Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Scheduled daily dependency update on monday #3

wants to merge 2 commits into from


None yet
1 participant
Copy link

commented Jul 10, 2017


Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need.

pyramid 1.5.1 » 1.9 PyPI | Changelog | Homepage
waitress 0.8.9 » 1.0.2 PyPI | Changelog | Repo


pyramid 1.5.1 -> 1.9



  • No major changes from 1.9b1.
  • Updated documentation links for to use HTTPS.



  • Add an informative error message when unknown predicates are supplied. The
    new message suggests alternatives based on the list of known predicates.
    See Pylons/pyramid#3054
  • Added integrity attributes for JavaScripts in cookiecutters, scaffolds, and
    resulting source files in tutorials.
    See Pylons/pyramid#2548
  • Update RELEASING.txt for updating cookiecutters. Change cookiecutter URLs to
    use shortcut.
    See Pylons/pyramid#3042
  • Ensure the correct threadlocals are pushed during view execution when
    invoked from request.invoke_exception_view.
    See Pylons/pyramid#3060
  • Fix a bug in which failed to return
    a valid iterator in its __iter__ implementation.
    See Pylons/pyramid#3074
  • Normalize the permission results to a proper class hierarchy. is now a subclass of and is now a
    subclass of
    See Pylons/pyramid#3084
  • Add a quote_via argument to pyramid.encode.urlencode to follow
    the stdlib's version and enable custom quoting functions.
    See Pylons/pyramid#3088
  • Support _query=None and _anchor=None in request.route_url as well
    as query=None and anchor=None in request.resource_url.
    Previously this would cause an ? and a ``, respectively, in the url
    with nothing after it. Now the unnecessary parts are dropped from the
    generated URL. See Pylons/pyramid#3034
  • Revamp the IRouter API used by IExecutionPolicy to force
    pushing/popping the request threadlocals. The
    IRouter.make_request(environ) API has been replaced by
    IRouter.request_context(environ) which should be used as a context
    manager. See Pylons/pyramid#3086



Backward Incompatibilities

  • request.exception and request.exc_info will only be set if the
    response was generated by the EXCVIEW tween. This is to avoid any confusion
    where a response was generated elsewhere in the pipeline and not in
    direct relation to the original exception. If anyone upstream wants to
    catch and render responses for exceptions they should set
    request.exception and request.exc_info themselves to indicate
    the exception that was squashed when generating the response.

Similar behavior occurs with request.invoke_exception_view in which
the exception properties are set to reflect the exception if a response
is successfully generated by the method.

This is a very minor incompatibility. Most tweens right now would give
priority to the raised exception and ignore request.exception. This
change just improves and clarifies that bookkeeping by trying to be
more clear about the relationship between the response and its squashed
exception. See Pylons/pyramid#3029 and



Major Features

  • The file format used by all p* command line scripts such as pserve
    and pshell, as well as the pyramid.paster.bootstrap function
    is now replaceable thanks to a new dependency on
    plaster <>_.

For now, Pyramid is still shipping with integrated support for the
PasteDeploy INI format by depending on the
plaster_pastedeploy <>_
binding library. This may change in the future.

See Pylons/pyramid#2985

  • Added an execution policy hook to the request pipeline. An execution
    policy has the ability to control creation and execution of the request
    objects before they enter the rest of the pipeline. This means for a single
    request environ the policy may create more than one request object.

The first library to use this feature is
pyramid_retry <>_.

See Pylons/pyramid#2964

  • CSRF support has been refactored out of sessions and into its own
    independent API in the pyramid.csrf module. It supports a pluggable
    pyramid.interfaces.ICSRFStoragePolicy which can be used to define your
    own mechanism for generating and validating CSRF tokens. By default,
    Pyramid continues to use the pyramid.csrf.LegacySessionCSRFStoragePolicy
    that uses the request.session.get_csrf_token and
    request.session.new_csrf_token APIs under the hood to preserve
    compatibility. Two new policies are shipped as well,
    pyramid.csrf.SessionCSRFStoragePolicy and
    pyramid.csrf.CookieCSRFStoragePolicy which will store the CSRF tokens
    in the session and in a standalone cookie, respectively. The storage policy
    can be changed by using the new
    pyramid.config.Configurator.set_csrf_storage_policy config directive.

CSRF tokens should be used via the new pyramid.csrf.get_csrf_token,
pyramid.csrf.new_csrf_token and pyramid.csrf.check_csrf_token APIs
in order to continue working if the storage policy is changed. Also, the
pyramid.csrf.get_csrf_token function is injected into templates to be
used conveniently in UI code.

