[PR #299] [CLOSED] Scheduled weekly dependency update for week 49 #310

New issue

Closed

opened 2026-02-26 01:33:59 +03:00 by kerem · 0 comments

kerem commented 2026-02-26 01:33:59 +03:00

Owner

Copy link

📋 Pull Request Information

Original PR: https://github.com/jeffknupp/sandman2/pull/299
Author: @pyup-bot
Created: 12/5/2022
Status: ❌ Closed

Base: master ← Head: pyup-scheduled-update-2022-12-05

---

📝 Commits (10+)

• b216bbb Update flask from 1.1.2 to 2.2.2
• 0188554 Update flask-admin from 1.5.7 to 1.6.0
• 90b7baf Update flask-sqlalchemy from 2.4.4 to 3.0.2
• 711431f Update sqlalchemy from 1.3.20 to 1.4.44
• f9a2501 Update wtforms from 2.3.3 to 3.0.1
• 214372c Update coverage from 5.3 to 6.5.0
• 5d76e2f Update pytest from 6.2.0 to 7.2.0
• 71468fb Update flask-cors from 3.0.9 to 3.0.10
• 228ad1e Update pytest-cov from 2.10.1 to 4.0.0
• 9d5e0f4 Update pytest-flask from 1.1.0 to 1.2.0

📊 Changes

1 file changed (+14 additions, -14 deletions)

View changed files

📝 requirements.txt (+14 -14)

📄 Description

Update Flask from 1.1.2 to 2.2.2.

Changelog

2.2.2

-------------

Released 2022-08-08

-   Update Werkzeug dependency to >= 2.2.2. This includes fixes related
 to the new faster router, header parsing, and the development
 server. :pr:`4754`
-   Fix the default value for ``app.env`` to be ``"production"``. This
 attribute remains deprecated. :issue:`4740`

2.2.1

-------------

Released 2022-08-03

-   Setting or accessing ``json_encoder`` or ``json_decoder`` raises a
 deprecation warning. :issue:`4732`

2.2.0

-------------

Released 2022-08-01

-   Remove previously deprecated code. :pr:`4667`

 -   Old names for some ``send_file`` parameters have been removed.
     ``download_name`` replaces ``attachment_filename``, ``max_age``
     replaces ``cache_timeout``, and ``etag`` replaces ``add_etags``.
     Additionally, ``path`` replaces ``filename`` in
     ``send_from_directory``.
 -   The ``RequestContext.g`` property returning ``AppContext.g`` is
     removed.

-   Update Werkzeug dependency to >= 2.2.
-   The app and request contexts are managed using Python context vars
 directly rather than Werkzeug's ``LocalStack``. This should result
 in better performance and memory use. :pr:`4682`

 -   Extension maintainers, be aware that ``_app_ctx_stack.top``
     and ``_request_ctx_stack.top`` are deprecated. Store data on
     ``g`` instead using a unique prefix, like
     ``g._extension_name_attr``.

-   The ``FLASK_ENV`` environment variable and ``app.env`` attribute are
 deprecated, removing the distinction between development and debug
 mode. Debug mode should be controlled directly using the ``--debug``
 option or ``app.run(debug=True)``. :issue:`4714`
-   Some attributes that proxied config keys on ``app`` are deprecated:
 ``session_cookie_name``, ``send_file_max_age_default``,
 ``use_x_sendfile``, ``propagate_exceptions``, and
 ``templates_auto_reload``. Use the relevant config keys instead.
 :issue:`4716`
-   Add new customization points to the ``Flask`` app object for many
 previously global behaviors.

 -   ``flask.url_for`` will call ``app.url_for``. :issue:`4568`
 -   ``flask.abort`` will call ``app.aborter``.
     ``Flask.aborter_class`` and ``Flask.make_aborter`` can be used
     to customize this aborter. :issue:`4567`
 -   ``flask.redirect`` will call ``app.redirect``. :issue:`4569`
 -   ``flask.json`` is an instance of ``JSONProvider``. A different
     provider can be set to use a different JSON library.
     ``flask.jsonify`` will call ``app.json.response``, other
     functions in ``flask.json`` will call corresponding functions in
     ``app.json``. :pr:`4692`

-   JSON configuration is moved to attributes on the default
 ``app.json`` provider. ``JSON_AS_ASCII``, ``JSON_SORT_KEYS``,
 ``JSONIFY_MIMETYPE``, and ``JSONIFY_PRETTYPRINT_REGULAR`` are
 deprecated. :pr:`4692`
-   Setting custom ``json_encoder`` and ``json_decoder`` classes on the
 app or a blueprint, and the corresponding ``json.JSONEncoder`` and
 ``JSONDecoder`` classes, are deprecated. JSON behavior can now be
 overridden using the ``app.json`` provider interface. :pr:`4692`
-   ``json.htmlsafe_dumps`` and ``json.htmlsafe_dump`` are deprecated,
 the function is built-in to Jinja now. :pr:`4692`
-   Refactor ``register_error_handler`` to consolidate error checking.
 Rewrite some error messages to be more consistent. :issue:`4559`
-   Use Blueprint decorators and functions intended for setup after
 registering the blueprint will show a warning. In the next version,
 this will become an error just like the application setup methods.
 :issue:`4571`
-   ``before_first_request`` is deprecated. Run setup code when creating
 the application instead. :issue:`4605`
-   Added the ``View.init_every_request`` class attribute. If a view
 subclass sets this to ``False``, the view will not create a new
 instance on every request. :issue:`2520`.
-   A ``flask.cli.FlaskGroup`` Click group can be nested as a
 sub-command in a custom CLI. :issue:`3263`
-   Add ``--app`` and ``--debug`` options to the ``flask`` CLI, instead
 of requiring that they are set through environment variables.
 :issue:`2836`
-   Add ``--env-file`` option to the ``flask`` CLI. This allows
 specifying a dotenv file to load in addition to ``.env`` and
 ``.flaskenv``. :issue:`3108`
-   It is no longer required to decorate custom CLI commands on
 ``app.cli`` or ``blueprint.cli`` with ``with_appcontext``, an app
 context will already be active at that point. :issue:`2410`
-   ``SessionInterface.get_expiration_time`` uses a timezone-aware
 value. :pr:`4645`
-   View functions can return generators directly instead of wrapping
 them in a ``Response``. :pr:`4629`
-   Add ``stream_template`` and ``stream_template_string`` functions to
 render a template as a stream of pieces. :pr:`4629`
-   A new implementation of context preservation during debugging and
 testing. :pr:`4666`

 -   ``request``, ``g``, and other context-locals point to the
     correct data when running code in the interactive debugger
     console. :issue:`2836`
 -   Teardown functions are always run at the end of the request,
     even if the context is preserved. They are also run after the
     preserved context is popped.
 -   ``stream_with_context`` preserves context separately from a
     ``with client`` block. It will be cleaned up when
     ``response.get_data()`` or ``response.close()`` is called.

-   Allow returning a list from a view function, to convert it to a
 JSON response like a dict is. :issue:`4672`
-   When type checking, allow ``TypedDict`` to be returned from view
 functions. :pr:`4695`
-   Remove the ``--eager-loading/--lazy-loading`` options from the
 ``flask run`` command. The app is always eager loaded the first
 time, then lazily loaded in the reloader. The reloader always prints
 errors immediately but continues serving. Remove the internal
 ``DispatchingApp`` middleware used by the previous implementation.
 :issue:`4715`

2.1.3

-------------

Released 2022-07-13

-   Inline some optional imports that are only used for certain CLI
 commands. :pr:`4606`
-   Relax type annotation for ``after_request`` functions. :issue:`4600`
-   ``instance_path`` for namespace packages uses the path closest to
 the imported submodule. :issue:`4610`
-   Clearer error message when ``render_template`` and
 ``render_template_string`` are used outside an application context.
 :pr:`4693`

2.1.2

-------------

Released 2022-04-28

-   Fix type annotation for ``json.loads``, it accepts str or bytes.
 :issue:`4519`
-   The ``--cert`` and ``--key`` options on ``flask run`` can be given
 in either order. :issue:`4459`

2.1.1

-------------

Released on 2022-03-30

-   Set the minimum required version of importlib_metadata to 3.6.0,
 which is required on Python < 3.10. :issue:`4502`

2.1.0

-------------

Released 2022-03-28

-   Drop support for Python 3.6. :pr:`4335`
-   Update Click dependency to >= 8.0. :pr:`4008`
-   Remove previously deprecated code. :pr:`4337`

 -   The CLI does not pass ``script_info`` to app factory functions.
 -   ``config.from_json`` is replaced by
     ``config.from_file(name, load=json.load)``.
 -   ``json`` functions no longer take an ``encoding`` parameter.
 -   ``safe_join`` is removed, use ``werkzeug.utils.safe_join``
     instead.
 -   ``total_seconds`` is removed, use ``timedelta.total_seconds``
     instead.
 -   The same blueprint cannot be registered with the same name. Use
     ``name=`` when registering to specify a unique name.
 -   The test client's ``as_tuple`` parameter is removed. Use
     ``response.request.environ`` instead. :pr:`4417`

-   Some parameters in ``send_file`` and ``send_from_directory`` were
 renamed in 2.0. The deprecation period for the old names is extended
 to 2.2. Be sure to test with deprecation warnings visible.

 -   ``attachment_filename`` is renamed to ``download_name``.
 -   ``cache_timeout`` is renamed to ``max_age``.
 -   ``add_etags`` is renamed to ``etag``.
 -   ``filename`` is renamed to ``path``.

-   The ``RequestContext.g`` property is deprecated. Use ``g`` directly
 or ``AppContext.g`` instead. :issue:`3898`
-   ``copy_current_request_context`` can decorate async functions.
 :pr:`4303`
-   The CLI uses ``importlib.metadata`` instead of ``setuptools`` to
 load command entry points. :issue:`4419`
-   Overriding ``FlaskClient.open`` will not cause an error on redirect.
 :issue:`3396`
-   Add an ``--exclude-patterns`` option to the ``flask run`` CLI
 command to specify patterns that will be ignored by the reloader.
 :issue:`4188`
-   When using lazy loading (the default with the debugger), the Click
 context from the ``flask run`` command remains available in the
 loader thread. :issue:`4460`
-   Deleting the session cookie uses the ``httponly`` flag.
 :issue:`4485`
-   Relax typing for ``errorhandler`` to allow the user to use more
 precise types and decorate the same function multiple times.
 :issue:`4095, 4295, 4297`
-   Fix typing for ``__exit__`` methods for better compatibility with
 ``ExitStack``. :issue:`4474`
-   From Werkzeug, for redirect responses the ``Location`` header URL
 will remain relative, and exclude the scheme and domain, by default.
 :pr:`4496`
-   Add ``Config.from_prefixed_env()`` to load config values from
 environment variables that start with ``FLASK_`` or another prefix.
 This parses values as JSON by default, and allows setting keys in
 nested dicts. :pr:`4479`

2.0.3

-------------

Released 2022-02-14

-   The test client's ``as_tuple`` parameter is deprecated and will be
 removed in Werkzeug 2.1. It is now also deprecated in Flask, to be
 removed in Flask 2.1, while remaining compatible with both in
 2.0.x. Use ``response.request.environ`` instead. :pr:`4341`
-   Fix type annotation for ``errorhandler`` decorator. :issue:`4295`
-   Revert a change to the CLI that caused it to hide ``ImportError``
 tracebacks when importing the application. :issue:`4307`
-   ``app.json_encoder`` and ``json_decoder`` are only passed to
 ``dumps`` and ``loads`` if they have custom behavior. This improves
 performance, mainly on PyPy. :issue:`4349`
-   Clearer error message when ``after_this_request`` is used outside a
 request context. :issue:`4333`

2.0.2

-------------

Released 2021-10-04

-   Fix type annotation for ``teardown_*`` methods. :issue:`4093`
-   Fix type annotation for ``before_request`` and ``before_app_request``
 decorators. :issue:`4104`
-   Fixed the issue where typing requires template global
 decorators to accept functions with no arguments. :issue:`4098`
-   Support View and MethodView instances with async handlers. :issue:`4112`
-   Enhance typing of ``app.errorhandler`` decorator. :issue:`4095`
-   Fix registering a blueprint twice with differing names. :issue:`4124`
-   Fix the type of ``static_folder`` to accept ``pathlib.Path``.
 :issue:`4150`
-   ``jsonify`` handles ``decimal.Decimal`` by encoding to ``str``.
 :issue:`4157`
-   Correctly handle raising deferred errors in CLI lazy loading.
 :issue:`4096`
-   The CLI loader handles ``**kwargs`` in a ``create_app`` function.
 :issue:`4170`
-   Fix the order of ``before_request`` and other callbacks that trigger
 before the view returns. They are called from the app down to the
 closest nested blueprint. :issue:`4229`

2.0.1

-------------

Released 2021-05-21

-   Re-add the ``filename`` parameter in ``send_from_directory``. The
 ``filename`` parameter has been renamed to ``path``, the old name
 is deprecated. :pr:`4019`
-   Mark top-level names as exported so type checking understands
 imports in user projects. :issue:`4024`
-   Fix type annotation for ``g`` and inform mypy that it is a namespace
 object that has arbitrary attributes. :issue:`4020`
-   Fix some types that weren't available in Python 3.6.0. :issue:`4040`
-   Improve typing for ``send_file``, ``send_from_directory``, and
 ``get_send_file_max_age``. :issue:`4044`, :pr:`4026`
-   Show an error when a blueprint name contains a dot. The ``.`` has
 special meaning, it is used to separate (nested) blueprint names and
 the endpoint name. :issue:`4041`
-   Combine URL prefixes when nesting blueprints that were created with
 a ``url_prefix`` value. :issue:`4037`
-   Revert a change to the order that URL matching was done. The
 URL is again matched after the session is loaded, so the session is
 available in custom URL converters. :issue:`4053`
-   Re-add deprecated ``Config.from_json``, which was accidentally
 removed early. :issue:`4078`
-   Improve typing for some functions using ``Callable`` in their type
 signatures, focusing on decorator factories. :issue:`4060`
-   Nested blueprints are registered with their dotted name. This allows
 different blueprints with the same name to be nested at different
 locations. :issue:`4069`
-   ``register_blueprint`` takes a ``name`` option to change the
 (pre-dotted) name the blueprint is registered with. This allows the
 same blueprint to be registered multiple times with unique names for
 ``url_for``. Registering the same blueprint with the same name
 multiple times is deprecated. :issue:`1091`
-   Improve typing for ``stream_with_context``. :issue:`4052`

