Update dependency Werkzeug to v3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
Werkzeug (changelog)	==1.0.0 -> ==3.1.4

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-23934

Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain.

Werkzeug <= 2.2.2 will parse the cookie =__Host-test=bad as __Host-test=bad. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.

CVE-2023-25577

Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False), it can cause unexpectedly high resource usage.

This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.

CVE-2023-46136

Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer.

This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.

CVE-2024-34069

The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.

CVE-2024-49766

On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.

CVE-2024-49767

Applications using Werkzeug to parse multipart/form-data requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the Request.max_form_memory_size setting.

The Request.max_content_length setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.

CVE-2025-66221

Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.

---

Release Notes

pallets/werkzeug (Werkzeug)

v3.1.4

Compare Source

Released 2025-11-28

• safe_join on Windows does not allow special device names. This prevents
  reading from these when using send_from_directory. secure_filename
  already prevented writing to these. :ghsa:hgf8-39gv-g3f2
• The debugger pin fails after 10 attempts instead of 11. :pr:3020
• The multipart form parser handles a \r\n sequence at a chunk boundary.
  :issue:3065
• Improve CPU usage during Watchdog reloader. :issue:3054
• Request.json annotation is more accurate. :issue:3067
• Traceback rendering handles when the line number is beyond the available
  source lines. :issue:3044
• HTTPException.get_response annotation and doc better conveys the
  distinction between WSGI and sans-IO responses. :issue:3056

v3.1.3

Compare Source

Released 2024-11-08

• Initial data passed to MultiDict and similar interfaces only accepts
  list, tuple, or set when passing multiple values. It had been
  changed to accept any Collection, but this matched types that should be
  treated as single values, such as bytes. :issue:2994
• When the Host header is not set and Request.host falls back to the
  WSGI SERVER_NAME value, if that value is an IPv6 address it is wrapped
  in [] to match the Host header. :issue:2993

v3.1.2

Compare Source

Released 2024-11-04

• Improve type annotation for TypeConversionDict.get to allow the type
  parameter to be a callable. :issue:2988
• Headers does not inherit from MutableMapping, as it is does not
  exactly match that interface. :issue:2989

v3.1.1

Compare Source

Released 2024-11-01

• Fix an issue that caused str(Request.headers) to always appear empty.
  :issue:2985

v3.1.0

Compare Source

Released 2024-10-31

• Drop support for Python 3.8. :pr:2966

• Remove previously deprecated code. :pr:2967

• Request.max_form_memory_size defaults to 500kB instead of unlimited.
  Non-file form fields over this size will cause a RequestEntityTooLarge
  error. :issue:2964

• OrderedMultiDict and ImmutableOrderedMultiDict are deprecated.
  Use MultiDict and ImmutableMultiDict instead. :issue:2968

• Behavior of properties on request.cache_control and
  response.cache_control has been significantly adjusted.

  • Dict values are always str | None. Setting properties will convert
    the value to a string. Setting a property to False is equivalent to
    setting it to None. Getting typed properties will return None if
    conversion raises ValueError, rather than the string. :issue:2980
  • max_age is None if present without a value, rather than -1.
    :issue:2980
  • no_cache is a boolean for requests, it is True instead of
    "*" when present. It remains a string for responses. :issue:2980
  • max_stale is True if present without a value, rather
    than "*". :issue:2980
  • no_transform is a boolean. Previously it was mistakenly always
    None. :issue:2881
  • min_fresh is None if present without a value, rather than
    "*". :issue:2881
  • private is True if present without a value, rather than "*".
    :issue:2980
  • Added the must_understand property. :issue:2881
  • Added the stale_while_revalidate, and stale_if_error
    properties. :issue:2948
  • Type annotations more accurately reflect the values. :issue:2881

• Support Cookie CHIPS (Partitioned Cookies). :issue:2797

• Add 421 MisdirectedRequest HTTP exception. :issue:2850

• Increase default work factor for PBKDF2 to 1,000,000 iterations.
  :issue:2969

• Inline annotations for datastructures, removing stub files.
  :issue:2970

• MultiDict.getlist catches TypeError in addition to ValueError
  when doing type conversion. :issue:2976

