Scheduled weekly dependency update for week 47

[pyup-bot]

Update amqp from 2.5.2 to 5.3.1.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

• PyPI: https://pypi.org/project/amqp
• Repo: http://github.com/celery/py-amqp

Update asgiref from 3.2.5 to 3.8.1.

Changelog

3.8.1

------------------

* Fixes a regression in 3.8.0 affecting nested task cancellation inside
sync_to_async.

3.8.0

------------------

* Adds support for Python 3.12.

* Drops support for (end-of-life) Python 3.7.

* Fixes task cancellation propagation to subtasks when using synchronous Django
middleware.

* Allows nesting ``sync_to_async`` via ``asyncio.wait_for``.

* Corrects WSGI adapter handling of root path.

* Handles case where `"client"` is ``None`` in WsgiToAsgi adapter.

3.7.2

------------------

* The type annotations for SyncToAsync and AsyncToSync have been changed to
more accurately reflect the kind of callables they return.

3.7.1

------------------

* On Python 3.10 and below, the version of the "typing_extensions" package
is now constrained to be at least version 4 (as we depend on functionality
in that version and above)

3.7.0

------------------

* Contextvars are now required for the implementation of `sync` as Python 3.6
is now no longer a supported version.

* sync_to_async and async_to_sync now pass-through

* Debug and Lifespan State extensions have resulted in a typing change for some
request and response types. This change should be backwards-compatible.

* ``asgiref`` frames will now be hidden in Django tracebacks by default.

* Raw performance and garbage collection improvements in Local, SyncToAsync,
and AsyncToSync.

3.6.0

------------------

* Two new functions are added to the ``asgiref.sync`` module: ``iscoroutinefunction()``
and ``markcoroutinefunction()``.

Python 3.12 deprecates ``asyncio.iscoroutinefunction()`` as an alias for
``inspect.iscoroutinefunction()``, whilst also removing the ``_is_coroutine`` marker.
The latter is replaced with the ``inspect.markcoroutinefunction`` decorator.

The new ``asgiref.sync`` functions are compatibility shims for these
functions that can be used until Python 3.12 is the minimum supported
version.

**Note** that these functions are considered **beta**, and as such, whilst
not likely, are subject to change in a point release, until the final release
of Python 3.12. They are included in ``asgiref`` now so that they can be
adopted by Django 4.2, in preparation for support of Python 3.12.

* The ``loop`` argument to ``asgiref.timeout.timeout`` is deprecated. As per other
``asyncio`` based APIs, the running event loop is used by default. Note that
``asyncio`` provides timeout utilities from Python 3.11, and these should be
preferred where available.

* Support for the ``ASGI_THREADS`` environment variable, used by
``SyncToAsync``, is removed. In general, a running event-loop is not
available to `asgiref` at import time, and so the default thread pool
executor cannot be configured. Protocol servers, or applications, should set
the default executor as required when configuring the event loop at
application startup.

3.5.2

------------------

* Allow async-callables class instances to be passed to AsyncToSync
without warning

* Prevent giving async-callable class instances to SyncToAsync

3.5.1

------------------

* sync_to_async in thread-sensitive mode now works corectly when the
outermost thread is synchronous (214)

3.5.0

------------------

* Python 3.6 is no longer supported, and asyncio calls have been changed to
use only the modern versions of the APIs as a result

* Several causes of RuntimeErrors in cases where an event loop was assigned
to a thread but not running

* Speed improvements in the Local class

3.4.1

------------------

* Fixed an issue with the deadlock detection where it had false positives
during exception handling.

3.4.0

------------------

* Calling sync_to_async directly from inside itself (which causes a deadlock
when in the default, thread-sensitive mode) now has deadlock detection.

* asyncio usage has been updated to use the new versions of get_event_loop,
ensure_future, wait and gather, avoiding deprecation warnings in Python 3.10.
Python 3.6 installs continue to use the old versions; this is only for 3.7+

* sync_to_async and async_to_sync now have improved type hints that pass
through the underlying function type correctly.

* All Websocket* types are now spelled WebSocket, to match our specs and the
official spelling. The old names will work until release 3.5.0, but will
raise deprecation warnings.

* The typing for WebSocketScope and HTTPScope's `extensions` key has been
fixed.

3.3.4

------------------

* The async_to_sync type error is now a warning due the high false negative
rate when trying to detect coroutine-returning callables in Python.

3.3.3

------------------

* The sync conversion functions now correctly detect functools.partial and other
wrappers around async functions on earlier Python releases.

3.3.2

------------------

* SyncToAsync now takes an optional "executor" argument if you want to supply
your own executor rather than using the built-in one.

* async_to_sync and sync_to_async now check their arguments are functions of
the correct type.

* Raising CancelledError inside a SyncToAsync function no longer stops a future
call from functioning.

* ThreadSensitive now provides context hooks/override options so it can be
made to be sensitive in a unit smaller than threads (e.g. per request)

* Drop Python 3.5 support.

* Add type annotations.

3.3.1

------------------

* Updated StatelessServer to use ASGI v3 single-callable applications.

3.3.0

------------------

* sync_to_async now defaults to thread-sensitive mode being on
* async_to_sync now works inside of forked processes
* WsgiToAsgi now correctly clamps its response body when Content-Length is set

3.2.10

-------------------

* Fixed bugs due to bad WeakRef handling introduced in 3.2.8

3.2.9

------------------

* Fixed regression with exception handling in 3.2.8 related to the contextvars fix.

3.2.8

------------------

* Fixed small memory leak in local.Local
* contextvars are now persisted through AsyncToSync

3.2.7

------------------

* Bug fixed in local.Local where deleted Locals would occasionally inherit
their storage into new Locals due to memory reuse.

3.2.6

------------------

* local.Local now works in all threading situations, no longer requires
periodic garbage collection, and works with libraries that monkeypatch
threading (like gevent)

Links

• PyPI: https://pypi.org/project/asgiref
• Changelog: https://data.safetycli.com/changelogs/asgiref/
• Repo: https://github.com/django/asgiref/

Update billiard from 3.6.3.0 to 4.2.1.

Changelog

4.2.0

--------------------
- Update process.py to close during join only if process has completed.
- Adjust the __repr__ in ApplyResult.
- Remove python 3.7 from CI.
- Added Python 3.12 support.
- Fixed (co_positions): resolve issue caused by absence co_positions (395).
- Fixed: Replaced mktemp usage for Python 3 from python 2.
- Changed nose test to pytest (397) in Integration test.
- Changed nose dependency for unit test (383).

4.1.0

--------------------
- Fixed a python 2 to 3 compat issue which was missed earlier (374).
- Adde Python 3.11 primary support

4.0.2

--------------------
- ExceptionWithTraceback should be an exception.

4.0.1

--------------------
- Add support for Python 3.11 _posixsubprocess.fork_exec() arguments.
- Keep exception traceback somehow (368).

