Sourced from fastapi's releases.

0.65.2

Security fixes

• 🔒 Check Content-Type request header before assuming JSON. Initial PR #2118 by @​patrickkwang.

This change fixes a CSRF security vulnerability when using cookies for authentication in path operations with JSON payloads sent by browsers.

In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json).

So, a request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted.

But requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. So, the browser would execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application.

See CVE-2021-32677 for more details.

Thanks to Dima Boger for the security report! 🙇🔒

Internal

• 🔧 Update sponsors badge, course bundle. PR #3340 by @​tiangolo.
• 🔧 Add new gold sponsor Jina 🎉. PR #3291 by @​tiangolo.
• 🔧 Add new banner sponsor badge for FastAPI courses bundle. PR #3288 by @​tiangolo.
• 👷 Upgrade Issue Manager GitHub Action. PR #3236 by @​tiangolo.

0.65.1

Security fixes

• 📌 Upgrade pydantic pin, to handle security vulnerability CVE-2021-29510. PR #3213 by @​tiangolo.

0.65.0

Breaking Changes - Upgrade

• ⬆️ Upgrade Starlette to 0.14.2, including internal UJSONResponse migrated from Starlette. This includes several bug fixes and features from Starlette. PR #2335 by @​hanneskuettner.

Translations

• 🌐 Initialize new language Polish for translations. PR #3170 by @​neternefer.

Internal

• 👷 Add GitHub Action cache to speed up CI installs. PR #3204 by @​tiangolo.
• ⬆️ Upgrade setup-python GitHub Action to v2. PR #3203 by @​tiangolo.
• 🐛 Fix docs script to generate a new translation language with overrides boilerplate. PR #3202 by @​tiangolo.
• ✨ Add new Deta banner badge with new sponsorship tier 🙇. PR #3194 by @​tiangolo.
• 👥 Update FastAPI People. PR #3189 by @​github-actions[bot].
• 🔊 Update FastAPI People to allow better debugging. PR #3188 by @​tiangolo.

0.64.0

Features

... (truncated)

• 4d91f97 🔖 Release version 0.65.2
• aabe2c7 📝 Update release notes
• 377234a 🔒 Create Security Policy
• 38b7858 📝 Update release notes
• fa7e3c9 🐛 Check Content-Type request header before assuming JSON (#2118)
• 90120dd 📝 Update release notes
• 3677254 🔧 Update sponsors badge, course bundle (#3340)
• 40bb0c5 📝 Update release notes
• 60918d2 🔧 Add new gold sponsor Jina 🎉 (#3291)
• 3afce2c 📝 Update release notes
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from urllib3's releases.

1.26.5

:warning: IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Fixed deprecation warnings emitted in Python 3.10.
• Updated vendored six library to 1.16.0.
• Improved performance of URL parser when splitting the authority component.

If you or your organization rely on urllib3 consider supporting us via GitHub Sponsors

1.26.4

:warning: IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Changed behavior of the default SSLContext when connecting to HTTPS proxy during HTTPS requests. The default SSLContext now sets check_hostname=True.

If you or your organization rely on urllib3 consider supporting us via GitHub Sponsors

1.26.3

:warning: IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Fixed bytes and string comparison issue with headers (Pull #2141)

• Changed ProxySchemeUnknown error message to be more actionable if the user supplies a proxy URL without a scheme (Pull #2107)

If you or your organization rely on urllib3 consider supporting us via GitHub Sponsors

1.26.2

:warning: IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Fixed an issue where wrap_socket and CERT_REQUIRED wouldn't be imported properly on Python 2.7.8 and earlier (Pull #2052)

1.26.1

:warning: IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Fixed an issue where two User-Agent headers would be sent if a User-Agent header key is passed as bytes (Pull #2047)

1.26.0

:warning: IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Added support for HTTPS proxies contacting HTTPS servers (Pull #1923, Pull #1806)

