Zope 5.13 → 5.14.2
------------------

See https://github.com/zopefoundation/Zope/blob/5.x/CHANGES.rst

packaging: 25.0 → 26.2
----------------------

pip: 25.3 → 26.1.2
------------------

setuptools: 80.9.0 → 81.0.0
---------------------------

wheel: 0.45.1 → 0.47.0
----------------------

zc.buildout: 4.1.12 → 4.2.0
---------------------------

diazo: 2.0.4 → 2.0.6
--------------------

Internal:

- Update action workflows and other configuration files.
  [plone devs]
- Do not test what happens when trying to put a title tag within a title tag.
  ``lxml`` 6 wants only text within the title tag.
  Rewrite the test to use a div in the body.
  [mauritsvanrees]

five.intid: 3.0.2 → 3.1.0
-------------------------

New features:

- Officially add support for Python 3.12-3.14.
  Require Python 3.10 minimum, which in practice was already the case, because this version is for Plone 6.2 only.

Internal:

- Update configuration files.
  [plone devs]

Plone: 6.1.4 → 6.1.5
--------------------

- Prepare release.
  [maurits]

plone.app.content: 4.1.11 → 4.2.0
---------------------------------

New features:

- Alphabetically sort the list of portal types in the constraints configuration form @erral (#320)

Internal:

- Update configuration files.
  [plone devs]
- Do not test in Plone 6.2.x @erral (#323)

plone.app.contenttypes: 4.0.9 → 4.0.10
--------------------------------------

Bug fixes:

- Restrict title to 1024 and description to 10000.
  This is for images and files.
  For others, a similar change is done in ``plone.app.dexterity``.
  See `security advisory `_.
  [maurits]

Internal:

- Update configuration files.
  [plone devs]

plone.app.dexterity: 4.1.1 → 4.1.3
----------------------------------

Bug fixes:

- Added ``max_length`` constraints to the ``title`` (1024 characters) and ``description`` (10000 characters) fields of the ``IBasic`` behavior.
  Very long values slow down the site because these fields are rendered in listings, navigation, and the management interface.
  Developers who need higher limits can override the fields in a downstream package::

      from plone.app.dexterity.behaviors.metadata import IBasic

      IBasic["title"].max_length = 5000  # or None to remove the limit
      IBasic["description"].max_length = 50000  # same pattern for description

  Place this in your package's ``__init__.py`` or any other Python module loaded at startup.
  See `security advisory `_.
  (#433)
- Use raw rich text value instead of output when indexing.
  [maurits] (#423)

Internal:

- Update configuration files.
  [plone devs]
- Update configuration files.
  [plone devs]

plone.app.discussion: 5.2.2 → 5.2.3
-----------------------------------

Bug fixes:

- Fix translation of comment byline. @erral

Internal:

- Update configuration files.
  [plone devs]

plone.app.event: 5.2.3 → 5.2.4
------------------------------

Bug fixes:

- Security: harden the icalendar import to prevent denial of service and stored XSS.

  - Be more strict in which urls we accept.
  - Check for timeout and limit the number of bytes.
    Get this limit from environment variable ``MAXIMUM_ICAL_IMPORT_SIZE_BYTES``, default 500000.
  - Add limit to how many events can be imported via ical.
    Get this limit from environment variable ``MAXIMUM_ICAL_IMPORT_EVENTS``, default 366.
  - Use transaction savepoints instead of a commit per event.
  - Check that event urls (via import or normal edit) are valid, for example no ``javascript`` urls.

  [maurits]

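
The two import limits in the plone.app.event entry above, sketched as an added example; this is not the code from ``plone.app.event``. The environment variable names and defaults come from the entry, while ``ImportRefused``, ``read_capped`` and ``count_events`` are hypothetical names.

```python
import io
import os

# Variable names and defaults are the ones the changelog entry gives.
MAX_BYTES = int(os.environ.get("MAXIMUM_ICAL_IMPORT_SIZE_BYTES", "500000"))
MAX_EVENTS = int(os.environ.get("MAXIMUM_ICAL_IMPORT_EVENTS", "366"))


class ImportRefused(ValueError):
    """The input exceeded a configured limit (hypothetical name)."""


def read_capped(stream, max_bytes=MAX_BYTES, chunk_size=8192):
    """Read a binary stream, stopping as soon as more than max_bytes arrive."""
    chunks, total = [], 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return b"".join(chunks)
        total += len(chunk)
        if total > max_bytes:
            # Refuse mid-stream: the rest of the body is never buffered.
            raise ImportRefused(f"ical data larger than {max_bytes} bytes")
        chunks.append(chunk)


def count_events(data, max_events=MAX_EVENTS):
    """Count VEVENT components before any of them is turned into content."""
    count = 0
    for line in data.splitlines():
        if line.strip().upper() == b"BEGIN:VEVENT":
            count += 1
            if count > max_events:
                raise ImportRefused(f"more than {max_events} events")
    return count


# Constructed sample: a calendar with three minimal events.
SAMPLE = (
    b"BEGIN:VCALENDAR\r\n"
    + b"BEGIN:VEVENT\r\nSUMMARY:x\r\nEND:VEVENT\r\n" * 3
    + b"END:VCALENDAR\r\n"
)

if __name__ == "__main__":
    data = read_capped(io.BytesIO(SAMPLE))
    print(len(data), "bytes,", count_events(data), "events")
```

Both checks run before any event object is created, so an oversized file or an oversized calendar is refused without writing to the database.
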
plone.app.locales: 6.1.1 → 6.1.2
--------------------------------

New features:

- Update translations with those made for Plone 6.2 @erral

Bug fixes:

- Update German translations for password reset and creation.

Internal:

- Update configuration files.
  [plone devs]

plone.app.multilingual: 8.4.0 → 8.4.2
-------------------------------------

Bug fixes:

- Fixed uninstall profile to restore the default `document_view` for the `Plone Site` content type. @sneridagh (#529)
- Fix two tests that took way too long.
  [maurits] (#525)

plone.app.portlets: 6.0.3 → 6.0.4
---------------------------------

Bug fixes:

- Fix TALES expression injection (remote code execution) in the Classic portlet.
  The user-supplied ``template`` and ``macro`` fields are now validated against a strict whitelist that forbids TALES metacharacters (notably ``:`` and ``|``), so they can no longer be turned into a TALES expression with a ``python:`` type or a ``|`` fallback chain when passed to the TAL ``path()`` helper.
  Validation is enforced both on the add/edit form fields and again at render time (for assignments created programmatically).
  Reported by Giuseppe Caruso (giuseppe.caruso@betrusted.it) (GHSA-rr49-f9g6-c9r5).
  (ghsa-rr49-f9g6-c9r5)
- RSS portlet: fix passing last modified header.
  [maurits]
- Security fixes in RSS portlet.

  - Be strict in which RSS feed urls we accept in the RSS portlet.
    Only http/https urls.
    Refuse internal IP addresses, single word domains, and port numbers, to avoid abuse as port scanner.
  - Refuse downloading gigantic RSS feeds, to avoid denial of service attack.
    You can influence this by setting environment variable ``MAXIMUM_RSS_FEED_SIZE_BYTES``.
    Default maximum is 1 million.

  See `security advisory `_.
  [maurits]

Internal:

- Update configuration files.
  [plone devs]

plone.app.querystring: 2.1.4 → 2.1.7
------------------------------------

Bug fixes:

- Fix merging multiple date operations. @davisagli (#188)

Internal:

- Update configuration files.
  [plone devs]
- Fix tests for ``not`` queries in ``Products.ZCatalog`` 7.2.0+.
  [maurits]

plone.app.robotframework: 2.1.5 → 2.1.6
---------------------------------------

Internal:

- Add the robocop pre-commit check.
  [ale-rt]

plone.app.textfield: 3.0.1 → 3.0.2
----------------------------------

Bug fixes:

- Security: Always sanitize RichText output for safe-HTML output type.
  See https://github.com/plone/plone.app.textfield/security/advisories/GHSA-4r4f-gg25-rmg5 @gyst

Internal:

- Update configuration files.
  [plone devs]

plone.app.upgrade: 3.3.1 → 3.3.2
--------------------------------

Bug fixes:

- Remove upgrades for Plone 6.2.
  On Plone 6.2 you need ``plone.app.upgrade`` 4.0.0a1 or higher.
  [maurits]

Internal:

- Added upgrade to 6112, Plone 6.1.5.
  [maurits] (#6112)

plone.app.z3cform: 4.7.9 → 4.7.10
---------------------------------

Bug fixes:

- Add comment to the list of buttons where only btn-primary should be set @erral (#254)

Internal:

- Update configuration files.
  [plone devs]

plone.folder: 4.0.1 → 4.0.2
---------------------------

Bug fixes:

- Fix `AttributeError` in `orderObjects` after deleting an object and restarting Zope. @wesleybl (#50)

Internal:

- Update configuration files.
  [plone devs]

plone.memoize: 3.0.4 → 3.0.5
----------------------------

Internal:

- Update configuration files.
  Require ``setuptools<82`` in the build system.
  [plone devs]

plone.namedfile: 7.3.0 → 7.4.0
------------------------------

New features:

- Add original image size url in the srcset generated in the srcset method @erral

Internal:

- Update configuration files.
  [plone devs]

plone.restapi: 9.15.4 → 9.15.6
------------------------------

Bug fixes:

- Security: in rich text fields, do not accept input that claims it is already sanitized.
  Specifically, raise a ValueError when deserializing a text field with input mimetype `text/x-html-safe`.
  See https://github.com/plone/plone.restapi/security/advisories/GHSA-8rqh-vxpr-x77p @gyst, @mauritsvanrees
- In the `@search` service, fix a case where the `sort_order` parameter was ignored. @mamico, @davisagli #1954
- Remove default limit of 1000 from service @querystring-search. @wesleybl #1955

Internal:

- Consolidate test layers so PAM, Iterate, Blocks, and Workflows all share `PLONE_RESTAPI_DX_FIXTURE` as base, reducing redundant layer setup time. @jensens #1983

plone.scale: 4.3.0 → 4.3.1
--------------------------

Bug fixes:

- Fix a problem where scaled animated GIFs could be saved with a much larger file size than the original image. @davisagli (#134)

plone.staticresources: 2.3.5 → 2.3.8
------------------------------------

Bug fixes:

- Update mockup=5.4.10.
  See https://github.com/plone/mockup/releases/tag/5.4.10. @petschki
- Update mockup=5.4.9.
  See https://github.com/plone/mockup/releases/tag/5.4.9. @petschki
- Update mockup=5.4.7.
  See https://github.com/plone/mockup/releases/tag/5.4.7. @petschki

plone.volto: 5.2.3 → 5.2.4
--------------------------

Bug fixes:

- Add getRemoteUrl to summary field serializer. @jackahl #207

plonetheme.barceloneta: 3.3.3 → 3.3.4
-------------------------------------

- Fix TinyMCE content padding. @petschki #462
- Update dependencies. @petschki

Products.CMFPlone: 6.1.4 → 6.1.5
--------------------------------

Bug fixes:

- Allow a Site Administrator to manage the users roles if there are users that have the Manager role set through the portal_role plugin.
  [ale-rt] #4287

Tests

- Fix robottests for UI changes in `pat-contentbrowser`. @petschki

Internal:

- Updated metadata version to 6112.
  @mauritsvanrees #6112

Products.isurlinportal: 3.0.1 → 3.1.0
-------------------------------------

New features:

- Prevent URLs that start with more than two slashes from being considered as URLs in portal.
  See `security advisory `_.
  [ale-rt, maurits]

Internal:

- Update configuration files.
  [plone devs]

five.customerize: 4.0 → 4.1
---------------------------

- Add support for Python 3.14.
- Drop support for Python 3.9.

z3c.relationfield: 3.0 → 3.1
----------------------------

- Add support for Python 3.14.
- Drop support for Python 3.9.

ZEO: 6.0.0 → 6.2
----------------

zest.releaser: 9.6.2 → 9.9.1
----------------------------

zestreleaser.towncrier: 1.3.0 → 2.0.1
-------------------------------------

zodbupdate: 2.0 → 3.0
---------------------

- Drop ``pkg_resources`` for getting entry points.
  On Python 3.9 we require ``importlib-metadata`` for this.
  (`#47 `_)
- Add support for Python 3.12, 3.13.
- Drop support for Python 3.7, 3.8.
- Fix tests by declaring a dependency which is used in ``relstorage 4.0.0`` but not declared.

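
The RSS feed URL rules listed under plone.app.portlets above (only http/https, no internal IP addresses, no single word domains, no port numbers), sketched as an added example; this is not the code from ``plone.app.portlets``. The function name ``check_feed_url`` and the refusal strings are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit


def check_feed_url(url):
    """Return None when the URL passes, otherwise the reason it is refused."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return "malformed url"
    if parts.scheme not in ("http", "https"):
        return "scheme is not http or https"
    host = parts.hostname
    if not host:
        return "no host"
    if port is not None:
        return "explicit port number"
    try:
        address = ipaddress.ip_address(host)
    except ValueError:
        address = None  # not an IP literal, treat as a domain name
    if address is not None:
        # is_global is False for loopback, private, link-local and similar ranges.
        return None if address.is_global else "internal ip address"
    if "." not in host.rstrip("."):
        return "single word domain"
    return None


# Constructed sample inputs, one per rule.
SAMPLES = [
    "https://example.org/feed.xml",
    "ftp://example.org/feed.xml",
    "http://10.0.0.5/feed.xml",
    "http://[::1]/feed.xml",
    "http://intranet/feed.xml",
    "http://example.org:8080/feed.xml",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_feed_url(sample) or "accepted")
```

This check looks only at the URL string; a domain name that resolves to an internal address still has to be caught when the connection is made.
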
zope.app.locales: 5.0 → 6.0
---------------------------

zope.componentvocabulary: 3.0 → 4.0
-----------------------------------

zope.copy: 5.0 → 6.0
--------------------

zope.intid: 5.1 → 6.0
---------------------

zope.keyreference: 6.1 → 7.0
----------------------------

zope.pytestlayer: 8.3 → 9.1
---------------------------

zope.ramcache: 3.1 → 4.0
------------------------

zope.sendmail: 6.2 → 7.1
------------------------

attrs: 25.3.0 → 26.1.0
----------------------

build: 1.3.0 → 1.5.0
--------------------

click: 8.2.2 → 8.4.0
--------------------

cmarkgfm: 2024.11.20 → 2025.10.22
---------------------------------

cryptography: 45.0.7 → 48.0.0
-----------------------------

cssselect: 1.3.0 → 1.4.0
------------------------

decorator: 5.2.1 → 5.3.1
------------------------

id: 1.5.0 → 1.6.1
-----------------

iniconfig: 2.1.0 → 2.3.0
------------------------

jaraco.context: 6.0.1 → 6.1.2
-----------------------------

jaraco.functools: 4.1.0 → 4.5.0
-------------------------------

jsonschema: 4.24.1 → 4.26.0
---------------------------

keyring: 25.6.0 → 25.7.0
------------------------

lxml-html-clean: 0.4.3 → 0.4.4
------------------------------

Markdown: 3.8.2 → 3.10.2
------------------------

nh3: 0.2.22 → 0.3.5
-------------------

psutil: 7.1.3 → 7.2.2
---------------------

PyJWT: 2.10.1 → 2.12.1
----------------------

pyOpenSSL: 25.3.0 → 26.2.0
--------------------------

python-dotenv: 1.1.1 → 1.2.2
----------------------------

referencing: 0.36.2 → 0.37.0
----------------------------

responses: 0.25.8 → 0.26.0
--------------------------

rich: 14.0.0 → 14.3.4
---------------------

rpds-py: 0.22.3 → 0.30.0
------------------------

SecretStorage: 3.3.3 → 3.5.0
----------------------------

trio: 0.30.0 → 0.33.0
---------------------

trove-classifiers: 2025.9.11.17 → 2026.5.20.19
----------------------------------------------

tzdata: 2025.2 → 2026.2
-----------------------

wsproto: 1.2.0 → 1.3.2
----------------------