Initial Update #385

Merged
merged 23 commits into from
Oct 5, 2017

pyup-bot

This is my first visit to this fine repo so I have bundled all updates in a single pull request to make things easier for you to merge.

Close this pull request and delete the branch if you want me to start with single pull requests right away.

Here's the executive summary:

Updates

Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need.

db-migrator 1.0.1 » 1.0.2 PyPI | Changelog | Repo
argparse 1.2.1 » 1.4.0 PyPI | Changelog | Repo
Beaker 1.8.0 » 1.9.0 PyPI | Changelog | Docs
Jinja2 2.7.3 » 2.9.6 PyPI | Changelog | Homepage
lxml 3.4.0 » 4.0.0 PyPI | Changelog | Homepage | Bugtracker
MarkupSafe 0.23 » 1.0 PyPI | Changelog | Repo
parsimonious 0.6.1 » 0.8.0 PyPI | Repo
Paste 1.7.5.1 » 2.0.3 PyPI | Changelog | Homepage
PasteScript 1.7.5 » 2.0.2 PyPI | Changelog | Homepage
pyramid 1.6a2 » 1.9.1 PyPI | Changelog | Homepage
pyramid-jinja2 2.6.2 » 2.7 PyPI | Changelog | Repo
pyramid-multiauth 0.8.0 » 0.9.0 PyPI | Changelog | Repo
python-memcached 1.53 » 1.58 PyPI | Homepage
repoze.lru 0.6 » 0.7 PyPI | Homepage
requests 2.7.0 » 2.18.4 PyPI | Changelog | Homepage
tzlocal 1.1.3 » 1.4 PyPI | Changelog | Repo
venusian 1.0 » 1.1.0 PyPI | Changelog | Homepage
webencodings 0.5 » 0.5.1 PyPI | Repo | Docs
WebOb 1.5.0a1 » 1.7.3 PyPI | Changelog | Homepage
zope.deprecation 4.1.2 » 4.3.0 PyPI | Changelog | Repo
zope.interface 4.1.2 » 4.4.3 PyPI | Changelog | Repo
cssselect 0.9.1 » 1.0.1 PyPI | Changelog | Repo | Docs
tinycss2 0.5 » 0.6.0 PyPI | Changelog | Docs

Changelogs

db-migrator 1.0.1 -> 1.0.2

1.0.2


  • create a savepoint around should_run - rollback on false, to restore db state
  • Add __version__ to dbmigrator

argparse 1.2.1 -> 1.4.0

1.4.0


  • make argparse behave for default args aka
    issue 12776, 11839: call argparse type function only once.
  • move to github:ThomasWaldmann/argparse
  • add TW as maintainer / give TW's email
  • add some usecase to README, clarify issue tracking
  • add a note to tox.ini about testing on dead snakes

1.3.0


  • added aliases support (thanks to Roland Kammerer!) + tests for it
  • use tox for testing python >= 2.6
  • tests successfully on 3.4 also (without random hash seed)
  • added argparse.external_lib = True so one can test one is really using /
    testing the external library (and not the builtin one in stdlib of recent
    Pythons)

1.2.2


  • added universal wheel support, built, signed and uploaded with:
    python setup.py sdist bdist_wheel upload --identity="Thomas Waldmann" --sign
  • host the files on pypi

Beaker 1.8.0 -> 1.9.0

1.9.0

==========================

  • Beaker now provides builtin ext:mongodb and ext:redis namespace managers.
    Both come with a Synchronizer implemented on the storage backend instead of relying on file one.
  • Fixed an issue where cookie options like Secure, Domain and so on were lost.
  • Improved support for cache entries expiration. NamespaceManagers that support it will expire their key automatically.
  • Pycryptodome can be used instead of pycrypto.
  • An issue with Cookie module import on case insensitive file systems should have been resolved.
  • Cryptography module is now as a crypto function provider instead of pycrypto

1.8.1

==========================

  • Sessions have a new option save_accessed_time which defaults to true for
    backwards compatibility. Set to false to tell beaker not to update
    _accessed_time if the session hasn't been changed, for non-cookie sessions
    stores. This lets you avoid needless datastore writes. _accessed_time will
    always be updated when the session is intentionally saved.
  • data_serializer parameter in Session accepts a custom object with dumps and loads methods.
  • Fixed a TypeError in exception reporting when failing to load a NamespaceManager
  • Allow to change Cookie Expiration from a value back to None, previously it had no effect.
  • Allow SessionMiddleware to setup a custom Session class through the session_class argument.
  • Added invalidate_corrupt option to CookieSessions too for valid cookies containing invalid data.