• Implement | and |= operators for MultiDict, Headers, and
  CallbackDict, and disallow |= on immutable types. :issue:2977

v3.0.6

Compare Source

Released 2024-10-25

• Fix how max_form_memory_size is applied when parsing large non-file
  fields. :ghsa:q34m-jh98-gwm2
• safe_join catches certain paths on Windows that were not caught by
  ntpath.isabs on Python < 3.11. :ghsa:f9vj-2wh5-fj8j

v3.0.5

Compare Source

Released 2024-10-24

• The Watchdog reloader ignores file closed no write events. :issue:2945
• Logging works with client addresses containing an IPv6 scope :issue:2952
• Ignore invalid authorization parameters. :issue:2955
• Improve type annotation fore SharedDataMiddleware. :issue:2958
• Compatibility with Python 3.13 when generating debugger pin and the current
  UID does not have an associated name. :issue:2957

v3.0.4

Compare Source

Released 2024-08-21

• Restore behavior where parsing multipart/x-www-form-urlencoded data with
  invalid UTF-8 bytes in the body results in no form data parsed rather than a
  413 error. :issue:2930
• Improve parse_options_header performance when parsing unterminated
  quoted string values. :issue:2904
• Debugger pin auth is synchronized across threads/processes when tracking
  failed entries. :issue:2916
• Dev server handles unexpected SSLEOFError due to issue in Python < 3.13.
  :issue:2926
• Debugger pin auth works when the URL already contains a query string.
  :issue:2918

v3.0.3

Compare Source

Released 2024-05-05

• Only allow localhost, .localhost, 127.0.0.1, or the specified
  hostname when running the dev server, to make debugger requests. Additional
  hosts can be added by using the debugger middleware directly. The debugger
  UI makes requests using the full URL rather than only the path.
  :ghsa:2g68-c3qc-8985
• Make reloader more robust when "" is in sys.path. :pr:2823
• Better TLS cert format with adhoc dev certs. :pr:2891
• Inform Python < 3.12 how to handle itms-services URIs correctly, rather
  than using an overly-broad workaround in Werkzeug that caused some redirect
  URIs to be passed on without encoding. :issue:2828
• Type annotation for Rule.endpoint and other uses of endpoint is
  Any. :issue:2836
• Make reloader more robust when "" is in sys.path. :pr:2823

v3.0.2

Compare Source

Released 2024-04-01

• Ensure setting merge_slashes to False results in NotFound for
  repeated-slash requests against single slash routes. :issue:2834
• Fix handling of TypeError in TypeConversionDict.get() to match
  ValueError. :issue:2843
• Fix response_wrapper type check in test client. :issue:2831
• Make the return type of MultiPartParser.parse more precise.
  :issue:2840
• Raise an error if converter arguments cannot be parsed. :issue:2822

v3.0.1

Compare Source

Released 2023-10-24

• Fix slow multipart parsing for large parts potentially enabling DoS attacks.

v3.0.0

Compare Source

Released 2023-09-30

• Remove previously deprecated code. :pr:2768
• Deprecate the __version__ attribute. Use feature detection, or
  importlib.metadata.version("werkzeug"), instead. :issue:2770
• generate_password_hash uses scrypt by default. :issue:2769
• Add the "werkzeug.profiler" item to the WSGI environ dictionary
  passed to ProfilerMiddleware's filename_format function. It contains
  the elapsed and time values for the profiled request. :issue:2775
• Explicitly marked the PathConverter as non path isolating. :pr:2784

v2.3.8

Compare Source

Released 2023-11-08

• Fix slow multipart parsing for large parts potentially enabling DoS
  attacks.

v2.3.7

Compare Source

Released 2023-08-14

• Use flit_core instead of setuptools as build backend.
• Fix parsing of multipart bodies. :issue:2734
• Adjust index of last newline in data start. :issue:2761
• Parsing ints from header values strips spacing first. :issue:2734
• Fix empty file streaming when testing. :issue:2740
• Clearer error message when URL rule does not start with slash. :pr:2750
• Accept q value can be a float without a decimal part. :issue:2751

v2.3.6

Compare Source

Released 2023-06-08

• FileStorage.content_length does not fail if the form data did not provide a
  value. :issue:2726

v2.3.5

Compare Source

Released 2023-06-07

• Python 3.12 compatibility. :issue:2704
• Fix handling of invalid base64 values in Authorization.from_header. :issue:2717
• The debugger escapes the exception message in the page title. :pr:2719
• When binding routing.Map, a long IDNA server_name with a port does not fail
  encoding. :issue:2700
• iri_to_uri shows a deprecation warning instead of an error when passing bytes.
  :issue:2708
• When parsing numbers in HTTP request headers such as Content-Length, only ASCII
  digits are accepted rather than any format that Python's int and float
  accept. :issue:2716

v2.3.4

Compare Source

Released 2023-05-08

• Authorization.from_header and WWWAuthenticate.from_header detects tokens
  that end with base64 padding (=). :issue:2685
• Remove usage of warnings.catch_warnings. :issue:2690
• Remove max_form_parts restriction from standard form data parsing and only use
  if for multipart content. :pr:2694
• Response will avoid converting the Location header in some cases to preserve
  invalid URL schemes like itms-services. :issue:2691

v2.3.3

Compare Source

Released 2023-05-01

• Fix parsing of large multipart bodies. Remove invalid leading newline, and restore
  parsing speed. :issue:2658, 2675
• The cookie Path attribute is set to / by default again, to prevent clients
  from falling back to RFC 6265's default-path behavior. :issue:2672, 2679

