Django 3.0 release notes¶
December 2, 2019
Welcome to Django 3.0!
These release notes cover the new features, as well as some backwards incompatible changes you’ll want to be aware of when upgrading from Django 2.2 or earlier. We’ve dropped some features that have reached the end of their deprecation cycle, and we’ve begun the deprecation process for some features.
See the Upgrading Django to a newer version guide if you’re updating an existing project.
Django 3.0 supports Python 3.6, 3.7, and 3.8. We highly recommend and only officially support the latest release of each series.
The Django 2.2.x series is the last to support Python 3.5.
Third-party library support for older version of Django¶
Following the release of Django 3.0, we suggest that third-party app authors
drop support for all versions of Django prior to 2.2. At that time, you should
be able to run your package’s tests using
python -Wd so that deprecation
warnings appear. After making the deprecation warning fixes, your app should be
compatible with Django 3.0.
What’s new in Django 3.0¶
Django 3.0 begins our journey to making Django fully async-capable by providing support for running as an ASGI application.
This is in addition to our existing WSGI support. Django intends to support both for the foreseeable future. Async features will only be available to applications that run under ASGI, however.
There is no need to switch your applications over unless you want to start experimenting with asynchronous code, but we have documentation on deploying with ASGI if you want to learn more.
Note that as a side-effect of this change, Django is now aware of asynchronous
event loops and will block you calling code marked as “async unsafe” - such as
ORM operations - from an asynchronous context. If you were using Django from
async code before, this may trigger if you were doing it incorrectly. If you
SynchronousOnlyOperation error, then closely examine your code and
move any database operations to be in a synchronous child thread.
Exclusion constraints on PostgreSQL¶
Expressions that output
BooleanField may now be
used directly in
QuerySet filters, without having to first annotate and
then filter against the annotation.
Enumerations for model field choices¶
Custom enumeration types
are now available as a way to define
IntegerChoices types are provided for text and integer fields. The
Choices class allows defining a compatible enumeration for other concrete
data types. These custom enumeration types support human-readable labels that
can be translated and accessed via a property on the enumeration or its
members. See Enumeration types for more
details and examples.
- Added support for the
admin_order_fieldattribute on properties in
- The new
ModelAdmin.get_inlines()method allows specifying the inlines based on the request or model instance.
- Select2 library is upgraded from version 4.0.3 to 4.0.7.
- jQuery is upgraded from version 3.3.1 to 3.4.1.
- The new
PasswordResetConfirmViewallows specifying a token parameter displayed as a component of password reset URLs.
BaseBackendclass to ease customization of authentication backends.
get_user_permissions()method to mirror the existing
- Added HTML
autocompleteattribute to widgets of username, email, and password fields in
django.contrib.auth.formsfor better interaction with browser password managers.
createsuperusernow falls back to environment variables for password and required fields, when a corresponding command line argument isn’t provided in non-interactive mode.
- The new
UserManager.with_perm()method returns users that have the specified permission.
- The default iteration count for the PBKDF2 password hasher is increased from 150,000 to 180,000.
- Allowed MySQL spatial lookup functions to operate on real geometries. Previous support was limited to bounding boxes.
- Added the
GeometryDistancefunction, supported on PostGIS.
- Added support for the
GEOIP_PATHsetting now supports
GeoIP2class now accepts
- The new
get_session_cookie_age()method allows dynamically specifying the session cookie age.
- The new
Storage.get_alternative_name()method allows customizing the algorithm for generating filenames if a file with the uploaded name already exists.
- The new
compilemessages --ignoreoption allows ignoring specific directories when searching for
.pofiles to compile.
showmigrations --listnow shows the applied datetimes when
--verbosityis 2 and above.
- On PostgreSQL,
dbshellnow supports client-side TLS certificates.
OneToOneFieldwhen a foreign key has a unique or primary key constraint.
- The new
--skip-checksoption skips running system checks prior to running the command.
startproject --templateoptions now support templates stored in XZ archives (
.txz) and LZMA archives (
is_dstparameter of the
Truncdatabase functions determines the treatment of nonexistent and ambiguous datetimes.
COPY … TOstatements on PostgreSQL.
