Revisions of python-Werkzeug

Ana Guerrero (anag+factory) accepted request 1120656 from Steve Kowalik (StevenK) (revision 45)
- Update to 3.0.1:
  * Fix slow multipart parsing for large parts potentially enabling DoS
    attacks. (CVE-2023-46136, bsc#1216581)
  * Remove previously deprecated code.
  * Deprecate the ``__version__`` attribute. Use feature detection, or
    ``importlib.metadata.version("werkzeug")``, instead.
  * ``generate_password_hash`` uses scrypt by default.
  * Add the ``"werkzeug.profiler"`` item to the WSGI ``environ`` dictionary
    passed to `ProfilerMiddleware`'s `filename_format` function. It contains
    the ``elapsed`` and ``time`` values for the profiled request.
  * Explicitly marked the PathConverter as non path isolating.
Ana Guerrero (anag+factory) accepted request 1113325 from Steve Kowalik (StevenK) (revision 44)
- Update to 2.3.7:
  * Use ``flit_core`` instead of ``setuptools`` as build backend.
  * Fix parsing of multipart bodies.
    Adjust index of last newline in data start.
  * ``_plain_int`` and ``_plain_float`` strip whitespace before type
    enforcement.
  * Fix empty file streaming when testing.
  * Clearer error message when URL rule does not start with slash.
  * ``Accept`` ``q`` value can be a float without a decimal part.
- Drop capitalisation again.
Ana Guerrero (anag+factory) accepted request 1110948 from Factory Maintainer (factory-maintainer) (revision 43)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1093788 from Matej Cepl (mcepl) (revision 42)
- Update to 2.3.6:
  * FileStorage.content_length does not fail if the form data did not provide
    a value.
- Update to 2.3.5:
  * Python 3.12 compatibility.
  * Fix handling of invalid base64 values in Authorization.from_header.
  * The debugger escapes the exception message in the page title.
  * When binding routing.Map, a long IDNA server_name with a port does not
    fail encoding.
  * iri_to_uri shows a deprecation warning instead of an error when passing
    bytes.
  * When parsing numbers in HTTP request headers such as Content-Length, only
    ASCII digits are accepted rather than any format that Python’s int and
    float accept.
- Update to 2.3.4:
  * Authorization.from_header and WWWAuthenticate.from_header detects tokens
    that end with base64 padding (=).
  * Remove usage of warnings.catch_warnings.
  * Remove max_form_parts restriction from standard form data parsing and only
    use it for multipart content.
  * Response will avoid converting the Location header in some cases to
    preserve invalid URL schemes like itms-services.
- Update to 2.3.3:
  * Fix parsing of large multipart bodies. Remove invalid leading newline, and
    restore parsing speed.
  * The cookie Path attribute is set to / by default again, to prevent clients
    from falling back to RFC 6265’s default-path behavior.
- Update to 2.3.2:
  * Parse the cookie Expires attribute correctly in the test client.
  * max_content_length can only be enforced on streaming requests if the
    server sets wsgi.input_terminated.
- Update to 2.3.1:
  * Percent-encode plus (+) when building URLs and in test requests.
  * Cookie values don’t quote characters defined in RFC 6265.
  * Include pyi files for datastructures type annotations.
  * Authorization and WWWAuthenticate objects can be compared for equality.
- Update to 2.3.0:
  * Drop support for Python 3.7.
  * Remove previously deprecated code.
  * Passing bytes where strings are expected is deprecated, as well as the
    charset and errors parameters in many places. Anywhere that was annotated,
    documented, or tested to accept bytes shows a warning. Removing this
    artifact of the transition from Python 2 to 3 removes a significant amount
    of overhead in instance checks and encoding cycles. In general, always
    work with UTF-8, the modern HTML, URL, and HTTP standards all strongly
    recommend this.
  * Deprecate the werkzeug.urls module, except for the uri_to_iri and
    iri_to_uri functions. Use the urllib.parse library instead.
  * Update which characters are considered safe when using percent encoding
    in URLs, based on the WhatWG URL Standard.
  * Update which characters are considered safe when using percent encoding
    for Unicode filenames in downloads.
  * Deprecate the safe_conversion parameter of iri_to_uri. The Location header
    is converted to IRI using the same process as everywhere else.
  * Deprecate werkzeug.wsgi.make_line_iter and make_chunk_iter.
  * Use modern packaging metadata with pyproject.toml instead of setup.cfg.
  * Request.get_json() will raise a 415 Unsupported Media Type error if the
    Content-Type header is not application/json, instead of a generic 400.
