| toc_depth |
|---|
2 |
- Drop Python 3.8 support #2823.
- Remove
ExceptionMiddlewareimport proxy fromstarlette.exceptionsmodule #2826. - Remove deprecated
WS_1004_NO_STATUS_RCVDandWS_1005_ABNORMAL_CLOSURE#2827.
- Remove deprecated
allow_redirectsargument fromTestClient#2808.
- Make UUID path parameter conversion more flexible #2806.
- Raise
ClientDisconnectonStreamingResponse#2732.
- Use ETag from headers when parsing If-Range in FileResponse #2761.
- Follow directory symlinks in
StaticFileswhenfollow_symlinks=True#2711. - Bump minimum
python-multipartversion to0.0.180ba8395. - Bump minimum
httpxversion to0.27.0#2773.
- Exclude the query parameters from the
scope[raw_path]on theTestClient#2716. - Replace
dictbyMappingonHTTPException.headers#2749. - Correct middleware argument passing and improve factory pattern #2752.
- Revert bump on
python-multipartonstarlette[full]extras #2737.
- Bump minimum
python-multipartversion to0.0.13#2734. - Change
python-multipartimport topython_multipart#2733.
- Allow to raise
HTTPExceptionbeforewebsocket.accept()#2725.
This release fixes a Denial of service (DoS) via multipart/form-data requests.
You can view the full security advisory: GHSA-f96h-pmfr-66vw
- Add
max_part_sizetoMultiPartParserto limit the size of parts inmultipart/form-datarequests fd038f3.
- Allow use of
request.url_forwhen only "app" scope is available #2672. - Fix internal type hints to support
python-multipart==0.0.12#2708.
- Avoid regex re-compilation in
responses.pyandschemas.py#2700. - Improve performance of
get_route_pathby removing regular expression usage #2701. - Consider
FileResponse.chunk_sizewhen handling multiple ranges #2703. - Use
token_hexfor generating multipart boundary strings #2702.
- Add support for HTTP Range to
FileResponse#2697.
- Close unclosed
MemoryObjectReceiveStreaminTestClient#2693.
- Schedule
BackgroundTasksfrom withinBaseHTTPMiddleware#2688. This behavior was removed in 0.38.3, and is now restored.
- Ensure accurate
root_pathremoval inget_route_pathfunction #2600.
- Support for Python 3.13 #2662.
- Don't poll for disconnects in
BaseHTTPMiddlewareviaStreamingResponse#2620.
- Not assume all routines have
__name__onrouting.get_name()#2648.
- Revert "Add support for ASGI pathsend extension" #2649.
- Allow use of
memoryviewinStreamingResponseandResponse#2576 and #2577. - Send 404 instead of 500 when filename requested is too long on
StaticFiles#2583.
- Fail fast on invalid
Jinja2Templateinstantiation parameters #2568. - Check endpoint handler is async only once #2536.
- Add proper synchronization to
WebSocketTestSession#2597.
- Add
bytesto_RequestDatatype #2510.
- Revert "Turn
scope["client"]toNoneonTestClient(#2377)" #2525. - Remove deprecated
appargument passed tohttpx.Clienton theTestClient#2526.
- Warn instead of raise for missing env file on
Config#2485.
- Support the WebSocket Denial Response ASGI extension #2041.
- Create
anyio.Eventon async context #2459.
- Check if "extensions" in scope before checking the extension #2438.
- Add support for ASGI
pathsendextension #2435. - Cancel
WebSocketTestSessionon close #2427. - Raise
WebSocketDisconnectwhenWebSocket.send()exceptsIOError#2425. - Raise
FileNotFoundErrorwhen theenv_fileparameter onConfigis not valid #2422.
- Stop using the deprecated "method" parameter in
FileResponseinside ofStaticFiles#2406. - Make
typing-extensionsoptional again #2409.
- Add
*argstoMiddlewareand improve its type hints #2381.
