Changelog
This document lists changes between released versions of pwned-passwords-django.
1.6 – released 2022-05-19
No new features. No new bug fixes. Django 4.0 is now supported. Python 3.6, Django 2.2, and Django 3.1 are no longer supported, as they have reached the end of their upstream support cycles.
1.5 – released 2021-06-21
No new features. No bug fixes. Django 3.2 is now supported; Django 3.0 and Python 3.5 are no longer supported, as they have both reached the end of their upstream support cycles.
1.4 – released 2020-01-28
New features:
- The PwnedPasswordsValidator is now serializable. This is unlikely to be useful, however, as the validator is not intended to be attached to a model.
Other changes:
- The supported versions of Django are now 2.2 and 3.0. This means Python 2 support is dropped; if you still need to use pwned-passwords-django on Python 2 with Django 1.11, stay with the 1.3 release series of pwned-passwords-django.
1.3.2 – released 2019-05-07
No new features. No bug fixes. Released to add explicit markers of Django 2.2 compatibility.
1.3.1 – released 2018-09-18
Released to include documentation updates which were inadvertently left out of the 1.3 package.
1.3 – released 2018-09-18
No new features. No bug fixes. Released only to add explicit markers of Python 3.7 and Django 2.1 compatibility.
1.2.1 – released 2018-06-18
Released to correct the date of the 1.2 release listed in this changelog document. No other changes.
1.2 – released 2018-06-18
New features:
- Password-validator error messages are now customizable.
- The request-timeout value for contacting the Pwned Passwords API defaults to one second, and is customizable via the setting PWNED_PASSWORDS_API_TIMEOUT.
- When a request to the Pwned Passwords API times out, or encounters an error, it logs the problem with a message of level logging.WARNING. The PwnedPasswordsValidator will fall back to CommonPasswordValidator, which has a smaller list of common passwords. The PwnedPasswordsMiddleware does not have a fallback behavior; pwned_password() will return None to indicate the error case.
Bugs fixed:
N/A
Other changes:
- pwned_password() will now raise TypeError if its argument is not a Unicode string (the type unicode on Python 2, str on Python 3). This is debatably backwards-incompatible; pwned_password() encodes its argument to UTF-8 bytes, which will raise AttributeError if attempted on a bytes object in Python 3. As a result, all supported environments other than Python 2.7/Django 1.11 would already raise AttributeError (due to bytes objects lacking the encode() method) in both 1.0 and 1.1. Enforcing the TypeError on all supported environments ensures users of pwned-passwords-django do not write code that accidentally works in one and only one environment, and supplies a more accurate and comprehensible exception than the AttributeError which would have been raised in previous versions.
- The default error and help messages of PwnedPasswordsValidator now match the messages of Django’s CommonPasswordValidator. Since PwnedPasswordsValidator falls back to CommonPasswordValidator when the Pwned Passwords API is unresponsive, this provides consistency of messages, and also ensures the messages are translated (Django provides translations for its built-in messages).
1.1 – released 2018-03-06
New features:
N/A
Bugs fixed:
- Case sensitivity issue. The Pwned Passwords API always uses uppercase hexadecimal digits for password hashes; pwned-passwords-django was using lowercase. Fixed by switching pwned-passwords-django to use uppercase.
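
The case mismatch described above, reproduced offline as an added example (not code from pwned-passwords-django). It assumes a range-style response with one SUFFIX:COUNT line per hash; breach_count, sample_body and the count 42 are hypothetical names and constructed data. With lowercase digits the comparison never matches, so a breached password is silently reported as clean.

```python
import hashlib

PREFIX_LEN = 5  # assumption: the range endpoint is keyed on the first 5 hex digits


def sha1_hex(password, uppercase):
    """Hex SHA-1 of the UTF-8 password; hexdigest() itself returns lowercase."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return digest.upper() if uppercase else digest


def breach_count(password, response_body, uppercase=True):
    """Return the count listed for this password in a range response, else 0.

    uppercase=False reproduces the mismatch described for 1.0;
    uppercase=True is the corrected comparison.
    """
    suffix = sha1_hex(password, uppercase)[PREFIX_LEN:]
    for line in response_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or not count.isdigit():
            continue  # skip blank or malformed lines instead of crashing
        if candidate == suffix:
            return int(count)
    return 0


def sample_body(password, count):
    """Constructed response: two filler suffixes plus the real one, uppercase."""
    real = sha1_hex(password, uppercase=True)[PREFIX_LEN:]
    return "\r\n".join([
        "0" * 34 + "A:3",              # constructed filler entry
        "{}:{}".format(real, count),   # entry for the password under test
        "F" * 34 + "B:1",              # constructed filler entry
    ])


BODY = sample_body("password", 42)  # 42 is a constructed count, not real data

if __name__ == "__main__":
    print("lowercase compare:", breach_count("password", BODY, uppercase=False))
    print("uppercase compare:", breach_count("password", BODY, uppercase=True))
```
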
Other changes:
N/A
1.0 – released 2018-03-06
Initial public release.