FilePathFieldnow accepts a callable for
Allowed symmetrical intermediate table for self-referential
SmallAutoFieldwhich acts much like an
AutoFieldexcept that it only allows values under a certain (database-dependent) limit. Values from
32767are safe in all databases supported by Django.
CheckConstraintis now supported on MySQL 8.0.16+.
django.db.backends.base.BaseDatabaseFeaturesallows optimization of
GROUP BYclauses to require only the selected models’ primary keys. By default, it’s supported only for managed models on PostgreSQL.
To enable the
GROUP BYprimary key-only optimization for unmanaged models, you have to subclass the PostgreSQL database engine, overriding the features class
allows_group_by_selected_pks_on_model()method as you require. See Subclassing the built-in database backends for an example.
Requests and Responses¶
X_FRAME_OPTIONSnow defaults to
'DENY'. In older versions, the
X_FRAME_OPTIONSsetting defaults to
'SAMEORIGIN'. If your site uses frames of itself, you will need to explicitly set
X_FRAME_OPTIONS = 'SAMEORIGIN'for them to continue working.
SECURE_CONTENT_TYPE_NOSNIFFsetting now defaults to
True. With the enabled
SecurityMiddlewaresets the X-Content-Type-Options: nosniff header on all responses that do not already have it.
SecurityMiddlewarecan now send the Referrer-Policy header.
- The new test
raise_request_exceptionallows controlling whether or not exceptions raised during the request should also be raised in the test. The value defaults to
Truefor backwards compatibility. If it is
Falseand an exception occurs, the test client will return a 500 response with the attribute
exc_info, a tuple providing information of the exception that occurred.
- Tests and test cases to run can be selected by test name pattern using the
- HTML comparison, as used by
assertHTMLEqual(), now treats text, character references, and entity references that refer to the same character as equivalent.
- Django test runner now supports headless mode for selenium tests on supported
browsers. Add the
--headlessoption to enable this mode.
- Django test runner now supports
--start-afteroptions to run tests starting from a specific top-level module.
- Django test runner now supports a
--pdboption to spawn a debugger at each error or failure.
Backwards incompatible changes in 3.0¶
Database backend API¶
This section describes changes that may be needed in third-party database backends.
- The second argument of
DatabaseIntrospection.get_geometry_type()is now the row description instead of the column name.
DatabaseIntrospection.get_field_type()may no longer return tuples.
- If the database can create foreign keys in the same SQL statement that adds a
SchemaEditor.sql_create_column_inline_fkwith the appropriate SQL; otherwise, set
DatabaseFeatures.can_create_inline_fk = False.
can_return_ids_from_bulk_insertare renamed to
- Database functions now handle
datetime.timezoneformats when created using
timezone(timedelta(hours=5)), which would output
'UTC+05:00'). Third-party backends should handle this format when preparing
- Entries for
SmallAutoFieldare added to
DatabaseOperations.integer_field_rangesto support the integer range validators on these field types. Third-party backends may need to customize the default entries.
DatabaseOperations.fetch_returned_insert_id()is replaced by
fetch_returned_insert_columns()which returns a list of values returned by the
INSERT … RETURNINGstatement, instead of a single value.
DatabaseOperations.return_insert_id()is replaced by
return_insert_columns()that accepts a
fieldsargument, which is an iterable of fields to be returned after insert. Usually this is only the auto-generated primary key.
- Admin’s model history change messages now prefers more readable field labels instead of field names.
- Support for PostGIS 2.1 is removed.
- Support for SpatiaLite 4.1 and 4.2 is removed.
- Support for GDAL 1.11 and GEOS 3.4 is removed.
Dropped support for PostgreSQL 9.4¶
Upstream support for PostgreSQL 9.4 ends in December 2019. Django 3.0 supports PostgreSQL 9.5 and higher.
Dropped support for Oracle 12.1¶
Upstream support for Oracle 12.1 ends in July 2021. Django 2.2 will be supported until April 2022. Django 3.0 officially supports Oracle 12.2 and 18c.
Removed private Python 2 compatibility APIs¶
While Python 2 support was removed in Django 2.0, some private APIs weren’t removed from Django so that third party apps could continue using them until the Python 2 end-of-life.
