- No changes from 2.1rc4.
- Add static license specifier LicenseRef-Repoze-BSD-derived to the package metadata to satisfy SPDX license format.
- Add "Operating System :: Independent" trove classifier.
- Remove static license specifier in metadata, relying on the license file instead.
- Switch dev dependencies to using dependency groups instead of extras. See #3810
- Update GitHub Actions to install Python versions using uv instead of setup-python to support versions that aren't available by default on hosted runner images. See #3810
Add support for Python 3.12, 3.13, and 3.14.
Added HTTP 418 error code via pyramid.httpexceptions.HTTPImATeapot. See #3667
Base coverage reports in tests on Python 3.14 instead of Python 3.8.
All scripts now pass a new option __script__ when loading the WSGI app. For example, pserve sets __script__ == 'pserve'. This works for pserve, pshell, prequest, proutes, ptweens, pviews, as well as when using pyramid.paster.bootstrap directly. When using plaster-pastedeploy to load an INI file, this option will manifest as a new value passed into the global_conf arg of your application factory, where you can use it as part of initializing your app. See #3735
Replace usage of md5 in the Pyramid view system with sha256. This is not a security-related feature and is considered an implementation detail that should not impact users. See #3745
Replace usage of pkg_resources in pyramid.path.DottedNameResolver. See #3748
Replace usage of pkg_resources in pdistreport and pshell CLI commands. See #3749
Constrain setuptools < 82 to remain compatible with required pkg_resources features. Work continues to fully remove pkg_resources from Pyramid code in future releases. See #3795
Remove internal usages of deprecated locale and datetime APIs to reduce deprecation warnings. See #3808
Fix issues where permissions may be checked on exception views. This is not supposed to happen in normal circumstances. This also prevents issues where a request.url fails to be decoded when logging info when pyramid.debug_authorization is enabled. See #3741
Applications raising pyramid.exceptions.BadCSRFToken and pyramid.exceptions.BadCSRFOrigin were returning invalid HTTP status lines with values like 400 Bad CSRF Origin instead of 400 Bad Request. See #3742
The methods LegacySessionCSRFStoragePolicy.check_csrf_token, SessionCSRFStoragePolicy.check_csrf_token and CookieCSRFStoragePolicy.check_csrf_token now use errors='backslashreplace' when encoding the supplied_token to "latin-1". Previously UnicodeEncodeError was raised when supplied_token could not be encoded to "latin-1". See #3800
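The encoding change in the check_csrf_token entry above, shown as an added example that is not Pyramid's own code: it contrasts a strict "latin-1" encode with errors='backslashreplace' on constructed tokens. The function names, the sample token and the use of hmac.compare_digest are assumptions made for illustration.

```python
import hmac

# Constructed sample value; stands in for the token held by the storage policy.
EXPECTED_TOKEN = "0123456789abcdef0123456789abcdef"


def check_strict(expected: str, supplied: str) -> bool:
    """Earlier behaviour per the changelog entry: a strict latin-1 encode."""
    return hmac.compare_digest(
        expected.encode("latin-1"), supplied.encode("latin-1")
    )


def check_backslashreplace(expected: str, supplied: str) -> bool:
    """Current behaviour per the changelog entry: unencodable characters
    are escaped instead of raising."""
    supplied_bytes = supplied.encode("latin-1", errors="backslashreplace")
    # The escaped form always contains a backslash, so it cannot equal a
    # token made only of hex digits (an assumption about the token format).
    return hmac.compare_digest(expected.encode("latin-1"), supplied_bytes)


def outcome(checker, supplied: str) -> str:
    """Classify a supplied token the way the calling application sees it."""
    try:
        return "accepted" if checker(EXPECTED_TOKEN, supplied) else "rejected"
    except UnicodeEncodeError:
        # Not a CSRF failure: an unexpected exception in the check itself.
        return "unhandled error"


# Constructed inputs: the valid token, a wrong token, and a token carrying
# a character (U+20AC) that has no latin-1 encoding.
SAMPLES = [EXPECTED_TOKEN, "f" * 32, "0123456789abcdef\u20ac"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(
            ascii(sample),
            "| strict:", outcome(check_strict, sample),
            "| backslashreplace:", outcome(check_backslashreplace, sample),
        )
```

With the strict encode, the third input surfaces as an exception rather than a failed CSRF check; with backslashreplace it is rejected like any other wrong token.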
- Drop support for Python 3.6, 3.7, 3.8, and 3.9.
- Drop support for l*gettext() methods in the i18n module. These have been deprecated in Python's gettext module since 3.8, and removed in Python 3.11.
- Add get_spec method to IPackageOverrides. See #3792
- When using a cache buster with asset overrides, the cache buster will find the first existing file in the override stack, rather than taking the first override regardless of whether the file exists or not. See #3792
- Deprecated the ability to use a non-existent package with pyramid.config.Configurator.add_static_view and pyramid.static.static_view. This can be fixed by choosing a path located within a real package as the root_dir for your static files. This is almost always either a misconfig or an attempt to define an alias location for use with pyramid.config.Configurator.override_asset. See #3752
- Sync the SQLAlchemy Wiki tutorial with changes to the pyramid-cookiecutter-starter. Includes updates to use pyproject.toml to replace separate config files for pytest, coverage, and setuptools. Also upgrades patterns to support SQLAlchemy 2.0. See #3747
- Sync the ZODB Wiki tutorial with changes to the pyramid-cookiecutter-starter. Includes updates to use pyproject.toml to replace separate config files for pytest, coverage, and setuptools. See #3751