• e321e76 release 7.31.1
• 67ca2b3 Merge pull request from GHSA-pq7m-3gw7-gq5x
• 2794330 back to dev
• be343e7 release 7.31.0
• 0fcf2c4 Merge pull request #13428 from meeseeksmachine/auto-backport-of-pr-13427-on-7.x
• b8db9b1 Backport PR #13427: wn 731
• 7f253dc Merge pull request #13412 from bnavigator/backport-inspect
• 4f26796 fix xxlimited_35 import name
• 77ca4a6 don't run nose-based iptest on py310, only pytest
• 533e509 back to decorator skip
• Additional commits viewable in compare view

Sourced from fastapi's releases.

0.65.2

Security fixes

• 🔒 Check Content-Type request header before assuming JSON. Initial PR #2118 by @​patrickkwang.

This change fixes a CSRF security vulnerability when using cookies for authentication in path operations with JSON payloads sent by browsers.

In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json).

So, a request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted.

But requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. So, the browser would execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application.

See CVE-2021-32677 for more details.

Thanks to Dima Boger for the security report! 🙇🔒

Internal

• 🔧 Update sponsors badge, course bundle. PR #3340 by @​tiangolo.
• 🔧 Add new gold sponsor Jina 🎉. PR #3291 by @​tiangolo.
• 🔧 Add new banner sponsor badge for FastAPI courses bundle. PR #3288 by @​tiangolo.
• 👷 Upgrade Issue Manager GitHub Action. PR #3236 by @​tiangolo.

0.65.1

Security fixes

• 📌 Upgrade pydantic pin, to handle security vulnerability CVE-2021-29510. PR #3213 by @​tiangolo.

0.65.0

Breaking Changes - Upgrade

• ⬆️ Upgrade Starlette to 0.14.2, including internal UJSONResponse migrated from Starlette. This includes several bug fixes and features from Starlette. PR #2335 by @​hanneskuettner.

Translations

• 🌐 Initialize new language Polish for translations. PR #3170 by @​neternefer.

Internal

• 👷 Add GitHub Action cache to speed up CI installs. PR #3204 by @​tiangolo.
• ⬆️ Upgrade setup-python GitHub Action to v2. PR #3203 by @​tiangolo.
• 🐛 Fix docs script to generate a new translation language with overrides boilerplate. PR #3202 by @​tiangolo.
• ✨ Add new Deta banner badge with new sponsorship tier 🙇. PR #3194 by @​tiangolo.
• 👥 Update FastAPI People. PR #3189 by @​github-actions[bot].
• 🔊 Update FastAPI People to allow better debugging. PR #3188 by @​tiangolo.

0.64.0

Features

... (truncated)

• 4d91f97 🔖 Release version 0.65.2
• aabe2c7 📝 Update release notes
• 377234a 🔒 Create Security Policy
• 38b7858 📝 Update release notes
• fa7e3c9 🐛 Check Content-Type request header before assuming JSON (#2118)
• 90120dd 📝 Update release notes
• 3677254 🔧 Update sponsors badge, course bundle (#3340)
• 40bb0c5 📝 Update release notes
• 60918d2 🔧 Add new gold sponsor Jina 🎉 (#3291)
• 3afce2c 📝 Update release notes
• Additional commits viewable in compare view

Sourced from pydantic's releases.

v1.6.2 (2021-05-11)

Security fix: Fix date and datetime parsing so passing either 'infinity' or float('inf') (or their negative values) does not cause an infinite loop, see security advisory CVE-2021-29510.

v1.6.1 (2020-07-15)

See Changelog.

Thank you to pydantic's sponsors: @​matin, @​tiangolo, @​chdsbd, @​jorgecarleitao, and 1 anonymous sponsor for their kind support.

changes:

• fix validation and parsing of nested models with default_factory, #1710 by @​PrettyWood

v1.6 (2020-07-11)

See Changelog.

Thank you to pydantic's sponsors: @​matin, @​tiangolo, @​chdsbd, @​jorgecarleitao, and 1 anonymous sponsor for their kind support.

changes:

