Skip to content

Release

Latest

Choose a tag to compare

@snowflake-connectors-app snowflake-connectors-app released this 08 Jul 08:52
5a6f87f
  • v1.11.0 (July 7, 2026)

  • Sensitive connection parameters: We curated a set of connector kwargs (host, protocol, token_file_path, private_key_file, ocsp_response_cache_filename, connection_diag_log_path, crl_cache_dir, unsafe_file_write, unsafe_skip_file_permissions_check) that can no longer be supplied via the URL query string — pass them via connect_args= in create_engine() instead (applications already doing so are unaffected). If you encounter a possible behavioral change, set SNOWFLAKE_SQLALCHEMY_LEGACY_URL_PARAMS=1 and follow the instructions at Sensitive connection parameters.

  • Improve _url() helper and create_connect_args connection-parameter handling:

    • account and region values are now validated against an allowlist of DNS-safe characters (alphanumeric, -, ., _) before being interpolated into the connection URL, preventing URL-authority corruption from unexpected characters.
    • user values are percent-encoded before being placed in the URL userinfo component, preserving the original value delivered to the connector while preventing @, ?, and # from being misinterpreted as URL delimiters.
  • ClusterByOption now raises TypeError at DDL compile time when an expression element is neither a str nor a sqlalchemy.sql.expression.TextClause. Previously, such values were silently coerced via str(), which produced malformed DDL (e.g. bind-parameter placeholders like :id_1) for any expression beyond a bare column name. The accepted types match the documented constructor signature; code using only str or text(...) is unaffected.

  • Improve identifier quoting and string-literal escaping for caller-supplied values across the DDL compiler so they are rendered consistently with the rest of the dialect. Column keys in MERGE INTO (both the WHEN NOT MATCHED … INSERT list and WHEN MATCHED … SET targets), stage namespaces/names, format_name, and file_format are now routed through the identifier preparer, and a quote=False schema or column label is quoted when it contains characters that would otherwise require quoting instead of being emitted verbatim. Cloud-storage URIs, CREDENTIALS, and ENCRYPTION clauses (shared by COPY INTO and CREATE STAGE) and FILES=(…) entries now apply the dialect's standard literal escaping (''', \\\); CREATE STAGE builds its SQL from the container's fields rather than repr(container). Legal identifiers — including upper-case names that Snowflake folds — still render bare, so existing DDL is unchanged.

  • Improve escaping in CopyIntoStorage / CreateStage / CreateFileFormat and add secret redaction (SNOW-3656048):

    • FILE_FORMAT option string values (e.g. CSVFormatter().date_format(...), file_extension, timestamp_format) are now escaped before being embedded in the compiled SQL, improving single-quote escaping (SNOW-3649888).
    • repr() of AWSBucket, AzureContainer, GCSBucket (and, transitively, CopyIntoStorage) now masks cloud secrets — AWS_SECRET_KEY, AWS_KEY_ID, AWS_TOKEN, AZURE_SAS_TOKEN, MASTER_KEY are rendered as '***' (SNOW-3649782). Compiled SQL is unchanged.
    • Added an opt-in logging redactor for engine logs that contain inline credentials: SnowflakeSecretRedactionFilter, add_secret_redaction_filter(), and redact_secrets(). Prefer STORAGE_INTEGRATION to avoid putting secrets in SQL at all (SNOW-3649850).
  • Fix get_view_definition silently truncating or failing for view names that contain a single quote or backslash (e.g. o'brien). The name is now SQL-escaped (''', \\\) before being embedded in the SHOW VIEWS LIKE '...' literal, so such views are found correctly and no query manipulation is possible via a crafted view name.

  • Optimise single-table reflection (SNOW-3720548): reflecting one table no longer scans the entire schema, reducing latency and Snowflake credit usage for targeted Inspector calls.