Django 4.2 release notes - UNDER DEVELOPMENT¶
Expected April 2023
Welcome to Django 4.2!
These release notes cover the new features, as well as some backwards incompatible changes you’ll want to be aware of when upgrading from Django 4.1 or earlier. We’ve begun the deprecation process for some features.
See the How to upgrade Django to a newer version guide if you’re updating an existing project.
Python compatibility¶
Django 4.2 supports Python 3.8, 3.9, 3.10, and 3.11. We highly recommend and only officially support the latest release of each series.
What’s new in Django 4.2¶
Psycopg 3 support¶
Django now supports psycopg version 3.1 or higher. To update your code,
install the psycopg library, you don’t need to change the
ENGINE
as django.db.backends.postgresql
supports both libraries.
Support for psycopg2
is likely to be deprecated and removed at some point
in the future.
Mitigation for the BREACH attack¶
GZipMiddleware
now includes a mitigation for
the BREACH attack. It will add up to 100 random bytes to gzip responses to make
BREACH attacks harder. Read more about the mitigation technique in the Heal
The Breach (HTB) paper.
Minor features¶
django.contrib.admin
¶
- The light or dark color theme of the admin can now be toggled in the UI, as well as being set to follow the system setting.
- The admin’s font stack now prefers system UI fonts and no longer requires downloading fonts. Additionally, CSS variables are available to more easily override the default font families.
- The admin/delete_confirmation.html template now has some additional blocks and scripting hooks to ease customization.
- The chosen options of
filter_horizontal
andfilter_vertical
widgets are now filterable. - The
admin/base.html
template now has a new blocknav-breadcrumbs
which contains the navigation landmark and thebreadcrumbs
block. ModelAdmin.list_editable
now uses atomic transactions when making edits.
django.contrib.auth
¶
- The default iteration count for the PBKDF2 password hasher is increased from 390,000 to 480,000.
UserCreationForm
now saves many-to-many form fields for a custom user model.
django.contrib.gis
¶
- The GeoJSON serializer now outputs the
id
key for serialized features, which defaults to the primary key of objects. - The
GDALRaster
class now supportspathlib.Path
. - The
GeoIP2
class now supports.mmdb
files downloaded from DB-IP. - The OpenLayers template widget no longer includes inline CSS (which also
removes the former
map_css
block) to better comply with a strict Content Security Policy.
django.contrib.postgres
¶
- The new
trigram_strict_word_similar
lookup, and theTrigramStrictWordSimilarity()
andTrigramStrictWordDistance()
expressions allow using trigram strict word similarity. - The
arrayfield.overlap
lookup now supportsQuerySet.values()
andvalues_list()
as a right-hand side.
django.contrib.sitemaps
¶
- The new
Sitemap.get_languages_for_item()
method allows customizing the list of languages for which the item is displayed.
django.contrib.staticfiles
¶
ManifestStaticFilesStorage
now replaces paths to JavaScript modules inimport
andexport
statements with their hashed counterparts.
Cache¶
- …
CSRF¶
- …
Decorators¶
- …
Email¶
- …
Error Reporting¶
- The debug page now shows exception notes and fine-grained error locations on Python 3.11+.
File Storage¶
- …
File Uploads¶
- …
Forms¶
ModelForm
now accepts the newMeta
optionformfield_callback
to customize form fields.modelform_factory()
now respects theformfield_callback
attribute of theform
’sMeta
.- Session cookies are now treated as credentials and therefore hidden and
replaced with stars (
**********
) in error reports.
Generic Views¶
- …
Internationalization¶
- Added support and translations for the Central Kurdish (Sorani) language.
- The
LocaleMiddleware
now respects a language from the request wheni18n_patterns()
is used with theprefix_default_language
argument set toFalse
.
Logging¶
- The django.db.backends logger now logs transaction management queries
(
BEGIN
,COMMIT
, andROLLBACK
) at theDEBUG
level.
Management Commands¶
makemessages
command now supports locales with private sub-tags such asnl_NL-x-informal
.- The new
makemigrations --update
option merges model changes into the latest migration and optimizes the resulting operations.
Migrations¶
- Migrations now support serialization of
enum.Flag
objects.