- Use
IterableinsteadIteratoroniterate_in_threadpool#2362.
- Handle
root_pathto keep compatibility with mounted ASGI applications and WSGI #2400. - Turn
scope["client"]toNoneonTestClient#2377.
- Deprecate
FileResponse(method=...)parameter #2366.
- Do not overwrite
"path"and"root_path"scope keys #2352. - Set
ensure_ascii=Falseonjson.dumps()forWebSocket.send_json()#2341.
- Revert mkdocs-material from 9.1.17 to 9.4.7 #2326.
- Inherit from
HTMLResponseinstead ofResponseon_TemplateResponse#2274. - Restore the
Response.rendertype annotation to its pre-0.31.0 state #2264.
- Fix import error when
exceptiongroupisn't available #2231. - Set
url_forglobal for custom Jinja environments #2230.
- Officially support Python 3.12 #2214.
- Support AnyIO 4.0 #2211.
- Strictly type annotate Starlette (strict mode on mypy) #2180.
- Don't group duplicated headers on a single string when using the
TestClient#2219.
- Drop Python 3.7 support #2178.
- Add
follow_redirectsparameter toTestClient#2207. - Add
__str__toHTTPExceptionandWebSocketException#2181. - Warn users when using
lifespantogether withon_startup/on_shutdown#2193. - Collect routes from
Hostto generate the OpenAPI schema #2183. - Add
requestargument toTemplateResponse#2191.
- Stop
body_streamin casemore_body=FalseonBaseHTTPMiddleware#2194.
- Reuse
Request's body buffer for call_next inBaseHTTPMiddleware#1692. - Move exception handling logic to
Route#2026.
- Add
envparameter toJinja2Templates, and deprecate**env_options#2159. - Add clear error message when
httpxis not installed #2177.
- Allow "name" argument on
templates url_for()#2127.
This release fixes a path traversal vulnerability in StaticFiles. You can view the full security advisory:
https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px
- Minify JSON websocket data via
send_json#2128
- Replace
commonprefixbycommonpathonStaticFiles1797de4. - Convert ImportErrors into ModuleNotFoundError #2135.
- Correct the RuntimeError message content in websockets #2141.
- Fix typing of Lifespan to allow subclasses of Starlette #2077.
- Replace reference from Events to Lifespan on the mkdocs.yml #2072.
- Support lifespan state #2060, #2065 and #2064.
- Change
url_forsignature to return aURLinstance #1385.
- Allow "name" argument on
url_for()andurl_path_for()#2050.
- Deprecate
on_startupandon_shutdownevents #2070.
- Limit the number of fields and files when parsing
multipart/form-dataon theMultipartParser8c74c2c and #2036.
- Allow
StaticFilesto follow symlinks #1683. - Allow
Request.form()as a context manager #1903. - Add
sizeattribute toUploadFile#1405. - Add
env_prefixargument toConfig#1990. - Add template context processors #1904.
- Support
stranddatetimeonexpiresparameter on theResponse.set_cookiemethod #1908.
- Lazily build the middleware stack #2017.
- Make the
fileargument required onUploadFile#1413. - Use debug extension instead of custom response template extension #1991.
- Fix url parsing of ipv6 urls on
URL.replace#1965.
- Only stop receiving stream on
body_streamif body is empty on theBaseHTTPMiddleware#1940.
- Add
headersparameter to theTestClient#1966.
- Deprecate
StarletteandRouterdecorators #1897.
- Fix bug on
FloatConvertorregex #1973.
- Bypass
GZipMiddlewarewhen response includesContent-Encoding#1901.
- Remove unneeded
unquote()from query parameters on theTestClient#1953. - Make sure
MutableHeaders._listis actually alist#1917. - Import compatibility with the next version of
AnyIO#1936.
This release replaces the underlying HTTP client used on the TestClient (requests β‘οΈ httpx), and as those clients differ a bit on their API, your test suite will likely break. To make the migration smoother, you can use the bump-testclient tool.