v2.3.2

Compare Source

Released 2023-04-28

• Parse the cookie Expires attribute correctly in the test client. :issue:2669
• max_content_length can only be enforced on streaming requests if the server
  sets wsgi.input_terminated. :issue:2668

v2.3.1

Compare Source

Released 2023-04-27

• Percent-encode plus (+) when building URLs and in test requests. :issue:2657
• Cookie values don't quote characters defined in RFC 6265. :issue:2659
• Include pyi files for datastructures type annotations. :issue:2660
• Authorization and WWWAuthenticate objects can be compared for equality.
  :issue:2665

v2.3.0

Compare Source

Released 2023-04-25

• Drop support for Python 3.7. :pr:2648

• Remove previously deprecated code. :pr:2592

• Passing bytes where strings are expected is deprecated, as well as the charset
  and errors parameters in many places. Anywhere that was annotated, documented,
  or tested to accept bytes shows a warning. Removing this artifact of the transition
  from Python 2 to 3 removes a significant amount of overhead in instance checks and
  encoding cycles. In general, always work with UTF-8, the modern HTML, URL, and HTTP
  standards all strongly recommend this. :issue:2602

• Deprecate the werkzeug.urls module, except for the uri_to_iri and
  iri_to_uri functions. Use the urllib.parse library instead. :issue:2600

• Update which characters are considered safe when using percent encoding in URLs,
  based on the WhatWG URL Standard. :issue:2601

• Update which characters are considered safe when using percent encoding for Unicode
  filenames in downloads. :issue:2598

• Deprecate the safe_conversion parameter of iri_to_uri. The Location
  header is converted to IRI using the same process as everywhere else. :issue:2609

• Deprecate werkzeug.wsgi.make_line_iter and make_chunk_iter. :pr:2613

• Use modern packaging metadata with pyproject.toml instead of setup.cfg.
  :pr:2574

• Request.get_json() will raise a 415 Unsupported Media Type error if the
  Content-Type header is not application/json, instead of a generic 400.
  :issue:2550

• A URL converter's part_isolating defaults to False if its regex contains
  a /. :issue:2582

• A custom converter's regex can have capturing groups without breaking the router.
  :pr:2596

• The reloader can pick up arguments to python like -X dev, and does not
  require heuristics to determine how to reload the command. Only available
  on Python >= 3.10. :issue:2589

• The Watchdog reloader ignores file opened events. Bump the minimum version of
  Watchdog to 2.3.0. :issue:2603

• When using a Unix socket for the development server, the path can start with a dot.
  :issue:2595

• Increase default work factor for PBKDF2 to 600,000 iterations. :issue:2611

• parse_options_header is 2-3 times faster. It conforms to :rfc:9110, some
  invalid parts that were previously accepted are now ignored. :issue:1628

• The is_filename parameter to unquote_header_value is deprecated. :pr:2614

• Deprecate the extra_chars parameter and passing bytes to quote_header_value,
  the allow_token parameter to dump_header, and the cls parameter and
  passing bytes to parse_dict_header. :pr:2618

• Improve parse_accept_header implementation. Parse according to :rfc:9110.
  Discard items with invalid q values. :issue:1623

• quote_header_value quotes the empty string. :pr:2618

• dump_options_header skips None values rather than using a bare key.
  :pr:2618

• dump_header and dump_options_header will not quote a value if the key ends
  with an asterisk *.

• parse_dict_header will decode values with charsets. :pr:2618

• Refactor the Authorization and WWWAuthenticate header data structures.
  :issue:1769, :pr:2619

  • Both classes have type, parameters, and token attributes. The
    token attribute supports auth schemes that use a single opaque token rather
    than key=value parameters, such as Bearer.
  • Neither class is a dict anymore, although they still implement getting,
    setting, and deleting auth[key] and auth.key syntax, as well as
    auth.get(key) and key in auth.
  • Both classes have a from_header class method. parse_authorization_header
    and parse_www_authenticate_header are deprecated.
  • The methods WWWAuthenticate.set_basic and set_digest are deprecated.
    Instead, an instance should be created and assigned to
    response.www_authenticate.
  • A list of instances can be assigned to response.www_authenticate to set
    multiple header values. However, accessing the property only returns the first
    instance.

• Refactor parse_cookie and dump_cookie. :pr:2637

  • parse_cookie is up to 40% faster, dump_cookie is up to 60% faster.
  • Passing bytes to parse_cookie and dump_cookie is deprecated. The
    dump_cookie charset parameter is deprecated.
  • dump_cookie allows domain values that do not include a dot ., and
    strips off a leading dot.
  • dump_cookie does not set path="/" unnecessarily by default.