  * A URL converter’s part_isolating defaults to False if its regex contains
    a /.
  * A custom converter’s regex can have capturing groups without breaking
    the router.
  * The reloader can pick up arguments to python like -X dev, and does not
    require heuristics to determine how to reload the command. Only available
    on Python >= 3.10.
  * The Watchdog reloader ignores file opened events. Bump the minimum version
    of Watchdog to 2.3.0.
  * When using a Unix socket for the development server, the path can start
    with a dot.
  * Increase default work factor for PBKDF2 to 600,000 iterations.
  * parse_options_header is 2-3 times faster. It conforms to RFC 9110, some
    invalid parts that were previously accepted are now ignored.
  * The is_filename parameter to unquote_header_value is deprecated.
  * Deprecate the extra_chars parameter and passing bytes to
    quote_header_value, the allow_token parameter to dump_header, and the cls
    parameter and passing bytes to parse_dict_header.
  * Improve parse_accept_header implementation. Parse according to RFC 9110.
    Discard items with invalid q values.
  * quote_header_value quotes the empty string.
  * dump_options_header skips None values rather than using a bare key.
  * dump_header and dump_options_header will not quote a value if the key ends
    with an asterisk *.
  * parse_dict_header will decode values with charsets.
  * Refactor the Authorization and WWWAuthenticate header data structures.
    + Both classes have type, parameters, and token attributes. The token
      attribute supports auth schemes that use a single opaque token rather
      than key=value parameters, such as Bearer.
    + Neither class is a dict anymore, although they still implement getting,
      setting, and deleting auth[key] and auth.key syntax, as well as
      auth.get(key) and key in auth.
    + Both classes have a from_header class method. parse_authorization_header
      and parse_www_authenticate_header are deprecated.
    + The methods WWWAuthenticate.set_basic and set_digest are deprecated.
      Instead, an instance should be created and assigned to
      response.www_authenticate.
    + A list of instances can be assigned to response.www_authenticate to set
      multiple header values. However, accessing the property only returns the
      first instance.
  * Refactor parse_cookie and dump_cookie.
    + parse_cookie is up to 40% faster, dump_cookie is up to 60% faster.
    + Passing bytes to parse_cookie and dump_cookie is deprecated. The
      dump_cookie charset parameter is deprecated.
    + dump_cookie allows domain values that do not include a dot ., and strips
      off a leading dot.
    + dump_cookie does not set path="/" unnecessarily by default.
  * Refactor the test client cookie implementation.
    + The cookie_jar attribute is deprecated. http.cookiejar is no longer used
      for storage.
    + Domain and path matching is used when sending cookies in requests. The
      domain and path parameters default to localhost and /.
    + Added a get_cookie method to inspect cookies.
    + Cookies have decoded_key and decoded_value attributes to match what the
      app sees rather than the encoded values a client would see.
    + The first positional server_name parameter to set_cookie and
      delete_cookie is deprecated. Use the domain parameter instead.
    + Other parameters to delete_cookie besides domain, path, and value are
      deprecated.
  * If request.max_content_length is set, it is checked immediately when
    accessing the stream, and while reading from the stream in general, rather
    than only during form parsing.
  * The development server, which must not be used in production, will exhaust
    the request stream up to 10GB or 1000 reads. This allows clients to see a
    413 error if max_content_length is exceeded, instead of a “connection
    reset” failure.
  * The development server discards header keys that contain underscores _, as
    they are ambiguous with dashes - in WSGI.
  * secure_filename looks for more Windows reserved file names.
  * Update type annotation for best_match to make default parameter clearer.
  * Multipart parser handles empty fields correctly.
  * The Map charset parameter and Request.url_charset property are deprecated.
    Percent encoding in URLs must always represent UTF-8 bytes. Invalid bytes
    are left percent encoded rather than replaced.
  * The Request.charset, Request.encoding_errors, Response.charset, and
    Client.charset attributes are deprecated. Request and response data must
    always use UTF-8.
  * Header values that have charset information only allow ASCII, UTF-8, and
    ISO-8859-1.
  * Update type annotation for ProfilerMiddleware stream parameter.
  * Use postponed evaluation of annotations.
  * The development server escapes ASCII control characters in decoded URLs
    before logging the request to the terminal.
  * The FormDataParser parse_functions attribute and get_parse_func method,
    and the invalid application/x-url-encoded content type, are deprecated.
  * generate_password_hash supports scrypt. Plain hash methods are deprecated,
    only scrypt and pbkdf2 are supported.