See Pylons/pyramid#2854 and

Minor Features

  • Support an open_url config setting in the pserve section of the
    config file. This url is used to open a web browser when pserve --browser
    is invoked. When this setting is unavailable the pserve script will
    attempt to guess the port the server is using from the
    server:<server_name> section of the config file but there is no
    requirement that the server is being run in this format so it may fail.
    See Pylons/pyramid#2984
  • The pyramid.config.Configurator can now be used as a context manager
    which will automatically push/pop threadlocals (similar to
    config.begin() and config.end()). It will also automatically perform
    a config.commit() and thus it is only recommended to be used at the
    top-level of your app. See Pylons/pyramid#2874
  • The threadlocals are now available inside any function invoked via
    config.include. This means the only config-time code that cannot rely
    on threadlocals is code executed from non-actions inside the main. This
    can be alleviated by invoking config.begin() and config.end()
    appropriately or using the new context manager feature of the configurator.
    See Pylons/pyramid#2989

Bug Fixes

  • HTTPException's accepts a detail kwarg that may be used to pass additional
    details to the exception. You may now pass objects so long as they have a
    valid str method. See Pylons/pyramid#2951
  • Fix a reference cycle causing memory leaks in which the registry
    would keep a Configurator instance alive even after the configurator
    was discarded. Another fix was also added for the global_registries
    object in which the registry was stored in a closure preventing it from
    being deallocated. See Pylons/pyramid#2967
  • Fix a bug directly invoking pyramid.scripts.pserve.main with the
    --reload option in which sys.argv is always used in the subprocess
    instead of the supplied argv.
    See Pylons/pyramid#2962


  • Pyramid currently depends on plaster_pastedeploy to simplify the
    transition to plaster by maintaining integrated support for INI files.
    This dependency on plaster_pastedeploy should be considered subject to
    Pyramid's deprecation policy and may be removed in the future.
    Applications should depend on the appropriate plaster binding to satisfy
    their needs.
  • Retrieving CSRF token from the session has been deprecated in favor of
    equivalent methods in the pyramid.csrf module. The CSRF methods
    (ISession.get_csrf_token and ISession.new_csrf_token) are no longer
    required on the ISession interface except when using the default

Also, pyramid.session.check_csrf_token is now located at

See Pylons/pyramid#2854 and

Documentation Changes

  • Added the execution policy to the routing diagram in the Request Processing
    chapter. See Pylons/pyramid#2993



  • No major changes from 1.8b1.




  • Added an override option to config.add_translation_dirs to allow
    later calls to place translation directories at a higher priority than
    earlier calls. See Pylons/pyramid#2902

Documentation Changes

  • Improve registry documentation to discuss uses as a component registry
    and as a dictionary. See Pylons/pyramid#2893
  • Fix unittests in wiki2 to work without different dependencies between
    py2 and py3. See Pylons/pyramid#2899
  • Update Windows documentation to track newer Python 3 improvements to the
    installer. See Pylons/pyramid#2900



Backward Incompatibilities

  • Support for the IContextURL interface that was deprecated in Pyramid 1.3
    has been removed. See Pylons/pyramid#2822
  • Following the Pyramid deprecation period (1.6 -> 1.8),
    daemon support for pserve has been removed. This includes removing the
    daemon commands (start, stop, restart, status) as well as the following
    arguments: --daemon, --pid-file, --log-file,
    --monitor-restart, --status, --user, --group,

To run your server as a daemon you should use a process manager instead of

See Pylons/pyramid#2615

  • pcreate is now interactive by default. You will be prompted if a file
    already exists with different content. Previously if there were similar
    files it would silently skip them unless you specified --interactive
    or --overwrite.
    See Pylons/pyramid#2775
  • Removed undocumented argument cachebust_match from
    pyramid.static.static_view. This argument was shipped accidentally
    in Pyramid 1.6. See Pylons/pyramid#2681
  • Change static view to avoid setting the Content-Encoding response header
    to an encoding guessed using Python's mimetypes module. This was causing
    clients to decode the content of gzipped files when downloading them. The
    client would end up with a foo.txt.gz file on disk that was already
    decoded, thus should really be foo.txt. Also, the Content-Encoding
    should only have been used if the client itself broadcast support for the
    encoding via Accept-Encoding request headers.
    See Pylons/pyramid#2810
  • Settings are no longer accessible as attributes on the settings object
    (e.g. This was deprecated in Pyramid 1.2.
    See Pylons/pyramid#2823


