Django 4.0 release notes - UNDER DEVELOPMENT¶
Expected December 2021
Welcome to Django 4.0!
These release notes cover the new features, as well as some backwards incompatible changes you’ll want to be aware of when upgrading from Django 3.2 or earlier. We’ve begun the deprecation process for some features.
See the Upgrading Django to a newer version guide if you’re updating an existing project.
Python compatibility¶
Django 4.0 supports Python 3.8, 3.9, and 3.10. We highly recommend and only officially support the latest release of each series.
The Django 3.2.x series is the last to support Python 3.6 and 3.7.
What’s new in Django 4.0¶
Functional unique constraints¶
The new *expressions
positional argument of
UniqueConstraint()
enables
creating functional unique constraints on expressions and database functions.
For example:
from django.db import models
from django.db.models import UniqueConstraint
from django.db.models.functions import Lower
class MyModel(models.Model):
first_name = models.CharField(max_length=255)
last_name = models.CharField(max_length=255)
class Meta:
indexes = [
UniqueConstraint(
Lower('first_name'),
Lower('last_name').desc(),
name='first_last_name_unique',
),
]
Functional unique constraints are added to models using the
Meta.constraints
option.
Minor features¶
django.contrib.admin
¶
- The
admin/base.html
template now has a new blockheader
which contains the admin site header. - The new
ModelAdmin.get_formset_kwargs()
method allows customizing the keyword arguments passed to the constructor of a formset. - The navigation sidebar now has a quick filter toolbar.
django.contrib.admindocs
¶
- The admindocs now allows esoteric setups where
ROOT_URLCONF
is not a string. - The model section of the
admindocs
now shows cached properties.
django.contrib.auth
¶
- The default iteration count for the PBKDF2 password hasher is increased from 260,000 to 320,000.
- The new
LoginView.next_page
attribute andget_default_redirect_url()
method allow customizing the redirect after login.
django.contrib.gis
¶
- Added support for SpatiaLite 5.
django.contrib.postgres
¶
- The PostgreSQL backend now supports connecting by a service name. See PostgreSQL connection settings for more details.
django.contrib.staticfiles
¶
ManifestStaticFilesStorage
now replaces paths to JavaScript source map references with their hashed counterparts.
Cache¶
- …
CSRF¶
- CSRF protection now consults the
Origin
header, if present. To facilitate this, some changes to theCSRF_TRUSTED_ORIGINS
setting are required.
Decorators¶
- …
Email¶
- …
Error Reporting¶
- …
File Storage¶
- …
File Uploads¶
- …
Forms¶
ModelChoiceField
now includes the provided value in theparams
argument of a raisedValidationError
for theinvalid_choice
error message. This allows custom error messages to use the%(value)s
placeholder.
Generic Views¶
- …
Internationalization¶
- …
Logging¶
- …
Management Commands¶
- The
runserver
management command now supports the--skip-checks
option. - On PostgreSQL,
dbshell
now supports specifying a password file.
Migrations¶
- …
Models¶
- New
QuerySet.contains(obj)
method returns whether the queryset contains the given object. This tries to perform the query in the simplest and fastest way possible. - The new
precision
argument of theRound()
database function allows specifying the number of decimal places after rounding. QuerySet.bulk_create()
now sets the primary key on objects when using SQLite 3.35+.
Requests and Responses¶
- The
SecurityMiddleware
now adds the Cross-Origin Opener Policy header with a value of'same-origin'
to prevent cross-origin popups from sharing the same browsing context. You can prevent this header from being added by setting theSECURE_CROSS_ORIGIN_OPENER_POLICY
setting toNone
.
Security¶
- …
Serialization¶
- …
Signals¶
- The new
stdout
argument forpre_migrate()
andpost_migrate()
signals allows redirecting output to a stream-like object. It should be preferred oversys.stdout
andprint()
when emitting verbose output in order to allow proper capture when testing.
Templates¶
- …
Tests¶
- The new
serialized_aliases
argument ofdjango.test.utils.setup_databases()
determines whichDATABASES
aliases test databases should have their state serialized to allow usage of the serialized_rollback feature. - Django test runner now supports a
--buffer
option with parallel tests.
URLs¶
- …
Utilities¶
- …
Validators¶
- …
Backwards incompatible changes in 4.0¶
Database backend API¶
This section describes changes that may be needed in third-party database backends.
DatabaseOperations.year_lookup_bounds_for_date_field()
andyear_lookup_bounds_for_datetime_field()
methods now take the optionaliso_year
argument in order to support bounds for ISO-8601 week-numbering years.
django.contrib.gis
¶
- Support for PostGIS 2.3 is removed.
- Support for GDAL 2.0 and GEOS 3.5 is removed.
Dropped support for PostgreSQL 9.6¶
Upstream support for PostgreSQL 9.6 ends in November 2021. Django 4.0 supports PostgreSQL 10 and higher.
Dropped support for Oracle 12.2 and 18c¶
Upstream support for Oracle 12.2 ends in March 2022 and for Oracle 18c it ends in June 2021. Django 3.2 will be supported until April 2024. Django 4.0 officially supports Oracle 19c.
