All Versions
Latest Version
Avg Release Cycle
70 days
Latest Release

Changelog History
Page 1

  • v2.3.0 Changes

    ๐Ÿš€ Unreleased

  • v2.2.2 Changes

    ๐Ÿš€ Released 2022-08-08

    • โช Fix router to restore the 2.1 strict_slashes == False behaviour whereby leaf-requests match branch rules and vice versa. :pr:2489
    • ๐Ÿ“œ Fix router to identify invalid rules rather than hang parsing them, and to correctly parse / within converter arguments. :pr:2489
    • โšก๏ธ Update subpackage imports in :mod:werkzeug.routing to use the import as syntax for explicitly re-exporting public attributes. :pr:2493
    • ๐Ÿ“œ Parsing of some invalid header characters is more robust. :pr:2494
    • โš  When starting the development server, a warning not to use it in a production deployment is always shown. :issue:2480
    • LocalProxy.__wrapped__ is always set to the wrapped object when the proxy is unbound, fixing an issue in doctest that would cause it to fail. :issue:2485
    • โš  Address one ResourceWarning related to the socket used by run_simple. :issue:2421
  • v2.2.1 Changes

    ๐Ÿš€ Released 2022-07-27

    • Fix router so that /path/ will match a rule /path if strict slashes mode is disabled for the rule. :issue:2467
    • Fix router so that partial part matches are not allowed i.e. /2df does not match /<int>. :pr:2470
    • Fix router static part weighting, so that simpler routes are matched before more complex ones. :issue:2471
    • โช Restore ValidationError to be importable from werkzeug.routing. :issue:2465
  • v2.2.0 Changes

    ๐Ÿš€ Released 2022-07-23

    • Deprecated get_script_name, get_query_string, peek_path_info, pop_path_info, and extract_path_info. :pr:2461
    • ๐Ÿšš Remove previously deprecated code. :pr:2461
    • Add MarkupSafe as a dependency and use it to escape values when rendering HTML. :issue:2419
    • Added the werkzeug.debug.preserve_context mechanism for restoring context-local data for a request when running code in the debug console. :pr:2439
    • Fix compatibility with Python 3.11 by ensuring that end_lineno and end_col_offset are present on AST nodes. :issue:2425
    • Add a new faster matching router based on a state machine. :pr:2433
    • Fix branch leaf path masking branch paths when strict-slashes is disabled. :issue:1074
    • Names within options headers are always converted to lowercase. This matches :rfc:6266 that the case is not relevant. :issue:2442
    • ๐Ÿ— AnyConverter validates the value passed for it when building URLs. :issue:2388
    • The debugger shows enhanced error locations in tracebacks in Python 3.11. :issue:2407
    • Added Sans-IO is_resource_modified and parse_cookie functions based on WSGI versions. :issue:2408
    • Added Sans-IO get_content_length function. :pr:2415
    • โœ… Don't assume a mimetype for test responses. :issue:2450
    • Type checking FileStorage accepts os.PathLike. :pr:2418
  • v2.1.2 Changes

    ๐Ÿš€ Released 2022-04-28

    • The development server does not set Transfer-Encoding: chunked for 1xx, 204, 304, and HEAD responses. :issue:2375
    • Response HTML for exceptions and redirects starts with <!doctype html> and <html lang=en>. :issue:2390
    • Fix ability to set some cache_control attributes to False. :issue:2379
    • Disable keep-alive connections in the development server, which are not supported sufficiently by Python's http.server. :issue:2397
  • v2.1.1 Changes

    ๐Ÿš€ Released 2022-04-01

    • ResponseCacheControl.s_maxage converts its value to an int, like max_age. :issue:2364
  • v2.1.0 Changes

    ๐Ÿš€ Released 2022-03-28

    • ๐Ÿ‘ Drop support for Python 3.6. :pr:2277
    • Using gevent or eventlet requires greenlet>=1.0 or PyPy>=7.3.7. werkzeug.locals and contextvars will not work correctly with older versions. :pr:2278
    • ๐Ÿšš Remove previously deprecated code. :pr:2276

      • Remove the non-standard shutdown function from the WSGI environ when running the development server. See the docs for alternatives.
      • Request and response mixins have all been merged into the Request and Response classes.
      • The user agent parser and the useragents module is removed. The user_agent module provides an interface that can be subclassed to add a parser, such as ua-parser. By default it only stores the whole string.
      • The test client returns TestResponse instances and can no longer be treated as a tuple. All data is available as properties on the response.
      • Remove locals.get_ident and related thread-local code from locals, it no longer makes sense when moving to a contextvars-based implementation.
      • Remove the python -m werkzeug.serving CLI.
      • The has_key method on some mapping datastructures; use key in data instead.
      • Request.disable_data_descriptor is removed, pass shallow=True instead.
      • Remove the no_etag parameter from Response.freeze().
      • Remove the HTTPException.wrap class method.
      • Remove the cookie_date function. Use http_date instead.
      • Remove the pbkdf2_hex, pbkdf2_bin, and safe_str_cmp functions. Use equivalents in hashlib and hmac modules instead.
      • Remove the Href class.
      • Remove the HTMLBuilder class.
      • Remove the invalidate_cached_property function. Use del obj.attr instead.
      • Remove bind_arguments and validate_arguments. Use :meth:Signature.bind and :func:inspect.signature instead.
      • Remove detect_utf_encoding, it's built-in to json.loads.
      • Remove format_string, use :class:string.Template instead.
      • Remove escape and unescape. Use MarkupSafe instead.
    • The multiple parameter of parse_options_header is deprecated. :pr:2357

    • Rely on :pep:538 and :pep:540 to handle decoding file names with the correct filesystem encoding. The filesystem module is removed. :issue:1760

