:flask and the flask.cli module to start the local
  debug server through the click CLI system. This is recommended over the old
  flask.run() method as it works faster and more reliable due to a
  different design and also replaces Flask-Script.
• Error handlers that match specific classes are now checked first,
  thereby allowing catching exceptions that are subclasses of HTTP
  exceptions (in werkzeug.exceptions). This makes it possible
  for an extension author to create exceptions that will by default
  result in the HTTP error of their choosing, but may be caught with
  a custom error handler if desired.
• Added :meth:flask.Config.from_mapping.
• Flask will now log by default even if debug is disabled. The log format is
  now hardcoded but the default log handling can be disabled through the
  LOGGER_HANDLER_POLICY configuration key.
• Removed deprecated module functionality.
• Added the EXPLAIN_TEMPLATE_LOADING config flag which when enabled will
  instruct Flask to explain how it locates templates. This should help
  users debug when the wrong templates are loaded.
• Enforce blueprint handling in the order they were registered for template
  loading.
• Ported test suite to py.test.
• Deprecated request.json in favour of request.get_json().
• Add "pretty" and "compressed" separators definitions in jsonify() method.
  Reduces JSON response size when JSONIFY_PRETTYPRINT_REGULAR=False by removing
  unnecessary white space included by default after separators.
• JSON responses are now terminated with a newline character, because it is a
  convention that UNIX text files end with a newline and some clients don't
  deal well when this newline is missing. See
  Add JSONIFY_END_WITH_NEWLINE config variable pallets/flask#1262 -- this came up originally as a
  part of https://github.com/kennethreitz/httpbin/issues/168
• The automatically provided OPTIONS method is now correctly disabled if
  the user registered an overriding rule with the lowercase-version
  options (issue 1288).
• flask.json.jsonify now supports the datetime.date type (pull request
  1326).
• Don't leak exception info of already catched exceptions to context teardown
  handlers (pull request 1393).
• Allow custom Jinja environment subclasses (pull request 1422).
• flask.g now has pop() and setdefault methods.
• Turn on autoescape for flask.templating.render_template_string by default
  (pull request 1515).
• flask.ext is now deprecated (pull request 1484).
• send_from_directory now raises BadRequest if the filename is invalid on
  the server OS (pull request 1763).
• Added the JSONIFY_MIMETYPE configuration variable (pull request 1728).
• Exceptions during teardown handling will no longer leave bad application
  contexts lingering around.

0.10.2

---

(bugfix release, release date to be announced)

• Fixed broken test_appcontext_signals() test case.
• Raise an :exc:AttributeError in :func:flask.helpers.find_package with a
  useful message explaining why it is raised when a PEP 302 import hook is used
  without an is_package() method.
• Fixed an issue causing exceptions raised before entering a request or app
  context to be passed to teardown handlers.
• Fixed an issue with query parameters getting removed from requests in
  the test client when absolute URLs were requested.
• Made before_first_request into a decorator as intended.
• Fixed an etags bug when sending a file streams with a name.
• Fixed send_from_directory not expanding to the application root path
  correctly.
• Changed logic of before first request handlers to flip the flag after
  invoking. This will allow some uses that are potentially dangerous but
  should probably be permitted.
• Fixed Python 3 bug when a handler from app.url_build_error_handlers
  reraises the BuildError.

Flask-HTTPAuth 2.7.0 -> 3.2.2

3.2.2

• Validate authorization header in multi auth (51)

3.2.1

• Added __version__ to top-level package
• Added readme and license files to package

3.2.0

• Changed license to MIT
• Fix TCP Connection reset by peer error (39)

3.1.2

• Make password check more robust.