4.0.0

--------------------
- Support Sphinx 4.x.
- Remove dependency to case.
- Drop support of Python < 3.7.
- Update to psutil 5.9.0.
- Add python_requires to enforce Python version.
- Replace deprecated threading Event.isSet with Event.is_set.
- Prevent segmentation fault in get_pdeathsig while using ctypes (361).
- Migrated CI to Github actions.
- Python 3.10 support added.

3.6.4.0

--------------------
- Issue 309: Add Python 3.9 support to spawnv_passfds()
- fix 314

Links

• PyPI: https://pypi.org/project/billiard
• Changelog: https://data.safetycli.com/changelogs/billiard/
• Repo: https://github.com/celery/billiard

Update boto3 from 1.12.26 to 1.35.68.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

• PyPI: https://pypi.org/project/boto3
• Repo: https://github.com/boto/boto3

Update botocore from 1.15.26 to 1.35.68.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

• PyPI: https://pypi.org/project/botocore
• Repo: https://github.com/boto/botocore

Update cachetools from 4.0.0 to 5.5.0.

Changelog

5.5.0

===================

- ``TTLCache.expire()`` returns iterable of expired ``(key, value)``
pairs.

- ``TLRUCache.expire()`` returns iterable of expired ``(key, value)``
pairs.

- Documentation improvements.

- Update CI environment.

5.4.0

===================

- Add the ``keys.typedmethodkey`` decorator.

- Deprecate ``MRUCache`` class.

- Deprecate ``func.mru_cache`` decorator.

- Update CI environment.

5.3.3

===================

- Documentation improvements.

- Update CI environment.

5.3.2

===================

- Add support for Python 3.12.

- Various documentation improvements.

5.3.1

===================

- Depend on Python >= 3.7.

5.3.0

===================

- Add ``cache_info()`` function to ``cached`` decorator.

5.2.1

===================

- Add support for Python 3.11.

- Correct version information in RTD documentation.

- ``badges/shields``: Change to GitHub workflow badge routes.

5.2.0

===================

- Add ``cachetools.keys.methodkey()``.

- Add ``cache_clear()`` function to decorators.

- Add ``src`` directory to ``sys.path`` for Sphinx autodoc.

- Modernize ``func`` wrappers.

5.1.0

===================

- Add cache decorator parameters as wrapper function attributes.

5.0.0

===================

- Require Python 3.7 or later (breaking change).

- Remove deprecated submodules (breaking change).

The ``cache``, ``fifo``, ``lfu``, ``lru``, ``mru``, ``rr`` and
``ttl`` submodules have been deleted.  Therefore, statements like

``from cachetools.ttl import TTLCache``

will no longer work. Use

``from cachetools import TTLCache``

instead.

- Pass ``self`` to ``cachedmethod`` key function (breaking change).

The ``key`` function passed to the ``cachedmethod`` decorator is
now called as ``key(self, *args, **kwargs)``.

The default key function has been changed to ignore its first
argument, so this should only affect applications using custom key
functions with the ``cachedmethod`` decorator.

- Change exact time of expiration in ``TTLCache`` (breaking change).

``TTLCache`` items now get expired if their expiration time is less
than *or equal to* ``timer()``.  For applications using the default
``timer()``, this should be barely noticeable, but it may affect the
use of custom timers with larger tick intervals.  Note that this
also implies that a ``TTLCache`` with ``ttl=0`` can no longer hold
any items, since they will expire immediately.

- Change ``Cache.__repr__()`` format (breaking change).

String representations of cache instances now use a more compact and
efficient format, e.g.

``LRUCache({1: 1, 2: 2}, maxsize=10, currsize=2)``

- Add TLRU cache implementation.

- Documentation improvements.

4.2.4

===================

- Add submodule shims for backward compatibility.

4.2.3

===================

- Add documentation and tests for using ``TTLCache`` with
``datetime``.

- Link to typeshed typing stubs.

- Flatten package file hierarchy.

4.2.2

===================

- Update build environment.

- Remove Python 2 remnants.

- Format code with Black.

4.2.1

===================

- Handle ``__missing__()`` not storing cache items.

- Clean up ``__missing__()`` example.

4.2.0

===================

- Add FIFO cache implementation.

- Add MRU cache implementation.

- Improve behavior of decorators in case of race conditions.

- Improve documentation regarding mutability of caches values and use
of key functions with decorators.

- Officially support Python 3.9.

4.1.1

===================

- Improve ``popitem()`` exception context handling.

- Replace ``float('inf')`` with ``math.inf``.

- Improve "envkey" documentation example.

4.1.0

===================

- Support ``user_function`` with ``cachetools.func`` decorators
(Python 3.8 compatibility).

- Support ``cache_parameters()`` with ``cachetools.func`` decorators
(Python 3.9 compatibility).

Links

• PyPI: https://pypi.org/project/cachetools
• Changelog: https://data.safetycli.com/changelogs/cachetools/
• Repo: https://github.com/tkem/cachetools/

Update celery from 4.4.2 to 5.4.0.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

• PyPI: https://pypi.org/project/celery
• Homepage: https://docs.celeryq.dev/
• Docs: https://pythonhosted.org/celery/

Update certifi from 2019.11.28 to 2024.8.30.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

• PyPI: https://pypi.org/project/certifi
• Repo: https://github.com/certifi/python-certifi

Update chardet from 3.0.4 to 5.2.0.

Changelog

5.2.0

Adds support for running chardet CLI via `python -m chardet` (0e9b7bc20366163efcc221281201baff4100fe19, dan-blanchard)

5.1.0

Features
- Add `should_rename_legacy` argument to most functions, which will rename older encodings to their more modern equivalents (e.g., `GB2312` becomes `GB18030`) (264, dan-blanchard)
- Add capital letter sharp S and ISO-8859-15 support (222, SimonWaldherr)
- Add a prober for MacRoman encoding (5 updated as c292b52a97e57c95429ef559af36845019b88b33, Rob Speer and dan-blanchard )
- Add `--minimal` flag to `chardetect` command (214, dan-blanchard)
- Add type annotations to the project and run mypy on CI (261, jdufresne)
- Add support for Python 3.11 (274, hugovk)

Fixes
- Clarify LGPL version in License trove classifier (255, musicinmybrain)
- Remove support for EOL Python 3.6 (260, jdufresne)
- Remove unnecessary guards for non-falsey values (259, jdufresne)

Misc changes
- Switch to Python 3.10 release in GitHub actions (257, jdufresne)
- Remove setup.py in favor of build package (262, jdufresne)
- Run tests on macos, Windows, and 3.11-dev (267, dan-blanchard)

5.0.0

⚠️ This release is the first release of chardet that no longer supports Python < 3.6 ⚠️

In addition to that change, it features the following user-facing changes:

- Added a prober for Johab Korean (207, grizlupo)
- Added a prober for UTF-16/32 BE/LE (109, 206, jpz) 
- Added test data for Croatian, Czech, Hungarian, Polish, Slovak, Slovene, Greek, and Turkish, which should help prevent future errors with those languages
- Improved XML tag filtering, which should improve accuracy for XML files (208)
- Tweaked `SingleByteCharSetProber` confidence to match latest uchardet (209)
- Made `detect_all` return child prober confidences (210)
- Updated examples in docs (223, domdfcoding)
- Documentation fixes (212, 224, 225, 226, 220, 221, 244 from too many to mention)
- Minor performance improvements (252, deedy5)
- Add support for Python 3.10 when testing (232, jdufresne)
- Lots of little development cycle improvements, mostly thanks to jdufresne

4.0.0

Benchmarking chardet 4.0.0 on CPython 3.7.5 (default, Sep  8 2020, 12:19:42)
[Clang 11.0.3 (clang-1103.0.32.62)]
--------------------------------------------------------------------------------
.......................................................................................................................................................................................................................................................................................................................................................................
Calls per second for each encoding:

Links

• PyPI: https://pypi.org/project/chardet
• Changelog: https://data.safetycli.com/changelogs/chardet/
• Repo: https://github.com/chardet/chardet

Update defusedxml from 0.6.0 to 0.7.1.

Changelog

0.7.1

----------------

*Release date: 08-Mar-2021*

- Fix regression ``defusedxml.ElementTree.ParseError`` (63)
The ``ParseError`` exception is now the same class object as
``xml.etree.ElementTree.ParseError`` again.

0.7.0

----------------

*Release date: 4-Mar-2021*

- No changes

0.7.0rc2

-------------------

*Release date: 12-Jan-2021*

- Re-add and deprecate ``defusedxml.cElementTree``
- Use GitHub Actions instead of TravisCI
- Restore ``ElementTree`` attribute of ``xml.etree`` module after patching

0.7.0rc1

-------------------

*Release date: 04-May-2020*

- Add support for Python 3.9
- ``defusedxml.cElementTree`` is not available with Python 3.9.
- Python 2 is deprecate. Support for Python 2 will be removed in 0.8.0.

Links

• PyPI: https://pypi.org/project/defusedxml
• Changelog: https://data.safetycli.com/changelogs/defusedxml/
• Repo: https://github.com/tiran/defusedxml

Update Django from 3.0.4 to 5.1.3.

Changelog

5.1.3

==========================

*November 5, 2024*

Django 5.1.3 fixes several bugs in 5.1.2 and adds compatibility with Python
3.13.

Bugfixes
========

* Fixed a bug in Django 5.1 where
:class:`~django.core.validators.DomainNameValidator` accepted any input value
that contained a valid domain name, rather than only input values that were a
valid domain name (:ticket:`35845`).

* Fixed a regression in Django 5.1 that prevented the use of DB-IP databases
with :class:`~django.contrib.gis.geoip2.GeoIP2` (:ticket:`35841`).

* Fixed a regression in Django 5.1 where non-ASCII fieldset names were not
displayed when rendering admin fieldsets (:ticket:`35876`).


==========================

5.1.2

==========================

*October 8, 2024*

Django 5.1.2 fixes several bugs in 5.1.1. Also, the latest string translations
from Transifex are incorporated.

Bugfixes
========

* Fixed a regression in Django 5.1 that caused a crash when using the
PostgreSQL lookup :lookup:`trigram_similar` on output fields from ``Concat``
(:ticket:`35732`).

* Fixed a regression in Django 5.1 that caused a crash of ``JSONObject()``
when using server-side binding with PostgreSQL 16+ (:ticket:`35734`).

* Fixed a regression in Django 5.1 that made selected items in multi-select
widgets indistinguishable from non-selected items in the admin dark theme
(:ticket:`35809`).


==========================

5.1.1

==========================

*September 3, 2024*

Django 5.1.1 fixes one security issue with severity "moderate", one security
issue with severity "low", and several bugs in 5.1.

CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-45231: Potential user email enumeration via response status on password reset
======================================================================================

Due to unhandled email sending failures, the
:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote
attackers to enumerate user emails by issuing password reset requests and
observing the outcomes.

To mitigate this risk, exceptions occurring during password reset email sending
are now handled and logged using the :ref:`django-contrib-auth-logger` logger.

Bugfixes
========

* Fixed a regression in Django 5.1 that caused a crash of ``Window()`` when
passing an empty sequence to the ``order_by`` parameter, and a crash of
``Prefetch()`` for a sliced queryset without ordering (:ticket:`35665`).

* Fixed a regression in Django 5.1 where a new ``usable_password`` field was
included in :class:`~django.contrib.auth.forms.BaseUserCreationForm` (and
children). A new :class:`~django.contrib.auth.forms.AdminUserCreationForm`
including this field was added, isolating the feature to the admin where it
was intended (:ticket:`35678`).

* Adjusted the deprecation warning ``stacklevel`` in :meth:`.Model.save` and
:meth:`.Model.asave` to correctly point to the offending call site
(:ticket:`35060`).

* Adjusted the deprecation warning ``stacklevel`` when using ``OS_OPEN_FLAGS``
in :class:`~django.core.files.storage.FileSystemStorage` to correctly point
to the offending call site (:ticket:`35326`).

* Adjusted the deprecation warning ``stacklevel`` in
``FieldCacheMixin.get_cache_name()`` to correctly point to the offending call
site (:ticket:`35405`).

* Restored, following a regression in Django 5.1, the ability to override the
timezone and role setting behavior used within the ``init_connection_state``
method of the PostgreSQL backend (:ticket:`35688`).

* Fixed a bug in Django 5.1 where variable lookup errors were logged when
rendering admin fieldsets (:ticket:`35716`).


========================

5.1

========================

*August 7, 2024*

Welcome to Django 5.1!

These release notes cover the :ref:`new features <whats-new-5.1>`, as well as
some :ref:`backwards incompatible changes <backwards-incompatible-5.1>` you
should be aware of when upgrading from Django 5.0 or earlier. We've
:ref:`begun the deprecation process for some features
<deprecated-features-5.1>`.

See the :doc:`/howto/upgrade-version` guide if you're updating an existing
project.

Python compatibility
====================

Django 5.1 supports Python 3.10, 3.11, 3.12, and 3.13 (as of 5.1.3). We
**highly recommend** and only officially support the latest release of each
series.

.. _whats-new-5.1:

What's new in Django 5.1
========================

``{% querystring %}`` template tag
-----------------------------------

Django 5.1 introduces the :ttag:`{% querystring %} <querystring>` template
tag, simplifying the modification of query parameters in URLs, making it easier
to generate links that maintain existing query parameters while adding or
changing specific ones.