Models¶
QuerySet
now extensively supports filtering against Window functions with the exception of disjunctive filter lookups against window functions when performing aggregation.prefetch_related()
now supportsPrefetch
objects with sliced querysets.- Registering lookups on
Field
instances is now supported. - The new
robust
argument foron_commit()
allows performing actions that can fail after a database transaction is successfully committed. - The new
KT()
expression represents the text value of a key, index, or path transform ofJSONField
. Now
now supports microsecond precision on MySQL and millisecond precision on SQLite.F()
expressions that outputBooleanField
can now be negated using~F()
(inversion operator).Model
now provides asynchronous versions of some methods that use the database, using ana
prefix:adelete()
,arefresh_from_db()
, andasave()
.- Related managers now provide asynchronous versions of methods that change a
set of related objects, using an
a
prefix:aadd()
,aclear()
,aremove()
, andaset()
.
Requests and Responses¶
StreamingHttpResponse
now supports async iterators when Django is served via ASGI.
Security¶
- …
Serialization¶
- …
Signals¶
- …
Templates¶
- …
Tests¶
The
test --debug-sql
option now formats SQL queries withsqlparse
.The
RequestFactory
,AsyncRequestFactory
,Client
, andAsyncClient
classes now support theheaders
parameter, which accepts a dictionary of header names and values. This allows a more natural syntax for declaring headers.# Before: self.client.get("/home/", HTTP_ACCEPT_LANGUAGE="fr") await self.async_client.get("/home/", ACCEPT_LANGUAGE="fr") # After: self.client.get("/home/", headers={"accept-language": "fr"}) await self.async_client.get("/home/", headers={"accept-language": "fr"})
URLs¶
- …
Utilities¶
- The new
encoder
parameter fordjango.utils.html.json_script()
function allows customizing a JSON encoder class. - The private internal vendored copy of
urllib.parse.urlsplit()
now strips'\r'
,'\n'
, and'\t'
(see CVE-2022-0391 and bpo-43882). This is to protect projects that may be incorrectly using the internalurl_has_allowed_host_and_scheme()
function, instead of using one of the documented functions for handling URL redirects. The Django functions were not affected. - The new
django.utils.http.content_disposition_header()
function returns aContent-Disposition
HTTP header value as specified by RFC 6266.
Validators¶
- The list of common passwords used by
CommonPasswordValidator
is updated to the most recent version.
Backwards incompatible changes in 4.2¶
Database backend API¶
This section describes changes that may be needed in third-party database backends.
DatabaseFeatures.allows_group_by_pk
is removed as it only remained to accommodate a MySQL extension that has been supplanted by proper functional dependency detection in MySQL 5.7.15. Note thatDatabaseFeatures.allows_group_by_selected_pks
is still supported and should be enabled if your backend supports functional dependency detection inGROUP BY
clauses as specified by theSQL:1999
standard.
Dropped support for MariaDB 10.3¶
Upstream support for MariaDB 10.3 ends in May 2023. Django 4.2 supports MariaDB 10.4 and higher.
Dropped support for MySQL 5.7¶
Upstream support for MySQL 5.7 ends in October 2023. Django 4.2 supports MySQL 8 and higher.
Dropped support for PostgreSQL 11¶
Upstream support for PostgreSQL 11 ends in November 2023. Django 4.2 supports PostgreSQL 12 and higher.
Setting update_fields
in Model.save()
may now be required¶
In order to avoid updating unnecessary columns,
QuerySet.update_or_create()
now passes update_fields
to the
Model.save()
calls. As a consequence, any
fields modified in the custom save()
methods should be added to the
update_fields
keyword argument before calling super()
. See
Overriding predefined model methods for more details.