3.1.1

• MultiAuth class did not pass parameters to decorated function. (35)

3.1.0

• Added MultiAuth class, to allow the combination of multiple authentication methods.
• Added additional test for token authentication
• Added a few examples

3.0.2

• Invoke verify_password callback with no authentication when the provided authentication does not match the scheme

3.0.1

• Prevented crash when client sends an invalid authorization header for token auth

3.0.0

• Added token authentication support
• Switch Travis CI builds to use tox
• Refactored tests into separate test packages for each authentication method
• Added explicit Python 2 and 3 classifiers to setup script

2.7.1

• Correctly obtain nonce and opaque values in authenticate_header function
• Documentation updates

Flask-Login 0.3.2 -> 0.4.0

0.4.0

---

Released on October 26th, 2016

• Fixes OPTIONS exemption from login. 244
• Fixes use of MD5 by replacing with SHA512. 264
• BREAKING: The login_manager.token_handler function, get_auth_token method
  on the User class, and the utils.make_secure_token utility function have
  been removed to prevent users from creating insecure auth implementations.
  Use the Alternative Tokens example from the docs instead. 291

Flask-SQLAlchemy 2.1 -> 2.2

2.2

---

Released on February 27, 2017, codename Dubnium

• Minimum SQLAlchemy version is 0.8 due to use of sqlalchemy.inspect.
• Added support for custom query_class and model_class as args
  to the SQLAlchemy constructor. (328_)
• Allow listening to SQLAlchemy events on db.session. (364_)
• Allow __bind_key__ on abstract models. (373_)
• Allow SQLALCHEMY_ECHO to be a string. (409_)
• Warn when SQLALCHEMY_DATABASE_URI is not set. (443_)
• Don't let pagination generate invalid page numbers. (460_)
• Drop support of Flask < 0.10. This means the db session is always tied to
  the app context and its teardown event. (461_)
• Tablename generation logic no longer accesses class properties unless they
  are declared_attr. (467_)

.. _328: pallets-eco/flask-sqlalchemy#328
.. _364: pallets-eco/flask-sqlalchemy#364
.. _373: pallets-eco/flask-sqlalchemy#373
.. _409: pallets-eco/flask-sqlalchemy#409
.. _443: pallets-eco/flask-sqlalchemy#443
.. _460: pallets-eco/flask-sqlalchemy#460
.. _461: pallets-eco/flask-sqlalchemy#461
.. _467: pallets-eco/flask-sqlalchemy#467

Jinja2 2.8 -> 2.9.5

2.9.5

---

(bugfix release, released on January 28th 2017)

• Restored the original repr of the internal _GroupTuple because this
  caused issues with ansible and it was an unintended change. (654)
• Added back support for custom contexts that override the old resolve
  method since it was hard for people to spot that this could cause a
  regression.
• Correctly use the buffer for the else block of for loops. This caused
  invalid syntax errors to be caused on 2.x and completely wrong behavior
  on Python 3 (669)
• Resolve an issue where the {% extends %} tag could not be used with
  async environments. (668)
• Reduce memory footprint slightly by reducing our unicode database dump
  we use for identifier matching on Python 3 (666)
• Fixed autoescaping not working for macros in async compilation mode. (671)

2.9.4

---

(bugfix release, released on January 10th 2017)

• Solved some warnings for string literals. (646)
• Increment the bytecode cache version which was not done due to an
  oversight before.
• Corrected bad code generation and scoping for filtered loops. (649)
• Resolved an issue where top-level output silencing after known extend
  blocks could generate invalid code when blocks where contained in if
  statements. (651)
• Made the truncate.leeway default configurable to improve compatibility
  with older templates.

2.9.3

---

(bugfix release, released on January 8th 2017)

• Restored the use of blocks in macros to the extend that was possible
  before. On Python 3 it would render a generator repr instead of
  the block contents. (645)
• Set a consistent behavior for assigning of variables in inner scopes
  when the variable is also read from an outer scope. This now sets the
  intended behavior in all situations however it does not restore the
  old behavior where limited assignments to outer scopes was possible.
  For more information and a discussion see 641
• Resolved an issue where block scoped would not take advantage of the
  new scoping rules. In some more exotic cases a variable overriden in a
  local scope would not make it into a block.
• Change the code generation of the with statement to be in line with the
  new scoping rules. This resolves some unlikely bugs in edge cases. This
  also introduces a new internal With node that can be used by extensions.

2.9.2

---

(bugfix release, released on January 8th 2017)

• Fixed a regression that caused for loops to not be able to use the same
  variable for the target as well as source iterator. (640)
• Add support for a previously unknown behavior of macros. It used to be
  possible in some circumstances to explicitly provide a caller argument
  to macros. While badly buggy and unintended it turns out that this is a
  common case that gets copy pasted around. To not completely break backwards
  compatibility with the most common cases it's now possible to provide an
  explicit keyword argument for caller if it's given an explicit default.
  (642)

2.9.1

---

(bugfix release, released on January 7th 2017)

• Resolved a regression with call block scoping for macros. Nested caller
  blocks that used the same identifiers as outer macros could refer to the
  wrong variable incorrectly.