Jinja2 2.7.3 -> 2.9.6

2.9.6


(bugfix release, released on April 3rd 2017)

  • Fixed custom context behavior in fast resolve mode (675)

2.9.5


(bugfix release, released on January 28th 2017)

  • Restored the original repr of the internal _GroupTuple because this
    caused issues with ansible and it was an unintended change. (654)
  • Added back support for custom contexts that override the old resolve
    method since it was hard for people to spot that this could cause a
    regression.
  • Correctly use the buffer for the else block of for loops. This caused
    invalid syntax errors to be caused on 2.x and completely wrong behavior
    on Python 3 (669)
  • Resolve an issue where the {% extends %} tag could not be used with
    async environments. (668)
  • Reduce memory footprint slightly by reducing our unicode database dump
    we use for identifier matching on Python 3 (666)
  • Fixed autoescaping not working for macros in async compilation mode. (671)

2.9.4


(bugfix release, released on January 10th 2017)

  • Solved some warnings for string literals. (646)
  • Increment the bytecode cache version which was not done due to an
    oversight before.
  • Corrected bad code generation and scoping for filtered loops. (649)
  • Resolved an issue where top-level output silencing after known extend
    blocks could generate invalid code when blocks were contained in if
    statements. (651)
  • Made the truncate.leeway default configurable to improve compatibility
    with older templates.

2.9.3


(bugfix release, released on January 8th 2017)

  • Restored the use of blocks in macros to the extent that was possible
    before. On Python 3 it would render a generator repr instead of
    the block contents. (645)
  • Set a consistent behavior for assigning of variables in inner scopes
    when the variable is also read from an outer scope. This now sets the
    intended behavior in all situations however it does not restore the
    old behavior where limited assignments to outer scopes were possible.
    For more information and a discussion see 641
  • Resolved an issue where block scoped would not take advantage of the
    new scoping rules. In some more exotic cases a variable overridden in a
    local scope would not make it into a block.
  • Change the code generation of the with statement to be in line with the
    new scoping rules. This resolves some unlikely bugs in edge cases. This
    also introduces a new internal With node that can be used by extensions.

2.9.2


(bugfix release, released on January 8th 2017)

  • Fixed a regression that caused for loops to not be able to use the same
    variable for the target as well as source iterator. (640)
  • Add support for a previously unknown behavior of macros. It used to be
    possible in some circumstances to explicitly provide a caller argument
    to macros. While badly buggy and unintended it turns out that this is a
    common case that gets copy pasted around. To not completely break backwards
    compatibility with the most common cases it's now possible to provide an
    explicit keyword argument for caller if it's given an explicit default.
    (642)

2.9.1


(bugfix release, released on January 7th 2017)

  • Resolved a regression with call block scoping for macros. Nested caller
    blocks that used the same identifiers as outer macros could refer to the
    wrong variable incorrectly.

2.9


(codename Derivation, released on January 7th 2017)

  • Change cache key definition in environment. This fixes a performance
    regression introduced in 2.8.
  • Added support for generator_stop on supported Python versions
    (Python 3.5 and later)
  • Corrected a long standing issue with operator precedence of math operations
    not being what was expected.
  • Added support for Python 3.6 async iterators through a new async mode.
  • Added policies for filter defaults and similar things.
  • urlize now sets "rel noopener" by default.
  • Support attribute fallback for old-style classes in 2.x.
  • Support toplevel set statements in extend situations.
  • Restored behavior of Cycler for Python 3 users.
  • Subtraction now follows the same behavior as other operators on undefined
    values.
  • map and friends will now give better error messages if you forgot to
    quote the parameter.
  • Depend on MarkupSafe 0.23 or higher.
  • Improved the truncate filter to support better truncation in case
    the string is barely truncated at all.
  • Change the logic for macro autoescaping to be based on the runtime
    autoescaping information at call time instead of macro define time.
  • Ported a modified version of the tojson filter from Flask to Jinja2
    and hooked it up with the new policy framework.
  • Block sets are now marked safe by default.
  • On Python 2 the asciification of ASCII strings can now be disabled with
    the compiler.ascii_str policy.
  • Tests now no longer accept an arbitrary expression as first argument but
    a restricted one. This means that you can now properly use multiple
    tests in one expression without extra parentheses. In particular you can
    now write foo is divisibleby 2 or foo is divisibleby 3
    as you would expect.
  • Greatly changed the scoping system to be more consistent with what template
    designers and developers expect. There is now no more magic difference
    between the different include and import constructs. Context is now always
    propagated the same way. The only remaining difference is the defaults
    for with context and without context.
  • The with and autoescape tags are now built-in.
  • Added the new select_autoescape function which helps configuring better
    autoescaping easier.

2.8.2


(bugfix release, unreleased)

  • Fixed a runtime error in the sandbox when attributes of async generators
    were accessed.

2.8.1


(bugfix release, released on December 29th 2016)

  • Fixed the for_qs flag for urlencode.
  • Fixed regression when applying int to non-string values.
  • SECURITY: if the sandbox mode is used format expressions are now sandboxed
    with the same rules as in Jinja. This solves various information leakage
    problems that can occur with format strings.