Miscellaneous¶
- The undocumented
SimpleTemplateResponse.rendering_attrs
andTemplateResponse.rendering_attrs
are renamed tonon_picklable_attrs
. - The undocumented
django.http.multipartparser.parse_header()
function is removed. Usedjango.utils.http.parse_header_parameters()
instead. {% blocktranslate asvar … %}
result is now marked as safe for (HTML) output purposes.- The
autofocus
HTML attribute in the admin search box is removed as it can be confusing for screen readers. - The
makemigrations --check
option no longer creates missing migration files. - The
alias
argument forExpression.get_group_by_cols()
is removed. - The minimum supported version of
sqlparse
is increased from 0.2.2 to 0.2.3. - The undocumented
negated
parameter of theExists
expression is removed. - The
is_summary
argument of the undocumentedQuery.add_annotation()
method is removed. - The minimum supported version of SQLite is increased from 3.9.0 to 3.21.0.
inspectdb
now usesdisplay_size
fromDatabaseIntrospection.get_table_description()
rather thaninternal_size
forCharField
.- The minimum supported version of
asgiref
is increased from 3.5.2 to 3.6.0.
Features deprecated in 4.2¶
index_together
option is deprecated in favor of indexes
¶
The Meta.index_together
option is deprecated in favor of the indexes
option.
Migrating existing index_together
should be handled as a migration. For
example:
class Author(models.Model):
rank = models.IntegerField()
name = models.CharField(max_length=30)
class Meta:
index_together = [["rank", "name"]]
Should become:
class Author(models.Model):
rank = models.IntegerField()
name = models.CharField(max_length=30)
class Meta:
indexes = [models.Index(fields=["rank", "name"])]
Running the makemigrations
command will generate a migration
containing a RenameIndex
operation
which will rename the existing index.
The AlterIndexTogether
migration operation is now officially supported only
for pre-Django 4.2 migration files. For backward compatibility reasons, it’s
still part of the public API, and there’s no plan to deprecate or remove it,
but it should not be used for new migrations. Use
AddIndex
and
RemoveIndex
operations instead.
Passing encoded JSON string literals to JSONField
is deprecated¶
JSONField
and its associated lookups and aggregates use to allow passing
JSON encoded string literals which caused ambiguity on whether string literals
were already encoded from database backend’s perspective.
During the deprecation period string literals will be attempted to be JSON decoded and a warning will be emitted on success that points at passing non-encoded forms instead.
Code that use to pass JSON encoded string literals:
Document.objects.bulk_create(
Document(data=Value("null")),
Document(data=Value("[]")),
Document(data=Value('"foo-bar"')),
)
Document.objects.annotate(
JSONBAgg("field", default=Value('[]')),
)
Should become:
Document.objects.bulk_create(
Document(data=Value(None, JSONField())),
Document(data=[]),
Document(data="foo-bar"),
)
Document.objects.annotate(
JSONBAgg("field", default=[]),
)
From Django 5.1+ string literals will be implicitly interpreted as JSON string literals.
Miscellaneous¶
The
BaseUserManager.make_random_password()
method is deprecated. See recipes and best practices for using Python’ssecrets
module to generate passwords.The
length_is
template filter is deprecated in favor oflength
and the==
operator within an{% if %}
tag. For example{% if value|length == 4 %}…{% endif %} {% if value|length == 4 %}True{% else %}False{% endif %}
instead of:
{% if value|length_is:4 %}…{% endif %} {{ value|length_is:4 }}
django.contrib.auth.hashers.SHA1PasswordHasher
,django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher
, anddjango.contrib.auth.hashers.UnsaltedMD5PasswordHasher
are deprecated.django.contrib.postgres.fields.CICharField
is deprecated in favor ofCharField(db_collation="…")
with a case-insensitive non-deterministic collation.django.contrib.postgres.fields.CIEmailField
is deprecated in favor ofEmailField(db_collation="…")
with a case-insensitive non-deterministic collation.django.contrib.postgres.fields.CITextField
is deprecated in favor ofTextField(db_collation="…")
with a case-insensitive non-deterministic collation.django.contrib.postgres.fields.CIText
mixin is deprecated.The
map_height
andmap_width
attributes ofBaseGeometryWidget
are deprecated, use CSS to size map widgets instead.SimpleTestCase.assertFormsetError()
is deprecated in favor ofassertFormSetError()
.TransactionTestCase.assertQuerysetEqual()
is deprecated in favor ofassertQuerySetEqual()
.Passing positional arguments to
Signer
andTimestampSigner
is deprecated in favor of keyword-only arguments.