-
v1.11.0 (July 7, 2026)
-
Sensitive connection parameters: We curated a set of connector kwargs (
host,protocol,token_file_path,private_key_file,ocsp_response_cache_filename,connection_diag_log_path,crl_cache_dir,unsafe_file_write,unsafe_skip_file_permissions_check) that can no longer be supplied via the URL query string — pass them viaconnect_args=increate_engine()instead (applications already doing so are unaffected). If you encounter a possible behavioral change, setSNOWFLAKE_SQLALCHEMY_LEGACY_URL_PARAMS=1and follow the instructions at Sensitive connection parameters. -
Improve
_url()helper andcreate_connect_argsconnection-parameter handling:accountandregionvalues are now validated against an allowlist of DNS-safe characters (alphanumeric,-,.,_) before being interpolated into the connection URL, preventing URL-authority corruption from unexpected characters.uservalues are percent-encoded before being placed in the URL userinfo component, preserving the original value delivered to the connector while preventing@,?, and#from being misinterpreted as URL delimiters.
-
ClusterByOptionnow raisesTypeErrorat DDL compile time when an expression element is neither astrnor asqlalchemy.sql.expression.TextClause. Previously, such values were silently coerced viastr(), which produced malformed DDL (e.g. bind-parameter placeholders like:id_1) for any expression beyond a bare column name. The accepted types match the documented constructor signature; code using onlystrortext(...)is unaffected. -
Improve identifier quoting and string-literal escaping for caller-supplied values across the DDL compiler so they are rendered consistently with the rest of the dialect. Column keys in
MERGE INTO(both theWHEN NOT MATCHED … INSERTlist andWHEN MATCHED … SETtargets), stage namespaces/names,format_name, andfile_formatare now routed through the identifier preparer, and aquote=Falseschema or column label is quoted when it contains characters that would otherwise require quoting instead of being emitted verbatim. Cloud-storage URIs,CREDENTIALS, andENCRYPTIONclauses (shared byCOPY INTOandCREATE STAGE) andFILES=(…)entries now apply the dialect's standard literal escaping ('→'',\→\\);CREATE STAGEbuilds its SQL from the container's fields rather thanrepr(container). Legal identifiers — including upper-case names that Snowflake folds — still render bare, so existing DDL is unchanged. -
Improve escaping in
CopyIntoStorage/CreateStage/CreateFileFormatand add secret redaction (SNOW-3656048):FILE_FORMAToption string values (e.g.CSVFormatter().date_format(...),file_extension,timestamp_format) are now escaped before being embedded in the compiled SQL, improving single-quote escaping (SNOW-3649888).repr()ofAWSBucket,AzureContainer,GCSBucket(and, transitively,CopyIntoStorage) now masks cloud secrets —AWS_SECRET_KEY,AWS_KEY_ID,AWS_TOKEN,AZURE_SAS_TOKEN,MASTER_KEYare rendered as'***'(SNOW-3649782). Compiled SQL is unchanged.- Added an opt-in logging redactor for engine logs that contain inline credentials:
SnowflakeSecretRedactionFilter,add_secret_redaction_filter(), andredact_secrets(). PreferSTORAGE_INTEGRATIONto avoid putting secrets in SQL at all (SNOW-3649850).
-
Fix
get_view_definitionsilently truncating or failing for view names that contain a single quote or backslash (e.g.o'brien). The name is now SQL-escaped ('→'',\→\\) before being embedded in theSHOW VIEWS LIKE '...'literal, so such views are found correctly and no query manipulation is possible via a crafted view name. -
Optimise single-table reflection (SNOW-3720548): reflecting one table no longer scans the entire schema, reducing latency and Snowflake credit usage for targeted
Inspectorcalls.