2.8


(codename Replacement, released on July 26th 2015)

  • Added target parameter to urlize function.
  • Added support for followsymlinks to the file system loader.
  • The truncate filter now counts the length.
  • Added equalto filter that helps with select filters.
  • Changed cache keys to use absolute file names if available
    instead of load names.
  • Fixed loop length calculation for some iterators.
  • Changed how Jinja2 enforces strings to be native strings in
    Python 2 to work when people break their default encoding.
  • Added :func:make_logging_undefined which returns an undefined
    object that logs failures into a logger.
  • If unmarshalling of cached data fails the template will be
    reloaded now.
  • Implemented a block set tag.
  • Default cache size was increased to 400 from a low 50.
  • Fixed is number test to accept long integers in all Python versions.
  • Changed is number to accept Decimal as a number.
  • Added a check for default arguments followed by non-default arguments. This
    change makes {% macro m(x, y=1, z) %}...{% endmacro %} a syntax error. The
    previous behavior for this code was broken anyway (resulting in the default
    value being applied to y).
  • Add ability to use custom subclasses of jinja2.compiler.CodeGenerator and
    jinja2.runtime.Context by adding two new attributes to the environment
    (code_generator_class and context_class) (pull request 404).
  • added support for context/environment/evalctx decorator functions on
    the finalize callback of the environment.
  • escape query strings for urlencode properly. Previously slashes were not
    escaped in that place.
  • Add 'base' parameter to 'int' filter.

lxml 3.4.0 -> 4.0.0

4.0.0

==================

Features added

  • The ElementPath implementation is now compiled using Cython,
    which speeds up the .find*() methods quite significantly.
  • The modules lxml.builder, lxml.html.diff and lxml.html.clean
    are also compiled using Cython in order to speed them up.
  • xmlfile() supports async coroutines using async with and await.
  • iterwalk() has a new method skip_subtree() that prevents walking into
    the descendants of the current element.
  • RelaxNG.from_rnc_string() accepts a base_url argument to
    allow relative resource lookups.
  • The XSLT result object has a new method .write_output(file) that serialises
    output data into a file according to the <xsl:output> configuration.

Bugs fixed

  • GH251: HTML comments were handled incorrectly by the soupparser.
    Patch by mozbugbox.
  • LP1654544: The html5parser no longer passes the useChardet option
    if the input is a Unicode string, unless explicitly requested. When parsing
    files, the default is to enable it when a URL or file path is passed (because
    the file is then opened in binary mode), and to disable it when reading from
    a file(-like) object.

Note: This is a backwards incompatible change of the default configuration.
If your code parses byte strings/streams and depends on character detection,
please pass the option guess_charset=True explicitly, which already worked
in older lxml versions.

  • LP1703810: etree.fromstring() failed to parse UTF-32 data with BOM.
  • LP1526522: Some RelaxNG errors were not reported in the error log.
  • LP1567526: Empty and plain text input raised a TypeError in soupparser.
  • LP1710429: Uninitialised variable usage in HTML diff.
  • LP1415643: The closing tags context manager in xmlfile() could continue
    to output end tags even after writing failed with an exception.
  • LP1465357: xmlfile.write() now accepts and ignores None as input argument.
  • Compilation under Py3.7-pre failed due to a modified function signature.

Other changes

  • The main module source files were renamed from lxml.*.pyx to plain
    *.pyx (e.g. etree.pyx) to simplify their handling in the build
    process. Care was taken to keep the old header files as fallbacks for
    code that compiles against the public C-API of lxml, but it might still
    be worth validating that third-party code does not notice this change.

3.8.0

==================

Features added

  • ElementTree.write() has a new option doctype that writes out a
    doctype string before the serialisation, in the same way as tostring().
  • GH220: xmlfile allows switching output methods at an element level.
    Patch by Burak Arslan.
  • LP1595781, GH240: added a PyCapsule Python API and C-level API for
    passing externally generated libxml2 documents into lxml.
  • GH244: error log entries have a new property path with an XPath
    expression (if known, None otherwise) that points to the tree element
    responsible for the error. Patch by Bob Kline.
  • The namespace prefix mapping that can be used in ElementPath now injects
    a default namespace when passing a None prefix.

Bugs fixed

  • GH238: Character escapes were not hex-encoded in the xmlfile serialiser.
    Patch by matejcik.
  • GH229: fix for externally created XML documents. Patch by Theodore Dubois.
  • LP1665241, GH228: Form data handling in lxml.html no longer strips the
    option values specified in form attributes but only the text values.
    Patch by Ashish Kulkarni.
  • LP1551797: revert previous fix for XSLT error logging as it breaks
    multi-threaded XSLT processing.
  • LP1673355, GH233: fromstring() html5parser failed to parse byte strings.

