Scheduled monthly dependency update for July

[pyup-bot]

Updates

Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need.

gevent	1.2.0	»	1.2.2	PyPI | Changelog | Homepage
boto3	1.4.3	»	1.4.4	PyPI | Changelog | Repo
boto	2.46.1	»	2.47.0	PyPI | Changelog | Repo
django-storages	1.5.1	»	1.6.3	PyPI | Changelog | Repo
django-anymail	0.9	»	0.10	PyPI | Changelog | Repo
raven	6.0.0	»	6.1.0	PyPI | Changelog | Repo
django	1.10.5	»	1.11.2	PyPI | Changelog | Homepage
django-environ	0.4.1	»	0.4.3	PyPI | Changelog | Repo
django-model-utils	2.6.1	»	3.0.0	PyPI | Changelog | Repo
django-grappelli	2.9.1	»	2.10.1	PyPI | Changelog | Docs
Pillow	4.1.0	»	4.1.1	PyPI | Changelog | Homepage
django-allauth	0.31.0	»	0.32.0	PyPI | Changelog | Repo
django-haystack	2.6.0	»	2.6.1	PyPI | Homepage
django-redis	4.7.0	»	4.8.0	PyPI | Changelog | Repo
django-leaflet	0.21.0	»	0.22.0	PyPI | Changelog | Repo
jsonfield	2.0.1	»	2.0.2	PyPI | Changelog | Repo
django-atom	0.12.7	»	0.14.3	PyPI | Changelog | Repo
Sphinx	1.5.5	»	1.6.2	PyPI | Changelog | Homepage
django-extensions	1.7.8	»	1.8.0	PyPI | Changelog | Repo | Docs
Werkzeug	0.11.15	»	0.12.2	PyPI | Changelog | Homepage
django-test-plus	1.0.16	»	1.0.18	PyPI | Changelog | Repo
django-debug-toolbar	1.7	»	1.8	PyPI | Changelog | Repo
ipdb	0.10.2	»	0.10.3	PyPI | Changelog | Repo

Changelogs

gevent 1.2.0 -> 1.2.2

1.2.2

==================

• Testing on Python 3.5 now uses Python 3.5.3 due to SSL changes. See
  :issue:943.
• Linux CI has been updated from Ubuntu 12.04 to Ubuntu 14.04 since
  the former has reached EOL.
• Linux CI now tests on PyPy2 5.7.1, updated from PyPy2 5.6.0.
• Linux CI now tests on PyPy3 3.5-5.7.1-beta, updated from PyPy3
  3.3-5.5-alpha.
• Python 2 sockets are compatible with the SOCK_CLOEXEC flag found
  on Linux. They no longer pass the socket type or protocol to
  getaddrinfo when connect is called. Reported in :issue:944
  by Bernie Hackett.
• Replace optparse module with argparse. See :issue:947.
• Update to version 1.3.1 of tblib to fix :issue:954,
  reported by ml31415.
• Fix the name of the type parameter to
  :func:gevent.socket.getaddrinfo to be correct on Python 3. This
  would cause callers using keyword arguments to raise a :exc:TypeError.
  Reported in :issue:960 by js6626069. Likewise, correct the
  argument names for fromfd and socketpair on Python 2,
  although they cannot be called with keyword arguments under CPython.

.. note:: The gethost* functions take different argument names
under CPython and PyPy. gevent follows the CPython
convention, although these functions cannot be called with
keyword arguments on CPython.

• The previously-singleton exception objects FileObjectClosed and
  cancel_wait_ex were converted to classes. On Python 3, an
  exception object is stateful, including references to its context
  and possibly traceback, which could lead to objects remaining alive
  longer than intended.
• Make sure that python -m gevent.monkey <script> runs code in the
  global scope, not the scope of the main function. Fixed in
  :pr:975 by Shawn Bohrer.

1.2.1

==================

• CI services now test on 3.6.0.
• Windows: Provide socket.socketpair for all Python 3 versions.
  This was added to Python 3.5, but tests were only added in 3.6.
  (For versions older than 3.4 this is a gevent extension.) Previously
  this was not supported on any Python 3 version.
• Windows: List subprocess.STARTUPINFO in subprocess.__all__
  for 3.6 compatibility.
• The _DummyThread objects created by calling
  :func:threading.current_thread from inside a raw
  :class:greenlet.greenlet in a system with monkey-patched
  threading now clean up after themselves when the
  greenlet dies (:class:gevent.Greenlet-based _DummyThreads have
  always cleaned up). This requires the use of a :class:weakref.ref
  (and may not be timely on PyPy).
  Reported in :issue:918 by frozenoctobeer.
• Build OS X wheels with -D_DARWIN_FEATURE_CLOCK_GETTIME=0 for
  compatibility with OS X releases before 10.12 Sierra. Reported by
  Ned Batchelder in :issue:916.

boto 2.46.1 -> 2.47.0

2.47.0

============

📅 2017/05/24

Adds features for Google Cloud Storage.

Changes

• Loosen requirements for ID field in PROJECT_PRIVATE_RE. (:issue:3729, :sha:5e85d7c7)
• Populate storage class from HEAD Object responses. (:issue:3691, :sha:315b76e0)

django-storages 1.5.1 -> 1.6.3

1.6.3

---

• Revert default AWS_S3_SIGNATURE_VERSION to be V2 to restore backwards
  compatability in S3Boto3. It's recommended that all new projects set
  this to be 's3v4'. (344_)

.. _344: jschneier/django-storages#344

1.6.2

---

• Fix regression in safe_join() to handle a trailing slash in an
  intermediate path. (341_)
• Fix regression in gs.GSBotoStorage got an unespected kwarg.
  (342_)

.. _341: jschneier/django-storages#341
.. _342: jschneier/django-storages#342

1.6.1

---

• Drop support for Django 1.9 (e89db45_)
• Fix regression in safe_join() to allow joining a base path with an empty
  string. (336_)

.. _e89db45: jschneier/django-storages@e89db45
.. _336: jschneier/django-storages#336