2.9

---

(codename Derivation, released on January 7th 2017)

• Change cache key definition in environment. This fixes a performance
  regression introduced in 2.8.
• Added support for generator_stop on supported Python versions
  (Python 3.5 and later)
• Corrected a long standing issue with operator precedence of math operations
  not being what was expected.
• Added support for Python 3.6 async iterators through a new async mode.
• Added policies for filter defaults and similar things.
• urlize now sets "rel noopener" by default.
• Support attribute fallback for old-style classes in 2.x.
• Support toplevel set statements in extend situations.
• Restored behavior of Cycler for Python 3 users.
• Subtraction now follows the same behavior as other operators on undefined
  values.
• map and friends will now give better error messages if you forgot to
  quote the parameter.
• Depend on MarkupSafe 0.23 or higher.
• Improved the truncate filter to support better truncation in case
  the string is barely truncated at all.
• Change the logic for macro autoescaping to be based on the runtime
  autoescaping information at call time instead of macro define time.
• Ported a modified version of the tojson filter from Flask to Jinja2
  and hooked it up with the new policy framework.
• Block sets are now marked safe by default.
• On Python 2 the asciification of ASCII strings can now be disabled with
  the compiler.ascii_str policy.
• Tests now no longer accept an arbitrary expression as first argument but
  a restricted one. This means that you can now properly use multiple
  tests in one expression without extra parentheses. In particular you can
  now write foo is divisibleby 2 or foo is divisibleby 3
  as you would expect.
• Greatly changed the scoping system to be more consistent with what template
  designers and developers expect. There is now no more magic difference
  between the different include and import constructs. Context is now always
  propagated the same way. The only remaining differences is the defaults
  for with context and without context.
• The with and autoescape tags are now built-in.
• Added the new select_autoescape function which helps configuring better
  autoescaping easier.

2.8.2

---

(bugfix release, unreleased)

• Fixed a runtime error in the sandbox when attributes of async generators
  were accessed.

2.8.1

---

(bugfix release, released on December 29th 2016)

• Fixed the for_qs flag for urlencode.
• Fixed regression when applying int to non-string values.
• SECURITY: if the sandbox mode is used format expressions are now sandboxed
  with the same rules as in Jinja. This solves various information leakage
  problems that can occur with format strings.

psycopg2 2.6.1 -> 2.7

2.7

---

New features:

• Added ~psycopg2.sql module to generate SQL dynamically (:ticket:308).
• Added :ref:replication-support (:ticket:322). Main authors are
  Oleksandr Shulgin and Craig Ringer, who deserve a huge thank you.
• Added ~psycopg2.extensions.parse_dsn() and
  ~psycopg2.extensions.make_dsn() functions (:tickets:321, 363).
  ~psycopg2.connect() now can take both dsn and keyword arguments, merging
  them together.
• Added ~psycopg2.__libpq_version__ and
  ~psycopg2.extensions.libpq_version() to inspect the version of the
  libpq library the module was compiled/loaded with
  (:tickets:35, 323).
• The attributes ~connection.notices and ~connection.notifies can be
  customized replacing them with any object exposing an !append() method
  (:ticket:326).
• Adapt network types to ipaddress objects when available. When not
  enabled, convert arrays of network types to lists by default. The old !Inet
  adapter is deprecated (:tickets:317, 343, 387).
• Added ~psycopg2.extensions.quote_ident() function (:ticket:359).
• Added ~connection.get_dsn_parameters() connection method (:ticket:364).
• ~cursor.callproc() now accepts a dictionary of parameters (:ticket:381).
• Give precedence to !__conform__() over superclasses to choose an object
  adapter (:ticket:456).
• Using Python C API decoding functions and codecs caching for faster
  unicode encoding/decoding (:ticket:473).
• ~cursor.executemany() slowness addressed by
  ~psycopg2.extras.execute_batch() and ~psycopg2.extras.execute_values()
  (:ticket:491).
• Added async_ as an alias for async to support Python 3.7 where
  async will become a keyword (:ticket:495).
• Unless in autocommit, do not use :sql:default_transaction_* settings to
  control the session characteristics as it may create problems with external
  connection pools such as pgbouncer; use :sql:BEGIN options instead
  (:ticket:503).
• ~connection.isolation_level is now writable and entirely separated from
  ~connection.autocommit; added ~connection.readonly,
  ~connection.deferrable writable attributes.