Other changes

  • The previously undocumented docstring option in ElementTree.write()
    produces a deprecation warning and will eventually be removed.

3.7.4

==================

Bugs fixed

  • LP1551797: revert previous fix for XSLT error logging as it breaks
    multi-threaded XSLT processing.
  • LP1673355, GH233: fromstring() html5parser failed to parse byte strings.

3.7.3

==================

Bugs fixed

  • GH218 was ineffective in Python 3.
  • GH222: lxml.html.submit_form() failed in Python 3.
    Patch by Jakub Wilk.

3.7.2

==================

  • GH220: xmlfile allows switching output methods at an element level.
    Patch by Burak Arslan.

Bugs fixed

  • Work around installation problems in recent Python 2.7 versions
    due to FTP download failures.
  • GH219: xmlfile.element() was not properly quoting attribute values.
    Patch by Burak Arslan.
  • GH218: xmlfile.element() was not properly escaping text content of
    script/style tags. Patch by Burak Arslan.

3.7.1

==================

  • No source changes, issued only to solve problems with the
    binary packages released for 3.7.0.

3.7.0

==================

Features added

  • GH217: XMLSyntaxError now behaves more like its SyntaxError
    baseclass. Patch by Philipp A.
  • GH216: HTMLParser() now supports the same collect_ids parameter
    as XMLParser(). Patch by Burak Arslan.
  • GH210: Allow specifying a serialisation method in xmlfile.write().
    Patch by Burak Arslan.
  • GH203: New option default_doctype in HTMLParser that allows
    disabling the automatic doctype creation. Patch by Shadab Zafar.
  • GH201: Calling the method .set('attrname') without value argument
    (or None) on HTML elements creates an attribute without value that
    serialises like <div attrname></div>. Patch by Daniel Holth.
  • GH197: Ignore form input fields in form_values() when they are
    marked as disabled in HTML. Patch by Kristian Klemon.

Bugs fixed

  • GH206: File name and line number were missing from XSLT error messages.
    Patch by Marcus Brinkmann.

Other changes

  • Log entries no longer allow anything but plain string objects as message text
    and file name.
  • zlib is included in the list of statically built libraries.

3.6.4

==================

  • GH204, LP1614693: build fix for MacOS-X.

3.6.3

==================

  • LP1614603: change linker flags to build multi-linux wheels

3.6.2

==================

  • LP1614603: release without source changes to provide cleanly built Linux wheels

3.6.1

==================

Features added

  • GH180: Separate option inline_style for Cleaner that only removes style
    attributes instead of all styles. Patch by Christian Pedersen.
  • GH196: Windows build support for Python 3.5. Contribution by Maximilian Hils.

Bugs fixed

  • GH199: Exclude file fields from FormElement.form_values (as browsers do).
    Patch by Tomas Divis.
  • GH198, LP1568167: Try to provide base URL from Resolver.resolve_string().
    Patch by Michael van Tellingen.
  • GH191: More accurate float serialisation in objectify.FloatElement.
    Patch by Holger Joukl.
  • LP1551797: Repair XSLT error logging. Patch by Marcus Brinkmann.

3.6.0

==================

Features added

  • GH187: Now supports (only) version 5.x and later of PyPy.
    Patch by Armin Rigo.
  • GH181: Direct support for .rnc files in RelaxNG() if rnc2rng
    is installed. Patch by Dirkjan Ochtman.

Bugs fixed

  • GH189: Static builds honour FTP proxy configurations when downloading
    the external libs. Patch by Youhei Sakurai.
  • GH186: Soupparser failed to process entities in Python 3.x.
    Patch by Duncan Morris.
  • GH185: Rare encoding related TypeError on import was fixed.
    Patch by Petr Demin.

3.5.0

==================

Bugs fixed

  • Unicode string results failed XPath queries in PyPy.
  • LP1497051: HTML target parser failed to terminate on exceptions
    and continued parsing instead.
  • Deprecated API usage in doctestcompare.

3.5.0b1

====================

Features added

  • cleanup_namespaces() accepts a new argument keep_ns_prefixes
    that does not remove definitions of the provided prefix-namespace
    mapping from the tree.
  • cleanup_namespaces() accepts a new argument top_nsmap that
    moves definitions of the provided prefix-namespace mapping to the
    top of the tree.
  • LP1490451: Element objects gained a cssselect() method as
    known from lxml.html. Patch by Simon Sapin.
  • API functions and methods behave and look more like Python functions,
    which allows introspection on them etc. One side effect to be aware of
    is that the functions now bind as methods when assigned to a class
    variable. A quick fix is to wrap them in staticmethod() (as for
    normal Python functions).
  • ISO-Schematron support gained an option error_finder that allows
    passing a filter function for picking validation errors from reports.
  • LP1243600: Elements in lxml.html gained a classes property
    that provides a set-like interface to the class attribute.
    Original patch by masklinn.
  • LP1341964: The soupparser now handles DOCTYPE declarations, comments
    and processing instructions outside of the root element.
    Patch by Olli Pottonen.
  • LP1421512: The docinfo of a tree was made editable to allow
    setting and removing the public ID and system ID of the DOCTYPE.
    Patch by Olli Pottonen.
  • LP1442427: More work-arounds for quirks and bugs in pypy and pypy3.
  • lxml.html.soupparser now uses BeautifulSoup version 4 instead
    of version 3 if available.