1.6

---

• Breaking: Remove backends deprecated in v1.5.1 (280_)
• Breaking: DropBoxStorage has been upgrade to support v2 of the API, v1 will be shut off at the
  end of the month - upgrading is recommended (273_)
• Breaking: The SFTPStorage backend now checks for the existence of the fallback ~/.ssh/known_hosts
  before attempting to load it. If you had previously been passing in a path to a non-existent file it will no longer
  attempt to load the fallback. (issue 118_ pr 325_)
• Breaking: The default version value for AWS_S3_SIGNATURE_VERSION is now 's3v4'. No changes should
  be required (335_)
• Deprecation: The undocumented gs.GSBotoStorage backend. See the new gcloud.GoogleCloudStorage
  or apache_libcloud.LibCloudStorage backends instead. (236_)
• Add a new backend, gcloud.GoogleCloudStorage based on the google-cloud bindings. (236_)
• Pass in the location constraint when auto creating a bucket in S3Boto3Storage (257, 258)
• Add support for reading AWS_SESSION_TOKEN and AWS_SECURITY_TOKEN from the environment
  to S3Boto3Storage and S3BotoStorage. (283_)
• Fix Boto3 non-ascii filenames on Python 2.7 (216, 217)
• Fix collectstatic timezone handling in and add get_modified_time to S3BotoStorage (290_)
• Add support for Django 1.11 (295_)
• Add project keyword support to GCS in LibCloudStorage backend (269_)
• Files that have a guessable encoding (e.g. gzip or compress) will be uploaded with that Content-Encoding in
  the s3boto3 backend (issue 263_ pr 264_)
• The Dropbox backend now properly translates backslashes in Windows paths into forward slashes (e52a127_)
• The S3 backends now permit colons in the keys (issue 248_ pr 322_)

.. _217: jschneier/django-storages#217
.. _273: jschneier/django-storages#273
.. _216: jschneier/django-storages#216
.. _283: jschneier/django-storages#283
.. _280: jschneier/django-storages#280
.. _257: jschneier/django-storages#257
.. _258: jschneier/django-storages#258
.. _290: jschneier/django-storages#290
.. _295: jschneier/django-storages#295
.. _269: jschneier/django-storages#269
.. _263: jschneier/django-storages#263
.. _264: jschneier/django-storages#264
.. _e52a127: jschneier/django-storages@e52a127
.. _236: jschneier/django-storages#236
.. _issue 118: jschneier/django-storages#118
.. _pr 325: jschneier/django-storages#325
.. _issue 248: jschneier/django-storages#248
.. _pr 322: jschneier/django-storages#322
.. _335: jschneier/django-storages#335

1.5.2

---

• Actually use SFTP_STORAGE_HOST in SFTPStorage backend (204_)
• Fix S3Boto3Storage to avoid race conditions in a multi-threaded WSGI environment (238_)
• Fix trying to localize a naive datetime when settings.USE_TZ is False in S3Boto3Storage.modified_time.
  (235, 234)
• Fix automatic bucket creation in S3Boto3Storage when AWS_AUTO_CREATE_BUCKET is True (196_)
• Improve the documentation for the S3 backends

.. _204: jschneier/django-storages#204
.. _238: jschneier/django-storages#238
.. _234: jschneier/django-storages#234
.. _235: jschneier/django-storages#235
.. _196: jschneier/django-storages#196

django-anymail 0.9 -> 0.10

0.10

New features

• Mailgun, SparkPost: Support multiple from addresses, as a comma-separated from_email string. (Not a list of strings, like the recipient fields.) RFC-5322 allows multiple from email addresses, and these two ESPs support it. Though as a practical matter, multiple from emails are either ignored or treated as a spam signal by receiving mail handlers. (See 60.)

Other changes

• Fix crash sending forwarded email messages as attachments. (See 59.)
• Mailgun: Fix webhook crash on bounces from some receiving mail handlers. (See 62.)
• Improve recipient-parsing error messages and consistency with Django's SMTP backend. In particular, Django (and now Anymail) allows multiple, comma-separated email addresses in a single recipient string.

raven 6.0.0 -> 6.1.0

6.1.0

---

• Support both string and class values for ignore_exceptions parameters.
  Class values also support child exceptions.
• Ensure consistent fingerprint for SoftTimeLimitExceeded exceptions
• Add sample_rate configuration
• fix registration of hooks for Django

django 1.10.5 -> 1.11.2

1.11.2

===========================

June 1, 2017

Django 1.11.2 adds a minor feature and fixes several bugs in 1.11.1. Also, the
latest string translations from Transifex are incorporated.

Minor feature

The new LiveServerTestCase.port attribute reallows the use case of binding
to a specific port following the :ref:bind to port zero <liveservertestcase-port-zero-change> change in Django 1.11.

Bugfixes

• Added detection for GDAL 2.1 and 2.0, and removed detection for unsupported
  versions 1.7 and 1.8 (:ticket:28181).

• Changed contrib.gis to raise ImproperlyConfigured rather than
  GDALException if gdal isn't installed, to allow third-party apps to
  catch that exception (:ticket:28178).

• Fixed django.utils.http.is_safe_url() crash on invalid IPv6 URLs
  (:ticket:28142).

• Fixed regression causing pickling of model fields to crash (:ticket:28188).

• Fixed django.contrib.auth.authenticate() when multiple authentication
  backends don't accept a positional request argument (:ticket:28207).

• Fixed introspection of index field ordering on PostgreSQL (:ticket:28197).

• Fixed a regression where Model._state.adding wasn't set correctly on
  multi-table inheritance parent models after saving a child model
  (:ticket:28210).

• Allowed DjangoJSONEncoder to serialize
  django.utils.deprecation.CallableBool (:ticket:28230).

• Relaxed the validation added in Django 1.11 of the fields in the defaults
  argument of QuerySet.get_or_create() and update_or_create() to
  reallow settable model properties (:ticket:28222).

• Fixed MultipleObjectMixin.paginate_queryset() crash on Python 2 if the
  InvalidPage message contains non-ASCII (:ticket:28204).

• Prevented Subquery from adding an unnecessary CAST which resulted in
  invalid SQL (:ticket:28199).

• Corrected detection of GDAL 2.1 on Windows (:ticket:28181).

• Made date-based generic views return a 404 rather than crash when given an
  out of range date (:ticket:28209).

• Fixed a regression where file_move_safe() crashed when moving files to a
  CIFS mount (:ticket:28170).

• Moved the ImageField file extension validation added in Django 1.11 from
  the model field to the form field to reallow the use case of storing images
  without an extension (:ticket:28242).

===========================

1.11.1

===========================

May 6, 2017

Django 1.11.1 adds a minor feature and fixes several bugs in 1.11.

