Update Werkzeug dependency to >= 2.2.2. This includes fixes relatedto the new faster router, header parsing, and the developmentserver.#4754

Fix the default value forapp.env to be"production". Thisattribute remains deprecated.#4740

Setting or accessingjson_encoder orjson_decoder raises adeprecation warning.#4732

Remove previously deprecated code.#4667

• Old names for somesend_file parameters have been removed.download_name replacesattachment_filename,max_agereplacescache_timeout, andetag replacesadd_etags.Additionally,path replacesfilename insend_from_directory.

• TheRequestContext.g property returningAppContext.g isremoved.

Update Werkzeug dependency to >= 2.2.

The app and request contexts are managed using Python context varsdirectly rather than Werkzeug'sLocalStack. This should resultin better performance and memory use.#4682

• Extension maintainers, be aware that_app_ctx_stack.topand_request_ctx_stack.top are deprecated. Store data ong instead using a unique prefix, likeg._extension_name_attr.

TheFLASK_ENV environment variable andapp.env attribute aredeprecated, removing the distinction between development and debugmode. Debug mode should be controlled directly using the--debugoption orapp.run(debug=True).#4714

Some attributes that proxied config keys onapp are deprecated:session_cookie_name,send_file_max_age_default,use_x_sendfile,propagate_exceptions, andtemplates_auto_reload. Use the relevant config keys instead.#4716

Add new customization points to theFlask app object for manypreviously global behaviors.

• flask.url_for will callapp.url_for.#4568

• flask.abort will callapp.aborter.Flask.aborter_class andFlask.make_aborter can be usedto customize this aborter.#4567

• flask.redirect will callapp.redirect.#4569

• flask.json is an instance ofJSONProvider. A differentprovider can be set to use a different JSON library.flask.jsonify will callapp.json.response, otherfunctions inflask.json will call corresponding functions inapp.json.#4692

JSON configuration is moved to attributes on the defaultapp.json provider.JSON_AS_ASCII,JSON_SORT_KEYS,JSONIFY_MIMETYPE, andJSONIFY_PRETTYPRINT_REGULAR aredeprecated.#4692

Setting customjson_encoder andjson_decoder classes on theapp or a blueprint, and the correspondingjson.JSONEncoder andJSONDecoder classes, are deprecated. JSON behavior can now beoverridden using theapp.json provider interface.#4692

json.htmlsafe_dumps andjson.htmlsafe_dump are deprecated,the function is built-in to Jinja now.#4692

Refactorregister_error_handler to consolidate error checking.Rewrite some error messages to be more consistent.#4559

Use Blueprint decorators and functions intended for setup afterregistering the blueprint will show a warning. In the next version,this will become an error just like the application setup methods.#4571

before_first_request is deprecated. Run setup code when creatingthe application instead.#4605

Added theView.init_every_request class attribute. If a viewsubclass sets this toFalse, the view will not create a newinstance on every request.#2520.

Aflask.cli.FlaskGroup Click group can be nested as asub-command in a custom CLI.#3263

Add--app and--debug options to theflask CLI, insteadof requiring that they are set through environment variables.#2836

Add--env-file option to theflask CLI. This allowsspecifying a dotenv file to load in addition to.env and.flaskenv.#3108

It is no longer required to decorate custom CLI commands onapp.cli orblueprint.cli with@with_appcontext, an appcontext will already be active at that point.#2410

SessionInterface.get_expiration_time uses a timezone-awarevalue.#4645

View functions can return generators directly instead of wrappingthem in aResponse.#4629

Addstream_template andstream_template_string functions torender a template as a stream of pieces.#4629

A new implementation of context preservation during debugging andtesting.#4666

• request,g, and other context-locals point to thecorrect data when running code in the interactive debuggerconsole.#2836

• Teardown functions are always run at the end of the request,even if the context is preserved. They are also run after thepreserved context is popped.

• stream_with_context preserves context separately from awithclient block. It will be cleaned up whenresponse.get_data() orresponse.close() is called.

Allow returning a list from a view function, to convert it to aJSON response like a dict is.#4672

When type checking, allowTypedDict to be returned from viewfunctions.#4695

Remove the--eager-loading/--lazy-loading options from theflaskrun command. The app is always eager loaded the firsttime, then lazily loaded in the reloader. The reloader always printserrors immediately but continues serving. Remove the internalDispatchingApp middleware used by the previous implementation.#4715

Inline some optional imports that are only used for certain CLIcommands.#4606

Relax type annotation forafter_request functions.#4600

instance_path for namespace packages uses the path closest tothe imported submodule.#4610

Clearer error message whenrender_template andrender_template_string are used outside an application context.#4693

Fix type annotation forjson.loads, it accepts str or bytes.#4519

The--cert and--key options onflaskrun can be givenin either order.#4459

Set the minimum required version of importlib_metadata to 3.6.0,which is required on Python < 3.10.#4502

Drop support for Python 3.6.#4335

Update Click dependency to >= 8.0.#4008

Remove previously deprecated code.#4337

• The CLI does not passscript_info to app factory functions.

• config.from_json is replaced byconfig.from_file(name,load=json.load).

• json functions no longer take anencoding parameter.

• safe_join is removed, usewerkzeug.utils.safe_joininstead.

• total_seconds is removed, usetimedelta.total_secondsinstead.

• The same blueprint cannot be registered with the same name. Usename= when registering to specify a unique name.

• The test client'sas_tuple parameter is removed. Useresponse.request.environ instead.#4417

Some parameters insend_file andsend_from_directory wererenamed in 2.0. The deprecation period for the old names is extendedto 2.2. Be sure to test with deprecation warnings visible.