2.0.0

-------------

Released 2021-05-11

-   Drop support for Python 2 and 3.5.
-   Bump minimum versions of other Pallets projects: Werkzeug >= 2,
 Jinja2 >= 3, MarkupSafe >= 2, ItsDangerous >= 2, Click >= 8. Be sure
 to check the change logs for each project. For better compatibility
 with other applications (e.g. Celery) that still require Click 7,
 there is no hard dependency on Click 8 yet, but using Click 7 will
 trigger a DeprecationWarning and Flask 2.1 will depend on Click 8.
-   JSON support no longer uses simplejson. To use another JSON module,
 override ``app.json_encoder`` and ``json_decoder``. :issue:`3555`
-   The ``encoding`` option to JSON functions is deprecated. :pr:`3562`
-   Passing ``script_info`` to app factory functions is deprecated. This
 was not portable outside the ``flask`` command. Use
 ``click.get_current_context().obj`` if it's needed. :issue:`3552`
-   The CLI shows better error messages when the app failed to load
 when looking up commands. :issue:`2741`
-   Add ``SessionInterface.get_cookie_name`` to allow setting the
 session cookie name dynamically. :pr:`3369`
-   Add ``Config.from_file`` to load config using arbitrary file
 loaders, such as ``toml.load`` or ``json.load``.
 ``Config.from_json`` is deprecated in favor of this. :pr:`3398`
-   The ``flask run`` command will only defer errors on reload. Errors
 present during the initial call will cause the server to exit with
 the traceback immediately. :issue:`3431`
-   ``send_file`` raises a ``ValueError`` when passed an ``io`` object
 in text mode. Previously, it would respond with 200 OK and an empty
 file. :issue:`3358`
-   When using ad-hoc certificates, check for the cryptography library
 instead of PyOpenSSL. :pr:`3492`
-   When specifying a factory function with ``FLASK_APP``, keyword
 argument can be passed. :issue:`3553`
-   When loading a ``.env`` or ``.flaskenv`` file, the current working
 directory is no longer changed to the location of the file.
 :pr:`3560`
-   When returning a ``(response, headers)`` tuple from a view, the
 headers replace rather than extend existing headers on the response.
 For example, this allows setting the ``Content-Type`` for
 ``jsonify()``. Use ``response.headers.extend()`` if extending is
 desired. :issue:`3628`
-   The ``Scaffold`` class provides a common API for the ``Flask`` and
 ``Blueprint`` classes. ``Blueprint`` information is stored in
 attributes just like ``Flask``, rather than opaque lambda functions.
 This is intended to improve consistency and maintainability.
 :issue:`3215`
-   Include ``samesite`` and ``secure`` options when removing the
 session cookie. :pr:`3726`
-   Support passing a ``pathlib.Path`` to ``static_folder``. :pr:`3579`
-   ``send_file`` and ``send_from_directory`` are wrappers around the
 implementations in ``werkzeug.utils``. :pr:`3828`
-   Some ``send_file`` parameters have been renamed, the old names are
 deprecated. ``attachment_filename`` is renamed to ``download_name``.
 ``cache_timeout`` is renamed to ``max_age``. ``add_etags`` is
 renamed to ``etag``. :pr:`3828, 3883`
-   ``send_file`` passes ``download_name`` even if
 ``as_attachment=False`` by using ``Content-Disposition: inline``.
 :pr:`3828`
-   ``send_file`` sets ``conditional=True`` and ``max_age=None`` by
 default. ``Cache-Control`` is set to ``no-cache`` if ``max_age`` is
 not set, otherwise ``public``. This tells browsers to validate
 conditional requests instead of using a timed cache. :pr:`3828`
-   ``helpers.safe_join`` is deprecated. Use
 ``werkzeug.utils.safe_join`` instead. :pr:`3828`
-   The request context does route matching before opening the session.
 This could allow a session interface to change behavior based on
 ``request.endpoint``. :issue:`3776`
-   Use Jinja's implementation of the ``|tojson`` filter. :issue:`3881`
-   Add route decorators for common HTTP methods. For example,
 ``app.post("/login")`` is a shortcut for
 ``app.route("/login", methods=["POST"])``. :pr:`3907`
-   Support async views, error handlers, before and after request, and
 teardown functions. :pr:`3412`
-   Support nesting blueprints. :issue:`593, 1548`, :pr:`3923`
-   Set the default encoding to "UTF-8" when loading ``.env`` and
 ``.flaskenv`` files to allow to use non-ASCII characters. :issue:`3931`
-   ``flask shell`` sets up tab and history completion like the default
 ``python`` shell if ``readline`` is installed. :issue:`3941`
-   ``helpers.total_seconds()`` is deprecated. Use
 ``timedelta.total_seconds()`` instead. :pr:`3962`
-   Add type hinting. :pr:`3973`.

1.1.4

-------------

Released 2021-05-13

-   Update ``static_folder`` to use ``_compat.fspath`` instead of
 ``os.fspath`` to continue supporting Python < 3.6 :issue:`4050`

1.1.3

-------------

Released 2021-05-13

-   Set maximum versions of Werkzeug, Jinja, Click, and ItsDangerous.
 :issue:`4043`
-   Re-add support for passing a ``pathlib.Path`` for ``static_folder``.
 :pr:`3579`

Links

• PyPI: https://pypi.org/project/flask
• Changelog: https://pyup.io/changelogs/flask/
• Homepage: https://palletsprojects.com/p/flask

Update Flask-Admin from 1.5.7 to 1.6.0.

Changelog

1.6.0

-----

* Dropped Python 2 support
* WTForms 3.0 support
* Various fixes

1.5.8

-----

* SQLAlchemy 1.4.5+ compatibility fixes
* Redis CLI fixes

Links

• PyPI: https://pypi.org/project/flask-admin
• Changelog: https://pyup.io/changelogs/flask-admin/
• Repo: https://github.com/flask-admin/flask-admin/
• Docs: https://pythonhosted.org/Flask-Admin/

Update Flask-SQLAlchemy from 2.4.4 to 3.0.2.

Changelog

3.0.2

-------------

Released 2022-10-14

-   Update compatibility with SQLAlchemy 2. :issue:`1122`

3.0.1

-------------

Released 2022-10-11

-   Export typing information instead of using external typeshed definitions.
 :issue:`1112`
-   If default engine options are set, but ``SQLALCHEMY_DATABASE_URI`` is not set, an
 invalid default bind will not be configured. :issue:`1117`

3.0.0

-------------

Released 2022-10-04

-   Drop support for Python 2, 3.4, 3.5, and 3.6.
-   Bump minimum version of Flask to 2.2.
-   Bump minimum version of SQLAlchemy to 1.4.18.
-   Remove previously deprecated code.
-   The session is scoped to the current app context instead of the thread. This
 requires that an app context is active. This ensures that the session is cleaned up
 after every request.
-   An active Flask application context is always required to access ``session`` and
 ``engine``, regardless of if an application was passed to the constructor.
 :issue:`508, 944`
-   Different bind keys use different SQLAlchemy ``MetaData`` registries, allowing
 tables in different databases to have the same name. Bind keys are stored and looked
 up on the resulting metadata rather than the model or table.
-   ``SQLALCHEMY_DATABASE_URI`` does not default to ``sqlite:///:memory:``. An error is
 raised if neither it nor ``SQLALCHEMY_BINDS`` define any engines. :pr:`731`
-   Configuring SQLite with a relative path is relative to ``app.instance_path`` instead
 of ``app.root_path``. The instance folder is created if necessary. :issue:`462`
-   Added ``get_or_404``, ``first_or_404``, ``one_or_404``, and ``paginate`` methods to
 the extension object. These use SQLAlchemy's preferred ``session.execute(select())``
 pattern instead of the legacy query interface. :issue:`1088`
-   Setup methods that create the engines and session are renamed with a leading
 underscore. They are considered internal interfaces which may change at any time.
-   All parameters to ``SQLAlchemy`` except ``app`` are keyword-only.
-   Renamed the ``bind`` parameter to ``bind_key`` and removed the ``app`` parameter
 from various ``SQLAlchemy`` methods.
-   The extension object uses ``__getattr__`` to alias names from the SQLAlchemy
 package, rather than copying them as attributes.
-   The extension object is stored directly as ``app.extensions["sqlalchemy"]``.
 :issue:`698`
-   The session class can be customized by passing the ``class_`` key in the
 ``session_options`` parameter. :issue:`327`
-   ``SignallingSession`` is renamed to ``Session``.
-   ``Session.get_bind`` more closely matches the base implementation.
-   Model classes and the ``db`` instance are available without imports in
 ``flask shell``. :issue:`1089`
-   The ``CamelCase`` to ``snake_case`` table name converter handles more patterns
 correctly. If model that was already created in the database changed, either use
 Alembic to rename the table, or set ``__tablename__`` to keep the old name.
 :issue:`406`
-   ``Model`` ``repr`` distinguishes between transient and pending instances.
 :issue:`967`
-   A custom model class can implement ``__init_subclass__`` with class parameters.
 :issue:`1002`
-   ``db.Table`` is a subclass instead of a function.
-   The ``engine_options`` parameter is applied as defaults before per-engine
 configuration.
-   ``SQLALCHEMY_BINDS`` values can either be an engine URL, or a dict of engine options
 including URL, for each bind. ``SQLALCHEMY_DATABASE_URI`` and
 ``SQLALCHEMY_ENGINE_OPTIONS`` correspond to the ``None`` key and take precedence.
 :issue:`783`
-   Engines are created when calling ``init_app`` rather than the first time they are
 accessed. :issue:`698`
-   ``db.engines`` exposes the map of bind keys to engines for the current app.
-   ``get_engine``, ``get_tables_for_bind``, and ``get_binds`` are deprecated.
-   SQLite driver-level URIs that look like ``sqlite:///file:name.db?uri=true`` are
 supported. :issue:`998, 1045`
-   SQLite engines do not use ``NullPool`` if ``pool_size`` is 0.
-   MySQL engines use the "utf8mb4" charset by default. :issue:`875`
-   MySQL engines do not set ``pool_size`` to 10.
-   MySQL engines don't set a default for ``pool_recycle`` if not using a queue pool.
 :issue:`803`
-   ``Query`` is renamed from ``BaseQuery``.
-   Added ``Query.one_or_404``.
-   The query class is applied to ``backref`` in ``relationship``. :issue:`417`
-   Creating ``Pagination`` objects manually is no longer a public API. They should be
 created with ``db.paginate`` or ``query.paginate``. :issue:`1088`
-   ``Pagination.iter_pages`` and ``Query.paginate`` parameters are keyword-only.
-   ``Pagination`` is iterable, iterating over its items. :issue:`70`
-   Pagination count query is more efficient.
-   ``Pagination.iter_pages`` is more efficient. :issue:`622`
-   ``Pagination.iter_pages`` ``right_current`` parameter is inclusive.
-   Pagination ``per_page`` cannot be 0. :issue:`1091`
-   Pagination ``max_per_page`` defaults to 100. :issue:`1091`
-   Added ``Pagination.first`` and ``last`` properties, which give the number of the
 first and last item on the page. :issue:`567`
-   ``SQLALCHEMY_RECORD_QUERIES`` is disabled by default, and is not enabled
 automatically with ``app.debug`` or ``app.testing``. :issue:`1092`
-   ``get_debug_queries`` is renamed to ``get_recorded_queries`` to better match the
 config and functionality.
-   Recorded query info is a dataclass instead of a tuple. The ``context`` attribute is
 renamed to ``location``. Finding the location uses a more inclusive check.
-   ``SQLALCHEMY_TRACK_MODIFICATIONS`` is disabled by default. :pr:`727`
-   ``SQLALCHEMY_COMMIT_ON_TEARDOWN`` is deprecated. It can cause various design issues
 that are difficult to debug. Call ``db.session.commit()`` directly instead.
 :issue:`216`

2.5.1

-------------

Released 2021-03-18

-   Fix compatibility with Python 2.7.

2.5.0

-------------

Released 2021-03-18

-   Update to support SQLAlchemy 1.4.
-   SQLAlchemy ``URL`` objects are immutable. Some internal methods have
 changed to return a new URL instead of ``None``. :issue:`885`

Links

• PyPI: https://pypi.org/project/flask-sqlalchemy
• Changelog: https://pyup.io/changelogs/flask-sqlalchemy/
• Docs: https://pythonhosted.org/flask-sqlalchemy/

Update SQLAlchemy from 1.3.20 to 1.4.44.

Changelog

1.4.44

:released: November 12, 2022

 .. change::
     :tags: bug, sql
     :tickets: 8790

     Fixed critical memory issue identified in cache key generation, where for
     very large and complex ORM statements that make use of lots of ORM aliases
     with subqueries, cache key generation could produce excessively large keys
     that were orders of magnitude bigger than the statement itself. Much thanks
     to Rollo Konig Brock for their very patient, long term help in finally
     identifying this issue.

 .. change::
     :tags: bug, postgresql, mssql
     :tickets: 8770

     For the PostgreSQL and SQL Server dialects only, adjusted the compiler so
     that when rendering column expressions in the RETURNING clause, the "non
     anon" label that's used in SELECT statements is suggested for SQL
     expression elements that generate a label; the primary example is a SQL
     function that may be emitting as part of the column's type, where the label
     name should match the column's name by default. This restores a not-well
     defined behavior that had changed in version 1.4.21 due to :ticket:`6718`,
     :ticket:`6710`. The Oracle dialect has a different RETURNING implementation
     and was not affected by this issue. Version 2.0 features an across the
     board change for its widely expanded support of RETURNING on other
     backends.


 .. change::
     :tags: bug, oracle

     Fixed issue in the Oracle dialect where an INSERT statement that used
     ``insert(some_table).values(...).returning(some_table)`` against a full
     :class:`.Table` object at once would fail to execute, raising an exception.

 .. change::
     :tags: bug, tests
     :tickets: 8793

     Fixed issue where the ``--disable-asyncio`` parameter to the test suite
     would fail to not actually run greenlet tests and would also not prevent
     the suite from using a "wrapping" greenlet for the whole suite. This
     parameter now ensures that no greenlet or asyncio use will occur within the
     entire run when set.