Allowed disabling server-side cursors on PostgreSQL

The change in Django 1.11 to make :meth:.QuerySet.iterator() use server-side
cursors on PostgreSQL prevents running Django with pgBouncer in transaction
pooling mode. To reallow that, use the :setting:DISABLE_SERVER_SIDE_CURSORS <DATABASE-DISABLE_SERVER_SIDE_CURSORS> setting in :setting:DATABASES.

See :ref:transaction-pooling-server-side-cursors for more discussion.

Bugfixes

• Made migrations respect Index’s name argument. If you created a
  named index with Django 1.11, makemigrations will create a migration to
  recreate the index with the correct name (:ticket:28051).

• Fixed a crash when using a __icontains lookup on a ArrayField
  (:ticket:28038).

• Fixed a crash when using a two-tuple in EmailMessage’s attachments
  argument (:ticket:28042).

• Fixed QuerySet.filter() crash when it references the name of a
  OneToOneField primary key (:ticket:28047).

• Fixed empty POST data table appearing instead of "No POST data" in HTML debug
  page (:ticket:28079).

• Restored BoundField\s without any choices evaluating to True
  (:ticket:28058).

• Prevented SessionBase.cycle_key() from losing session data if
  _session_cache isn't populated (:ticket:28066).

• Fixed layout of ReadOnlyPasswordHashWidget (used in the admin's user
  change page) (:ticket:28097).

• Allowed prefetch calls on managers with custom ModelIterable subclasses
  (:ticket:28096).

• Fixed change password link in the contrib.auth admin for el,
  es_MX, and pt translations (:ticket:28100).

• Restored the output of the class attribute in the <ul> of widgets
  that use the multiple_input.html template. This fixes
  ModelAdmin.radio_fields with admin.HORIZONTAL (:ticket:28059).

• Fixed crash in BaseGeometryWidget.subwidgets() (:ticket:28039).

• Fixed exception reraising in ORM query execution when cursor.execute()
  fails and the subsequent cursor.close() also fails (:ticket:28091).

• Fixed a regression where CheckboxSelectMultiple, NullBooleanSelect,
  RadioSelect, SelectMultiple, and Select localized option values
  (:ticket:28075).

• Corrected the stack level of unordered queryset pagination warnings
  (:ticket:28109).

• Fixed a regression causing incorrect queries for __in subquery lookups
  when models use ForeignKey.to_field (:ticket:28101).

• Fixed crash when overriding the template of
  django.views.static.directory_index() (:ticket:28122).

• Fixed a regression in formset min_num validation with unchanged forms
  that have initial data (:ticket:28130).

• Prepared for cx_Oracle 6.0 support (:ticket:28138).

• Updated the contrib.postgres SplitArrayWidget to use template-based
  widget rendering (:ticket:28040).

• Fixed crash in BaseGeometryWidget.get_context() when overriding existing
  attrs (:ticket:28105).

• Prevented AddIndex and RemoveIndex from mutating model state
  (:ticket:28043).

• Prevented migrations from dropping database indexes from Meta.indexes
  when changing Field.db_index to False (:ticket:28052).

• Fixed a regression in choice ordering in form fields with grouped and
  non-grouped options (:ticket:28157).

• Fixed crash in BaseInlineFormSet._construct_form() when using
  save_as_new (:ticket:28159).

• Fixed a regression where Model._state.db wasn't set correctly on
  multi-table inheritance parent models after saving a child model
  (:ticket:28166).

• Corrected the return type of ArrayField(CITextField()) values retrieved
  from the database (:ticket:28161).

• Fixed QuerySet.prefetch_related() crash when fetching relations in nested
  Prefetch objects (:ticket:27554).

• Prevented hiding GDAL errors if it's not installed when using contrib.gis
  (:ticket:28160). (It's a required dependency as of Django 1.11.)

• Fixed a regression causing __in lookups on a foreign key to fail when
  using the foreign key's parent model as the lookup value (:ticket:28175).

=========================

1.11

=========================

April 4, 2017

Welcome to Django 1.11!

These release notes cover the :ref:new features <whats-new-1.11>, as well as
some :ref:backwards incompatible changes <backwards-incompatible-1.11> you'll
want to be aware of when upgrading from Django 1.10 or older versions. We've
:ref:begun the deprecation process for some features <deprecated-features-1.11>.

See the :doc:/howto/upgrade-version guide if you're updating an existing
project.

Django 1.11 is designated as a :term:long-term support release. It will
receive security updates for at least three years after its release. Support
for the previous LTS, Django 1.8, will end in April 2018.

Python compatibility

Django 1.11 requires Python 2.7, 3.4, 3.5, or 3.6. Django 1.11 is the first
release to support Python 3.6. We highly recommend and only officially
support the latest release of each series.

The Django 1.11.x series is the last to support Python 2. The next major
release, Django 2.0, will only support Python 3.5+.

Deprecating warnings are no longer loud by default

Unlike older versions of Django, Django's own deprecation warnings are no
longer displayed by default. This is consistent with Python's default behavior.

This change allows third-party apps to support both Django 1.11 LTS and Django
1.8 LTS without having to add code to avoid deprecation warnings.

Following the release of Django 2.0, we suggest that third-party app authors
drop support for all versions of Django prior to 1.11. At that time, you should
be able run your package's tests using python -Wd so that deprecation
warnings do appear. After making the deprecation warning fixes, your app should
be compatible with Django 2.0.

.. _whats-new-1.11:

What's new in Django 1.11

Class-based model indexes

The new :mod:django.db.models.indexes module contains classes which ease
creating database indexes. Indexes are added to models using the
:attr:Meta.indexes <django.db.models.Options.indexes> option.

The :class:~django.db.models.Index class creates a b-tree index, as if you
used :attr:~django.db.models.Field.db_index on the model field or
:attr:~django.db.models.Options.index_together on the model Meta class.
It can be subclassed to support different index types, such as
:class:~django.contrib.postgres.indexes.GinIndex. It also allows defining the
order (ASC/DESC) for the columns of the index.

Template-based widget rendering

To ease customizing widgets, form widget rendering is now done using the
template system rather than in Python. See :doc:/ref/forms/renderers.

You may need to adjust any custom widgets that you've written for a few
:ref:backwards incompatible changes <template-widget-incompatibilities-1-11>.