For instance, navigating pagination and query strings in templates can be
cumbersome. Consider this template fragment that dynamically generates a URL
for navigating to the next page within a paginated view:

.. code-block:: html+django

 { Linebreaks added for readability, this should be one, long line. }
 <a href="?{% for key, values in request.GET.iterlists %}
   {% if key != "page" %}
     {% for value in values %}
       {{ key }}={{ value }}&
     {% endfor %}
   {% endif %}
 {% endfor %}page={{ page.next_page_number }}">Next page</a>

When switching to using this new template tag, the above magically becomes:

.. code-block:: html+django

 <a href="{% querystring page=page.next_page_number %}">Next page</a>

PostgreSQL Connection Pools
---------------------------

Django 5.1 also introduces :ref:`connection pool <postgresql-pool>` support for
PostgreSQL. As the time to establish a new connection can be relatively long,
keeping connections open can reduce latency.

To use a connection pool with `psycopg`_, you can set the ``"pool"`` option
inside :setting:`OPTIONS` to be a dict to be passed to
:class:`~psycopg:psycopg_pool.ConnectionPool`, or to ``True`` to use the
``ConnectionPool`` defaults::

 DATABASES = {
     "default": {
         "ENGINE": "django.db.backends.postgresql",
          ...
         "OPTIONS": {
             "pool": {
                 "min_size": 2,
                 "max_size": 4,
                 "timeout": 10,
             }
         },
     },
 }

.. _psycopg: https://www.psycopg.org/

Middleware to require authentication by default
-----------------------------------------------

The new :class:`~django.contrib.auth.middleware.LoginRequiredMiddleware`
redirects all unauthenticated requests to a login page. Views can allow
unauthenticated requests by using the new
:func:`~django.contrib.auth.decorators.login_not_required` decorator.

``LoginRequiredMiddleware`` respects the ``login_url`` and
``redirect_field_name`` values set via the
:func:`~.django.contrib.auth.decorators.login_required` decorator, but does not
support setting ``login_url`` or ``redirect_field_name`` via the
:class:`~django.contrib.auth.mixins.LoginRequiredMixin`.

To enable this, add ``"django.contrib.auth.middleware.LoginRequiredMiddleware"``
to your :setting:`MIDDLEWARE` setting.

Minor features
--------------

:mod:`django.contrib.admin`
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :attr:`.ModelAdmin.list_display` now supports using ``__`` lookups to list
fields from related models.

:mod:`django.contrib.auth`
~~~~~~~~~~~~~~~~~~~~~~~~~~

* The default iteration count for the PBKDF2 password hasher is increased from
720,000 to 870,000.

* The default ``parallelism`` of the ``ScryptPasswordHasher`` is 
increased from 1 to 5, to follow OWASP recommendations.

* The new :class:`~django.contrib.auth.forms.AdminUserCreationForm` and
the existing :class:`~django.contrib.auth.forms.AdminPasswordChangeForm` now
support disabling password-based authentication by setting an unusable
password on form save. This is now available in the admin when visiting the
user creation and password change pages.

* :func:`~.django.contrib.auth.decorators.login_required`,
:func:`~.django.contrib.auth.decorators.permission_required`, and
:func:`~.django.contrib.auth.decorators.user_passes_test` decorators now
support wrapping asynchronous view functions.

* ``ReadOnlyPasswordHashWidget`` now includes a button to reset the user's
password, which replaces the link previously embedded in the
``ReadOnlyPasswordHashField``'s help text, improving the overall
accessibility of the
:class:`~django.contrib.auth.forms.UserChangeForm`.

:mod:`django.contrib.gis`
~~~~~~~~~~~~~~~~~~~~~~~~~

* :class:`~django.contrib.gis.db.models.functions.BoundingCircle` is now
supported on SpatiaLite 5.1+.

* :class:`~django.contrib.gis.db.models.Collect` is now supported on MySQL
8.0.24+.

* :class:`~django.contrib.gis.geoip2.GeoIP2` now allows querying using
:class:`ipaddress.IPv4Address` or :class:`ipaddress.IPv6Address` objects.

* :meth:`.GeoIP2.country` now exposes the ``continent_code``,
``continent_name``, and ``is_in_european_union`` values.

* :meth:`.GeoIP2.city` now exposes the ``accuracy_radius`` and ``region_name``
values. In addition, the ``dma_code`` and ``region`` values are now exposed
as ``metro_code`` and ``region_code``, but the previous keys are also
retained for backward compatibility.

* :class:`~django.contrib.gis.measure.Area` now supports the ``ha`` unit.

* The new :attr:`.OGRGeometry.is_3d` attribute allows checking if a geometry
has a ``Z`` coordinate dimension.

* The new :meth:`.OGRGeometry.set_3d` method allows addition and removal of the
``Z`` coordinate dimension.

* :class:`~django.contrib.gis.gdal.OGRGeometry`,
:class:`~django.contrib.gis.gdal.Point`,
:class:`~django.contrib.gis.gdal.LineString`,
:class:`~django.contrib.gis.gdal.Polygon`, and
:class:`~django.contrib.gis.gdal.GeometryCollection` and its subclasses now
support measured geometries via the new :attr:`.OGRGeometry.is_measured` and
``m`` properties, and the :meth:`.OGRGeometry.set_measured` method.

* :attr:`.OGRGeometry.centroid` is now available on all supported geometry
types.

* :class:`FromWKB() <django.contrib.gis.db.models.functions.FromWKB>` and
:class:`FromWKT() <django.contrib.gis.db.models.functions.FromWKT>` functions
now support the optional ``srid`` argument (except for Oracle where it is
ignored).

:mod:`django.contrib.postgres`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :class:`~django.contrib.postgres.indexes.BTreeIndex` now supports the
``deduplicate_items`` parameter.

:mod:`django.contrib.sessions`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :class:`django.contrib.sessions.backends.cached_db.SessionStore` now handles
exceptions when storing session information in the cache, logging proper
error messages with their traceback via the newly added
:ref:`sessions logger <django-contrib-sessions-logger>`.

* :class:`django.contrib.sessions.backends.base.SessionBase` and all built-in
session engines now provide async API. The new asynchronous methods all have
``a`` prefixed names, e.g. ``aget()``, ``akeys()``, or ``acycle_key()``.

Database backends
~~~~~~~~~~~~~~~~~

* ``"init_command"`` option is now supported in :setting:`OPTIONS` on SQLite
to allow specifying :ref:`pragma options <sqlite-init-command>` to set upon
connection.

* ``"transaction_mode"`` option is now supported in :setting:`OPTIONS` on
SQLite to allow specifying the :ref:`sqlite-transaction-behavior`.

* ``"pool"`` option is now supported in :setting:`OPTIONS` on PostgreSQL to
allow using :ref:`connection pools <postgresql-pool>`.

Error Reporting
~~~~~~~~~~~~~~~

* In order to improve accessibility, the technical 404 and 500 error pages now
use HTML landmark elements for the header, footer, and main content areas.