  • pcreate learned about --package-name to allow you to create a new
    project in an existing folder with a different package name than the project
    name. See Pylons/pyramid#2783
  • The _get_credentials private method of BasicAuthAuthenticationPolicy
    has been extracted into standalone function extract_http_basic_credentials
    in pyramid.authentication module, this function extracts HTTP Basic
    credentials from a request object, and returns them as a named tuple.
    See Pylons/pyramid#2662
  • Pyramid 1.4 silently dropped a feature of the configurator that has been
    restored. It's again possible for action discriminators to conflict across
    different action orders.
    See Pylons/pyramid#2757
  • pyramid.paster.bootstrap and its sibling pyramid.scripting.prepare
    can now be used as context managers to automatically invoke the closer
    and pop threadlocals off of the stack to prevent memory leaks.
    See Pylons/pyramid#2760
  • Added pyramid.config.Configurator.add_exception_view and the
    pyramid.view.exception_view_config decorator. It is now possible using
    these methods or via the new exception_only=True option to add_view
    to add a view which will only be matched when handling an exception.
    Previously any exception views were also registered for a traversal
    context that inherited from the exception class which prevented any
    exception-only optimizations.
    See Pylons/pyramid#2660
  • Added the exception_only boolean to
    pyramid.interfaces.IViewDeriverInfo which can be used by view derivers
    to determine if they are wrapping a view which only handles exceptions.
    This means that it is no longer necessary to perform request-time checks
    for request.exception to determine if the view is handling an exception
  • the pipeline can be optimized at config-time.
    See Pylons/pyramid#2660
  • pserve should now work with gevent and other workers that need
    to monkeypatch the process, assuming the server and / or the app do so
    as soon as possible before importing the rest of pyramid.
    See Pylons/pyramid#2797
  • Pyramid no longer copies the settings object passed to the
    pyramid.config.Configurator(settings=). The original dict is kept.
    See Pylons/pyramid#2823
  • The csrf trusted origins setting may now be a whitespace-separated list of
    domains. Previously only a python list was allowed. Also, it can now be set
    using the PYRAMID_CSRF_TRUSTED_ORIGINS environment variable similar to
    other settings. See Pylons/pyramid#2823
  • pserve --reload now uses the
    hupper <>
    library to monitor file changes. This comes with many improvements:
  • If the watchdog <>_ package is
    installed then monitoring will be done using inotify instead of
    cpu and disk-intensive polling.
  • The monitor is now a separate process that will not crash and starts up
    before any of your code.
  • The monitor will not restart the process after a crash until a file is
  • The monitor works on windows.
  • You can now trigger a reload manually from a pyramid view or any other
    code via hupper.get_reloader().trigger_reload(). Kind of neat.
  • You can trigger a reload by issuing a SIGHUP to the monitor process.

See Pylons/pyramid#2805

  • A new [pserve] section is supported in your config files with a
    watch_files key that can configure pserve --reload to monitor custom
    file paths. See Pylons/pyramid#2827
  • Allow streaming responses to be made from subclasses of
    pyramid.httpexceptions.HTTPException. Previously the response would
    be unrolled while testing for a body, making it impossible to stream
    a response.
    See Pylons/pyramid#2863
  • Update starter, alchemy and zodb scaffolds to support IPv6 by using the
    new listen directives in waitress.
    See Pylons/pyramid#2853
  • All p* scripts now use argparse instead of optparse. This improves their
    --help output as well as enabling nicer documentation of their options.
    See Pylons/pyramid#2864
  • Any deferred configuration action registered via config.action may now
    depend on threadlocal state, such as asset overrides, being active when
    the action is executed.
    See Pylons/pyramid#2873
  • Asset specifications for directories passed to
    config.add_translation_dirs now support overriding the entire asset
    specification, including the folder name. Previously only the package name
    was supported and the folder would always need to have the same name.
    See Pylons/pyramid#2873
  • config.begin() will propagate the current threadlocal request through
    as long as the registry is the same. For example:

.. code-block:: python

request = Request.blank(...)
config.begin(request)   pushes a request
config.begin()          propagates the previous request through unchanged
assert get_current_request() is request

See Pylons/pyramid#2873

  • Added a new callback option to config.set_default_csrf_options which
    can be used to determine per-request whether CSRF checking should be enabled
    to allow for a mix authentication methods. Only cookie-based methods
    generally require CSRF checking.
    See Pylons/pyramid#2778

Bug Fixes

  • Fixed bug in proutes such that it now shows the correct view when a
    class and attr is involved.
    See: Pylons/pyramid#2687
  • Fix a FutureWarning in Python 3.5 when using re.split on the
    format setting to the proutes script.
    See Pylons/pyramid#2714
  • Fix a RuntimeWarning emitted by WebOb when using arbitrary objects
    as the userid in the AuthTktAuthenticationPolicy. This is now caught
    by the policy and the object is serialized as a base64 string to avoid
    the cryptic warning. Since the userid will be read back as a string on
    subsequent requests a more useful warning is emitted encouraging you to
    use a primitive type instead.
    See Pylons/pyramid#2715
  • Pyramid 1.6 introduced the ability for an action to invoke another action.
    There was a bug in the way that config.add_view would interact with
    custom view derivers introduced in Pyramid 1.7 because the view's
    discriminator cannot be computed until view derivers and view predicates
    have been created in earlier orders. Invoking an action from another action
    would trigger an unrolling of the pipeline and would compute discriminators
    before they were ready. The new behavior respects the order of the action
    and ensures the discriminators are not computed until dependent actions
    from previous orders have executed.
    See Pylons/pyramid#2757
  • Fix bug in i18n where the default domain would always use the Germanic plural
    style, even if a different plural function is defined in the relevant
    messages file. See Pylons/pyramid#2859
  • The config.override_asset method now occurs during
    pyramid.config.PHASE1_CONFIG such that it is ordered to execute before
    any calls to config.add_translation_dirs.
    See Pylons/pyramid#2873


  • The pcreate script and related scaffolds have been deprecated in favor
    of the popular
    cookiecutter <>_ project.