Subquery expressions

The new :class:~django.db.models.Subquery and
:class:~django.db.models.Exists database expressions allow creating
explicit subqueries. Subqueries may refer to fields from the outer queryset
using the :class:~django.db.models.OuterRef class.

Minor features

:mod:django.contrib.admin

• :attr:.ModelAdmin.date_hierarchy can now reference fields across relations.

• The new :meth:ModelAdmin.get_exclude() <django.contrib.admin.ModelAdmin.get_exclude> hook allows specifying the
  exclude fields based on the request or model instance.

• The popup_response.html template can now be overridden per app, per
  model, or by setting the :attr:.ModelAdmin.popup_response_template
  attribute.

:mod:django.contrib.auth

• The default iteration count for the PBKDF2 password hasher is increased by
  20%.

• The :class:~django.contrib.auth.views.LoginView and
  :class:~django.contrib.auth.views.LogoutView class-based views supersede the
  deprecated login() and logout() function-based views.

• The :class:~django.contrib.auth.views.PasswordChangeView,
  :class:~django.contrib.auth.views.PasswordChangeDoneView,
  :class:~django.contrib.auth.views.PasswordResetView,
  :class:~django.contrib.auth.views.PasswordResetDoneView,
  :class:~django.contrib.auth.views.PasswordResetConfirmView, and
  :class:~django.contrib.auth.views.PasswordResetCompleteView class-based
  views supersede the deprecated password_change(),
  password_change_done(), password_reset(), password_reset_done(),
  password_reset_confirm(), and password_reset_complete() function-based
  views.

• The new post_reset_login attribute for
  :class:~django.contrib.auth.views.PasswordResetConfirmView allows
  automatically logging in a user after a successful password reset.
  If you have multiple AUTHENTICATION_BACKENDS configured, use the
  post_reset_login_backend attribute to choose which one to use.

• To avoid the possibility of leaking a password reset token via the HTTP
  Referer header (for example, if the reset page includes a reference to CSS or
  JavaScript hosted on another domain), the
  :class:~django.contrib.auth.views.PasswordResetConfirmView (but not the
  deprecated password_reset_confirm() function-based view) stores the token
  in a session and redirects to itself to present the password change form to
  the user without the token in the URL.

• :func:~django.contrib.auth.update_session_auth_hash now rotates the session
  key to allow a password change to invalidate stolen session cookies.

• The new success_url_allowed_hosts attribute for
  :class:~django.contrib.auth.views.LoginView and
  :class:~django.contrib.auth.views.LogoutView allows specifying a set of
  hosts that are safe for redirecting after login and logout.

• Added password validators help_text to
  :class:~django.contrib.auth.forms.UserCreationForm.

• The HttpRequest is now passed to :func:~django.contrib.auth.authenticate
  which in turn passes it to the authentication backend if it accepts a
  request argument.

• The :func:~django.contrib.auth.signals.user_login_failed signal now
  receives a request argument.

• :class:~django.contrib.auth.forms.PasswordResetForm supports custom user
  models that use an email field named something other than 'email'.
  Set :attr:CustomUser.EMAIL_FIELD <django.contrib.auth.models.CustomUser.EMAIL_FIELD> to the name of the field.

• :func:~django.contrib.auth.get_user_model can now be called at import time,
  even in modules that define models.

:mod:django.contrib.contenttypes

• When stale content types are detected in the
  :djadmin:remove_stale_contenttypes command, there's now a list of related
  objects such as auth.Permission\s that will also be deleted. Previously,
  only the content types were listed (and this prompt was after migrate
  rather than in a separate command).

:mod:django.contrib.gis

• The new :meth:.GEOSGeometry.from_gml and :meth:.OGRGeometry.from_gml
  methods allow creating geometries from GML.

• Added support for the :lookup:dwithin lookup on SpatiaLite.

• The :class:~django.contrib.gis.db.models.functions.Area function,
  :class:~django.contrib.gis.db.models.functions.Distance function, and
  distance lookups now work with geodetic coordinates on SpatiaLite.

• The OpenLayers-based form widgets now use OpenLayers.js from
  https://cdnjs.cloudflare.com which is more suitable for production use
  than the the old http://openlayers.org source. They are also updated to
  use OpenLayers 3.

• PostGIS migrations can now change field dimensions.

• Added the ability to pass the size, shape, and offset parameter when
  creating :class:~django.contrib.gis.gdal.GDALRaster objects.

• Added SpatiaLite support for the
  :class:~django.contrib.gis.db.models.functions.IsValid function,
  :class:~django.contrib.gis.db.models.functions.MakeValid function, and
  :lookup:isvalid lookup.

• Added Oracle support for the
  :class:~django.contrib.gis.db.models.functions.AsGML function,
  :class:~django.contrib.gis.db.models.functions.BoundingCircle function,
  :class:~django.contrib.gis.db.models.functions.IsValid function, and
  :lookup:isvalid lookup.

:mod:django.contrib.postgres

• The new distinct argument for
  :class:~django.contrib.postgres.aggregates.StringAgg determines if
  concatenated values will be distinct.

• The new :class:~django.contrib.postgres.indexes.GinIndex and
  :class:~django.contrib.postgres.indexes.BrinIndex classes allow
  creating GIN and BRIN indexes in the database.

• :class:~django.contrib.postgres.fields.JSONField accepts a new encoder
  parameter to specify a custom class to encode data types not supported by the
  standard encoder.

• The new :class:~django.contrib.postgres.fields.CIText mixin and
  :class:~django.contrib.postgres.operations.CITextExtension migration
  operation allow using PostgreSQL's citext extension for case-insensitive
  lookups. Three fields are provided: :class:.CICharField,
  :class:.CIEmailField, and :class:.CITextField.

• The new :class:~django.contrib.postgres.aggregates.JSONBAgg allows
  aggregating values as a JSON array.

• The :class:~django.contrib.postgres.fields.HStoreField (model field) and
  :class:~django.contrib.postgres.forms.HStoreField (form field) allow
  storing null values.

Cache

• Memcached backends now pass the contents of :setting:OPTIONS <CACHES-OPTIONS>
  as keyword arguments to the client constructors, allowing for more advanced
  control of client behavior. See the :ref:cache arguments <cache_arguments>
  documentation for examples.

• Memcached backends now allow defining multiple servers as a comma-delimited
  string in :setting:LOCATION <CACHES-LOCATION>, for convenience with
  third-party services that use such strings in environment variables.