• Refactor the test client cookie implementation. :issue:1060, 1680

  • The cookie_jar attribute is deprecated. http.cookiejar is no longer used
    for storage.
  • Domain and path matching is used when sending cookies in requests. The
    domain and path parameters default to localhost and /.
  • Added a get_cookie method to inspect cookies.
  • Cookies have decoded_key and decoded_value attributes to match what the
    app sees rather than the encoded values a client would see.
  • The first positional server_name parameter to set_cookie and
    delete_cookie is deprecated. Use the domain parameter instead.
  • Other parameters to delete_cookie besides domain, path, and
    value are deprecated.

• If request.max_content_length is set, it is checked immediately when accessing
  the stream, and while reading from the stream in general, rather than only during
  form parsing. :issue:1513

• The development server, which must not be used in production, will exhaust the
  request stream up to 10GB or 1000 reads. This allows clients to see a 413 error if
  max_content_length is exceeded, instead of a "connection reset" failure.
  :pr:2620

• The development server discards header keys that contain underscores _, as they
  are ambiguous with dashes - in WSGI. :pr:2622

• secure_filename looks for more Windows reserved file names. :pr:2623

• Update type annotation for best_match to make default parameter clearer.
  :issue:2625

• Multipart parser handles empty fields correctly. :issue:2632

• The Map charset parameter and Request.url_charset property are
  deprecated. Percent encoding in URLs must always represent UTF-8 bytes. Invalid
  bytes are left percent encoded rather than replaced. :issue:2602

• The Request.charset, Request.encoding_errors, Response.charset, and
  Client.charset attributes are deprecated. Request and response data must always
  use UTF-8. :issue:2602

• Header values that have charset information only allow ASCII, UTF-8, and ISO-8859-1.
  :pr:2614, 2641

• Update type annotation for ProfilerMiddleware stream parameter.
  :issue:2642

• Use postponed evaluation of annotations. :pr:2644

• The development server escapes ASCII control characters in decoded URLs before
  logging the request to the terminal. :pr:2652

• The FormDataParser parse_functions attribute and get_parse_func method,
  and the invalid application/x-url-encoded content type, are deprecated.
  :pr:2653

• generate_password_hash supports scrypt. Plain hash methods are deprecated, only
  scrypt and pbkdf2 are supported. :issue:2654

v2.2.3

Compare Source

Released 2023-02-14

• Ensure that URL rules using path converters will redirect with strict slashes when
  the trailing slash is missing. :issue:2533
• Type signature for get_json specifies that return type is not optional when
  silent=False. :issue:2508
• parse_content_range_header returns None for a value like bytes */-1
  where the length is invalid, instead of raising an AssertionError. :issue:2531
• Address remaining ResourceWarning related to the socket used by run_simple.
  Remove prepare_socket, which now happens when creating the server. :issue:2421
• Update pre-existing headers for multipart/form-data requests with the test
  client. :issue:2549
• Fix handling of header extended parameters such that they are no longer quoted.
  :issue:2529
• LimitedStream.read works correctly when wrapping a stream that may not return
  the requested size in one read call. :issue:2558
• A cookie header that starts with = is treated as an empty key and discarded,
  rather than stripping the leading ==.
• Specify a maximum number of multipart parts, default 1000, after which a
  RequestEntityTooLarge exception is raised on parsing. This mitigates a DoS
  attack where a larger number of form/file parts would result in disproportionate
  resource use.

v2.2.2

Compare Source

Released 2022-08-08

• Fix router to restore the 2.1 strict_slashes == False behaviour
  whereby leaf-requests match branch rules and vice
  versa. :pr:2489
• Fix router to identify invalid rules rather than hang parsing them,
  and to correctly parse / within converter arguments. :pr:2489
• Update subpackage imports in :mod:werkzeug.routing to use the
  import as syntax for explicitly re-exporting public attributes.
  :pr:2493
• Parsing of some invalid header characters is more robust. :pr:2494
• When starting the development server, a warning not to use it in a
  production deployment is always shown. :issue:2480
• LocalProxy.__wrapped__ is always set to the wrapped object when
  the proxy is unbound, fixing an issue in doctest that would cause it
  to fail. :issue:2485
• Address one ResourceWarning related to the socket used by
  run_simple. :issue:2421

v2.2.1

Compare Source

Released 2022-07-27

• Fix router so that /path/ will match a rule /path if strict
  slashes mode is disabled for the rule. :issue:2467
• Fix router so that partial part matches are not allowed
  i.e. /2df does not match /<int>. :pr:2470
• Fix router static part weighting, so that simpler routes are matched
  before more complex ones. :issue:2471
• Restore ValidationError to be importable from
  werkzeug.routing. :issue:2465