All of Pyramid's official scaffolds as well as the tutorials have been
ported to cookiecutters:

  • pyramid-cookiecutter-starter <>_
  • pyramid-cookiecutter-alchemy <>_
  • pyramid-cookiecutter-zodb <>_

See Pylons/pyramid#2780

Documentation Changes

  • Add pyramid_nacl_session <>_
    to session factories. See Pylons/pyramid#2791
  • Update HACKING.txt from stale branch that was never merged to master.
    See Pylons/pyramid#2782
  • Fix an inconsistency in the documentation between view predicates and
    route predicates and highlight the differences in their APIs.
    See Pylons/pyramid#2764
  • Clarify a possible misuse of the headers kwarg to subclasses of
    pyramid.httpexceptions.HTTPException in which more appropriate
    kwargs from the parent class pyramid.response.Response should be
    used instead. See Pylons/pyramid#2750
  • The SQLAlchemy + URL Dispatch + Jinja2 (wiki2) and
    ZODB + Traversal + Chameleon (wiki) tutorials have been updated to
    utilize the new cookiecutters and drop support for the pcreate

See Pylons/pyramid#2881 and

  • Quick Tour updated to use cookiecutters instead of pcreate and scaffolds.
    See Pylons/pyramid#2888



  • Fix a bug in the wiki2 tutorial where bcrypt is always expecting byte
    strings. See Pylons/pyramid#2576



  • Fixed the exception view tween to re-raise the original exception if
    no exception view could be found to handle the exception. This better
    allows tweens further up the chain to handle exceptions that were
    left unhandled. Previously they would be converted into a
    PredicateMismatch exception if predicates failed to allow the view to
    handle the exception.
    See Pylons/pyramid#2567
  • Exposed the pyramid.interfaces.IRequestFactory interface to mirror
    the public pyramid.interfaces.IResponseFactory interface.



  • Fix request.invoke_exception_view to raise an HTTPNotFound
    exception if no view is matched. Previously None would be returned
    if no views were matched and a PredicateMismatch would be raised if
    a view "almost" matched (a view was found matching the context).
    See Pylons/pyramid#2564
  • Add defaults for py.test configuration and coverage to all three scaffolds,
    and update documentation accordingly.
    See Pylons/pyramid#2550
  • Add linkcheck to Makefile for Sphinx. To check the documentation for
    broken links, use the command make linkcheck SPHINXBUILD=$VENV/bin/sphinx-build. Also removed and fixed dozens of broken
    external links.
  • Fix the internal runner for scaffold tests to ensure they work with pip
    and py.test.
    See Pylons/pyramid#2565



  • Removed inclusion of pyramid_tm in development.ini for alchemy scaffold
    See Pylons/pyramid#2538
  • A default permission set via config.set_default_permission will no
    longer be enforced on an exception view. This has been the case for a while
    with the default exception views (config.add_notfound_view and
    config.add_forbidden_view), however for any other exception view a
    developer had to remember to set permission=NO_PERMISSION_REQUIRED or
    be surprised when things didn't work. It is still possible to force a
    permission check on an exception view by setting the permission argument
    manually to config.add_view. This behavior is consistent with the new
    CSRF features added in the 1.7 series.
    See Pylons/pyramid#2534



  • This release announces the beta period for 1.7.
  • Fix an issue where some files were being included in the alchemy scafffold
    which had been removed from the 1.7 series.
    See Pylons/pyramid#2525




  • Automatic CSRF checks are now disabled by default on exception views. They
    can be turned back on by setting the appropriate require_csrf option on
    the view.
    See Pylons/pyramid#2517
  • The automatic CSRF API was reworked to use a config directive for
    setting the options. The pyramid.require_default_csrf setting is
    no longer supported. Instead, a new config.set_default_csrf_options
    directive has been introduced that allows the developer to specify
    the default value for require_csrf as well as change the CSRF token,
    header and safe request methods. The pyramid.csrf_trusted_origins
    setting is still supported.
    See Pylons/pyramid#2518

Bug fixes



Backward Incompatibilities

  • Following the Pyramid deprecation period (1.4 -> 1.6),
    AuthTktAuthenticationPolicy's default hashing algorithm is changing from md5
    to sha512. If you are using the authentication policy and need to continue
    using md5, please explicitly set hashalg to 'md5'.

This change does mean that any existing auth tickets (and associated cookies)
will no longer be valid, and users will no longer be logged in, and have to
login to their accounts again.