- Remove patch which was made obsolete by upstream:
  * moved_root.patch
Dominique Leuenberger (dimstar_suse) accepted request 1071237 from Dirk Mueller (dirkmueller) (revision 40)
- update to 2.2.3 (bsc#1208283, CVE-2023-25577):
  * Ensure that URL rules using path converters will redirect
    with strict slashes when the trailing slash is missing.
  * Type signature for ``get_json`` specifies that return type
    is not optional when ``silent=False``.
  * ``parse_content_range_header`` returns ``None`` for a value
    like ``bytes */-1`` where the length is invalid, instead of
    raising an ``AssertionError``.
  * Address remaining ``ResourceWarning`` related to the socket
    used by ``run_simple``.
  * Remove ``prepare_socket``, which now happens when
    creating the server.
  * Update pre-existing headers for ``multipart/form-data``
    requests with the test client.
  * Fix handling of header extended parameters such that they
    are no longer quoted.
  * ``LimitedStream.read`` works correctly when wrapping a
    stream that may not return the requested size in one 
    ``read`` call.
  * A cookie header that starts with ``=`` is treated as an
    empty key and discarded, rather than stripping the leading ``==``.
  * Specify a maximum number of multipart parts, default 1000,
    after which a ``RequestEntityTooLarge`` exception is
    raised on parsing.  This mitigates a DoS attack where a
    larger number of form/file parts would result in disproportionate
    resource use.
Dominique Leuenberger (dimstar_suse) accepted request 976285 from Dirk Mueller (dirkmueller) (revision 37)
- update to 2.1.2:
  * The development server does not set ``Transfer-Encoding: chunked``
    for 1xx, 204, 304, and HEAD responses. :issue:`2375`
  * Response HTML for exceptions and redirects starts with
    ``<!doctype html>`` and ``<html lang=en>``. :issue:`2390`
  * Fix ability to set some ``cache_control`` attributes to ``False``.
    :issue:`2379`
  * Disable ``keep-alive`` connections in the development server, which
    are not supported sufficiently by Python's ``http.server``.
    :issue:`2397` 
- drop 2402-dev_server.patch (upstream)
Dominique Leuenberger (dimstar_suse) accepted request 975271 from Factory Maintainer (factory-maintainer) (revision 36)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 970992 from Matej Cepl (mcepl) (revision 35)
- Update to 2.1.1:
  - ResponseCacheControl.s_maxage converts its value to an int,
    like max_age.
  - Drop support for Python 3.6.
  - Using gevent or eventlet requires greenlet>=1.0 or
    PyPy>=7.3.7. werkzeug.locals and contextvars will not work
    correctly with older versions.
  - Remove previously deprecated code.
     - Remove the non-standard shutdown function from the WSGI
       environ when running the development server. See the docs
       for alternatives.
     - Request and response mixins have all been merged into the
       Request and Response classes.
     - The user agent parser and the useragents module are
       removed. The user_agent module provides an interface that
       can be subclassed to add a parser, such as ua-parser. By
       default it only stores the whole string.
     - The test client returns TestResponse instances and can no
       longer be treated as a tuple. All data is available as
       properties on the response.
     - Remove locals.get_ident and related thread-local code from
       locals, it no longer makes sense when moving to
       a contextvars-based implementation.
     - Remove the python -m werkzeug.serving CLI.
     - The has_key method on some mapping datastructures; use key
       in data instead.
     - Request.disable_data_descriptor is removed, pass
       shallow=True instead.
     - Remove the no_etag parameter from Response.freeze().
     - Remove the HTTPException.wrap class method.
     - Remove the cookie_date function. Use http_date instead.
     - Remove the pbkdf2_hex, pbkdf2_bin, and safe_str_cmp
       functions. Use equivalents in hashlib and hmac modules
       instead.
     - Remove the Href class.
     - Remove the HTMLBuilder class.
     - Remove the invalidate_cached_property function. Use del
       obj.attr instead.
     - Remove bind_arguments and validate_arguments. Use
       Signature.bind() and inspect.signature() instead.
     - Remove detect_utf_encoding, it’s built-in to json.loads.
     - Remove format_string, use string.Template instead.
     - Remove escape and unescape. Use MarkupSafe instead.
    - The multiple parameter of parse_options_header is
      deprecated.
    - Rely on PEP 538 and PEP 540 to handle decoding file names
      with the correct filesystem encoding. The filesystem module
      is removed.
    - Default values passed to Headers are validated the same way
      values added later are.
