Version 2.3.6
-------------
- ``FileStorage.content_length`` does not fail if the form data did not provide a
value. :issue:`2726`
Version 2.3.5
-------------
- Python 3.12 compatibility. :issue:`2704`
- Fix handling of invalid base64 values in ``Authorization.from_header``. :issue:`2717`
- The debugger escapes the exception message in the page title. :pr:`2719`
- When binding ``routing.Map``, a long IDNA ``server_name`` with a port does not fail
encoding. :issue:`2700`
- ``iri_to_uri`` shows a deprecation warning instead of an error when passing bytes.
:issue:`2708`
- When parsing numbers in HTTP request headers such as ``Content-Length``, only ASCII
digits are accepted rather than any format that Python's ``int`` and ``float``
accept. :issue:`2716`
<ChangeLog>
*) Feature: the "http2" directive, which enables HTTP/2 on a per-server
basis; the "http2" parameter of the "listen" directive is now
deprecated.
*) Change: HTTP/2 server push support has been removed.
*) Change: the deprecated "ssl" directive is not supported anymore.
*) Bugfix: in HTTP/3 when using OpenSSL.
</ChangeLog>
htmlwidgets 1.6.2
------------------------------------------------------
* Closed #452: `as.tag.htmlwidget()` now includes `...` in its
function signature (for compatibility with the `htmltools::as.tags`
generic).
Update DEPENDS
Upstream changes:
1.27 02.07.2021
- fix various failures reported by cpantesters
1.26 01.07.2021
- fix directories where to find basic Perl docs
1.25 20.06.2021
- migrated to Plack architecture
- generate fulltext index from within the application
- use CPAN::Common::Index for knowing the latest CPAN version of a module
- general reorganization of code and documentation
1.24 07.02.2021
- fixed encoding problems when source code is UTF-8
- startup options to specify additional module dirs and script dirs
- drop links to AnnoCPAN (unfortunately that project is dead)
- various improvements in doc and repository structure (Paul Cochrane)
- return 403 on absent module (Ben Bullock)
1.5.3
- Add logic to avoid error in the case where content-length header does not exist, bug introduced in 1.5.2
- Fix wsdump.py script typing, bug introduced in 1.5.2
# googledrive 2.1.0
## Syncing up with gargle
Version 1.3.0 of gargle introduced some changes around OAuth and
googledrive is syncing up with that:
* `drive_oauth_client()` is a new function to replace the
now-deprecated `drive_oauth_app()`.
* The new `client` argument of `drive_auth_configure()` replaces the
now-deprecated `app` argument.
* The documentation of `drive_auth_configure()` emphasizes that the
preferred way to "bring your own OAuth client" is by providing the
JSON downloaded from Google Developers Console.
## Shared drives
`drive_ls(recursive = TRUE)` now works when the target folder is on a
shared drive (#265, @Falnesio).
`drive_mv()` no longer errors with "A shared drive item must have
exactly one parent." when moving a file on a shared drive (#377).
## Other
`drive_auth()` now warns if the user specifies both `email` and
`path`, because this is almost always an error (#420).
`drive_auth_config()` was deprecated in googledrive 1.0.0 (released
2019-08-19) and is now defunct.
`drive_example()` was deprecated in googledrive 2.0.0 (released
2021-07-08) and is now defunct.
# gargle 1.4.0
## Google Compute Engine
* `credentials_gce(scopes = NULL)` is now equivalent to
`credentials_gce(scopes =
"https://www.googleapis.com/auth/cloud-platform")`, i.e. there's an
even stronger current towards the recommended "cloud-platform"
scope.
* `credentials_gce(scopes =)` now includes those `scopes` in its
request to the metadata server for an access token (#216). Note that
the scopes for a GCE access token are generally pre-determined for
the instance and its associated service account at creation/launch
time and these requested `scopes` will have no effect. But this
seems to do no harm and it is possible that there are contexts where
this is useful.
* `credentials_gce()` now emits considerably more information when the
`"gargle_verbosity"` option is set to `"debug"`. For example, it
reports mismatches between requested scopes and instance scopes and
between requested scopes and the access token's actual scopes.
* `credentials_gce()` stores the actual scopes of the received access
token, which can differ from the requested scopes. This is also
noted when the `"gargle_verbosity"` option is set to `"debug"`.
* The `GceToken` R6 class gains a better `$print()` method that is
more similar to gargle's treatment of tokens obtained with other
flows.
## Behaviour in a cloud/server context
* gargle is better able to detect when it's running on Posit Workbench
or RStudio Server, e.g., in a subprocess.
* `gargle_oauth_client_type()` is a new function that returns either
"installed" or "web". It returns the value of the new global option
by the same name (`"gargle_oauth_client_type"`), if defined. If the
option is not defined, returns "web" on RStudio Server, Posit
Workbench, Posit Cloud, or Google Colaboratory and "installed"
otherwise. In the context of out-of-band (OOB) auth, an "installed"
client type leads to the conventional OOB flow (only available for GCP
projects in testing mode) and a "web" client leads to the new
pseudo-OOB flow. The option and accessor have been added to cover
contexts other than those mentioned above where it is helpful to
request a "web" client.
* `credentials_user_oauth2()` now works in Google Colaboratory (#140).
## Everything else
* gargle now elicits user input via `readline()`, instead of via
`utils::menu()`, which is favorable for interacting with the user in
a Jupyter notebook (#242).
* The roxygen templating functions that wrapper packages can use to
generate standardized documentation around auth have been updated to
reflect gargle's pivot from OAuth "app" to "client". Changes of note:
- `PREFIX_auth_configure_description()` crosslinks to `PREFIX_oauth_client()`
now, not `PREFIX_oauth_app()`. So this assumes the package has indeed
introduced the `PREFIX_oauth_client()` function (and, presumably, has
deprecated `PREFIX_oauth_app()`).
- `PREFIX_auth_configure_params()` gains `client` argument.
- `PREFIX_auth_configure_params()` deprecates the `app` argument and uses a
lifecycle badge. It is assumed that the badge SVG is present, which can be
achieved with `usethis::use_lifecycle()`.
- `PREFIX_auth_configure_params()` crosslinks to
`gargle::gargle_oauth_client_from_json()`. The wrapper package therefore
needs to state a minimum version for gargle, e.g. `gargle (>= 1.3.0)` (or
higher).
* `credentials_byo_oauth2()` works now for (variations of) service
account tokens, as intended, not just for user tokens (#250). It
also emits more information about scopes when the
`"gargle_verbosity"` option is set to `"debug"`.
# gargle 1.3.0
## (Partial) deprecation of the out-of-band (OOB) auth flow
On February 16, 2022, Google announced the gradual deprecation of the
out-of-band (OOB) OAuth flow. OOB **still works** if the OAuth client
is associated with a GCP project that is in testing mode and this is
not going away. But OOB is no longer supported for projects in
production mode. To be more accurate, some production-mode projects
have gotten an extension to permit the use of OOB auth for a bit
longer, but that's just a temporary reprieve.
The typical user who will (eventually) be impacted is:
* Using R via RStudio Server, Posit Workbench, or Posit Cloud.
* Using tidyverse packages such as googledrive, googlesheets4, or bigrquery.
* Relying on the built-in OAuth client. Importantly, this client is associated
with a GCP project that is in production mode.
The phased deprecation of OOB is nearly complete and we expect
conventional OOB to stop working with the built-in tidyverse OAuth
client on February 1, 2023, at the latest.
**In preparation for this, gargle has gained support for a new flow,
which we call pseudo-OOB (in contrast to conventional OOB)**. The
pseudo-OOB flow is triggered when `use_oob = TRUE` (an existing
convention in gargle and gargle-using packages) and the configured
OAuth client is of "Web application" type. The
gargle/googledrive/googlesheets4/bigrquery packages should now default
to a "Web application" client on RStudio Server, Posit Workbench and
Posit Cloud, leading the user through the pseudo-OOB flow. Other than
needing to re-auth once, affected users should still find that things
"just work".
Read the `vignette("auth-from-web")` for more.
## gargle-specific notion of OAuth client
`gargle_oauth_client()` is a new constructor for an S3 class by the same name.
There are two motivations:
- To adjust to Google's deprecation of conventional OOB and to support
gargle's new pseudo-OOB flow, it is helpful for gargle to know whether an
OAuth client ID is of type "Web application" or "Desktop app". That means we
need a Google- and gargle-specific notion of an OAuth client, so we can
introduce a `type` field.
- A transition from httr to httr2 is on the horizon, so it makes sense to
look more toward `httr2::oauth_client()` than to `httr::oauth_app()`.
gargle's vocabulary is generally shifting towards "client" and away from
"app".
`oauth_app_from_json()` has therefore been (soft) deprecated, in favor
of a new function `gargle_oauth_client_from_json()`, which is the
preferred way to instantiate an OAuth client, since the downloaded
JSON conveys the client type and redirect URI(s). As a bridging
measure, `gargle_oauth_client` currently inherits from httr's
`oauth_app`, but this probably won't be true in the long-term.
`gargle_client(type =)` replaces `gargle_app()`.
## Google Compute Engine and Google Kubernetes Engine
`credentials_gce()` no longer asks the user about initiating an OAuth
cache, which is not relevant to that flow (#221).
`gce_instance_service_accounts()` is a newly exported utility that
exposes the service accounts available from the metadata server for
the current instance (#234).
The global option `"gargle.gce.timeout"` is newly documented in
`credentials_gce()`. This controls the timeout, in seconds, for
requests to the metadata server. The default value (or strategy) for
setting this should often suffice, but the option exists for those
with an empirical need to increase the timeout (#186, #195).
`vignette("non-interactive-auth")` has a new section "Workload
Identity on Google Kubernetes Engine (GKE)" that explains how gargle
supports the use of workload identity for applications running on
GKE. This is the recommended method of auth in R code running on GKE
that needs to access other Google Cloud services, such as the BigQuery
API (#197, #223, @MarkEdmondson1234).
## Credential function registry
It's gotten a bit easier to work with the credential registry.
The primary motivation is that, for example, on Google Compute Engine, you might
actually want to suppress auth with the default service account and auth as a
normal user instead.
This is especially likely to come up with gmailr / the Gmail API.
* The credential-fetcher `credentials_byo_oauth2()` has been moved to the very
beginning of the default registry. The logic is that a user who has specified
a non-`NULL` value of `token` must mean business and does not want automagic
auth methods like ADC or GCE to be tried before using their `token`
(#187, #225).
* The `...` in `cred_funs_all()` are now
[dynamic dots](https://rlang.r-lib.org/reference/dyn-dots.html) (#224).
* Every registered credential function must have a unique name now.
This is newly enforced by `cred_funs_add()` and `cred_funs_set()` (#224).
* `cred_funs_list_default()` is a new function that returns gargle's default
list of credential functions (#226).
* `cred_funs_add(cred_fun = NULL)` is now available to remove a credential
function from the registry (#224).
* `with_cred_funs()` and `local_cred_funs()` are new helpers for making narrowly
scoped changes to the registry (#226).
* The `ls` argument of `cred_funs_set()` has been renamed to `funs` (#226).
* In general, credential registry functions now return the current registry,
invisibly (#224).
# gargle 1.2.1
* Help files below `man/` have been re-generated, so that they give
rise to valid HTML5. (This is the impetus for this release, to keep
the package safely on CRAN.)
* We have switched to newer oauth2.googleapis.com-based OAuth2 URIs,
moving away from the accounts.google.com and googleapis.com/oauth2
equivalents.
* `credentials_gce()` no longer validates the requested scopes against
instance scopes. In practice, it's easy for this check to be more of
a nuisance than a help (#161, #185 @craigcitro).
* `request_retry()` retries for an expanded set of HTTP codes: 408,
429, 500, 502, 503. Previously, retries were limited to 429 (#169).
## Dependency changes
* The minimum versions of rlang and testthat have been bumped. The
motivation is to exploit and adapt to the changes to the display of
error messages.
# webfakes 1.2.0
* The httpbin app now implements the `/brotli`, `/deflate`, `/digest-auth`,
`/forms/post`, `/hidden-basic-auth`, `/range/:n`, `/stream/:n`, `/cache`
and `/cache/:value` endpoints. With these, it implements all endpoints of
the original Python httpbin app (#3).
* New middleware `mw_cookie_parser()` to parse a `Cookie` header. Relatedly,
new `response$add_cookie()` and `response$clear_cookie()` methods to add a
cookie to a response and to add a header that clears a cookie (#2).
* Parsing query parameters without a value now does not fail.
* New utility function `http_time_stamp()` to format a time stamp for HTTP.
* The httpbin app now implements the endpoints related to cookies (#3).
* The httpbin app now sends the `Date` header in the correct format.
* The `offset` parameter is now optional in the `/links` endpoint of the
httpbin app.
* `mw_etag()` now does not add an `ETag` header to the response, if there
is one already. (The comparison is case sensitive.)
* New middleware: `mw_range_parser()` to parse `Range` headers.
# webfakes 1.1.7
* No user visible changes.
# bslib 0.4.2
## Potentially breaking changes
* Upgraded Bootstrap 5 (i.e., `bs_theme(version = 5)`) from 5.1.3 to 5.2.2. (#438, #455)
## New features
* Adds a new `card()` API as well as `value_box()` and
`layout_column_wrap()`. To learn more about this new functionality,
refer to these new pkgdown articles:
* https://rstudio.github.io/bslib/articles/cards.html
* https://rstudio.github.io/bslib/articles/value-boxes.html
* https://rstudio.github.io/bslib/articles/layouts.html
# bslib 0.4.1
## Bug Fixes
* Closed #458. This release `{bslib}` now requires `{memoise}` 2.0.1 or above.
# bslib 0.4.0
## Breaking changes
* `bs_theme()` now defaults to `version = 5` (i.e., Bootstrap 5). If
this change happens to break an existing app, consider specifying
`bs_theme(version = 4)` to revert the change in the Bootstrap
version. (#374)
* The default coloring on some Bootswatch 4+ theme's
`.navbar-default`/`.navbar-inverse` class has changed slightly to
better match their Bootswatch 3 coloring. Also, since this coloring
is now based solely on [`$navbar-*`
variables](https://rstudio.github.io/bslib/articles/bs5-variables.html),
Bootswatch themes now work better in combination with custom
`$navbar-*` values (e.g., `bs_theme("navbar-bg" = ...)` can be used
to provide the background color, and foreground colors will
automatically contrast appropriately). (#392)
## New features
* Upgraded Bootstrap 5 (i.e., `bs_theme(version = 5)`) from 5.1.0 to 5.1.3 (#378)
* Closed #369: `bs_dependency_defer()` now memoises `func` (by
default), reducing the time required to render multiple instances of
the same [dynamically themable
widget](https://rstudio.github.io/bslib/articles/custom-components.html#dynamically-themeable-component). (#405)
## Bug fixes
* Closed #393: Bootstrap 5's `$form-check-label-*` variables now work
as expected with `shiny::radioButtons()`, `shiny::checkboxInput()`,
and `shiny::checkboxGroupInput()`. (#395)
* Closed #382: Various fixes for using `shiny::checkboxInput()`,
`shiny::checkboxGroupInput()`, and `shiny::radioButton()` with
`bs_theme(version = 5, bootswatch = "sketchy")`. (#385)
* Closed #377: make sure `shiny::tabsetPanel(type = "hidden")` (i.e.,
`bslib::navs_hidden()`) stays hidden when used with
`bs_theme()`. (#379)
* Closed #424: fixed an issue with `nav_menu()` appearing first in a
`navs_*()` container with Bootstrap 4+.
* Closed #431: Bootstrap 5 navbars no longer have an unwanted "Toggle
Navigation" label when collapsed. (#432)
* Closed #400: `nav_menu(align="right")` now works with Bootstrap 5. (#401)
* Closed #390: using `bs_theme(bootswatch = "paper", version = 5)` or
`bs_theme(bootswatch = "readable", version = 5)` no longer
errors. (#391)
# sass 0.4.6
* Close #127: Removed a compilation warning on Windows w/ gcc-12. (#128)
# sass 0.4.5
## Improvements
* Close #122: Upgrade LibSass dependency from v3.6.4 to v3.6.5. (#123)
# sass 0.4.4
## Improvements
* Close #116: Remove hard-coded lstdc++ flag from Makevars. (#118)
# sass 0.4.3
## Improvements
* Close #113: Get rid of C++ warning during package installation about
sprintf() being deprecated. (#114)
# sass 0.4.2
## Bug fixes
* `sass()` no longer encounters a false positive cache hit when
`sass_file()` is used inside a `sass_bundle()`. (#107, #108)
* `font_google()` no longer produces a directory name with a `_`
prefix (which was causing the directory to be ignored when deployed
to GitHub Pages). (#105, #106)
# sass 0.4.1
## Improvements
* Several speed improvements for `sass()` and `as_sass_layer()`,
particularly when `sass(write_attachments = TRUE)` encounters a
`cache` hit. (#98)
* Removed compilation warnings with gcc-12. (#100)
* Removed linking errors that occur when custom C++ flags are used to
compile (#94, #104).
# httpuv 1.6.11
* Fix race condition introduced in 1.6.10. (#363)
* Hygiene and metadata improvements requested by CRAN. (#366, #369, #370)
# httpuv 1.6.10
* WebSocket connections now send Ping frames to the client every 20
seconds. This is only intended to serve as a keepalive for proxies
that might be sitting in front of us; we don't pay attention to
whether a Pong response is received in a timely manner. (#359)
This is a Python library for interacting with the Firefox Accounts
ecosystem.
Eventually, it is planned to provide easy support for the following
features:
- being a direct firefox accounts authentication client
- being an FxA OAuth Service Provider
- accessing attached services
- helps interactions with Firefox Account servers with requests
Authentication plugins.
4.10.0 (2023-06-07)
* Implement proxy support for Selenium Manager
* Prevent setting driver log level in Safari
* Change all Selenium Manager logging to :debug (#12145)
* Error messages include links to documentation
* Add custom error class for driver location and improve error logic
6.3.0 - Mugi No Toki Itaru (2023-05-31)
Japan has 72 traditional microseasons. May 31 is the first day of 麦秋至,
which means the time of the wheat/barley harvest.
Features
* Add dsl method supported_http_methods ([#3106], [#3014])
* Puma error responses no longer have any fingerprints to indicate Puma
([#3161], [#3037])
* Support decryption of SSL key ([#3133], [#3132])
Bugfixes
* Don't send 103 early hints response when only invalid headers are used
([#3163])
* Handle malformed request path ([#3155], [#3148])
* Misc lib file fixes - trapping additional errors, CI helper ([#3129])
* Fixup req form data file upload with "\r\n" line endings ([#3137])
* Restore rack 1.6 compatibility ([#3156])
Refactor
* const.rb - Update Puma::HTTP_STATUS_CODES ([#3162])
* Clarify Reactor#initialize ([#3151])
New Contributors
* @severin made their first contribution in #3156
2.2.0 (2023-06-01)
What's Changed
* Implement header_parser_block option by @zavan in #28
New Contributors
* @zavan made their first contribution in #28
1.123.1 (2023-06-02)
* Issue - Fix multipart download_file so that it does not download bytes out
of range (#2859).
1.123.0 (2023-05-31)
* Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's
CHANGELOG.md for details.
1.66.0 (2023-06-05)
* Feature - This release includes feature to import customer's asymmetric
(RSA and ECC) and HMAC keys into KMS. It also includes feature to allow
customers to specify number of days to schedule a KMS key deletion as a
policy condition key.
1.65.0 (2023-05-31)
* Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's
CHANGELOG.md for details.
3.174.0 (2023-05-31)
* Feature - Updated Aws::STS::Client with the latest API changes.
* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
* Feature - Updated Aws::SSO::Client with the latest API changes.
* Feature - Improve User-Agent metrics tracking.
1.777.0 (2023-06-08)
* Feature - Added support for enumerating regions for
Aws::PaymentCryptographyData.
* Feature - Added support for enumerating regions for
Aws::PaymentCryptography.
1.776.0 (2023-06-06)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.775.0 (2023-06-05)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.774.0 (2023-06-02)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.773.0 (2023-06-01)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.772.0 (2023-05-30)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
nghttp2 v1.54.0
nghttpx: Consistent error handling and use of high-level API
h2load: Fix http3 upload stall
h2load: Use std::chrono::steady_clock for quic timestamp
Avoid ev_now
Remove unused macro bswap64
Bump ngtcp2 and nghttp3
Bump libbpf to v1.2.0
Avoid copies
2.0.3 (2023-06-07)
- Allowed alternative SSL libraries such as LibreSSL, while still issuing a warning as we cannot help users facing issues with implementations other than OpenSSL.
- Deprecated URLs which don't have an explicit scheme
- Fixed response decoding with Zstandard when compressed data is made of several frames.
- Fixed ``assert_hostname=False`` to correctly skip hostname check.
Used only by the tools, not by the library.
This drops the Python dependency on the library, which is needed by
curl -- should help mitigate the ouroboros of curling pythons here.
1.7.2:
- Added a color-coding scheme to HTTP status codes.
- Added '--external-assets' command line option to output external JS+CSS
files. Great when used with Content Security Policy (CSP).
- Ensure there's a fallback for 'Windows' if it appears on the user-agent.
- Ensure we construct the WebSocket URL in a way that supports multiple use
cases when used along '--ws-url' and '--port'.
- Fixed a segfault due to a null pointer exception on FreeBSD.
- Fixed build with '--disable-nls'.
- Fixed invalid read (heap-buffer-overflow) when parsing an XFF spec via
JSON.
- Fixed segfault when parsing a specific XFF specifier.
1.7.1:
- Added 'inlang' for easy localization (i18n) updates.
https://inlang.com/editor/github.com/allinurl/goaccess
- Added nanosecond parsing option via the '%n' specifier. Great for parsing
'Traefik' JSON logs duration field.
- Fixed issue with '--unknowns-as-crawlers' where it did not process them as
such.
1.7:
- Added an option to classify unknown OS and browsers as crawlers using
`--unknowns-as-crawlers`.
- Added highlighting to certain metrics on the HTML report for readability.
- Added a new panel that displays ASN data for GeoIP2 and legacy databases.
Great for detecting malicious traffic and blocking accordingly.
- Added an ASN metric per IP/host.
- Changed and prioritize user's browsers list over heuristics.
- Ensure `--geoip-database=<path>` can be used multiple times to support
different databases.
- Fixed invalid read when loading the list of agents for an IP.
- Fixed issue where a file containing a NUL `\0` character would crash the
program.
- Updated Swedish i18n.
3.2.2
Changes:
- Improvement: Add support for psycopg3
- Improvement: runserver_plus, autoreload on template change
- Improvement: highlighting, test_should_highlight_bash_syntax_without_name to include whitespace spans
- Improvement: tests, add Python 3.11 to tox and actions to formally support python 3.11
- Improvement: runserver_plus, Send the file_changed event when a reload is triggered
- Improvement: runserver_plus, Add REMOTE_USER to werkzeug environment
- Improvement: pipchecker, force pip to use pkg_resources as backend for resolving distributions
- Fix: Fix error with lack of PosixPath support
- Fix: Cleanup http: links
Almost all uses, if not all of them, are wrong, according to the
semantics of BUILD_DEPENDS (packages built for target available for
use _by_ tools at build-time) and TOOL_DEPENDS (packages built for
host available for use _as_ tools at build-time).
No change to BUILD_DEPENDS as used correctly inside buildlink3.
As proposed on tech-pkg:
https://mail-index.netbsd.org/tech-pkg/2023/06/03/msg027632.html
pkgsrc change
* Switch to GitHub from googlecode.
* Drop dependency on www/squid4. This package is a utility for Squid Cache
but has no dependency on a specific version of squid.
As for changes from 2013-12-17, please refer to
<https://github.com/paleg/sqtop/commits/master> for details.
Apache Serf 1.3.10 [2023-xx-xx, from tags/1.3.10, rxxxxxxx]
Support for OpenSSL 3 (r1901937, ...)
Fix issue #171: Win32: Running tests fails with "no OPENSSL_Applink" error
Fix issue #194: Win32: Linking error when building against OpenSSL 1.1+
Fix issue #198: OpenSSL BIO control method incorrectly handles unknown requests
Fix issue #202: SSL tests are not passing with OpenSSL 3
Fix error handling when reading the outgoing request body (r1804534, ...)
Fix handling of invalid chunk lengths in the dechunk bucket (r1804005, ...)
Fix an endless loop in the deflate bucket with truncated input (r1805301)
Fix BIO control handlers to support BIO_CTRL_EOF (r1902208)
Fix a CRT mismatch issue caused by using certain OpenSSL functions (r1909252)
Build changes to support VS2017, VS2019 and VS2022 (r1712131, ...)
Build changes to support Python 3 (r1875933)
1.0.5 (2021-09-24)
* Adds testing against latest non-EOL Python and Django versions and updates
package metadata accordingly.
1.0.4 (2020-04-01)
* Run tests for Django 2.2 and 3.0 and Python 3.5, 3.6, 3.7 and 3.8
* Add template and middleware settings in test_settings (required for Django 2.2)
1.0.3 (2019-03-3)
Packaging metadata updates:
* Update tox configuration to match Django Python support map
* Drop support for Django 1.8, 1.9 and 1.10
* Drop support for python 3.3
* Confirm support for Django 1.11, 2.0 and 2.1
* Confirm support for python 3.7
1.0.2 (2016-04-19)
* Minor fixes to test setup
* Update supported Django and Python versions, in line with Django's
own supported versions.
1.0 (2015-02-15)
* This app precedes Django's own AppConfig_ classes that act as
"objects [to] store metadata for an application" inside Django's
app loading mechanism. In other words, they solve a related but
different use case than django-appconf and can't easily be used
as a replacement. The similarity in name is purely coincidental.
* Dropped support of Python 2.5.
* Added support for Django 1.7 and 1.8.
* Modernized test setup.
What's Changed
- Add example configuration with dark mode palette in #92
- Crate updates, and reverting to tracing 0.1.37 because of yanked
release in #93
* Not tested under NetBSD/i386 and 9 for this commit. If you find problems,
please report your failure to me.
* Disable WebGL for a while to avoid runtime errors under NetBSD.
* Do not pass '-j1 -j1' to cargo when MAKE_JOBS=1.
* Do not restrict cargo to unconditional -j1.
* Use ffmpeg6 instead of ffmpeg5.
Changelog:
113.0.2
Fixed
* Fixed an issue which caused Picture-in-Picture windows to not be snappable
on Windows 11 or on systems with the FancyZones PowerToy installed (bug
1832331)
* Fixed a video playback crash on some Windows systems with Intel graphics
(bug 1831329)
* Fixed a bug which could cause Firefox to freeze on some pages when loading
them with the Developer Tools Web Console open (bug 1828026)
* Fixed a bug which would cause the bookmarks and history sidebars to not
properly react to the browser window being vertically resized (bug 1831535)
113.0.1
Fixed
* Fixed incorrect colors for Windows users with installed monitor/display
color profiles, particularly on wide gamut displays (bug 1832215)
* Fixed borders being visible around fullscreen windows for some
configurations (bug 1830721)
* Fixed an issue which may cause users in some configurations to experience
tearing when watching videos in fullscreen mode (bug 1830792)
113.0
New
* Say hello to enhanced Picture-in-Picture! Rewind, check video duration, and
effortlessly switch to full-screen mode on the web's most popular video
websites.
* Firefox's address bar is already a great place to search for what you're
looking for. Now you'll always be able to see your web search terms and
refine them while viewing your search's results - no additional scrolling
needed! Also, a new result menu has been added making it easier to remove
history results and dismiss sponsored Firefox Suggest entries.
* Private windows now protect users even better by blocking third-party
cookies and storage of content trackers.
* Passwords automatically generated by Firefox now include special
characters, giving users more secure passwords by default.
* Firefox 113 introduces a redesigned accessibility engine which
significantly improves the speed, responsiveness, and stability of Firefox
when used with:
+ Screen readers, as well as certain other accessibility software;
+ East Asian input methods;
+ Enterprise single sign-on software; and
+ Other applications which use accessibility frameworks to access
information.
* Importing bookmarks from Safari or a Chrome-based browser? The favicons for
those bookmarks will now also be imported by default to make them easier to
identify.
* Firefox 113 now supports AV1 Image Format files containing animations
(AVIS), improving support for AVIF images across the web.
* The Windows GPU sandbox first shipped in the Firefox 110 release has been
tightened to enhance the security benefits it provides.
* A 13-year-old feature request was fulfilled and Firefox now supports files
being drag-and-dropped directly from Microsoft Outlook. A special thanks to
volunteer contributor Marco Spiess for helping to get this across the
finish line!
* Users on macOS can now access the Services sub-menu directly from Firefox
context menus.
* On Windows, the elastic overscroll effect has been enabled by default. When
two-finger scrolling on the touchpad or scrolling on the touchscreen, you
will now see a bouncing animation when scrolling past the edge of a scroll
container.
* Firefox is now available in the Tajik (tg) language.
Fixed
* Various security fixes.
Changed
* The long-deprecated mozRTCPeerConnection, mozRTCIceCandidate, and
mozRTCSessionDescription WebRTC interfaces have been removed. Sites should
utilize the non-prefixed versions instead.
Security fixes:
#CVE-2023-32205: Browser prompts could have been obscured by popups
#CVE-2023-32206: Crash in RLBox Expat driver
#CVE-2023-32207: Potential permissions request bypass via clickjacking
#CVE-2023-32208: Leak of script base URL in service workers via import()
#CVE-2023-32209: Persistent DoS via favicon image
#CVE-2023-32210: Incorrect principal object ordering
#CVE-2023-32211: Content process crash due to invalid wasm code
#CVE-2023-32212: Potential spoof due to obscured address bar
#CVE-2023-32213: Potential memory corruption in FileReader::DoReadData()
#MFSA-TMP-2023-0002: Race condition in dav1d decoding
#CVE-2023-32214: Potential DoS via exposed protocol handlers
#CVE-2023-32215: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11
#CVE-2023-32216: Memory safety bugs fixed in Firefox 113
This is a Django project that contains default settings and url settings
for Mailman 3 Web Interface. It consists of the following sub-projects:
* Postorius
* Hyperkitty
A multiprocessing distributed task queue for Django
Features:
* Multiprocessing worker pool
* Asynchronous tasks
* Scheduled, cron and repeated tasks
* Signed and compressed packages
* Failure and success database or cache
* Result hooks, groups and chains
* Django Admin integration
* PaaS compatible with multiple instances
* Multi cluster monitor
* Redis, Disque, IronMQ, SQS, MongoDB or ORM
* Rollbar and Sentry support
Haystack provides modular search for Django. It features a unified, familiar
API that allows you to plug in different search backends (such as Solr,
Elasticsearch, Whoosh, Xapian, etc.) without having to modify your code.
Django Compressor processes, combines and minifies linked and inline
Javascript or CSS in a Django template into cacheable static files.
It supports compilers such as coffeescript, LESS and SASS and is
extensible by custom processing steps.
This package contains libraries and templates for Django-based interfaces
interacting with Mailman.
To use this application, add django_mailman3 to the INSTALLED_APPS list
in your Django server's settings file.
Integrated set of Django applications addressing authentication, registration,
account management as well as 3rd party (social) account authentication.
# shiny 1.7.4
## Full changelog
### Breaking changes
* Closed #3719: Output container sizes, which are available via
[`session$clientData` and
`getCurrentOutputInfo()`](https://shiny.rstudio.com/articles/client-data.html),
no longer round to the nearest pixel (i.e., they are now more exact,
possibly fractional values). (#3720)
* Closed #3704, #3735, and #3740: `renderPlot()` no longer generates
an error (or segfault) when it executes before the output is
visible. Instead, it'll now use the graphics device's default size
for its initial size. Relatedly, `plotPNG()` now ignores `NULL`
values for `width`/`height` (and uses the device's default
`width`/`height` instead). (#3739)
### New features and improvements
* `plotOutput()`, `imageOutput()`, and `uiOutput()` gain a `fill`
argument. If `TRUE` (the default for `plotOutput()`), the output
container is allowed to grow/shrink to fit a fill container (created
via `htmltools::bindFillRole()`) with an opinionated height. This
means `plotOutput()` will grow/shrink by default [inside of
`bslib::card_body_fill()`](https://rstudio.github.io/bslib/articles/cards.html#responsive-sizing),
but `imageOutput()` and `uiOutput()` will have to opt-in to similar
behavior with `fill = TRUE`. (#3715)
* Closed #3687: Updated jQuery-UI to v1.13.2. (#3697)
* Internal: Added clearer and strict TypeScript type definitions (#3644)
# shiny 1.7.3
### Bug fixes
* Shiny 1.7.0 changed the `icon(lib="fontawesome")` implementation
from a bundled copy of fontawesome, to the {fontawesome}
package. This led to issue #3688, where icons that were previously
working, were now breaking. That's because {fontawesome} 0.3.0 and
earlier did not have support for icon names used in Font Awesome 5
and earlier, only the newest icon names used in Font Awesome 6. Now,
{fontawesome} 0.4.0 has restored support for those older icon names,
and Shiny 1.7.2.1 has updated its {fontawesome} requirement to
>=0.4.0.
# shiny 1.7.2
## Full changelog
### Breaking changes
* Closed #3626: `renderPlot()` (and `plotPNG()`) now uses
`ragg::agg_png()` by default when the [`{ragg}`
package](https://github.com/r-lib/ragg) is installed. To restore the
previous behavior, set `options(shiny.useragg = FALSE)`. (#3654)
### New features and improvements
* Closed #1545: `insertUI()` now executes `<script>` tags. (#3630)
* `fileInput()` can set the `capture` attribute to facilitate user
access to a device's media capture mechanism, such as a camera, or
microphone, from within a file upload control ([W3C HTML Media
Capture](https://www.w3.org/TR/html-media-capture/)). (Thanks to
khaled-alshamaa, #3481)
* Closed tidyverse/dplyr#5552: Compatibility of dplyr 1.0 (and rlang
chained errors in general) with `req()`, `validate()`, and friends.
* Closed tidyverse/dplyr#6154: Values from an `actionButton()` had S3
classes in the incorrect order.
* Closed #3346: Default for `ref` input in `runGithub()` changed from
`"master"` to `"HEAD"`. (#3564)
* Closed #3619: In R 4.2, `splitLayout()` no longer raises warnings
about incorrect length in an `if` statement. (Thanks to @dmenne,
#3625)
### Bug fixes
* Closed #3250: `{rlang}`/`{tidyeval}` conditions (i.e., warnings and
errors) are no longer filtered from stack traces. (#3602)
* Closed #3581: Errors in throttled/debounced reactive expressions no
longer cause the session to exit. (#3624)
* Closed #3657: `throttle.ts` and the `Throttler` typescript objects
it provides now function as intended. (Thanks to @dvg-p4, #3659)
* The auto-reload feature (`options(shiny.autoreload=TRUE)`) was not
being activated by `devmode(TRUE)`, despite a console message
asserting that it was. (#3620)
* Closed #2297: If an error occurred in parsing a value in a bookmark
query string, an error would be thrown and nothing would be
restored. Now a message is displayed and that value is
ignored. (Thanks to @daattali, #3385)
* Restored the previous behavior of automatically guessing the
`Content-Type` header for `downloadHandler` functions when no
explicit `contentType` argument is supplied. (#3393)
* Previously, updating an input value without a corresponding Input
binding element did not trigger a JavaScript `shiny:inputchanged`
event. Now, if no Input binding element is found, the
`shiny:inputchanged` event is triggered on
`window.document`. (#3584)
* Closed #2955: Input and output bindings previously attempted to use
`el['data-input-id']`, but that never worked. They now use
`el.getAttribute('data-input-id')` instead. (#3538)
### Minor improvements
* When taking a test snapshot, the sort order of the json keys of the
`input`, `output`, and `export` fields is currently sorted using the
locale of the machine. This can lead to inconsistent test snapshot
results. To opt-in to a consistent ordering of snapshot fields with
`{shinytest}`, please set the global option
`options(shiny.snapshotsortc = TRUE)`. `{shinytest2}` users do not
need to set this value. (#3515)
* Closed rstudio/shinytest2#222: When restoring a context (i.e.,
bookmarking) from a URL, Shiny now better handles a trailing `=`
after `_inputs_` and `_values_`. (#3648)
* Shiny's internal HTML dependencies are now mounted dynamically
instead of statically. (#3537)
* HTML dependencies that are sent to dynamic UI now have better type
checking, and no longer require a `dep.src.href` field. (#3537)
# shinyjs 2.1.0 (2021-12-20)
- New feature: you can now reset all inputs on the page by calling
`reset()` with no arguments (#222)
- New feature: Add a `removeEvent()` function which removes events
added to HTML elements with `onclick()` or `onevent()` (#244)
- Fix bug: `disable()` did not work on nested download buttons (#223)
- Fix bug: Don't automatically namespace ID arguments in custom
extendShinyjs functions (#229)
- Fix bug: ensure that `extendShinyjs()` functions don't overwrite
native {shinyjs} functions (#230)
Flask-Security allows you to quickly add common security mechanisms
to your Flask application.
This is an independently maintained version of Flask-Security based on
the 3.0.0 version of the original.
v3.1.0
- Documentation and packaging improvements.
- Don't return the default locale twice
- Fix tests breaking against babel 12.2, which changed localized times to use
non-breaking-spaces. Babel 12.2 or greater is now required.
- Relax version requirements for dependencies.
v3.0.0
Major version bump as this version removes support for Python 3.5 and 3.6, along with multiple
major breaking changes. Hope you've been following SemVer :)
- Dropped support for end-of-life Python 3.5 and 3.6, added tests for 3.10 and 3.11.
- Fixes to documentation to address outdated links and settings
- Jinja version 3 or greater is now required (released 2021)
- Removed Babel._date_formats, use the public Babel.date_formats instead.
- list_translations() always returns the default locale, even if it does not exist.
- Add lazy_npgettext()
- Babel.locale_selector and Babel.timezone_selector no longer exist. They must be provided
either when the Babel() object is created or when init_app() is called. This is to support
having a single Babel object for multiple Flask apps as well as to simplify settings
and multi-threaded state.
- Most configuration options can be passed directly through init_app().
v2.0.0
Starting with version 2, flask-babel drops official support for Python2.
Python versions 3.5 through 3.9-beta1 are tested and supported, as well as pypy3.
- Tests moved from unittest to pytest
- Domain and caching support from Flask-BabelEx
- Documentation moved from python-hosted to Github Pages.
- CI moved from Travisci to Github Actions
- Small documentation improvements.
- Removed unnecessary checks on get_translations()
- localeselector and timezoneselector can be changed after creation.
5.0.0
- New function multi_download() which supports concurrent downloads and resuming
download for large files, while giving detailed progress information.
- Windows: updated libcurl to 7.84.0 + nghttp2
- Windows: default to CURLSSLOPT_NATIVE_CA when using openssl unless an envvar
with CURL_CA_BUNDLE is set.
- Use the new optiontype API for type checking if available (libcurl 7.73.0)
4.3.3
- Add support for setting ssl_ctx_function callbacks
- Normalize curlopt_postfields to curlopt_copypostfields to transfer ownership
of the input data to libcurl.
- Fix strict-prototype errors
# httr 1.4.6
* Suppress use of httpbin in examples and tests because it has become
unreliable.
# httr 1.4.5
* An internal helper that checks for an interactive session in the OOB
flow now honors the `"rlang_interactive"` global option, in case
it's necessary to declare the session to be interactive (enough) for
OOB (@jennybc, #734).
# httr 1.4.4
* Fix intermittent failing test.
# httr 1.4.3
* Fix failing test.
Still compiles, still doesn't link against ffmpeg, but MOZ_FFMPEG is
defined to 1.
Bump PKGREVISION.
XXX: Update comment about hunspell: it's now perhaps new enough to
be used from pkgsrc instead of using the provided copy.
0.14.5
Bugfix for data loss prevention exception when same uri is used in multiple to-many resources in a payload.
Doc fix for delete_detail
More cleanup for python 2 EOL
Added support for Django 4.1.
curl and libcurl 8.1.2
This release includes the following bugfixes:
o configure: quote the assignments for run-compiler [1]
o configure: without pkg-config and no custom path, use -lnghttp2 [8]
o curl: cache the --trace-time value for a second [9]
o http2: fix EOF handling on uploads with auth negotiation [7]
o http3: send EOF indicator early as possible [11]
o lib1560: verify more scheme guessing [5]
o lib: remove unused functions, make single-use static [3]
o libcurl.m4: remove trailing 'dnl' that causes this to break autoconf [10]
o libssh: when keyboard-interactive auth fails, try password [4]
o misc: fix spelling mistakes [2]
o page-header: mention curl version and how to figure out current release [13]
o page-header: minor wording polish in the URL segment [12]
o scripts/singleuse.pl: add more API calls
o urlapi: remove superfluous host name check [6]
v1.1.1 Released 2023-01-17
* Fixed validate extra_validators parameter.
v1.1.0 Released 2023-01-15
* Drop support for Python 3.6.
* validate_on_submit takes an extra_validators parameter
* Stop supporting Flask-Babelex
* Support for python 3.11
* Remove unused call to JSONEncoder
Changelog:
This is mostly a bugfix release.
This version created by taking patches from the current development branch and
back-porting them on top of version 0.9.76.
The most notable changes are: some improvements for Digest and Basic
authorizations, fixed efficiency for TLS upgraded connections, fixed
processing of folded headers in requests, fixed functionality with blocking
sockets, improved and fixed internal test-suite.
The more detailed list of the important changes:
API changes:
+ Added new function MHD_get_version_bin().
Improvements and enhancements:
* Digest Auth: changed algorithm identifiers in server generated headers from
"md5" / "sha-256" to "MD5" / "SHA-256" to better match RFC (while clients
should use caseless matching).
* Improved Base64 decoding by new implementation with robust input data
validation checks.
* Improved configure for cross-compiling, for better compatibility with POSIX
and for better compatibility with the latest compiler versions.
* New internal tests: for Base64 decoding, Basic Auth and folded headers.
* Supported new libcurl API in tests to mute deprecation warnings.
* Supported ARM and ARM64 for VC compilers.
Functionality changes:
* any negative number returned by response data generation callback function
is treated as an error. Previously negative values except predefined error
codes could produce undefined behaviour.
* Added handling of "DEBUG" preprocessor macro as an alias of "_DEBUG".
Fixes:
# Fixed functionality with blocking sockets.
# Fixed very inefficient data pumping for upgraded TLS connections.
# Fixed processing of folded headers in the requests.
# Fixed data races when closing upgraded connection.
# Removed duplication of "Connection: upgrade" header.
# Digest auth: fixed thread sync to avoid "stale hash" results.
# Fixed harmless unwanted extra data processing resulting in triggering of the
assert.
# Fixed tests for LTO.
# Removed non-portable functions in examples.
# Fixed delayed call of connection notification callback in
thread-per-connection mode.
# Fixed Address Sanitizer unpoison of memory when memory pool is destroyed.
This fixed periodic ASAN error when used for a long time with the sanitizer.
# Fixed compiler warnings in library code, examples, tests and configure
checks.
# New TLS certificates for test-suite: all with SAN fields and SHA-256 hash.
# Tests: fixed tests on Darwin 22.x (Ventura).
# Tests: redesigned one test group to avoid stress-testing of the OS.
For the workaround case $PREFIX/bin/firefox would have an extra
/usr/pkg/lib/firefox/firefox "$@" added after the
exec /usr/pkg/lib/firefox/firefox "$@"
Calling "export LD_PRELOAD=/usr/X11R7/lib/libEGL.so" before starting firefox
avoids the crash on startup in many cases
To be removed once PR#57445 is resolved (or restricted to non fixed installs)
Version 1.4.2
Fix typo in new backwards JWT compat heuristics
Version 1.4.1
This is a minor release focused on improving backwards compatibility with applications after the API breaking changes introduced in 1.4.
This patch adds a bunch of heuristics to be able to safely autodetect a token type. It has been tested to solve the compatibility issues (i.e. old code works without modifications and fully securely) with at least one large application.
Version 1.4
This is a security release to address CVE-2022-3102.
The JWT code can auto-detect the type of token being provided, and this can lead the application to incorrect conclusions about the trustworthiness of the token.
Quoting the private disclosure we received: "Under certain circumstances, it is possible to substitute a [..] signed JWS with a JWE that is encrypted with the public key that is normally used for signature validation."
This substitution attack can occur only if the validating application also has access to the private key, normally used to sign the tokens, available during validation of the received JWT.
The significance of this attack depends on the use of the token, it may lead to authentication bypass or authorization bypass (respectively if claims are used to authenticate or authorize certain actions), because the attacker has full control of the data placed in the JWE and can inject any desired claim value.
Several mitigating factors exist that can protect applications from this issue:
* If the private key corresponding to the public key used to encrypt the JWE is not available to the application an exception will be raised.
* If the JWK is specified with the 'use' parameter set to 'sig' (as expected for keys used only for signing/verification) an exception will be raised.
* If the JWK is specified with the 'key_ops' parameter set and it does not include the 'decrypt' operation an exception will be raised.
* Applications may check the token type before validation, in this case they would fail to detect an expected JWS.
Normally, signing and validation are done by different applications, so this scenario should be unlikely. However it is possible to have applications that both sign and validate tokens and do not separate JWKs in use, or do not set a JWK 'use' type.
Due to the mitigating factors, and the fact that specific operational constraints and conditions need to be in place to successfully exploit this issue to generate an authentication bypass, we rate this security issue as moderate. Other avenues may decide on a different rating based on use case, always verify what conditions apply to your use of the library to assess risk.
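An added example (not jwcrypto's code and not part of the release notes): a standard-library pre-check for the mitigations listed above. It tells a compact JWS (three segments) from a compact JWE (five segments, `enc` header) before any key is used, and reports whether the verification JWK's `use` or `key_ops` rules out decryption. The function names and the sample tokens are constructed for illustration.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def token_kind(token: str) -> str:
    """Classify a compact-serialized token as 'JWS' or 'JWE' without using a key.

    Compact JWS has three dot-separated segments; compact JWE has five and
    its protected header must carry 'enc'. Anything else is rejected.
    """
    parts = token.split(".")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON all land here
        raise ValueError("protected header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    if len(parts) == 3 and "enc" not in header:
        return "JWS"
    if len(parts) == 5 and "enc" in header:
        return "JWE"
    raise ValueError("segment count and header do not match a compact JWS or JWE")


def key_rules_out_decryption(jwk: dict) -> bool:
    """True when the JWK metadata restricts the key as the advisory describes:
    'use' set to 'sig', or 'key_ops' present without 'decrypt'."""
    if jwk.get("use") == "sig":
        return True
    key_ops = jwk.get("key_ops")
    return key_ops is not None and "decrypt" not in key_ops


def precheck(token: str, verification_jwk: dict) -> list:
    """Return findings for a token the application expects to be signed.

    An empty list means the token has the JWS shape and the key is
    restricted to signature use.
    """
    try:
        kind = token_kind(token)
    except ValueError as exc:
        return [f"reject: {exc}"]
    findings = []
    if kind != "JWS":
        findings.append("reject: expected a signed JWS but received a JWE")
    if not key_rules_out_decryption(verification_jwk):
        findings.append(
            "harden: verification JWK sets neither use='sig' "
            "nor key_ops without 'decrypt'"
        )
    return findings


def _constructed_token(header: dict, extra_segments: int) -> str:
    """Build a token-shaped string with dummy segments (constructed sample,
    carries no real signature or ciphertext)."""
    head = _b64url_encode(json.dumps(header).encode("utf-8"))
    return ".".join([head] + ["AAAA"] * extra_segments)


# Constructed samples: only the shape and the header matter to the pre-check.
SIGNED_SHAPE = _constructed_token({"alg": "RS256", "typ": "JWT"}, 2)
ENCRYPTED_SHAPE = _constructed_token({"alg": "RSA-OAEP", "enc": "A256GCM"}, 4)

if __name__ == "__main__":
    print(precheck(SIGNED_SHAPE, {"kty": "RSA", "use": "sig"}))
    print(precheck(ENCRYPTED_SHAPE, {"kty": "RSA"}))
```
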
1.6.0 (2023-05-26)
* Dependencies have been updated:
- Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support
- As a result, required Ruby version is now >= 2.7.0
* Security updates will continue to be made on the 1.5.x release branch as
long as Rails 6.1 (which supports Ruby 2.5) is still in security support.
Mike Dalessio
* HTML5 standards-compliant sanitizers are now available on platforms
supported by Nokogiri::HTML5. These are available as:
- Rails::HTML5::FullSanitizer
- Rails::HTML5::LinkSanitizer
- Rails::HTML5::SafeListSanitizer
And a new "vendor" is provided at Rails::HTML5::Sanitizer that can be used
in a future version of Rails.
Note that for symmetry Rails::HTML4::Sanitizer is also added, though its
behavior is identical to the vendor class methods on
Rails::HTML::Sanitizer.
Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back
the HTML5 vendor if it's supported, else the legacy HTML4 vendor.
Mike Dalessio
* Module namespaces have changed, but backwards compatibility is provided by
aliases.
The library defines three additional modules:
- Rails::HTML for general functionality (replacing Rails::Html)
- Rails::HTML4 containing sanitizers that parse content as HTML4
- Rails::HTML5 containing sanitizers that parse content as HTML5
The following aliases are maintained for backwards compatibility:
- Rails::Html points to Rails::HTML
- Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer
- Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer
- Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer
Mike Dalessio
* LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and
FullSanitizer already ensured this encoding.
Mike Dalessio
* SafeListSanitizer allows time tag and lang attribute by default.
Mike Dalessio
* The constant Rails::Html::XPATHS_TO_REMOVE has been removed. It's not
necessary with the existing sanitizers, and should have been a private
constant all along anyway.
Mike Dalessio
2.7.5 (2023-05-24)
What's Changed
* Subclass Options structs using a block by @bdewater in #1489
* Remove direct struct subclassing by @bdewater in #1491
* Fix incorrect use of logger middleware in docs by @mattbrictson in #1497
* Always assume the existence of URI::Generic#find_proxy by @yykamei in
#1502
* Encode false to "false" in Faraday::Request::Json by @yykamei in #1504
* ProxyOptions should treat empty string as nil by @exoego in #1493
New Contributors
* @mattbrictson made their first contribution in #1497
* @exoego made their first contribution in #1493
1.771.0 (2023-05-26)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.770.0 (2023-05-25)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.769.0 (2023-05-24)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.768.0 (2023-05-23)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
Version 1.2
===========
Main changes
* Added support for Python 3.10.
* Add support for HTML form-associated elements (i.e. input elements that are
associated with a form by a ``form`` attribute, but are not a child element
of the form.)
Bug fixes
* When uploading a file, only the filename is now submitted to the server.
Previously, the full file path was being submitted, which exposed more
local information than users may have been expecting.
Version 2.0.0!
This is a major release since it drops compatibility with some older versions of python.
Huge thanks to @graingert for bringing pytest-httpbin into the modern world!
Drop support for Python 2.6, 2.7, 3.4, 3.5 and 3.6
Add support for Python 3.7, 3.8, 3.9 and 3.10
Avoid deprecation warnings and resource warnings
Add support for Python 3.11 and 3.12, drop dependency on six
Changelog (taken from https://github.com/superseriousbusiness/gotosocial/releases/tag/v0.9.0):
v0.9.0 Spicy Sloth
24 May 14:58
282be6f
HELLO! The sloth has landed! Repeat, the sloth has landed! Introducing v0.9.0 of GoToSocial, aka Spicy Sloth!
This release was fun to work on, and we hope you enjoy using it! The project is slowly and steadily maturing and getting better 🌞
Big thank you to all contributors, folks who opened issues, instance admins who let us know weird stuff was happening, people who seem to like the code, and people who give us money to write the code!
Highlights
PROFILE FIELDS will now be federated. This means you can set key/value fields on your profile, just like other Fedi softwares already have, and they will federate in and out properly! It may take up to 2 days to start seeing fields on remote profiles, be patient ;)
Kickass new layout for web view of profiles, including fields!
Initial support for request tracing (https://github.com/superseriousbusiness/gotosocial/blob/main/docs/configuration/observability.md)
"subscribe" to an account you follow to receive notifications when they create a new post! (AKA 'click the bell' functionality.) Very useful for catching posts of followed accounts who don't post very often.
Automatic remote status refetching to get up-to-date replies + edits.
Performance improvements for message sending: you can now configure the rate at which messages will be federated outwards, better spacing out CPU usage and avoiding issues with rate-limiting.
Lots of caching performance improvements; things should feel generally snappier.
Suspend accounts from right within the admin panel by clicking through from reports.
We added a whole bunch of trans rights to the code 🏳️⚧️ The code has so much trans rights in it now. If you don't like trans rights, you won't like this code.
Migration notes
Upgrading
To upgrade to 0.9.0 from a previous release:
Binary/tar
Stop GoToSocial
Untar the new release, including the web assets and html templates.
Edit your config.yaml file as necessary (see below).
Start GoToSocial
Docker
Stop GoToSocial.
Pull the new docker container (superseriousbusiness/gotosocial:0.9.0 or superseriousbusiness/gotosocial:latest)
Start GoToSocial.
config.yaml
The configuration file has changed since the previous release. You can see a diff of the config file here: v0.8.1...v0.9.0#diff-c071e03510b2c57e193a44503fd9528a785f0f411497cc75841a9f8d0b1ac622
Database Migrations
This release contains several database migrations which will run the first time you start up this new version. Be sure not to interrupt this migration process. This will take anywhere between a couple seconds and ten minutes (on slower hardware). Please be patient!
Features / Performance
89dcbd5 [frontend] Basic user moderation actions (#1728)
6c9d8e7 [feature] status refetch support (#1690)
9cc9ffc [frontend] Profiles with fields & more (#1764)
6392e00 [feature] initial tracing support (#1623)
0e29f1f [feature] Enable federation in/out of profile PropertyValue fields (#1722)
6d13858 [feature] Implement the preferences client API (#1740)
3ff1391 [performance] replace domain block cache with an in-memory radix trie (#1714)
68b91d2 [performance] tweak http client error handling (#1718)
8b1e228 [feature] Add GET endpoint for single notification (#1719)
6a29c5f [performance] improved request batching (removes need for queueing) (#1687)
093cf2a [feature] Receive notification when followed account posts (if desired) (#1680)
107237c [feature] Make client IP logging configurable (#1799)
Bugfixes
17b9a93 [bugfix] Fix duplicating fields on profile edit (#1788)
e91cabb [bugfix] Fix NegotiateFormat with multiple accept headers (#1797)
2478d83 [bugfix] Fix proxy_pass in named location (#1794)
68e54cb [bugfix] Start + stop caches properly for testrig + pruning (#1804)
99ddaba [bugfix] Fix incorrect default for empty emoji domain (#1803)
2063d01 [bugfix] Add back removed ValidateRequest() before backoff-retry loop (#1805)
2b7c815 [bugfix] update go-cache to v3.3.3 (#1778)
b47661f [bugfix] Downstep otel to fix freebsd compile issue (#1773)
8eda005 [bugfix] Ensure account fields can be set by JSON (#1762)
878ed48 [bugfix] Don't try to get user when serializing local instance account (#1757)
11e843a [bugfix] fix possible domain blockcache nil ptr + add debug String() func (#1755)
8275d70 [bugfix] update go-cache version to support multi-keying (#1756)
37b4d9d [bugfix] Punycode fixes (#1743)
b7dd32d [bugfix] Return languages in api/v1/instance (#1741)
5027d0c [bugfix] Serve correct 'application/jrd+json' content type for webfinger requests (#1738)
4a012ac [bugfix] Rework notifs to use min_id for paging up (#1734)
a6ec2a5 [bugfix] Fix invalid og:description on account w/ empty note (#1733)
ead286a [bugfix] tweak httpclient error handling again ... (#1721)
fdd2487 [bugfix] add From to email header (#1717)
6b4f6dc [bugfix] Fix remaining mangled URI escaping issues in statuses + accounts (#1712)
fd3bf92 [bugfix] fix small config typos (#1707)
cb1f935 [bugfix] Fix the bookmarks list API endpoint returning an empty array (#1700)
c01d2f9 [chore]: Bump golang.org/x/oauth2 from 0.6.0 to 0.7.0 (#1684)
1d8f9c6 [chore]: Bump golang.org/x/crypto from 0.7.0 to 0.8.0 (#1685)
014d7ac [chore]: Bump github.com/spf13/cobra from 1.6.1 to 1.7.0 (#1686)
158facf [chore]: Bump golang.org/x/image from 0.6.0 to 0.7.0 (#1682)
Chores
e1b7ab2 [chore]: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#1785)
89c1d58 [chore]: Bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#1784)
c7702c4 [chore] Change time comparison in webfinger test (#1798)
a0952ad [chore]: Bump github.com/minio/minio-go/v7 from 7.0.52 to 7.0.53 (#1808)
c48abd8 [chore] update account statuses paging logic (#1814)
ea1bbac [chore]: Bump github.com/go-playground/validator/v10 (#1812)
9c24dee [chore] Replace pinafore with semaphore (#1801)
514eb8c [frogend/chore] Fix profile domain (#1779)
3046dab [frogend/chore] Update backnextlinks (#1774)
ec325fe [chore] Update a bunch of database dependencies (#1772)
66df974 [frogend/bugfix] fix dynamicSpoiler elements (#1771)
b315aa1 [frogend/chore] remove break-all on profile fields (#1770)
ba5a464 [chore] Prefer JSON errors in API endpoints (#1766)
265cc32 [frogend] use more semantic headers for profile page (#1765)
65cd1ac [chore] tidy + update StatusToAPIStatus (#1754)
cbb9e2d [chore/performance] Make sender multiplier configurable (#1750)
9b4b4d4 [chore] update readthedocs deps, use conda (#1742)
c41c1f9 [chore] Hide vendor from diffs (#1729)
66f09a8 [chore]: Bump modernc.org/sqlite from 1.22.0 to 1.22.1 (#1726)
e9de7be [chore]: Bump github.com/go-playground/validator/v10 (#1724)
ab7f518 [chore]: Bump github.com/KimMachineGun/automemlimit from 0.2.5 to 0.2.6 (#1723)
5904e3b [chore]: Bump github.com/miekg/dns from 1.1.53 to 1.1.54 (#1727)
49395f2 [chore]: Bump modernc.org/sqlite from 1.21.1 to 1.22.0 (#1711)
f3066a1 [chore] Replacing all Pinafore mentions to Semaphore ones (#1689)
a3d2774 [chore]: Bump codeberg.org/gruf/go-cache/v3 from 3.2.3 to 3.2.5 (#1701)
c5f61c4 [chore]: Bump mvdan.cc/xurls/v2 from 2.4.0 to 2.5.0 (#1702)
ef3004b [chore]: Bump github.com/minio/minio-go/v7 from 7.0.50 to 7.0.52 (#1703)
Documentation
19dab83 [docs] add missing observability settings to example config (#1790)
32aefd5 [docs] remove nginx trailing slash (#1789)
282be6f [docs] local docs hacking howto (#1816)
d0e747c [docs] code highlighting configuration (#1817)
999a6ae [docs] support copy/pasta for code blocks (#1818)
1d8dec3 [docs] Add implementation notes for report (Flag) functionality (#1324)
0e03507 [docs] update instance splash and profile screenshots (#1775)
ae9d432 [docs] Migrates Chart Location (#1708)
922bd89 [docs] Explain that markdown is enabled on the user settings page. (#1699)
curl and libcurl 8.1.1
This release includes the following bugfixes:
o cf-socket: completely remove the disabled USE_RECV_BEFORE_SEND_WORKAROUND [12]
o checksrc: disallow spaces before labels [16]
o cmake: avoid `list(PREPEND)` for compatibility [24]
o cmake: repair cross compiling [10]
o configure: fix --help alignment [9]
o configure: generate a script to run the compiler [11]
o curl_easy_getinfo: clarify on return data types [15]
o docs: document that curl_url_cleanup(NULL) is a safe no-op [4]
o hostip: move easy_lock.h include above curl_memory.h [14]
o http2: double http request parser max line length [8]
o http2: increase stream window size to 10 MB [22]
o http2: upload improvements [21]
o lib: fix conversion warnings with gcc on macOS
o lib: rename struct 'http_req' to 'httpreq' [23]
o ngtcp2: fix compiler warning about possible null-deref [3]
o ngtcp2: proper handling of uint64_t when adjusting send buffer [1]
o os400: update chkstrings.c [2]
o runtests: handle interrupted reads from IPC pipes
o runtests: use the correct fd after select [20]
o sectransp.c: make the code c89 compatible [17]
o select: avoid returning an error on EINTR from select() or poll() [5]
o test425: fix the log directory for the upload
o url: provide better error message when URLs fail to parse [18]
o urlapi: allow numerical parts in the host name [7]
o vquic.c: make recvfrom_packets static, avoid compiler warning [6]
What's Changed
Guard PxManager test with pacrunner-duktape option by @janbrummer in #215
Fix build on NetBSD. by @0-wiz-0 in #220
Install libpxbackend into pkglibdir by @amigadave in #223
Move glib2 inclusion out of c++ protection. by @0-wiz-0 in #227
Replace libsoup with glib socket service functions by @janbrummer in #228
Enforce online state for tests by @janbrummer in #229
Use glib-object header instead of gio by @janbrummer in #230
Fix libproxy rpath by @janbrummer in #231
Draft: Improve ignore checks by @janbrummer in #232
Release 0.5.1 by @janbrummer in #233
Enable HTTPv3 protocol by default.
The OpenSSL compatibility layer, which emulates BoringSSL
QUIC API for OpenSSL, is enabled by default, and 0-RTT is
not supported in this mode.
<ChangeLog>
*) Feature: experimental HTTP/3 support.
</ChangeLog>
What's Changed
Fix building without duktape by @mattst88 in #180
Fix WITH_GNOME2 documentation by @mattst88 in #181
bindings: perl: Use ccflags from %Config for libproxy module compilation by @Vogtinator in #183
Use XDG_CURRENT_DESKTOP to detect GNOME desktop like systems by @janbrummer in #192
Enable the use of ducktape in Windows systems by @illera88 in #194
Enable static builds for libproxy by @illera88 in #195
Fix build on macOS by @wegank in #189
Complete rewrite by @janbrummer in #201
kde: Remove line breaks in values by @janbrummer in #203
Add man page for proxy tool by @janbrummer in #204
Add PX_FORCE_CONFIG env by @janbrummer in #205
add alert function to pacrunners by @multiSnow in #196
Update architecture documentation by @janbrummer in #206
Check for valid uri_host in ignore_ip() by @janbrummer in #210
Remove line break in debug output by @janbrummer in #211
Improve GNOME/KDE get_config() execution by @janbrummer in #212
This is a major release. A long-standing issue affecting DOM
promises, which could lead to JavaScript hangs, has been fixed. It
had been there since forking from PaleMoon and had been hunted for
years!
TLS 1.3 is now supported if a new enough system nss library is used.
Otherwise, countless fixes were imported
- build system improvements
- dom and layouting fixes
- specific MacOS fixes
4.1.1 (2023-05-15)
o General
* Fix Twig/Jinja: incorrect recognition of some special tokens like
keywords (#1949 by nsfisis)
* Add reference to Code of Conduct (#1942 by Tan Le)
o Dart Lexer
* Add basic support for Dart 3 features (#1935 by Parker Lougheed)
o Dot Lexer
* Add alias graphviz for dot (#1651 by Alexander Sapozhnikov)
o JavaScript Lexer
* javascript: Fix an issue where some keywords like "for" and "if" are
mistakenly recognized as functions (#1938 by nsfisis)
o Liquid Lexer
* Liquid: update for 5.0.0 (#1681 by Eric Knibbe)
o Mosel Lexer
* Delete buggy detection for Mosel (#1936 by Cyril Brulebois)
o Openedge Lexer
* fix: improve openedge abl language (#1843 by clement-brodu)
o PHP Lexer
* php: fix highlight of fully-qualified identifiers (fix #1718) (#1924 by
nsfisis)
o Python Lexer
* Support doctest highlight in Python lexer (#1932 by Tan Le)
o Ruby Lexer
* Highlight Ruby's and/or/not logical operators (#1950 by Demian Ferreiro)
* Fix string interpolation in Ruby percent literal (#1945 by Tan Le)
o Rust Lexer
* rust: Update builtins and sample file (fix #1922) (#1923 by nsfisis)
o Shell Lexer
* Add detection for zsh completion files (#1933 by Germán Riaño)
1.767.0 (2023-05-19)
* Feature - Added support for enumerating regions for Aws::MediaPackageV2.
1.766.0 (2023-05-18)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.765.0 (2023-05-16)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.764.0 (2023-05-15)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
5.9 (2023-05-17)
This release is a bug fix release resolving some issues
found in the prior Squid releases.
The major changes to be aware of:
* Improve reply_body_max_size matching accuracy
This bug shows up as cache.log entries at debug level >=3
stating "HttpReply.cc(..) receivedBodyTooLarge: (negative number) >? -1"
In such cases, reply_body_max_size configuration would be
ignored, resulting in undercounting of traffic.
* Fix build issues highlighted by the most recent versions of
GCC and Clang.
* Portability fixes for ESI, bundled GnuRegex, and GnuTLS
6.70 2023-04-30 13:22:56Z
- Add cookie_jar_class attribute to allow different cookie jar modules
to be used more easily (GH#91) (Tom Hukins, Julien Fiegehenn)
- POD now contains all default attributes (GH#428) (Julien Fiegehenn)
6.69 2023-04-29 13:14:31Z
- Timeouts for cached connections now update (GH#73) (Eric Johnson)
- The conn_cache() can now be unset (GH#424) (Julien Fiegehenn)
- LWP::Protocol now only attempts to load modules once (GH#62) (Burak Gursoy)
- Fix a bug in no_proxy that allowed partial matches to a proxy address
to disable a proxy (GH#421) (Julien Fiegehenn)
Improvements:
* Added meta() method to Template::Document to return all META items
Bug Fixes:
* Fixed incorrect line numbers when using outline tags
* Fixed incorrect Apache::Util(s) module in t/html.t
Release Notes
- Breaking Changes occurred, please check the docs for instructions on how to
upgrade.
- Change log directory (#175)
The path of the logfile and the crash report have changed, check the
upgrading page to learn more.
- Add Language Selection (#168)
You can now change the language on the fly either by using the new -l and
--language cli arguments, or by pressing F2 in the tui and selecting a new
language from the menu. This feature also includes several new configuration
options, so be sure to check out the docs about them.
Please also check the docs to learn about what breaking changes have occurred
since 0.6.x
docs: https://builditluc.github.io/wiki-tui/0.7/changelog/upgrade/#upgrade-from-v06x-to-v07x
0.24.1 (17th May, 2023)
Added
* Provide additional context in some `InvalidURL` exceptions.
Fixed
* Fix optional percent-encoding behaviour.
* More robust checking for opening upload files in binary mode.
* Properly support IP addresses in `NO_PROXY` environment variable.
* Set default file for `NetRCAuth()` to `None` to use the stdlib default.
* Set logging request lines to INFO level for async requests, in line with sync requests.
* Fix which gen-delims need to be escaped for path/query/fragment components in URL.
0.17.1 (May 17th, 2023)
- If 'retries' is set, then allow retries if an SSL handshake error occurs.
- Improve correctness of tracebacks on network exceptions, by raising properly chained exceptions.
- Prevent connection-hanging behaviour when HTTP/2 connections are closed by a server-sent 'GoAway' frame.
- Fix edge-case exception when removing requests from the connection pool.
- Fix pool timeout edge-case.
This release includes the following changes:
o curl: add --proxy-http2 [62]
o CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2 [57]
o hostip: refuse to resolve the .onion TLD [19]
o tool_writeout: add URL component variables [41]
This release includes the following bugfixes:
o amiga: Fix CA certificate paths for AmiSSL and MorphOS [150]
o autotools: sync up clang picky warnings with cmake [114]
o aws-sigv4.d: fix region identifier in example [168]
o bufq: simplify since expression is always true [72]
o cf-h1-proxy: skip an extra NULL assign [80]
o cf-h2-proxy: fix processing ingress to stop too early [76]
o cf-socket: add socket recv buffering for most tcp cases [90]
o cf-socket: Disable socket receive buffer by default [75]
o cf-socket: remove dead code discovered by PVS [82]
o cf-socket: turn off IPV6_V6ONLY on Windows if it is supported [123]
o checksrc: check for spaces before the colon of switch labels [160]
o checksrc: find bad indentation in conditions without open brace [152]
o checksrc: fix SPACEBEFOREPAREN for conditions starting with "*" [115]
o ci: `-Wno-vla` no longer necessary [158]
o CI: fix brew retries on GHA
o CI: Set minimal permissions on workflow ngtcp2-quictls.yml [153]
o CI: skip Azure for commits which change only GHA
o CI: use another glob syntax for matching files on Appveyor
o cmake: bring in the network library on Haiku [9]
o cmake: do not add zlib headers for openssl [49]
o CMake: make config version 8 compatible with 7 [28]
o cmake: picky-linker fixes for openssl, ZLIB, H3 and more [31]
o cmake: set SONAME for SunOS too [3]
o cmake: speed up and extend picky clang/gcc options [116]
o CMakeLists.txt: fix typo for Haiku detection [95]
o compressed.d: clarify the words on "not notifying headers" [163]
o config-dos.h: fix SIZEOF_CURL_OFF_T for MS-DOS/DJGPP [52]
o configure: don't set HAVE_WRITABLE_ARGV on Windows [64]
o configure: fix detection of apxs (for httpd) [157]
o configure: make quiche require quiche_conn_send_ack_eliciting [46]
o connect: fix https connection setup to treat ssl_mode correctly [94]
o content_encoding: only do transfer-encoding compression if asked to [61]
o cookie: address PVS nits [74]
o cookie: clarify that init with data set to NULL reads no file [99]
o curl: do NOT append file name to path for upload when there's a query [58]
o curl_easy_getinfo.3: typo fix (duplicated "from the") [43]
o curl_easy_unescape.3: rename the argument [113]
o curl_path: bring back support for SFTP path ending in /~ [130]
o curl_url_set.3: mention that users can set content rather freely [105]
o CURLOPT_IPRESOLVE.3: this for host names, not IP addresses [165]
o data.d: emphasize no conversion [5]
o digest: clear target buffer [8]
o doc: curl_mime_init() strong easy binding was relaxed in 7.87.0 [26]
o docs/cmdline-opts: document the dotless config path [1]
o docs/examples/protofeats.c: outputs all protocols and features [110]
o docs/libcurl/curl_*escape.3: rename "url" argument to "input"/"string" [131]
o docs/SECURITY-ADVISORY.md: how to write a curl security advisory [128]
o docs: bump the minimum perl version to 5.6
o docs: clarify that more backends have HTTPS proxy support [127]
o dynbuf: never allocate larger than "toobig" [17]
o easy_cleanup: require a "good" handle to act [149]
o ftp: fix 'portsock' variable was assigned the same value [78]
o ftp: remove dead code [79]
o ftplistparser: move out private data from public struct [20]
o ftplistparser: replace realloc with dynbuf [18]
o gen.pl: error on duplicated See-Also fields [102]
o getpart: better handle case of file not found
o GHA-linux: add an address-sanitizer build [15]
o GHA: add a memory-sanitizer job [2]
o GHA: run all linux test jobs with valgrind [14]
o GHA: suppress git clone output [89]
o GIT-INFO: add --with-openssl [171]
o gskit: various compile errors in OS400 [12]
o h2/h3: replace `state.drain` counter with `state.dselect_bits` [141]
o hash: fix assigning same value [73]
o headers: clear (possibly) lingering pointer in init [167]
o hostcheck: fix host name wildcard checking [134]
o hostip: add locks around use of global buffer for alarm() [129]
o hostip: enforce a maximum DNS cache size independent of timeout value [166]
o HTTP-COOKIES.md: mention the #HttpOnly_ prefix [16]
o http2: always EXPIRE_RUN_NOW unpaused http/2 transfers [139]
o http2: do flow window accounting for cancelled streams [155]
o http2: enlarge the connection window [101]
o http2: flow control and buffer improvements [54]
o http2: move HTTP/2 stream vars into local context [67]
o http2: pass `stream` to http2_handle_stream_close to avoid NULL checks [140]
o http2: remove unused Curl_http2_strerror function declaration [108]
o HTTP3/quiche: terminate h1 response header when no body is sent [112]
o http3: check stream_ctx more thoroughly in all backends [77]
o HTTP3: document the ngtcp2/nghttp3 versions to use for building curl [143]
o http3: expire unpaused transfers in all HTTP/3 backends [138]
o http3: improvements across backends [51]
o http: free the url before storing a new copy [162]
o http: skip a double NULL assign [83]
o ipv4.d/ipv6.d: they are "mutex", not "boolean" [122]
o KNOWN_BUGS: remove fixed or outdated issues, move non-bugs [65]
o lib/cmake: add HAVE_WRITABLE_ARGV check [63]
o lib/sha256.c: typo fix in comment (duplicated "is available") [40]
o lib1560: verify that more bad host names are rejected [104]
o lib: add `bufq` and `dynhds` [34]
o lib: remove CURLX_NO_MEMORY_CALLBACKS [55]
o lib: unify the upload/method handling [144]
o lib: use correct printf flags for sockets and timediffs [36]
o libssh2: fix crash in keyboard callback [126]
o libssh2: free fingerprint better [164]
o libssh: tell it to use SFTP non-blocking [59]
o man pages: simplify the .TH sections [133]
o MANUAL.md: add dict example for looking up a single definition [132]
o md(4|5): don't use deprecated iOS functions [21]
o md4: only build when used [68]
o mime: skip NULL assigns after Curl_safefree() [84]
o multi: add handle asserts in DEBUG builds [11]
o multi: add multi-ignore logic to multi_socket_action [154]
o multi: free up more data earlier in DONE [118]
o multi: remove a few superfluous assigns [97]
o multi: remove PENDING + MSGSENT handles from the main linked list [23]
o ngtcp2: adapted to 0.15.0 [151]
o ngtcp2: adjust config and code checks for ngtcp2 without nghttp3 [4]
o noproxy: pointer to local array 'hostip' is stored outside scope [93]
o ntlm: clear lm and nt response buffers before use [7]
o openssl: interop with AWS-LC [30]
o OS400: fix and complete ILE/RPG binding [96]
o OS400: implement EBCDIC support for recent features [100]
o OS400: improve vararg emulation [92]
o OS400: provide ILE/RPG usage examples [81]
o pingpong: fix compiler warning "assigning an enum to unsigned char" [156]
o pytest: improvements for suitable curl and error output [35]
o quiche: disable pacing while pacing is not actually performed [148]
o quiche: Enable IDLE egress handling [109]
o RELEASE-PROCEDURE: update to new schedule [25]
o rtsp: convert mallocs to dynbuf for RTP buffering [37]
o rtsp: skip malformed RTSP interleaved frame data [33]
o rtsp: skip NULL assigns after Curl_safefree() [85]
o runtests: die if curl version can be found [10]
o runtests: don't start servers if -l is given
o runtests: fix -c option when run with valgrind [145]
o runtests: fix quoting in Appveyor and Azure test integration [117]
o runtests: lots of refactoring
o runtests: refactor into more packages [60]
o runtests: show error message if file can't be written
o runtests: spawn a new process for the test runner [146]
o rustls: fix error in recv handling [50]
o schannel: add clarifying comment [98]
o server/getpart: clear target buffer before load [6]
o smb: remove double assign [86]
o smbserver: remove temporary files before exit [135]
o socketpair: verify with a random value [142]
o ssh: Add support for libssh2 read timeout [170]
o telnet: simplify the implementation of str_is_nonascii() [42]
o test1169: fix so it works properly everywhere [106]
o test1592: add flaky keyword [39]
o test1960: point to the correct path for the precheck tool
o test303: kill server after test
o tests/http: add timeout to running curl in test cases [24]
o tests/http: fix log formatting on wrong exit code [27]
o tests/http: fix out-of-tree builds [121]
o tests/http: improved httpd detection [45]
o tests/http: more tests with specific clients [125]
o tests/http: relax connection check in test_07_02 [53]
o tests/keywords.pl: remove [111]
o tests/libtest/lib1900.c: remove
o tests/sshserver.pl: Define AddressFamily earlier [103]
o tests: 1078 1288 1297 use valid IPv4 addresses
o tests: document that the unittest keyword is special
o tests: increase sws timeout for more robust testing [66]
o tests: log a too-long Unix socket path in sws and socksd
o tests: make test_12_01 a bit more forgiving on connection counts
o tests: move pidfiles and portfiles under the log directory [48]
o tests: move server config files under the pid dir [47]
o tests: silence some Perl::Critic warnings in test suite [56]
o tests: stop using strndup(), which isn't portable
o tests: switch to 3-argument open in test suite
o tests: turn perl modules into full packages
o tests: use %LOGDIR to refer to the log directory
o tool_cb_hdr: Fix 'Location:' formatting for early VTE terminals [147]
o tool_operate: pass a long as CURLOPT_HEADEROPT argument [13]
o tool_operate: refuse (--data or --form) and --continue-at combo [119]
o transfer: refuse POSTFIELDS + RESUME_FROM combo [120]
o transfer: skip extra assign [87]
o url: fix null dispname for --connect-to option [161]
o url: fix PVS nits [71]
o url: remove call to Curl_llist_destroy in Curl_close [22]
o urlapi: cleanups and improvements [91]
o urlapi: detect and error on illegal IPv4 addresses [70]
o urlapi: prevent setting invalid schemes with *url_set() [107]
o urlapi: skip a pointless assign [88]
o urlapi: URL encoding for the URL missed the fragment [29]
o urldata: copy CURLOPT_AWS_SIGV4 value on handle duplication [137]
o urldata: shrink *select_bits int => unsigned char [124]
o vtls: use full buffer size when receiving data if possible [32]
o vtls and h2 improvements [69]
o Websocket: enhanced en-/decoding [136]
o wolfssl.yml: bump to version 5.6.0 [44]
o write-out.d: Use response_code in example [159]
o ws: handle reads before EAGAIN better [38]
11.0.3
May 7, 2023
Bug fixes
Fixed the threading implementation of servers on Windows.
11.0.2
April 18, 2023
Bug fixes
Fixed a deadlock in the threading implementation when closing a connection without reading all messages.
11.0.1
April 6, 2023
Bug fixes
Restored the C extension in the source distribution.
11.0
April 2, 2023
Backwards-incompatible changes
The Sans-I/O implementation was moved.
Aliases provide compatibility for all previously public APIs according to the backwards-compatibility policy.
The connection module was renamed to protocol.
The connection.Connection, server.ServerConnection, and client.ClientConnection classes were renamed to protocol.Protocol, server.ServerProtocol, and client.ClientProtocol.
Sans-I/O protocol constructors now use keyword-only arguments.
If you instantiate ServerProtocol or ClientProtocol directly, make sure you are using keyword arguments.
Closing a connection without an empty close frame is OK.
Receiving an empty close frame now results in ConnectionClosedOK instead of ConnectionClosedError.
As a consequence, calling WebSocket.close() without arguments in a browser isn’t reported as an error anymore.
serve() times out on the opening handshake after 10 seconds by default.
You can adjust the timeout with the open_timeout parameter. Set it to None to disable the timeout entirely.
New features
websockets 10.0 introduces an implementation on top of threading.
It may be more convenient if you don’t need to manage many connections and you’re more comfortable with threading than asyncio.
It is particularly suited to client applications that establish only one connection. It may be used for servers handling few connections.
See connect() and serve() for details.
Added open_timeout to serve().
Made it possible to close a server without closing existing connections.
Added select_subprotocol to customize negotiation of subprotocols in the Sans-I/O layer.
Improvements
Added platform-independent wheels.
Improved error handling in broadcast().
Set server_hostname automatically on TLS connections when providing a sock argument to connect().
Many changes to improve rendering of inline and block elements.
Improved rendering performance
litehtml now passes Acid1 test
Removed some legacy code
Refactoring to make the code cleaner
Added additional rendering tests
What's new in Tornado 6.3.2
===========================
Security improvements
- Fixed an open redirect vulnerability in StaticFileHandler under certain
configurations.
<ChangeLog>
*) Change: remove Unix domain listen sockets upon reconfiguration.
*) Feature: basic URI rewrite support.
*) Feature: NJS loadable modules support.
*) Feature: per-application logging.
*) Feature: conditional logging of route selection.
*) Feature: support the keys API on the request objects in NJS.
*) Feature: default values for 'make install' pathnames such as prefix;
this allows to './configure && make && sudo make install'.
*) Feature: "server_version" setting to omit the version token from
"Server" header field.
*) Bugfix: request header field values could be corrupted in some cases;
the bug had appeared in 1.29.0.
*) Bugfix: PHP error handling (added missing 403 and 404 errors).
*) Bugfix: Perl applications crash on second responder call.
</ChangeLog>
Version 0.5.0
- Drop support for Python < 3.7.
- Switch to ``pyproject.toml`` and Flit for packaging.
- Move to Pallets Community Ecosystem for community-driven maintenance.
- Replace use of ``session_cookie_name`` for Flask 2.3 compatibility.
Security Vulnerabilities fixed in Firefox ESR 102.11
CVE-2023-32205: Browser prompts could have been obscured by popups
CVE-2023-32206: Crash in RLBox Expat driver
CVE-2023-32207: Potential permissions request bypass via clickjacking
CVE-2023-32211: Content process crash due to invalid wasm code
CVE-2023-32212: Potential spoof due to obscured address bar
CVE-2023-32213: Potential memory corruption in FileReader::DoReadData()
CVE-2023-32214: Potential DoS via exposed protocol handlers
Pkgsrc changes :
* updated dependencies : removed py-six and added py-rich
Upstream changes :
- Pelican 4.5.1 :
* Refactor intra-site link discovery in order to match more permissively
* Fix plugins running twice in auto-reload mode
* Add notice to use from pelican import signals instead of
import pelican.signals
- Pelican 4.5.2 : Improve logging of generators and writer loaders
- Pelican 4.5.3 : Fix a mistake made in PR #2821
(https://github.com/getpelican/pelican/pull/2821)
- Pelican 4.5.4 : Replace plugin definitions in settings with string
representations after registering, so they can be cached correctly.
- Pelican 4.6.0 :
* Add new URL pattern to PAGINATION_PATTERNS for the last page in the list
* Speed up livereload Invoke task via caching
* Ignore None return value from get_generators signal
* Relax dependency minimum versions and remove upper bounds
- Pelican 4.7.0 :
* Improve default theme rendering on mobile and other small screen devices
* Add support for hidden articles
* Improve word count behavior when generating summary CJK & other locales
* Add progress spinner during generation and richer logging, both via Rich
* Invoke tasks serve and livereload now auto-open a web browser pointing to
the locally-served web site
* Support some date format codes used by ISO dates
* Document how to add a new writer
- Pelican 4.7.1 :
* Extend rich logging to server component
* Fix an issue where metadata flagged to be discarded was being cached
* Adjust suffix in server to allow redirection when needed
* Add MIME types for web fonts
* Distribute sample data used to run tests
* Add Python 3.10 to test matrix
- Pelican 4.7.2 :
* Fix incorrect parsing of parameters specified via -e / --extra-settings
option flags
* Add categories.html template to default theme
* Document how to use plugins to inject content
- Pelican 4.8.0 :
* Use JSON values for extra settings in Invoke tasks template
* Add content tag for links, which can help with things like Twitter
social cards
* Improve word count behavior when generating summary
2.21.0 (2023-05-10)
HTML5 Support
Classes Loofah::HTML5::Document and Loofah::HTML5::DocumentFragment are
introduced, along with helper methods:
* Loofah.html5_document
* Loofah.html5_fragment
* Loofah.scrub_html5_document
* Loofah.scrub_html5_fragment
These classes and methods use Nokogiri's HTML5 parser to ensure modern web
standards are used.
⚠ HTML5 functionality is only available with Nokogiri v1.14.0 and higher.
⚠ HTML5 functionality is not available for JRuby. Please see this upstream
Nokogiri issue if you're interested in helping implement and support HTML5
support.
Loofah::HTML4 module and namespace
Loofah::HTML has been renamed to Loofah::HTML4, and Loofah::HTML is aliased
to preserve backwards-compatibility. Nokogiri::HTML and Nokogiri::HTML4
parse methods still use libxml2's (or NekoHTML's) HTML4 parser.
Take special note that if you rely on the class name of an object in your
code, objects will now report a class of Loofah::HTML4::Foo where they
previously reported Loofah::HTML::Foo. Instead of relying on the string
returned by Object#class, prefer Class#=== or Object#is_a? or
Object#instance_of?.
Future releases of Nokogiri may deprecate HTML classes and methods or
otherwise change this behavior, so please start using HTML4 in place of
HTML.
Official support for JRuby
This version introduces official support for JRuby. Previously, the test
suite had never been green due to differences in behavior in the underlying
HTML parser used by Nokogiri. We've updated the test suite to accommodate
those differences, and have added JRuby to the CI suite.
2.21.1 (2023-05-10)
Fixed
* Don't define HTML5::Document and HTML5::DocumentFragment when Nokogiri is
< 1.14. In 2.21.0 these classes were defined whenever Nokogiri::HTML5 was
defined, but Nokogiri v1.12 and v1.13 do not support Loofah subclassing
properly.
2.21.2 (2023-05-11)
Dependencies
* Update the dependency on Nokogiri to be >= 1.12.0. The dependency in
2.21.0 and 2.21.1 was left at >= 1.5.9 but versions before 1.12 would
result in a NameError exception. [#266]