- Replace
requestswithhttpxinTestClient#1376.
- Add
WebSocketExceptionand support for WebSocket exception handlers #1263. - Add
middlewareparameter toMountclass #1649. - Officially support Python 3.11 #1863.
- Implement
__repr__for route classes #1864.
- Fix bug on which
BackgroundTaskswere cancelled when usingBaseHTTPMiddlewareand client disconnected #1715.
- Remove converter from path when generating OpenAPI schema #1648.
- Revert "Allow
StaticFilesto follow symlinks" #1681.
- Improve detection of async callables #1444.
- Send 400 (Bad Request) when
boundaryis missing #1617. - Send 400 (Bad Request) when missing "name" field on
Content-Dispositionheader #1643. - Do not send empty data to
StreamingResponseonBaseHTTPMiddleware#1609. - Add
__bool__dunder forSecret#1625.
- Fix inference of
Route.namewhen created from methods #1553. - Avoid
TypeErroronwebsocket.disconnectwhen code isNone#1574.
- Deprecate
WS_1004_NO_STATUS_RCVDandWS_1005_ABNORMAL_CLOSUREin favor ofWS_1005_NO_STATUS_RCVDandWS_1006_ABNORMAL_CLOSURE, as the previous constants didn't match the WebSockets specs #1580.
- Error handler will always run, even if the error happens on a background task #761.
- Add
headersparameter toHTTPException#1435. - Internal responses with
405status code insert anAllowheader, as described by RFC 7231 #1436. - The
contentargument inJSONResponseis now required #1431. - Add custom URL convertor register #1437.
- Add content disposition type parameter to
FileResponse#1266. - Add next query param with original request URL in requires decorator #920.
- Add
raw_pathtoTestClientscope #1445. - Add union operators to
MutableHeaders#1240. - Display missing route details on debug page #1363.
- Change
anyiorequired version range to>=3.4.0,<5.0#1421 and #1460. - Add
typing-extensions>=3.10requirement - used only on lower versions than Python 3.10 #1475.
- Prevent
BaseHTTPMiddlewarefrom hiding errors ofStreamingResponseand mounted applications #1459. SessionMiddlewareuses an explicitpath=..., instead of defaulting to the ASGI 'root_path' #1512.Request.clientis now compliant with the ASGI specifications #1462.- Raise
KeyErrorat early stage for missing boundary #1349.
- Change default chunk size from 4Kb to 64Kb on
FileResponse#1345. - Add support for
functools.partialinWebSocketRoute#1356. - Add
StaticFilespackages with directory #1350. - Allow environment options in
Jinja2Templates#1401. - Allow HEAD method on
HttpEndpoint#1346. - Accept additional headers on
websocket.acceptmessage #1361 and #1422. - Add
reasontoWebSocketclose ASGI event #1417. - Add headers attribute to
UploadFile#1382. - Don't omit
Content-Lengthheader forContent-Length: 0cases #1395. - Don't set headers for responses with 1xx, 204 and 304 status code #1397.
SessionMiddleware.max_agenow acceptsNone, so cookie can last as long as the browser session #1387.
- Tweak
hashlib.md5()function onFileResponses ETag generation. The parameterusedforsecurityflag is set toFalse, if the flag is available on the system. This fixes an error raised on systems with FIPS enabled #1366 and #1410. - Fix
path_paramstype onurl_path_for()method i.e. turnstrintoAny#1341. Hostnow ignoresporton routing #1322.
- Fix
IndexErrorin authenticationrequireswhen wrapped function arguments are distributed between*argsand**kwargs#1335.
Response.delete_cookienow accepts the same parameters asResponse.set_cookie#1228.- Update the
Jinja2Templatesconstructor to allowPathLike#1292.
- Fix BadSignature exception handling in SessionMiddleware #1264.