    - Setting CacheControl int properties, such as max_age, will
      convert the value to an int.
    - Always use socket.fromfd when restarting the dev server.
    - When passing a dict of URL values to Map.build, list values
      do not filter out None or collapse to a single value.
      Passing a MultiDict does collapse single items. This undoes
      a previous change that made it difficult to pass a list, or
      None values in a list, to custom URL converters.
    - run_simple shows instructions for dealing with “address
      already in use” errors, including extra instructions for
      macOS.
    - Extend list of characters considered always safe in URLs
      based on RFC 3986.
    - Optimize the stat reloader to avoid watching unnecessary
      files in more cases. The watchdog reloader is still
      recommended for performance and accuracy.
    - The development server uses Transfer-Encoding: chunked for
      streaming responses when it is configured for HTTP/1.1.
    - The development server uses HTTP/1.1, which enables
      keep-alive connections and chunked streaming responses,
      when threaded or processes is enabled.
    - cached_property works for classes with __slots__ if
      a corresponding _cache_{name} slot is added.
    - Refactor the debugger traceback formatter to use Python’s
      built-in traceback module as much as possible.
    - The TestResponse.text property is a shortcut for
      r.get_data(as_text=True), for convenient testing against
      text instead of bytes.
    - safe_join ensures that the path remains relative if the
      trusted directory is the empty string.
    - Percent-encoded newlines (%0a), which are decoded by WSGI
      servers, are considered when routing instead of terminating
      the match early.
    - The test client doesn’t set duplicate headers for
      CONTENT_LENGTH and CONTENT_TYPE.
    - append_slash_redirect handles PATH_INFO with internal
      slashes.
    - The default status code for append_slash_redirect is 308
      instead of 301. This preserves the request body, and
      matches a previous change to strict_slashes in routing.
    - Fix ValueError: I/O operation on closed file. with the test
      client when following more than one redirect.
    - Response.autocorrect_location_header is disabled by
      default. The Location header URL will remain relative, and
      exclude the scheme and domain, by default.
    - Request.get_json() will raise a 400 BadRequest error if the
      Content-Type header is not application/json. This makes
      a very common source of confusion more visible.
- Add no-network-testing.patch to mark all tests requiring
  network access (so they can be skipped by pytest test runner,
  gh#pallets/werkzeug#2393).
Dominique Leuenberger (dimstar_suse) accepted request 954652 from Dirk Mueller (dirkmueller) (revision 34)
- update to 2.0.3:
  * ``ProxyFix`` supports IPv6 addresses.
  * Type annotation for ``Response.make_conditional``,
    ``HTTPException.get_response``, and ``Map.bind_to_environ`` accepts
    ``Request`` in addition to ``WSGIEnvironment`` for the first
    parameter.
  * Fix type annotation for ``Request.user_agent_class``.
  * Accessing ``LocalProxy.__class__`` and ``__doc__`` on an unbound
    proxy returns the fallback value instead of a method object.
  * Redirects with the test client set ``RAW_URI`` and ``REQUEST_URI``
    correctly.
Dominique Leuenberger (dimstar_suse) accepted request 925758 from Dirk Mueller (dirkmueller) (revision 33)
- update to 2.0.2:
  * Handle multiple tokens in ``Connection`` header when routing
    WebSocket requests.
  * Set the debugger pin cookie secure flag when on https.
  * Fix type annotation for ``MultiDict.update`` to accept iterable
    values :pr:`2142`
  * Prevent double encoding of redirect URL when ``merge_slash=True``
    for ``Rule.match``.
  * ``CombinedMultiDict.to_dict`` with ``flat=False`` considers all
    component dicts when building value lists. :issue:`2189`
  * ``send_file`` only sets a detected ``Content-Encoding`` if
    ``as_attachment`` is disabled to avoid browsers saving
    decompressed ``.tar.gz`` files.
  * Fix type annotations for ``TypeConversionDict.get`` to not return an
    ``Optional`` value if both ``default`` and ``type`` are not
    ``None``.
  * Fix type annotation for routing rule factories to accept
    ``Iterable[RuleFactory]`` instead of ``Iterable[Rule]`` for the
    ``rules`` parameter. :issue:`2183`
  * Add missing type annotation for ``FileStorage.__getattr__``
  * The debugger pin cookie is set with ``SameSite`` set to ``Strict``
    instead of ``None`` to be compatible with modern browser security.
  * Type annotations use ``IO[bytes]`` and ``IO[str]`` instead of
    ``BinaryIO`` and ``TextIO`` for wider type compatibility.