File Storage
~~~~~~~~~~~~

* The :attr:`~django.core.files.storage.FileSystemStorage.allow_overwrite`
parameter of :class:`~django.core.files.storage.FileSystemStorage` now allows
saving new files over existing ones.

Forms
~~~~~

* In order to improve accessibility and enable screen readers to associate
fieldsets with their help text, the form fieldset now includes the
``aria-describedby`` HTML attribute.

Management Commands
~~~~~~~~~~~~~~~~~~~

* The :djadmin:`makemigrations` command now displays meaningful symbols for
each operation to highlight :class:`operation categories
<django.db.migrations.operations.base.OperationCategory>`.

Migrations
~~~~~~~~~~

* The new ``Operation.category`` attribute allows specifying an
:class:`operation category
<django.db.migrations.operations.base.OperationCategory>` used by the
:djadmin:`makemigrations` to display a meaningful symbol for the operation.

Models
~~~~~~

* :meth:`.QuerySet.explain` now supports the ``generic_plan`` option on
PostgreSQL 16+.

* :class:`~django.db.models.expressions.RowRange` now accepts positive integers
for the ``start`` argument and negative integers for the ``end`` argument.

* The new ``exclusion`` argument of
:class:`~django.db.models.expressions.RowRange` and
:class:`~django.db.models.expressions.ValueRange` allows excluding rows,
groups, and ties from the window frames.

* :meth:`.QuerySet.order_by` now supports ordering by annotation transforms
such as ``JSONObject`` keys and ``ArrayAgg`` indices.

* :class:`F() <django.db.models.F>` and :class:`OuterRef()
<django.db.models.OuterRef>` expressions that output
:class:`~django.db.models.CharField`, :class:`~django.db.models.EmailField`,
:class:`~django.db.models.SlugField`, :class:`~django.db.models.URLField`,
:class:`~django.db.models.TextField`, or
:class:`~django.contrib.postgres.fields.ArrayField` can now be :ref:`sliced
<slicing-using-f>`.

* The new ``from_queryset`` argument of :meth:`.Model.refresh_from_db` and
:meth:`.Model.arefresh_from_db`  allows customizing the queryset used to
reload a model's value. This can be used to lock the row before reloading or
to select related objects.

* The new :attr:`.Expression.constraint_validation_compatible` attribute allows
specifying that the expression should be ignored during a constraint
validation.

Templates
~~~~~~~~~

* Custom tags may now set extra data on the ``Parser`` object that will later
be made available on the ``Template`` instance. Such data may be used, for
example, by the template loader, or other template clients.

* :ref:`Template engines <field-checking>` now implement a ``check()`` method
that is already registered with the check framework.

Tests
~~~~~

* :meth:`~django.test.SimpleTestCase.assertContains`,
:meth:`~django.test.SimpleTestCase.assertNotContains`, and
:meth:`~django.test.SimpleTestCase.assertInHTML` assertions now add haystacks
to assertion error messages.

* The :class:`~django.test.RequestFactory`,
:class:`~django.test.AsyncRequestFactory`, :class:`~django.test.Client`, and
:class:`~django.test.AsyncClient` classes now support the ``query_params``
parameter, which accepts a dictionary of query string keys and values. This
allows setting query strings on any HTTP methods more easily.

.. code-block:: python

  self.client.post("/items/1", query_params={"action": "delete"})
  await self.async_client.post("/items/1", query_params={"action": "delete"})

* The new :meth:`.SimpleTestCase.assertNotInHTML` assertion allows testing that
an HTML fragment is not contained in the given HTML haystack.

* In order to enforce test isolation, database connections inside threads are
no longer allowed in :class:`~django.test.SimpleTestCase`.

Validators
~~~~~~~~~~

* The new :class:`~django.core.validators.DomainNameValidator` validates domain
names, including internationalized domain names. The new
:func:`~django.core.validators.validate_domain_name` function returns an
instance of :class:`~django.core.validators.DomainNameValidator`.

.. _backwards-incompatible-5.1:

Backwards incompatible changes in 5.1
=====================================

:mod:`django.contrib.gis`
-------------------------

* Support for PostGIS 2.5 is removed.

* Support for PROJ < 6 is removed.

* Support for GDAL 2.4 is removed.

* :class:`~django.contrib.gis.geoip2.GeoIP2` no longer opens both city and
country databases when a directory path is provided, preferring the city
database, if it is available. The country database is a subset of the city
database and both are not typically needed. If you require use of the country
database when in the same directory as the city database, explicitly pass the
country database path to the constructor.

Dropped support for MariaDB 10.4
--------------------------------

Upstream support for MariaDB 10.4 ends in June 2024. Django 5.1 supports
MariaDB 10.5 and higher.

Dropped support for PostgreSQL 12
---------------------------------

Upstream support for PostgreSQL 12 ends in November 2024. Django 5.1 supports
PostgreSQL 13 and higher.

Miscellaneous
-------------

* In order to improve accessibility, the admin's changelist filter is now
rendered in a ``<nav>`` tag instead of a ``<div>``.

* In order to improve accessibility, the admin's footer is now rendered in
a ``<footer>`` tag instead of a ``<div>``, and also moved below the
``<div id="main">`` element.

* In order to improve accessibility, the expandable widget used for
:attr:`ModelAdmin.fieldsets <django.contrib.admin.ModelAdmin.fieldsets>` and
:attr:`InlineModelAdmin.fieldsets <django.contrib.admin.InlineModelAdmin>`,
when the fieldset has a name and use the ``collapse`` class, now includes
``<details>`` and ``<summary>`` elements.

* The JavaScript file ``collapse.js`` is removed since it is no longer needed
in the Django admin site.

* :meth:`.SimpleTestCase.assertURLEqual` and
:meth:`~django.test.SimpleTestCase.assertInHTML` now add ``": "`` to the
``msg_prefix``. This is consistent with the behavior of other assertions.

* ``django.utils.text.Truncator`` used by :tfilter:`truncatechars_html` and
:tfilter:`truncatewords_html` template filters now uses
:py:class:`html.parser.HTMLParser` subclasses. This results in a more robust
and faster operation, but there may be small differences in the output.

* The undocumented ``django.urls.converters.get_converter()`` function is
removed.

* The minimum supported version of SQLite is increased from 3.27.0 to 3.31.0.

* :class:`~django.db.models.FileField` now raises a
:class:`~django.core.exceptions.FieldError` when saving a file without a
``name``.

* ``ImageField.update_dimension_fields(force=True)`` is no longer called after
saving the image to storage. If your storage backend resizes images, the
``width_field`` and ``height_field`` will not match the width and height of
the image.

* The minimum supported version of ``asgiref`` is increased from 3.7.0 to
3.8.1.

.. _deprecated-features-5.1:

Features deprecated in 5.1
==========================

Miscellaneous
-------------

* The ``ModelAdmin.log_deletion()`` and ``LogEntryManager.log_action()``
methods are deprecated. Subclasses should implement
``ModelAdmin.log_deletions()`` and  ``LogEntryManager.log_actions()``
instead.