See Pylons/pyramid#2496

  • The check_csrf_token function no longer validates a csrf token in the
    query string of a request. Only headers and request bodies are supported.
    See Pylons/pyramid#2500


  • Added a new setting, pyramid.require_default_csrf which may be used
    to turn on CSRF checks globally for every POST request in the application.
    This should be considered a good default for websites built on Pyramid.
    It is possible to opt-out of CSRF checks on a per-view basis by setting
    require_csrf=False on those views.
    See Pylons/pyramid#2413
  • Added a require_csrf view option which will enforce CSRF checks on any
    request with an unsafe method as defined by RFC2616. If the CSRF check fails
    a BadCSRFToken exception will be raised and may be caught by exception
    views (the default response is a 400 Bad Request). This option should be
    used in place of the deprecated check_csrf view predicate which would
    normally result in unexpected 404 Not Found response to the client
    instead of a catchable exception. See
    Pylons/pyramid#2413 and
  • Added an additional CSRF validation that checks the origin/referrer of a
    request and makes sure it matches the current request.domain. This
    particular check is only active when accessing a site over HTTPS as otherwise
    browsers don't always send the required information. If this additional CSRF
    validation fails a BadCSRFOrigin exception will be raised and may be
    caught by exception views (the default response is 400 Bad Request).
    Additional allowed origins may be configured by setting
    pyramid.csrf_trusted_origins to a list of domain names (with ports if on
    a non standard port) to allow. Subdomains are not allowed unless the domain
    name has been prefixed with a .. See
  • Added a new pyramid.session.check_csrf_origin API for validating the
    origin or referrer headers against the request's domain.
    See Pylons/pyramid#2501
  • Pyramid HTTPExceptions will now take into account the best match for the
    clients Accept header, and depending on what is requested will return
    text/html, application/json or text/plain. The default for / is still
    text/html, but if application/json is explicitly mentioned it will now
    receive a valid JSON response. See
  • Add a new "view deriver" concept to Pyramid to allow framework authors to
    inject elements into the standard Pyramid view pipeline and affect all
    views in an application. This is similar to a decorator except that it
    has access to options passed to config.add_view and can affect other
    stages of the pipeline such as the raw response from a view or prior to
    security checks. See Pylons/pyramid#2021
  • Allow a leading = on the key of the request param predicate.
    For example, '=abc=1' is equivalent down to
    request.params['=abc'] == '1'.
    See Pylons/pyramid#1370
  • A new request.invoke_exception_view(...) method which can be used to
    invoke an exception view and get back a response. This is useful for
    rendering an exception view outside of the context of the excview tween
    where you may need more control over the request.
    See Pylons/pyramid#2393
  • Allow using variable substitutions like %(LOGGING_LOGGER_ROOT_LEVEL)s
    for logging sections of the .ini file and populate these variables from
    the pserve command line -- e.g.:
    pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG
    See Pylons/pyramid#2399

Documentation Changes

  • A complete overhaul of the docs:
  • Use pip instead of easy_install.
  • Become opinionated by preferring Python 3.4 or greater to simplify
    installation of Python and its required packaging tools.
  • Use venv for the tool, and virtual environment for the thing created,
    instead of virtualenv.
  • Use py.test and pytest-cov instead of nose and coverage.
  • Further updates to the scaffolds as well as tutorials and their src files.

See Pylons/pyramid#2468

  • A complete overhaul of the alchemy scaffold as well as the
    Wiki2 SQLAlchemy + URLDispatch tutorial to introduce more modern features
    into the usage of SQLAlchemy with Pyramid and provide a better starting
    point for new projects.
    See Pylons/pyramid#2024

Bug Fixes

  • Fix pserve --browser to use the --server-name instead of the
    app name when selecting a section to use. This was only working for people
    who had server and app sections with the same name, for example
    [app:main] and [server:main].
    See Pylons/pyramid#2292


  • The check_csrf view predicate has been deprecated. Use the
    new require_csrf option or the pyramid.require_default_csrf setting
    to ensure that the BadCSRFToken exception is raised.
    See Pylons/pyramid#2413




  • Continue removal of pserve daemon/process management features
    by deprecating --user and --group options.
    See Pylons/pyramid#2190



Backward Incompatibilities

  • Remove the cachebust option from config.add_static_view. See
    config.add_cache_buster for the new way to attach cache busters to
    static assets.
    See Pylons/pyramid#2186
  • Modify the pyramid.interfaces.ICacheBuster API to be a simple callable
    instead of an object with match and pregenerate methods. Cache
    busters are now focused solely on generation. Matching has been dropped.

Note this affects usage of pyramid.static.QueryStringCacheBuster and

See Pylons/pyramid#2186


  • Add a new config.add_cache_buster API for attaching cache busters to
    static assets. See Pylons/pyramid#2186

Bug Fixes

  • Ensure that IAssetDescriptor.abspath always returns an absolute path.
    There were cases depending on the process CWD that a relative path would
    be returned. See Pylons/pyramid#2188




  • Allow asset specifications to be supplied to
    pyramid.static.ManifestCacheBuster instead of requiring a
    filesystem path.