v2.2.0

Compare Source

Released 2022-07-23

• Deprecated get_script_name, get_query_string,
  peek_path_info, pop_path_info, and
  extract_path_info. :pr:2461
• Remove previously deprecated code. :pr:2461
• Add MarkupSafe as a dependency and use it to escape values when
  rendering HTML. :issue:2419
• Added the werkzeug.debug.preserve_context mechanism for
  restoring context-local data for a request when running code in the
  debug console. :pr:2439
• Fix compatibility with Python 3.11 by ensuring that end_lineno
  and end_col_offset are present on AST nodes. :issue:2425
• Add a new faster URL matching router based on a state machine. If a custom converter
  needs to match a / it must set the class variable part_isolating = False.
  :pr:2433
• Fix branch leaf path masking branch paths when strict-slashes is
  disabled. :issue:1074
• Names within options headers are always converted to lowercase. This
  matches :rfc:6266 that the case is not relevant. :issue:2442
• AnyConverter validates the value passed for it when building
  URLs. :issue:2388
• The debugger shows enhanced error locations in tracebacks in Python
  3.11. :issue:2407
• Added Sans-IO is_resource_modified and parse_cookie functions
  based on WSGI versions. :issue:2408
• Added Sans-IO get_content_length function. :pr:2415
• Don't assume a mimetype for test responses. :issue:2450
• Type checking FileStorage accepts os.PathLike. :pr:2418

v2.1.2

Compare Source

Released 2022-04-28

• The development server does not set Transfer-Encoding: chunked
  for 1xx, 204, 304, and HEAD responses. :issue:2375
• Response HTML for exceptions and redirects starts with
  <!doctype html> and <html lang=en>. :issue:2390
• Fix ability to set some cache_control attributes to False.
  :issue:2379
• Disable keep-alive connections in the development server, which
  are not supported sufficiently by Python's http.server.
  :issue:2397

v2.1.1

Compare Source

Released 2022-04-01

• ResponseCacheControl.s_maxage converts its value to an int, like
  max_age. :issue:2364

v2.1.0

Compare Source

Released 2022-03-28

• Drop support for Python 3.6. :pr:2277

• Using gevent or eventlet requires greenlet>=1.0 or PyPy>=7.3.7.
  werkzeug.locals and contextvars will not work correctly with
  older versions. :pr:2278

• Remove previously deprecated code. :pr:2276

  • Remove the non-standard shutdown function from the WSGI
    environ when running the development server. See the docs for
    alternatives.
  • Request and response mixins have all been merged into the
    Request and Response classes.
  • The user agent parser and the useragents module is removed.
    The user_agent module provides an interface that can be
    subclassed to add a parser, such as ua-parser. By default it
    only stores the whole string.
  • The test client returns TestResponse instances and can no
    longer be treated as a tuple. All data is available as
    properties on the response.
  • Remove locals.get_ident and related thread-local code from
    locals, it no longer makes sense when moving to a
    contextvars-based implementation.
  • Remove the python -m werkzeug.serving CLI.
  • The has_key method on some mapping datastructures; use
    key in data instead.
  • Request.disable_data_descriptor is removed, pass
    shallow=True instead.
  • Remove the no_etag parameter from Response.freeze().
  • Remove the HTTPException.wrap class method.
  • Remove the cookie_date function. Use http_date instead.
  • Remove the pbkdf2_hex, pbkdf2_bin, and safe_str_cmp
    functions. Use equivalents in hashlib and hmac modules
    instead.
  • Remove the Href class.
  • Remove the HTMLBuilder class.
  • Remove the invalidate_cached_property function. Use
    del obj.attr instead.
  • Remove bind_arguments and validate_arguments. Use
    :meth:Signature.bind and :func:inspect.signature instead.
  • Remove detect_utf_encoding, it's built-in to json.loads.
  • Remove format_string, use :class:string.Template instead.
  • Remove escape and unescape. Use MarkupSafe instead.

• The multiple parameter of parse_options_header is
  deprecated. :pr:2357

• Rely on :pep:538 and :pep:540 to handle decoding file names
  with the correct filesystem encoding. The filesystem module is
  removed. :issue:1760

• Default values passed to Headers are validated the same way
  values added later are. :issue:1608

• Setting CacheControl int properties, such as max_age, will
  convert the value to an int. :issue:2230

• Always use socket.fromfd when restarting the dev server.
  :pr:2287

• When passing a dict of URL values to Map.build, list values do
  not filter out None or collapse to a single value. Passing a
  MultiDict does collapse single items. This undoes a previous
  change that made it difficult to pass a list, or None values in
  a list, to custom URL converters. :issue:2249

• run_simple shows instructions for dealing with "address already
  in use" errors, including extra instructions for macOS. :pr:2321

• Extend list of characters considered always safe in URLs based on
  :rfc:3986. :issue:2319

• Optimize the stat reloader to avoid watching unnecessary files in
  more cases. The watchdog reloader is still recommended for
  performance and accuracy. :issue:2141

