Improvements:
* Template::Plugin::CGI removed to be used as a separate distro.
(Sawyer X)
* Avoid anonymous hash warnings starting with Perl 5.35.2 (Graham Ollis)
* Use Data::Dumper as an object. (Justin Wheeler)
* ttree: Rename --assets to --copy_dir. (Johan Vromans)
* ttree: Implement assets directories. (Johan Vromans)
Bug Fixes:
* Fix breakage when VMethods is loaded before Stash. (Felipe Gasper)
* Fix unicode issues in Plugin::Date (Nicolas R)
* Use "defined" instead of "//" because the latter is not available in
Perl v5.8. (Louis Strous)
* Fix FILTER redirect not honoring binmode (Louis Strous)
Tests:
* Fix t/zz-plugin-cycle.t errors (Nicolas R)
* Test for Dumper global vars. (Justin Wheeler)
* Remove unused _dump code (Nicolas R)
* Fixed tests failing on MacOS Catalina due to Dynaloader and relative
paths (Andy Wardley)
Documentation:
* Update README.md (philip r brenan)
* Add support group to README and Template.pm. (Johan Vromans)
* Make the process() documentation clearer. (Dave Cross)
Changelog:
Fixed
* Fixed menu shortcuts for users of the JAWS screen reader.
* Fixed an occasional non-overridable certificate error when accessing device
configuration pages.
* Fixed an issue with Picture-in-Picture displaying in fullscreen on macOS.
The package changed with the addition of its libepoll-shim dependency.
Otherwise, we can get:
ERROR: libepoll-shim>=0.0.20210418 is not installed; can't buildlink files.
Mozilla Foundation Security Advisory 2022-29
Security Vulnerabilities fixed in Firefox ESR 91.12
#CVE-2022-36319: Mouse Position spoofing with CSS transforms
#CVE-2022-36318: Directory indexes for bundled resources reflected URL
parameters
Version 2.2.2
-------------
- Update Werkzeug dependency to >= 2.2.2. This includes fixes related
to the new faster router, header parsing, and the development
server. :pr:`4754`
- Fix the default value for ``app.env`` to be ``"production"``. This
attribute remains deprecated. :issue:`4740`
Version 2.2.2
-------------
- Fix router to restore the 2.1 ``strict_slashes == False`` behaviour
whereby leaf-requests match branch rules and vice
versa. :pr:`2489`
- Fix router to identify invalid rules rather than hang parsing them,
and to correctly parse ``/`` within converter arguments. :pr:`2489`
- Update subpackage imports in :mod:`werkzeug.routing` to use the
``import as`` syntax for explicitly re-exporting public attributes.
:pr:`2493`
- Parsing of some invalid header characters is more robust. :pr:`2494`
- When starting the development server, a warning not to use it in a
production deployment is always shown. :issue:`2480`
- ``LocalProxy.__wrapped__`` is always set to the wrapped object when
the proxy is unbound, fixing an issue in doctest that would cause it
to fail. :issue:`2485`
- Address one ``ResourceWarning`` related to the socket used by
``run_simple``. :issue:`2421`
Changes:
2.36.6
======
- Fix handling of touchpad scrolling on GTK4 builds.
- Fix WebKitGTK not allowing to be used from non-main threads.
- Fix several crashes and rendering issues.
do the automagic inside pre-patch. Also handle aarch64.
Require SSE2. It's probably not reasonable to patch -msse2 in everywhere,
and upstream has required SSE2 on x86 for years.
Version 2.2.1
-------------
- Setting or accessing ``json_encoder`` or ``json_decoder`` raises a
deprecation warning.
Version 2.2.0
-------------
- Remove previously deprecated code.
- Old names for some ``send_file`` parameters have been removed.
``download_name`` replaces ``attachment_filename``, ``max_age``
replaces ``cache_timeout``, and ``etag`` replaces ``add_etags``.
Additionally, ``path`` replaces ``filename`` in
``send_from_directory``.
- The ``RequestContext.g`` property returning ``AppContext.g`` is
removed.
- Update Werkzeug dependency to >= 2.2.
- The app and request contexts are managed using Python context vars
directly rather than Werkzeug's ``LocalStack``. This should result
in better performance and memory use.