Bug fixes:

• Fixed error caused by missing decoding ~psycopg2.extras.LoggingConnection
  (:ticket:483).
• Fixed integer overflow in :sql:interval seconds (:ticket:512).

Other changes:

• Dropped support for Python 2.5 and 3.1.
• Dropped support for client library older than PostgreSQL 9.1 (but older
  server versions are still supported).
• ~connection.isolation_level doesn't read from the database but will return
  ~psycopg2.extensions.ISOLATION_LEVEL_DEFAULT if no value was set on the
  connection.
• Empty arrays no more converted into lists if they don't have a type attached
  (:ticket:506)

2.6.3

^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Throw an exception trying to pass NULL chars as parameters
  (:ticket:420).
• Make ~psycopg2.extras.Range objects picklable (:ticket:462).

2.6.2

^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Report the server response status on errors (such as 🎫281).
• Raise !NotSupportedError on unhandled server response status
  (:ticket:352).
• Allow overriding string adapter encoding with no connection (:ticket:331).
• The ~psycopg2.extras.wait_select callback allows interrupting a
  long-running query in an interactive shell using :kbd:Ctrl-C
  (:ticket:333).
• Fixed !PersistentConnectionPool on Python 3 (:ticket:348).
• Fixed segfault on repr() of an unitialized connection (:ticket:361).
• Allow adapting bytes using QuotedString on Python 3 too (:ticket:365).
• Added support for setuptools/wheel (:ticket:370).
• Fix build on Windows with Python 3.5, VS 2015 (:ticket:380).
• Fixed !errorcodes.lookup initialization thread-safety (:ticket:382).
• Fixed !read() exception propagation in copy_from (:ticket:412).
• Fixed possible NULL TZ decref (:ticket:424).
• ~psycopg2.errorcodes map updated to PostgreSQL 9.5.

pygal 2.0.9 -> 2.3.1

2.3.1

=====

This is a micro release and I have very little time on my hands right now sorry

• Fix crash with no values when the print_values_position param is set (thanks cristen)

2.3.0

=====

• New call API: chart = Line(fill=True); chart.add('title', [1, 3, 12]); chart.render() can now be replaced with Line(fill=True)(1, 3, 12, title='title').render()
• Drop python 2.6 support

2.2.3

=====

• Fix bar static value positioning (315)
• Add stroke_opacity style (321)
• Remove useless js in sparklines. (312)

2.2.2

=====

• Add classes option.
• Handle ellipsis in list type configs to auto-extend parent. (Viva python3)

2.2.0

=====

• Support interruptions in line charts (thanks piotrmaslanka 300)
• Fix confidence interval reactiveness (thanks chartique 296)
• Add horizontal line charts (thanks chartique 301)
• There is now a formatter config option to format values as specified. The formatter callable may or may not take chart, serie and index as argument. The default value formatting is now chart dependent and is value_formatter for most graph but could be a combination of value_formatter and x_value_formatter for dual charts.
• The human_readable option has been removed. Now you have to use the pygal.formatters.human_readable formatter (value_formatter=human_readable instead of human_readable=True)
• New chart type: SolidGauge (thanks chartique 295)
• Fix range option for some Charts (297 298)
• Fix timezones for DateTimeLine for python 2 (306, 302)
• Set default uri protocol to https (should fix a lot of "no tooltips" bugs).

2.1.1

=====

• Import scipy as a last resort in stats.py (should workaround bugs like 294 if scipy is installed but not used)

2.1.0

=====

• Bar print value positioning with print_values_position. Can be top, center or bottom (thanks chartique 291) ci doc <documentation/configuration/value.htmlconfidence-intervals>_
• Confidence intervals (thanks chartique 292) data doc <documentation/configuration/data.htmlprint-values-position>_

2.0.12

======

• Use custom xml_declaration avoiding conflict with processing instructions

2.0.11

======

• lxml 3.5 compatibility (282)

2.0.10

======

• Fix transposable_node in case all attributes are not there. (thanks yobuntu).

