This is the Werkzeug 3.0.3 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.
PyPI: https://pypi.org/project/Werkzeug/3.0.3/
Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-3
Milestone: https://github.com/pallets/werkzeug/milestone/35?closed=1
- Only allow
localhost,.localhost,127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. GHSA-2g68-c3qc-8985 - Make reloader more robust when
""is insys.path. #2823 - Better TLS cert format with
adhocdev certs. #2891 - Inform Python < 3.12 how to handle
itms-servicesURIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. #2828 - Type annotation for
Rule.endpointand other uses ofendpointisAny. #2836