Backward Incompatibilities

  • IPython and BPython support have been removed from pshell in the core.
    To continue using them on Pyramid 1.6+ you must install the binding
    packages explicitly::

$ pip install pyramid_ipython


$ pip install pyramid_bpython

  • Remove default cache busters introduced in 1.6a1 including
    PathSegmentCacheBuster, PathSegmentMd5CacheBuster, and
    See Pylons/pyramid#2116


  • The variables injected into pshell are now displayed with their
    docstrings instead of the default str(obj) when possible.
    See Pylons/pyramid#1929
  • Add new pyramid.static.ManifestCacheBuster for use with external
    asset pipelines as well as examples of common usages in the narrative.
    See Pylons/pyramid#2116
  • Fix an issue when user passes unparsed strings to pyramid.session.CookieSession
    and pyramid.authentication.AuthTktCookieHelper for time related parameters
    timeout, reissue_time, max_age that expect an integer value.
    See Pylons/pyramid#2050

Bug Fixes

  • pyramid.httpexceptions.HTTPException now defaults to
    520 Unknown Error instead of None None to conform with changes in
    WebOb 1.5.
    See Pylons/pyramid#1865
  • pshell will now preserve the capitalization of variables in the
    [pshell] section of the INI file. This makes exposing classes to the
    shell a little more straightfoward.
    See Pylons/pyramid#1883
  • Fixed usage of pserve --monitor-restart --daemon which would fail in
    horrible ways. See Pylons/pyramid#2118
  • Explicitly prevent pserve --reload --daemon from being used. It's never
    been supported but would work and fail in weird ways.
    See Pylons/pyramid#2119
  • Fix an issue on Windows when running pserve --reload in which the
    process failed to fork because it could not find the pserve script to
    run. See Pylons/pyramid#2138


  • Deprecate pserve --monitor-restart in favor of user's using a real
    process manager such as Systemd or Upstart as well as Python-based
    solutions like Circus and Supervisor.
    See Pylons/pyramid#2120



Bug Fixes

  • Ensure that pyramid.httpexceptions.exception_response returns the
    appropriate "concrete" class for 400 and 500 status codes.
    See Pylons/pyramid#1832
  • Fix an infinite recursion bug introduced in 1.6a1 when
    pyramid.view.render_view_to_response was called directly or indirectly.
    See Pylons/pyramid#1643
  • Further fix the JSONP renderer by prefixing the returned content with
    a comment. This should mitigate attacks from Flash (See CVE-2014-4671).
    See Pylons/pyramid#1649
  • Allow periods and brackets ([]) in the JSONP callback. The original
    fix was overly-restrictive and broke Angular.
    See Pylons/pyramid#1649