- Extension maintainers, be aware that ``_app_ctx_stack.top``
and ``_request_ctx_stack.top`` are deprecated. Store data on
``g`` instead using a unique prefix, like
``g._extension_name_attr``.
- The ``FLASK_ENV`` environment variable and ``app.env`` attribute are
deprecated, removing the distinction between development and debug
mode. Debug mode should be controlled directly using the ``--debug``
option or ``app.run(debug=True)``.
- Some attributes that proxied config keys on ``app`` are deprecated:
``session_cookie_name``, ``send_file_max_age_default``,
``use_x_sendfile``, ``propagate_exceptions``, and
``templates_auto_reload``. Use the relevant config keys instead.
- Add new customization points to the ``Flask`` app object for many
previously global behaviors.
- ``flask.url_for`` will call ``app.url_for``.
- ``flask.abort`` will call ``app.aborter``.
``Flask.aborter_class`` and ``Flask.make_aborter`` can be used
to customize this aborter.
- ``flask.redirect`` will call ``app.redirect``.
- ``flask.json`` is an instance of ``JSONProvider``. A different
provider can be set to use a different JSON library.
``flask.jsonify`` will call ``app.json.response``, other
functions in ``flask.json`` will call corresponding functions in
``app.json``.
- JSON configuration is moved to attributes on the default
``app.json`` provider. ``JSON_AS_ASCII``, ``JSON_SORT_KEYS``,
``JSONIFY_MIMETYPE``, and ``JSONIFY_PRETTYPRINT_REGULAR`` are
deprecated.
- Setting custom ``json_encoder`` and ``json_decoder`` classes on the
app or a blueprint, and the corresponding ``json.JSONEncoder`` and
``JSONDecoder`` classes, are deprecated. JSON behavior can now be
overridden using the ``app.json`` provider interface.
- ``json.htmlsafe_dumps`` and ``json.htmlsafe_dump`` are deprecated,
the function is built-in to Jinja now.
- Refactor ``register_error_handler`` to consolidate error checking.
Rewrite some error messages to be more consistent.
- Using Blueprint decorators and functions intended for setup after
registering the blueprint will show a warning. In the next version,
this will become an error just like the application setup methods.
- ``before_first_request`` is deprecated. Run setup code when creating
the application instead.
- Added the ``View.init_every_request`` class attribute. If a view
subclass sets this to ``False``, the view will not create a new
instance on every request.
- A ``flask.cli.FlaskGroup`` Click group can be nested as a
sub-command in a custom CLI.
- Add ``--app`` and ``--debug`` options to the ``flask`` CLI, instead
of requiring that they are set through environment variables.
- Add ``--env-file`` option to the ``flask`` CLI. This allows
specifying a dotenv file to load in addition to ``.env`` and
``.flaskenv``.
- It is no longer required to decorate custom CLI commands on
``app.cli`` or ``blueprint.cli`` with ``@with_appcontext``, an app
context will already be active at that point.
- ``SessionInterface.get_expiration_time`` uses a timezone-aware
value.
- View functions can return generators directly instead of wrapping
them in a ``Response``.
- Add ``stream_template`` and ``stream_template_string`` functions to
render a template as a stream of pieces.
- A new implementation of context preservation during debugging and
testing.
- ``request``, ``g``, and other context-locals point to the
correct data when running code in the interactive debugger
console.
- Teardown functions are always run at the end of the request,
even if the context is preserved. They are also run after the
preserved context is popped.
- ``stream_with_context`` preserves context separately from a
``with client`` block. It will be cleaned up when
``response.get_data()`` or ``response.close()`` is called.
- Allow returning a list from a view function, to convert it to a
JSON response like a dict is.
- When type checking, allow ``TypedDict`` to be returned from view
functions.
- Remove the ``--eager-loading/--lazy-loading`` options from the
``flask run`` command. The app is always eager loaded the first
time, then lazily loaded in the reloader. The reloader always prints
errors immediately but continues serving. Remove the internal
``DispatchingApp`` middleware used by the previous implementation.
Version 2.2.1
-------------
- Fix router so that ``/path/`` will match a rule ``/path`` if strict
slashes mode is disabled for the rule.
- Fix router so that partial part matches are not allowed
i.e. ``/2df`` does not match ``/<int>``.
- Fix router static part weighting, so that simpler routes are matched
before more complex ones.