CSRF

• Added the :setting:CSRF_USE_SESSIONS setting to allow storing the CSRF
  token in the user's session rather than in a cookie.

Database backends

• Added the skip_locked argument to :meth:.QuerySet.select_for_update()
  on PostgreSQL 9.5+ and Oracle to execute queries with
  FOR UPDATE SKIP LOCKED.

• Added the :setting:TEST['TEMPLATE'] <TEST_TEMPLATE> setting to let
  PostgreSQL users specify a template for creating the test database.

• :meth:.QuerySet.iterator() now uses :ref:server-side cursors <psycopg2:server-side-cursors> on PostgreSQL. This feature transfers some of
  the worker memory load (used to hold query results) to the database and might
  increase database memory usage.

• Added MySQL support for the 'isolation_level' option in
  :setting:OPTIONS to allow specifying the :ref:transaction isolation level <mysql-isolation-level>. To avoid possible data loss, it's recommended to
  switch from MySQL's default level, repeatable read, to read committed.

• Added support for cx_Oracle 5.3.

Email

• Added the :setting:EMAIL_USE_LOCALTIME setting to allow sending SMTP date
  headers in the local time zone rather than in UTC.

• EmailMessage.attach() and attach_file() now fall back to MIME type
  application/octet-stream when binary content that can't be decoded as
  UTF-8 is specified for a text/* attachment.

File Storage

• To make it wrappable by :class:io.TextIOWrapper,
  :class:~django.core.files.File now has the readable(), writable(),
  and seekable() methods.

Forms

• The new :attr:CharField.empty_value <django.forms.CharField.empty_value>
  attribute allows specifying the Python value to use to represent "empty".

• The new :meth:Form.get_initial_for_field() <django.forms.Form.get_initial_for_field> method returns initial data for a
  form field.

Internationalization

• Number formatting and the :setting:NUMBER_GROUPING setting support
  non-uniform digit grouping.

Management Commands

• The new :option:loaddata --exclude option allows excluding models and apps
  while loading data from fixtures.

• The new :option:diffsettings --default option allows specifying a settings
  module other than Django's default settings to compare against.

• app_label\s arguments now limit the :option:showmigrations --plan
  output.

Migrations

• Added support for serialization of uuid.UUID objects.

Models

• Added support for callable values in the defaults argument of
  :meth:QuerySet.update_or_create() <django.db.models.query.QuerySet.update_or_create> and
  :meth:~django.db.models.query.QuerySet.get_or_create.

• :class:~django.db.models.ImageField now has a default
  :data:~django.core.validators.validate_image_file_extension validator.
  (This validator moved to the form field in :doc:Django 1.11.2 <1.11.2>.)

• Added support for time truncation to
  :class:~django.db.models.functions.datetime.Trunc functions.

• Added the :class:~django.db.models.functions.datetime.ExtractWeek function
  to extract the week from :class:~django.db.models.DateField and
  :class:~django.db.models.DateTimeField and exposed it through the
  :lookup:week lookup.

• Added the :class:~django.db.models.functions.datetime.TruncTime function
  to truncate :class:~django.db.models.DateTimeField to its time component
  and exposed it through the :lookup:time lookup.

• Added support for expressions in :meth:.QuerySet.values and
  :meth:~.QuerySet.values_list.

• Added support for query expressions on lookups that take multiple arguments,
  such as range.

• You can now use the unique=True option with
  :class:~django.db.models.FileField.

• Added the nulls_first and nulls_last parameters to
  :class:Expression.asc() <django.db.models.Expression.asc> and
  :meth:~django.db.models.Expression.desc to control
  the ordering of null values.

• The new F expression bitleftshift() and bitrightshift() methods
  allow :ref:bitwise shift operations <using-f-expressions-in-filters>.

• Added :meth:.QuerySet.union, :meth:~.QuerySet.intersection, and
  :meth:~.QuerySet.difference.

Requests and Responses

• Added :meth:QueryDict.fromkeys() <django.http.QueryDict.fromkeys>.

• :class:~django.middleware.common.CommonMiddleware now sets the
  Content-Length response header for non-streaming responses.

• Added the :setting:SECURE_HSTS_PRELOAD setting to allow appending the
  preload directive to the Strict-Transport-Security header.

• :class:~django.middleware.http.ConditionalGetMiddleware now adds the
  ETag header to responses.

Serialization

• The new django.core.serializers.base.Serializer.stream_class attribute
  allows subclasses to customize the default stream.

• The encoder used by the :ref:JSON serializer <serialization-formats-json>
  can now be customized by passing a cls keyword argument to the
  serializers.serialize() function.

• :class:~django.core.serializers.json.DjangoJSONEncoder now serializes
  :class:~datetime.timedelta objects (used by
  :class:~django.db.models.DurationField).

Templates

• :meth:~django.utils.safestring.mark_safe can now be used as a decorator.

• The :class:~django.template.backends.jinja2.Jinja2 template backend now
  supports context processors by setting the 'context_processors' option in
  :setting:OPTIONS <TEMPLATES-OPTIONS>.

• The :ttag:regroup tag now returns namedtuple\s instead of dictionaries
  so you can unpack the group object directly in a loop, e.g.
  {% for grouper, list in regrouped %}.

• Added a :ttag:resetcycle template tag to allow resetting the sequence of
  the :ttag:cycle template tag.

• You can now specify specific directories for a particular
  :class:filesystem.Loader <django.template.loaders.filesystem.Loader>.

Tests

• Added :meth:.DiscoverRunner.get_test_runner_kwargs to allow customizing the
  keyword arguments passed to the test runner.

• Added the :option:test --debug-mode option to help troubleshoot test
  failures by setting the :setting:DEBUG setting to True.

• The new :func:django.test.utils.setup_databases (moved from
  django.test.runner) and :func:~django.test.utils.teardown_databases
  functions make it easier to build custom test runners.

• Added support for :meth:python:unittest.TestCase.subTest’s when using the
  :option:test --parallel option.

• DiscoverRunner now runs the system checks at the start of a test run.
  Override the :meth:.DiscoverRunner.run_checks method if you want to disable
  that.

Validators

• Added :class:~django.core.validators.FileExtensionValidator to validate
  file extensions and
  :data:~django.core.validators.validate_image_file_extension to validate
  image files.