  • pcreate will now ask for confirmation if invoked with
    an argument for a project name that already exists or
    is importable in the current environment.
    See Pylons/pyramid#1357 and
  • Make it possible to subclass pyramid.request.Request and also use
    pyramid.request.Request.add_request.method. See
  • The pyramid.config.Configurator has grown the ability to allow
    actions to call other actions during a commit-cycle. This enables much more
    logic to be placed into actions, such as the ability to invoke other actions
    or group them for improved conflict detection. We have also exposed and
    documented the config phases that Pyramid uses in order to further assist
    in building conforming addons.
    See Pylons/pyramid#1513
  • Add pyramid.request.apply_request_extensions function which can be
    used in testing to apply any request extensions configured via
    config.add_request_method. Previously it was only possible to test
    the extensions by going through Pyramid's router.
    See Pylons/pyramid#1581
  • Automate code coverage metrics across py2 and py3 instead of just py2.
    See Pylons/pyramid#1471
  • Cache busting for static resources has been added and is available via a new
    argument to pyramid.config.Configurator.add_static_view: cachebust.
    Core APIs are shipped for both cache busting via query strings and
    path segments and may be extended to fit into custom asset pipelines.
    See Pylons/pyramid#1380 and
  • Add pyramid.config.Configurator.root_package attribute and init
    parameter to assist with includeable packages that wish to resolve
    resources relative to the package in which the Configurator was created.
    This is especially useful for addons that need to load asset specs from
    settings, in which case it is may be natural for a developer to define
    imports or assets relative to the top-level package.
    See Pylons/pyramid#1337
  • Added line numbers to the log formatters in the scaffolds to assist with
    debugging. See Pylons/pyramid#1326
  • The pshell script will now load a PYTHONSTARTUP file if one is
    defined in the environment prior to launching the interpreter.
    See Pylons/pyramid#1448
  • Make it simple to define notfound and forbidden views that wish to use
    the default exception-response view but with altered predicates and other
    configuration options. The view argument is now optional in
    config.add_notfound_view and config.add_forbidden_view..
    See Pylons/pyramid#494
  • Improve robustness to timing attacks in the AuthTktCookieHelper and
    the SignedCookieSessionFactory classes by using the stdlib's
    hmac.compare_digest if it is available (such as Python 2.7.7+ and 3.3+).
    See Pylons/pyramid#1457
  • Assets can now be overidden by an absolute path on the filesystem when using
    the config.override_asset API. This makes it possible to fully support
    serving up static content from a mutable directory while still being able
    to use the request.static_url API and config.add_static_view.
    Previously it was not possible to use config.add_static_view with an
    absolute path and generate urls to the content. This change replaces
    the call, config.add_static_view('/abs/path', 'static'), with
    config.add_static_view('myapp:static', 'static') and
    config.override_asset(to_override='myapp:static/', override_with='/abs/path/'). The myapp:static asset spec is completely
    made up and does not need to exist - it is used for generating urls
    via request.static_url('myapp:static/foo.png').
    See Pylons/pyramid#1252
  • Added pyramid.config.Configurator.set_response_factory and the
    response_factory keyword argument to the Configurator for defining
    a factory that will return a custom Response class.
    See Pylons/pyramid#1499
  • Allow an iterator to be returned from a renderer. Previously it was only
    possible to return bytes or unicode.
    See Pylons/pyramid#1417
  • pserve can now take a -b or --browser option to open the server
    URL in a web browser. See Pylons/pyramid#1533
  • Overall improvments for the proutes command. Added --format and
    --glob arguments to the command, introduced the method
    column for displaying available request methods, and improved the view
    output by showing the module instead of just __repr__.
    See Pylons/pyramid#1488
  • Support keyword-only arguments and function annotations in views in
    Python 3. See Pylons/pyramid#1556
  • request.response will no longer be mutated when using the
    pyramid.renderers.render_to_response() API. It is now necessary to
    pass in a response= argument to render_to_response if you wish to
    supply the renderer with a custom response object for it to use. If you
    do not pass one then a response object will be created using the
    application's IResponseFactory. Almost all renderers
    mutate the request.response response object (for example, the JSON
    renderer sets request.response.content_type to application/json).
    However, when invoking render_to_response it is not expected that the
    response object being returned would be the same one used later in the
    request. The response object returned from render_to_response is now
    explicitly different from request.response. This does not change the
    API of a renderer. See Pylons/pyramid#1563
  • The append_slash argument of ```Configurator().add_notfound_view()will now accept anything that implements theIResponse`` interface and will use
    that as the response class instead of the default ``HTTPFound``. See

Bug Fixes

  • The JSONP renderer created JavaScript code in such a way that a callback
    variable could be used to arbitrarily inject javascript into the response
    object. Pylons/pyramid#1627
  • pyramid.wsgi.wsgiapp and pyramid.wsgi.wsgiapp2 now raise
    ValueError when accidentally passed None.
    See Pylons/pyramid#1320
  • Fix an issue whereby predicates would be resolved as maybe_dotted in the
    introspectable but not when passed for registration. This would mean that
    add_route_predicate for example can not take a string and turn it into
    the actual callable function.
    See Pylons/pyramid#1306
  • Fix pyramid.testing.setUp to return a Configurator with a proper
    package. Previously it was not possible to do package-relative includes
    using the returned Configurator during testing. There is now a
    package argument that can override this behavior as well.
    See Pylons/pyramid#1322
  • Fix an issue where a pyramid.response.FileResponse may apply a charset
    where it does not belong. See Pylons/pyramid#1251
  • Work around a bug introduced in Python 2.7.7 on Windows where
    mimetypes.guess_type returns Unicode rather than str for the content
    type, unlike any previous version of Python. See
    Pylons/pyramid#1360 for more information.
  • pcreate now normalizes the package name by converting hyphens to
    underscores. See Pylons/pyramid#1376
  • Fix an issue with the final response/finished callback being unable to
    add another callback to the list. See
  • Fix a failing unittest caused by differing mimetypes across various OSs.
    See Pylons/pyramid#1405
  • Fix route generation for static view asset specifications having no path.
    See Pylons/pyramid#1377
  • Allow the pyramid.renderers.JSONP renderer to work even if there is no
    valid request object. In this case it will not wrap the object in a
    callback and thus behave just like the pyramid.renderers.JSON renderer.
    See Pylons/pyramid#1561
  • Prevent "parameters to load are deprecated" DeprecationWarning
    from setuptools>=11.3. See Pylons/pyramid#1541
  • Avoiding sharing the IRenderer objects across threads when attached to
    a view using the renderer= argument. These renderers were instantiated
    at time of first render and shared between requests, causing potentially
    subtle effects like pyramid.reload_templates = true failing to work
    in pyramid_mako. See Pylons/pyramid#1575
    and Pylons/pyramid#1268
  • request.finished_callbacks and request.response_callbacks now
    default to an iterable instead of None. It may be checked for a length
    of 0. This was the behavior in 1.5.


  • The pserve command's daemonization features have been deprecated. This
    includes the [start,stop,restart,status] subcommands as well as the
    --daemon, --stop-server, --pid-file, and --status flags.