• attachment_filename is renamed todownload_name.

• cache_timeout is renamed tomax_age.

• add_etags is renamed toetag.

• filename is renamed topath.

TheRequestContext.g property is deprecated. Useg directlyorAppContext.g instead.#3898

copy_current_request_context can decorate async functions.#4303

The CLI usesimportlib.metadata instead ofsetuptools toload command entry points.#4419

OverridingFlaskClient.open will not cause an error on redirect.#3396

Add an--exclude-patterns option to theflaskrun CLIcommand to specify patterns that will be ignored by the reloader.#4188

When using lazy loading (the default with the debugger), the Clickcontext from theflaskrun command remains available in theloader thread.#4460

Deleting the session cookie uses thehttponly flag.#4485

Relax typing forerrorhandler to allow the user to use moreprecise types and decorate the same function multiple times.#4095,#4295,#4297

Fix typing for__exit__ methods for better compatibility withExitStack.#4474

From Werkzeug, for redirect responses theLocation header URLwill remain relative, and exclude the scheme and domain, by default.#4496

AddConfig.from_prefixed_env() to load config values fromenvironment variables that start withFLASK_ or another prefix.This parses values as JSON by default, and allows setting keys innested dicts.#4479

The test client'sas_tuple parameter is deprecated and will beremoved in Werkzeug 2.1. It is now also deprecated in Flask, to beremoved in Flask 2.1, while remaining compatible with both in2.0.x. Useresponse.request.environ instead.#4341

Fix type annotation forerrorhandler decorator.#4295

Revert a change to the CLI that caused it to hideImportErrortracebacks when importing the application.#4307

app.json_encoder andjson_decoder are only passed todumps andloads if they have custom behavior. This improvesperformance, mainly on PyPy.#4349

Clearer error message whenafter_this_request is used outside arequest context.#4333

Fix type annotation forteardown_* methods.#4093

Fix type annotation forbefore_request andbefore_app_requestdecorators.#4104

Fixed the issue where typing requires template globaldecorators to accept functions with no arguments.#4098

Support View and MethodView instances with async handlers.#4112

Enhance typing ofapp.errorhandler decorator.#4095

Fix registering a blueprint twice with differing names.#4124

Fix the type ofstatic_folder to acceptpathlib.Path.#4150

jsonify handlesdecimal.Decimal by encoding tostr.#4157

Correctly handle raising deferred errors in CLI lazy loading.#4096

The CLI loader handles**kwargs in acreate_app function.#4170

Fix the order ofbefore_request and other callbacks that triggerbefore the view returns. They are called from the app down to theclosest nested blueprint.#4229

Re-add thefilename parameter insend_from_directory. Thefilename parameter has been renamed topath, the old nameis deprecated.#4019

Mark top-level names as exported so type checking understandsimports in user projects.#4024

Fix type annotation forg and inform mypy that it is a namespaceobject that has arbitrary attributes.#4020

Fix some types that weren't available in Python 3.6.0.#4040

Improve typing forsend_file,send_from_directory, andget_send_file_max_age.#4044,#4026

Show an error when a blueprint name contains a dot. The. hasspecial meaning, it is used to separate (nested) blueprint names andthe endpoint name.#4041

Combine URL prefixes when nesting blueprints that were created withaurl_prefix value.#4037

Revert a change to the order that URL matching was done. TheURL is again matched after the session is loaded, so the session isavailable in custom URL converters.#4053

Re-add deprecatedConfig.from_json, which was accidentallyremoved early.#4078

Improve typing for some functions usingCallable in their typesignatures, focusing on decorator factories.#4060

Nested blueprints are registered with their dotted name. This allowsdifferent blueprints with the same name to be nested at differentlocations.#4069

register_blueprint takes aname option to change the(pre-dotted) name the blueprint is registered with. This allows thesame blueprint to be registered multiple times with unique names forurl_for. Registering the same blueprint with the same namemultiple times is deprecated.#1091

Improve typing forstream_with_context.#4052

Drop support for Python 2 and 3.5.

Bump minimum versions of other Pallets projects: Werkzeug >= 2,Jinja2 >= 3, MarkupSafe >= 2, ItsDangerous >= 2, Click >= 8. Be sureto check the change logs for each project. For better compatibilitywith other applications (e.g. Celery) that still require Click 7,there is no hard dependency on Click 8 yet, but using Click 7 willtrigger a DeprecationWarning and Flask 2.1 will depend on Click 8.

JSON support no longer uses simplejson. To use another JSON module,overrideapp.json_encoder andjson_decoder.#3555

Theencoding option to JSON functions is deprecated.#3562

Passingscript_info to app factory functions is deprecated. Thiswas not portable outside theflask command. Useclick.get_current_context().obj if it's needed.#3552

The CLI shows better error messages when the app failed to loadwhen looking up commands.#2741

AddSessionInterface.get_cookie_name to allow setting thesession cookie name dynamically.#3369

AddConfig.from_file to load config using arbitrary fileloaders, such astoml.load orjson.load.Config.from_json is deprecated in favor of this.#3398

Theflaskrun command will only defer errors on reload. Errorspresent during the initial call will cause the server to exit withthe traceback immediately.#3431

send_file raises aValueError when passed anio objectin text mode. Previously, it would respond with 200 OK and an emptyfile.#3358

When using ad-hoc certificates, check for the cryptography libraryinstead of PyOpenSSL.#3492

When specifying a factory function withFLASK_APP, keywordargument can be passed.#3553

When loading a.env or.flaskenv file, the current workingdirectory is no longer changed to the location of the file.#3560