Bugs fixed

  • Memory errors that occur during tree adaptations (e.g. moving subtrees
    to foreign documents) could leave the tree in a crash prone state.
  • Calling process_children() in an XSLT extension element without
    an output_parent argument failed with a TypeError.
    Fix by Jens Tröger.
  • GH162: Image data in HTML data URLs is considered safe and
    no longer removed by lxml.html.clean JavaScript cleaner.
  • GH166: Static build could link libraries in wrong order.
  • GH172: Rely a bit more on libxml2 for encoding detection rather than
    rolling our own in some cases. Patch by Olli Pottonen.
  • GH159: Validity checks for names and string content were tightened
    to detect the use of illegal characters early. Patch by Olli Pottonen.
  • LP1421921: Comments/PIs before the DOCTYPE declaration were not
    serialised. Patch by Olli Pottonen.
  • LP659367: Some HTML DOCTYPE declarations were not serialised.
    Patch by Olli Pottonen.
  • LP1238503: lxml.doctestcompare is now consistent with stdlib's doctest
    in how it uses + and - to refer to unexpected and missing output.
  • Empty prefixes are explicitly rejected when a namespace mapping is used
    with ElementPath to avoid hiding bugs in user code.
  • Several problems with PyPy were fixed by switching to Cython 0.23.

3.4.4

==================

Bugs fixed

  • An ElementTree compatibility test added in lxml 3.4.3 that failed in
    Python 3.4+ was removed again.

3.4.3

==================

Bugs fixed

  • Expression cache in ElementPath was ignored. Fix by Changaco.
  • LP1426868: Passing a default namespace and a prefixed namespace mapping
    as nsmap into xmlfile.element() raised a TypeError.
  • LP1421927: DOCTYPE system URLs were incorrectly quoted when containing
    double quotes. Patch by Olli Pottonen.
  • LP1419354: meta-redirect URLs were incorrectly processed by
    iterlinks() if preceded by whitespace.

3.4.2

==================

Bugs fixed

  • LP1415907: Crash when creating an XMLSchema from a non-root element
    of an XML document.
  • LP1369362: HTML cleaning failed when hitting processing instructions
    with pseudo-attributes.
  • CDATA() wrapped content was rejected for tail text.
  • CDATA sections were not serialised as tail text of the top-level element.

3.4.1

==================

Features added

  • New htmlfile HTML generator to accompany the incremental xmlfile
    serialisation API. Patch by Burak Arslan.

Bugs fixed

  • lxml.sax.ElementTreeContentHandler did not initialise its superclass.

MarkupSafe 0.23 -> 1.0

1.0


  • Fixed custom types not invoking __unicode__ when used
    with format().
  • Added __version__ module attribute
  • Improve unescape code to leave lone ampersands alone.

Paste 1.7.5.1 -> 2.0.3

2.0.3


2.0.2


2.0.1


  • Fix setup.py for six dependency: move the six dependency from extras_require
    to install_requires.
  • Port paste.proxy to Python 3.
  • Fix paste.exceptions.serial_number_generator.hash_identifier() on Python 3.
  • Fix paste.util.threadedprint.uninstall(). Rename duplicated uninstall()
    function to uninstall_stdin() and fix typo in variable name (_oldstin =>
    _oldstdin).
  • Add README.rst file.

2.0


  • Experimental Python 3 support.
  • paste now requires the six module.
  • Drop support of Python 2.5 and older.
  • Fixed egg:Pastecgi
  • In paste.httpserver: give a 100 Continue response even when the
    server has been configured as an HTTP/1.0 server (clients may send
    Expect: 100-Continue before they know the version), and wrap
    100 Continue environ['wsgi.input'] files with LimitedLengthFile
    just like normal request bodies are wrapped, keeping WSGI
    applications from over-reading from the socket.
  • Fixed parsing of paths beginning with multiple forward slashes.
  • Add tox.ini to run tests with tox on Python 2.6, 2.7 and 3.4.

PasteScript 1.7.5 -> 2.0.2

2.0.2


  • Issue 20: Fix "paster points --list" on Python 3.
  • Fix cgi_server on Python 3.
  • Fix usage of the sort() method on Python 3.
  • Fix grep on Python 3.