* The undocumented ``django.utils.itercompat.is_iterable()`` function and the
``django.utils.itercompat`` module are deprecated. Use
``isinstance(..., collections.abc.Iterable)`` instead.

* The ``django.contrib.gis.geoip2.GeoIP2.coords()`` method is deprecated. Use
``django.contrib.gis.geoip2.GeoIP2.lon_lat()`` instead.

* The ``django.contrib.gis.geoip2.GeoIP2.open()`` method is deprecated. Use the
:class:`~django.contrib.gis.geoip2.GeoIP2` constructor instead.

* Passing positional arguments to :meth:`.Model.save` and :meth:`.Model.asave`
is deprecated in favor of keyword-only arguments.

* Setting ``django.contrib.gis.gdal.OGRGeometry.coord_dim`` is deprecated. Use
:meth:`~django.contrib.gis.gdal.OGRGeometry.set_3d` instead.

* Overriding existing converters with ``django.urls.register_converter()`` is
deprecated.

* The ``check`` keyword argument of ``CheckConstraint`` is deprecated in favor
of ``condition``.

* The undocumented ``OS_OPEN_FLAGS`` property of
:class:`~django.core.files.storage.FileSystemStorage` is deprecated. To allow
overwriting files in storage, set the new
:attr:`~django.core.files.storage.FileSystemStorage.allow_overwrite` option
to ``True`` instead.

* The ``get_cache_name()`` method of ``FieldCacheMixin`` is deprecated in favor
of the ``cache_name`` cached property.

Features removed in 5.1
=======================

These features have reached the end of their deprecation cycle and are removed
in Django 5.1.

See :ref:`deprecated-features-4.2` for details on these changes, including how
to remove usage of these features.

* The ``BaseUserManager.make_random_password()`` method is removed.

* The model's ``Meta.index_together`` option is removed.

* The ``length_is`` template filter is removed.

* The ``django.contrib.auth.hashers.SHA1PasswordHasher``,
``django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher``, and
``django.contrib.auth.hashers.UnsaltedMD5PasswordHasher`` are removed.

* The model ``django.contrib.postgres.fields.CICharField``,
``django.contrib.postgres.fields.CIEmailField``, and
``django.contrib.postgres.fields.CITextField`` are removed, except for
support in historical migrations.

* The ``django.contrib.postgres.fields.CIText`` mixin is removed.

* The ``map_width`` and ``map_height`` attributes of ``BaseGeometryWidget`` are
removed.

* The ``SimpleTestCase.assertFormsetError()`` method is removed.

* The ``TransactionTestCase.assertQuerysetEqual()`` method is removed.

* Support for passing encoded JSON string literals to ``JSONField`` and
associated lookups and expressions is removed.

* Support for passing positional arguments to ``Signer`` and
``TimestampSigner`` is removed.

* The ``DEFAULT_FILE_STORAGE`` and ``STATICFILES_STORAGE`` settings is removed.

* The ``django.core.files.storage.get_storage_class()`` function is removed.








===========================

5.0.9

===========================

*September 3, 2024*

Django 5.0.9 fixes one security issue with severity "moderate" and one security
issue with severity "low" in 5.0.8.

CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-45231: Potential user email enumeration via response status on password reset
======================================================================================

Due to unhandled email sending failures, the
:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote
attackers to enumerate user emails by issuing password reset requests and
observing the outcomes.

To mitigate this risk, exceptions occurring during password reset email sending
are now handled and logged using the :ref:`django-contrib-auth-logger` logger.


==========================

5.0.8

==========================

*August 6, 2024*

Django 5.0.8 fixes three security issues with severity "moderate", one security
issue with severity "high", and several bugs in 5.0.7.

CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
================================================================================

If :tfilter:`floatformat` received a string representation of a number in
scientific notation with a large exponent, it could lead to significant memory
consumption.

To avoid this, decimals with more than 200 digits are now returned as is.

CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
=======================================================================================================================

:tfilter:`urlize`, :tfilter:`urlizetrunc`, and ``AdminURLFieldWidget`` were
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.

CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
======================================================================================

:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
with a ``JSONField`` were subject to SQL injection in column aliases, via a
crafted JSON object key as a passed ``*arg``.

Bugfixes
========

* Added missing validation for ``UniqueConstraint(nulls_distinct=False)`` when
using ``*expressions`` (:ticket:`35594`).

* Fixed a regression in Django 5.0 where ``ModelAdmin.action_checkbox`` could
break the admin changelist HTML page when rendering a model instance with a
``__html__`` method (:ticket:`35606`).

* Fixed a crash when creating a model with a ``Field.db_default`` and a
``Meta.constraints`` constraint composed of ``__endswith``, ``__startswith``,
or ``__contains`` lookups (:ticket:`35625`).

* Fixed a regression in Django 5.0.7 that caused a crash in
``LocaleMiddleware`` when processing a language code over 500 characters
(:ticket:`35627`).

* Fixed a bug in Django 5.0 that caused a system check crash when
``ModelAdmin.date_hierarchy`` was a ``GeneratedField`` with an
``output_field`` of ``DateField`` or ``DateTimeField`` (:ticket:`35628`).

* Fixed a bug in Django 5.0 which caused constraint validation to either crash
or incorrectly raise validation errors for constraints referring to fields
using ``Field.db_default`` (:ticket:`35638`).

* Fixed a crash in Django 5.0 when saving a model containing a ``FileField``
with a ``db_default`` set (:ticket:`35657`).


==========================

5.0.7

==========================

*July 9, 2024*

Django 5.0.7 fixes two security issues with severity "moderate", two security
issues with severity "low", and one bug in 5.0.6.

CVE-2024-38875: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via certain inputs with a very large number of
brackets.

CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
================================================================================================

The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
allowed remote attackers to enumerate users via a timing attack involving login
requests for users with unusable passwords.

CVE-2024-39330: Potential directory-traversal via ``Storage.save()``
====================================================================

Derived classes of the :class:`~django.core.files.storage.Storage` base class
which override :meth:`generate_filename()
<django.core.files.storage.Storage.generate_filename()>` without replicating
the file path validations existing in the parent class, allowed for potential
directory-traversal via certain inputs when calling :meth:`save()
<django.core.files.storage.Storage.save()>`.

Built-in ``Storage`` sub-classes were not affected by this vulnerability.

CVE-2024-39614: Potential denial-of-service vulnerability in ``get_supported_language_variant()``
=================================================================================================

:meth:`~django.utils.translation.get_supported_language_variant` was subject to
a potential denial-of-service attack when used with very long strings
containing specific characters.

To mitigate this vulnerability, the language code provided to
:meth:`~django.utils.translation.get_supported_language_variant` is now parsed
up to a maximum length of 500 characters.

When the language code is over 500 characters, a :exc:`ValueError` will now be
raised if ``strict`` is ``True``, or if there is no generic variant and
``strict`` is ``False``.

