Django 4.2 release notes - UNDER DEVELOPMENT

Expected April 2023

Welcome to Django 4.2!

These release notes cover the new features, as well as some backwards incompatible changes you’ll want to be aware of when upgrading from Django 4.1 or earlier. We’ve begun the deprecation process for some features.

See the How to upgrade Django to a newer version guide if you’re updating an existing project.

Python compatibility

Django 4.2 supports Python 3.8, 3.9, 3.10, and 3.11. We highly recommend and only officially support the latest release of each series.

What’s new in Django 4.2

Psycopg 3 support

Django now supports psycopg version 3.1 or higher. To update your code, install the psycopg library, you don’t need to change the ENGINE as django.db.backends.postgresql supports both libraries.

Support for psycopg2 is likely to be deprecated and removed at some point in the future.

Mitigation for the BREACH attack

GZipMiddleware now includes a mitigation for the BREACH attack. It will add up to 100 random bytes to gzip responses to make BREACH attacks harder. Read more about the mitigation technique in the Heal The Breach (HTB) paper.

Minor features

django.contrib.admin

  • The light or dark color theme of the admin can now be toggled in the UI, as well as being set to follow the system setting.
  • The admin’s font stack now prefers system UI fonts and no longer requires downloading fonts. Additionally, CSS variables are available to more easily override the default font families.
  • The admin/delete_confirmation.html template now has some additional blocks and scripting hooks to ease customization.
  • The chosen options of filter_horizontal and filter_vertical widgets are now filterable.
  • The admin/base.html template now has a new block nav-breadcrumbs which contains the navigation landmark and the breadcrumbs block.
  • ModelAdmin.list_editable now uses atomic transactions when making edits.

django.contrib.auth

  • The default iteration count for the PBKDF2 password hasher is increased from 390,000 to 480,000.
  • UserCreationForm now saves many-to-many form fields for a custom user model.

django.contrib.gis

  • The GeoJSON serializer now outputs the id key for serialized features, which defaults to the primary key of objects.
  • The GDALRaster class now supports pathlib.Path.
  • The GeoIP2 class now supports .mmdb files downloaded from DB-IP.
  • The OpenLayers template widget no longer includes inline CSS (which also removes the former map_css block) to better comply with a strict Content Security Policy.

django.contrib.postgres

django.contrib.sitemaps

django.contrib.staticfiles

  • ManifestStaticFilesStorage now replaces paths to JavaScript modules in import and export statements with their hashed counterparts.

Cache

CSRF

Decorators

Email

Error Reporting

File Storage

File Uploads

Forms

  • ModelForm now accepts the new Meta option formfield_callback to customize form fields.
  • modelform_factory() now respects the formfield_callback attribute of the form’s Meta.
  • Session cookies are now treated as credentials and therefore hidden and replaced with stars (**********) in error reports.

Generic Views

Internationalization

  • Added support and translations for the Central Kurdish (Sorani) language.
  • The LocaleMiddleware now respects a language from the request when i18n_patterns() is used with the prefix_default_language argument set to False.

Logging

  • The django.db.backends logger now logs transaction management queries (BEGIN, COMMIT, and ROLLBACK) at the DEBUG level.

Management Commands

  • makemessages command now supports locales with private sub-tags such as nl_NL-x-informal.
  • The new makemigrations --update option merges model changes into the latest migration and optimizes the resulting operations.

Migrations

  • Migrations now support serialization of enum.Flag objects.

Models

  • QuerySet now extensively supports filtering against Window functions with the exception of disjunctive filter lookups against window functions when performing aggregation.
  • prefetch_related() now supports Prefetch objects with sliced querysets.
  • Registering lookups on Field instances is now supported.
  • The new robust argument for on_commit() allows performing actions that can fail after a database transaction is successfully committed.
  • The new KT() expression represents the text value of a key, index, or path transform of JSONField.
  • Now now supports microsecond precision on MySQL and millisecond precision on SQLite.
  • F() expressions that output BooleanField can now be negated using ~F() (inversion operator).
  • Model now provides asynchronous versions of some methods that use the database, using an a prefix: adelete(), arefresh_from_db(), and asave().
  • Related managers now provide asynchronous versions of methods that change a set of related objects, using an a prefix: aadd(), aclear(), aremove(), and aset().

Requests and Responses

Security

Serialization

Signals

Templates

Tests

  • The test --debug-sql option now formats SQL queries with sqlparse.

  • The RequestFactory, AsyncRequestFactory, Client, and AsyncClient classes now support the headers parameter, which accepts a dictionary of header names and values. This allows a more natural syntax for declaring headers.

    # Before:
    self.client.get("/home/", HTTP_ACCEPT_LANGUAGE="fr")
    await self.async_client.get("/home/", ACCEPT_LANGUAGE="fr")
    
    # After:
    self.client.get("/home/", headers={"accept-language": "fr"})
    await self.async_client.get("/home/", headers={"accept-language": "fr"})
    

URLs

Utilities

  • The new encoder parameter for django.utils.html.json_script() function allows customizing a JSON encoder class.
  • The private internal vendored copy of urllib.parse.urlsplit() now strips '\r', '\n', and '\t' (see CVE-2022-0391 and bpo-43882). This is to protect projects that may be incorrectly using the internal url_has_allowed_host_and_scheme() function, instead of using one of the documented functions for handling URL redirects. The Django functions were not affected.
  • The new django.utils.http.content_disposition_header() function returns a Content-Disposition HTTP header value as specified by RFC 6266.

Validators

  • The list of common passwords used by CommonPasswordValidator is updated to the most recent version.

Backwards incompatible changes in 4.2

Database backend API

This section describes changes that may be needed in third-party database backends.