- Change
HTTPConnection.__getitem__return type fromstrtotyping.Any#1118. - Change
ImmutableMultiDict.getlistreturn type fromtyping.List[str]totyping.List[typing.Any]#1235. - Handle
OSErrorexceptions onStaticFiles#1220. - Fix
StaticFiles404.html in HTML mode #1314. - Prevent anyio.ExceptionGroup in error views under a BaseHTTPMiddleware #1262.
- Remove GraphQL support #1198.
starlette.websockets.WebSocketinstances are now hashable and compare by identity #1039- A number of fixes related to running task groups in lifespan #1213, #1227
- The method
starlette.templates.Jinja2Templates.get_envwas removed #1218 - The ClassVar
starlette.testclient.TestClient.async_backendwas removed, the backend is now configured using constructor kwargs #1211 - Passing an Async Generator Function or a Generator Function to
starlette.routing.Router(lifespan=)is deprecated. You should wrap your lifespan in@contextlib.asynccontextmanager. #1227 #1110
This release includes major changes to the low-level asynchronous parts of Starlette. As a result, Starlette now depends on AnyIO and some minor API changes have occurred. Another significant change with this release is the deprecation of built-in GraphQL support.
- Starlette now supports Trio as an async runtime via AnyIO - #1157.
TestClient.websocket_connect()now must be used as a context manager.- Initial support for Python 3.10 - #1201.
- The compression level used in
GZipMiddlewareis now adjustable - #1128.
- Several fixes to
CORSMiddleware. See #1111, #1112, #1113, #1199. - Improved exception messages in the case of duplicated path parameter names - #1177.
RedirectResponsenow usesquoteinstead ofquote_plusencoding for theLocationheader to better match the behaviour in other frameworks such as Django - #1164.- Exception causes are now preserved in more cases - #1158.
- Session cookies now use the ASGI root path in the case of mounted applications - #1147.
- Fixed a cache invalidation bug when static files were deleted in certain circumstances - #1023.
- Improved memory usage of
BaseHTTPMiddlewarewhen handling large responses - #1012 fixed via #1157
- Built-in GraphQL support via the
GraphQLAppclass has been deprecated and will be removed in a future release. Please see #619. GraphQL is not supported on Python 3.10. - The
executorparameter toGraphQLAppwas removed. Useexecutor_classinstead. - The
workersparameter toWSGIMiddlewarewas removed. This hasn't had any effect since Starlette v0.6.3.
- Fixed
ServerErrorMiddlewarecompatibility with Python 3.9.1/3.8.7 when debug mode is enabled - #1132. - Fixed unclosed socket
ResourceWarnings when using theTestClientwith WebSocket endpoints - #1132. - Improved detection of
asyncendpoints wrapped infunctools.partialon Python 3.8+ - #1106.
UJSONResponsewas removed (this change was intended to be included in 0.14.0). Please see the documentation for how to implement responses using custom JSON serialization - #1074.
- Starlette now officially supports Python3.9.
- In
StreamingResponse, allow custom async iterator such as objects from classes implementing__aiter__. - Allow usage of
functools.partialasync handlers in Python versions 3.6 and 3.7. - Add 418 I'm A Teapot status code.
- Create tasks from handler coroutines before sending them to
asyncio.wait. - Use
format_exceptioninstead offormat_tbinServerErrorMiddleware'sdebugresponses. - Be more lenient with handler arguments when using the
requiresdecorator.
-
Revert
Queue(maxsize=1)fix forBaseHTTPMiddlewaremiddleware classes and streaming responses. -
The
StaticFilesconstructor now allowspathlib.Pathin addition to strings for itsdirectoryargument.
- Fix high memory usage when using
BaseHTTPMiddlewaremiddleware classes and streaming responses.
- Fix 404 errors with
StaticFiles.
- Add support for
Starlette(lifespan=...)functions. - More robust path-traversal check in StaticFiles app.
- Fix WSGI PATH_INFO encoding.