Since we expect apps to drop Python 2 compatibility when adding support for Django 3.0, we’re removing these APIs at this time.
django.test.utils.str_prefix()- Strings don’t have ‘u’ prefixes in Python 3.
django.utils.lru_cache.lru_cache()- Alias of
django.utils.decorators.available_attrs()- This function returns
django.utils.decorators.ContextDecorator- Alias of
django.utils._os.abspathu()- Alias of
npath()- These functions do nothing on Python 3.
django.utils.six- Remove usage of this vendored library or switch to six.
django.utils.encoding.python_2_unicode_compatible()- Alias of
functools.partialmethod. See 5b1c389603a353625ae1603.
django.utils.safestring.SafeBytes- Unused since Django 2.0.
New default value for the
In older versions, the
FILE_UPLOAD_PERMISSIONS setting defaults to
None. With the default
FILE_UPLOAD_HANDLERS, this results in
uploaded files having different permissions depending on their size and which
upload handler is used.
FILE_UPLOAD_PERMISSION now defaults to
0o644 to avoid this
New default values for security settings¶
To make Django projects more secure by default, some security settings now have more secure default values:
See the What’s New Security section above for more details on these changes.
ContentType.__str__()now includes the model’s
app_labelto disambiguate models with the same name in different apps.
- Because accessing the language in the session rather than in the cookie is
LocaleMiddlewareno longer looks for the user’s language in the session and
django.contrib.auth.logout()no longer preserves the session’s language after logout.
html.escape()to escape HTML. This converts
'instead of the previous equivalent decimal code
django-admin test -koption now works as the
unittest -koption rather than as a shortcut for
- Support for
pywatchman< 1.2.0 is removed.
urlencode()now encodes iterable values as they are when
doseq=False, rather than iterating them, bringing it into line with the standard library
intwordtemplate filter now translates
1.0as a singular phrase and all other numeric values as plural. This may be incorrect for some languages.
- Assigning a value to a model’s
'_id'attribute now unsets the corresponding field. Accessing the field afterwards will result in a query.
patch_vary_headers()now handles an asterisk
'*'according to RFC 7231#section-7.1.4, i.e. if a list of header field names contains an asterisk, then the
Varyheader will consist of a single asterisk
- On MySQL 8.0.16+,
PositiveSmallIntegerFieldnow include a check constraint to prevent negative values in the database.
alias=Noneis added to the signature of
- Support for
sqlparse< 0.2.2 is removed.
RegexPattern, used by
re_path(), no longer returns keyword arguments with
Nonevalues to be passed to the view for the optional named groups that are missing.
Features deprecated in 3.0¶
force_text() aliases (since Django 2.0) of
force_str() are deprecated. Ignore this deprecation if
your code supports Python 2 as the behavior of
force_str() is different there.
urlunquote_plus()are deprecated in favor of the functions that they’re aliases for:
ungettext_lazy()are deprecated in favor of the functions that they’re aliases for:
- To limit creation of sessions and hence favor some caching strategies,
django.views.i18n.set_language()will stop setting the user’s language in the session in Django 4.0. Since Django 2.1, the language is always stored in the
django.utils.text.unescape_entities()is deprecated in favor of
html.unescape(). Note that unlike
html.unescape()evaluates lazy strings immediately.
- To avoid possible confusion as to effective scope, the private internal
is_safe_url()is renamed to
url_has_allowed_host_and_scheme(). That a URL has an allowed host and scheme doesn’t in general imply that it’s “safe”. It may still be quoted incorrectly, for example. Ensure to also use
iri_to_uri()on the path component of untrusted URLs.
Features removed in 3.0¶
These features have reached the end of their deprecation cycle and are removed in Django 3.0.
See Features deprecated in 2.0 for details on these changes, including how to remove usage of these features.
django.db.backends.postgresql_psycopg2module is removed.
DEFAULT_CONTENT_TYPEsetting is removed.
- Support for the
field_namekeyword argument of
See Features deprecated in 2.1 for details on these changes, including how to remove usage of these features.
ForceRHRGIS function is removed.
admin_statictemplate tag libraries are removed.