When returning a(response,headers) tuple from a view, theheaders replace rather than extend existing headers on the response.For example, this allows setting theContent-Type forjsonify(). Useresponse.headers.extend() if extending isdesired.#3628

TheScaffold class provides a common API for theFlask andBlueprint classes.Blueprint information is stored inattributes just likeFlask, rather than opaque lambda functions.This is intended to improve consistency and maintainability.#3215

Includesamesite andsecure options when removing thesession cookie.#3726

Support passing apathlib.Path tostatic_folder.#3579

send_file andsend_from_directory are wrappers around theimplementations inwerkzeug.utils.#3828

Somesend_file parameters have been renamed, the old names aredeprecated.attachment_filename is renamed todownload_name.cache_timeout is renamed tomax_age.add_etags isrenamed toetag.#3828,#3883

send_file passesdownload_name even ifas_attachment=False by usingContent-Disposition:inline.#3828

send_file setsconditional=True andmax_age=None bydefault.Cache-Control is set tono-cache ifmax_age isnot set, otherwisepublic. This tells browsers to validateconditional requests instead of using a timed cache.#3828

helpers.safe_join is deprecated. Usewerkzeug.utils.safe_join instead.#3828

The request context does route matching before opening the session.This could allow a session interface to change behavior based onrequest.endpoint.#3776

Use Jinja's implementation of the|tojson filter.#3881

Add route decorators for common HTTP methods. For example,@app.post("/login") is a shortcut for@app.route("/login",methods=["POST"]).#3907

Support async views, error handlers, before and after request, andteardown functions.#3412

Support nesting blueprints.#593,#1548,#3923

Set the default encoding to "UTF-8" when loading.env and.flaskenv files to allow to use non-ASCII characters.#3931

flaskshell sets up tab and history completion like the defaultpython shell ifreadline is installed.#3941

helpers.total_seconds() is deprecated. Usetimedelta.total_seconds() instead.#3962

Add type hinting.#3973.

Updatestatic_folder to use_compat.fspath instead ofos.fspath to continue supporting Python < 3.6#4050

Set maximum versions of Werkzeug, Jinja, Click, and ItsDangerous.#4043

Re-add support for passing apathlib.Path forstatic_folder.#3579

Work around an issue when running theflask command with anexternal debugger on Windows.#3297

The static route will not catch all URLs if theFlaskstatic_folder argument ends with a slash.#3452

Theflask.json_available flag was added back for compatibilitywith some extensions. It will raise a deprecation warning when used,and will be removed in version 2.0.0.#3288

Bump minimum Werkzeug version to >= 0.15.

Drop support for Python 3.4.

Error handlers forInternalServerError or500 will always bepassed an instance ofInternalServerError. If they are invokeddue to an unhandled exception, that original exception is nowavailable ase.original_exception rather than being passeddirectly to the handler. The same is true if the handler is for thebaseHTTPException. This makes error handler behavior moreconsistent.#3266

• Flask.finalize_request is called for all unhandledexceptions even if there is no500 error handler.

Flask.logger takes the same name asFlask.name (the valuepassed asFlask(import_name). This reverts 1.0's behavior ofalways logging to"flask.app", in order to support multiple appsin the same process. A warning will be shown if old configuration isdetected that needs to be moved.#2866

RequestContext.copy includes the current session object in therequest context copy. This preventssession pointing to anout-of-date object.#2935

Using built-in RequestContext, unprintable Unicode characters inHost header will result in a HTTP 400 response and not HTTP 500 aspreviously.#2994

send_file supportsPathLike objects as described inPEP 519, to supportpathlib in Python 3.#3059

send_file supportsBytesIO partial content.#2957

open_resource accepts the "rt" file mode. This still does thesame thing as "r".#3163

TheMethodView.methods attribute set in a base class is used bysubclasses.#3138

Flask.jinja_options is adict instead of anImmutableDict to allow easier configuration. Changes must stillbe made before creating the environment.#3190

Flask'sJSONMixin for the request and response wrappers wasmoved into Werkzeug. Use Werkzeug's version with Flask-specificsupport. This bumps the Werkzeug dependency to >= 0.15.#3125

Theflask command entry point is simplified to take advantageof Werkzeug 0.15's better reloader support. This bumps the Werkzeugdependency to >= 0.15.#3022

Supportstatic_url_path that ends with a forward slash.#3134

Support emptystatic_folder without requiring setting an emptystatic_url_path as well.#3124

jsonify supportsdataclass objects.#3195

Allow customizing theFlask.url_map_class used for routing.#3069

The development server port can be set to 0, which tells the OS topick an available port.#2926

The return value fromcli.load_dotenv is more consistent withthe documentation. It will returnFalse if python-dotenv is notinstalled, or if the given path isn't a file.#2937

Signaling support has a stub for theconnect_via method whenthe Blinker library is not installed.#3208

Add an--extra-files option to theflaskrun CLI command tospecify extra files that will trigger the reloader on change.#2897

Allow returning a dictionary from a view function. Similar to howreturning a string will produce atext/html response, returninga dict will calljsonify to produce aapplication/jsonresponse.#3111

Blueprints have acli Click group likeapp.cli. CLI commandsregistered with a blueprint will be available as a group under theflask command.#1357.