 .. change::
     :tags: bug, tests

     Adjusted the test suite which tests the Mypy plugin to accommodate for
     changes in Mypy 0.990 regarding how it handles message output, which affect
     how sys.path is interpreted when determining if notes and errors should be
     printed for particular files. The change broke the test suite as the files
     within the test directory itself no longer produced messaging when run
     under the mypy API.

.. changelog::

1.4.43

:released: November 4, 2022

 .. change::
     :tags: bug, orm
     :tickets: 8738

     Fixed issue in joined eager loading where an assertion fail would occur
     with a particular combination of outer/inner joined eager loads, when
     eager loading across three mappers where the middle mapper was
     an inherited subclass mapper.


 .. change::
     :tags: bug, oracle
     :tickets: 8708

     Fixed issue where bound parameter names, including those automatically
     derived from similarly-named database columns, which contained characters
     that normally require quoting with Oracle would not be escaped when using
     "expanding parameters" with the Oracle dialect, causing execution errors.
     The usual "quoting" for bound parameters used by the Oracle dialect is not
     used with the "expanding parameters" architecture, so escaping for a large
     range of characters is used instead, now using a list of characters/escapes
     that are specific to Oracle.



 .. change::
     :tags: bug, orm
     :tickets: 8721

     Fixed bug involving :class:`.Select` constructs, where combinations of
     :meth:`.Select.select_from` with :meth:`.Select.join`, as well as when
     using :meth:`.Select.join_from`, would cause the
     :func:`_orm.with_loader_criteria` feature as well as the IN criteria needed
     for single-table inheritance queries to not render, in cases where the
     columns clause of the query did not explicitly include the left-hand side
     entity of the JOIN. The correct entity is now transferred to the
     :class:`.Join` object that's generated internally, so that the criteria
     against the left side entity is correctly added.


 .. change::
     :tags: bug, mssql
     :tickets: 8714

     Fixed issue with :meth:`.Inspector.has_table`, which when used against a
     temporary table with the SQL Server dialect would fail on some Azure
     variants, due to an unnecessary information schema query that is not
     supported on those server versions. Pull request courtesy Mike Barry.

 .. change::
     :tags: bug, orm
     :tickets: 8711

     An informative exception is now raised when the
     :func:`_orm.with_loader_criteria` option is used as a loader option added
     to a specific "loader path", such as when using it within
     :meth:`.Load.options`. This use is not supported as
     :func:`_orm.with_loader_criteria` is only intended to be used as a top
     level loader option. Previously, an internal error would be generated.

 .. change::
     :tags: bug, oracle
     :tickets: 8744

     Fixed issue where the ``nls_session_parameters`` view queried on first
     connect in order to get the default decimal point character may not be
     available depending on Oracle connection modes, and would therefore raise
     an error.  The approach to detecting decimal char has been simplified to
     test a decimal value directly, instead of reading system views, which
     works on any backend / driver.


 .. change::
     :tags: bug, orm
     :tickets: 8753

     Improved "dictionary mode" for :meth:`_orm.Session.get` so that synonym
     names which refer to primary key attribute names may be indicated in the
     named dictionary.

 .. change::
     :tags: bug, engine, regression
     :tickets: 8717

     Fixed issue where the :meth:`.PoolEvents.reset` event hook would not be be
     called in all cases when a :class:`_engine.Connection` were closed and was
     in the process of returning its DBAPI connection to the connection pool.

     The scenario was when the :class:`_engine.Connection` had already emitted
     ``.rollback()`` on its DBAPI connection within the process of returning
     the connection to the pool, where it would then instruct the connection
     pool to forego doing its own "reset" to save on the additional method
     call.  However, this prevented custom pool reset schemes from being
     used within this hook, as such hooks by definition are doing more than
     just calling ``.rollback()``, and need to be invoked under all
     circumstances.  This was a regression that appeared in version 1.4.

     For version 1.4, the :meth:`.PoolEvents.checkin` remains viable as an
     alternate event hook to use for custom "reset" implementations. Version 2.0
     will feature an improved version of :meth:`.PoolEvents.reset` which is
     called for additional scenarios such as termination of asyncio connections,
     and is also passed contextual information about the reset, to allow for
     "custom connection reset" schemes which can respond to different reset
     scenarios in different ways.

 .. change::
     :tags: bug, orm
     :tickets: 8704

     Fixed issue where "selectin_polymorphic" loading for inheritance mappers
     would not function correctly if the :paramref:`_orm.Mapper.polymorphic_on`
     parameter referred to a SQL expression that was not directly mapped on the
     class.

 .. change::
     :tags: bug, orm
     :tickets: 8710

     Fixed issue where the underlying DBAPI cursor would not be closed when
     using the :class:`_orm.Query` object as an iterator, if a user-defined exception
     case were raised within the iteration process, thereby causing the iterator
     to be closed by the Python interpreter.  When using
     :meth:`_orm.Query.yield_per` to create server-side cursors, this would lead
     to the usual MySQL-related issues with server side cursors out of sync,
     and without direct access to the :class:`.Result` object, end-user code
     could not access the cursor in order to close it.

     To resolve, a catch for ``GeneratorExit`` is applied within the iterator
     method, which will close the result object in those cases when the
     iterator were interrupted, and by definition will be closed by the
     Python interpreter.

     As part of this change as implemented for the 1.4 series, ensured that
     ``.close()`` methods are available on all :class:`.Result` implementations
     including :class:`.ScalarResult`, :class:`.MappingResult`.  The 2.0
     version of this change also includes new context manager patterns for use
     with :class:`.Result` classes.

 .. change::
     :tags: bug, engine
     :tickets: 8710

     Ensured all :class:`.Result` objects include a :meth:`.Result.close` method
     as well as a :attr:`.Result.closed` attribute, including on
     :class:`.ScalarResult` and :class:`.MappingResult`.

 .. change::
     :tags: bug, mssql, reflection
     :tickets: 8700

     Fixed issue with :meth:`.Inspector.has_table`, which when used against a
     view with the SQL Server dialect would erroneously return ``False``, due to
     a regression in the 1.4 series which removed support for this on SQL
     Server. The issue is not present in the 2.0 series which uses a different
     reflection architecture. Test support is added to ensure ``has_table()``
     remains working per spec re: views.

 .. change::
     :tags: bug, sql
     :tickets: 8724

     Fixed issue which prevented the :func:`_sql.literal_column` construct from
     working properly within the context of a :class:`.Select` construct as well
     as other potential places where "anonymized labels" might be generated, if
     the literal expression contained characters which could interfere with
     format strings, such as open parenthesis, due to an implementation detail
     of the "anonymous label" structure.


.. changelog::

1.4.42

:released: October 16, 2022

 .. change::
     :tags: bug, asyncio
     :tickets: 8516

     Improved implementation of ``asyncio.shield()`` used in context managers as
     added in :ticket:`8145`, such that the "close" operation is enclosed within
     an ``asyncio.Task`` which is then strongly referenced as the operation
     proceeds. This is per Python documentation indicating that the task is
     otherwise not strongly referenced.

 .. change::
     :tags: bug, orm
     :tickets: 8614

     The :paramref:`_orm.Session.execute.bind_arguments` dictionary is no longer
     mutated when passed to :meth:`_orm.Session.execute` and similar; instead,
     it's copied to an internal dictionary for state changes. Among other
     things, this fixes and issue where the "clause" passed to the
     :meth:`_orm.Session.get_bind` method would be incorrectly referring to the
     :class:`_sql.Select` construct used for the "fetch" synchronization
     strategy, when the actual query being emitted was a :class:`_dml.Delete` or
     :class:`_dml.Update`. This would interfere with recipes for "routing
     sessions".

 .. change::
     :tags: bug, orm
     :tickets: 7094

     A warning is emitted in ORM configurations when an explicit
     :func:`_orm.remote` annotation is applied to columns that are local to the
     immediate mapped class, when the referenced class does not include any of
     the same table columns. Ideally this would raise an error at some point as
     it's not correct from a mapping point of view.

 .. change::
     :tags: bug, orm
     :tickets: 7545

     A warning is emitted when attempting to configure a mapped class within an
     inheritance hierarchy where the mapper is not given any polymorphic
     identity, however there is a polymorphic discriminator column assigned.
     Such classes should be abstract if they never intend to load directly.


 .. change::
     :tags: bug, mssql, regression
     :tickets: 8525

     Fixed yet another regression in SQL Server isolation level fetch (see
     :ticket:`8231`, :ticket:`8475`), this time with "Microsoft Dynamics CRM
     Database via Azure Active Directory", which apparently lacks the
     ``system_views`` view entirely. Error catching has been extended that under
     no circumstances will this method ever fail, provided database connectivity
     is present.

 .. change::
     :tags: orm, bug, regression
     :tickets: 8569

     Fixed regression for 1.4 in :func:`_orm.contains_eager` where the "wrap in
     subquery" logic of :func:`_orm.joinedload` would be inadvertently triggered
     for use of the :func:`_orm.contains_eager` function with similar statements
     (e.g. those that use ``distinct()``, ``limit()`` or ``offset()``), which
     would then lead to secondary issues with queries that used some
     combinations of SQL label names and aliasing. This "wrapping" is not
     appropriate for :func:`_orm.contains_eager` which has always had the
     contract that the user-defined SQL statement is unmodified with the
     exception of adding the appropriate columns to be fetched.

 .. change::
     :tags: bug, orm, regression
     :tickets: 8507

     Fixed regression where using ORM update() with synchronize_session='fetch'
     would fail due to the use of evaluators that are now used to determine the
     in-Python value for expressions in the the SET clause when refreshing
     objects; if the evaluators make use of math operators against non-numeric
     values such as PostgreSQL JSONB, the non-evaluable condition would fail to
     be detected correctly. The evaluator now limits the use of math mutation
     operators to numeric types only, with the exception of "+" that continues
     to work for strings as well. SQLAlchemy 2.0 may alter this further by
     fetching the SET values completely rather than using evaluation.

 .. change::
     :tags: usecase, postgresql
     :tickets: 8574

     :class:`_postgresql.aggregate_order_by` now supports cache generation.

 .. change::
     :tags: bug, mysql
     :tickets: 8588

     Adjusted the regular expression used to match "CREATE VIEW" when
     testing for views to work more flexibly, no longer requiring the
     special keyword "ALGORITHM" in the middle, which was intended to be
     optional but was not working correctly.  The change allows view reflection
     to work more completely on MySQL-compatible variants such as StarRocks.
     Pull request courtesy John Bodley.

 .. change::
     :tags: bug, engine
     :tickets: 8536

     Fixed issue where mixing "*" with additional explicitly-named column
     expressions within the columns clause of a :func:`_sql.select` construct
     would cause result-column targeting to sometimes consider the label name or
     other non-repeated names to be an ambiguous target.

.. changelog::

1.4.41

:released: September 6, 2022

 .. change::
     :tags: bug, sql
     :tickets: 8441

     Fixed issue where use of the :func:`_sql.table` construct, passing a string
     for the :paramref:`_sql.table.schema` parameter, would fail to take the
     "schema" string into account when producing a cache key, thus leading to
     caching collisions if multiple, same-named :func:`_sql.table` constructs
     with different schemas were used.


 .. change::
     :tags: bug, events, orm
     :tickets: 8467

     Fixed event listening issue where event listeners added to a superclass
     would be lost if a subclass were created which then had its own listeners
     associated. The practical example is that of the :class:`.sessionmaker`
     class created after events have been associated with the
     :class:`_orm.Session` class.

 .. change::
     :tags: orm, bug
     :tickets: 8401

     Hardened the cache key strategy for the :func:`_orm.aliased` and
     :func:`_orm.with_polymorphic` constructs. While no issue involving actual
     statements being cached can easily be demonstrated (if at all), these two
     constructs were not including enough of what makes them unique in their
     cache keys for caching on the aliased construct alone to be accurate.

 .. change::
     :tags: bug, orm, regression
     :tickets: 8456

     Fixed regression appearing in the 1.4 series where a joined-inheritance
     query placed as a subquery within an enclosing query for that same entity
     would fail to render the JOIN correctly for the inner query. The issue
     manifested in two different ways prior and subsequent to version 1.4.18
     (related issue :ticket:`6595`), in one case rendering JOIN twice, in the
     other losing the JOIN entirely. To resolve, the conditions under which
     "polymorphic loading" are applied have been scaled back to not be invoked
     for simple joined inheritance queries.

 .. change::
     :tags: bug, orm
     :tickets: 8446

     Fixed issue in :mod:`sqlalchemy.ext.mutable` extension where collection
     links to the parent object would be lost if the object were merged with
     :meth:`.Session.merge` while also passing :paramref:`.Session.merge.load`
     as False.

 .. change::
     :tags: bug, orm
     :tickets: 8399

     Fixed issue involving :func:`_orm.with_loader_criteria` where a closure
     variable used as bound parameter value within the lambda would not carry
     forward correctly into additional relationship loaders such as
     :func:`_orm.selectinload` and :func:`_orm.lazyload` after the statement
     were cached, using the stale originally-cached value instead.


 .. change::
     :tags: bug, mssql, regression
     :tickets: 8475

     Fixed regression caused by the fix for :ticket:`8231` released in 1.4.40
     where connection would fail if the user did not have permission to query
     the ``dm_exec_sessions`` or ``dm_pdw_nodes_exec_sessions`` system views
     when trying to determine the current transaction isolation level.

 .. change::
     :tags: bug, asyncio
     :tickets: 8419

     Integrated support for asyncpg's ``terminate()`` method call for cases
     where the connection pool is recycling a possibly timed-out connection,
     where a connection is being garbage collected that wasn't gracefully
     closed, as well as when the connection has been invalidated. This allows
     asyncpg to abandon the connection without waiting for a response that may
     incur long timeouts.

.. changelog::

1.4.40

:released: August 8, 2022

 .. change::
     :tags: bug, orm
     :tickets: 8357

     Fixed issue where referencing a CTE multiple times in conjunction with a
     polymorphic SELECT could result in multiple "clones" of the same CTE being
     constructed, which would then trigger these two CTEs as duplicates. To
     resolve, the two CTEs are deep-compared when this occurs to ensure that
     they are equivalent, then are treated as equivalent.


 .. change::
     :tags: bug, orm, declarative
     :tickets: 8190

     Fixed issue where a hierarchy of classes set up as an abstract or mixin
     declarative classes could not declare standalone columns on a superclass
     that would then be copied correctly to a :class:`_orm.declared_attr`
     callable that wanted to make use of them on a descendant class.