.. _backwards-incompatible-1.11:

Backwards incompatible changes in 1.11

:mod:django.contrib.gis

• To simplify the codebase and because it's easier to install than when
  contrib.gis was first released, :ref:gdalbuild is now a required
  dependency for GeoDjango. In older versions, it's only required for SQLite.

• contrib.gis.maps is removed as it interfaces with a retired version of
  the Google Maps API and seems to be unmaintained. If you're using it, let us know <https://code.djangoproject.com/ticket/14284>_.

• The GEOSGeometry equality operator now also compares SRID.

• The OpenLayers-based form widgets now use OpenLayers 3, and the
  gis/openlayers.html and gis/openlayers-osm.html templates have been
  updated. Check your project if you subclass these widgets or extend the
  templates. Also, the new widgets work a bit differently than the old ones.
  Instead of using a toolbar in the widget, you click to draw, click and drag
  to move the map, and click and drag a point/vertex/corner to move it.

• Support for SpatiaLite < 4.0 is dropped.

• Support for GDAL 1.7 and 1.8 is dropped.

• The widgets in contrib.gis.forms.widgets and the admin's
  OpenLayersWidget use the :doc:form rendering API </ref/forms/renderers>
  rather than loader.render_to_string(). If you're using a custom widget
  template, you'll need to be sure your form renderer can locate it. For
  example, you could use the :class:~django.forms.renderers.TemplatesSetting
  renderer.

:mod:django.contrib.staticfiles

• collectstatic may now fail during post-processing when using a hashed
  static files storage if a reference loop exists (e.g. 'foo.css'
  references 'bar.css' which itself references 'foo.css') or if the
  chain of files referencing other files is too deep to resolve in several
  passes. In the latter case, increase the number of passes using
  :attr:.ManifestStaticFilesStorage.max_post_process_passes.

• When using ManifestStaticFilesStorage, static files not found in the
  manifest at runtime now raise a ValueError instead of returning an
  unchanged path. You can revert to the old behavior by setting
  :attr:.ManifestStaticFilesStorage.manifest_strict to False.

Database backend API

• The DatabaseOperations.time_trunc_sql() method is added to support
  TimeField truncation. It accepts a lookup_type and field_name
  arguments and returns the appropriate SQL to truncate the given time field
  field_name to a time object with only the given specificity. The
  lookup_type argument can be either 'hour', 'minute', or
  'second'.

• The DatabaseOperations.datetime_cast_time_sql() method is added to
  support the :lookup:time lookup. It accepts a field_name and tzname
  arguments and returns the SQL necessary to cast a datetime value to time value.

• To enable FOR UPDATE SKIP LOCKED support, set
  DatabaseFeatures.has_select_for_update_skip_locked = True.

• The new DatabaseFeatures.supports_index_column_ordering attribute
  specifies if a database allows defining ordering for columns in indexes. The
  default value is True and the DatabaseIntrospection.get_constraints()
  method should include an 'orders' key in each of the returned
  dictionaries with a list of 'ASC' and/or 'DESC' values corresponding
  to the the ordering of each column in the index.

• :djadmin:inspectdb no longer calls DatabaseIntrospection.get_indexes()
  which is deprecated. Custom database backends should ensure all types of
  indexes are returned by DatabaseIntrospection.get_constraints().

• Renamed the ignores_quoted_identifier_case feature to
  ignores_table_name_case to more accurately reflect how it is used.

• The name keyword argument is added to the
  DatabaseWrapper.create_cursor(self, name=None) method to allow usage of
  server-side cursors on backends that support it.

Dropped support for PostgreSQL 9.2 and PostGIS 2.0

Upstream support for PostgreSQL 9.2 ends in September 2017. As a consequence,
Django 1.11 sets PostgreSQL 9.3 as the minimum version it officially supports.

Support for PostGIS 2.0 is also removed as PostgreSQL 9.2 is the last version
to support it.

Also, the minimum supported version of psycopg2 is increased from 2.4.5 to
2.5.4.

.. _liveservertestcase-port-zero-change:

LiveServerTestCase binds to port zero

Rather than taking a port range and iterating to find a free port,
LiveServerTestCase binds to port zero and relies on the operating system
to assign a free port. The DJANGO_LIVE_TEST_SERVER_ADDRESS environment
variable is no longer used, and as it's also no longer used, the
manage.py test --liveserver option is removed.

If you need to bind LiveServerTestCase to a specific port, use the port
attribute added in Django 1.11.2.

Protection against insecure redirects in :mod:django.contrib.auth and i18n views

LoginView, LogoutView (and the deprecated function-based equivalents),
and :func:~django.views.i18n.set_language protect users from being redirected
to non-HTTPS next URLs when the app is running over HTTPS.

QuerySet.get_or_create() and update_or_create() validate arguments

To prevent typos from passing silently,
:meth:~django.db.models.query.QuerySet.get_or_create and
:meth:~django.db.models.query.QuerySet.update_or_create check that their
arguments are model fields. This should be backwards-incompatible only in the
fact that it might expose a bug in your project.

pytz is a required dependency and support for settings.TIME_ZONE = None is removed

To simplify Django's timezone handling, pytz is now a required dependency.
It's automatically installed along with Django.

Support for settings.TIME_ZONE = None is removed as the behavior isn't
commonly used and is questionably useful. If you want to automatically detect
the timezone based on the system timezone, you can use tzlocal <https://pypi.python.org/pypi/tzlocal>_::

from tzlocal import get_localzone

TIME_ZONE = get_localzone().zone

This works similar to settings.TIME_ZONE = None except that it also sets
os.environ['TZ']. Let us know <https://groups.google.com/d/topic/django-developers/OAV3FChfuPM/discussion>__
if there's a use case where you find you can't adapt your code to set a
TIME_ZONE.

HTML changes in admin templates

<p class="help"> is replaced with a <div> tag to allow including lists
inside help text.

Read-only fields are wrapped in <div class="readonly">...</div> instead of
<p>...</p> to allow any kind of HTML as the field's content.

.. _template-widget-incompatibilities-1-11:

Changes due to the introduction of template-based widget rendering

Some undocumented classes in django.forms.widgets are removed:

• SubWidget
• RendererMixin, ChoiceFieldRenderer, RadioFieldRenderer,
  CheckboxFieldRenderer
• ChoiceInput, RadioChoiceInput, CheckboxChoiceInput

The Widget.format_output() method is removed. Use a custom widget template
instead.