• Deprecated negotiating TLSv1 and TLSv1.1 by default. Users that still wish to use TLS earlier than 1.2 without a deprecation warning should opt-in explicitly by setting ssl_version=ssl.PROTOCOL_TLSv1_1 (Pull #2002) Starting in urllib3 v2.0: Connections that receive a DeprecationWarning will fail

• Deprecated Retry options Retry.DEFAULT_METHOD_WHITELIST, Retry.DEFAULT_REDIRECT_HEADERS_BLACKLIST and Retry(method_whitelist=...) in favor of Retry.DEFAULT_ALLOWED_METHODS, Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT, and Retry(allowed_methods=...) (Pull #2000) Starting in urllib3 v2.0: Deprecated options will be removed

... (truncated)

Sourced from urllib3's changelog.

1.26.5 (2021-05-26)

• Fixed deprecation warnings emitted in Python 3.10.
• Updated vendored six library to 1.16.0.
• Improved performance of URL parser when splitting the authority component.

1.26.4 (2021-03-15)

• Changed behavior of the default SSLContext when connecting to HTTPS proxy during HTTPS requests. The default SSLContext now sets check_hostname=True.

1.26.3 (2021-01-26)

• Fixed bytes and string comparison issue with headers (Pull #2141)

• Changed ProxySchemeUnknown error message to be more actionable if the user supplies a proxy URL without a scheme. (Pull #2107)

1.26.2 (2020-11-12)

• Fixed an issue where wrap_socket and CERT_REQUIRED wouldn't be imported properly on Python 2.7.8 and earlier (Pull #2052)

1.26.1 (2020-11-11)

• Fixed an issue where two User-Agent headers would be sent if a User-Agent header key is passed as bytes (Pull #2047)

1.26.0 (2020-11-10)

• NOTE: urllib3 v2.0 will drop support for Python 2. Read more in the v2.0 Roadmap <https://urllib3.readthedocs.io/en/latest/v2-roadmap.html>_.

• Added support for HTTPS proxies contacting HTTPS servers (Pull #1923, Pull #1806)

• Deprecated negotiating TLSv1 and TLSv1.1 by default. Users that still wish to use TLS earlier than 1.2 without a deprecation warning

... (truncated)

• d161647 Release 1.26.5
• 2d4a3fe Improve performance of sub-authority splitting in URL
• 2698537 Update vendored six to 1.16.0
• 07bed79 Fix deprecation warnings for Python 3.10 ssl module
• d725a9b Add Python 3.10 to GitHub Actions
• 339ad34 Use pytest==6.2.4 on Python 3.10+
• f271c9c Apply latest Black formatting
• 1884878 [1.26] Properly proxy EOF on the SSLTransport test suite
• a891304 Release 1.26.4
• 8d65ea1 Merge pull request from GHSA-5phf-pp7p-vc2r
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from pydantic's releases.

v1.6.2 (2021-05-11)

Security fix: Fix date and datetime parsing so passing either 'infinity' or float('inf') (or their negative values) does not cause an infinite loop, see security advisory CVE-2021-29510.

v1.6.1 (2020-07-15)

See Changelog.

Thank you to pydantic's sponsors: @​matin, @​tiangolo, @​chdsbd, @​jorgecarleitao, and 1 anonymous sponsor for their kind support.

changes:

• fix validation and parsing of nested models with default_factory, #1710 by @​PrettyWood

v1.6 (2020-07-11)

See Changelog.