When using the test client as a context manager (withclient:),all preserved request contexts are popped when the block exits,ensuring nested contexts are cleaned up correctly.#3157

Show a better error message when the view return type is notsupported.#3214

flask.testing.make_test_environ_builder() has been deprecated infavour of a new classflask.testing.EnvironBuilder.#3232

Theflaskrun command no longer fails if Python is not builtwith SSL support. Using the--cert option will show anappropriate error message.#3211

URL matching now occurs after the request context is pushed, ratherthan when it's created. This allows custom URL converters to accessthe app and request contexts, such as to query a database for an id.#3088

The key information forBadRequestKeyError is no longer clearedoutside debug mode, so error handlers can still access it. Thisrequires upgrading to Werkzeug 0.15.5.#3249

send_file url quotes the ":" and "/" characters for morecompatible UTF-8 filename support in some browsers.#3074

Fixes forPEP 451 import loaders and pytest 5.x.#3275

Show message about dotenv on stderr instead of stdout.#3285

send_file encodes filenames as ASCII instead of Latin-1(ISO-8859-1). This fixes compatibility with Gunicorn, which isstricter about header encodings thanPEP 3333.#2766

Allow custom CLIs usingFlaskGroup to set the debug flag withoutit always being overwritten based on environment variables.#2765

flask--version outputs Werkzeug's version and simplifies thePython version.#2825

send_file handles anattachment_filename that is a nativePython 2 string (bytes) with UTF-8 coded bytes.#2933

A catch-all error handler registered forHTTPException will nothandleRoutingException, which is used internally duringrouting. This fixes the unexpected behavior that had been introducedin 1.0.#2986

Passing thejson argument toapp.test_client does notpush/pop an extra app context.#2900

Fix more backwards compatibility issues with merging slashes betweena blueprint prefix and route.#2748

Fix error withflaskroutes command when there are no routes.#2751

Fix registering partials (with no__name__) as view functions.#2730

Don't treat lists returned from view functions the same as tuples.Only tuples are interpreted as response data.#2736

Extra slashes between a blueprint'surl_prefix and a route URLare merged. This fixes some backwards compatibility issues with thechange in 1.0.#2731,#2742

Only trapBadRequestKeyError errors in debug mode, not allBadRequest errors. This allowsabort(400) to continueworking as expected.#2735

TheFLASK_SKIP_DOTENV environment variable can be set to1to skip automatically loading dotenv files.#2722

Python 2.6 and 3.3 are no longer supported.

Bump minimum dependency versions to the latest stable versions:Werkzeug >= 0.14, Jinja >= 2.10, itsdangerous >= 0.24, Click >= 5.1.#2586

Skipapp.run when a Flask application is run from the commandline. This avoids some behavior that was confusing to debug.

Change the default forJSONIFY_PRETTYPRINT_REGULAR toFalse.~json.jsonify returns a compact format by default,and an indented format in debug mode.#2193

Flask.__init__ accepts thehost_matching argument and setsit onFlask.url_map.#1559

Flask.__init__ accepts thestatic_host argument and passesit as thehost argument when defining the static route.#1559

send_file supports Unicode inattachment_filename.#2223

Pass_scheme argument fromurl_for toFlask.handle_url_build_error.#2017

Flask.add_url_rule accepts theprovide_automatic_optionsargument to disable adding theOPTIONS method.#1489

MethodView subclasses inherit method handlers from base classes.#1936

Errors caused while opening the session at the beginning of therequest are handled by the app's error handlers.#2254

Blueprints gainedBlueprint.json_encoder andBlueprint.json_decoder attributes to override the app'sencoder and decoder.#1898

Flask.make_response raisesTypeError instead ofValueError for bad response types. The error messages have beenimproved to describe why the type is invalid.#2256

Addroutes CLI command to output routes registered on theapplication.#2259

Show warning when session cookie domain is a bare hostname or an IPaddress, as these may not behave properly in some browsers, such asChrome.#2282

Allow IP address as exact session cookie domain.#2282

SESSION_COOKIE_DOMAIN is set if it is detected throughSERVER_NAME.#2282

Auto-detect zero-argument app factory calledcreate_app ormake_app fromFLASK_APP.#2297

Factory functions are not required to take ascript_infoparameter to work with theflask command. If they take a singleparameter or a parameter namedscript_info, theScriptInfoobject will be passed.#2319

FLASK_APP can be set to an app factory, with arguments ifneeded, for exampleFLASK_APP=myproject.app:create_app('dev').#2326

FLASK_APP can point to local packages that are not installed ineditable mode, althoughpipinstall-e is still preferred.#2414

TheView class attributeView.provide_automatic_options is set inView.as_view, to bedetected byFlask.add_url_rule.#2316

Error handling will try handlers registered forblueprint,code,app,code,blueprint,exception,app,exception.#2314

Cookie is added to the response'sVary header if the sessionis accessed at all during the request (and not deleted).#2288

Flask.test_request_context acceptssubdomain andurl_scheme arguments for use when building the base URL.#1621

SetAPPLICATION_ROOT to'/' by default. This was already theimplicit default when it was set toNone.

TRAP_BAD_REQUEST_ERRORS is enabled by default in debug mode.BadRequestKeyError has a message with the bad key in debug modeinstead of the generic bad request message.#2348

Allow registering new tags withTaggedJSONSerializer to supportstoring other types in the session cookie.#2352

Only open the session if the request has not been pushed onto thecontext stack yet. This allowsstream_with_context generators toaccess the same session that the containing view uses.#2354

Addjson keyword argument for the test client request methods.This will dump the given object as JSON and set the appropriatecontent type.#2358

Extract JSON handling to a mixin applied to both theRequest andResponse classes. This adds theResponse.is_json andResponse.get_json methods to the response to make testing JSONresponse much easier.#2358

Removed error handler caching because it caused unexpected resultsfor some exception inheritance hierarchies. Register handlersexplicitly for each exception if you want to avoid traversing theMRO.#2362

Fix incorrect JSON encoding of aware, non-UTC datetimes.#2374

Template auto reloading will honor debug mode even even ifFlask.jinja_env was already accessed.#2373

The following old deprecated code was removed.#2385

• flask.ext - import extensions directly by their name insteadof through theflask.ext namespace. For example,importflask.ext.sqlalchemy becomesimportflask_sqlalchemy.