Some widget values, such as <select> options, are now localized if
settings.USE_L10N=True. You could revert to the old behavior with custom
widget templates that uses the :ttag:localize template tag to turn off
localization.

django.template.backends.django.Template.render() prohibits non-dict context

For compatibility with multiple template engines,
django.template.backends.django.Template.render() (returned from high-level
template loader APIs such as loader.get_template()) must receive a
dictionary of context rather than Context or RequestContext. If you
were passing either of the two classes, pass a dictionary instead -- doing so
is backwards-compatible with older versions of Django.

Model state changes in migration operations

To improve the speed of applying migrations, rendering of related models is
delayed until an operation that needs them (e.g. RunPython). If you have a
custom operation that works with model classes or model instances from the
from_state argument in database_forwards() or database_backwards(),
you must render model states using the clear_delayed_apps_cache() method as
described in :ref:writing your own migration operation <writing-your-own-migration-operation>.

Miscellaneous

• If no items in the feed have a pubdate or updateddate attribute,
  :meth:SyndicationFeed.latest_post_date() <django.utils.feedgenerator.SyndicationFeed.latest_post_date> now returns
  the current UTC date/time, instead of a datetime without any timezone
  information.

• CSRF failures are logged to the django.security.csrf logger instead of
  django.request.

• :setting:ALLOWED_HOSTS validation is no longer disabled when running tests.
  If your application includes tests with custom host names, you must include
  those host names in :setting:ALLOWED_HOSTS. See
  :ref:topics-testing-advanced-multiple-hosts.

• Using a foreign key's id (e.g. 'field_id') in ModelAdmin.list_display
  displays the related object's ID. Remove the _id suffix if you want the
  old behavior of the string representation of the object.

• In model forms, :class:~django.db.models.CharField with null=True now
  saves NULL for blank values instead of empty strings.

• On Oracle, :meth:Model.validate_unique() <django.db.models.Model.validate_unique> no longer checks empty strings for
  uniqueness as the database interprets the value as NULL.

• If you subclass :class:.AbstractUser and override clean(), be sure it
  calls super(). :meth:.BaseUserManager.normalize_email is called in a
  new :meth:.AbstractUser.clean method so that normalization is applied in
  cases like model form validation.

• EmailField and URLField no longer accept the strip keyword
  argument. Remove it because it doesn't have an effect in older versions of
  Django as these fields always strip whitespace.

• The checked and selected attribute rendered by form widgets now uses
  HTML5 boolean syntax rather than XHTML's checked='checked' and
  selected='selected'.

• :meth:RelatedManager.add() <django.db.models.fields.related.RelatedManager.add>,
  :meth:~django.db.models.fields.related.RelatedManager.remove,
  :meth:~django.db.models.fields.related.RelatedManager.clear, and
  :meth:~django.db.models.fields.related.RelatedManager.set now
  clear the prefetch_related() cache.

• To prevent possible loss of saved settings,
  :func:~django.test.utils.setup_test_environment now raises an exception if
  called a second time before calling
  :func:~django.test.utils.teardown_test_environment.

• The undocumented DateTimeAwareJSONEncoder alias for
  :class:~django.core.serializers.json.DjangoJSONEncoder (renamed in Django
  1.0) is removed.

• The :class:cached template loader <django.template.loaders.cached.Loader>
  is now enabled if :setting:DEBUG is False and
  :setting:OPTIONS['loaders'] <TEMPLATES-OPTIONS> isn't specified. This could
  be backwards-incompatible if you have some :ref:template tags that aren't thread safe <template_tag_thread_safety>.

• The prompt for stale content type deletion no longer occurs after running the
  migrate command. Use the new :djadmin:remove_stale_contenttypes command
  instead.

• The admin's widget for IntegerField uses type="number" rather than
  type="text".

• Conditional HTTP headers are now parsed and compared according to the
  :rfc:7232 Conditional Requests specification rather than the older
  :rfc:2616.

• :func:~django.utils.cache.patch_response_headers no longer adds a
  Last-Modified header. According to the :rfc:7234section-4.2.2, this
  header is useless alongside other caching headers that provide an explicit
  expiration time, e.g. Expires or Cache-Control.
  :class:~django.middleware.cache.UpdateCacheMiddleware and
  :func:~django.utils.cache.add_never_cache_headers call
  patch_response_headers() and therefore are also affected by this change.

• In the admin templates, <p class="help"> is replaced with a <div> tag
  to allow including lists inside help text.

• :class:~django.middleware.http.ConditionalGetMiddleware no longer sets the
  Date header as Web servers set that header. It also no longer sets the
  Content-Length header as this is now done by
  :class:~django.middleware.common.CommonMiddleware.

• :meth:~django.apps.AppConfig.get_model and
  :meth:~django.apps.AppConfig.get_models now raise
  :exc:~django.core.exceptions.AppRegistryNotReady if they're called before
  models of all applications have been loaded. Previously they only required
  the target application's models to be loaded and thus could return models
  without all their relations set up. If you need the old behavior of
  get_model(), set the require_ready argument to False.

• The unused BaseCommand.can_import_settings attribute is removed.

• The undocumented django.utils.functional.lazy_property is removed.

• For consistency with non-multipart requests, MultiPartParser.parse() now
  leaves request.POST immutable. If you're modifying that QueryDict,
  you must now first copy it, e.g. request.POST.copy().

• Support for cx_Oracle < 5.2 is removed.

• Support for IPython < 1.0 is removed from the shell command.

• The signature of private API Widget.build_attrs() changed from
  extra_attrs=None, **kwargs to base_attrs, extra_attrs=None.

• File-like objects (e.g., :class:~io.StringIO and :class:~io.BytesIO)
  uploaded to an :class:~django.db.models.ImageField using the test client
  now require a name attribute with a value that passes the
  :data:~django.core.validators.validate_image_file_extension validator.
  See the note in :meth:.Client.post.

.. _deprecated-features-1.11:

Features deprecated in 1.11

models.permalink() decorator

Use :func:django.urls.reverse instead. For example::

from django.db import models

class MyModel(models.Model):
...

   models.permalink
   def url(self):
       return ('guitarist_detail', [self.slug])

becomes::

from django.db import models
from django.urls import reverse

class MyModel(models.Model):
...

   def url(self):
       return reverse('guitarist_detail', args=[self.slug])

Miscellaneous

• contrib.auth’s login() and logout() function-based views are
  deprecated in favor of new class-based views
  :class:~django.contrib.auth.views.LoginView and
  :class:~django.contrib.auth.views.LogoutView.