- Restore ``ValidationError`` to be importable from
``werkzeug.routing``.
Version 2.2.0
-------------
- Deprecated ``get_script_name``, ``get_query_string``,
``peek_path_info``, ``pop_path_info``, and
``extract_path_info``.
- Remove previously deprecated code.
- Add MarkupSafe as a dependency and use it to escape values when
rendering HTML.
- Added the ``werkzeug.debug.preserve_context`` mechanism for
restoring context-local data for a request when running code in the
debug console.
- Fix compatibility with Python 3.11 by ensuring that ``end_lineno``
and ``end_col_offset`` are present on AST nodes.
- Add a new faster matching router based on a state
machine.
- Names within options headers are always converted to lowercase. This
matches :rfc:`6266` that the case is not relevant.
- ``AnyConverter`` validates the value passed for it when building
URLs.
- The debugger shows enhanced error locations in tracebacks in Python
3.11.
- Added Sans-IO ``is_resource_modified`` and ``parse_cookie`` functions
based on WSGI versions.
- Added Sans-IO ``get_content_length`` function.
- Don't assume a mimetype for test responses.
- Type checking ``FileStorage`` accepts ``os.PathLike``.
Security Vulnerabilities fixed in Firefox ESR 102.1
#CVE-2022-36319: Mouse Position spoofing with CSS transforms
#CVE-2022-36318: Directory indexes for bundled resources reflected URL
parameters
#CVE-2022-36314: Opening local .lnk files could cause
unexpected network loads
#CVE-2022-2505: Memory safety bugs fixed in Firefox 103 and 102.1
Firefox that functioned on NetBSD 8, but it's now so far gone, many
dependencies of this aren't compiling with the old toolchain and
userspace... Users of platforms like NetBSD 8 might have an easier
time using arcticfox instead.
Changelog:
103.0.1:
New
* Enabled hardware acceleration on newer AMD cards.
Fixed
* Fixed a crash on Firefox shutdown caused by a bug in the audio manager.
103.0:
New
* Improved responsiveness on macOS during periods of high CPU load by
switching to a modern lock API.
* Do you always forget something? Required fields are now highlighted in PDF
forms.
* Improved performance on high-refresh rate monitors (120Hz+).
* Enjoying Picture-in-Picture subtitles feature? It just got better: you can
now change subtitles font size directly from the PiP window. Additionally,
PiP subtitles are now available at Funimation, Dailymotion, Tubi, Hotstar,
and SonyLIV.
* Buttons in the Tabs toolbar can now be reached with Tab, Shift+Tab, and
Arrow keys. View this article for additional details.
* Windows' "Make text bigger" accessibility setting now affects all the UI
and content pages, rather than only applying to system font sizes.
* Rejoice! You can now conveniently access Firefox, which will now be pinned
to the Windows taskbar during installation on Windows 10 and 11. (This will
also allow for Firefox to be launched quicker after installing.)
Fixed
* Non-breaking spaces are now preserved --- preventing automatic line
breaks --- when copying text from a form control.
* Fixed WebGL performance issues on NVIDIA binary drivers via DMA-Buf on
Linux.
* Fixed an issue in which Firefox startup could be significantly slowed down
by the processing of Web content local storage. This had the greatest
impact on users with platter hard drives and significant local storage.
* Various security fixes.
Changed
* Removed a configuration option to allow SHA-1 signatures in certificates:
SHA-1 signatures in certificates --- long since determined to no longer be
secure enough --- are now not supported.
