- Update to 2.3.6:
  * FileStorage.content_length does not fail if the form data did not provide
    a value.
- Update to 2.3.5:
  * Python 3.12 compatibility.
  * Fix handling of invalid base64 values in Authorization.from_header.
  * The debugger escapes the exception message in the page title.
  * When binding routing.Map, a long IDNA server_name with a port does not
    fail encoding.
  * iri_to_uri shows a deprecation warning instead of an error when passing
    bytes.
  * When parsing numbers in HTTP request headers such as Content-Length, only
    ASCII digits are accepted rather than any format that Python’s int and
    float accept.
- Update to 2.3.4:
  * Authorization.from_header and WWWAuthenticate.from_header detects tokens
    that end with base64 padding (=).
  * Remove usage of warnings.catch_warnings.
  * Remove max_form_parts restriction from standard form data parsing and only
    use if for multipart content.
  * Response will avoid converting the Location header in some cases to
    preserve invalid URL schemes like itms-services.
- Update to 2.3.3:
  * Fix parsing of large multipart bodies. Remove invalid leading newline, and
    restore parsing speed.
  * The cookie Path attribute is set to / by default again, to prevent clients
    from falling back to RFC 6265’s default-path behavior.
- Update to 2.3.2:
  * Parse the cookie Expires attribute correctly in the test client.
  * max_content_length can only be enforced on streaming requests if the
    server sets wsgi.input_terminated.
- Update to 2.3.1:
  * Percent-encode plus (+) when building URLs and in test requests.
  * Cookie values don’t quote characters defined in RFC 6265.
  * Include pyi files for datastructures type annotations.
  * Authorization and WWWAuthenticate objects can be compared for equality.
- Update to 2.3.0:
  * Drop support for Python 3.7.
  * Remove previously deprecated code.
  * Passing bytes where strings are expected is deprecated, as well as the
    charset and errors parameters in many places. Anywhere that was annotated,
    documented, or tested to accept bytes shows a warning. Removing this
    artifact of the transition from Python 2 to 3 removes a significant amount
    of overhead in instance checks and encoding cycles. In general, always
    work with UTF-8, the modern HTML, URL, and HTTP standards all strongly
    recommend this.
  * Deprecate the werkzeug.urls module, except for the uri_to_iri and
    iri_to_uri functions. Use the urllib.parse library instead.
  * Update which characters are considered safe when using percent encoding
    in URLs, based on the WhatWG URL Standard.
  * Update which characters are considered safe when using percent encoding
    for Unicode filenames in downloads.
  * Deprecate the safe_conversion parameter of iri_to_uri. The Location header
    is converted to IRI using the same process as everywhere else.
  * Deprecate werkzeug.wsgi.make_line_iter and make_chunk_iter.
  * Use modern packaging metadata with pyproject.toml instead of setup.cfg.
  * Request.get_json() will raise a 415 Unsupported Media Type error if the
    Content-Type header is not application/json, instead of a generic 400.
  * A URL converter’s part_isolating defaults to False if its regex contains
    a /.
  * A custom converter’s regex can have capturing groups without breaking
    the router.
  * The reloader can pick up arguments to python like -X dev, and does not
    require heuristics to determine how to reload the command. Only available
    on Python >= 3.10.
  * The Watchdog reloader ignores file opened events. Bump the minimum version
    of Watchdog to 2.3.0.
  * When using a Unix socket for the development server, the path can start
    with a dot.
  * Increase default work factor for PBKDF2 to 600,000 iterations.
  * parse_options_header is 2-3 times faster. It conforms to RFC 9110, some
    invalid parts that were previously accepted are now ignored.
  * The is_filename parameter to unquote_header_value is deprecated.
  * Deprecate the extra_chars parameter and passing bytes to
    quote_header_value, the allow_token parameter to dump_header, and the cls
    parameter and passing bytes to parse_dict_header.
  * Improve parse_accept_header implementation. Parse according to RFC 9110.
    Discard items with invalid q values.
  * quote_header_value quotes the empty string.
  * dump_options_header skips None values rather than using a bare key.
  * dump_header and dump_options_header will not quote a value if the key ends
    with an asterisk *.
  * parse_dict_header will decode values with charsets.
  * Refactor the Authorization and WWWAuthenticate header data structures.
    + Both classes have type, parameters, and token attributes. The token
      attribute supports auth schemes that use a single opaque token rather
      than key=value parameters, such as Bearer.
    + Neither class is a dict anymore, although they still implement getting,
      setting, and deleting auth[key] and auth.key syntax, as well as
      auth.get(key) and key in auth.
    + Both classes have a from_header class method. parse_authorization_header
      and parse_www_authenticate_header are deprecated.
    + The methods WWWAuthenticate.set_basic and set_digest are deprecated.
      Instead, an instance should be created and assigned to
      response.www_authenticate.
    + A list of instances can be assigned to response.www_authenticate to set
      multiple header values. However, accessing the property only returns the
      first instance.
  * Refactor parse_cookie and dump_cookie.
    + parse_cookie is up to 40% faster, dump_cookie is up to 60% faster.
    + Passing bytes to parse_cookie and dump_cookie is deprecated. The
      dump_cookie charset parameter is deprecated.
    + dump_cookie allows domain values that do not include a dot ., and strips
      off a leading dot.
    + dump_cookie does not set path="/" unnecessarily by default.
  * Refactor the test client cookie implementation.
    + The cookie_jar attribute is deprecated. http.cookiejar is no longer used
      for storage.
    + Domain and path matching is used when sending cookies in requests. The
      domain and path parameters default to localhost and /.
    + Added a get_cookie method to inspect cookies.
    + Cookies have decoded_key and decoded_value attributes to match what the
      app sees rather than the encoded values a client would see.
    + The first positional server_name parameter to set_cookie and
      delete_cookie is deprecated. Use the domain parameter instead.
    + Other parameters to delete_cookie besides domain, path, and value are
      deprecated.
  * If request.max_content_length is set, it is checked immediately when
    accessing the stream, and while reading from the stream in general, rather
    than only during form parsing.
  * The development server, which must not be used in production, will exhaust
    the request stream up to 10GB or 1000 reads. This allows clients to see a
    413 error if max_content_length is exceeded, instead of a “connection
    reset” failure.
  * The development server discards header keys that contain underscores _, as
    they are ambiguous with dashes - in WSGI.
  * secure_filename looks for more Windows reserved file names.
  * Update type annotation for best_match to make default parameter clearer.
  * Multipart parser handles empty fields correctly.
  * The Map charset parameter and Request.url_charset property are deprecated.
    Percent encoding in URLs must always represent UTF-8 bytes. Invalid bytes
    are left percent encoded rather than replaced.
  * The Request.charset, Request.encoding_errors, Response.charset, and
    Client.charset attributes are deprecated. Request and response data must
    always use UTF-8.
  * Header values that have charset information only allow ASCII, UTF-8, and
    ISO-8859-1.
  * Update type annotation for ProfilerMiddleware stream parameter.
  * Use postponed evaluation of annotations.
  * The development server escapes ASCII control characters in decoded URLs
    before logging the request to the terminal.
  * The FormDataParser parse_functions attribute and get_parse_func method,
    and the invalid application/x-url-encoded content type, are deprecated.
  * generate_password_hash supports scrypt. Plain hash methods are deprecated,
    only scrypt and pbkdf2 are supported.
- Remove patch which was made obsolete by upstream:
  * moved_root.patch

• Files Changed
• Browse Source