Bugfixes
========

* Fixed a bug in Django 5.0 that caused a crash of ``Model.full_clean()`` on
unsaved model instances with a ``GeneratedField`` and certain defined
:attr:`Meta.constraints <django.db.models.Options.constraints>`
(:ticket:`35560`).


==========================

5.0.6

==========================

*May 7, 2024*

Django 5.0.6 fixes a packaging error in 5.0.5.


==========================

5.0.5

==========================

*May 6, 2024*

Django 5.0.5 fixes several bugs in 5.0.4.

Bugfixes
========

* Fixed a bug in Django 5.0 that caused a crash of ``Model.save()`` when
creating an instance of a model with a ``GeneratedField`` and providing a
primary key (:ticket:`35350`).

* Fixed a compatibility issue encountered in Python 3.11.9+ and 3.12.3+ when
validating email max line lengths with content decoded using the
``surrogateescape`` error handling scheme (:ticket:`35361`).

* Fixed a bug in Django 5.0 that caused a crash when applying migrations
including alterations to ``GeneratedField`` such as setting ``db_index=True``
on SQLite (:ticket:`35373`).

* Allowed importing ``aprefetch_related_objects`` from ``django.db.models``
(:ticket:`35392`).

* Fixed a bug in Django 5.0 that caused a migration crash when a
``GeneratedField`` was added before any of the referenced fields from its
``expression`` definition (:ticket:`35359`).

* Fixed a bug in Django 5.0 that caused a migration crash when altering a
``GeneratedField`` referencing a renamed field (:ticket:`35422`).

* Fixed a bug in Django 5.0 where the ``querysets`` argument of
``GenericPrefetch`` was not required (:ticket:`35426`).


==========================

5.0.4

==========================

*April 3, 2024*

Django 5.0.4 fixes several bugs in 5.0.3.

Bugfixes
========

* Fixed a bug in Django 5.0 that caused a crash of ``Model.full_clean()`` on
fields with expressions in ``db_default``. As a consequence,
``Model.full_clean()`` no longer validates for empty values in fields with
``db_default`` (:ticket:`35223`).

* Fixed a regression in Django 5.0 where the ``AdminFileWidget`` could be
rendered with two ``id`` attributes on the "Clear" checkbox
(:ticket:`35273`).

* Fixed a bug in Django 5.0 that caused a migration crash on PostgreSQL 15+
when adding a partial ``UniqueConstraint`` with ``nulls_distinct``
(:ticket:`35329`).

* Fixed a crash in Django 5.0 when performing queries involving table aliases
and lookups on a ``GeneratedField`` of the aliased table (:ticket:`35344`).

* Fixed a bug in Django 5.0 that caused a migration crash when adding a
``GeneratedField`` relying on the ``__contains`` or ``__icontains``
lookups or using a ``Value`` containing a ``"%"`` (:ticket:`35336`).


==========================

5.0.3

==========================

*March 4, 2024*

Django 5.0.3 fixes a security issue with severity "moderate" and several bugs
in 5.0.2.

CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
=========================================================================================================

``django.utils.text.Truncator.words()`` method (with ``html=True``) and
:tfilter:`truncatewords_html` template filter were subject to a potential
regular expression denial-of-service attack using a suitably crafted string
(follow up to :cve:`2019-14232` and :cve:`2023-43665`).

Bugfixes
========

* Fixed a regression in Django 5.0.2 where ``intcomma`` template filter could
return a leading comma for string representation of floats (:ticket:`35172`).

* Fixed a bug in Django 5.0 that caused a crash of ``Signal.asend()`` and
``asend_robust()`` when all receivers were asynchronous functions
(:ticket:`35174`).

* Fixed a regression in Django 5.0.1 where :meth:`.ModelAdmin.lookup_allowed`
would prevent filtering against foreign keys using lookups like ``__isnull``
when the field was not included in :attr:`.ModelAdmin.list_filter`
(:ticket:`35173`).

* Fixed a regression in Django 5.0 that caused a crash of
``sensitive_variables`` and ``sensitive_post_parameters`` decorators on
functions loaded from ``.pyc`` files (:ticket:`35187`).

* Fixed a regression in Django 5.0 that caused a crash when reloading a test
database and a base queryset for a base manager used ``prefetch_related()``
(:ticket:`35238`).

* Fixed a bug in Django 5.0 where facet filters in the admin would crash on a
``SimpleListFilter`` using a queryset without primary keys (:ticket:`35198`).


==========================

5.0.2

==========================

*February 6, 2024*

Django 5.0.2 fixes a security issue with severity "moderate" and several bugs
in 5.0.1. Also, the latest string translations from Transifex are incorporated.

CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
===========================================================================

The ``intcomma`` template filter was subject to a potential denial-of-service
attack when used with very long strings.

Bugfixes
========

* Reallowed, following a regression in Django 5.0.1, filtering against local
foreign keys not included in :attr:`.ModelAdmin.list_filter`
(:ticket:`35087`).

* Fixed a regression in Django 5.0 where links in the admin had an incorrect
color (:ticket:`35121`).

* Fixed a bug in Django 5.0 that caused a crash of ``Model.full_clean()`` on
models with a ``GeneratedField`` (:ticket:`35127`).

* Fixed a regression in Django 5.0 that caused a crash of
``FilteredRelation()`` with querysets as right-hand sides (:ticket:`35135`).
``FilteredRelation()`` now raises a ``ValueError`` on querysets as right-hand
sides.

* Fixed a regression in Django 5.0 that caused a crash of the ``dumpdata``
management command when a base queryset used ``prefetch_related()``
(:ticket:`35159`).

* Fixed a regression in Django 5.0 that caused the ``request_finished`` signal to
sometimes not be fired when running Django through an ASGI server, resulting
in potential resource leaks (:ticket:`35059`).

* Fixed a bug in Django 5.0 that caused a migration crash on MySQL when adding
a ``BinaryField``, ``TextField``, ``JSONField``, or ``GeometryField`` with a
``db_default`` (:ticket:`35162`).

* Fixed a bug in Django 5.0 that caused a migration crash on models with a
literal ``db_default`` of a complex type such as ``dict`` instance of a
``JSONField``. Running ``makemigrations`` might generate no-op ``AlterField``
operations for fields using ``db_default`` (:ticket:`35149`).


==========================

5.0.1

==========================

*January 2, 2024*

Django 5.0.1 fixes several bugs in 5.0.

Bugfixes
========

* Reallowed, following a regression in Django 5.0, using a foreign key to a
model with a primary key that is not ``AutoField`` in
:attr:`.ModelAdmin.list_filter` (:ticket:`35020`).

* Fixed a long standing bug in handling the ``RETURNING INTO`` clause that
caused a crash when creating a model instance with a ``GeneratedField`` which
``output_field`` had backend-specific converters (:ticket:`35024`).

* Fixed a regression in Django 5.0 that caused a crash of ``Model.save()`` for
models with both ``GeneratedField`` and ``ForeignKey`` fields
(:ticket:`35019`).