  * Ad-hoc TLS certs are generated with SAN matching CN. :issue:`2158`
  * Fix memory usage for locals when using Python 3.6 or pre 0.4.17
    greenlet versions. :pr:`2212`
  * Fix type annotation in ``CallbackDict``, because it is not
    utilizing a bound TypeVar. :issue:`2235`
  * Fix setting CSP header options on the response. :pr:`2237`
Dominique Leuenberger (dimstar_suse) accepted request 777800 from Steve Kowalik (StevenK) (revision 28)
- Update to 1.0.0:
  * Drop support for Python 3.4. (#1478)
  * Remove code that issued deprecation warnings in version 0.15. (#1477)
  * Remove most top-level attributes provided by the werkzeug module in favor of direct imports. For example, instead of import werkzeug; werkzeug.url_quote, do from werkzeug.urls import url_quote. Install version 0.16 first to see deprecation warnings while upgrading. #2, #1640
  * Added utils.invalidate_cached_property() to invalidate cached properties. (#1474)
  * Directive keys for the Set-Cookie response header are not ignored when parsing the Cookie request header. This allows cookies with names such as “expires” and “version”. (#1495)
  * Request cookies are parsed into a MultiDict to capture all values for cookies with the same key. cookies[key] returns the first value rather than the last. Use cookies.getlist(key) to get all values. parse_cookie also defaults to a MultiDict. #1562, #1458
  * Add charset=utf-8 to an HTTP exception response’s CONTENT_TYPE header. (#1526)
  * The interactive debugger handles outer variables in nested scopes such as lambdas and comprehensions. #913, #1037, #1532
  * The user agent for Opera 60 on Mac is correctly reported as “opera” instead of “chrome”. #1556
  * The platform for Crosswalk on Android is correctly reported as “android” instead of “chromeos”. (#1572)
  * Issue a warning when the current server name does not match the configured server name. #760
  * A configured server name with the default port for a scheme will match the current server name without the port if the current scheme matches. #1584
  * InternalServerError has an original_exception attribute that frameworks can use to track the original cause of the error. #1590
  * Headers are tested for equality independent of the header key case, such that X-Foo is the same as x-foo. #1605
  * http.dump_cookie() accepts 'None' as a value for samesite. #1549
  * set_cookie() accepts a samesite argument. #1705
  * Support the Content Security Policy header through the Response.content_security_policy data structure. #1617
  * LanguageAccept will fall back to matching “en” for “en-US” or “en-US” for “en” to better support clients or translations that only match at the primary language tag. #450, #1507
  * MIMEAccept uses MIME parameters for specificity when matching. #458, #1574
  * If the development server is started with an SSLContext configured to verify client certificates, the certificate in PEM format will be available as environ["SSL_CLIENT_CERT"]. #1469
  * is_resource_modified will run for methods other than GET and HEAD, rather than always returning False. #409
  * SharedDataMiddleware returns 404 rather than 500 when trying to access a directory instead of a file with the package loader. The dependency on setuptools and pkg_resources is removed. #1599
  * Add a response.cache_control.immutable flag. Keep in mind that browser support for this Cache-Control header option is still experimental and may not be implemented. #1185
  * Optional request log highlighting with the development server is handled by Click instead of termcolor. #1235
  * Optional ad-hoc TLS support for the development server is handled by cryptography instead of pyOpenSSL. #1555
  * FileStorage.save() supports pathlib and PEP 519 PathLike objects. #1653
  * The debugger security pin is unique in containers managed by Podman. #1661
  * Building a URL when host_matching is enabled takes into account the current host when there are duplicate endpoints with different hosts. #488
  * The 429 TooManyRequests and 503 ServiceUnavailable HTTP exceptions take a retry_after parameter to set the Retry-After header. #1657
Dominique Leuenberger (dimstar_suse) accepted request 732906 from Tomáš Chvátal (scarabeus_iv) (revision 27)
- Update to 0.16.0:
  * Deprecate most top-level attributes provided by the werkzeug
    module in favor of direct imports. The deprecated imports will
    be removed in version 1.0.
- Rebase patch 0001_create_a_thread_to_reap_death_process.patch
Dominique Leuenberger (dimstar_suse) accepted request 730725 from Tomáš Chvátal (scarabeus_iv) (revision 26)
- Update to 0.15.6:
  * Work around a bug in pip that caused the reloader to fail on Windows when
    the script was an entry point.
  * ProxyFix trusts the X-Forwarded-Proto header by default. :issue:`1630`
Displaying revisions 1 - 20 of 45