2.0.1


  • Fix --help command on Python 3. Patch written by Atsushi Odagiri (aodag).
  • Fix "paster create --template=basic_package test" command on Python 3.
    Patch written by Atsushi Odagiri (aodag).
  • Fix error when 'paster create --list-template' on Python 3. Patch written by
    FGtatsuro.
  • Create universal wheel package.

2.0


  • Experimental Python 3 support.
  • six module is now required.
  • Drop support of Python 2.5 and older

pyramid 1.6a2 -> 1.9.1

1.9

================

  • No major changes from 1.9b1.
  • Updated documentation links for docs.pylonsproject.org to use HTTPS.

1.9b1

==================

  • Support _query=None and _anchor=None in request.route_url as well
    as query=None and anchor=None in request.resource_url.
    Previously this would cause an ? and a #, respectively, in the url
    with nothing after it. Now the unnecessary parts are dropped from the
    generated URL. See refactor parse_url_overrides Pylons/pyramid#3034

1.9a2

==================

Backward Incompatibilities

  • request.exception and request.exc_info will only be set if the
    response was generated by the EXCVIEW tween. This is to avoid any confusion
    where a response was generated elsewhere in the pipeline and not in
    direct relation to the original exception. If anyone upstream wants to
    catch and render responses for exceptions they should set
    request.exception and request.exc_info themselves to indicate
    the exception that was squashed when generating the response.

Similar behavior occurs with request.invoke_exception_view in which
the exception properties are set to reflect the exception if a response
is successfully generated by the method.

This is a very minor incompatibility. Most tweens right now would give
priority to the raised exception and ignore request.exception. This
change just improves and clarifies that bookkeeping by trying to be
more clear about the relationship between the response and its squashed
exception. See Pylons/pyramid#3029 and
Pylons/pyramid#3031

1.9a1

==================

Major Features

  • The file format used by all p* command line scripts such as pserve
    and pshell, as well as the pyramid.paster.bootstrap function
    is now replaceable thanks to a new dependency on
    plaster <https://docs.pylonsproject.org/projects/plaster/en/latest/>_.

For now, Pyramid is still shipping with integrated support for the
PasteDeploy INI format by depending on the
plaster_pastedeploy <https://github.com/Pylons/plaster_pastedeploy>_
binding library. This may change in the future.

See Pylons/pyramid#2985

  • Added an execution policy hook to the request pipeline. An execution
    policy has the ability to control creation and execution of the request
    objects before they enter the rest of the pipeline. This means for a single
    request environ the policy may create more than one request object.

The first library to use this feature is
pyramid_retry <https://docs.pylonsproject.org/projects/pyramid-retry/en/latest/>_.

See Pylons/pyramid#2964

  • CSRF support has been refactored out of sessions and into its own
    independent API in the pyramid.csrf module. It supports a pluggable
    pyramid.interfaces.ICSRFStoragePolicy which can be used to define your
    own mechanism for generating and validating CSRF tokens. By default,
    Pyramid continues to use the pyramid.csrf.LegacySessionCSRFStoragePolicy
    that uses the request.session.get_csrf_token and
    request.session.new_csrf_token APIs under the hood to preserve
    compatibility. Two new policies are shipped as well,
    pyramid.csrf.SessionCSRFStoragePolicy and
    pyramid.csrf.CookieCSRFStoragePolicy which will store the CSRF tokens
    in the session and in a standalone cookie, respectively. The storage policy
    can be changed by using the new
    pyramid.config.Configurator.set_csrf_storage_policy config directive.

CSRF tokens should be used via the new pyramid.csrf.get_csrf_token,
pyramid.csrf.new_csrf_token and pyramid.csrf.check_csrf_token APIs
in order to continue working if the storage policy is changed. Also, the
pyramid.csrf.get_csrf_token function is injected into templates to be
used conveniently in UI code.

See Pylons/pyramid#2854 and
Pylons/pyramid#3019

Minor Features

  • Support an open_url config setting in the pserve section of the
    config file. This url is used to open a web browser when pserve --browser
    is invoked. When this setting is unavailable the pserve script will
    attempt to guess the port the server is using from the
    server:<server_name> section of the config file but there is no
    requirement that the server is being run in this format so it may fail.
    See pserve open_url config setting Pylons/pyramid#2984
  • The pyramid.config.Configurator can now be used as a context manager
    which will automatically push/pop threadlocals (similar to
    config.begin() and config.end()). It will also automatically perform
    a config.commit() and thus it is only recommended to be used at the
    top-level of your app. See turn the Configurator into a context manager Pylons/pyramid#2874
  • The threadlocals are now available inside any function invoked via
    config.include. This means the only config-time code that cannot rely
    on threadlocals is code executed from non-actions inside the main. This
    can be alleviated by invoking config.begin() and config.end()
    appropriately or using the new context manager feature of the configurator.
    See push threadlocals while executing config.include functions Pylons/pyramid#2989