• Flask.init_jinja_globals - extendFlask.create_jinja_environment instead.

• Flask.error_handlers - tracked byFlask.error_handler_spec, useFlask.errorhandlerto register handlers.

• Flask.request_globals_class - useFlask.app_ctx_globals_class instead.

• Flask.static_path - useFlask.static_url_path instead.

• Request.module - useRequest.blueprint instead.

TheRequest.json property is no longer deprecated.#1421

Support passing aEnvironBuilder ordict totest_client.open.#2412

Theflask command andFlask.run will load environmentvariables from.env and.flaskenv files if python-dotenv isinstalled.#2416

When passing a full URL to the test client, the scheme in the URL isused instead ofPREFERRED_URL_SCHEME.#2430

Flask.logger has been simplified.LOGGER_NAME andLOGGER_HANDLER_POLICY config was removed. The logger is alwaysnamedflask.app. The level is only set on first access, itdoesn't checkFlask.debug each time. Only one format is used,not different ones depending onFlask.debug. No handlers areremoved, and a handler is only added if no handlers are alreadyconfigured.#2436

Blueprint view function names may not contain dots.#2450

Fix aValueError caused by invalidRange requests in somecases.#2526

The development server uses threads by default.#2529

Loading config files withsilent=True will ignoreENOTDIRerrors.#2581

Pass--cert and--key options toflaskrun to run thedevelopment server over HTTPS.#2606

AddedSESSION_COOKIE_SAMESITE to control theSameSiteattribute on the session cookie.#2607

AddedFlask.test_cli_runner to create a Click runner that caninvoke Flask CLI commands for testing.#2636

Subdomain matching is disabled by default and settingSERVER_NAME does not implicitly enable it. It can be enabled bypassingsubdomain_matching=True to theFlask constructor.#2635

A single trailing slash is stripped from the blueprinturl_prefix when it is registered with the app.#2629

Request.get_json doesn't cache the result if parsing fails whensilent is true.#2651

Request.get_json no longer accepts arbitrary encodings. IncomingJSON should be encoded using UTF-8 perRFC 8259, but Flask willautodetect UTF-8, -16, or -32.#2691

AddedMAX_COOKIE_SIZE andResponse.max_cookie_size tocontrol when Werkzeug warns about large cookies that browsers mayignore.#2693

Updated documentation theme to make docs look better in smallwindows.#2709

Rewrote the tutorial docs and example project to take a morestructured approach to help new users avoid common pitfalls.#2676

Pin Werkzeug to < 1.0.0.#3497

Repackage 0.12.3 to fix package layout issue.#2728

Request.get_json no longer accepts arbitrary encodings.Incoming JSON should be encoded using UTF-8 perRFC 8259, butFlask will autodetect UTF-8, -16, or -32.#2692

Fix a Python warning about imports when usingpython-mflask.#2666

Fix aValueError caused by invalidRange requests in somecases.

Fix a bug insafe_join on Windows.

Preventflaskrun from showing aNoAppException when anImportError occurs within the imported application module.

Fix encoding behavior ofapp.config.from_pyfile for Python 3.#2118

Use theSERVER_NAME config if it is present as default valuesforapp.run.#2109,#2152

Callctx.auto_pop with the exception object instead ofNone,in the event that aBaseException such asKeyboardInterruptis raised in a request handler.

The cli command now responds to--version.

Mimetype guessing and ETag generation for file-like objects insend_file has been removed.#104, :pr`1849`

Mimetype guessing insend_file now fails loudly and doesn't fallback toapplication/octet-stream.#1988

Makeflask.safe_join able to join multiple paths likeos.path.join#1730

Revert a behavior change that made the dev server crash instead ofreturning an Internal Server Error.#2006

Correctly invoke response handlers for both regular requestdispatching as well as error handlers.

Disable logger propagation by default for the app logger.

Add support for range requests insend_file.

app.test_client includes preset default environment, which cannow be directly set, instead of perclient.get.

Fix crash when running under PyPy3.#1814

Fixed a bug that preventedFLASK_APP=foobar/__init__.py fromworking.#1872

Added support to serializing top-level arrays tojsonify. Thisintroduces a security risk in ancient browsers.

Added before_render_template signal.

Added**kwargs toFlask.test_client to support passingadditional keyword arguments to the constructor ofFlask.test_client_class.

AddedSESSION_REFRESH_EACH_REQUEST config key that controls theset-cookie behavior. If set toTrue a permanent session will berefreshed each request and get their lifetime extended, if set toFalse it will only be modified if the session actually modifies.Non permanent sessions are not affected by this and will alwaysexpire if the browser window closes.

Made Flask support custom JSON mimetypes for incoming data.

Added support for returning tuples in the form(response,headers) from a view function.

AddedConfig.from_json.

AddedFlask.config_class.

AddedConfig.get_namespace.

Templates are no longer automatically reloaded outside of debugmode. This can be configured with the newTEMPLATES_AUTO_RELOADconfig key.

Added a workaround for a limitation in Python 3.3's namespaceloader.

Added support for explicit root paths when using Python 3.3'snamespace packages.

Addedflask and theflask.cli module to start thelocal debug server through the click CLI system. This is recommendedover the oldflask.run() method as it works faster and morereliable due to a different design and also replacesFlask-Script.

Error handlers that match specific classes are now checked first,thereby allowing catching exceptions that are subclasses of HTTPexceptions (inwerkzeug.exceptions). This makes it possible foran extension author to create exceptions that will by default resultin the HTTP error of their choosing, but may be caught with a customerror handler if desired.