 .. change::
     :tags: bug, types
     :tickets: 7249

     Fixed issue where :class:`.TypeDecorator` would not correctly proxy the
     ``__getitem__()`` operator when decorating the :class:`_types.ARRAY`
     datatype, without explicit workarounds.

 .. change::
     :tags: bug, asyncio
     :tickets: 8145

     Added ``asyncio.shield()`` to the connection and session release process
     specifically within the ``__aexit__()`` context manager exit, when using
     :class:`.AsyncConnection` or :class:`.AsyncSession` as a context manager
     that releases the object when the context manager is complete. This appears
     to help with task cancellation when using alternate concurrency libraries
     such as ``anyio``, ``uvloop`` that otherwise don't provide an async context
     for the connection pool to release the connection properly during task
     cancellation.



 .. change::
     :tags: bug, postgresql
     :tickets: 4392

     Fixed issue in psycopg2 dialect where the "multiple hosts" feature
     implemented for :ticket:`4392`, where multiple ``host:port`` pairs could be
     passed in the query string as
     ``?host=host1:port1&host=host2:port2&host=host3:port3`` was not implemented
     correctly, as it did not propagate the "port" parameter appropriately.
     Connections that didn't use a different "port" likely worked without issue,
     and connections that had "port" for some of the entries may have
     incorrectly passed on that hostname. The format is now corrected to pass
     hosts/ports appropriately.

     As part of this change, maintained support for another multihost style that
     worked unintentionally, which is comma-separated
     ``?host=h1,h2,h3&port=p1,p2,p3``. This format is more consistent with
     libpq's query-string format, whereas the previous format is inspired by a
     different aspect of libpq's URI format but is not quite the same thing.

     If the two styles are mixed together, an error is raised as this is
     ambiguous.

 .. change::
     :tags: bug, sql
     :tickets: 8253

     Adjusted the SQL compilation for string containment functions
     ``.contains()``, ``.startswith()``, ``.endswith()`` to force the use of the
     string concatenation operator, rather than relying upon the overload of the
     addition operator, so that non-standard use of these operators with for
     example bytestrings still produces string concatenation operators.


 .. change::
     :tags: bug, orm
     :tickets: 8235

     A :func:`_sql.select` construct that is passed a sole '*' argument for
     ``SELECT *``, either via string, :func:`_sql.text`, or
     :func:`_sql.literal_column`, will be interpreted as a Core-level SQL
     statement rather than as an ORM level statement. This is so that the ``*``,
     when expanded to match any number of columns, will result in all columns
     returned in the result. the ORM- level interpretation of
     :func:`_sql.select` needs to know the names and types of all ORM columns up
     front which can't be achieved when ``'*'`` is used.

     If ``'*`` is used amongst other expressions simultaneously with an ORM
     statement, an error is raised as this can't be interpreted correctly by the
     ORM.

 .. change::
     :tags: bug, mssql
     :tickets: 8210

     Fixed issues that prevented the new usage patterns for using DML with ORM
     objects presented at :ref:`orm_dml_returning_objects` from working
     correctly with the SQL Server pyodbc dialect.


 .. change::
     :tags: bug, mssql
     :tickets: 8231

     Fixed issue where the SQL Server dialect's query for the current isolation
     level would fail on Azure Synapse Analytics, due to the way in which this
     database handles transaction rollbacks after an error has occurred. The
     initial query has been modified to no longer rely upon catching an error
     when attempting to detect the appropriate system view. Additionally, to
     better support this database's very specific "rollback" behavior,
     implemented new parameter ``ignore_no_transaction_on_rollback`` indicating
     that a rollback should ignore Azure Synapse error 'No corresponding
     transaction found. (111214)', which is raised if no transaction is present
     in conflict with the Python DBAPI.

     Initial patch and valuable debugging assistance courtesy of ww2406.

     .. seealso::

         :ref:`azure_synapse_ignore_no_transaction_on_rollback`

 .. change::
     :tags: bug, mypy
     :tickets: 8196

     Fixed a crash of the mypy plugin when using a lambda as a Column
     default. Pull request curtesy of tchapi.


 .. change::
     :tags: usecase, engine

     Implemented new :paramref:`_engine.Connection.execution_options.yield_per`
     execution option for :class:`_engine.Connection` in Core, to mirror that of
     the same :ref:`yield_per <orm_queryguide_yield_per>` option available in
     the ORM. The option sets both the
     :paramref:`_engine.Connection.execution_options.stream_results` option at
     the same time as invoking :meth:`_engine.Result.yield_per`, to provide the
     most common streaming result configuration which also mirrors that of the
     ORM use case in its usage pattern.

     .. seealso::

         :ref:`engine_stream_results` - revised documentation


 .. change::
     :tags: bug, engine

     Fixed bug in :class:`_engine.Result` where the usage of a buffered result
     strategy would not be used if the dialect in use did not support an
     explicit "server side cursor" setting, when using
     :paramref:`_engine.Connection.execution_options.stream_results`. This is in
     error as DBAPIs such as that of SQLite and Oracle already use a
     non-buffered result fetching scheme, which still benefits from usage of
     partial result fetching.   The "buffered" strategy is now used in all
     cases where :paramref:`_engine.Connection.execution_options.stream_results`
     is set.


 .. change::
     :tags: bug, engine
     :tickets: 8199

     Added :meth:`.FilterResult.yield_per` so that result implementations
     such as :class:`.MappingResult`, :class:`.ScalarResult` and
     :class:`.AsyncResult` have access to this method.

.. changelog::

1.4.39

:released: June 24, 2022

 .. change::
     :tags: bug, orm, regression
     :tickets: 8133

     Fixed regression caused by :ticket:`8133` where the pickle format for
     mutable attributes was changed, without a fallback to recognize the old
     format, causing in-place upgrades of SQLAlchemy to no longer be able to
     read pickled data from previous versions. A check plus a fallback for the
     old format is now in place.

.. changelog::

1.4.38

:released: June 23, 2022

 .. change::
     :tags: bug, orm, regression
     :tickets: 8162

     Fixed regression caused by :ticket:`8064` where a particular check for
     column correspondence was made too liberal, resulting in incorrect
     rendering for some ORM subqueries such as those using
     :meth:`.PropComparator.has` or :meth:`.PropComparator.any` in conjunction
     with joined-inheritance queries that also use legacy aliasing features.

 .. change::
     :tags: bug, engine
     :tickets: 8115

     Repaired a deprecation warning class decorator that was preventing key
     objects such as :class:`_engine.Connection` from having a proper
     ``__weakref__`` attribute, causing operations like Python standard library
     ``inspect.getmembers()`` to fail.


 .. change::
     :tags: bug, sql
     :tickets: 8098

     Fixed multiple observed race conditions related to :func:`.lambda_stmt`,
     including an initial "dogpile" issue when a new Python code object is
     initially analyzed among multiple simultaneous threads which created both a
     performance issue as well as some internal corruption of state.
     Additionally repaired observed race condition which could occur when
     "cloning" an expression construct that is also in the process of being
     compiled or otherwise accessed in a different thread due to memoized
     attributes altering the ``__dict__`` while iterated, for Python versions
     prior to 3.10; in particular the lambda SQL construct is sensitive to this
     as it holds onto a single statement object persistently. The iteration has
     been refined to use ``dict.copy()`` with or without an additional iteration
     instead.

 .. change::
     :tags: bug, sql
     :tickets: 8084

     Enhanced the mechanism of :class:`.Cast` and other "wrapping"
     column constructs to more fully preserve a wrapped :class:`.Label`
     construct, including that the label name will be preserved in the
     ``.c`` collection of a :class:`.Subquery`.  The label was already
     able to render in the SQL correctly on the outside of the construct
     which it was wrapped inside.

 .. change::
     :tags: bug, orm, sql
     :tickets: 8091

     Fixed an issue where :meth:`_sql.GenerativeSelect.fetch` would not
     be applied when executing a statement using the ORM.

 .. change::
     :tags: bug, orm
     :tickets: 8109

     Fixed issue where a :func:`_orm.with_loader_criteria` option could not be
     pickled, as is necessary when it is carried along for propagation to lazy
     loaders in conjunction with a caching scheme. Currently, the only form that
     is supported as picklable is to pass the "where criteria" as a fixed
     module-level callable function that produces a SQL expression. An ad-hoc
     "lambda" can't be pickled, and a SQL expression object is usually not fully
     picklable directly.


 .. change::
     :tags: bug, schema
     :tickets: 8100, 8101

     Fixed bugs involving the :paramref:`.Table.include_columns` and the
     :paramref:`.Table.resolve_fks` parameters on :class:`.Table`; these
     little-used parameters were apparently not working for columns that refer
     to foreign key constraints.

     In the first case, not-included columns that refer to foreign keys would
     still attempt to create a :class:`.ForeignKey` object, producing errors
     when attempting to resolve the columns for the foreign key constraint
     within reflection; foreign key constraints that refer to skipped columns
     are now omitted from the table reflection process in the same way as
     occurs for :class:`.Index` and :class:`.UniqueConstraint` objects with the
     same conditions. No warning is produced however, as we likely want to
     remove the include_columns warnings for all constraints in 2.0.

     In the latter case, the production of table aliases or subqueries would
     fail on an FK related table not found despite the presence of
     ``resolve_fks=False``; the logic has been repaired so that if a related
     table is not found, the :class:`.ForeignKey` object is still proxied to the
     aliased table or subquery (these :class:`.ForeignKey` objects are normally
     used in the production of join conditions), but it is sent with a flag that
     it's not resolvable. The aliased table / subquery will then work normally,
     with the exception that it cannot be used to generate a join condition
     automatically, as the foreign key information is missing. This was already
     the behavior for such foreign key constraints produced using non-reflection
     methods, such as joining :class:`.Table` objects from different
     :class:`.MetaData` collections.

 .. change::
     :tags: bug, sql
     :tickets: 8113

     Adjusted the fix made for :ticket:`8056` which adjusted the escaping of
     bound parameter names with special characters such that the escaped names
     were translated after the SQL compilation step, which broke a published
     recipe on the FAQ illustrating how to merge parameter names into the string
     output of a compiled SQL string. The change restores the escaped names that
     come from ``compiled.params`` and adds a conditional parameter to
     :meth:`.SQLCompiler.construct_params` named ``escape_names`` that defaults
     to ``True``, restoring the old behavior by default.

 .. change::
     :tags: bug, schema, mssql
     :tickets: 8111

     Fixed issue where :class:`.Table` objects that made use of IDENTITY columns
     with a :class:`.Numeric` datatype would produce errors when attempting to
     reconcile the "autoincrement" column, preventing construction of the
     :class:`.Column` from using the :paramref:`.Column.autoincrement` parameter
     as well as emitting errors when attempting to invoke an :class:`_dml.Insert`
     construct.


 .. change::
     :tags: bug, extensions
     :tickets: 8133

     Fixed bug in :class:`.Mutable` where pickling and unpickling of an ORM
     mapped instance would not correctly restore state for mappings that
     contained multiple :class:`.Mutable`-enabled attributes.

.. changelog::

1.4.37

:released: May 31, 2022

 .. change::
     :tags: bug, mssql
     :tickets: 8062

     Fix issue where a password with a leading "{" would result in login failure.

 .. change::
     :tags: bug, sql, postgresql, sqlite
     :tickets: 8014

     Fixed bug where the PostgreSQL
     :meth:`_postgresql.Insert.on_conflict_do_update` method and the SQLite
     :meth:`_sqlite.Insert.on_conflict_do_update` method would both fail to
     correctly accommodate a column with a separate ".key" when specifying the
     column using its key name in the dictionary passed to
     :paramref:`_postgresql.Insert.on_conflict_do_update.set_`, as well as if
     the :attr:`_postgresql.Insert.excluded` collection were used as the
     dictionary directly.

 .. change::
     :tags: bug, sql
     :tickets: 8073

     An informative error is raised for the use case where
     :meth:`_dml.Insert.from_select` is being passed a "compound select" object such
     as a UNION, yet the INSERT statement needs to append additional columns to
     support Python-side or explicit SQL defaults from the table metadata. In
     this case a subquery of the compound object should be passed.

 .. change::
     :tags: bug, orm
     :tickets: 8064

     Fixed issue where using a :func:`_orm.column_property` construct containing
     a subquery against an already-mapped column attribute would not correctly
     apply ORM-compilation behaviors to the subquery, including that the "IN"
     expression added for a single-table inherits expression would fail to be
     included.

 .. change::
     :tags: bug, orm
     :tickets: 8001

     Fixed issue where ORM results would apply incorrect key names to the
     returned :class:`.Row` objects in the case where the set of columns to be
     selected were changed, such as when using
     :meth:`.Select.with_only_columns`.

 .. change::
     :tags: bug, mysql
     :tickets: 7966

     Further adjustments to the MySQL PyODBC dialect to allow for complete
     connectivity, which was previously still not working despite fixes in
     :ticket:`7871`.

 .. change::
     :tags: bug, sql
     :tickets: 7979

     Fixed an issue where using :func:`.bindparam` with no explicit data or type
     given could be coerced into the incorrect type when used in expressions
     such as when using :meth:`_types.ARRAY.Comparator.any` and
     :meth:`_types.ARRAY.Comparator.all`.


 .. change::
     :tags: bug, oracle
     :tickets: 8053

     Fixed SQL compiler issue where the "bind processing" function for a bound
     parameter would not be correctly applied to a bound value if the bound
     parameter's name were "escaped". Concretely, this applies, among other
     cases, to Oracle when a :class:`.Column` has a name that itself requires
     quoting, such that the quoting-required name is then used for the bound
     parameters generated within DML statements, and the datatype in use
     requires bind processing, such as the :class:`.Enum` datatype.

 .. change::
     :tags: bug, mssql, reflection
     :tickets: 8035

     Explicitly specify the collation when reflecting table columns using
     MSSQL to prevent "collation conflict" errors.