PyMySQL 0.6.7 -> 0.7.10

0.7.10

Release date: 2017-02-14

• SECURITY FIX: Raise RuntimeError when received LOAD_LOCAL packet while
  loacal_infile=False. (Thanks to Bryan Helmig)

• Raise SERVER_LOST error for MariaDB's shutdown packet (540)

• Change default connect_timeout to 10.

• Add bind_address option (529)

0.7.9

Release date: 2016-09-03

• Fix PyMySQL stop reading rows when first column is empty string (513)
  Reverts DEPRECATE_EOF introduced in 0.7.7.

0.7.8

Release date: 2016-09-01

• Revert error message change in 0.7.7.
  (SQLAlchemy parses error message, 507)

0.7.7

Release date: 2016-08-30

• Add new unicode collation (498)
• Fix conv option is not used for encoding objects.
• Experimental support for DEPRECATE_EOF protocol.

0.7.6

Release date: 2016-07-29

• Fix SELECT JSON type cause UnicodeError
• Avoid float convertion while parsing microseconds
• Warning has number
• SSCursor supports warnings

0.7.5

Release date: 2016-06-28

• Fix exception raised while importing when getpwuid() fails (472)
• SSCursor supports LOAD DATA LOCAL INFILE (473)
• Fix encoding error happen for JSON type (477)
• Fix test fail on Python 2.7 and MySQL 5.7 (478)

0.7.4

Release date: 2016-05-26

• Fix AttributeError may happen while Connection.del (463)
• Fix SyntaxError in test_cursor. (464)
• frozenset support for query value. (461)
• Start using readthedocs.io

0.7.3

Release date: 2016-05-19

• Add read_timeout and write_timeout option.
• Support serialization customization by conv option.
• Unknown type is converted by str(), for MySQLdb compatibility.
• Support '%%' in Cursor.executemany()
• Support REPLACE statement in Cursor.executemany()
• Fix handling incomplete row caused by 'SHOW SLAVE HOSTS'.
• Fix decode error when use_unicode=False on PY3
• Fix port option in my.cnf file is ignored.

0.7.2

Release date: 2016-02-24

• Fix misuse of max_allowed_packet parameter. (426, 407 and 397)
• Add %(name)s plceholder support to Cursor.executemany(). (427, thanks to
  WorldException)

0.7.1

Release date: 2016-01-14

• Fix auth fail with MySQL 5.1
• Fix escaping unicode fails on Python 2

0.7

Release date: 2016-01-10

• Faster binary escaping
• Add "_binary" prefix to string literal for binary types.
  binary types are: bytearray on Python 2, bytes and bytearray on Python 3.
  This is because recent MySQL show warnings when string literal is invalid for
  connection encoding.
• pymysql.Binary() returns bytearray on Python 2. This is required to distinguish
  binary and string.
• Auth plugin support.
• no_delay option is ignored. It will be removed in PyMySQL 0.8.

requests 2.8.1 -> 2.13.0

2.13.0

+++++++++++++++++++

Features

• Only load the idna library when we've determined we need it. This will
  save some memory for users.

Miscellaneous

• Updated bundled urllib3 to 1.20.
• Updated bundled idna to 2.2.

2.12.5

+++++++++++++++++++

Bugfixes

• Fixed an issue with JSON encoding detection, specifically detecting
  big-endian UTF-32 with BOM.

2.12.4

+++++++++++++++++++

Bugfixes

• Fixed regression from 2.12.2 where non-string types were rejected in the
  basic auth parameters. While support for this behaviour has been readded,
  the behaviour is deprecated and will be removed in the future.

2.12.3

+++++++++++++++++++

Bugfixes

• Fixed regression from v2.12.1 for URLs with schemes that begin with "http".
  These URLs have historically been processed as though they were HTTP-schemed
  URLs, and so have had parameters added. This was removed in v2.12.2 in an
  overzealous attempt to resolve problems with IDNA-encoding those URLs. This
  change was reverted: the other fixes for IDNA-encoding have been judged to
  be sufficient to return to the behaviour Requests had before v2.12.0.

