Changelog:
==========
- Fix AttributeError in cluster metrics recording when connection is None or
ClusterNode object instance is used to extract the connection info (#3999)
- Fixing security concern in repr methods for ConnectionPools - passwords might
leak in plain text logs (#3998)
- Refactored connection count and SCH metric collection (#4001)
- Refactored health check logic for MultiDBClient (#3994)
- Expose basic Otel classes and functions to be importable through
redis.observability to match the examples in the readthedocs
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
===========
- Make marshmallow.fields.Number and marshmallow.fields.Mapping abstract base
classes to prevent using them within Schemas
- Allow required to be set on marshmallow.fields.Contant
- Fix marshmallow.validate.OneOf emitting extra pairs when labels outnumber
choices
- Fix behavior when passing a dot-delimited attribute name to partial for a key
with data_key set
- Fix Enum field by-name lookup to only return actual members
- marshmallow.fields.DateTime with format="timestamp_ms" properly rejects bool
values
- Fix typing of error_essages argument to marshmallow.fields.Field
- Add ipaddress.* to marshmallow.Schema.TYPE_MAPPING
-
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Bug Fixes
==========
- HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2
ASGI requests, causing JSON parsing errors with "Extra data" messages (#3558)
- ASGI Chunked EOF Handling: Add finish() method to callback parser to handle
chunked encoding edge case where connection closes before final CRLF after
zero-chunk
- HTTP/2 Documentation: Fix http_protocols examples to use comma-separated
string instead of list syntax (#3561)
- Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC
9112 (#3556)
- Request Line Limit: Fix --limit-request-line 0 to mean unlimited as
documented, instead of using default maximum. Works with both Python and fast
C parser. (#3563)
- uWSGI Async Workers: Fix InvalidUWSGIHeader: incomplete header error when
using gevent or gthread workers with uwsgi protocol behind nginx.
- FileWrapper Iterator Protocol: Add __iter__ and __next__ methods to
FileWrapper for full PEP 3333 compliance. Previously only supported old-style
__getitem__ iteration which broke code explicitly using iter() or next().
Security =============
- ASGI Parser Header Validation: Add security checks per RFC 9110/9112:
- Reject duplicate Content-Length headers
- Reject requests with both Content-Length and Transfer-Encoding
- Reject chunked transfer encoding in HTTP/1.0
- Reject stacked chunked encoding
- Validate Transfer-Encoding values
- Strict chunk size validation
Changes ==========
- Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property
and InvalidChunkExtension validation for bare CR rejection
- ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser
- Docker Images: Update to Python 3.14
New Features ============
- Fast HTTP Parser (gunicorn_h1c 0.6.0): Integrate new exception types and
limit parameters from gunicorn_h1c 0.6.0 for both WSGI and ASGI workers
- Requires gunicorn_h1c >= 0.6.0 for http_parser='fast'
- Falls back to Python parser in auto mode if version not met
- Proper HTTP status codes for limit errors (414, 431)
Performance ============
- ASGI HTTP Parser Optimizations: Improve ASGI worker HTTP parsing performance
- Callback-based parsing with direct bytearray buffer operations
- Use bytearray.find() directly instead of converting to bytes first
- Use index-based iteration for header parsing instead of list.pop(0) (O(1) vs
O(n))
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Security fixes:
=================
- Remove import-time loading of timezone offset data from pickle to prevent
unsafe deserialization from packaged data
- Replace eval() use when parsing no_word_spacing with strict boolean
parsing to prevent code execution from locale metadata (#1056)
New features:
=============
- Add support for expressions like "N {interval} from now" in English (#1271)
- Add support for the en-US locale (#1222)
Fixes:
========
- Honor REQUIRE_PARTS for ambiguous month-number inputs by retrying with a
year-biased DATE_ORDER (#1298)
- Fix parsing word-number relative phrases such as "two days later" (#1316)
- Allow md5hash to work in FIPS environments (#1267)
Improvements:
=============
- Add Bosnian Cyrillic (ijekavica) date translations (#1293)
- Add a new browser-based demo to the project documentation (#1306)
- Update installation documentation to replace setup.py install guidance
- Add a project security policy
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
Fixed AttributeError in start_notify() and stop_notify() on Android.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
===========
- Dropped support for Python 3.9
- Added a ttl parameter to the anyio.functools.lru_cache wrapper
- Widened the type annotations of file I/O streams to accept IO[bytes] instead
of just BinaryIO
- Fixed anyio.Path not being compatible with Python 3.15 due to the removal of
pathlib.Path.is_reserved() and the addition of pathlib.Path.__vfspath__()
- Fixed the BrokenResourceError raised by the asyncio SocketStream not having
the original exception as its cause
- Fixed the TypeError raised when using "func" as a parameter name in
pytest.mark.parametrize when using the pytest plugin
- Fixed the pytest plugin not running tests that had the anyio marker added
programmatically via pytest_collection_modifyitems
- Fixed cancellation exceptions leaking from a CancelScope on asyncio when they
are contained in an exception group alongside non-cancellation exceptions
- Fixed Condition.wait() not passing on a notification when the task is
cancelled but already received a notification
- Fixed inverted condition in the process pool shutdown phase which would cause
still-running pooled processes not to be terminated
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changes:
* Support Python 3.14
* Fix bug in Levenshtein distance when substitution_cost > 2
* Fix bug in Treebank detokeniser re quote ordering
* Fix bug in Jaro similarity for empty strings
* Several security enhancements
* Fix GHSA-rf74-v2fm-23pw: unbounded recursion in JSONTaggedDecoder
* Implement TextTiling vocabulary introduction method (Hearst 1997)
* Fix ALINE feature matrix errors and add comprehensive tests
* Support multiple VerbNet versions, fix longid/shortid regex for VerbNet ids
* Let downloader fallback to md5 when sha256 is unavailable
* Several other minor bugfixes and code cleanups
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This CVE is disputed, and it is now tracked with an old version
of the application, it doesn't show up in the CVE report anymore.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
While in this case `RDEPENDS:class-target +=` wouldn't result in any
unwanted override, there is no guarantee there won't be a change, which
would be hidden by this override. To avoid any surprises in the future
let's use `:append:class-target =` syntax here.