 .. change::
     :tags: bug, orm, oracle, postgresql
     :tickets: 8056

     Fixed bug, likely a regression from 1.3, where usage of column names that
     require bound parameter escaping, more concretely when using Oracle with
     column names that require quoting such as those that start with an
     underscore, or in less common cases with some PostgreSQL drivers when using
     column names that contain percent s

---

<sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

## 📋 Pull Request Information **Original PR:** https://github.com/jeffknupp/sandman2/pull/299 **Author:** [@pyup-bot](https://github.com/pyup-bot) **Created:** 12/5/2022 **Status:** ❌ Closed **Base:** `master` ← **Head:** `pyup-scheduled-update-2022-12-05` --- ### 📝 Commits (10+) - [`b216bbb`](https://github.com/jeffknupp/sandman2/commit/b216bbb309ff37e094670003bf08bf92d0e4b38e) Update flask from 1.1.2 to 2.2.2 - [`0188554`](https://github.com/jeffknupp/sandman2/commit/0188554e00d7b008a06832d264f8b0cd868643e9) Update flask-admin from 1.5.7 to 1.6.0 - [`90b7baf`](https://github.com/jeffknupp/sandman2/commit/90b7baf95235b78fef4350b75052d88cb987a41f) Update flask-sqlalchemy from 2.4.4 to 3.0.2 - [`711431f`](https://github.com/jeffknupp/sandman2/commit/711431f028417bb52a20e83bb3580b1c460e8f97) Update sqlalchemy from 1.3.20 to 1.4.44 - [`f9a2501`](https://github.com/jeffknupp/sandman2/commit/f9a250121ced449a76026f489f4bf6d4522fe115) Update wtforms from 2.3.3 to 3.0.1 - [`214372c`](https://github.com/jeffknupp/sandman2/commit/214372cefb9020c53f0d250eb2bd2723a631ffd1) Update coverage from 5.3 to 6.5.0 - [`5d76e2f`](https://github.com/jeffknupp/sandman2/commit/5d76e2fa14f91030566848483b1e3764d35a6fc6) Update pytest from 6.2.0 to 7.2.0 - [`71468fb`](https://github.com/jeffknupp/sandman2/commit/71468fb252bd3276fe4d46f4eb20f92a04766aa6) Update flask-cors from 3.0.9 to 3.0.10 - [`228ad1e`](https://github.com/jeffknupp/sandman2/commit/228ad1e6edde86e7f50b0ccd2934d1091db3f082) Update pytest-cov from 2.10.1 to 4.0.0 - [`9d5e0f4`](https://github.com/jeffknupp/sandman2/commit/9d5e0f40086ce80248627cf61a76a372bf698377) Update pytest-flask from 1.1.0 to 1.2.0 ### 📊 Changes **1 file changed** (+14 additions, -14 deletions) <details> <summary>View changed files</summary> 📝 `requirements.txt` (+14 -14) </details> ### 📄 Description ### Update [Flask](https://pypi.org/project/Flask) from **1.1.2** to **2.2.2**. <details> <summary>Changelog</summary> ### 2.2.2 ``` ------------- Released 2022-08-08 - Update Werkzeug dependency to &gt;= 2.2.2. This includes fixes related to the new faster router, header parsing, and the development server. :pr:`4754` - Fix the default value for ``app.env`` to be ``&quot;production&quot;``. This attribute remains deprecated. :issue:`4740` ``` ### 2.2.1 ``` ------------- Released 2022-08-03 - Setting or accessing ``json_encoder`` or ``json_decoder`` raises a deprecation warning. :issue:`4732` ``` ### 2.2.0 ``` ------------- Released 2022-08-01 - Remove previously deprecated code. :pr:`4667` - Old names for some ``send_file`` parameters have been removed. ``download_name`` replaces ``attachment_filename``, ``max_age`` replaces ``cache_timeout``, and ``etag`` replaces ``add_etags``. Additionally, ``path`` replaces ``filename`` in ``send_from_directory``. - The ``RequestContext.g`` property returning ``AppContext.g`` is removed. - Update Werkzeug dependency to &gt;= 2.2. - The app and request contexts are managed using Python context vars directly rather than Werkzeug&#x27;s ``LocalStack``. This should result in better performance and memory use. :pr:`4682` - Extension maintainers, be aware that ``_app_ctx_stack.top`` and ``_request_ctx_stack.top`` are deprecated. Store data on ``g`` instead using a unique prefix, like ``g._extension_name_attr``. - The ``FLASK_ENV`` environment variable and ``app.env`` attribute are deprecated, removing the distinction between development and debug mode. Debug mode should be controlled directly using the ``--debug`` option or ``app.run(debug=True)``. :issue:`4714` - Some attributes that proxied config keys on ``app`` are deprecated: ``session_cookie_name``, ``send_file_max_age_default``, ``use_x_sendfile``, ``propagate_exceptions``, and ``templates_auto_reload``. Use the relevant config keys instead. :issue:`4716` - Add new customization points to the ``Flask`` app object for many previously global behaviors. - ``flask.url_for`` will call ``app.url_for``. :issue:`4568` - ``flask.abort`` will call ``app.aborter``. ``Flask.aborter_class`` and ``Flask.make_aborter`` can be used to customize this aborter. :issue:`4567` - ``flask.redirect`` will call ``app.redirect``. :issue:`4569` - ``flask.json`` is an instance of ``JSONProvider``. A different provider can be set to use a different JSON library. ``flask.jsonify`` will call ``app.json.response``, other functions in ``flask.json`` will call corresponding functions in ``app.json``. :pr:`4692` - JSON configuration is moved to attributes on the default ``app.json`` provider. ``JSON_AS_ASCII``, ``JSON_SORT_KEYS``, ``JSONIFY_MIMETYPE``, and ``JSONIFY_PRETTYPRINT_REGULAR`` are deprecated. :pr:`4692` - Setting custom ``json_encoder`` and ``json_decoder`` classes on the app or a blueprint, and the corresponding ``json.JSONEncoder`` and ``JSONDecoder`` classes, are deprecated. JSON behavior can now be overridden using the ``app.json`` provider interface. :pr:`4692` - ``json.htmlsafe_dumps`` and ``json.htmlsafe_dump`` are deprecated, the function is built-in to Jinja now. :pr:`4692` - Refactor ``register_error_handler`` to consolidate error checking. Rewrite some error messages to be more consistent. :issue:`4559` - Use Blueprint decorators and functions intended for setup after registering the blueprint will show a warning. In the next version, this will become an error just like the application setup methods. :issue:`4571` - ``before_first_request`` is deprecated. Run setup code when creating the application instead. :issue:`4605` - Added the ``View.init_every_request`` class attribute. If a view subclass sets this to ``False``, the view will not create a new instance on every request. :issue:`2520`. - A ``flask.cli.FlaskGroup`` Click group can be nested as a sub-command in a custom CLI. :issue:`3263` - Add ``--app`` and ``--debug`` options to the ``flask`` CLI, instead of requiring that they are set through environment variables. :issue:`2836` - Add ``--env-file`` option to the ``flask`` CLI. This allows specifying a dotenv file to load in addition to ``.env`` and ``.flaskenv``. :issue:`3108` - It is no longer required to decorate custom CLI commands on ``app.cli`` or ``blueprint.cli`` with ``with_appcontext``, an app context will already be active at that point. :issue:`2410` - ``SessionInterface.get_expiration_time`` uses a timezone-aware value. :pr:`4645` - View functions can return generators directly instead of wrapping them in a ``Response``. :pr:`4629` - Add ``stream_template`` and ``stream_template_string`` functions to render a template as a stream of pieces. :pr:`4629` - A new implementation of context preservation during debugging and testing. :pr:`4666` - ``request``, ``g``, and other context-locals point to the correct data when running code in the interactive debugger console. :issue:`2836` - Teardown functions are always run at the end of the request, even if the context is preserved. They are also run after the preserved context is popped. - ``stream_with_context`` preserves context separately from a ``with client`` block. It will be cleaned up when ``response.get_data()`` or ``response.close()`` is called. - Allow returning a list from a view function, to convert it to a JSON response like a dict is. :issue:`4672` - When type checking, allow ``TypedDict`` to be returned from view functions. :pr:`4695` - Remove the ``--eager-loading/--lazy-loading`` options from the ``flask run`` command. The app is always eager loaded the first time, then lazily loaded in the reloader. The reloader always prints errors immediately but continues serving. Remove the internal ``DispatchingApp`` middleware used by the previous implementation. :issue:`4715` ``` ### 2.1.3 ``` ------------- Released 2022-07-13 - Inline some optional imports that are only used for certain CLI commands. :pr:`4606` - Relax type annotation for ``after_request`` functions. :issue:`4600` - ``instance_path`` for namespace packages uses the path closest to the imported submodule. :issue:`4610` - Clearer error message when ``render_template`` and ``render_template_string`` are used outside an application context. :pr:`4693` ``` ### 2.1.2 ``` ------------- Released 2022-04-28 - Fix type annotation for ``json.loads``, it accepts str or bytes. :issue:`4519` - The ``--cert`` and ``--key`` options on ``flask run`` can be given in either order. :issue:`4459` ``` ### 2.1.1 ``` ------------- Released on 2022-03-30 - Set the minimum required version of importlib_metadata to 3.6.0, which is required on Python &lt; 3.10. :issue:`4502` ``` ### 2.1.0 ``` ------------- Released 2022-03-28 - Drop support for Python 3.6. :pr:`4335` - Update Click dependency to &gt;= 8.0. :pr:`4008` - Remove previously deprecated code. :pr:`4337` - The CLI does not pass ``script_info`` to app factory functions. - ``config.from_json`` is replaced by ``config.from_file(name, load=json.load)``. - ``json`` functions no longer take an ``encoding`` parameter. - ``safe_join`` is removed, use ``werkzeug.utils.safe_join`` instead. - ``total_seconds`` is removed, use ``timedelta.total_seconds`` instead. - The same blueprint cannot be registered with the same name. Use ``name=`` when registering to specify a unique name. - The test client&#x27;s ``as_tuple`` parameter is removed. Use ``response.request.environ`` instead. :pr:`4417` - Some parameters in ``send_file`` and ``send_from_directory`` were renamed in 2.0. The deprecation period for the old names is extended to 2.2. Be sure to test with deprecation warnings visible. - ``attachment_filename`` is renamed to ``download_name``. - ``cache_timeout`` is renamed to ``max_age``. - ``add_etags`` is renamed to ``etag``. - ``filename`` is renamed to ``path``. - The ``RequestContext.g`` property is deprecated. Use ``g`` directly or ``AppContext.g`` instead. :issue:`3898` - ``copy_current_request_context`` can decorate async functions. :pr:`4303` - The CLI uses ``importlib.metadata`` instead of ``setuptools`` to load command entry points. :issue:`4419` - Overriding ``FlaskClient.open`` will not cause an error on redirect. :issue:`3396` - Add an ``--exclude-patterns`` option to the ``flask run`` CLI command to specify patterns that will be ignored by the reloader. :issue:`4188` - When using lazy loading (the default with the debugger), the Click context from the ``flask run`` command remains available in the loader thread. :issue:`4460` - Deleting the session cookie uses the ``httponly`` flag. :issue:`4485` - Relax typing for ``errorhandler`` to allow the user to use more precise types and decorate the same function multiple times. :issue:`4095, 4295, 4297` - Fix typing for ``__exit__`` methods for better compatibility with ``ExitStack``. :issue:`4474` - From Werkzeug, for redirect responses the ``Location`` header URL will remain relative, and exclude the scheme and domain, by default. :pr:`4496` - Add ``Config.from_prefixed_env()`` to load config values from environment variables that start with ``FLASK_`` or another prefix. This parses values as JSON by default, and allows setting keys in nested dicts. :pr:`4479` ``` ### 2.0.3 ``` ------------- Released 2022-02-14 - The test client&#x27;s ``as_tuple`` parameter is deprecated and will be removed in Werkzeug 2.1. It is now also deprecated in Flask, to be removed in Flask 2.1, while remaining compatible with both in 2.0.x. Use ``response.request.environ`` instead. :pr:`4341` - Fix type annotation for ``errorhandler`` decorator. :issue:`4295` - Revert a change to the CLI that caused it to hide ``ImportError`` tracebacks when importing the application. :issue:`4307` - ``app.json_encoder`` and ``json_decoder`` are only passed to ``dumps`` and ``loads`` if they have custom behavior. This improves performance, mainly on PyPy. :issue:`4349` - Clearer error message when ``after_this_request`` is used outside a request context. :issue:`4333` ``` ### 2.0.2 ``` ------------- Released 2021-10-04 - Fix type annotation for ``teardown_*`` methods. :issue:`4093` - Fix type annotation for ``before_request`` and ``before_app_request`` decorators. :issue:`4104` - Fixed the issue where typing requires template global decorators to accept functions with no arguments. :issue:`4098` - Support View and MethodView instances with async handlers. :issue:`4112` - Enhance typing of ``app.errorhandler`` decorator. :issue:`4095` - Fix registering a blueprint twice with differing names. :issue:`4124` - Fix the type of ``static_folder`` to accept ``pathlib.Path``. :issue:`4150` - ``jsonify`` handles ``decimal.Decimal`` by encoding to ``str``. :issue:`4157` - Correctly handle raising deferred errors in CLI lazy loading. :issue:`4096` - The CLI loader handles ``**kwargs`` in a ``create_app`` function. :issue:`4170` - Fix the order of ``before_request`` and other callbacks that trigger before the view returns. They are called from the app down to the closest nested blueprint. :issue:`4229` ``` ### 2.0.1 ``` ------------- Released 2021-05-21 - Re-add the ``filename`` parameter in ``send_from_directory``. The ``filename`` parameter has been renamed to ``path``, the old name is deprecated. :pr:`4019` - Mark top-level names as exported so type checking understands imports in user projects. :issue:`4024` - Fix type annotation for ``g`` and inform mypy that it is a namespace object that has arbitrary attributes. :issue:`4020` - Fix some types that weren&#x27;t available in Python 3.6.0. :issue:`4040` - Improve typing for ``send_file``, ``send_from_directory``, and ``get_send_file_max_age``. :issue:`4044`, :pr:`4026` - Show an error when a blueprint name contains a dot. The ``.`` has special meaning, it is used to separate (nested) blueprint names and the endpoint name. :issue:`4041` - Combine URL prefixes when nesting blueprints that were created with a ``url_prefix`` value. :issue:`4037` - Revert a change to the order that URL matching was done. The URL is again matched after the session is loaded, so the session is available in custom URL converters. :issue:`4053` - Re-add deprecated ``Config.from_json``, which was accidentally removed early. :issue:`4078` - Improve typing for some functions using ``Callable`` in their type signatures, focusing on decorator factories. :issue:`4060` - Nested blueprints are registered with their dotted name. This allows different blueprints with the same name to be nested at different locations. :issue:`4069` - ``register_blueprint`` takes a ``name`` option to change the (pre-dotted) name the blueprint is registered with. This allows the same blueprint to be registered multiple times with unique names for ``url_for``. Registering the same blueprint with the same name multiple times is deprecated. :issue:`1091` - Improve typing for ``stream_with_context``. :issue:`4052` ``` ### 2.0.0 ``` ------------- Released 2021-05-11 - Drop support for Python 2 and 3.5. - Bump minimum versions of other Pallets projects: Werkzeug &gt;= 2, Jinja2 &gt;= 3, MarkupSafe &gt;= 2, ItsDangerous &gt;= 2, Click &gt;= 8. Be sure to check the change logs for each project. For better compatibility with other applications (e.g. Celery) that still require Click 7, there is no hard dependency on Click 8 yet, but using Click 7 will trigger a DeprecationWarning and Flask 2.1 will depend on Click 8. - JSON support no longer uses simplejson. To use another JSON module, override ``app.json_encoder`` and ``json_decoder``. :issue:`3555` - The ``encoding`` option to JSON functions is deprecated. :pr:`3562` - Passing ``script_info`` to app factory functions is deprecated. This was not portable outside the ``flask`` command. Use ``click.get_current_context().obj`` if it&#x27;s needed. :issue:`3552` - The CLI shows better error messages when the app failed to load when looking up commands. :issue:`2741` - Add ``SessionInterface.get_cookie_name`` to allow setting the session cookie name dynamically. :pr:`3369` - Add ``Config.from_file`` to load config using arbitrary file loaders, such as ``toml.load`` or ``json.load``. ``Config.from_json`` is deprecated in favor of this. :pr:`3398` - The ``flask run`` command will only defer errors on reload. Errors present during the initial call will cause the server to exit with the traceback immediately. :issue:`3431` - ``send_file`` raises a ``ValueError`` when passed an ``io`` object in text mode. Previously, it would respond with 200 OK and an empty file. :issue:`3358` - When using ad-hoc certificates, check for the cryptography library instead of PyOpenSSL. :pr:`3492` - When specifying a factory function with ``FLASK_APP``, keyword argument can be passed. :issue:`3553` - When loading a ``.env`` or ``.flaskenv`` file, the current working directory is no longer changed to the location of the file. :pr:`3560` - When returning a ``(response, headers)`` tuple from a view, the headers replace rather than extend existing headers on the response. For example, this allows setting the ``Content-Type`` for ``jsonify()``. Use ``response.headers.extend()`` if extending is desired. :issue:`3628` - The ``Scaffold`` class provides a common API for the ``Flask`` and ``Blueprint`` classes. ``Blueprint`` information is stored in attributes just like ``Flask``, rather than opaque lambda functions. This is intended to improve consistency and maintainability. :issue:`3215` - Include ``samesite`` and ``secure`` options when removing the session cookie. :pr:`3726` - Support passing a ``pathlib.Path`` to ``static_folder``. :pr:`3579` - ``send_file`` and ``send_from_directory`` are wrappers around the implementations in ``werkzeug.utils``. :pr:`3828` - Some ``send_file`` parameters have been renamed, the old names are deprecated. ``attachment_filename`` is renamed to ``download_name``. ``cache_timeout`` is renamed to ``max_age``. ``add_etags`` is renamed to ``etag``. :pr:`3828, 3883` - ``send_file`` passes ``download_name`` even if ``as_attachment=False`` by using ``Content-Disposition: inline``. :pr:`3828` - ``send_file`` sets ``conditional=True`` and ``max_age=None`` by default. ``Cache-Control`` is set to ``no-cache`` if ``max_age`` is not set, otherwise ``public``. This tells browsers to validate conditional requests instead of using a timed cache. :pr:`3828` - ``helpers.safe_join`` is deprecated. Use ``werkzeug.utils.safe_join`` instead. :pr:`3828` - The request context does route matching before opening the session. This could allow a session interface to change behavior based on ``request.endpoint``. :issue:`3776` - Use Jinja&#x27;s implementation of the ``|tojson`` filter. :issue:`3881` - Add route decorators for common HTTP methods. For example, ``app.post(&quot;/login&quot;)`` is a shortcut for ``app.route(&quot;/login&quot;, methods=[&quot;POST&quot;])``. :pr:`3907` - Support async views, error handlers, before and after request, and teardown functions. :pr:`3412` - Support nesting blueprints. :issue:`593, 1548`, :pr:`3923` - Set the default encoding to &quot;UTF-8&quot; when loading ``.env`` and ``.flaskenv`` files to allow to use non-ASCII characters. :issue:`3931` - ``flask shell`` sets up tab and history completion like the default ``python`` shell if ``readline`` is installed. :issue:`3941` - ``helpers.total_seconds()`` is deprecated. Use ``timedelta.total_seconds()`` instead. :pr:`3962` - Add type hinting. :pr:`3973`. ``` ### 1.1.4 ``` ------------- Released 2021-05-13 - Update ``static_folder`` to use ``_compat.fspath`` instead of ``os.fspath`` to continue supporting Python &lt; 3.6 :issue:`4050` ``` ### 1.1.3 ``` ------------- Released 2021-05-13 - Set maximum versions of Werkzeug, Jinja, Click, and ItsDangerous. :issue:`4043` - Re-add support for passing a ``pathlib.Path`` for ``static_folder``. :pr:`3579` ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/flask - Changelog: https://pyup.io/changelogs/flask/ - Homepage: https://palletsprojects.com/p/flask </details> ### Update [Flask-Admin](https://pypi.org/project/Flask-Admin) from **1.5.7** to **1.6.0**. <details> <summary>Changelog</summary> ### 1.6.0 ``` ----- * Dropped Python 2 support * WTForms 3.0 support * Various fixes ``` ### 1.5.8 ``` ----- * SQLAlchemy 1.4.5+ compatibility fixes * Redis CLI fixes ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/flask-admin - Changelog: https://pyup.io/changelogs/flask-admin/ - Repo: https://github.com/flask-admin/flask-admin/ - Docs: https://pythonhosted.org/Flask-Admin/ </details> ### Update [Flask-SQLAlchemy](https://pypi.org/project/Flask-SQLAlchemy) from **2.4.4** to **3.0.2**. <details> <summary>Changelog</summary> ### 3.0.2 ``` ------------- Released 2022-10-14 - Update compatibility with SQLAlchemy 2. :issue:`1122` ``` ### 3.0.1 ``` ------------- Released 2022-10-11 - Export typing information instead of using external typeshed definitions. :issue:`1112` - If default engine options are set, but ``SQLALCHEMY_DATABASE_URI`` is not set, an invalid default bind will not be configured. :issue:`1117` ``` ### 3.0.0 ``` ------------- Released 2022-10-04 - Drop support for Python 2, 3.4, 3.5, and 3.6. - Bump minimum version of Flask to 2.2. - Bump minimum version of SQLAlchemy to 1.4.18. - Remove previously deprecated code. - The session is scoped to the current app context instead of the thread. This requires that an app context is active. This ensures that the session is cleaned up after every request. - An active Flask application context is always required to access ``session`` and ``engine``, regardless of if an application was passed to the constructor. :issue:`508, 944` - Different bind keys use different SQLAlchemy ``MetaData`` registries, allowing tables in different databases to have the same name. Bind keys are stored and looked up on the resulting metadata rather than the model or table. - ``SQLALCHEMY_DATABASE_URI`` does not default to ``sqlite:///:memory:``. An error is raised if neither it nor ``SQLALCHEMY_BINDS`` define any engines. :pr:`731` - Configuring SQLite with a relative path is relative to ``app.instance_path`` instead of ``app.root_path``. The instance folder is created if necessary. :issue:`462` - Added ``get_or_404``, ``first_or_404``, ``one_or_404``, and ``paginate`` methods to the extension object. These use SQLAlchemy&#x27;s preferred ``session.execute(select())`` pattern instead of the legacy query interface. :issue:`1088` - Setup methods that create the engines and session are renamed with a leading underscore. They are considered internal interfaces which may change at any time. - All parameters to ``SQLAlchemy`` except ``app`` are keyword-only. - Renamed the ``bind`` parameter to ``bind_key`` and removed the ``app`` parameter from various ``SQLAlchemy`` methods. - The extension object uses ``__getattr__`` to alias names from the SQLAlchemy package, rather than copying them as attributes. - The extension object is stored directly as ``app.extensions[&quot;sqlalchemy&quot;]``. :issue:`698` - The session class can be customized by passing the ``class_`` key in the ``session_options`` parameter. :issue:`327` - ``SignallingSession`` is renamed to ``Session``. - ``Session.get_bind`` more closely matches the base implementation. - Model classes and the ``db`` instance are available without imports in ``flask shell``. :issue:`1089` - The ``CamelCase`` to ``snake_case`` table name converter handles more patterns correctly. If model that was already created in the database changed, either use Alembic to rename the table, or set ``__tablename__`` to keep the old name. :issue:`406` - ``Model`` ``repr`` distinguishes between transient and pending instances. :issue:`967` - A custom model class can implement ``__init_subclass__`` with class parameters. :issue:`1002` - ``db.Table`` is a subclass instead of a function. - The ``engine_options`` parameter is applied as defaults before per-engine configuration. - ``SQLALCHEMY_BINDS`` values can either be an engine URL, or a dict of engine options including URL, for each bind. ``SQLALCHEMY_DATABASE_URI`` and ``SQLALCHEMY_ENGINE_OPTIONS`` correspond to the ``None`` key and take precedence. :issue:`783` - Engines are created when calling ``init_app`` rather than the first time they are accessed. :issue:`698` - ``db.engines`` exposes the map of bind keys to engines for the current app. - ``get_engine``, ``get_tables_for_bind``, and ``get_binds`` are deprecated. - SQLite driver-level URIs that look like ``sqlite:///file:name.db?uri=true`` are supported. :issue:`998, 1045` - SQLite engines do not use ``NullPool`` if ``pool_size`` is 0. - MySQL engines use the &quot;utf8mb4&quot; charset by default. :issue:`875` - MySQL engines do not set ``pool_size`` to 10. - MySQL engines don&#x27;t set a default for ``pool_recycle`` if not using a queue pool. :issue:`803` - ``Query`` is renamed from ``BaseQuery``. - Added ``Query.one_or_404``. - The query class is applied to ``backref`` in ``relationship``. :issue:`417` - Creating ``Pagination`` objects manually is no longer a public API. They should be created with ``db.paginate`` or ``query.paginate``. :issue:`1088` - ``Pagination.iter_pages`` and ``Query.paginate`` parameters are keyword-only. - ``Pagination`` is iterable, iterating over its items. :issue:`70` - Pagination count query is more efficient. - ``Pagination.iter_pages`` is more efficient. :issue:`622` - ``Pagination.iter_pages`` ``right_current`` parameter is inclusive. - Pagination ``per_page`` cannot be 0. :issue:`1091` - Pagination ``max_per_page`` defaults to 100. :issue:`1091` - Added ``Pagination.first`` and ``last`` properties, which give the number of the first and last item on the page. :issue:`567` - ``SQLALCHEMY_RECORD_QUERIES`` is disabled by default, and is not enabled automatically with ``app.debug`` or ``app.testing``. :issue:`1092` - ``get_debug_queries`` is renamed to ``get_recorded_queries`` to better match the config and functionality. - Recorded query info is a dataclass instead of a tuple. The ``context`` attribute is renamed to ``location``. Finding the location uses a more inclusive check. - ``SQLALCHEMY_TRACK_MODIFICATIONS`` is disabled by default. :pr:`727` - ``SQLALCHEMY_COMMIT_ON_TEARDOWN`` is deprecated. It can cause various design issues that are difficult to debug. Call ``db.session.commit()`` directly instead. :issue:`216` ``` ### 2.5.1 ``` ------------- Released 2021-03-18 - Fix compatibility with Python 2.7. ``` ### 2.5.0 ``` ------------- Released 2021-03-18 - Update to support SQLAlchemy 1.4. - SQLAlchemy ``URL`` objects are immutable. Some internal methods have changed to return a new URL instead of ``None``. :issue:`885` ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/flask-sqlalchemy - Changelog: https://pyup.io/changelogs/flask-sqlalchemy/ - Docs: https://pythonhosted.org/flask-sqlalchemy/ </details> ### Update [SQLAlchemy](https://pypi.org/project/SQLAlchemy) from **1.3.20** to **1.4.44**. <details> <summary>Changelog</summary> ### 1.4.44 ``` :released: November 12, 2022 .. change:: :tags: bug, sql :tickets: 8790 Fixed critical memory issue identified in cache key generation, where for very large and complex ORM statements that make use of lots of ORM aliases with subqueries, cache key generation could produce excessively large keys that were orders of magnitude bigger than the statement itself. Much thanks to Rollo Konig Brock for their very patient, long term help in finally identifying this issue. .. change:: :tags: bug, postgresql, mssql :tickets: 8770 For the PostgreSQL and SQL Server dialects only, adjusted the compiler so that when rendering column expressions in the RETURNING clause, the &quot;non anon&quot; label that&#x27;s used in SELECT statements is suggested for SQL expression elements that generate a label; the primary example is a SQL function that may be emitting as part of the column&#x27;s type, where the label name should match the column&#x27;s name by default. This restores a not-well defined behavior that had changed in version 1.4.21 due to :ticket:`6718`, :ticket:`6710`. The Oracle dialect has a different RETURNING implementation and was not affected by this issue. Version 2.0 features an across the board change for its widely expanded support of RETURNING on other backends. .. change:: :tags: bug, oracle Fixed issue in the Oracle dialect where an INSERT statement that used ``insert(some_table).values(...).returning(some_table)`` against a full :class:`.Table` object at once would fail to execute, raising an exception. .. change:: :tags: bug, tests :tickets: 8793 Fixed issue where the ``--disable-asyncio`` parameter to the test suite would fail to not actually run greenlet tests and would also not prevent the suite from using a &quot;wrapping&quot; greenlet for the whole suite. This parameter now ensures that no greenlet or asyncio use will occur within the entire run when set. .. change:: :tags: bug, tests Adjusted the test suite which tests the Mypy plugin to accommodate for changes in Mypy 0.990 regarding how it handles message output, which affect how sys.path is interpreted when determining if notes and errors should be printed for particular files. The change broke the test suite as the files within the test directory itself no longer produced messaging when run under the mypy API. .. changelog:: ``` ### 1.4.43 ``` :released: November 4, 2022 .. change:: :tags: bug, orm :tickets: 8738 Fixed issue in joined eager loading where an assertion fail would occur with a particular combination of outer/inner joined eager loads, when eager loading across three mappers where the middle mapper was an inherited subclass mapper. .. change:: :tags: bug, oracle :tickets: 8708 Fixed issue where bound parameter names, including those automatically derived from similarly-named database columns, which contained characters that normally require quoting with Oracle would not be escaped when using &quot;expanding parameters&quot; with the Oracle dialect, causing execution errors. The usual &quot;quoting&quot; for bound parameters used by the Oracle dialect is not used with the &quot;expanding parameters&quot; architecture, so escaping for a large range of characters is used instead, now using a list of characters/escapes that are specific to Oracle. .. change:: :tags: bug, orm :tickets: 8721 Fixed bug involving :class:`.Select` constructs, where combinations of :meth:`.Select.select_from` with :meth:`.Select.join`, as well as when using :meth:`.Select.join_from`, would cause the :func:`_orm.with_loader_criteria` feature as well as the IN criteria needed for single-table inheritance queries to not render, in cases where the columns clause of the query did not explicitly include the left-hand side entity of the JOIN. The correct entity is now transferred to the :class:`.Join` object that&#x27;s generated internally, so that the criteria against the left side entity is correctly added. .. change:: :tags: bug, mssql :tickets: 8714 Fixed issue with :meth:`.Inspector.has_table`, which when used against a temporary table with the SQL Server dialect would fail on some Azure variants, due to an unnecessary information schema query that is not supported on those server versions. Pull request courtesy Mike Barry. .. change:: :tags: bug, orm :tickets: 8711 An informative exception is now raised when the :func:`_orm.with_loader_criteria` option is used as a loader option added to a specific &quot;loader path&quot;, such as when using it within :meth:`.Load.options`. This use is not supported as :func:`_orm.with_loader_criteria` is only intended to be used as a top level loader option. Previously, an internal error would be generated. .. change:: :tags: bug, oracle :tickets: 8744 Fixed issue where the ``nls_session_parameters`` view queried on first connect in order to get the default decimal point character may not be available depending on Oracle connection modes, and would therefore raise an error. The approach to detecting decimal char has been simplified to test a decimal value directly, instead of reading system views, which works on any backend / driver. .. change:: :tags: bug, orm :tickets: 8753 Improved &quot;dictionary mode&quot; for :meth:`_orm.Session.get` so that synonym names which refer to primary key attribute names may be indicated in the named dictionary. .. change:: :tags: bug, engine, regression :tickets: 8717 Fixed issue where the :meth:`.PoolEvents.reset` event hook would not be be called in all cases when a :class:`_engine.Connection` were closed and was in the process of returning its DBAPI connection to the connection pool. The scenario was when the :class:`_engine.Connection` had already emitted ``.rollback()`` on its DBAPI connection within the process of returning the connection to the pool, where it would then instruct the connection pool to forego doing its own &quot;reset&quot; to save on the additional method call. However, this prevented custom pool reset schemes from being used within this hook, as such hooks by definition are doing more than just calling ``.rollback()``, and need to be invoked under all circumstances. This was a regression that appeared in version 1.4. For version 1.4, the :meth:`.PoolEvents.checkin` remains viable as an alternate event hook to use for custom &quot;reset&quot; implementations. Version 2.0 will feature an improved version of :meth:`.PoolEvents.reset` which is called for additional scenarios such as termination of asyncio connections, and is also passed contextual information about the reset, to allow for &quot;custom connection reset&quot; schemes which can respond to different reset scenarios in different ways. .. change:: :tags: bug, orm :tickets: 8704 Fixed issue where &quot;selectin_polymorphic&quot; loading for inheritance mappers would not function correctly if the :paramref:`_orm.Mapper.polymorphic_on` parameter referred to a SQL expression that was not directly mapped on the class. .. change:: :tags: bug, orm :tickets: 8710 Fixed issue where the underlying DBAPI cursor would not be closed when using the :class:`_orm.Query` object as an iterator, if a user-defined exception case were raised within the iteration process, thereby causing the iterator to be closed by the Python interpreter. When using :meth:`_orm.Query.yield_per` to create server-side cursors, this would lead to the usual MySQL-related issues with server side cursors out of sync, and without direct access to the :class:`.Result` object, end-user code could not access the cursor in order to close it. To resolve, a catch for ``GeneratorExit`` is applied within the iterator method, which will close the result object in those cases when the iterator were interrupted, and by definition will be closed by the Python interpreter. As part of this change as implemented for the 1.4 series, ensured that ``.close()`` methods are available on all :class:`.Result` implementations including :class:`.ScalarResult`, :class:`.MappingResult`. The 2.0 version of this change also includes new context manager patterns for use with :class:`.Result` classes. .. change:: :tags: bug, engine :tickets: 8710 Ensured all :class:`.Result` objects include a :meth:`.Result.close` method as well as a :attr:`.Result.closed` attribute, including on :class:`.ScalarResult` and :class:`.MappingResult`. .. change:: :tags: bug, mssql, reflection :tickets: 8700 Fixed issue with :meth:`.Inspector.has_table`, which when used against a view with the SQL Server dialect would erroneously return ``False``, due to a regression in the 1.4 series which removed support for this on SQL Server. The issue is not present in the 2.0 series which uses a different reflection architecture. Test support is added to ensure ``has_table()`` remains working per spec re: views. .. change:: :tags: bug, sql :tickets: 8724 Fixed issue which prevented the :func:`_sql.literal_column` construct from working properly within the context of a :class:`.Select` construct as well as other potential places where &quot;anonymized labels&quot; might be generated, if the literal expression contained characters which could interfere with format strings, such as open parenthesis, due to an implementation detail of the &quot;anonymous label&quot; structure. .. changelog:: ``` ### 1.4.42 ``` :released: October 16, 2022 .. change:: :tags: bug, asyncio :tickets: 8516 Improved implementation of ``asyncio.shield()`` used in context managers as added in :ticket:`8145`, such that the &quot;close&quot; operation is enclosed within an ``asyncio.Task`` which is then strongly referenced as the operation proceeds. This is per Python documentation indicating that the task is otherwise not strongly referenced. .. change:: :tags: bug, orm :tickets: 8614 The :paramref:`_orm.Session.execute.bind_arguments` dictionary is no longer mutated when passed to :meth:`_orm.Session.execute` and similar; instead, it&#x27;s copied to an internal dictionary for state changes. Among other things, this fixes and issue where the &quot;clause&quot; passed to the :meth:`_orm.Session.get_bind` method would be incorrectly referring to the :class:`_sql.Select` construct used for the &quot;fetch&quot; synchronization strategy, when the actual query being emitted was a :class:`_dml.Delete` or :class:`_dml.Update`. This would interfere with recipes for &quot;routing sessions&quot;. .. change:: :tags: bug, orm :tickets: 7094 A warning is emitted in ORM configurations when an explicit :func:`_orm.remote` annotation is applied to columns that are local to the immediate mapped class, when the referenced class does not include any of the same table columns. Ideally this would raise an error at some point as it&#x27;s not correct from a mapping point of view. .. change:: :tags: bug, orm :tickets: 7545 A warning is emitted when attempting to configure a mapped class within an inheritance hierarchy where the mapper is not given any polymorphic identity, however there is a polymorphic discriminator column assigned. Such classes should be abstract if they never intend to load directly. .. change:: :tags: bug, mssql, regression :tickets: 8525 Fixed yet another regression in SQL Server isolation level fetch (see :ticket:`8231`, :ticket:`8475`), this time with &quot;Microsoft Dynamics CRM Database via Azure Active Directory&quot;, which apparently lacks the ``system_views`` view entirely. Error catching has been extended that under no circumstances will this method ever fail, provided database connectivity is present. .. change:: :tags: orm, bug, regression :tickets: 8569 Fixed regression for 1.4 in :func:`_orm.contains_eager` where the &quot;wrap in subquery&quot; logic of :func:`_orm.joinedload` would be inadvertently triggered for use of the :func:`_orm.contains_eager` function with similar statements (e.g. those that use ``distinct()``, ``limit()`` or ``offset()``), which would then lead to secondary issues with queries that used some combinations of SQL label names and aliasing. This &quot;wrapping&quot; is not appropriate for :func:`_orm.contains_eager` which has always had the contract that the user-defined SQL statement is unmodified with the exception of adding the appropriate columns to be fetched. .. change:: :tags: bug, orm, regression :tickets: 8507 Fixed regression where using ORM update() with synchronize_session=&#x27;fetch&#x27; would fail due to the use of evaluators that are now used to determine the in-Python value for expressions in the the SET clause when refreshing objects; if the evaluators make use of math operators against non-numeric values such as PostgreSQL JSONB, the non-evaluable condition would fail to be detected correctly. The evaluator now limits the use of math mutation operators to numeric types only, with the exception of &quot;+&quot; that continues to work for strings as well. SQLAlchemy 2.0 may alter this further by fetching the SET values completely rather than using evaluation. .. change:: :tags: usecase, postgresql :tickets: 8574 :class:`_postgresql.aggregate_order_by` now