2.12.2

+++++++++++++++++++

Bugfixes

• Fixed several issues with IDNA-encoding URLs that are technically invalid but
  which are widely accepted. Requests will now attempt to IDNA-encode a URL if
  it can but, if it fails, and the host contains only ASCII characters, it will
  be passed through optimistically. This will allow users to opt-in to using
  IDNA2003 themselves if they want to, and will also allow technically invalid
  but still common hostnames.
• Fixed an issue where URLs with leading whitespace would raise
  InvalidSchema errors.
• Fixed an issue where some URLs without the HTTP or HTTPS schemes would still
  have HTTP URL preparation applied to them.
• Fixed an issue where Unicode strings could not be used in basic auth.
• Fixed an issue encountered by some Requests plugins where constructing a
  Response object would cause Response.content to raise an
  AttributeError.

2.12.1

+++++++++++++++++++

Bugfixes

• Updated setuptools 'security' extra for the new PyOpenSSL backend in urllib3.

Miscellaneous

• Updated bundled urllib3 to 1.19.1.

2.12.0

+++++++++++++++++++

Improvements

• Updated support for internationalized domain names from IDNA2003 to IDNA2008.
  This updated support is required for several forms of IDNs and is mandatory
  for .de domains.
• Much improved heuristics for guessing content lengths: Requests will no
  longer read an entire StringIO into memory.
• Much improved logic for recalculating Content-Length headers for
  PreparedRequest objects.
• Improved tolerance for file-like objects that have no tell method but
  do have a seek method.
• Anything that is a subclass of Mapping is now treated like a dictionary
  by the data= keyword argument.
• Requests now tolerates empty passwords in proxy credentials, rather than
  stripping the credentials.
• If a request is made with a file-like object as the body and that request is
  redirected with a 307 or 308 status code, Requests will now attempt to
  rewind the body object so it can be replayed.

Bugfixes

• When calling response.close, the call to close will be propagated
  through to non-urllib3 backends.
• Fixed issue where the ALL_PROXY environment variable would be preferred
  over scheme-specific variables like HTTP_PROXY.
• Fixed issue where non-UTF8 reason phrases got severely mangled by falling
  back to decoding using ISO 8859-1 instead.
• Fixed a bug where Requests would not correctly correlate cookies set when
  using custom Host headers if those Host headers did not use the native
  string type for the platform.

Miscellaneous

• Updated bundled urllib3 to 1.19.
• Updated bundled certifi certs to 2016.09.26.

2.11.1

+++++++++++++++++++

Bugfixes

• Fixed a bug when using iter_content with decode_unicode=True for
  streamed bodies would raise AttributeError. This bug was introduced in
  2.11.
• Strip Content-Type and Transfer-Encoding headers from the header block when
  following a redirect that transforms the verb from POST/PUT to GET.

2.11.0

+++++++++++++++++++

Improvements

• Added support for the ALL_PROXY environment variable.
• Reject header values that contain leading whitespace or newline characters to
  reduce risk of header smuggling.

Bugfixes

• Fixed occasional TypeError when attempting to decode a JSON response that
  occurred in an error case. Now correctly returns a ValueError.
• Requests would incorrectly ignore a non-CIDR IP address in the NO_PROXY
  environment variables: Requests now treats it as a specific IP.
• Fixed a bug when sending JSON data that could cause us to encounter obscure
  OpenSSL errors in certain network conditions (yes, really).
• Added type checks to ensure that iter_content only accepts integers and
  None for chunk sizes.
• Fixed issue where responses whose body had not been fully consumed would have
  the underlying connection closed but not returned to the connection pool,
  which could cause Requests to hang in situations where the HTTPAdapter
  had been configured to use a blocking connection pool.

Miscellaneous

• Updated bundled urllib3 to 1.16.
• Some previous releases accidentally accepted non-strings as acceptable header values. This release does not.

2.10.0

+++++++++++++++++++

New Features

• SOCKS Proxy Support! (requires PySocks; $ pip install requests[socks])

Miscellaneous

• Updated bundled urllib3 to 1.15.1.

2.9.2

++++++++++++++++++

Improvements

• Change built-in CaseInsensitiveDict (used for headers) to use OrderedDict
  as its underlying datastore.

Bugfixes

• Don't use redirect_cache if allow_redirects=False
• When passed objects that throw exceptions from tell(), send them via
  chunked transfer encoding instead of failing.
• Raise a ProxyError for proxy related connection issues.