Bug Fixes

Deprecations

  • Pyramid currently depends on plaster_pastedeploy to simplify the
    transition to plaster by maintaining integrated support for INI files.
    This dependency on plaster_pastedeploy should be considered subject to
    Pyramid's deprecation policy and may be removed in the future.
    Applications should depend on the appropriate plaster binding to satisfy
    their needs.
  • Retrieving CSRF token from the session has been deprecated in favor of
    equivalent methods in the pyramid.csrf module. The CSRF methods
    (ISession.get_csrf_token and ISession.new_csrf_token) are no longer
    required on the ISession interface except when using the default
    pyramid.csrf.LegacySessionCSRFStoragePolicy.

Also, pyramid.session.check_csrf_token is now located at
pyramid.csrf.check_csrf_token.

See Pylons/pyramid#2854 and
Pylons/pyramid#3019

Documentation Changes

1.8

================

  • No major changes from 1.8b1.

1.8b1

==================

Features

Documentation Changes

1.8a1

==================

Backward Incompatibilities

  • Following the Pyramid deprecation period (1.6 -> 1.8),
    daemon support for pserve has been removed. This includes removing the
    daemon commands (start, stop, restart, status) as well as the following
    arguments: --daemon, --pid-file, --log-file,
    --monitor-restart, --status, --user, --group,
    --stop-daemon

To run your server as a daemon you should use a process manager instead of
pserve.

See Pylons/pyramid#2615

  • Change static view to avoid setting the Content-Encoding response header
    to an encoding guessed using Python's mimetypes module. This was causing
    clients to decode the content of gzipped files when downloading them. The
    client would end up with a foo.txt.gz file on disk that was already
    decoded, thus should really be foo.txt. Also, the Content-Encoding
    should only have been used if the client itself broadcast support for the
    encoding via Accept-Encoding request headers.
    See Avoid setting Content-Encoding header for static view responses. Pylons/pyramid#2810

Features

  • The _get_credentials private method of BasicAuthAuthenticationPolicy
    has been extracted into a standalone function, extract_http_basic_credentials,
    in the pyramid.authentication module. This function extracts HTTP Basic
    credentials from a request object and returns them as a named tuple.
    See ref #2659 public HTTP Basic credentials extraction Pylons/pyramid#2662
  • Added pyramid.config.Configurator.add_exception_view and the
    pyramid.view.exception_view_config decorator. It is now possible using
    these methods or via the new exception_only=True option to add_view
    to add a view which will only be matched when handling an exception.
    Previously any exception views were also registered for a traversal
    context that inherited from the exception class which prevented any
    exception-only optimizations.
    See Exception-only option when registering views Pylons/pyramid#2660
  • Added the exception_only boolean to
    pyramid.interfaces.IViewDeriverInfo which can be used by view derivers
    to determine if they are wrapping a view which only handles exceptions.
    This means that it is no longer necessary to perform request-time checks
    for request.exception to determine if the view is handling an exception
    - the pipeline can be optimized at config-time.
    See Exception-only option when registering views Pylons/pyramid#2660
  • pserve --reload now uses the
    hupper <http://docs.pylonsproject.org/projects/hupper/en/latest/>
    library to monitor file changes. This comes with many improvements:
      • If the watchdog <http://pythonhosted.org/watchdog/> package is
        installed then monitoring will be done using inotify instead of
        cpu and disk-intensive polling.
      • The monitor is now a separate process that will not crash and starts up
        before any of your code.
      • The monitor will not restart the process after a crash until a file is
        saved.
      • The monitor works on Windows.
      • You can now trigger a reload manually from a pyramid view or any other
        code via hupper.get_reloader().trigger_reload(). Kind of neat.
      • You can trigger a reload by issuing a SIGHUP to the monitor process.

See Pylons/pyramid#2805

  • Allow streaming responses to be made from subclasses of
    pyramid.httpexceptions.HTTPException. Previously the response would
    be unrolled while testing for a body, making it impossible to stream
    a response.
    See Bugfix: streaming exceptions Pylons/pyramid#2863
  • config.begin() will propagate the current threadlocal request through
    as long as the registry is the same. For example:

.. code-block:: python

    request = Request.blank(...)
    config.begin(request)  # pushes a request
    config.begin()         # propagates the previous request through unchanged
    assert get_current_request() is request