Please use a real process manager in the future instead of relying on the
pserve to daemonize itself. Many options exist including your Operating
System's services such as Systemd or Upstart, as well as Python-based
solutions like Circus and Supervisor.

See Pylons/pyramid#1641

  • Renamed the principal argument to to
    userid in order to clarify its intended purpose.
    See Pylons/pyramid#1399


  • Moved the documentation for accept on Configurator.add_view to no
    longer be part of the predicate list. See
    Pylons/pyramid#1391 for a bug report stating
    not_ was failing on accept. Discussion with mcdonc led to the
    conclusion that it should not be documented as a predicate.
    See Pylons/pyramid#1487 for this PR
  • Removed logging configuration from Quick Tutorial ini files except for
    scaffolding- and logging-related chapters to avoid needing to explain it too
  • Clarify a previously-implied detail of the ISession.invalidate API
  • Improve and clarify the documentation on what Pyramid defines as a
    principal and a userid in its security APIs.
    See Pylons/pyramid#1399


  • Update scaffold generating machinery to return the version of pyramid and
    pyramid docs for use in scaffolds. Updated starter, alchemy and zodb
    templates to have links to correctly versioned documentation and reflect
    which pyramid was used to generate the scaffold.
  • Removed non-ascii copyright symbol from templates, as this was
    causing the scaffolds to fail for project generation.
  • You can now run the scaffolding func tests via tox py2-scaffolds and
    tox py3-scaffolds.

waitress 0.8.9 -> 1.0.2



  • Python 3.6 is now officially supported in Waitress


  • Add a work-around for libc issue on Linux not following the documented
    standards. If getnameinfo() fails because of DNS not being available it
    should return the IP address instead of the reverse DNS entry, however
    instead getnameinfo() raises. We catch this, and ask getnameinfo()
    for the same information again, explicitly asking for IP address instead of
    reverse DNS hostname. See Pylons/waitress#149 and



  • IPv6 support on Windows was broken due to missing constants in the socket
    module. This has been resolved by setting the constants on Windows if they
    are missing. See Pylons/waitress#138
  • A ValueError was raised on Windows when passing a string for the port, on
    Windows in Python 2 using service names instead of port numbers doesn't work
    with getaddrinfo. This has been resolved by attempting to convert the port
    number to an integer, if that fails a ValueError will be raised. See



  • Removed AI_ADDRCONFIG from the call to getaddrinfo, this resolves an
    issue whereby getaddrinfo wouldn't return any addresses to bind to on
    hosts where there is no internet connection but localhost is requested to be
    bound to. See Pylons/waitress#131 for more


  • Python 2.6 is no longer supported.


  • IPv6 support
  • Waitress is now able to listen on multiple sockets, including IPv4 and IPv6.
    Instead of passing in a host/port combination you now provide waitress with a
    space delineated list, and it will create as many sockets as required.

.. code-block:: python

from waitress import serve
serve(wsgiapp, listen=' [::]:9090 *:6543')




  • Python 3.2 is no longer supported by Waitress.
  • Python 2.6 will no longer be supported by Waitress in future releases.


  • Building on the changes made in pull request 117, add in checking for line
    feed/carriage return HTTP Response Splitting in the status line, as well as
    the key of a header. See Pylons/waitress#124 and


  • FileBasedBuffer and more important ReadOnlyFileBasedBuffer no longer report
    False when tested with bool(), instead always returning True, and becoming
    more iterator like.
    See: Pylons/waitress#82 and
  • Call prune() on the output buffer at the end of a request so that it doesn't
    continue to grow without bounds. See
    Pylons/waitress#111 for more information.


  • Add support for Python 3.4, 3.5b2, and PyPy3.
  • Use a nonglobal asyncore socket map by default, trying to prevent conflicts
    with apps and libs that use the asyncore global socket map ala
    Pylons/waitress#63. You can get the old
    use-global-socket-map behavior back by passing asyncore.socket_map to the
    create_server function as the map argument.
  • Waitress violated PEP 3333 with respect to reraising an exception when
    start_response was called with an exc_info argument. It would
    reraise the exception even if no data had been sent to the client. It now
    only reraises the exception if data has actually been sent to the client.
    See Pylons/waitress#52 and
  • Add a docs section to tox.ini that, when run, ensures docs can be built.
  • If an application value of None is supplied to the create_server
    constructor function, a ValueError is now raised eagerly instead of an error
    occuring during runtime. See Pylons/waitress#60
  • Switch from the low level Python thread/_thread module to the threading
  • Improved exception information should module import go awry.

That's it for now!

Happy merging! 🤖

pyup-bot added some commits Jul 10, 2017


This comment has been minimized.

Copy link

commented Jul 11, 2017

Closing this in favor of #4

@pyup-bot pyup-bot closed this Jul 11, 2017

@mozsvcpyup mozsvcpyup deleted the pyup-scheduled-update-07-10-2017 branch Jul 11, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.