2.9.1

++++++++++++++++++

Bugfixes

• Resolve regression introduced in 2.9.0 that made it impossible to send binary
  strings as bodies in Python 3.
• Fixed errors when calculating cookie expiration dates in certain locales.

Miscellaneous

• Updated bundled urllib3 to 1.13.1.

2.9.0

++++++++++++++++++

Minor Improvements (Backwards compatible)

• The verify keyword argument now supports being passed a path to a
  directory of CA certificates, not just a single-file bundle.
• Warnings are now emitted when sending files opened in text mode.
• Added the 511 Network Authentication Required status code to the status code
  registry.

Bugfixes

• For file-like objects that are not seeked to the very beginning, we now
  send the content length for the number of bytes we will actually read, rather
  than the total size of the file, allowing partial file uploads.
• When uploading file-like objects, if they are empty or have no obvious
  content length we set Transfer-Encoding: chunked rather than
  Content-Length: 0.
• We correctly receive the response in buffered mode when uploading chunked
  bodies.
• We now handle being passed a query string as a bytestring on Python 3, by
  decoding it as UTF-8.
• Sessions are now closed in all cases (exceptional and not) when using the
  functional API rather than leaking and waiting for the garbage collector to
  clean them up.
• Correctly handle digest auth headers with a malformed qop directive that
  contains no token, by treating it the same as if no qop directive was
  provided at all.
• Minor performance improvements when removing specific cookies by name.

Miscellaneous

• Updated urllib3 to 1.13.

Werkzeug 0.10.4 -> 0.11.15

0.11.14

---

Released on December 30th 2016.

• Check if platform can fork before importing ForkingMixIn, raise exception
  when creating ForkingWSGIServer on such a platform, see PR 999.

0.11.13

---

Released on December 26th 2016.

• Correct fix for the reloader issuer on certain Windows installations.

0.11.12

---

Released on December 26th 2016.

• Fix more bugs in multidicts regarding empty lists. See 1000.
• Add some docstrings to some EnvironBuilder properties that were previously
  unintentionally missing.
• Added a workaround for the reloader on windows.

0.11.11

---

Released on August 31st 2016.

• Fix JSONRequestMixin for Python3. See 731
• Fix broken string handling in test client when passing integers. See 852
• Fix a bug in parse_options_header where an invalid content type
  starting with comma or semi-colon would result in an invalid return value,
  see issue 995.
• Fix a bug in multidicts when passing empty lists as values, see issue
  979.
• Fix a security issue that allows XSS on the Werkzeug debugger. See 1001.

0.11.10

---

Released on May 24th 2016.

• Fixed a bug that occurs when running on Python 2.6 and using a broken locale.
  See pull request 912.
• Fixed a crash when running the debugger on Google App Engine. See issue 925.
• Fixed an issue with multipart parsing that could cause memory exhaustion.

0.11.9

---

Released on April 24th 2016.

• Corrected an issue that caused the debugger not to use the
  machine GUID on POSIX systems.
• Corrected a Unicode error on Python 3 for the debugger's
  PIN usage.
• Corrected the timestamp verification in the pin debug code.
  Without this fix the pin was remembered for too long.

0.11.8

---

Released on April 15th 2016.

• fixed a problem with the machine GUID detection code on OS X
  on Python 3.

0.11.7

---

Released on April 14th 2016.

• fixed a regression on Python 3 for the debugger.

0.11.6

---

Released on April 14th 2016.

• werkzeug.serving: Still show the client address on bad requests.
• improved the PIN based protection for the debugger to make it harder to
  brute force via trying cookies. Please keep in mind that the debugger
  is not intended for running on production environments
• increased the pin timeout to a week to make it less annoying for people
  which should decrease the chance that users disable the pin check
  entirely.
• werkzeug.serving: Fix broken HTTP_HOST when path starts with double slash.

0.11.5

---

Released on March 22nd 2016.

• werkzeug.serving: Fix crash when attempting SSL connection to HTTP server.

0.11.4

---

Released on February 14th 2016.

• Fixed werkzeug.serving not working from -m flag.
• Fixed incorrect weak etag handling.

0.11.3

---

Released on December 20th 2015.