• The unused extra_context parameter of
  contrib.auth.views.logout_then_login() is deprecated.

• contrib.auth’s password_change(), password_change_done(),
  password_reset(), password_reset_done(), password_reset_confirm(),
  and password_reset_complete() function-based views are deprecated in favor
  of new class-based views
  :class:~django.contrib.auth.views.PasswordChangeView,
  :class:~django.contrib.auth.views.PasswordChangeDoneView,
  :class:~django.contrib.auth.views.PasswordResetView,
  :class:~django.contrib.auth.views.PasswordResetDoneView,
  :class:~django.contrib.auth.views.PasswordResetConfirmView, and
  :class:~django.contrib.auth.views.PasswordResetCompleteView.

• django.test.runner.setup_databases() is moved to
  :func:django.test.utils.setup_databases. The old location is deprecated.

• django.utils.translation.string_concat() is deprecated in
  favor of :func:django.utils.text.format_lazy. string_concat(*strings)
  can be replaced by format_lazy('{}' * len(strings), *strings).

• For the PyLibMCCache cache backend, passing pylibmc behavior settings
  as top-level attributes of OPTIONS is deprecated. Set them under a
  behaviors key within OPTIONS instead.

• The host parameter of django.utils.http.is_safe_url() is deprecated
  in favor of the new allowed_hosts parameter.

• Silencing exceptions raised while rendering the
  :ttag:{% include %} <include> template tag is deprecated as the behavior is
  often more confusing than helpful. In Django 2.1, the exception will be
  raised.

• DatabaseIntrospection.get_indexes() is deprecated in favor of
  DatabaseIntrospection.get_constraints().

• :func:~django.contrib.auth.authenticate now passes a request argument
  to the authenticate() method of authentication backends. Support for
  methods that don't accept request as the first positional argument will
  be removed in Django 2.1.

• The USE_ETAGS setting is deprecated in favor of
  :class:~django.middleware.http.ConditionalGetMiddleware which now adds the
  ETag header to responses regardless of the setting. CommonMiddleware
  and django.utils.cache.patch_response_headers() will no longer set ETags
  when the deprecation ends.

• Model._meta.has_auto_field is deprecated in favor of checking if
  Model._meta.auto_field is not None.

• Using regular expression groups with iLmsu in url() is deprecated.
  The only group that's useful is (?i) for case-insensitive URLs, however,
  case-insensitive URLs aren't a good practice because they create multiple
  entries for search engines, for example. An alternative solution could be to
  create a :data:~django.conf.urls.handler404 that looks for uppercase
  characters in the URL and redirects to a lowercase equivalent.

• The renderer argument is added to the :meth:Widget.render() <django.forms.Widget.render> method. Methods that don't accept that argument
  will work through a deprecation period.

===========================

1.10.7

===========================

April 4, 2017

Django 1.10.7 fixes two security issues and a bug in 1.10.6.

CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs

Django relies on user input in some cases (e.g.
:func:django.contrib.auth.views.login and :doc:i18n </topics/i18n/index>)
to redirect the user to an "on success" URL. The security check for these
redirects (namely django.utils.http.is_safe_url()) considered some numeric
URLs (e.g. http:999999999) "safe" when they shouldn't be.

Also, if a developer relies on is_safe_url() to provide safe redirect
targets and puts such a URL into a link, they could suffer from an XSS attack.

CVE-2017-7234: Open redirect vulnerability in django.views.static.serve()

A maliciously crafted URL to a Django site using the
:func:~django.views.static.serve view could redirect to any other domain. The
view no longer does any redirects as they don't provide any known, useful
functionality.

Note, however, that this view has always carried a warning that it is not
hardened for production use and should be used only as a development aid.

Bugfixes

• Made admin's RelatedFieldWidgetWrapper use the wrapped widget's
  value_omitted_from_data() method (:ticket:27905).

• Fixed model form default fallback for SelectMultiple
  (:ticket:27993).

===========================

1.10.6

===========================

March 1, 2017

Django 1.10.6 fixes several bugs in 1.10.5.

Bugfixes

• Fixed ClearableFileInput’s "Clear" checkbox on model form fields where
  the model field has a default (:ticket:27805).

• Fixed RequestDataTooBig and TooManyFieldsSent exceptions crashing
  rather than generating a bad request response (:ticket:27820).

• Fixed a crash on Oracle and PostgreSQL when subtracting DurationField
  or IntegerField from DateField (:ticket:27828).

• Fixed query expression date subtraction accuracy on PostgreSQL for
  differences larger than a month (:ticket:27856).

• Fixed a GDALException raised by GDALClose on GDAL ≥ 2.0
  (:ticket:27479).

===========================

django-environ 0.4.1 -> 0.4.3

0.4.3

0.4.2

Bugged version, care to default Env.ENVIRON 117

django-model-utils 2.6.1 -> 3.0.0

3.0.0

---

• Drop support for Python 2.6.
• Drop support for Django 1.4, 1.5, 1.6, 1.7.
• Exclude tests from the distribution, fixes GH-258.
• Add support for Django 1.11 GH-269

django-grappelli 2.9.1 -> 2.10.1

2.10.1

---

• First release of Grappelli which is compatible with Django 1.11.

Pillow 4.1.0 -> 4.1.1

4.1.1

---

• Undef PySlice_GetIndicesEx, see https://bugs.python.org/issue29943 2493
  [cgohlke]

• Fix for file with DPI in EXIF but not metadata, and XResolution is an int rather than tuple 2484
  [hugovk]

• Docs: Removed broken download counter badge 2487
  [hugovk]

• Docs: Fixed rst syntax error 2477
  [thebjorn]

django-allauth 0.31.0 -> 0.32.0

0.32.0

---

Note worthy changes

• Improved AJAX support: the account management views (change/set password,
  manage e-mail addresses and social connections) now support AJAX GET requests.
  These views hand over all the required data for you to build your frontend
  application upon.

• New providers: Dwolla, Trello.

• Shopify: support for per-user access mode.

Backwards incompatible changes

• In previous versions, the views only responded with JSON responses when
  issuing AJAX requests of type POST. Now, the views also respond in JSON when
  m

[coveralls]

Coverage remained the same at 82.541% when pulling 7f852d1 on pyup-scheduled-update-07-01-2017 into 8a113b0 on master.