  • DatabaseFeatures.allows_group_by_pk is removed as it only remained to accommodate a MySQL extension that has been supplanted by proper functional dependency detection in MySQL 5.7.15. Note that DatabaseFeatures.allows_group_by_selected_pks is still supported and should be enabled if your backend supports functional dependency detection in GROUP BY clauses as specified by the SQL:1999 standard.

Dropped support for MariaDB 10.3

Upstream support for MariaDB 10.3 ends in May 2023. Django 4.2 supports MariaDB 10.4 and higher.

Dropped support for MySQL 5.7

Upstream support for MySQL 5.7 ends in October 2023. Django 4.2 supports MySQL 8 and higher.

Dropped support for PostgreSQL 11

Upstream support for PostgreSQL 11 ends in November 2023. Django 4.2 supports PostgreSQL 12 and higher.

Setting update_fields in Model.save() may now be required

In order to avoid updating unnecessary columns, QuerySet.update_or_create() now passes update_fields to the Model.save() calls. As a consequence, any fields modified in the custom save() methods should be added to the update_fields keyword argument before calling super(). See Overriding predefined model methods for more details.

Miscellaneous

  • The undocumented SimpleTemplateResponse.rendering_attrs and TemplateResponse.rendering_attrs are renamed to non_picklable_attrs.
  • The undocumented django.http.multipartparser.parse_header() function is removed. Use django.utils.http.parse_header_parameters() instead.
  • {% blocktranslate asvar %} result is now marked as safe for (HTML) output purposes.
  • The autofocus HTML attribute in the admin search box is removed as it can be confusing for screen readers.
  • The makemigrations --check option no longer creates missing migration files.
  • The alias argument for Expression.get_group_by_cols() is removed.
  • The minimum supported version of sqlparse is increased from 0.2.2 to 0.2.3.
  • The undocumented negated parameter of the Exists expression is removed.
  • The is_summary argument of the undocumented Query.add_annotation() method is removed.
  • The minimum supported version of SQLite is increased from 3.9.0 to 3.21.0.
  • inspectdb now uses display_size from DatabaseIntrospection.get_table_description() rather than internal_size for CharField.
  • The minimum supported version of asgiref is increased from 3.5.2 to 3.6.0.

Features deprecated in 4.2

index_together option is deprecated in favor of indexes

The Meta.index_together option is deprecated in favor of the indexes option.

Migrating existing index_together should be handled as a migration. For example:

class Author(models.Model):
    rank = models.IntegerField()
    name = models.CharField(max_length=30)

    class Meta:
        index_together = [["rank", "name"]]

Should become:

class Author(models.Model):
    rank = models.IntegerField()
    name = models.CharField(max_length=30)

    class Meta:
        indexes = [models.Index(fields=["rank", "name"])]

Running the makemigrations command will generate a migration containing a RenameIndex operation which will rename the existing index.

The AlterIndexTogether migration operation is now officially supported only for pre-Django 4.2 migration files. For backward compatibility reasons, it’s still part of the public API, and there’s no plan to deprecate or remove it, but it should not be used for new migrations. Use AddIndex and RemoveIndex operations instead.

Passing encoded JSON string literals to JSONField is deprecated

JSONField and its associated lookups and aggregates use to allow passing JSON encoded string literals which caused ambiguity on whether string literals were already encoded from database backend’s perspective.

During the deprecation period string literals will be attempted to be JSON decoded and a warning will be emitted on success that points at passing non-encoded forms instead.

Code that use to pass JSON encoded string literals:

Document.objects.bulk_create(
    Document(data=Value("null")),
    Document(data=Value("[]")),
    Document(data=Value('"foo-bar"')),
)
Document.objects.annotate(
    JSONBAgg("field", default=Value('[]')),
)

Should become:

Document.objects.bulk_create(
    Document(data=Value(None, JSONField())),
    Document(data=[]),
    Document(data="foo-bar"),
)
Document.objects.annotate(
    JSONBAgg("field", default=[]),
)

From Django 5.1+ string literals will be implicitly interpreted as JSON string literals.

Miscellaneous

  • The BaseUserManager.make_random_password() method is deprecated. See recipes and best practices for using Python’s secrets module to generate passwords.

  • The length_is template filter is deprecated in favor of length and the == operator within an {% if %} tag. For example

    {% if value|length == 4 %}{% endif %}
    {% if value|length == 4 %}True{% else %}False{% endif %}
    

    instead of:

    {% if value|length_is:4 %}{% endif %}
    {{ value|length_is:4 }}
    
  • django.contrib.auth.hashers.SHA1PasswordHasher, django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher, and django.contrib.auth.hashers.UnsaltedMD5PasswordHasher are deprecated.

  • django.contrib.postgres.fields.CICharField is deprecated in favor of CharField(db_collation="…") with a case-insensitive non-deterministic collation.

  • django.contrib.postgres.fields.CIEmailField is deprecated in favor of EmailField(db_collation="…") with a case-insensitive non-deterministic collation.

  • django.contrib.postgres.fields.CITextField is deprecated in favor of TextField(db_collation="…") with a case-insensitive non-deterministic collation.

  • django.contrib.postgres.fields.CIText mixin is deprecated.

  • The map_height and map_width attributes of BaseGeometryWidget are deprecated, use CSS to size map widgets instead.

  • SimpleTestCase.assertFormsetError() is deprecated in favor of assertFormSetError().

  • TransactionTestCase.assertQuerysetEqual() is deprecated in favor of assertQuerySetEqual().

  • Passing positional arguments to Signer and TimestampSigner is deprecated in favor of keyword-only arguments.

Back to Top