• The development server uses Transfer-Encoding: chunked for
  streaming responses when it is configured for HTTP/1.1.
  :issue:2090, 1327, :pr:2091

• The development server uses HTTP/1.1, which enables keep-alive
  connections and chunked streaming responses, when threaded or
  processes is enabled. :pr:2323

• cached_property works for classes with __slots__ if a
  corresponding _cache_{name} slot is added. :pr:2332

• Refactor the debugger traceback formatter to use Python's built-in
  traceback module as much as possible. :issue:1753

• The TestResponse.text property is a shortcut for
  r.get_data(as_text=True), for convenient testing against text
  instead of bytes. :pr:2337

• safe_join ensures that the path remains relative if the trusted
  directory is the empty string. :pr:2349

• Percent-encoded newlines (%0a), which are decoded by WSGI
  servers, are considered when routing instead of terminating the
  match early. :pr:2350

• The test client doesn't set duplicate headers for CONTENT_LENGTH
  and CONTENT_TYPE. :pr:2348

• append_slash_redirect handles PATH_INFO with internal
  slashes. :issue:1972, :pr:2338

• The default status code for append_slash_redirect is 308 instead
  of 301. This preserves the request body, and matches a previous
  change to strict_slashes in routing. :issue:2351

• Fix ValueError: I/O operation on closed file. with the test
  client when following more than one redirect. :issue:2353

• Response.autocorrect_location_header is disabled by default.
  The Location header URL will remain relative, and exclude the
  scheme and domain, by default. :issue:2352

• Request.get_json() will raise a 400 BadRequest error if the
  Content-Type header is not application/json. This makes a
  very common source of confusion more visible. :issue:2339

v2.0.3

Compare Source

Released 2022-02-07

• ProxyFix supports IPv6 addresses. :issue:2262
• Type annotation for Response.make_conditional,
  HTTPException.get_response, and Map.bind_to_environ accepts
  Request in addition to WSGIEnvironment for the first
  parameter. :pr:2290
• Fix type annotation for Request.user_agent_class. :issue:2273
• Accessing LocalProxy.__class__ and __doc__ on an unbound
  proxy returns the fallback value instead of a method object.
  :issue:2188
• Redirects with the test client set RAW_URI and REQUEST_URI
  correctly. :issue:2151

v2.0.2

Compare Source

Released 2021-10-05

• Handle multiple tokens in Connection header when routing
  WebSocket requests. :issue:2131
• Set the debugger pin cookie secure flag when on https. :pr:2150
• Fix type annotation for MultiDict.update to accept iterable
  values :pr:2142
• Prevent double encoding of redirect URL when merge_slash=True
  for Rule.match. :issue:2157
• CombinedMultiDict.to_dict with flat=False considers all
  component dicts when building value lists. :issue:2189
• send_file only sets a detected Content-Encoding if
  as_attachment is disabled to avoid browsers saving
  decompressed .tar.gz files. :issue:2149
• Fix type annotations for TypeConversionDict.get to not return an
  Optional value if both default and type are not
  None. :issue:2169
• Fix type annotation for routing rule factories to accept
  Iterable[RuleFactory] instead of Iterable[Rule] for the
  rules parameter. :issue:2183
• Add missing type annotation for FileStorage.__getattr__
  :issue:2155
• The debugger pin cookie is set with SameSite set to Strict
  instead of None to be compatible with modern browser security.
  :issue:2156
• Type annotations use IO[bytes] and IO[str] instead of
  BinaryIO and TextIO for wider type compatibility.
  :issue:2130
• Ad-hoc TLS certs are generated with SAN matching CN. :issue:2158
• Fix memory usage for locals when using Python 3.6 or pre 0.4.17
  greenlet versions. :pr:2212
• Fix type annotation in CallbackDict, because it is not
  utilizing a bound TypeVar. :issue:2235
• Fix setting CSP header options on the response. :pr:2237
• Fix an issue with with the interactive debugger where lines would
  not expand on click for very long tracebacks. :pr:2239
• The interactive debugger handles displaying an exception that does
  not have a traceback, such as from ProcessPoolExecutor.
  :issue:2217

v2.0.1

Compare Source

Released 2021-05-17

• Fix type annotation for send_file max_age callable. Don't
  pass pathlib.Path to max_age. :issue:2119
• Mark top-level names as exported so type checking understands
  imports in user projects. :issue:2122
• Fix some types that weren't available in Python 3.6.0. :issue:2123
• cached_property is generic over its return type, properties
  decorated with it report the correct type. :issue:2113
• Fix multipart parsing bug when boundary contains special regex
  characters. :issue:2125
• Type checking understands that calling headers.get with a string
  default will always return a string. :issue:2128
• If HTTPException.description is not a string,
  get_description will convert it to a string. :issue:2115