- RedirectResponse now accepts optional background parameter
- Allow path routes to contain regex meta characters
- Treat ASGI HTTP 'body' as an optional key.
- Don't use thread pooling for writing to in-memory upload files.
- Switch to promoting application configuration on init style everywhere. This means dropping the decorator style in favour of declarative routing tables and middleware definitions.
- Fix
request.url_for()for the Mount-within-a-Mount case.
- Fix
request.url_for()when an ASGIroot_pathis being used.
- Add
URL.include_query_params(**kwargs) - Add
URL.replace_query_params(**kwargs) - Add
URL.remove_query_params(param_names) request.stateproperly persisting across middleware.- Added
request.scopeinterface.
- Switch to ASGI 3.0.
- Fixes to CORS middleware.
- Add
StaticFiles(html=True)support. - Fix path quoting in redirect responses.
- Add
request.stateinterface, for storing arbitrary additional information. - Support disabling GraphiQL with
GraphQLApp(..., graphiql=False).
DatabaseMiddlewareis now dropped in favour ofdatabases- Templates are no longer configured on the application instance. Use
templates = Jinja2Templates(directory=...)andreturn templates.TemplateResponse('index.html', {"request": request}) - Schema generation is no longer attached to the application instance. Use
schemas = SchemaGenerator(...)andreturn schemas.OpenAPIResponse(request=request) LifespanMiddlewareis dropped in favor of router-based lifespan handling.- Application instances now accept a
routesargument,Starlette(routes=[...]) - Schema generation now includes mounted routes.
- Add
Lifespanrouting component.
- Ensure
templatingdoes not strictly requirejinja2to be installed.
- Templates are now configured independently from the application instance.
templates = Jinja2Templates(directory=...). Existing API remains in place, but is no longer documented, and will be deprecated in due course. See the template documentation for more details.
- Move to independent
databasespackage instead ofDatabaseMiddleware. Existing API remains in place, but is no longer documented, and will be deprecated in due course.
- Don't drop explicit port numbers on redirects from
HTTPSRedirectMiddleware.
- Add MySQL database support.
- Add host-based routing.
- WebSockets now default to sending/receiving JSON over text data frames. Use
.send_json(data, mode="binary")and.receive_json(mode="binary")for binary framing. GraphQLAppnow takes anexecutor_classargument, which should be used in preference to the existingexecutorargument. Resolves an issue with async executors being instantiated before the event loop was setup. Theexecutorargument is expected to be deprecated in the next median or major release.- Authentication and the
@requiresdecorator now support WebSocket endpoints. MultiDictandImmutableMultiDictclasses are available inuvicorn.datastructures.QueryParamsis now instantiated with standard dict-style*args, **kwargsarguments.
- Session cookies now include browser 'expires', in addition to the existing signed expiry.
request.form()now returns a multi-dict interface.- The query parameter multi-dict implementation now mirrors
dictmore correctly for the behavior of.keys(),.values(), and.items()when multiple same-key items occur. - Use
urlsplitthroughout in favor ofurlparse.
- Support
@requires(...)on class methods. - Apply URL escaping to form data.
- Support
HEADrequests automatically. - Add
await request.is_disconnected(). - Pass operationName to GraphQL executor.
- Add
TemplateResponse. - Add
CommaSeparatedStringsdatatype. - Add
BackgroundTasksfor multiple tasks. - Common subclass for
RequestandWebSocket, to eg. sharesessionfunctionality. - Expose remote address with
request.client.
- Add
request.database.executemany.
- Ensure that
AuthenticationMiddlewarehandles lifespan messages correctly.
- Add
AuthenticationMiddleware, and@requires()decorator.
- Support either
strorSecretforSessionMiddleware(secret_key=...).
- Add
config.environ. - Add
datastructures.Secret. - Add
datastructures.DatabaseURL.
- Add
config.Config(".env")
- Add optional database support.
- Add
requestto GraphQL context. - Hide any password component in
URL.__repr__.