AddedConfig.from_mapping.

Flask will now log by default even if debug is disabled. The logformat is now hardcoded but the default log handling can be disabledthrough theLOGGER_HANDLER_POLICY configuration key.

Removed deprecated module functionality.

Added theEXPLAIN_TEMPLATE_LOADING config flag which whenenabled will instruct Flask to explain how it locates templates.This should help users debug when the wrong templates are loaded.

Enforce blueprint handling in the order they were registered fortemplate loading.

Ported test suite to py.test.

Deprecatedrequest.json in favour ofrequest.get_json().

Add "pretty" and "compressed" separators definitions in jsonify()method. Reduces JSON response size whenJSONIFY_PRETTYPRINT_REGULAR=False by removing unnecessary whitespace included by default after separators.

JSON responses are now terminated with a newline character, becauseit is a convention that UNIX text files end with a newline and someclients don't deal well when this newline is missing.#1262

The automatically providedOPTIONS method is now correctlydisabled if the user registered an overriding rule with thelowercase-versionoptions.#1288

flask.json.jsonify now supports thedatetime.date type.#1326

Don't leak exception info of already caught exceptions to contextteardown handlers.#1393

Allow custom Jinja environment subclasses.#1422

Updated extension dev guidelines.

flask.g now haspop() andsetdefault methods.

Turn on autoescape forflask.templating.render_template_stringby default.#1515

flask.ext is now deprecated.#1484

send_from_directory now raises BadRequest if the filename isinvalid on the server OS.#1763

Added theJSONIFY_MIMETYPE configuration variable.#1728

Exceptions during teardown handling will no longer leave badapplication contexts lingering around.

Fixed brokentest_appcontext_signals() test case.

Raise anAttributeError inhelpers.find_package with auseful message explaining why it is raised when aPEP 302 importhook is used without anis_package() method.

Fixed an issue causing exceptions raised before entering a requestor app context to be passed to teardown handlers.

Fixed an issue with query parameters getting removed from requestsin the test client when absolute URLs were requested.

Made@before_first_request into a decorator as intended.

Fixed an etags bug when sending a file streams with a name.

Fixedsend_from_directory not expanding to the application rootpath correctly.

Changed logic of before first request handlers to flip the flagafter invoking. This will allow some uses that are potentiallydangerous but should probably be permitted.

Fixed Python 3 bug when a handler fromapp.url_build_error_handlers reraises theBuildError.

Fixed an issue where|tojson was not quoting single quotes whichmade the filter not work properly in HTML attributes. Now it'spossible to use that filter in single quoted attributes. This shouldmake using that filter with angular.js easier.

Added support for byte strings back to the session system. Thisbroke compatibility with the common case of people putting binarydata for token verification into the session.

Fixed an issue where registering the same method twice for the sameendpoint would trigger an exception incorrectly.

Changed default cookie serialization format from pickle to JSON tolimit the impact an attacker can do if the secret key leaks.

Addedtemplate_test methods in addition to the already existingtemplate_filter method family.

Addedtemplate_global methods in addition to the alreadyexistingtemplate_filter method family.

Set the content-length header for x-sendfile.

tojson filter now does not escape script blocks in HTML5parsers.

tojson used in templates is now safe by default. This wasallowed due to the different escaping behavior.

Flask will now raise an error if you attempt to register a newfunction on an already used endpoint.

Added wrapper module around simplejson and added defaultserialization of datetime objects. This allows much easiercustomization of how JSON is handled by Flask or any Flaskextension.

Removed deprecated internalflask.session module alias. Useflask.sessions instead to get the session module. This is not tobe confused withflask.session the session proxy.

Templates can now be rendered without request context. The behavioris slightly different as therequest,session andgobjects will not be available and blueprint's context processors arenot called.

The config object is now available to the template as a real globaland not through a context processor which makes it available even inimported templates by default.

Added an option to generate non-ascii encoded JSON which shouldresult in less bytes being transmitted over the network. It'sdisabled by default to not cause confusion with existing librariesthat might expectflask.json.dumps to return bytes by default.

flask.g is now stored on the app context instead of the requestcontext.

flask.g now gained aget() method for not erroring out onnon existing items.

flask.g now can be used with thein operator to see what'sdefined and it now is iterable and will yield all attributes stored.

flask.Flask.request_globals_class got renamed toflask.Flask.app_ctx_globals_class which is a better name to whatit does since 0.10.

request,session andg are now also added as proxies tothe template context which makes them available in importedtemplates. One has to be very careful with those though becauseusage outside of macros might cause caching.

Flask will no longer invoke the wrong error handlers if a proxyexception is passed through.

Added a workaround for chrome's cookies in localhost not working asintended with domain names.

Changed logic for picking defaults for cookie values from sessionsto work better with Google Chrome.

Addedmessage_flashed signal that simplifies flashing testing.

Added support for copying of request contexts for better workingwith greenlets.

Removed custom JSON HTTP exception subclasses. If you were relyingon them you can reintroduce them again yourself trivially. Usingthem however is strongly discouraged as the interface was flawed.

Python requirements changed: requiring Python 2.6 or 2.7 now toprepare for Python 3.3 port.

Changed how the teardown system is informed about exceptions. Thisis now more reliable in case something handles an exception halfwaythrough the error handling process.

Request context preservation in debug mode now keeps the exceptioninformation around which means that teardown handlers are able todistinguish error from success cases.

Added theJSONIFY_PRETTYPRINT_REGULAR configuration variable.

Flask now orders JSON keys by default to not trash HTTP caches dueto different hash seeds between different workers.