v2.0.0

Compare Source

Released 2021-05-11

• Drop support for Python 2 and 3.5. :pr:1693
• Deprecate :func:utils.format_string, use :class:string.Template
  instead. :issue:1756
• Deprecate :func:utils.bind_arguments and
  :func:utils.validate_arguments, use :meth:Signature.bind and
  :func:inspect.signature instead. :issue:1757
• Deprecate :class:utils.HTMLBuilder. :issue:1761
• Deprecate :func:utils.escape and :func:utils.unescape, use
  MarkupSafe instead. :issue:1758
• Deprecate the undocumented python -m werkzeug.serving CLI.
  :issue:1834
• Deprecate the environ["werkzeug.server.shutdown"] function
  that is available when running the development server. :issue:1752
• Deprecate the useragents module and the built-in user agent
  parser. Use a dedicated parser library instead by subclassing
  user_agent.UserAgent and setting Request.user_agent_class.
  :issue:2078
• Remove the unused, internal posixemulation module. :issue:1759
• All datetime values are timezone-aware with
  tzinfo=timezone.utc. This applies to anything using
  http.parse_date: Request.date, .if_modified_since,
  .if_unmodified_since; Response.date, .expires,
  .last_modified, .retry_after; parse_if_range_header, and
  IfRange.date. When comparing values, the other values must also
  be aware, or these values must be made naive. When passing
  parameters or setting attributes, naive values are still assumed to
  be in UTC. :pr:2040
• Merge all request and response wrapper mixin code into single
  Request and Response classes. Using the mixin classes is no
  longer necessary and will show a deprecation warning. Checking
  isinstance or issubclass against BaseRequest and
  BaseResponse will show a deprecation warning and check against
  Request or Response instead. :issue:1963
• JSON support no longer uses simplejson if it's installed. To use
  another JSON module, override Request.json_module and
  Response.json_module. :pr:1766
• Response.get_json() no longer caches the result, and the
  cache parameter is removed. :issue:1698
• Response.freeze() generates an ETag header if one is not
  set. The no_etag parameter (which usually wasn't visible
  anyway) is no longer used. :issue:1963
• Add a url_scheme argument to :meth:~routing.MapAdapter.build
  to override the bound scheme. :pr:1721
• Passing an empty list as a query string parameter to build()
  won't append an unnecessary ?. Also drop any number of None
  items in a list. :issue:1992
• When passing a Headers object to a test client method or
  EnvironBuilder, multiple values for a key are joined into one
  comma separated value. This matches the HTTP spec on multi-value
  headers. :issue:1655
• Setting Response.status and status_code uses identical
  parsing and error checking. :issue:1658, :pr:1728
• MethodNotAllowed and RequestedRangeNotSatisfiable take a
  response kwarg, consistent with other HTTP errors. :pr:1748
• The response generated by :exc:~exceptions.Unauthorized produces
  one WWW-Authenticate header per value in www_authenticate,
  rather than joining them into a single value, to improve
  interoperability with browsers and other clients. :pr:1755
• If parse_authorization_header can't decode the header value, it
  returns None instead of raising a UnicodeDecodeError.
  :issue:1816
• The debugger no longer uses jQuery. :issue:1807
• The test client includes the query string in REQUEST_URI and
  RAW_URI. :issue:1781
• Switch the parameter order of default_stream_factory to match
  the order used when calling it. :pr:1085
• Add send_file function to generate a response that serves a
  file. Adapted from Flask's implementation. :issue:265, :pr:1850
• Add send_from_directory function to safely serve an untrusted
  path within a trusted directory. Adapted from Flask's
  implementation. :issue:1880
• send_file takes download_name, which is passed even if
  as_attachment=False by using Content-Disposition: inline.
  download_name replaces Flask's attachment_filename.
  :issue:1869
• send_file sets conditional=True and max_age=None by
  default. Cache-Control is set to no-cache if max_age is
  not set, otherwise public. This tells browsers to validate
  conditional requests instead of using a timed cache.
  max_age=None replaces Flask's cache_timeout=43200.
  :issue:1882
• send_file can be called with etag="string" to set a custom
  ETag instead of generating one. etag replaces Flask's
  add_etags. :issue:1868
• send_file sets the Content-Encoding header if an encoding is
  returned when guessing mimetype from download_name.
  :pr:3896
• Update the defaults used by generate_password_hash. Increase
  PBKDF2 iterations to 260000 from 150000. Increase salt length to 16
  from 8. Use secrets module to generate salt. :pr:1935
• The reloader doesn't crash if sys.stdin is somehow None.
  :pr:1915
• Add arguments to delete_cookie to match set_cookie and the
  attributes modern browsers expect. :pr:1889
• utils.cookie_date is deprecated, use utils.http_date
  instead. The value for Set-Cookie expires is no longer "-"
  delimited. :pr:2040
• Use request.headers instead of request.environ to look up