- Handle startup/shutdown errors properly.
TestClientcan now be used as a context manager, instead ofLifespanContext.- Lifespan is now handled as middleware. Startup and Shutdown events are visible throughout the middleware stack.
- Better support for third-party API schema generators.
- Support chunked requests with TestClient.
- Cleanup asyncio tasks properly with WSGIMiddleware.
- Support using TestClient within endpoints, for service mocking.
- Session cookies are now set on the root path.
- Support URL convertors.
- Support HTTP 304 cache responses from
StaticFiles. - Resolve character escaping issue with form data.
- Default to empty body on responses.
- Add 'name' argument to
@app.route(). - Use 'Host' header for URL reconstruction.
- StaticFiles no longer reads the file for responses to
HEADrequests.
- Add a default templating configuration with Jinja2.
Allows the following:
app = Starlette(template_directory="templates")
@app.route('/')
async def homepage(request):
# `url_for` is available inside the template.
template = app.get_template('index.html')
content = template.render(request=request)
return HTMLResponse(content)- Add support for
@app.exception_handler(404). - Ensure handled exceptions are not seen as errors by the middleware stack.
- Add
max_age, and use timestamp-signed cookies. Defaults to two weeks.
- Ensure cookies are strictly HTTP correct.
- Check directory exists on instantiation.
- Add
starlette.concurrency.run_in_threadpool. Now handlescontextvarsupport.
- Add
name=support toapp.mount(). This allows eg:app.mount('/static', StaticFiles(directory='static'), name='static').
- Add support for
@app.middleware("http")decorator.
- Add "endpoint" to ASGI scope.
- Improve debug traceback information & styling.
- Support mounted URL lookups with "path=", eg.
url_for('static', path=...). - Support nested URL lookups, eg.
url_for('admin:user', username=...). - Add redirect slashes support.
- Add www redirect support.
- Add background task support to
FileResponseandStreamingResponse.
- Add
app.schema_generator = SchemaGenerator(...). - Add
app.schemaproperty. - Add
OpenAPIResponse(...).
- Drop
app.add_graphql_route("/", ...)in favor of more consistentapp.add_route("/", GraphQLApp(...)).
- Support routing to methods.
- Ensure
url_path_forworks with Mount('/{some_path_params}'). - Fix Router(default=) argument.
- Support repeated paths, like:
@app.route("/", methods=["GET"]),@app.route("/", methods=["POST"]) - Use the default ThreadPoolExecutor for all sync endpoints.
Added support for request.session, with SessionMiddleware.
Added support for BaseHTTPMiddleware, which provides a standard
request/response interface over a regular ASGI middleware.
This means you can write ASGI middleware while still working at a request/response level, rather than handling ASGI messages directly.
from starlette.applications import Starlette
from starlette.middleware.base import BaseHTTPMiddleware
class CustomMiddleware(BaseHTTPMiddleware):
async def dispatch(self, request, call_next):
response = await call_next(request)
response.headers['Custom-Header'] = 'Example'
return response
app = Starlette()
app.add_middleware(CustomMiddleware)The biggest change in 0.6 is that endpoint signatures are no longer:
async def func(request: Request, **kwargs) -> ResponseInstead we just use:
async def func(request: Request) -> ResponseThe path parameters are available on the request as request.path_params.
This is different to most Python webframeworks, but I think it actually ends up being much more nicely consistent all the way through.
Request and WebSocketSession now support URL reversing with request.url_for(name, **path_params).
This method returns a fully qualified URL instance.
The URL instance is a string-like object.
Applications now support URL path reversing with app.url_path_for(name, **path_params).
This method returns a URL instance with the path and scheme set.
The URL instance is a string-like object, and will return only the path if coerced to a string.
Applications now support a .routes parameter, which returns a list of [Route|WebSocketRoute|Mount].
The low level components to Router now match the @app.route(), @app.websocket_route(), and app.mount() signatures.