Addedappcontext_pushed andappcontext_popped signals.

The builtin run method now takes theSERVER_NAME into accountwhen picking the default port to run on.

Addedflask.request.get_json() as a replacement for the oldflask.request.json property.

TheRequest.on_json_loading_failed now returns a JSON formattedresponse by default.

Theurl_for function now can generate anchors to the generatedlinks.

Theurl_for function now can also explicitly generate URL rulesspecific to a given HTTP method.

Logger now only returns the debug log setting if it was not setexplicitly.

Unregister a circular dependency between the WSGI environment andthe request object when shutting down the request. This means thatenvironwerkzeug.request will beNone after the response wasreturned to the WSGI server but has the advantage that the garbagecollector is not needed on CPython to tear down the request unlessthe user created circular dependencies themselves.

Session is now stored after callbacks so that if the session payloadis stored in the session you can still modify it in an after requestcallback.

TheFlask class will avoid importing the provided import name ifit can (the required first parameter), to benefit tools which buildFlask instances programmatically. The Flask class will fall back tousing import on systems with custom module hooks, e.g. Google AppEngine, or when the import name is inside a zip archive (usually anegg) prior to Python 2.7.

Blueprints now have a decorator to add custom template filtersapplication wide,Blueprint.app_template_filter.

The Flask and Blueprint classes now have a non-decorator method foradding custom template filters application wide,Flask.add_template_filter andBlueprint.add_app_template_filter.

Theget_flashed_messages function now allows rendering flashedmessage categories in separate blocks, through acategory_filterargument.

TheFlask.run method now acceptsNone forhost andport arguments, using default values whenNone. This allowsfor calling run using configuration values, e.g.app.run(app.config.get('MYHOST'),app.config.get('MYPORT')),with proper behavior whether or not a config file is provided.

Therender_template method now accepts a either an iterable oftemplate names or a single template name. Previously, it onlyaccepted a single template name. On an iterable, the first templatefound is rendered.

AddedFlask.app_context which works very similar to the requestcontext but only provides access to the current application. Thisalso adds support for URL generation without an active requestcontext.

View functions can now return a tuple with the first instance beingan instance ofResponse. This allows for returningjsonify(error="errormsg"),400 from a view function.

Flask andBlueprint now provide aget_send_file_max_agehook for subclasses to override behavior of serving static filesfrom Flask when usingFlask.send_static_file (used for thedefault static file handler) andhelpers.send_file. This hook isprovided a filename, which for example allows changing cachecontrols by file extension. The default max-age forsend_fileand static files can be configured through a newSEND_FILE_MAX_AGE_DEFAULT configuration variable, which is usedin the defaultget_send_file_max_age implementation.

Fixed an assumption in sessions implementation which could breakmessage flashing on sessions implementations which use externalstorage.

Changed the behavior of tuple return values from functions. They areno longer arguments to the response object, they now have a definedmeaning.

AddedFlask.request_globals_class to allow a specific class tobe used on creation of theg instance of each request.

Addedrequired_methods attribute to view functions to force-addmethods on registration.

Addedflask.after_this_request.

Addedflask.stream_with_context and the ability to push contextsmultiple times without producing unexpected behavior.

Fixed an issue with the undocumentedflask.session module to notwork properly on Python 2.5. It should not be used but did causesome problems for package managers.

Refactored session support into a session interface so that theimplementation of the sessions can be changed without having tooverride the Flask class.

Empty session cookies are now deleted properly automatically.

View functions can now opt out of getting the automatic OPTIONSimplementation.

HTTP exceptions and Bad Request errors can now be trapped so thatthey show up normally in the traceback.

Flask in debug mode is now detecting some common problems and triesto warn you about them.

Flask in debug mode will now complain with an assertion error if aview was attached after the first request was handled. This givesearlier feedback when users forget to import view code ahead oftime.

Added the ability to register callbacks that are only triggered onceat the beginning of the first request withFlask.before_first_request.

Malformed JSON data will now trigger a bad request HTTP exceptioninstead of a value error which usually would result in a 500internal server error if not handled. This is a backwardsincompatible change.

Applications now not only have a root path where the resources andmodules are located but also an instance path which is thedesignated place to drop files that are modified at runtime (uploadsetc.). Also this is conceptually only instance depending and outsideversion control so it's the perfect place to put configuration filesetc.

Added theAPPLICATION_ROOT configuration variable.

ImplementedTestClient.session_transaction to easily modifysessions from the test environment.

Refactored test client internally. TheAPPLICATION_ROOTconfiguration variable as well asSERVER_NAME are now properlyused by the test client as defaults.

AddedView.decorators to support simpler decorating of pluggable(class-based) views.

Fixed an issue where the test client if used with the "with"statement did not trigger the execution of the teardown handlers.

Added finer control over the session cookie parameters.

HEAD requests to a method view now automatically dispatch to theget method if no handler was implemented.

Implemented the virtualflask.ext package to import extensionsfrom.

The context preservation on exceptions is now an integral componentof Flask itself and no longer of the test client. This cleaned upsome internal logic and lowers the odds of runaway request contextsin unittests.

Fixed the Jinja2 environment'slist_templates method notreturning the correct names when blueprints or modules wereinvolved.

Fixed an issue with URL processors not properly working onblueprints.

Added missing future import that broke 2.5 compatibility.

Fixed an infinite redirect issue with blueprints.

AddedFlask.make_default_options_response which can be used bysubclasses to alter the default behavior forOPTIONS responses.

Unbound locals now raise a properRuntimeError instead of anAttributeError.

Mimetype guessing and etag support based on file objects is nowdeprecated forsend_file because it was unreliable. Passfilenames instead or attach your own etags and provide a propermimetype by hand.