    • 0๏ธโƒฃ Default values passed to Headers are validated the same way values added later are. :issue:1608

    • Setting CacheControl int properties, such as max_age, will convert the value to an int. :issue:2230

    • Always use socket.fromfd when restarting the dev server. :pr:2287

    • ๐Ÿ— When passing a dict of URL values to, list values do not filter out None or collapse to a single value. Passing a MultiDict does collapse single items. This undoes a previous change that made it difficult to pass a list, or None values in a list, to custom URL converters. :issue:2249

    • run_simple shows instructions for dealing with "address already in use" errors, including extra instructions for macOS. :pr:2321

    • Extend list of characters considered always safe in URLs based on :rfc:3986. :issue:2319

    • โšก๏ธ Optimize the stat reloader to avoid watching unnecessary files in more cases. The watchdog reloader is still recommended for performance and accuracy. :issue:2141

    • The development server uses Transfer-Encoding: chunked for streaming responses when it is configured for HTTP/1.1. :issue:2090, 1327, :pr:2091

    • The development server uses HTTP/1.1, which enables keep-alive connections and chunked streaming responses, when threaded or processes is enabled. :pr:2323

    • cached_property works for classes with __slots__ if a corresponding _cache_{name} slot is added. :pr:2332

    • ๐Ÿ”จ Refactor the debugger traceback formatter to use Python's built-in traceback module as much as possible. :issue:1753

    • โœ… The TestResponse.text property is a shortcut for r.get_data(as_text=True), for convenient testing against text instead of bytes. :pr:2337

    • safe_join ensures that the path remains relative if the trusted directory is the empty string. :pr:2349

    • Percent-encoded newlines (%0a), which are decoded by WSGI servers, are considered when routing instead of terminating the match early. :pr:2350

    • โœ… The test client doesn't set duplicate headers for CONTENT_LENGTH and CONTENT_TYPE. :pr:2348

    • append_slash_redirect handles PATH_INFO with internal slashes. :issue:1972, :pr:2338

    • The default status code for append_slash_redirect is 308 instead of 301. This preserves the request body, and matches a previous change to strict_slashes in routing. :issue:2351

    • โœ… Fix ValueError: I/O operation on closed file. with the test client when following more than one redirect. :issue:2353

    • Response.autocorrect_location_header is disabled by default. The Location header URL will remain relative, and exclude the scheme and domain, by default. :issue:2352

    • Request.get_json() will raise a 400 BadRequest error if the Content-Type header is not application/json. This makes a very common source of confusion more visible. :issue:2339

  • v2.0.3 Changes

    ๐Ÿš€ Released 2022-02-07

    • ๐Ÿ‘ ProxyFix supports IPv6 addresses. :issue:2262
    • Type annotation for Response.make_conditional, HTTPException.get_response, and Map.bind_to_environ accepts Request in addition to WSGIEnvironment for the first parameter. :pr:2290
    • Fix type annotation for Request.user_agent_class. :issue:2273
    • Accessing LocalProxy.__class__ and __doc__ on an unbound proxy returns the fallback value instead of a method object. :issue:2188
    • Redirects with the test client set RAW_URI and REQUEST_URI correctly. :issue:2151
  • v2.0.2 Changes

    ๐Ÿš€ Released 2021-10-05

    • Handle multiple tokens in Connection header when routing WebSocket requests. :issue:2131
    • ๐Ÿ“Œ Set the debugger pin cookie secure flag when on https. :pr:2150
    • โšก๏ธ Fix type annotation for MultiDict.update to accept iterable values :pr:2142
    • ๐Ÿ”€ Prevent double encoding of redirect URL when merge_slash=True for Rule.match. :issue:2157
    • CombinedMultiDict.to_dict with flat=False considers all component dicts when building value lists. :issue:2189
    • send_file only sets a detected Content-Encoding if as_attachment is disabled to avoid browsers saving decompressed .tar.gz files. :issue:2149
    • Fix type annotations for TypeConversionDict.get to not return an Optional value if both default and type are not None. :issue:2169
    • Fix type annotation for routing rule factories to accept Iterable[RuleFactory] instead of Iterable[Rule] for the rules parameter. :issue:2183
    • Add missing type annotation for FileStorage.__getattr__ :issue:2155
    • ๐Ÿ“Œ The debugger pin cookie is set with SameSite set to Strict instead of None to be compatible with modern browser security. :issue:2156
    • Type annotations use IO[bytes] and IO[str] instead of BinaryIO and TextIO for wider type compatibility. :issue:2130
    • Ad-hoc TLS certs are generated with SAN matching CN. :issue:2158
    • Fix memory usage for locals when using Python 3.6 or pre 0.4.17 greenlet versions. :pr:2212
    • Fix type annotation in CallbackDict, because it is not utilizing a bound TypeVar. :issue:2235
    • Fix setting CSP header options on the response. :pr:2237
    • Fix an issue with with the interactive debugger where lines would not expand on click for very long tracebacks. :pr:2239
    • ๐Ÿ‘ป The interactive debugger handles displaying an exception that does not have a traceback, such as from ProcessPoolExecutor. :issue:2217
  • v2.0.1 Changes

    ๐Ÿš€ Released 2021-05-17

    • Fix type annotation for send_file max_age callable. Don't pass pathlib.Path to max_age. :issue:2119
    • Mark top-level names as exported so type checking understands imports in user projects. :issue:2122
    • Fix some types that weren't available in Python 3.6.0. :issue:2123
    • cached_property is generic over its return type, properties decorated with it report the correct type. :issue:2113
    • ๐Ÿ“œ Fix multipart parsing bug when boundary contains special regex characters. :issue:2125
    • Type checking understands that calling headers.get with a string default will always return a string. :issue:2128
    • If HTTPException.description is not a string, get_description will convert it to a string. :issue:2115