• Fixed an issue with copy operations not working against
  proxies.
• Changed the logging operations of the development server to
  correctly log where the server is running in all situations
  again.
• Fixed another regression with SSL wrapping similar to the
  fix in 0.11.2 but for a different code path.

0.11.2

---

Released on November 12th 2015.

• Fix inheritable sockets on Windows on Python 3.
• Fixed an issue with the forking server not starting any longer.
• Fixed SSL wrapping on platforms that supported opening sockets
  by file descriptor.
• No longer log from the watchdog reloader.
• Unicode errors in hosts are now better caught or converted into
  bad request errors.

0.11.1

---

Released on November 10th 2015.

• Fixed a regression on Python 3 in the debugger.

0.11

---

Released on November 8th 2015, codename Gleisbaumaschine.

• Added reloader_paths option to run_simple and other functions in
  werkzeug.serving. This allows the user to completely override the Python
  module watching of Werkzeug with custom paths.
• Many custom cached properties of Werkzeug's classes are now subclasses of
  Python's property type (issue 616).
• bind_to_environ now doesn't differentiate between implicit and explicit
  default port numbers in HTTP_HOST (pull request 204).
• BuildErrors are now more informative. They come with a complete sentence
  as error message, and also provide suggestions (pull request 691).
• Fix a bug in the user agent parser where Safari's build number instead of
  version would be extracted (pull request 703).
• Fixed issue where RedisCache set_many was broken for twemproxy, which doesn't
  support the default MULTI command (pull request 702).
• mimetype parameters on request and response classes are now always
  converted to lowercase.
• Changed cache so that cache never expires if timeout is 0. This also fixes
  an issue with redis setex (issue 550)
• Werkzeug now assumes UTF-8 as filesystem encoding on Unix if Python
  detected it as ASCII.
• New optional has method on caches.
• Fixed various bugs in parse_options_header (pull request 643).
• If the reloader is enabled the server will now open the socket in the parent
  process if this is possible. This means that when the reloader kicks in
  the connection from client will wait instead of tearing down. This does
  not work on all Python versions.
• Implemented PIN based authentication for the debugger. This can optionally
  be disabled but is discouraged. This change was necessary as it has been
  discovered that too many people run the debugger in production.
• Devserver no longer requires SSL module to be installed.

0.10.5

---

(bugfix release, release date yet to be decided)

• Reloader: Correctly detect file changes made by moving temporary files over
  the original, which is e.g. the case with PyCharm (pull request 722).
• Fix bool behavior of werkzeug.datastructures.ETags under Python 3 (issue
  744).

wheel 0.24.0 -> 0.29.0

0.29.0

======

• Fix compression type of files in archive (Issue 155, Pull Request 62,
  thanks Xavier Fernandez)

0.28.0

======

• Fix file modes in archive (Issue 154)

0.27.0

======

• Support forcing a platform tag using --plat-name on pure-Python wheels, as
  well as nonstandard platform tags on non-pure wheels (Pull Request 60, Issue
  144, thanks Andrés Díaz)
• Add SOABI tags to platform-specific wheels built for Python 2.X (Pull Request
  55, Issue 63, Issue 101)
• Support reproducible wheel files, wheels that can be rebuilt and will hash to
  the same values as previous builds (Pull Request 52, Issue 143, thanks
  Barry Warsaw)
• Support for changes in keyring >= 8.0 (Pull Request 61, thanks Jason R.
  Coombs)
• Use the file context manager when checking if dependency_links.txt is empty,
  fixes problems building wheels under PyPy on Windows (Issue 150, thanks
  Cosimo Lupo)
• Don't attempt to (recursively) create a build directory ending with ..
  (invalid on all platforms, but code was only executed on Windows) (Issue 91)
• Added the PyPA Code of Conduct (Pull Request 56)

0.26.0

======

• Fix multiple entrypoint comparison failure on Python 3 (Issue 148)

0.25.0

======

• Add Python 3.5 to tox configuration
• Deterministic (sorted) metadata
• Fix tagging for Python 3.5 compatibility
• Support py2-none-'arch' and py3-none-'arch' tags
• Treat data-only wheels as pure
• Write to temporary file and rename when using wheel install --force

Once you have closed this pull request, I'll create seperate pull requests for every update as soon as I find them.

That's it for now!

Happy merging! 🤖