============================================ Django 4.1 release notes - UNDER DEVELOPMENT ============================================ *Expected August 2022* Welcome to Django 4.1! These release notes cover the :ref:`new features `, as well as some :ref:`backwards incompatible changes ` you'll want to be aware of when upgrading from Django 4.0 or earlier. We've :ref:`begun the deprecation process for some features `. See the :doc:`/howto/upgrade-version` guide if you're updating an existing project. Python compatibility ==================== Django 4.1 supports Python 3.8, 3.9, and 3.10. We **highly recommend** and only officially support the latest release of each series. .. _whats-new-4.1: What's new in Django 4.1 ======================== .. _csrf-cookie-masked-usage: ``CSRF_COOKIE_MASKED`` setting ------------------------------ The new :setting:`CSRF_COOKIE_MASKED` transitional setting allows specifying whether to mask the CSRF cookie. :class:`~django.middleware.csrf.CsrfViewMiddleware` no longer masks the CSRF cookie like it does the CSRF token in the DOM. If you are upgrading multiple instances of the same project to Django 4.1, you should set :setting:`CSRF_COOKIE_MASKED` to ``True`` during the transition, in order to allow compatibility with the older versions of Django. Once the transition to 4.1 is complete you can stop overriding :setting:`CSRF_COOKIE_MASKED`. This setting is deprecated as of this release and will be removed in Django 5.0. Minor features -------------- :mod:`django.contrib.admin` ~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The admin :ref:`dark mode CSS variables ` are now applied in a separate stylesheet and template block. * :ref:`modeladmin-list-filters` providing custom ``FieldListFilter`` subclasses can now control the query string value separator when filtering for multiple values using the ``__in`` lookup. * The admin :meth:`history view ` is now paginated. :mod:`django.contrib.admindocs` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * ... :mod:`django.contrib.auth` ~~~~~~~~~~~~~~~~~~~~~~~~~~ * The default iteration count for the PBKDF2 password hasher is increased from 320,000 to 390,000. :mod:`django.contrib.contenttypes` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * ... :mod:`django.contrib.gis` ~~~~~~~~~~~~~~~~~~~~~~~~~ * The new :meth:`.GEOSGeometry.make_valid()` method allows converting invalid geometries to valid ones. :mod:`django.contrib.messages` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * ... :mod:`django.contrib.postgres` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The new :class:`BitXor() ` aggregate function returns an ``int`` of the bitwise ``XOR`` of all non-null input values. * :class:`~django.contrib.postgres.indexes.SpGistIndex` now supports covering indexes on PostgreSQL 14+. * :class:`~django.contrib.postgres.constraints.ExclusionConstraint` now supports covering exclusion constraints using SP-GiST indexes on PostgreSQL 14+. * The new ``default_bounds`` attribute of :attr:`DateTimeRangeField ` and :attr:`DecimalRangeField ` allows specifying bounds for list and tuple inputs. * :class:`~django.contrib.postgres.constraints.ExclusionConstraint` now allows specifying operator classes with the :class:`OpClass() ` expression. :mod:`django.contrib.redirects` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * ... :mod:`django.contrib.sessions` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * ... :mod:`django.contrib.sitemaps` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The default sitemap index template ```` now includes the ```` timestamp where available, through the new :meth:`~django.contrib.sitemaps.Sitemap.get_latest_lastmod` method. Custom sitemap index templates should be updated for the adjusted :ref:`context variables `. :mod:`django.contrib.sites` ~~~~~~~~~~~~~~~~~~~~~~~~~~~ * ... :mod:`django.contrib.staticfiles` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * :class:`~django.contrib.staticfiles.storage.ManifestStaticFilesStorage` now replaces paths to CSS source map references with their hashed counterparts. :mod:`django.contrib.syndication` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * ... Cache ~~~~~ * ... CSRF ~~~~ * ... Decorators ~~~~~~~~~~ * ... Email ~~~~~ * ... Error Reporting ~~~~~~~~~~~~~~~ * ... File Storage ~~~~~~~~~~~~ * ... File Uploads ~~~~~~~~~~~~ * ... Forms ~~~~~ * The new :meth:`~django.forms.BoundField.legend_tag` allows rendering field labels in ```` tags via the new ``tag`` argument of :meth:`~django.forms.BoundField.label_tag`. * The new ``edit_only`` argument for :func:`.modelformset_factory` and :func:`.inlineformset_factory` allows preventing new objects creation. Generic Views ~~~~~~~~~~~~~ * ... Internationalization ~~~~~~~~~~~~~~~~~~~~ * The :func:`~django.conf.urls.i18n.i18n_patterns` function now supports languages with both scripts and regions. Logging ~~~~~~~ * ... Management Commands ~~~~~~~~~~~~~~~~~~~ * :option:`makemigrations --no-input` now logs default answers and reasons why migrations cannot be created. * The new :option:`makemigrations --scriptable` option diverts log output and input prompts to ``stderr``, writing only paths of generated migration files to ``stdout``. * The new :option:`migrate --prune` option allows deleting nonexistent migrations from the ``django_migrations`` table. Migrations ~~~~~~~~~~ * ... Models ~~~~~~ * The ``order_by`` argument of the :class:`~django.db.models.expressions.Window` expression now accepts string references to fields and transforms. * The new :setting:`CONN_HEALTH_CHECKS` setting allows enabling health checks for :ref:`persistent database connections ` in order to reduce the number of failed requests, e.g. after database server restart. * :meth:`.QuerySet.bulk_create` now supports updating fields when a row insertion fails uniqueness constraints. This is supported on MariaDB, MySQL, PostgreSQL, and SQLite 3.24+. * :meth:`.QuerySet.iterator` now supports prefetching related objects as long as the ``chunk_size`` argument is provided. In older versions, no prefetching was done. Requests and Responses ~~~~~~~~~~~~~~~~~~~~~~ * ... Security ~~~~~~~~ * The new :setting:`SECRET_KEY_FALLBACKS` setting allows providing a list of values for secret key rotation. Serialization ~~~~~~~~~~~~~ * ... Signals ~~~~~~~ * The :data:`~django.db.models.signals.pre_delete` and :data:`~django.db.models.signals.post_delete` signals now dispatch the ``origin`` of the deletion. Templates ~~~~~~~~~ * :tfilter:`json_script` template filter now allows wrapping in a ``