CSRF_TRUSTED_ORIGINS
changes¶
Format change¶
Values in the CSRF_TRUSTED_ORIGINS
setting must include the scheme
(e.g. 'http://'
or 'https://'
) instead of only the hostname.
Also, values that started with a dot, must now also include an asterisk before
the dot. For example, change '.example.com'
to 'https://*.example.com'
.
A system check detects any required changes.
Configuring it may now be required¶
As CSRF protection now consults the Origin
header, you may need to set
CSRF_TRUSTED_ORIGINS
, particularly if you allow requests from
subdomains by setting CSRF_COOKIE_DOMAIN
(or
SESSION_COOKIE_DOMAIN
if CSRF_USE_SESSIONS
is enabled) to
a value starting with a dot.
Miscellaneous¶
- Support for
cx_Oracle
< 7.0 is removed. - To allow serving a Django site on a subpath without changing the value of
STATIC_URL
, the leading slash is removed from that setting (now'static/'
) in the defaultstartproject
template. - The
AdminSite
method for the adminindex
view is no longer decorated withnever_cache
when accessed directly, rather than via the recommendedAdminSite.urls
property, orAdminSite.get_urls()
method. - Unsupported operations on a sliced queryset now raise
TypeError
instead ofAssertionError
. - The undocumented
django.test.runner.reorder_suite()
function is renamed toreorder_tests()
. It now accepts an iterable of tests rather than a test suite, and returns an iterator of tests. - Calling
FileSystemStorage.delete()
with an emptyname
now raisesValueError
instead ofAssertionError
. - Calling
EmailMultiAlternatives.attach_alternative()
orEmailMessage.attach()
with an invalidcontent
ormimetype
arguments now raiseValueError
instead ofAssertionError
. assertHTMLEqual()
no longer considers a non-boolean attribute without a value equal to an attribute with the same name and value.- Tests that fail to load, for example due to syntax errors, now always match
when using
test --tag
.
Features deprecated in 4.0¶
Miscellaneous¶
SERIALIZE
test setting is deprecated as it can be inferred from thedatabases
with the serialized_rollback option enabled.
Features removed in 4.0¶
These features have reached the end of their deprecation cycle and are removed in Django 4.0.
See Features deprecated in 3.0 for details on these changes, including how to remove usage of these features.
django.utils.http.urlquote()
,urlquote_plus()
,urlunquote()
, andurlunquote_plus()
are removed.django.utils.encoding.force_text()
andsmart_text()
are removed.django.utils.translation.ugettext()
,ugettext_lazy()
,ugettext_noop()
,ungettext()
, andungettext_lazy()
are removed.django.views.i18n.set_language()
doesn’t set the user language inrequest.session
(key_language
).alias=None
is required in the signature ofdjango.db.models.Expression.get_group_by_cols()
subclasses.django.utils.text.unescape_entities()
is removed.django.utils.http.is_safe_url()
is removed.
See Features deprecated in 3.1 for details on these changes, including how to remove usage of these features.
- The
PASSWORD_RESET_TIMEOUT_DAYS
setting is removed. - The
isnull
lookup no longer allows using non-boolean values as the right-hand side. - The
django.db.models.query_utils.InvalidQuery
exception class is removed. - The
django-admin.py
entry point is removed. - The
HttpRequest.is_ajax()
method is removed. - Support for the pre-Django 3.1 encoding format of cookies values used by
django.contrib.messages.storage.cookie.CookieStorage
is removed. - Support for the pre-Django 3.1 password reset tokens in the admin site (that use the SHA-1 hashing algorithm) is removed.
- Support for the pre-Django 3.1 encoding format of sessions is removed.
- Support for the pre-Django 3.1
django.core.signing.Signer
signatures (encoded with the SHA-1 algorithm) is removed. - Support for the pre-Django 3.1
django.core.signing.dumps()
signatures (encoded with the SHA-1 algorithm) indjango.core.signing.loads()
is removed. - Support for the pre-Django 3.1 user sessions (that use the SHA-1 algorithm) is removed.
- The
get_request
argument fordjango.utils.deprecation.MiddlewareMixin.__init__()
is required and doesn’t acceptNone
. - The
providing_args
argument fordjango.dispatch.Signal
is removed. - The
length
argument fordjango.utils.crypto.get_random_string()
is required. - The
list
message forModelMultipleChoiceField
is removed. - Support for passing raw column aliases to
QuerySet.order_by()
is removed. - The
NullBooleanField
model field is removed, except for support in historical migrations. django.conf.urls.url()
is removed.- The
django.contrib.postgres.fields.JSONField
model field is removed, except for support in historical migrations. django.contrib.postgres.fields.jsonb.KeyTransform
anddjango.contrib.postgres.fields.jsonb.KeyTextTransform
are removed.django.contrib.postgres.forms.JSONField
is removed.- The
{% ifequal %}
and{% ifnotequal %}
template tags are removed. - The
DEFAULT_HASHING_ALGORITHM
transitional setting is removed.