• Modify validators for conlist and conset to not have always=True, #1682 by @​samuelcolvin
• add port check to AnyUrl (can't exceed 65536) ports are 16 insigned bits: 0 <= port <= 2**16-1 src: rfc793 header format, #1654 by @​flapili
• Document default regex anchoring semantics, #1648 by @​yurikhan
• Use chain.from_iterable in class_validators.py. This is a faster and more idiomatic way of using itertools.chain. Instead of computing all the items in the iterable and storing them in memory, they are computed one-by-one and never stored as a huge list. This can save on both runtime and memory space, #1642 by @​cool-RR
• Add conset(), analogous to conlist(), #1623 by @​patrickkwang
• make pydantic errors (un)pickable, #1616 by @​PrettyWood
• Allow custom encoding for dotenv files, #1615 by @​PrettyWood
• Ensure SchemaExtraCallable is always defined to get type hints on BaseConfig, #1614 by @​PrettyWood
• Update datetime parser to support negative timestamps, #1600 by @​mlbiche
• Update mypy, remove AnyType alias for Type[Any], #1598 by @​samuelcolvin
• Adjust handling of root validators so that errors are aggregated from all failing root validators, instead of reporting on only the first root validator to fail, #1586 by @​beezee
• Make __modify_schema__ on Enums apply to the enum schema rather than fields that use the enum, #1581 by @​therefromhere
• Fix behavior of __all__ key when used in conjunction with index keys in advanced include/exclude of fields that are sequences, #1579 by @​xspirus
• Subclass validators do not run when referencing a List field defined in a parent class when each_item=True. Added an example to the docs illustrating this, #1566 by @​samueldeklund
• change schema.field_class_to_schema to support frozenset in schema, #1557 by @​wangpeibao
• Call __modify_schema__ only for the field schema, #1552 by @​PrettyWood
• Move the assignment of field.validate_always in fields.py so the always parameter of validators work on inheritance, #1545 by @​dcHHH
• Added support for UUID instantiation through 16 byte strings such as b'\x12\x34\x56\x78' * 4. This was done to support BINARY(16) columns in sqlalchemy, #1541 by @​shawnwall
• Add a test assertion that default_factory can return a singleton, #1523 by @​therefromhere
• Add NameEmail.__eq__ so duplicate NameEmail instances are evaluated as equal, #1514 by @​stephen-bunn
• Add datamodel-code-generator link in pydantic document site, #1500 by @​koxudaxi
• Added a "Discussion of Pydantic" section to the documentation, with a link to "Pydantic Introduction" video by Alexander Hultnér, #1499 by @​hultner
• Avoid some side effects of default_factory by calling it only once if possible and by not setting a default value in the schema, #1491 by @​PrettyWood
• Added docs about dumping dataclasses to JSON, #1487 by @​mikegrima
• Make BaseModel.__signature__ class-only, so getting __signature__ from model instance will raise AttributeError, #1466 by @​MrMrRobat
• include 'format': 'password' in the schema for secret types, #1424 by @​atheuz
• Modify schema constraints on ConstrainedFloat so that exclusiveMinimum and minimum are not included in the schema if they are equal to -math.inf and exclusiveMaximum and maximum are not included if they are equal to math.inf, #1417 by @​vdwees
• Squash internal __root__ dicts in .dict() (and, by extension, in .json()), #1414 by @​patrickkwang

... (truncated)

Sourced from pydantic's changelog.

v1.6.2 (2021-05-11)

• Security fix: Fix date and datetime parsing so passing either 'infinity' or float('inf') (or their negative values) does not cause an infinite loop, See security advisory CVE-2021-29510

v1.6.1 (2020-07-15)

• fix validation and parsing of nested models with default_factory, #1710 by @​PrettyWood

v1.6 (2020-07-11)

Thank you to pydantic's sponsors: @​matin, @​tiangolo, @​chdsbd, @​jorgecarleitao, and 1 anonymous sponsor for their kind support.