supports cache generation. .. change:: :tags: bug, mysql :tickets: 8588 Adjusted the regular expression used to match &quot;CREATE VIEW&quot; when testing for views to work more flexibly, no longer requiring the special keyword &quot;ALGORITHM&quot; in the middle, which was intended to be optional but was not working correctly. The change allows view reflection to work more completely on MySQL-compatible variants such as StarRocks. Pull request courtesy John Bodley. .. change:: :tags: bug, engine :tickets: 8536 Fixed issue where mixing &quot;*&quot; with additional explicitly-named column expressions within the columns clause of a :func:`_sql.select` construct would cause result-column targeting to sometimes consider the label name or other non-repeated names to be an ambiguous target. .. changelog:: ``` ### 1.4.41 ``` :released: September 6, 2022 .. change:: :tags: bug, sql :tickets: 8441 Fixed issue where use of the :func:`_sql.table` construct, passing a string for the :paramref:`_sql.table.schema` parameter, would fail to take the &quot;schema&quot; string into account when producing a cache key, thus leading to caching collisions if multiple, same-named :func:`_sql.table` constructs with different schemas were used. .. change:: :tags: bug, events, orm :tickets: 8467 Fixed event listening issue where event listeners added to a superclass would be lost if a subclass were created which then had its own listeners associated. The practical example is that of the :class:`.sessionmaker` class created after events have been associated with the :class:`_orm.Session` class. .. change:: :tags: orm, bug :tickets: 8401 Hardened the cache key strategy for the :func:`_orm.aliased` and :func:`_orm.with_polymorphic` constructs. While no issue involving actual statements being cached can easily be demonstrated (if at all), these two constructs were not including enough of what makes them unique in their cache keys for caching on the aliased construct alone to be accurate. .. change:: :tags: bug, orm, regression :tickets: 8456 Fixed regression appearing in the 1.4 series where a joined-inheritance query placed as a subquery within an enclosing query for that same entity would fail to render the JOIN correctly for the inner query. The issue manifested in two different ways prior and subsequent to version 1.4.18 (related issue :ticket:`6595`), in one case rendering JOIN twice, in the other losing the JOIN entirely. To resolve, the conditions under which &quot;polymorphic loading&quot; are applied have been scaled back to not be invoked for simple joined inheritance queries. .. change:: :tags: bug, orm :tickets: 8446 Fixed issue in :mod:`sqlalchemy.ext.mutable` extension where collection links to the parent object would be lost if the object were merged with :meth:`.Session.merge` while also passing :paramref:`.Session.merge.load` as False. .. change:: :tags: bug, orm :tickets: 8399 Fixed issue involving :func:`_orm.with_loader_criteria` where a closure variable used as bound parameter value within the lambda would not carry forward correctly into additional relationship loaders such as :func:`_orm.selectinload` and :func:`_orm.lazyload` after the statement were cached, using the stale originally-cached value instead. .. change:: :tags: bug, mssql, regression :tickets: 8475 Fixed regression caused by the fix for :ticket:`8231` released in 1.4.40 where connection would fail if the user did not have permission to query the ``dm_exec_sessions`` or ``dm_pdw_nodes_exec_sessions`` system views when trying to determine the current transaction isolation level. .. change:: :tags: bug, asyncio :tickets: 8419 Integrated support for asyncpg&#x27;s ``terminate()`` method call for cases where the connection pool is recycling a possibly timed-out connection, where a connection is being garbage collected that wasn&#x27;t gracefully closed, as well as when the connection has been invalidated. This allows asyncpg to abandon the connection without waiting for a response that may incur long timeouts. .. changelog:: ``` ### 1.4.40 ``` :released: August 8, 2022 .. change:: :tags: bug, orm :tickets: 8357 Fixed issue where referencing a CTE multiple times in conjunction with a polymorphic SELECT could result in multiple &quot;clones&quot; of the same CTE being constructed, which would then trigger these two CTEs as duplicates. To resolve, the two CTEs are deep-compared when this occurs to ensure that they are equivalent, then are treated as equivalent. .. change:: :tags: bug, orm, declarative :tickets: 8190 Fixed issue where a hierarchy of classes set up as an abstract or mixin declarative classes could not declare standalone columns on a superclass that would then be copied correctly to a :class:`_orm.declared_attr` callable that wanted to make use of them on a descendant class. .. change:: :tags: bug, types :tickets: 7249 Fixed issue where :class:`.TypeDecorator` would not correctly proxy the ``__getitem__()`` operator when decorating the :class:`_types.ARRAY` datatype, without explicit workarounds. .. change:: :tags: bug, asyncio :tickets: 8145 Added ``asyncio.shield()`` to the connection and session release process specifically within the ``__aexit__()`` context manager exit, when using :class:`.AsyncConnection` or :class:`.AsyncSession` as a context manager that releases the object when the context manager is complete. This appears to help with task cancellation when using alternate concurrency libraries such as ``anyio``, ``uvloop`` that otherwise don&#x27;t provide an async context for the connection pool to release the connection properly during task cancellation. .. change:: :tags: bug, postgresql :tickets: 4392 Fixed issue in psycopg2 dialect where the &quot;multiple hosts&quot; feature implemented for :ticket:`4392`, where multiple ``host:port`` pairs could be passed in the query string as ``?host=host1:port1&amp;host=host2:port2&amp;host=host3:port3`` was not implemented correctly, as it did not propagate the &quot;port&quot; parameter appropriately. Connections that didn&#x27;t use a different &quot;port&quot; likely worked without issue, and connections that had &quot;port&quot; for some of the entries may have incorrectly passed on that hostname. The format is now corrected to pass hosts/ports appropriately. As part of this change, maintained support for another multihost style that worked unintentionally, which is comma-separated ``?host=h1,h2,h3&amp;port=p1,p2,p3``. This format is more consistent with libpq&#x27;s query-string format, whereas the previous format is inspired by a different aspect of libpq&#x27;s URI format but is not quite the same thing. If the two styles are mixed together, an error is raised as this is ambiguous. .. change:: :tags: bug, sql :tickets: 8253 Adjusted the SQL compilation for string containment functions ``.contains()``, ``.startswith()``, ``.endswith()`` to force the use of the string concatenation operator, rather than relying upon the overload of the addition operator, so that non-standard use of these operators with for example bytestrings still produces string concatenation operators. .. change:: :tags: bug, orm :tickets: 8235 A :func:`_sql.select` construct that is passed a sole &#x27;*&#x27; argument for ``SELECT *``, either via string, :func:`_sql.text`, or :func:`_sql.literal_column`, will be interpreted as a Core-level SQL statement rather than as an ORM level statement. This is so that the ``*``, when expanded to match any number of columns, will result in all columns returned in the result. the ORM- level interpretation of :func:`_sql.select` needs to know the names and types of all ORM columns up front which can&#x27;t be achieved when ``&#x27;*&#x27;`` is used. If ``&#x27;*`` is used amongst other expressions simultaneously with an ORM statement, an error is raised as this can&#x27;t be interpreted correctly by the ORM. .. change:: :tags: bug, mssql :tickets: 8210 Fixed issues that prevented the new usage patterns for using DML with ORM objects presented at :ref:`orm_dml_returning_objects` from working correctly with the SQL Server pyodbc dialect. .. change:: :tags: bug, mssql :tickets: 8231 Fixed issue where the SQL Server dialect&#x27;s query for the current isolation level would fail on Azure Synapse Analytics, due to the way in which this database handles transaction rollbacks after an error has occurred. The initial query has been modified to no longer rely upon catching an error when attempting to detect the appropriate system view. Additionally, to better support this database&#x27;s very specific &quot;rollback&quot; behavior, implemented new parameter ``ignore_no_transaction_on_rollback`` indicating that a rollback should ignore Azure Synapse error &#x27;No corresponding transaction found. (111214)&#x27;, which is raised if no transaction is present in conflict with the Python DBAPI. Initial patch and valuable debugging assistance courtesy of ww2406. .. seealso:: :ref:`azure_synapse_ignore_no_transaction_on_rollback` .. change:: :tags: bug, mypy :tickets: 8196 Fixed a crash of the mypy plugin when using a lambda as a Column default. Pull request curtesy of tchapi. .. change:: :tags: usecase, engine Implemented new :paramref:`_engine.Connection.execution_options.yield_per` execution option for :class:`_engine.Connection` in Core, to mirror that of the same :ref:`yield_per &lt;orm_queryguide_yield_per&gt;` option available in the ORM. The option sets both the :paramref:`_engine.Connection.execution_options.stream_results` option at the same time as invoking :meth:`_engine.Result.yield_per`, to provide the most common streaming result configuration which also mirrors that of the ORM use case in its usage pattern. .. seealso:: :ref:`engine_stream_results` - revised documentation .. change:: :tags: bug, engine Fixed bug in :class:`_engine.Result` where the usage of a buffered result strategy would not be used if the dialect in use did not support an explicit &quot;server side cursor&quot; setting, when using :paramref:`_engine.Connection.execution_options.stream_results`. This is in error as DBAPIs such as that of SQLite and Oracle already use a non-buffered result fetching scheme, which still benefits from usage of partial result fetching. The &quot;buffered&quot; strategy is now used in all cases where :paramref:`_engine.Connection.execution_options.stream_results` is set. .. change:: :tags: bug, engine :tickets: 8199 Added :meth:`.FilterResult.yield_per` so that result implementations such as :class:`.MappingResult`, :class:`.ScalarResult` and :class:`.AsyncResult` have access to this method. .. changelog:: ``` ### 1.4.39 ``` :released: June 24, 2022 .. change:: :tags: bug, orm, regression :tickets: 8133 Fixed regression caused by :ticket:`8133` where the pickle format for mutable attributes was changed, without a fallback to recognize the old format, causing in-place upgrades of SQLAlchemy to no longer be able to read pickled data from previous versions. A check plus a fallback for the old format is now in place. .. changelog:: ``` ### 1.4.38 ``` :released: June 23, 2022 .. change:: :tags: bug, orm, regression :tickets: 8162 Fixed regression caused by :ticket:`8064` where a particular check for column correspondence was made too liberal, resulting in incorrect rendering for some ORM subqueries such as those using :meth:`.PropComparator.has` or :meth:`.PropComparator.any` in conjunction with joined-inheritance queries that also use legacy aliasing features. .. change:: :tags: bug, engine :tickets: 8115 Repaired a deprecation warning class decorator that was preventing key objects such as :class:`_engine.Connection` from having a proper ``__weakref__`` attribute, causing operations like Python standard library ``inspect.getmembers()`` to fail. .. change:: :tags: bug, sql :tickets: 8098 Fixed multiple observed race conditions related to :func:`.lambda_stmt`, including an initial &quot;dogpile&quot; issue when a new Python code object is initially analyzed among multiple simultaneous threads which created both a performance issue as well as some internal corruption of state. Additionally repaired observed race condition which could occur when &quot;cloning&quot; an expression construct that is also in the process of being compiled or otherwise accessed in a different thread due to memoized attributes altering the ``__dict__`` while iterated, for Python versions prior to 3.10; in particular the lambda SQL construct is sensitive to this as it holds onto a single statement object persistently. The iteration has been refined to use ``dict.copy()`` with or without an additional iteration instead. .. change:: :tags: bug, sql :tickets: 8084 Enhanced the mechanism of :class:`.Cast` and other &quot;wrapping&quot; column constructs to more fully preserve a wrapped :class:`.Label` construct, including that the label name will be preserved in the ``.c`` collection of a :class:`.Subquery`. The label was already able to render in the SQL correctly on the outside of the construct which it was wrapped inside. .. change:: :tags: bug, orm, sql :tickets: 8091 Fixed an issue where :meth:`_sql.GenerativeSelect.fetch` would not be applied when executing a statement using the ORM. .. change:: :tags: bug, orm :tickets: 8109 Fixed issue where a :func:`_orm.with_loader_criteria` option could not be pickled, as is necessary when it is carried along for propagation to lazy loaders in conjunction with a caching scheme. Currently, the only form that is supported as picklable is to pass the &quot;where criteria&quot; as a fixed module-level callable function that produces a SQL expression. An ad-hoc &quot;lambda&quot; can&#x27;t be pickled, and a SQL expression object is usually not fully picklable directly. .. change:: :tags: bug, schema :tickets: 8100, 8101 Fixed bugs involving the :paramref:`.Table.include_columns` and the :paramref:`.Table.resolve_fks` parameters on :class:`.Table`; these little-used parameters were apparently not working for columns that refer to foreign key constraints. In the first case, not-included columns that refer to foreign keys would still attempt to create a :class:`.ForeignKey` object, producing errors when attempting to resolve the columns for the foreign key constraint within reflection; foreign key constraints that refer to skipped columns are now omitted from the table reflection process in the same way as occurs for :class:`.Index` and :class:`.UniqueConstraint` objects with the same conditions. No warning is produced however, as we likely want to remove the include_columns warnings for all constraints in 2.0. In the latter case, the production of table aliases or subqueries would fail on an FK related table not found despite the presence of ``resolve_fks=False``; the logic has been repaired so that if a related table is not found, the :class:`.ForeignKey` object is still proxied to the aliased table or subquery (these :class:`.ForeignKey` objects are normally used in the production of join conditions), but it is sent with a flag that it&#x27;s not resolvable. The aliased table / subquery will then work normally, with the exception that it cannot be used to generate a join condition automatically, as the foreign key information is missing. This was already the behavior for such foreign key constraints produced using non-reflection methods, such as joining :class:`.Table` objects from different :class:`.MetaData` collections. .. change:: :tags: bug, sql :tickets: 8113 Adjusted the fix made for :ticket:`8056` which adjusted the escaping of bound parameter names with special characters such that the escaped names were translated after the SQL compilation step, which broke a published recipe on the FAQ illustrating how to merge parameter names into the string output of a compiled SQL string. The change restores the escaped names that come from ``compiled.params`` and adds a conditional parameter to :meth:`.SQLCompiler.construct_params` named ``escape_names`` that defaults to ``True``, restoring the old behavior by default. .. change:: :tags: bug, schema, mssql :tickets: 8111 Fixed issue where :class:`.Table` objects that made use of IDENTITY columns with a :class:`.Numeric` datatype would produce errors when attempting to reconcile the &quot;autoincrement&quot; column, preventing construction of the :class:`.Column` from using the :paramref:`.Column.autoincrement` parameter as well as emitting errors when attempting to invoke an :class:`_dml.Insert` construct. .. change:: :tags: bug, extensions :tickets: 8133 Fixed bug in :class:`.Mutable` where pickling and unpickling of an ORM mapped instance would not correctly restore state for mappings that contained multiple :class:`.Mutable`-enabled attributes. .. changelog:: ``` ### 1.4.37 ``` :released: May 31, 2022 .. change:: :tags: bug, mssql :tickets: 8062 Fix issue where a password with a leading &quot;{&quot; would result in login failure. .. change:: :tags: bug, sql, postgresql, sqlite :tickets: 8014 Fixed bug where the PostgreSQL :meth:`_postgresql.Insert.on_conflict_do_update` method and the SQLite :meth:`_sqlite.Insert.on_conflict_do_update` method would both fail to correctly accommodate a column with a separate &quot;.key&quot; when specifying the column using its key name in the dictionary passed to :paramref:`_postgresql.Insert.on_conflict_do_update.set_`, as well as if the :attr:`_postgresql.Insert.excluded` collection were used as the dictionary directly. .. change:: :tags: bug, sql :tickets: 8073 An informative error is raised for the use case where :meth:`_dml.Insert.from_select` is being passed a &quot;compound select&quot; object such as a UNION, yet the INSERT statement needs to append additional columns to support Python-side or explicit SQL defaults from the table metadata. In this case a subquery of the compound object should be passed. .. change:: :tags: bug, orm :tickets: 8064 Fixed issue where using a :func:`_orm.column_property` construct containing a subquery against an already-mapped column attribute would not correctly apply ORM-compilation behaviors to the subquery, including that the &quot;IN&quot; expression added for a single-table inherits expression would fail to be included. .. change:: :tags: bug, orm :tickets: 8001 Fixed issue where ORM results would apply incorrect key names to the returned :class:`.Row` objects in the case where the set of columns to be selected were changed, such as when using :meth:`.Select.with_only_columns`. .. change:: :tags: bug, mysql :tickets: 7966 Further adjustments to the MySQL PyODBC dialect to allow for complete connectivity, which was previously still not working despite fixes in :ticket:`7871`. .. change:: :tags: bug, sql :tickets: 7979 Fixed an issue where using :func:`.bindparam` with no explicit data or type given could be coerced into the incorrect type when used in expressions such as when using :meth:`_types.ARRAY.Comparator.any` and :meth:`_types.ARRAY.Comparator.all`. .. change:: :tags: bug, oracle :tickets: 8053 Fixed SQL compiler issue where the &quot;bind processing&quot; function for a bound parameter would not be correctly applied to a bound value if the bound parameter&#x27;s name were &quot;escaped&quot;. Concretely, this applies, among other cases, to Oracle when a :class:`.Column` has a name that itself requires quoting, such that the quoting-required name is then used for the bound parameters generated within DML statements, and the datatype in use requires bind processing, such as the :class:`.Enum` datatype. .. change:: :tags: bug, mssql, reflection :tickets: 8035 Explicitly specify the collation when reflecting table columns using MSSQL to prevent &quot;collation conflict&quot; errors. .. change:: :tags: bug, orm, oracle, postgresql :tickets: 8056 Fixed bug, likely a regression from 1.3, where usage of column names that require bound parameter escaping, more concretely when using Oracle with column names that require quoting such as those that start with an underscore, or in less common cases with some PostgreSQL drivers when using column names that contain percent s --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