* Fixed a bug in Django 5.0 that caused a migration crash on Oracle < 23c when
adding a ``GeneratedField`` with ``output_field=BooleanField``
(:ticket:`35018`).

* Fixed a regression in Django 5.0 where admin fields on the same line could
overflow the page and become non-interactive (:ticket:`35012`).

* Added compatibility for ``oracledb`` 2.0.0 (:ticket:`35054`).

* Fixed a regression in Django 5.0 where querysets referenced incorrect field
names from ``FilteredRelation()`` (:ticket:`35050`).

* Fixed a regression in Django 5.0 that caused a system check crash when
``ModelAdmin.filter_horizontal`` or ``filter_vertical`` contained a reverse
many-to-many relation with ``related_name`` (:ticket:`35056`).


========================

5.0

========================

*December 4, 2023*

Welcome to Django 5.0!

These release notes cover the :ref:`new features <whats-new-5.0>`, as well as
some :ref:`backwards incompatible changes <backwards-incompatible-5.0>` you'll
want to be aware of when upgrading from Django 4.2 or earlier. We've
:ref:`begun the deprecation process for some features
<deprecated-features-5.0>`.

See the :doc:`/howto/upgrade-version` guide if you're updating an existing
project.

Python compatibility
====================

Django 5.0 supports Python 3.10, 3.11, and 3.12. We **highly recommend** and
only officially support the latest release of each series.

The Django 4.2.x series is the last to support Python 3.8 and 3.9.

Third-party library support for older version of Django
=======================================================

Following the release of Django 5.0, we suggest that third-party app authors
drop support for all versions of Django prior to 4.2. At that time, you should
be able to run your package's tests using ``python -Wd`` so that deprecation
warnings appear. After making the deprecation warning fixes, your app should be
compatible with Django 5.0.

.. _whats-new-5.0:

What's new in Django 5.0
========================

Facet filters in the admin
--------------------------

Facet counts are now shown for applied filters in the admin changelist when
toggled on via the UI. This behavior can be changed via the new
:attr:`.ModelAdmin.show_facets` attribute. For more information see
:ref:`facet-filters`.

Simplified templates for form field rendering
---------------------------------------------

Django 5.0 introduces the concept of a field group, and field group templates.
This simplifies rendering of the related elements of a Django form field such
as its label, widget, help text, and errors.

For example, the template below:

.. code-block:: html+django

 <form>
 ...
 <div>
   {{ form.name.label_tag }}
   {% if form.name.help_text %}
     <div class="helptext" id="{{ form.name.auto_id }}_helptext">
       {{ form.name.help_text|safe }}
     </div>
   {% endif %}
   {{ form.name.errors }}
   {{ form.name }}
   <div class="row">
     <div class="col">
       {{ form.email.label_tag }}
       {% if form.email.help_text %}
         <div class="helptext" id="{{ form.email.auto_id }}_helptext">
           {{ form.email.help_text|safe }}
         </div>
       {% endif %}
       {{ form.email.errors }}
       {{ form.email }}
     </div>
     <div class="col">
       {{ form.password.label_tag }}
       {% if form.password.help_text %}
         <div class="helptext" id="{{ form.password.auto_id }}_helptext">
           {{ form.password.help_text|safe }}
         </div>
       {% endif %}
       {{ form.password.errors }}
       {{ form.password }}
     </div>
   </div>
 </div>
 ...
 </form>

Can now be simplified to:

.. code-block:: html+django

 <form>
 ...
 <div>
   {{ form.name.as_field_group }}
   <div class="row">
     <div class="col">{{ form.email.as_field_group }}</div>
     <div class="col">{{ form.password.as_field_group }}</div>
   </div>
 </div>
 ...
 </form>

:meth:`~django.forms.BoundField.as_field_group` renders fields with the
``"django/forms/field.html"`` template by default and can be customized on a
per-project, per-field, or per-request basis. See
:ref:`reusable-field-group-templates`.

Database-computed default values
--------------------------------

The new :attr:`Field.db_default <django.db.models.Field.db_default>` parameter
sets a database-computed default value. For example::

 from django.db import models
 from django.db.models.functions import Now, Pi


 class MyModel(models.Model):
     age = models.IntegerField(db_default=18)
     created = models.DateTimeField(db_default=Now())
     circumference = models.FloatField(db_default=2 * Pi())

Database generated model field
------------------------------

The new :class:`~django.db.models.GeneratedField` allows creation of database
generated columns. This field can be used on all supported database backends
to create a field that is always computed from other fields. For example::

 from django.db import models
 from django.db.models import F


 class Square(models.Model):
     side = models.IntegerField()
     area = models.GeneratedField(
         expression=F("side") * F("side"),
         output_field=models.BigIntegerField(),
         db_persist=True,
     )

More options for declaring field choices
----------------------------------------

:attr:`.Field.choices` *(for model fields)* and :attr:`.ChoiceField.choices`
*(for form fields)* allow for more flexibility when declaring their values. In
previous versions of Django, ``choices`` should either be a list of 2-tuples,
or an :ref:`field-choices-enum-types` subclass, but the latter required
accessing the ``.choices`` attribute to provide the values in the expected
form::

 from django.db import models

 Medal = models.TextChoices("Medal", "GOLD SILVER BRONZE")

 SPORT_CHOICES = [
     ("Martial Arts", [("judo", "Judo"), ("karate", "Karate")]),
     ("Racket", [("badminton", "Badminton"), ("tennis", "Tennis")]),
     ("unknown", "Unknown"),
 ]


 class Winner(models.Model):
     name = models.CharField(...)
     medal = models.CharField(..., choices=Medal.choices)
     sport = models.CharField(..., choices=SPORT_CHOICES)

Django 5.0 adds support for accepting a mapping or a callable instead of an
iterable, and also no longer requires ``.choices`` to be used directly to
expand :ref:`enumeration types <field-choices-enum-types>`::

 from django.db import models

 Medal = models.TextChoices("Medal", "GOLD SILVER BRONZE")

 SPORT_CHOICES = {   Using a mapping instead of a list of 2-tuples.
     "Martial Arts": {"judo": "Judo", "karate": "Karate"},
     "Racket": {"badminton": "Badminton", "tennis": "Tennis"},
     "unknown": "Unknown",
 }


 def get_scores():
     return [(i, str(i)) for i in range(10)]


 class Winner(models.Model):
     name = models.CharField(...)
     medal = models.CharField(..., choices=Medal)   Using `.choices` not required.
     sport = models.CharField(..., choices=SPORT_CHOICES)
     score = models.IntegerField(choices=get_scores)   A callable is allowed.

Under the hood the provided ``choices`` are normalized into a list of 2-tuples
as the canonical form whenever the ``choices`` value is updated. For more
information, please check the :ref:`mod

[pyup-bot]

Closing this in favor of #259