• Modify validators for conlist and conset to not have always=True, #1682 by @​samuelcolvin
• add port check to AnyUrl (can't exceed 65536) ports are 16 insigned bits: 0 <= port <= 2**16-1 src: rfc793 header format, #1654 by @​flapili
• Document default regex anchoring semantics, #1648 by @​yurikhan
• Use chain.from_iterable in class_validators.py. This is a faster and more idiomatic way of using itertools.chain. Instead of computing all the items in the iterable and storing them in memory, they are computed one-by-one and never stored as a huge list. This can save on both runtime and memory space, #1642 by @​cool-RR
• Add conset(), analogous to conlist(), #1623 by @​patrickkwang
• make pydantic errors (un)pickable, #1616 by @​PrettyWood
• Allow custom encoding for dotenv files, #1615 by @​PrettyWood
• Ensure SchemaExtraCallable is always defined to get type hints on BaseConfig, #1614 by @​PrettyWood
• Update datetime parser to support negative timestamps, #1600 by @​mlbiche
• Update mypy, remove AnyType alias for Type[Any], #1598 by @​samuelcolvin
• Adjust handling of root validators so that errors are aggregated from all failing root validators, instead of reporting on only the first root validator to fail, #1586 by @​beezee
• Make __modify_schema__ on Enums apply to the enum schema rather than fields that use the enum, #1581 by @​therefromhere
• Fix behavior of __all__ key when used in conjunction with index keys in advanced include/exclude of fields that are sequences, #1579 by @​xspirus
• Subclass validators do not run when referencing a List field defined in a parent class when each_item=True. Added an example to the docs illustrating this, #1566 by @​samueldeklund
• change schema.field_class_to_schema to support frozenset in schema, #1557 by @​wangpeibao
• Call __modify_schema__ only for the field schema, #1552 by @​PrettyWood
• Move the assignment of field.validate_always in fields.py so the always parameter of validators work on inheritance, #1545 by @​dcHHH
• Added support for UUID instantiation through 16 byte strings such as b'\x12\x34\x56\x78' * 4. This was done to support BINARY(16) columns in sqlalchemy, #1541 by @​shawnwall
• Add a test assertion that default_factory can return a singleton, #1523 by @​therefromhere
• Add NameEmail.__eq__ so duplicate NameEmail instances are evaluated as equal, #1514 by @​stephen-bunn
• Add datamodel-code-generator link in pydantic document site, #1500 by @​koxudaxi
• Added a "Discussion of Pydantic" section to the documentation, with a link to "Pydantic Introduction" video by Alexander Hultnér, #1499 by @​hultner
• Avoid some side effects of default_factory by calling it only once if possible and by not setting a default value in the schema, #1491 by @​PrettyWood
• Added docs about dumping dataclasses to JSON, #1487 by @​mikegrima
• Make BaseModel.__signature__ class-only, so getting __signature__ from model instance will raise AttributeError, #1466 by @​MrMrRobat
• include 'format': 'password' in the schema for secret types, #1424 by @​atheuz
• Modify schema constraints on ConstrainedFloat so that exclusiveMinimum and minimum are not included in the schema if they are equal to -math.inf and exclusiveMaximum and maximum are not included if they are equal to math.inf, #1417 by @​vdwees
• Squash internal __root__ dicts in .dict() (and, by extension, in .json()), #1414 by @​patrickkwang
• Move const validator to post-validators so it validates the parsed value, #1410 by @​selimb
• Fix model validation to handle nested literals, e.g. Literal['foo', Literal['bar']], #1364 by @​DBCerigo
• Remove user_required = True from RedisDsn, neither user nor password are required, #1275 by @​samuelcolvin

... (truncated)

• acf7783 tweak history
• 829528c comment out broken tests
• cf9a417 hack tests into passing
• b37a922 fix formatting
• ac360c5 prepare for release
• bdde15b Merge pull request from GHSA-5jqp-qgf6-3pvh
• d2b0501 uprev
• e2fcab5 fix: validate and parse nested models properly with default_factory (#1712)
• ba56a67 Bump pytest-mock from 3.1.1 to 3.2.0 (#1719)
• f1f944f Update datamode_code_generator:typo in pip install (#1713)
• Additional commits viewable in compare view

Sourced from py's changelog.

1.10.0 (2020-12-12)

• Fix a regular expression DoS vulnerability in the py.path.svnwc SVN blame functionality (CVE-2020-29651)
• Update vendored apipkg: 1.4 => 1.5
• Update vendored iniconfig: 1.0.0 => 1.1.1

1.9.0 (2020-06-24)

• Add type annotation stubs for the following modules:

  • py.error
  • py.iniconfig
  • py.path (not including SVN paths)
  • py.io
  • py.xml

  There are no plans to type other modules at this time.

  The type annotations are provided in external .pyi files, not inline in the code, and may therefore contain small errors or omissions. If you use py in conjunction with a type checker, and encounter any type errors you believe should be accepted, please report it in an issue.

1.8.2 (2020-06-15)

• On Windows, py.path.locals which differ only in case now have the same Python hash value. Previously, such paths were considered equal but had different hashes, which is not allowed and breaks the assumptions made by dicts, sets and other users of hashes.

• e5ff378 Update CHANGELOG for 1.10.0
• 94cf44f Update vendored libs
• 5e8ded5 testing: comment out an assert which fails on Python 3.9 for now
• afdffcc Rename HOWTORELEASE.rst to RELEASING.rst
• 2de53a6 Merge pull request #266 from nicoddemus/gh-actions
• fa1b32e Merge pull request #264 from hugovk/patch-2
• 887d6b8 Skip test_samefile_symlink on pypy3 on Windows
• e94e670 Fix test_comments() in test_source
• fef9a32 Adapt test
• 4a694b0 Add GitHub Actions badge to README
• Additional commits viewable in compare view

Sourced from pygments's releases.

