
Initial Update #100

Merged
merged 2 commits into from Jul 10, 2017

pyup-bot
Contributor

This is my first visit to this fine repo so I have bundled all updates in a single pull request to make things easier for you to merge.

Close this pull request and delete the branch if you want me to start with single pull requests right away.

Here's the executive summary:

Updates

Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need.

pyramid 1.5.1 » 1.9 PyPI | Changelog | Homepage
waitress 0.8.9 » 1.0.2 PyPI | Changelog | Repo

Changelogs

pyramid 1.5.1 -> 1.9

1.9

================

  • No major changes from 1.9b1.
  • Updated documentation links for docs.pylonsproject.org to use HTTPS.

1.9b1

==================

  • Support _query=None and _anchor=None in request.route_url as well
    as query=None and anchor=None in request.resource_url.
    Previously this would cause a ? and a #, respectively, in the url
    with nothing after it. Now the unnecessary parts are dropped from the
    generated URL. See refactor parse_url_overrides Pylons/pyramid#3034

1.9a2

==================

Backward Incompatibilities

  • request.exception and request.exc_info will only be set if the
    response was generated by the EXCVIEW tween. This is to avoid any confusion
    where a response was generated elsewhere in the pipeline and not in
    direct relation to the original exception. If anyone upstream wants to
    catch and render responses for exceptions they should set
    request.exception and request.exc_info themselves to indicate
    the exception that was squashed when generating the response.

Similar behavior occurs with request.invoke_exception_view in which
the exception properties are set to reflect the exception if a response
is successfully generated by the method.

This is a very minor incompatibility. Most tweens right now would give
priority to the raised exception and ignore request.exception. This
change just improves and clarifies that bookkeeping by trying to be
more clear about the relationship between the response and its squashed
exception. See Pylons/pyramid#3029 and
Pylons/pyramid#3031

1.9a1

==================

Major Features

  • The file format used by all p* command line scripts such as pserve
    and pshell, as well as the pyramid.paster.bootstrap function
    is now replaceable thanks to a new dependency on
    plaster <https://docs.pylonsproject.org/projects/plaster/en/latest/>_.

For now, Pyramid is still shipping with integrated support for the
PasteDeploy INI format by depending on the
plaster_pastedeploy <https://github.com/Pylons/plaster_pastedeploy>_
binding library. This may change in the future.

See Pylons/pyramid#2985

  • Added an execution policy hook to the request pipeline. An execution
    policy has the ability to control creation and execution of the request
    objects before they enter the rest of the pipeline. This means for a single
    request environ the policy may create more than one request object.

The first library to use this feature is
pyramid_retry <https://docs.pylonsproject.org/projects/pyramid-retry/en/latest/>_.

See Pylons/pyramid#2964

  • CSRF support has been refactored out of sessions and into its own
    independent API in the pyramid.csrf module. It supports a pluggable
    pyramid.interfaces.ICSRFStoragePolicy which can be used to define your
    own mechanism for generating and validating CSRF tokens. By default,
    Pyramid continues to use the pyramid.csrf.LegacySessionCSRFStoragePolicy
    that uses the request.session.get_csrf_token and
    request.session.new_csrf_token APIs under the hood to preserve
    compatibility. Two new policies are shipped as well,
    pyramid.csrf.SessionCSRFStoragePolicy and
    pyramid.csrf.CookieCSRFStoragePolicy which will store the CSRF tokens
    in the session and in a standalone cookie, respectively. The storage policy
    can be changed by using the new
    pyramid.config.Configurator.set_csrf_storage_policy config directive.

CSRF tokens should be used via the new pyramid.csrf.get_csrf_token,
pyramid.csrf.new_csrf_token and pyramid.csrf.check_csrf_token APIs
in order to continue working if the storage policy is changed. Also, the
pyramid.csrf.get_csrf_token function is injected into templates to be
used conveniently in UI code.

See Pylons/pyramid#2854 and
Pylons/pyramid#3019

Minor Features

  • Support an open_url config setting in the pserve section of the
    config file. This url is used to open a web browser when pserve --browser
    is invoked. When this setting is unavailable the pserve script will
    attempt to guess the port the server is using from the
    server:<server_name> section of the config file but there is no
    requirement that the server is being run in this format so it may fail.
    See pserve open_url config setting Pylons/pyramid#2984
  • The pyramid.config.Configurator can now be used as a context manager
    which will automatically push/pop threadlocals (similar to
    config.begin() and config.end()). It will also automatically perform
    a config.commit() and thus it is only recommended to be used at the
    top-level of your app. See turn the Configurator into a context manager Pylons/pyramid#2874
  • The threadlocals are now available inside any function invoked via
    config.include. This means the only config-time code that cannot rely
    on threadlocals is code executed from non-actions inside the main. This
    can be alleviated by invoking config.begin() and config.end()
    appropriately or using the new context manager feature of the configurator.
    See push threadlocals while executing config.include functions Pylons/pyramid#2989

Bug Fixes

Deprecations

  • Pyramid currently depends on plaster_pastedeploy to simplify the
    transition to plaster by maintaining integrated support for INI files.
    This dependency on plaster_pastedeploy should be considered subject to
    Pyramid's deprecation policy and may be removed in the future.
    Applications should depend on the appropriate plaster binding to satisfy
    their needs.
  • Retrieving CSRF token from the session has been deprecated in favor of
    equivalent methods in the pyramid.csrf module. The CSRF methods
    (ISession.get_csrf_token and ISession.new_csrf_token) are no longer
    required on the ISession interface except when using the default
    pyramid.csrf.LegacySessionCSRFStoragePolicy.

Also, pyramid.session.check_csrf_token is now located at
pyramid.csrf.check_csrf_token.

See Pylons/pyramid#2854 and
Pylons/pyramid#3019

Documentation Changes

1.8

================

  • No major changes from 1.8b1.

1.8b1

==================

Features

Documentation Changes

1.8a1

==================

Backward Incompatibilities

  • Following the Pyramid deprecation period (1.6 -> 1.8),
    daemon support for pserve has been removed. This includes removing the
    daemon commands (start, stop, restart, status) as well as the following
    arguments: --daemon, --pid-file, --log-file,
    --monitor-restart, --status, --user, --group,
    --stop-daemon

To run your server as a daemon you should use a process manager instead of
pserve.

See Pylons/pyramid#2615

  • Change static view to avoid setting the Content-Encoding response header
    to an encoding guessed using Python's mimetypes module. This was causing
    clients to decode the content of gzipped files when downloading them. The
    client would end up with a foo.txt.gz file on disk that was already
    decoded, thus should really be foo.txt. Also, the Content-Encoding
    should only have been used if the client itself broadcast support for the
    encoding via Accept-Encoding request headers.
    See Avoid setting Content-Encoding header for static view responses. Pylons/pyramid#2810

Features

  • The _get_credentials private method of BasicAuthAuthenticationPolicy
    has been extracted into standalone function extract_http_basic_credentials
    in pyramid.authentication module, this function extracts HTTP Basic
    credentials from a request object, and returns them as a named tuple.
    See ref #2659 public HTTP Basic credentials extraction Pylons/pyramid#2662
  • Added pyramid.config.Configurator.add_exception_view and the
    pyramid.view.exception_view_config decorator. It is now possible using
    these methods or via the new exception_only=True option to add_view
    to add a view which will only be matched when handling an exception.
    Previously any exception views were also registered for a traversal
    context that inherited from the exception class which prevented any
    exception-only optimizations.
    See Exception-only option when registering views Pylons/pyramid#2660
  • Added the exception_only boolean to
    pyramid.interfaces.IViewDeriverInfo which can be used by view derivers
    to determine if they are wrapping a view which only handles exceptions.
    This means that it is no longer necessary to perform request-time checks
    for request.exception to determine if the view is handling an exception -
    the pipeline can be optimized at config-time.
    See Exception-only option when registering views Pylons/pyramid#2660
  • pserve --reload now uses the
    hupper <http://docs.pylonsproject.org/projects/hupper/en/latest/>
    library to monitor file changes. This comes with many improvements:
      • If the watchdog <http://pythonhosted.org/watchdog/>_ package is
        installed then monitoring will be done using inotify instead of
        cpu and disk-intensive polling.
      • The monitor is now a separate process that will not crash and starts up
        before any of your code.
      • The monitor will not restart the process after a crash until a file is
        saved.
      • The monitor works on Windows.
      • You can now trigger a reload manually from a pyramid view or any other
        code via hupper.get_reloader().trigger_reload(). Kind of neat.
      • You can trigger a reload by issuing a SIGHUP to the monitor process.

See Pylons/pyramid#2805

  • Allow streaming responses to be made from subclasses of
    pyramid.httpexceptions.HTTPException. Previously the response would
    be unrolled while testing for a body, making it impossible to stream
    a response.
    See Bugfix: streaming exceptions Pylons/pyramid#2863
  • config.begin() will propagate the current threadlocal request through
    as long as the registry is the same. For example:

.. code-block:: python

    from pyramid.request import Request
    from pyramid.threadlocal import get_current_request

    request = Request.blank(...)
    config.begin(request)  # pushes a request
    config.begin()         # propagates the previous request through unchanged
    assert get_current_request() is request

See Pylons/pyramid#2873

Bug Fixes

  • Fix a RuntimeWarning emitted by WebOb when using arbitrary objects
    as the userid in the AuthTktAuthenticationPolicy. This is now caught
    by the policy and the object is serialized as a base64 string to avoid
    the cryptic warning. Since the userid will be read back as a string on
    subsequent requests a more useful warning is emitted encouraging you to
    use a primitive type instead.
    See Fix AuthTktCookieHelper so that it doesn't create bad cookies Pylons/pyramid#2715
  • Pyramid 1.6 introduced the ability for an action to invoke another action.
    There was a bug in the way that config.add_view would interact with
    custom view derivers introduced in Pyramid 1.7 because the view's
    discriminator cannot be computed until view derivers and view predicates
    have been created in earlier orders. Invoking an action from another action
    would trigger an unrolling of the pipeline and would compute discriminators
    before they were ready. The new behavior respects the order of the action
    and ensures the discriminators are not computed until dependent actions
    from previous orders have executed.
    See handle deferred discriminators when using re-entrant actions Pylons/pyramid#2757

Deprecations

  • The pcreate script and related scaffolds have been deprecated in favor
    of the popular
    cookiecutter <https://cookiecutter.readthedocs.io/en/latest/>_ project.

All of Pyramid's official scaffolds as well as the tutorials have been
ported to cookiecutters:

  • pyramid-cookiecutter-starter <https://github.com/Pylons/pyramid-cookiecutter-starter>_
  • pyramid-cookiecutter-alchemy <https://github.com/Pylons/pyramid-cookiecutter-alchemy>_
  • pyramid-cookiecutter-zodb <https://github.com/Pylons/pyramid-cookiecutter-zodb>_

See Pylons/pyramid#2780

Documentation Changes

  • The SQLAlchemy + URL Dispatch + Jinja2 (wiki2) and
    ZODB + Traversal + Chameleon (wiki) tutorials have been updated to
    utilize the new cookiecutters and drop support for the pcreate
    scaffolds.

See Pylons/pyramid#2881 and
Pylons/pyramid#2883.

1.7

================

1.7b4

==================

  • Exposed the pyramid.interfaces.IRequestFactory interface to mirror
    the public pyramid.interfaces.IResponseFactory interface.

1.7b3

==================

  • Add linkcheck to Makefile for Sphinx. To check the documentation for
    broken links, use the command make linkcheck SPHINXBUILD=$VENV/bin/sphinx-build. Also removed and fixed dozens of broken
    external links.

1.7b2

==================

  • A default permission set via config.set_default_permission will no
    longer be enforced on an exception view. This has been the case for a while
    with the default exception views (config.add_notfound_view and
    config.add_forbidden_view), however for any other exception view a
    developer had to remember to set permission=NO_PERMISSION_REQUIRED or
    be surprised when things didn't work. It is still possible to force a
    permission check on an exception view by setting the permission argument
    manually to config.add_view. This behavior is consistent with the new
    CSRF features added in the 1.7 series.
    See do not enforce default permissions on exception views Pylons/pyramid#2534

1.7b1

==================

  • This release announces the beta period for 1.7.

1.7a2

==================

Features

  • The automatic CSRF API was reworked to use a config directive for
    setting the options. The pyramid.require_default_csrf setting is
    no longer supported. Instead, a new config.set_default_csrf_options
    directive has been introduced that allows the developer to specify
    the default value for require_csrf as well as change the CSRF token,
    header and safe request methods. The pyramid.csrf_trusted_origins
    setting is still supported.
    See replace pyramid.require_default_csrf setting with config.set_default_csrf_options Pylons/pyramid#2518

Bug fixes

1.7a1

==================

Backward Incompatibilities

  • Following the Pyramid deprecation period (1.4 -> 1.6),
    AuthTktAuthenticationPolicy's default hashing algorithm is changing from md5
    to sha512. If you are using the authentication policy and need to continue
    using md5, please explicitly set hashalg to 'md5'.

This change does mean that any existing auth tickets (and associated cookies)
will no longer be valid, and users will no longer be logged in, and have to
log in to their accounts again.

See Pylons/pyramid#2496

Features

  • Added a new setting, pyramid.require_default_csrf which may be used
    to turn on CSRF checks globally for every POST request in the application.
    This should be considered a good default for websites built on Pyramid.
    It is possible to opt-out of CSRF checks on a per-view basis by setting
    require_csrf=False on those views.
    See require_csrf to replace check_csrf Pylons/pyramid#2413
  • Added an additional CSRF validation that checks the origin/referrer of a
    request and makes sure it matches the current request.domain. This
    particular check is only active when accessing a site over HTTPS as otherwise
    browsers don't always send the required information. If this additional CSRF
    validation fails a BadCSRFOrigin exception will be raised and may be
    caught by exception views (the default response is 400 Bad Request).
    Additional allowed origins may be configured by setting
    pyramid.csrf_trusted_origins to a list of domain names (with ports if on
    a non standard port) to allow. Subdomains are not allowed unless the domain
    name has been prefixed with a ".". See
    In addition to CSRF token, verify the origin too Pylons/pyramid#2501
  • Pyramid HTTPExceptions will now take into account the best match for the
    client's Accept header, and depending on what is requested will return
    text/html, application/json or text/plain. The default for */* is still
    text/html, but if application/json is explicitly mentioned it will now
    receive a valid JSON response. See
    Feature: JSON exceptions Pylons/pyramid#2489
  • Add a new "view deriver" concept to Pyramid to allow framework authors to
    inject elements into the standard Pyramid view pipeline and affect all
    views in an application. This is similar to a decorator except that it
    has access to options passed to config.add_view and can affect other
    stages of the pipeline such as the raw response from a view or prior to
    security checks. See configurable view deriver Pylons/pyramid#2021
  • A new request.invoke_exception_view(...) method which can be used to
    invoke an exception view and get back a response. This is useful for
    rendering an exception view outside of the context of the excview tween
    where you may need more control over the request.
    See request.invoke exception view Pylons/pyramid#2393
  • Allow using variable substitutions like %(LOGGING_LOGGER_ROOT_LEVEL)s
    for logging sections of the .ini file and populate these variables from
    the pserve command line -- e.g.:
    pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG
    See Pass vars to logging.config.fileConfig Pylons/pyramid#2399

Documentation Changes

  • A complete overhaul of the docs:
      • Use pip instead of easy_install.
      • Become opinionated by preferring Python 3.4 or greater to simplify
        installation of Python and its required packaging tools.
      • Use venv for the tool, and virtual environment for the thing created,
        instead of virtualenv.
      • Use py.test and pytest-cov instead of nose and coverage.
      • Further updates to the scaffolds as well as tutorials and their src files.

See Pylons/pyramid#2468

  • A complete overhaul of the alchemy scaffold as well as the
    Wiki2 SQLAlchemy + URLDispatch tutorial to introduce more modern features
    into the usage of SQLAlchemy with Pyramid and provide a better starting
    point for new projects.
    See alchemy scaffold updates Pylons/pyramid#2024

Bug Fixes

Deprecations

1.6

================

Deprecations

1.6b3

==================

Backward Incompatibilities

  • Modify the pyramid.interfaces.ICacheBuster API to be a simple callable
    instead of an object with match and pregenerate methods. Cache
    busters are now focused solely on generation. Matching has been dropped.

Note this affects usage of pyramid.static.QueryStringCacheBuster and
pyramid.static.ManifestCacheBuster.

See Pylons/pyramid#2186

Features

Bug Fixes

1.6b2

==================

Features

  • Allow asset specifications to be supplied to
    pyramid.static.ManifestCacheBuster instead of requiring a
    filesystem path.

1.6b1

==================

Backward Incompatibilities

  • IPython and BPython support have been removed from pshell in the core.
    To continue using them on Pyramid 1.6+ you must install the binding
    packages explicitly::

        $ pip install pyramid_ipython

    or

        $ pip install pyramid_bpython

Features

Bug Fixes

Deprecations

1.6a2

==================

Bug Fixes

1.6a1

==================

Features

  • The pyramid.config.Configurator has grown the ability to allow
    actions to call other actions during a commit-cycle. This enables much more
    logic to be placed into actions, such as the ability to invoke other actions
    or group them for improved conflict detection. We have also exposed and
    documented the config phases that Pyramid uses in order to further assist
    in building conforming addons.
    See re-entrant configurator! Pylons/pyramid#1513
  • Add pyramid.config.Configurator.root_package attribute and init
    parameter to assist with includeable packages that wish to resolve
    resources relative to the package in which the Configurator was created.
    This is especially useful for addons that need to load asset specs from
    settings, in which case it may be natural for a developer to define
    imports or assets relative to the top-level package.
    See add config.root_package attribute Pylons/pyramid#1337
  • Assets can now be overridden by an absolute path on the filesystem when using
    the config.override_asset API. This makes it possible to fully support
    serving up static content from a mutable directory while still being able
    to use the request.static_url API and config.add_static_view.
    Previously it was not possible to use config.add_static_view with an
    absolute path and generate urls to the content. This change replaces
    the call, config.add_static_view('/abs/path', 'static'), with
    config.add_static_view('myapp:static', 'static') and
    config.override_asset(to_override='myapp:static/', override_with='/abs/path/'). The myapp:static asset spec is completely
    made up and does not need to exist - it is used for generating urls
    via request.static_url('myapp:static/foo.png').
    See add support for using an absolute path to override an asset Pylons/pyramid#1252
  • Added pyramid.config.Configurator.set_response_factory and the
    response_factory keyword argument to the Configurator for defining
    a factory that will return a custom Response class.
    See Expose response class Pylons/pyramid#1499
  • request.response will no longer be mutated when using the
    pyramid.renderers.render_to_response() API. It is now necessary to
    pass in a response= argument to render_to_response if you wish to
    supply the renderer with a custom response object for it to use. If you
    do not pass one then a response object will be created using the
    application's IResponseFactory. Almost all renderers
    mutate the request.response response object (for example, the JSON
    renderer sets request.response.content_type to application/json).
    However, when invoking render_to_response it is not expected that the
    response object being returned would be the same one used later in the
    request. The response object returned from render_to_response is now
    explicitly different from request.response. This does not change the
    API of a renderer. See update render_to_response to prevent renderers from mutating request.response Pylons/pyramid#1563

Bug Fixes

  • Fix an issue whereby predicates would be resolved as maybe_dotted in the
    introspectable but not when passed for registration. This would mean that
    add_route_predicate for example can not take a string and turn it into
    the actual callable function.
    See Fix: add predicates maybe dotted Pylons/pyramid#1306
  • request.finished_callbacks and request.response_callbacks now
    default to an iterable instead of None. It may be checked for a length
    of 0. This was the behavior in 1.5.

Deprecations

  • The pserve command's daemonization features have been deprecated. This
    includes the [start,stop,restart,status] subcommands as well as the
    --daemon, --stop-server, --pid-file, and --status flags.

Please use a real process manager in the future instead of relying on the
pserve to daemonize itself. Many options exist including your Operating
System's services such as Systemd or Upstart, as well as Python-based
solutions like Circus and Supervisor.

See Pylons/pyramid#1641

Docs

  • Removed logging configuration from Quick Tutorial ini files except for
    scaffolding- and logging-related chapters to avoid needing to explain it too
    early.
  • Clarify a previously-implied detail of the ISession.invalidate API
    documentation.

Scaffolds

  • Update scaffold generating machinery to return the version of pyramid and
    pyramid docs for use in scaffolds. Updated starter, alchemy and zodb
    templates to have links to correctly versioned documentation and reflect
    which pyramid was used to generate the scaffold.
  • Removed non-ascii copyright symbol from templates, as this was
    causing the scaffolds to fail for project generation.
  • You can now run the scaffolding func tests via tox py2-scaffolds and
    tox py3-scaffolds.

waitress 0.8.9 -> 1.0.2

1.0.2


Features

  • Python 3.6 is now officially supported in Waitress

Bugfixes

1.0.1


Bugfixes

  • A ValueError was raised on Windows when passing a string for the port, on
    Windows in Python 2 using service names instead of port numbers doesn't work
    with getaddrinfo. This has been resolved by attempting to convert the port
    number to an integer, if that fails a ValueError will be raised. See
    Invalid host/port specified error on Windows Pylons/waitress#139

1.0.0


Bugfixes

Deprecations

  • Python 2.6 is no longer supported.

Features

  • IPv6 support
  • Waitress is now able to listen on multiple sockets, including IPv4 and IPv6.
    Instead of passing in a host/port combination you now provide waitress with a
    space delineated list, and it will create as many sockets as required.

.. code-block:: python

    from waitress import serve
    serve(wsgiapp, listen='0.0.0.0:8080 [::]:9090 *:6543')

Security

0.9.0


Deprecations

  • Python 3.2 is no longer supported by Waitress.
  • Python 2.6 will no longer be supported by Waitress in future releases.

Security/Protections

Bugfixes

0.8.10


  • Add support for Python 3.4, 3.5b2, and PyPy3.
  • Use a nonglobal asyncore socket map by default, trying to prevent conflicts
    with apps and libs that use the asyncore global socket map ala
    Error with cassandra Pylons/waitress#63. You can get the old
    use-global-socket-map behavior back by passing asyncore.socket_map to the
    create_server function as the map argument.
  • Add a docs section to tox.ini that, when run, ensures docs can be built.
  • Switch from the low level Python thread/_thread module to the threading
    module.
  • Improved exception information should module import go awry.

Once you have closed this pull request, I'll create separate pull requests for every update as soon as I find them.

That's it for now!

Happy merging! 🤖

@groovecoder groovecoder merged commit 00885ba into master Jul 10, 2017
@groovecoder groovecoder deleted the pyup-initial-update branch July 10, 2017 16:52
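
The 1.7a1 changelog entry above describes an origin/referrer check that runs only over HTTPS and accepts subdomains only for trusted origins prefixed with a dot. The following is an added example, not Pyramid's code and not part of this pull request: a standard-library model of that matching rule, in which all function names are hypothetical and rejecting a request that carries neither header is an assumption of the example.

```python
from urllib.parse import urlsplit


class BadCSRFOrigin(Exception):
    """Stand-in for the exception the changelog names (default: 400)."""


def host_matches(host, pattern):
    """Exact host match; subdomains match only for a '.'-prefixed pattern."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def with_port(host, port):
    """Append the port unless it is 443 (the check only runs on HTTPS)."""
    return host if port in (None, 443) else f"{host}:{port}"


def check_origin(scheme, domain, port, headers, trusted_origins=()):
    """Raise BadCSRFOrigin unless the request's source host is allowed."""
    if scheme != "https":
        return  # the changelog says the check is only active over HTTPS
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        # Assumption of this example: no header on HTTPS means reject.
        raise BadCSRFOrigin("no Origin or Referer header")
    try:
        parts = urlsplit(source)
        source_host, source_port = parts.hostname, parts.port
    except ValueError:
        raise BadCSRFOrigin(f"unparseable source {source!r}")
    if not source_host:  # e.g. the literal Origin value "null"
        raise BadCSRFOrigin(f"no host in {source!r}")
    candidate = with_port(source_host, source_port)
    # The request's own domain is always allowed, plus configured origins.
    patterns = [with_port(domain, port), *trusted_origins]
    if not any(host_matches(candidate, pattern) for pattern in patterns):
        raise BadCSRFOrigin(f"{candidate} is not a trusted origin")


def allowed(*args, **kwargs):
    """Boolean wrapper around check_origin for quick experiments."""
    try:
        check_origin(*args, **kwargs)
    except BadCSRFOrigin:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample requests: (Origin header, trusted origins)
    for origin, trusted in [
        ("https://example.com", ()),
        ("https://app.example.com", ()),
        ("https://app.example.com", (".example.com",)),
        ("https://notexample.com", (".example.com",)),
        ("null", ()),
    ]:
        ok = allowed("https", "example.com", 443, {"Origin": origin}, trusted)
        print(f"{origin:28} trusted={trusted!r:20} -> {'ok' if ok else '400'}")
```

The leading dot is what keeps `notexample.com` from matching a trusted `.example.com`: a bare suffix comparison without it would accept any host that merely ends in the trusted name.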