Thank you to pydantic's sponsors: @​matin, @​tiangolo, @​chdsbd, @​jorgecarleitao, and 1 anonymous sponsor for their kind support.

changes:

• Modify validators for conlist and conset to not have always=True, #1682 by @​samuelcolvin
• add port check to AnyUrl (can't exceed 65536) ports are 16 insigned bits: 0 <= port <= 2**16-1 src: rfc793 header format, #1654 by @​flapili
• Document default regex anchoring semantics, #1648 by @​yurikhan
• Use chain.from_iterable in class_validators.py. This is a faster and more idiomatic way of using itertools.chain. Instead of computing all the items in the iterable and storing them in memory, they are computed one-by-one and never stored as a huge list. This can save on both runtime and memory space, #1642 by @​cool-RR
• Add conset(), analogous to conlist(), #1623 by @​patrickkwang
• make pydantic errors (un)pickable, #1616 by @​PrettyWood
• Allow custom encoding for dotenv files, #1615 by @​PrettyWood
• Ensure SchemaExtraCallable is always defined to get type hints on BaseConfig, #1614 by @​PrettyWood
• Update datetime parser to support negative timestamps, #1600 by @​mlbiche
• Update mypy, remove AnyType alias for Type[Any], #1598 by @​samuelcolvin
• Adjust handling of root validators so that errors are aggregated from all failing root validators, instead of reporting on only the first root validator to fail, #1586 by @​beezee
• Make __modify_schema__ on Enums apply to the enum schema rather than fields that use the enum, #1581 by @​therefromhere
• Fix behavior of __all__ key when used in conjunction with index keys in advanced include/exclude of fields that are sequences, #1579 by @​xspirus
• Subclass validators do not run when referencing a List field defined in a parent class when each_item=True. Added an example to the docs illustrating this, #1566 by @​samueldeklund
• change schema.field_class_to_schema to support frozenset in schema, #1557 by @​wangpeibao
• Call __modify_schema__ only for the field schema, #1552 by @​PrettyWood
• Move the assignment of field.validate_always in fields.py so the always parameter of validators work on inheritance, #1545 by @​dcHHH
• Added support for UUID instantiation through 16 byte strings such as b'\x12\x34\x56\x78' * 4. This was done to support BINARY(16) columns in sqlalchemy, #1541 by @​shawnwall
• Add a test assertion that default_factory can return a singleton, #1523 by @​therefromhere
• Add NameEmail.__eq__ so duplicate NameEmail instances are evaluated as equal, #1514 by @​stephen-bunn
• Add datamodel-code-generator link in pydantic document site, #1500 by @​koxudaxi
• Added a "Discussion of Pydantic" section to the documentation, with a link to "Pydantic Introduction" video by Alexander Hultnér, #1499 by @​hultner
• Avoid some side effects of default_factory by calling it only once if possible and by not setting a default value in the schema, #1491 by @​PrettyWood
• Added docs about dumping dataclasses to JSON, #1487 by @​mikegrima
• Make BaseModel.__signature__ class-only, so getting __signature__ from model instance will raise AttributeError, #1466 by @​MrMrRobat
• include 'format': 'password' in the schema for secret types, #1424 by @​atheuz
• Modify schema constraints on ConstrainedFloat so that exclusiveMinimum and minimum are not included in the schema if they are equal to -math.inf and exclusiveMaximum and maximum are not included if they are equal to math.inf, #1417 by @​vdwees
• Squash internal __root__ dicts in .dict() (and, by extension, in .json()), #1414 by @​patrickkwang

... (truncated)

Sourced from pydantic's changelog.

v1.6.2 (2021-05-11)

• Security fix: Fix date and datetime parsing so passing either 'infinity' or float('inf') (or their negative values) does not cause an infinite loop, See security advisory CVE-2021-29510

v1.6.1 (2020-07-15)

• fix validation and parsing of nested models with default_factory, #1710 by @​PrettyWood

v1.6 (2020-07-11)

Thank you to pydantic's sponsors: @​matin, @​tiangolo, @​chdsbd, @​jorgecarleitao, and 1 anonymous sponsor for their kind support.