Security fixes:
#CVE-2022-36319: Mouse Position spoofing with CSS transforms
#CVE-2022-36318: Directory indexes for bundled resources reflected URL
parameters
#CVE-2022-36314: Opening local .lnk files could cause unexpected
network loads
#CVE-2022-36315: Preload Cache Bypasses Subresource Integrity
#CVE-2022-36316: Performance API leaked whether a cross-site resource is
redirecting
#CVE-2022-2505: Memory safety bugs fixed in Firefox 103 and 102.1
What's Changed
Exciting New Features
Add toc position setting by @Builditluc in #65
Add more toc settings by @Builditluc in #66
Bug Fixes
Fix toc not having scrollbars by @Builditluc in #64
Fix Word Spacing by @Builditluc in #68
Fix the crash that occurs when no links or headers exist by @Builditluc in #70
Breaking Changes
Move Parser Configuration into a Feature Option by @Builditluc in #63
Exciting New Features
Add option to change the keybindings via configuration by @Builditluc in #38
Add AUR install option by @ThomasFrans in #42
Add a desktop-entry for packaging by @ThomasFrans in #44
Add checksums for the release assets by @Builditluc in #59
Bug Fixes
Fix Header Selection by @Builditluc in #41
Fix Keybinding Crash by @Builditluc in #46
Add missing element after line split by @ThomasFrans in #48
Disable stdout logging for release builds by @ThomasFrans in #47
Fix publish action in the cd workflow by @Builditluc in #60
Fix toc not having scrollbars by @Builditluc in #64
Other Changes
Update Bug Report Issue Template by @Builditluc in #40
Add label requirement to ci workflow by @Builditluc in #52
Add documentation job to ci workflow by @Builditluc in #55
Fix typo in search.rs by @eltociear in #56
Add yashinghcodes/wik project to similar projects by @Builditluc in #58
Increase Stale Days to 365 by @Builditluc in #61
9.3.20 (2022-07-28)
This is a patch (bugfix) release of Drupal 9 and is ready for use on
production sites. Learn more about Drupal 9.
* Drupal core uses the third-party Diactoros library as its PSR-7
implementation. Diactoros has issued a security advisory:
* CVE-2022-31109: Diactoros before 2.11.1 vulnerable to HTTP Host Header
Attack
Drupal core is unlikely to be vulnerable. This bugfix release updates the
version of Diactoros used in drupal/core-recommended to a secure version as
a precaution.
9.3.19 (2022-07-20)
This is a security release of the Drupal 9 series.
This release fixes security vulnerabilities. Sites are urged to update
immediately after reading the notes below and the security announcement:
* Drupal core - Moderately critical - Information Disclosure -
SA-CORE-2022-012
* Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013
* Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014
* Drupal core - Moderately critical - Multiple vulnerabilities -
SA-CORE-2022-015
No other changes are included.
7.91 (2022-07-20)
Maintenance and security release of the Drupal 7 series.
This release fixes security vulnerabilities. Sites are urged to update
immediately after reading the notes below and the security announcement:
* Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012
No other changes are included.
0.18.2 - 2022-06-27
Fixed
Add default log_config on uvicorn.run()
Revert logging file name modification
0.18.1 - 2022-06-23
Fixed
Use DEFAULT_MAX_INCOMPLETE_EVENT_SIZE as default to h11_max_incomplete_event_size on the CLI
0.18.0 - 2022-06-23
Added
The reload flag prioritizes watchfiles instead of the deprecated watchgod
Annotate uvicorn.run() function
Allow configuring max_incomplete_event_size for h11 implementation
Removed
Remove asgiref dependency
Fixed
Turn raw_path into bytes on both websockets implementations
Revert log exception traceback in case of invalid HTTP request
Set asyncio.WindowsSelectorEventLoopPolicy() when using multiple workers to avoid "WinError 87"
Logswan 2.1.13 (2022-07-28)
- Remove useless backslashes in usage()
- Add entries with IPv6 remote hosts to exercise the IPv6 code paths
- Add an invalid.log log file with invalid lines, for testing purposes
- Add a few more test cases in CMakeLists.txt
- Also generate data for IPv6 addresses in the MMDB test database
- Regenerate the example MMDB database and JSON example output
Motyl 1.0.3 (2022-07-28)
- Fix an off-by-one error, we want 20 posts in the Atom feed
- Raise the default to 30 posts in the Atom feed
- Remove unused feedItems directive from motyl.conf
- Add Motyl ASCII logo header (Thanks H7!)
- Add SPDX short license identifier in source file
Changes:
2.36.5
======
- Add support for PAC proxy in the WebDriver implementation.
- Fix video playback when loaded through custom URIs, this fixes video
playback in the Yelp documentation browser.
- Fix WebKitWebView::context-menu when using GTK4.
- Fix LTO builds with GCC.
- Fix several crashes and rendering issues.
1.26.11 (2022-07-25)
--------------------
* Fixed an issue where reading more than 2 GiB in a call to ``HTTPResponse.read`` would
raise an ``OverflowError`` on Python 3.9 and earlier.