Signed-off-by: Michal Sieron <michalwsieron@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This dependency was replaced with the standard compression.zstd module
in 1.1.0[1].
[1] ccf0def15e
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
===========
- Use bytearray for request body accumulation to avoid O(n^2) allocation on fragmented bodies
- Escape brackets and backslash in httptools HEADER_RE regex
- Fix multiple issues in websockets sans-io implementation
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
==============
- 'GenericPlainRegistry.parse_expression' now correctly returns a dimensionless
Quantity when taking a float, int, or NaN
- Replace MIP with scipy in 'Quantity.to_preferred'
- New unit formatting modifier added ('^') to format unit with negative
exponents
- Add atomic unit of electric field gradient
('atomic_unit_of_electric_field_gradient', 'a_u_efg')
- Defer expensive loading of dask.array
- Add support for numpy's 'vdot', 'inner', 'outer', 'linalg.outer', 'matvec',
'vecmat', 'tensordot', and 'linalg.tensordot'
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
============
- Fix test_hexadecimal_with_libc_bulk()
- Keep available deprecated aliases for mpc/mpf_log()
- Use version_file option of setuptools-scm to keep version info
- Add workaround for test on s390x
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
License-Update: Copyright year updated to 2026
Changelog:
==========
- add support for CMakeLists
- implement more move constructor in the C++ code
- add C++ tests
- add support for GraalPy
- add RiscV support
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
==========
- Fix: issue 2138 describes a memory leak that happened when repeatedly using
the Coverage API with in-memory data. This is now fixed.
- Fix: the markdown-formatted coverage report didn't fully escape special
characters in file paths (issue 2141). This would be very unlikely to cause a
problem, but now it's done properly
- Fix: the C extension wouldn't build on VS2019, but now it does
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
=========
- Added the max_depth decoder parameter to limit the maximum allowed nesting
level of containers, with a default value of 400 levels (CVE-2026-26209)
- Changed the default read_size from 4096 to 1 for backwards compatibility. The
buffered reads introduced in 5.8.0 could cause issues when code needs to
access the stream position after decoding. Users can opt-in to faster decoding
by passing read_size=4096 when they don't need to access the stream directly
after decoding. Added a direct read path for read_size=1 to avoid buffer
management overhead.
- Fixed C encoder not respecting string referencing when encoding string-type
datetimes (tag 0)
- Fixed a missed check for an exception in the C implementation of
CBOREncoder.encode_shared()
- Fixed two reference/memory leaks in the C extension's long string decoder
- Fixed C decoder ignoring the str_errors setting when decoding strings, and
improved string decoding performance by using stack allocation for small
strings and eliminating unnecessary conditionals. Benchmarks show 9-17% faster
deserialization.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
============
- Added adapter attribute to bleak.args.bluez.BlueZClientArgs and
bleak.args.bluez.BlueZScannerArgs.
- Added bluez keyword argument to BleakClient.
- Added new bleak.args.bluez.BlueZClientArgs class.
- Added bleak.exc.BleakGATTProtocolError and
bleak.exc.BleakGATTProtocolErrorCode classes.
- Added type hints and documentation for use_cached kwarg for read_gatt_char()
and read_gatt_descriptor() methods in BleakClient.
- Added support for "use_cached" kwarg to read_gatt_char() and
read_gatt_descriptor() methods in BlueZ backend.
- Deprecated adapter keyword argument in BleakScanner and BleakClient.
- Changed GATT read and write methods to raise BleakGATTProtocolError when a
GATT protocol error occurs.
- Changed start/stop scanning on CoreBluetooth so that the isScanning property
is not checked anymore.
- Changed BleakClient.write_gatt_descriptor() to raise ValueError when
attempting to write to the descriptor 0x2902 (Client Characteristic
Configuration Descriptor, CCCD). Use start_notify() and stop_notify() instead.
- Fixed occasional EOFError when disconnecting in BlueZ backend.
- Fixed a potential deadlock when turning off Bluetooth manually while starting
scanning on CoreBluetooth.
- Fixed reading descriptors 0x2900, 0x2902 and 0x2903 on CoreBluetooth backend.
- Fixed cyclic references problem in CoreBluetooth backend causing memory
leaks.
- Fixed typehint for BleakScanner.__aexit__().
- Removed undocumented/deprecated device keyword argument from
BleakScannerBlueZDBus and BleakClientBlueZDBus.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