• Modify validators for conlist and conset to not have always=True, #1682 by @​samuelcolvin
• add port check to AnyUrl (can't exceed 65536) ports are 16 insigned bits: 0 <= port <= 2**16-1 src: rfc793 header format, #1654 by @​flapili
• Document default regex anchoring semantics, #1648 by @​yurikhan
• Use chain.from_iterable in class_validators.py. This is a faster and more idiomatic way of using itertools.chain. Instead of computing all the items in the iterable and storing them in memory, they are computed one-by-one and never stored as a huge list. This can save on both runtime and memory space, #1642 by @​cool-RR
• Add conset(), analogous to conlist(), #1623 by @​patrickkwang
• make pydantic errors (un)pickable, #1616 by @​PrettyWood
• Allow custom encoding for dotenv files, #1615 by @​PrettyWood
• Ensure SchemaExtraCallable is always defined to get type hints on BaseConfig, #1614 by @​PrettyWood
• Update datetime parser to support negative timestamps, #1600 by @​mlbiche
• Update mypy, remove AnyType alias for Type[Any], #1598 by @​samuelcolvin
• Adjust handling of root validators so that errors are aggregated from all failing root validators, instead of reporting on only the first root validator to fail, #1586 by @​beezee
• Make __modify_schema__ on Enums apply to the enum schema rather than fields that use the enum, #1581 by @​therefromhere
• Fix behavior of __all__ key when used in conjunction with index keys in advanced include/exclude of fields that are sequences, #1579 by @​xspirus
• Subclass validators do not run when referencing a List field defined in a parent class when each_item=True. Added an example to the docs illustrating this, #1566 by @​samueldeklund
• change schema.field_class_to_schema to support frozenset in schema, #1557 by @​wangpeibao
• Call __modify_schema__ only for the field schema, #1552 by @​PrettyWood
• Move the assignment of field.validate_always in fields.py so the always parameter of validators work on inheritance, #1545 by @​dcHHH
• Added support for UUID instantiation through 16 byte strings such as b'\x12\x34\x56\x78' * 4. This was done to support BINARY(16) columns in sqlalchemy, #1541 by @​shawnwall
• Add a test assertion that default_factory can return a singleton, #1523 by @​therefromhere
• Add NameEmail.__eq__ so duplicate NameEmail instances are evaluated as equal, #1514 by @​stephen-bunn
• Add datamodel-code-generator link in pydantic document site, #1500 by @​koxudaxi
• Added a "Discussion of Pydantic" section to the documentation, with a link to "Pydantic Introduction" video by Alexander Hultnér, #1499 by @​hultner
• Avoid some side effects of default_factory by calling it only once if possible and by not setting a default value in the schema, #1491 by @​PrettyWood
• Added docs about dumping dataclasses to JSON, #1487 by @​mikegrima
• Make BaseModel.__signature__ class-only, so getting __signature__ from model instance will raise AttributeError, #1466 by @​MrMrRobat
• include 'format': 'password' in the schema for secret types, #1424 by @​atheuz
• Modify schema constraints on ConstrainedFloat so that exclusiveMinimum and minimum are not included in the schema if they are equal to -math.inf and exclusiveMaximum and maximum are not included if they are equal to math.inf, #1417 by @​vdwees
• Squash internal __root__ dicts in .dict() (and, by extension, in .json()), #1414 by @​patrickkwang
• Move const validator to post-validators so it validates the parsed value, #1410 by @​selimb
• Fix model validation to handle nested literals, e.g. Literal['foo', Literal['bar']], #1364 by @​DBCerigo
• Remove user_required = True from RedisDsn, neither user nor password are required, #1275 by @​samuelcolvin

... (truncated)

• acf7783 tweak history
• 829528c comment out broken tests
• cf9a417 hack tests into passing
• b37a922 fix formatting
• ac360c5 prepare for release
• bdde15b Merge pull request from GHSA-5jqp-qgf6-3pvh
• d2b0501 uprev
• e2fcab5 fix: validate and parse nested models properly with default_factory (#1712)
• ba56a67 Bump pytest-mock from 3.1.1 to 3.2.0 (#1719)
• f1f944f Update datamode_code_generator:typo in pip install (#1713)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.