Static file handling for modules now requires the name of the staticfolder to be supplied explicitly. The previous autodetection was notreliable and caused issues on Google's App Engine. Until 1.0 the oldbehavior will continue to work but issue dependency warnings.

Fixed a problem for Flask to run on jython.

Added aPROPAGATE_EXCEPTIONS configuration variable that can beused to flip the setting of exception propagation which previouslywas linked toDEBUG alone and is now linked to eitherDEBUGorTESTING.

Flask no longer internally depends on rules being added through theadd_url_rule function and can now also accept regular werkzeugrules added to the url map.

Added anendpoint method to the flask application object whichallows one to register a callback to an arbitrary endpoint with adecorator.

Use Last-Modified for static file sending instead of Date which wasincorrectly introduced in 0.6.

Addedcreate_jinja_loader to override the loader creationprocess.

Implemented a silent flag forconfig.from_pyfile.

Addedteardown_request decorator, for functions that should runat the end of a request regardless of whether an exception occurred.Also the behavior forafter_request was changed. It's now nolonger executed when an exception is raised.

Implementedhas_request_context.

Deprecatedinit_jinja_globals. Override theFlask.create_jinja_environment method instead to achieve thesame functionality.

Addedsafe_join.

The automatic JSON request data unpacking now looks at the charsetmimetype parameter.

Don't modify the session onget_flashed_messages if there are nomessages in the session.

before_request handlers are now able to abort requests witherrors.

It is not possible to define user exception handlers. That way youcan provide custom error messages from a central hub for certainerrors that might occur during request processing (for instancedatabase connection errors, timeouts from remote resources etc.).

Blueprints can provide blueprint specific error handlers.

Implemented generic class-based views.

Fixed an issue where the defaultOPTIONS response was notexposing all valid methods in theAllow header.

Jinja2 template loading syntax now allows "./" in front of atemplate load path. Previously this caused issues with modulesetups.

Fixed an issue where the subdomain setting for modules was ignoredfor the static folder.

Fixed a security problem that allowed clients to download arbitraryfiles if the host server was a windows based operating system andthe client uses backslashes to escape the directory the files whereexposed from.

After request functions are now called in reverse order ofregistration.

OPTIONS is now automatically implemented by Flask unless theapplication explicitly adds 'OPTIONS' as method to the URL rule. Inthis case no automatic OPTIONS handling kicks in.

Static rules are now even in place if there is no static folder forthe module. This was implemented to aid GAE which will remove thestatic folder if it's part of a mapping in the .yml file.

Flask.config is now available in the templates asconfig.

Context processors will no longer override values passed directly tothe render function.

Added the ability to limit the incoming request data with the newMAX_CONTENT_LENGTH configuration value.

The endpoint for theModule.add_url_rule method is now optionalto be consistent with the function of the same name on theapplication object.

Added amake_response function that simplifies creating responseobject instances in views.

Added signalling support based on blinker. This feature is currentlyoptional and supposed to be used by extensions and applications. Ifyou want to use it, make sure to haveblinker installed.

Refactored the way URL adapters are created. This process is nowfully customizable with theFlask.create_url_adapter method.

Modules can now register for a subdomain instead of just an URLprefix. This makes it possible to bind a whole module to aconfigurable subdomain.

Fixed another issue with loading templates from directories whenmodules were used.

Fixes an issue with template loading from directories when moduleswhere used.

Fixed a bug with subdomains that was caused by the inability tospecify the server name. The server name can now be set with theSERVER_NAME config key. This key is now also used to set thesession cookie cross-subdomain wide.

Autoescaping is no longer active for all templates. Instead it isonly active for.html,.htm,.xml and.xhtml. Insidetemplates this behavior can be changed with theautoescape tag.

Refactored Flask internally. It now consists of more than a singlefile.

send_file now emits etags and has the ability to do conditionalresponses builtin.

(temporarily) dropped support for zipped applications. This was ararely used feature and led to some confusing behavior.

Added support for per-package template and static-file directories.

Removed support forcreate_jinja_loader which is no longer usedin 0.5 due to the improved module support.

Added a helper function to expose files from any directory.

Added the ability to register application wide error handlers frommodules.

Flask.after_request handlers are now also invoked if the requestdies with an exception and an error handling page kicks in.

Test client has not the ability to preserve the request context fora little longer. This can also be used to trigger custom requeststhat do not pop the request stack for testing.

Because the Python standard library caches loggers, the name of thelogger is configurable now to better support unittests.

AddedTESTING switch that can activate unittesting helpers.

The logger switches toDEBUG mode now if debug is enabled.

Fixed a error reporting bug withConfig.from_envvar.

Removed some unused code.

Release does no longer include development leftover files (.gitfolder for themes, built documentation in zip and pdf file and some.pyc files)

Added support for categories for flashed messages.

The application now configures alogging.Handler and will logrequest handling exceptions to that logger when not in debug mode.This makes it possible to receive mails on server errors forexample.

Added support for context binding that does not require the use ofthe with statement for playing in the console.

The request context is now available within the with statementmaking it possible to further push the request context or pop it.

Added support for configurations.

Various bugfixes

Integrated JSON support

Addedget_template_attribute helper function.

Flask.add_url_rule can now also register a view function.

Refactored internal request dispatching.

Server listens on 127.0.0.1 by default now to fix issues withchrome.

Added external URL support.

Added support forsend_file.

Module support and internal request handling refactoring to bettersupport pluggable applications.

Sessions can be set to be permanent now on a per-session basis.

Better error reporting on missing secret keys.

Added support for Google Appengine.

First public preview release.