2.7.4

• Updated lexers:

  • Apache configurations: Improve handling of malformed tags (#1656)

  • CSS: Add support for variables (#1633, #1666)

  • Crystal (#1650, #1670)

  • Coq (#1648)

  • Fortran: Add missing keywords (#1635, #1665)

  • Ini (#1624)

  • JavaScript and variants (#1647 -- missing regex flags, #1651)

  • Markdown (#1623, #1617)

  • Shell

    • Lex trailing whitespace as part of the prompt (#1645)
    • Add missing in keyword (#1652)

  • SQL - Fix keywords (#1668)

  • Typescript: Fix incorrect punctuation handling (#1510, #1511)

• Fix infinite loop in SML lexer (#1625)

• Fix backtracking string regexes in JavaScript/TypeScript, Modula2 and many other lexers (#1637)

• Limit recursion with nesting Ruby heredocs (#1638)

• Fix a few inefficient regexes for guessing lexers

• Fix the raw token lexer handling of Unicode (#1616)

• Revert a private API change in the HTML formatter (#1655) -- please note that private APIs remain subject to change!

• Fix several exponential/cubic-complexity regexes found by Ben Caller/Doyensec (#1675)

• Fix incorrect MATLAB example (#1582)

Thanks to Google's OSS-Fuzz project for finding many of these bugs.

2.7.3

• Updated lexers:

  • Ada (#1581)
  • HTML (#1615, #1614)
  • Java (#1594, #1586)
  • JavaScript (#1605, #1589, #1588)
  • JSON (#1569 -- this is a complete rewrite)
  • Lean (#1601)
  • LLVM (#1612)
  • Mason (#1592)
  • MySQL (#1555, #1551)
  • Rust (#1608)
  • Turtle (#1590, #1553)

• Deprecated JsonBareObjectLexer, which is now identical to JsonLexer (#1600)

• The ImgFormatter now calculates the exact character width, which fixes some issues with overlapping text (#1213, #1611)

... (truncated)

Sourced from pygments's changelog.

Version 2.7.4

(released January 12, 2021)

• Updated lexers:

  • Apache configurations: Improve handling of malformed tags (#1656)

  • CSS: Add support for variables (#1633, #1666)

  • Crystal (#1650, #1670)

  • Coq (#1648)

  • Fortran: Add missing keywords (#1635, #1665)

  • Ini (#1624)

  • JavaScript and variants (#1647 -- missing regex flags, #1651)

  • Markdown (#1623, #1617)

  • Shell

    • Lex trailing whitespace as part of the prompt (#1645)
    • Add missing in keyword (#1652)

  • SQL - Fix keywords (#1668)

  • Typescript: Fix incorrect punctuation handling (#1510, #1511)

• Fix infinite loop in SML lexer (#1625)

• Fix backtracking string regexes in JavaScript/TypeScript, Modula2 and many other lexers (#1637)

• Limit recursion with nesting Ruby heredocs (#1638)

• Fix a few inefficient regexes for guessing lexers

• Fix the raw token lexer handling of Unicode (#1616)

• Revert a private API change in the HTML formatter (#1655) -- please note that private APIs remain subject to change!

• Fix several exponential/cubic-complexity regexes found by Ben Caller/Doyensec (#1675)

• Fix incorrect MATLAB example (#1582)

Thanks to Google's OSS-Fuzz project for finding many of these bugs.

Version 2.7.3

(released December 6, 2020)

• Updated lexers:

  • Ada (#1581)
  • HTML (#1615, #1614)
  • Java (#1594, #1586)
  • JavaScript (#1605, #1589, #1588)
  • JSON (#1569 -- this is a complete rewrite)
  • Lean (#1601)
  • LLVM (#1612)
  • Mason (#1592)

... (truncated)

• 4d555d0 Bump version to 2.7.4.
• fc3b05d Update CHANGES.
• ad21935 Revert "Added dracula theme style (#1636)"
• e411506 Prepare for 2.7.4 release.
• 275e34d doc: remove Perl 6 ref
• 2e7e8c4 Fix several exponential/cubic complexity regexes found by Ben Caller/Doyensec
• eb39c43 xquery: fix pop from empty stack
• 2738778 fix coding style in test_analyzer_lexer
• 02e0f09 Added 'ERROR STOP' to fortran.py keywords. (#1665)
• c83fe48 support added for css variables (#1633)
• Additional commits viewable in compare view