kerem 2026-02-26 01:33:59 +03:00

• closed this issue
• added the
  pull-request
  label

kerem referenced this issue 2026-02-26 01:34:01 +03:00

[PR #310] [CLOSED] Scheduled weekly dependency update for week 07 #318

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

pyup-scheduled-update-2026-04-20

pyup-scheduled-update-2024-09-16

pyup-scheduled-update-2023-07-24

pyup-scheduled-update-2023-06-19

pyup-scheduled-update-2023-05-22

pyup-scheduled-update-2023-05-15

pyup-scheduled-update-2023-05-08

dependabot/pip/flask-2.3.2

pyup-scheduled-update-2023-05-01

pyup-scheduled-update-2023-04-03

dependabot/pip/werkzeug-2.2.3

pyup-scheduled-update-2022-11-14

pyup-scheduled-update-2022-10-03

pyup-scheduled-update-2022-08-01

pyup-scheduled-update-2022-06-13

pyup-scheduled-update-2022-05-30

pyup-scheduled-update-2022-03-07

pyup-scheduled-update-2022-01-10

pyup-scheduled-update-2021-11-01

pyup-scheduled-update-2020-10-05

pyup-scheduled-update-2019-09-30

pyup-scheduled-update-2019-07-29

pyup-scheduled-update-2019-07-22

pyup-scheduled-update-2019-05-27

pyup-scheduled-update-2019-03-11

marshmallow

pyup-scheduled-update-2019-02-25

pyup-scheduled-update-2019-02-18

pyup-scheduled-update-2019-01-28

pyup-scheduled-update-2019-01-14

docker

name-map-stupid

swagger

fix-pagination

doc-expansion

specify-schema

No results found.

Labels

Clear labels   

bug

  

duplicate

  

enhancement

  

help wanted

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

refactoring

  

research

  

wontfix

No labels

bug

duplicate

enhancement

help wanted

invalid

pull-request

question

refactoring

research

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/sandman2-jeffknupp#310

No description provided.