See Pylons/pyramid#2873

Bug Fixes

  • Fix a RuntimeWarning emitted by WebOb when using arbitrary objects
    as the userid in the AuthTktAuthenticationPolicy. This is now caught
    by the policy and the object is serialized as a base64 string to avoid
    the cryptic warning. Since the userid will be read back as a string on
    subsequent requests a more useful warning is emitted encouraging you to
    use a primitive type instead.
    See Fix AuthTktCookieHelper so that it doesn't create bad cookies Pylons/pyramid#2715
  • Pyramid 1.6 introduced the ability for an action to invoke another action.
    There was a bug in the way that config.add_view would interact with
    custom view derivers introduced in Pyramid 1.7 because the view's
    discriminator cannot be computed until view derivers and view predicates
    have been created in earlier orders. Invoking an action from another action
    would trigger an unrolling of the pipeline and would compute discriminators
    before they were ready. The new behavior respects the order of the action
    and ensures the discriminators are not computed until dependent actions
    from previous orders have executed.
    See handle deferred discriminators when using re-entrant actions Pylons/pyramid#2757

Deprecations

  • The pcreate script and related scaffolds have been deprecated in favor
    of the popular
    cookiecutter <https://cookiecutter.readthedocs.io/en/latest/> project.

All of Pyramid's official scaffolds as well as the tutorials have been
ported to cookiecutters:

  • pyramid-cookiecutter-starter <https://github.com/Pylons/pyramid-cookiecutter-starter>
  • pyramid-cookiecutter-alchemy <https://github.com/Pylons/pyramid-cookiecutter-alchemy>
  • pyramid-cookiecutter-zodb <https://github.com/Pylons/pyramid-cookiecutter-zodb>

See Pylons/pyramid#2780

Documentation Changes

  • The SQLAlchemy + URL Dispatch + Jinja2 (wiki2) and
    ZODB + Traversal + Chameleon (wiki) tutorials have been updated to
    utilize the new cookiecutters and drop support for the pcreate
    scaffolds.

See Pylons/pyramid#2881 and
Pylons/pyramid#2883.

1.7

================

1.7b4

==================

  • Exposed the pyramid.interfaces.IRequestFactory interface to mirror
    the public pyramid.interfaces.IResponseFactory interface.

1.7b3

==================

  • Add linkcheck to Makefile for Sphinx. To check the documentation for
    broken links, use the command make linkcheck SPHINXBUILD=$VENV/bin/sphinx-build. Also removed and fixed dozens of broken
    external links.

1.7b2

==================

  • A default permission set via config.set_default_permission will no
    longer be enforced on an exception view. This has been the case for a while
    with the default exception views (config.add_notfound_view and
    config.add_forbidden_view), however for any other exception view a
    developer had to remember to set permission=NO_PERMISSION_REQUIRED or
    be surprised when things didn't work. It is still possible to force a
    permission check on an exception view by setting the permission argument
    manually to config.add_view. This behavior is consistent with the new
    CSRF features added in the 1.7 series.
    See do not enforce default permissions on exception views Pylons/pyramid#2534

1.7b1

==================

  • This release announces the beta period for 1.7.

1.7a2

==================

Features

  • The automatic CSRF API was reworked to use a config directive for
    setting the options. The pyramid.require_default_csrf setting is
    no longer supported. Instead, a new config.set_default_csrf_options
    directive has been introduced that allows the developer to specify
    the default value for require_csrf as well as change the CSRF token,
    header and safe request methods. The pyramid.csrf_trusted_origins
    setting is still supported.
    See replace pyramid.require_default_csrf setting with config.set_default_csrf_options Pylons/pyramid#2518

Bug fixes

1.7a1

==================

Backward Incompatibilities

  • Following the Pyramid deprecation period (1.4 -> 1.6),
    AuthTktAuthenticationPolicy's default hashing algorithm is changing from md5
    to sha512. If you are using the authentication policy and need to continue
    using md5, please explicitly set hashalg to 'md5'.

This change does mean that any existing auth tickets (and associated cookies)
will no longer be valid, and users will no longer be logged in and will have to
log in to their accounts again.

See Pylons/pyramid#2496

Features

  • Added a new setting, pyramid.require_default_csrf which may be used
    to turn on CSRF checks globally for every POST request in the application.
    This should be considered a good default for websites built on Pyramid.
    It is possible to opt-out of CSRF checks on a per-view basis by setting
    require_csrf=False on those views.
    See require_csrf to replace check_csrf Pylons/pyramid#2413
  • Added an additional CSRF validation that checks the origin/referrer of a
    request and makes sure it matches the current request.domain. This
    particular check is only active when accessing a site over HTTPS as otherwise
    browsers don't always send the required information. If this additional CSRF
    validation fails a BadCSRFOrigin exception will be raised and may be
    caught by exception views (the default response is 400 Bad Request).
    Additional allowed origins may be configured by setting


@mmulich mmulich left a comment


Let's merge this and see if we can get another release/deploy happening sometime next week.

@karenc karenc self-assigned this Oct 4, 2017

@karenc karenc left a comment


I'm just going to test this before merging it.

@karenc karenc merged commit c7ebb35 into master Oct 5, 2017
@karenc karenc deleted the pyup-initial-update branch October 5, 2017 19:59