Releases: jawah/niquests

Version 3.1.3

19 Oct 07:21
7de4041

3.1.3 (2023-10-19)

Fixed

  • oheaders from a Response contains Set-Cookie entries when it should not.
  • Static type checker not accepting list[str] in values for argument param.
  • Static type checker not accepting Iterable[bytes] for data.
  • Function proxy_bypass_registry for Windows may be fooled by insufficient control on our end.
    Patch taken from idle upstream PR psf#6302
  • SSLError message related to the certificate revocation could print None instead of unspecified for the reason.

Changed

  • Allow setting None in max_size for SharableLimitedDict to remove limits.
  • Using RLock instead of Lock in SharableLimitedDict, and InMemoryRevocationStatus classes.

Misc

  • Missing assert statements for test test_header_validation.
  • Unrelated warnings are now silent in our test suite.
  • Unexpected warnings now trigger an error in our test suite.
  • Removed tests.compat.
  • Removed test-readme, flake8, and publish from Makefile.

Added

  • Extra-dist install http3 to force install HTTP/3 support in your environment if not present.
  • Extra-dist install ocsp to force install certificate revocation support in your environment if not present.

Version 3.1.2

16 Oct 11:49
5cb7c7b

3.1.2 (2023-10-16)

Fixed

  • Static type checker not accepting list[str] in values for argument data.

Misc

  • Changed the documentation theme to furo.

Added

  • IPv6 support in the NO_PROXY environment variable or in the proxies (key no_proxy) argument.
    Patch taken from idle upstream PR psf#5953

  • Preemptively register a website to be HTTP/3 capable prior to the first TLS over TCP handshake.
    You can do so like this:

    from niquests import Session
    
    s = Session()
    s.quic_cache_layer.add_domain("cloudflare.com")
  • Passed data will be converted to form-data if the headers include a Content-Type header set to multipart/form-data.
    Otherwise, by default, it is still urlencoded. If you specified a boundary, it will be used; otherwise, a random one will
    be generated.

Version 3.1.1

11 Oct 18:39
d616667

3.1.1 (2023-10-11)

Fixed

  • Fixed Transfer-Encoding wrongfully added to headers when the body is actually of length 0, due to the ambiguous return value of super_len in niquests internals.
  • Fixed accepting three-valued tuple for Timeout (connect, read, total) in addition to known (connect, read) tuple.

Version 3.1.0

10 Oct 11:53
352d896

Release History

3.1.0 (2023-10-10)

Misc

  • Static typing has been improved to provide a better development experience.

Added

  • Certificate revocation verification via the OCSP protocol.

    This feature is broadly available and is enabled by default when verify=True.
    We decided to follow what browsers do by default, so Niquests follows by being non-strict.
    OCSP responses are expected to arrive in less than 200ms, otherwise ignored (e.g. OCSP is dropped).
    Niquests keeps the results in memory until the size exceeds 2,048 entries, then an algorithm chooses an entry
    to be deleted (oldest request or the first one that ended in error).

    You can at your own discretion enable strict OCSP checks by setting the environment variable NIQUESTS_STRICT_OCSP
    to any value other than 0. In strict mode, the maximum delay for a response goes from 200ms to 1,000ms, and
    an error or an explicit warning is raised.

    In non-strict mode, this security measure will be deactivated automatically if your usage is unreasonable,
    e.g. making a hundred requests to a hundred domains, thus consuming resources that should have been
    allocated to browser users. This was made available for users with a limited target of domains to get
    a complementary security measure.

    Unless in strict mode, the proxy configuration will be respected when given, as long as it specifies
    a plain http proxy. This is meant for people who want privacy.

    This feature may not be available if the cryptography package is missing from your environment.
    Verify the availability after Niquests upgrade by running python -m niquests.help.

    There are several downsides to using OCSP, and Niquests knows it. It is not a silver bullet solution, but it is better than nothing.
    For now, it does not apply to HTTPS proxies themselves.

  • Add property ocsp_verified in both PreparedRequest, and Response to have a clue on the post handshake verification.

    Will be None if no verification took place, True if the verification leads to confirmation from the OCSP server
    that the certificate is valid, False otherwise.
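
One way to act on ocsp_verified in application code, as an added example that is not part of these release notes or the Niquests code base: non-strict mode can leave the value at None, so the three states are handled separately. HandshakePolicyError, check_handshake, checked_get, fake_response and the pin set are hypothetical names; conn_info.certificate_der is the property listed under 3.0.0 on this page.

```python
import hashlib
from types import SimpleNamespace


class HandshakePolicyError(Exception):
    """Hypothetical exception for a failed post-handshake policy check."""


def check_handshake(resp, require_ocsp=False, pinned_sha256=frozenset()):
    """Apply a caller-defined policy to a response's post-handshake attributes.

    `resp` must expose `ocsp_verified` and `conn_info`, the properties named in
    these release notes. Returns what was observed, raises on a violation.
    """
    state = resp.ocsp_verified  # None: no check ran, True: confirmed, False: not
    if state is False:
        raise HandshakePolicyError("OCSP did not confirm the certificate")
    if state is None and require_ocsp:
        # Non-strict mode may skip OCSP (slow responder, feature deactivated or
        # unavailable); a plain truthiness test would lump this in with False.
        raise HandshakePolicyError("no OCSP verification took place")

    info = resp.conn_info
    fingerprint = None
    if info is not None and info.certificate_der:
        fingerprint = hashlib.sha256(info.certificate_der).hexdigest()
    if pinned_sha256 and fingerprint not in pinned_sha256:
        raise HandshakePolicyError("certificate is not in the pin set")
    return {"ocsp": state, "cert_sha256": fingerprint}


def checked_get(url, **policy):
    """Live use; needs niquests installed and network access."""
    import niquests  # lazy import so the policy check runs without it

    resp = niquests.get(url, timeout=10)
    return resp, check_handshake(resp, **policy)


def fake_response(ocsp, der=b"constructed-der-bytes"):
    """Constructed stand-in with only the attributes the check reads."""
    conn_info = SimpleNamespace(certificate_der=der)
    return SimpleNamespace(ocsp_verified=ocsp, conn_info=conn_info)


if __name__ == "__main__":
    for ocsp in (True, None, False):
        try:
            print(ocsp, check_handshake(fake_response(ocsp), require_ocsp=True))
        except HandshakePolicyError as exc:
            print(ocsp, "rejected:", exc)
```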

Changed

  • Bump lower version requirement for urllib3.future to 2.1.900 to ensure compatibility with newer features.
  • Internal in-memory QUIC capabilities are now thread-safe and limited to 12,288 entries.
  • Pickling a Session object no longer dumps adapters or the QUIC in-memory capabilities, they are reset on setstate.

Fixed

  • conn_info was unset if the response came after a redirect.

Release 3.0.2

01 Oct 08:07
43bfa77

3.0.2 (2023-10-01)

Changed

  • niquests.help shows more information about direct dependencies.
  • urllib3.future minimal version was raised to 2.0.936 due to an important fix on the QUIC layer.
  • wassima minimal version was raised to 1.0.1 in order to support certifi as a fallback in rare cases.

Version 3.0.1

26 Sep 12:10

3.0.1 (2023-09-26)

Fixed

  • Method head not accepting allow_redirect named argument.
  • PreparedRequest did not uppercase the HTTP verb when constructed manually.

Changed

  • Minor code refactor in the text, and json methods within the Response class to be more concise.

Version 3.0.0

24 Sep 07:41
535efc6

3.0.0 (2023-09-24)

Added

  • Static type annotations throughout the whole package.
  • cert argument for client authentication with certificate can now pass the password/passphrase using a 3-values tuple (cert, key, password).
    The three parameters in the tuple must be of type str.
  • verify argument behavior has been extended and now accepts your CA bundle as str instead of a path. It also accepts your CA bundle as bytes directly.
    This helps when you do not have access to the fs.
  • Operating system truststore will be used instead of certifi. Root CAs are automatically grabbed from your computer configuration.
  • Object-oriented headers. Access them through the new property oheaders in your Response.
  • Propagated the argument retries in niquests.api for all functions.
  • Added argument retries in the Session constructor.
  • Property conn_info to the PreparedRequest and Response that hold a reference to a ConnectionInfo.
    This class exposes the following properties: certificate_der (bytes), certificate_dict (dict) as provided by the standard
    library (ssl), destination_address (tuple[ipAddress, portNumber]), cipher (str), tls_version (TLSVersion), and http_version.
  • Two hooks, namely pre_send and pre_request. The pre_request event is fired just after the initial construction of
    a PreparedRequest instance. Finally, the pre_send will be triggered just after picking a (live) connection
    for your request. The two events receive a PreparedRequest instance.

Changed

  • Calling the method json from Response when no encoding was provided no longer relies on internal encoding inference.
    We fall back on charset-normalizer with a limited set of charsets allowed (UTF-8/16/32 or ASCII).
  • No longer will the text method from Response return str if content cannot be decoded. It returns None instead.
  • If specified charset in content-type does not exist (LookupError) the text method from Response will rely on charset detection.
  • If specified charset in content-type is not made for text decoding (e.g. base64), the text method from Response returns None.
  • With above four changes, the json method will raise RequestsJSONDecodeError when the payload (body) cannot be decoded.
  • Passing an invalid files description no longer just skips invalid entries; it raises ValueError from now on.
  • Non-str HTTP verbs are refused.
  • Passing files with minimal description (meaning no tuple but just the fp) no longer guesses its name when fp.name returns bytes.
  • No longer will the default timeout be unset, thus making you wait indefinitely.
    Functions get, head, and options ship with a default of 30 seconds.
    Then put, post, patch and delete use a default of 120 seconds.
    Finally, the request function also has 120 seconds.
  • Basic authorization username and password are now encoded using utf-8 instead of latin-1 prior to being base64 encoded.

Removed

  • Property apparent_encoding in favor of a discrete internal inference.
  • Support for the legacy chardet detector in case it was present in environment.
    Extra chardet_on_py3 is now unavailable.
  • requests.compat no longer holds a reference to chardet.
  • Deprecated requests.packages that was meant to avoid breakage from people importing urllib3 or chardet within this package.
    They were vendored in early versions of Requests. A long time ago.
  • Deprecated function get_encodings_from_content from utils.
  • Deprecated function get_unicode_from_response from utils.
  • BasicAuth middleware no longer supports anything else than bytes or str for username and password.
  • requests.compat is stripped of every reference that no longer varies between supported interpreter versions.
  • Charset fallback to ISO-8859-1 when content-type is text and no charset was specified.
  • Main functions get, post, put, patch, delete, and head no longer accept kwargs. They have a fixed list of typed arguments.
    It is no longer possible to specify non-supported additional keyword arguments from a Session instance or directly through requests.api functions.
    e.g. function delete no longer accepts the json or files arguments, as per the RFC specifications. You can still override this behavior through the request function.
  • Mixin classes RequestEncodingMixin, and RequestHooksMixin due to OOP violations. Now deported directly into child classes.
  • Function unicode_is_ascii as it is part of the stable str stdlib on Python 3 or greater.
  • Alias function session for Session context manager that was kept for BC reasons since the v1.
  • pyOpenSSL/urllib3 injection in case the built-in ssl module does not have SNI support, as this is no longer the case for any supported interpreter.
  • Constant DEFAULT_CA_BUNDLE_PATH, and submodule certs due to dropping certifi.
  • Function extract_zipped_paths, rendered useless as it was made to handle an edge case where certifi is "zipped".
  • Extra security when installing this package. It was previously emptied in the previous major.
  • Warning emitted when passing a file opened in text-mode instead of binary. urllib3.future can overrule
    the content-length if it detects an error. You should not encounter broken request being sent.
  • Support for simplejson if it was present in the environment.
  • Submodule compat.

Fixed

  • An invalid content-type definition would cause the charset to be evaluated to True, thus making the program crash.
  • Given proxies could be mutated when environment proxies were evaluated and injected. This package should not modify your inputs.
    For context see psf#6118
  • A server could specify a Location header that does not comply with HTTP specifications and could lead to an unexpected exception.
    We try to fall back to Unicode decoding if the typical and expected Latin-1 would fail. If that fails too, a proper exception is raised.
    For context see psf#6026
  • Top-level init now correctly specifies the exposed API. Fixes mypy error .. does not explicitly export attribute ...

Version 3.0.0 Beta 1

22 Sep 07:21
Pre-release

3.0.0b1 (2023-09-22)

Removed

  • Support for simplejson if it was present in the environment.
  • Submodule compat.

Added

  • Object-oriented headers. Access them through the new property oheaders in your Response.
  • Propagated the argument retries in niquests.api for all functions.
  • Added argument retries in the Session constructor.

Fixed

  • No configured retry of your HTTP requests but getting exception MaxRetryError nonetheless.

Version 3.0.0 Beta 0

21 Sep 12:32
Pre-release

This is the first preview for the v3.0 release.
It is not ready for production. We are close!


3.0.0b0 (2023-09-21)

Removed

  • Property apparent_encoding in favor of a discrete internal inference.
  • Support for the legacy chardet detector in case it was present in environment.
    Extra chardet_on_py3 is now unavailable.
  • requests.compat no longer holds a reference to chardet.
  • Deprecated requests.packages that was meant to avoid breakage from people importing urllib3 or chardet within this package.
    They were vendored in early versions of Requests. A long time ago.
  • Deprecated function get_encodings_from_content from utils.
  • Deprecated function get_unicode_from_response from utils.
  • BasicAuth middleware no longer supports anything else than bytes or str for username and password.
  • requests.compat is stripped of every reference that no longer varies between supported interpreter versions.
  • Charset fallback to ISO-8859-1 when content-type is text and no charset was specified.
  • Main functions get, post, put, patch, delete, and head no longer accept kwargs. They have a fixed list of typed arguments.
    It is no longer possible to specify non-supported additional keyword arguments from a Session instance or directly through requests.api functions.
    e.g. function delete no longer accepts the json or files arguments, as per the RFC specifications. You can still override this behavior through the request function.
  • Mixin classes RequestEncodingMixin, and RequestHooksMixin due to OOP violations. Now deported directly into child classes.
  • Function unicode_is_ascii as it is part of the stable str stdlib on Python 3 or greater.
  • Alias function session for Session context manager that was kept for BC reasons since the v1.
  • pyOpenSSL/urllib3 injection in case the built-in ssl module does not have SNI support, as this is no longer the case for any supported interpreter.
  • Constant DEFAULT_CA_BUNDLE_PATH, and submodule certs due to dropping certifi.
  • Function extract_zipped_paths, rendered useless as it was made to handle an edge case where certifi is "zipped".
  • Extra security when installing this package. It was previously emptied in the previous major.

Changed

  • Calling the method json from Response when no encoding was provided no longer relies on internal encoding inference.
    We fall back on charset-normalizer with a limited set of charsets allowed (UTF-8/16/32 or ASCII).
  • No longer will the text method from Response return str if content cannot be decoded. It returns None instead.
  • If specified charset in content-type does not exist (LookupError) the text method from Response will rely on charset detection.
  • If specified charset in content-type is not made for text decoding (e.g. base64), the text method from Response returns None.
  • With above four changes, the json method will raise RequestsJSONDecodeError when the payload (body) cannot be decoded.
  • Passing an invalid files description no longer just skips invalid entries; it raises ValueError from now on.
  • Non-str HTTP verbs are refused.
  • Passing files with minimal description (meaning no tuple but just the fp) no longer guesses its name when fp.name returns bytes.
  • No longer will the default timeout be unset, thus making you wait indefinitely.
    Functions get, head, and options ship with a default of 30 seconds.
    Then put, post, patch and delete use a default of 120 seconds.
    Finally, the request function also has 120 seconds.
  • Basic authorization username and password are now encoded using utf-8 instead of latin-1 prior to being base64 encoded.

Added

  • Static type annotations throughout the whole package.
  • cert argument for client authentication with certificate can now pass the password/passphrase using a 3-values tuple (cert, key, password).
    The three parameters in the tuple must be of type str.
  • verify argument behavior has been extended and now accepts your CA bundle as str instead of a path. It also accepts your CA bundle as bytes directly.
    This helps when you do not have access to the fs.
  • Operating system truststore will be used instead of certifi. Root CAs are automatically grabbed from your computer configuration.

Fixed

  • An invalid content-type definition would cause the charset to be evaluated to True, thus making the program crash.
  • Given proxies could be mutated when environment proxies were evaluated and injected. This package should not modify your inputs.
    For context see psf#6118
  • A server could specify a Location header that does not comply with HTTP specifications and could lead to an unexpected exception.
    We try to fall back to Unicode decoding if the typical and expected Latin-1 would fail. If that fails too, a proper exception is raised.
    For context see psf#6026

v2.32.1

12 Sep 12:35
bb2ce95
Compare
Choose a tag to compare

2.32.1 (2023-09-12)

Bugfixes

  • Fix QUIC cache when using requests.request without persistent Session

Dependencies

  • urllib3.future minimal version supported raised to 2.0.932 (ship with critical fixes)