  header attributes. :pr:1808
• The test Client request methods (client.get, etc.) always
  return an instance of TestResponse. In addition to the normal
  behavior of Response, this class provides request with the
  request that produced the response, and history to track
  intermediate responses when follow_redirects is used.
  :issue:763, 1894
• The test Client request methods takes an auth parameter to
  add an Authorization header. It can be an Authorization
  object or a (username, password) tuple for Basic auth.
  :pr:1809
• Calling response.close() on a response from the test Client
  will close the request input stream. This matches file behavior
  and can prevent a ResourceWarning in some cases. :issue:1785
• EnvironBuilder.from_environ decodes values encoded for WSGI, to
  avoid double encoding the new values. :pr:1959
• The default stat reloader will watch Python files under
  non-system/virtualenv sys.path entries, which should contain
  most user code. It will also watch all Python files under
  directories given in extra_files. :pr:1945
• The reloader ignores __pycache__ directories again. :pr:1945
• run_simple takes exclude_patterns a list of fnmatch
  patterns that will not be scanned by the reloader. :issue:1333
• Cookie names are no longer unquoted. This was against :rfc:6265
  and potentially allowed setting __Secure prefixed cookies.
  :pr:1965
• Fix some word matches for user agent platform when the word can be a
  substring. :issue:1923
• The development server logs ignored SSL errors. :pr:1967
• Temporary files for form data are opened in rb+ instead of
  wb+ mode for better compatibility with some libraries.
  :issue:1961
• Use SHA-1 instead of MD5 for generating ETags and the debugger pin,
  and in some tests. MD5 is not available in some environments, such
  as FIPS 140. This may invalidate some caches since the ETag will be
  different. :issue:1897
• Add Cross-Origin-Opener-Policy and
  Cross-Origin-Embedder-Policy response header properties.
  :pr:2008
• run_simple tries to show a valid IP address when binding to all
  addresses, instead of 0.0.0.0 or ::. It also warns about not
  running the development server in production in this case.
  :issue:1964
• Colors in the development server log are displayed if Colorama is
  installed on Windows. For all platforms, style support no longer
  requires Click. :issue:1832
• A range request for an empty file (or other data with length 0) will
  return a 200 response with the empty file instead of a 416 error.
  :issue:1937
• New sans-IO base classes for Request and Response have been
  extracted to contain all the behavior that is not WSGI or IO
  dependent. These are not a public API, they are part of an ongoing
  refactor to let ASGI frameworks use Werkzeug. :pr:2005
• Parsing multipart/form-data has been refactored to use sans-io
  patterns. This should also make parsing forms with large binary file
  uploads significantly faster. :issue:1788, 875
• LocalProxy matches the current Python data model special
  methods, including all r-ops, in-place ops, and async. __class__
  is proxied, so the proxy will look like the object in more cases,
  including isinstance. Use issubclass(type(obj), LocalProxy)
  to check if an object is actually a proxy. :issue:1754
• Local uses ContextVar on Python 3.7+ instead of
  threading.local. :pr:1778
• request.values does not include form for GET requests (even
  though GET bodies are undefined). This prevents bad caching proxies
  from caching form data instead of query strings. :pr:2037
• The development server adds the underlying socket to environ as
  werkzeug.socket. This is non-standard and specific to the dev
  server, other servers may expose this under their own key. It is
  useful for handling a WebSocket upgrade request. :issue:2052
• URL matching assumes websocket=True mode for WebSocket upgrade
  requests. :issue:2052
• Updated UserAgentParser to handle more cases. :issue:1971
• werzeug.DechunkedInput.readinto will not read beyond the size of
  the buffer. :issue:2021
• Fix connection reset when exceeding max content size. :pr:2051
• pbkdf2_hex, pbkdf2_bin, and safe_str_cmp are deprecated.
  hashlib and hmac provide equivalents. :pr:2083
• invalidate_cached_property is deprecated. Use del obj.name
  instead. :pr:2084
• Href is deprecated. Use werkzeug.routing instead.
  :pr:2085
• Request.disable_data_descriptor is deprecated. Create the
  request with shallow=True instead. :pr:2085
• HTTPException.wrap is deprecated. Create a subclass manually
  instead. :pr:2085

v1.0.1

Compare Source

Released 2020-03-31

• Make the argument to RequestRedirect.get_response optional.
  :issue:1718
• Only allow a single access control allow origin value. :pr:1723
• Fix crash when trying to parse a non-existent Content Security
  Policy header. :pr:1731
• http_date zero fills years < 1000 to always output four digits.
  :issue:1739
• Fix missing local variables in interactive debugger console.
  :issue:1746
• Fix passing file-like objects like io.BytesIO to
  FileStorage.save. :issue:1733

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.