+++++++++++ Python News +++++++++++ What's New in Python 3.13.12 final? =================================== *Release date: 2026-02-03* Windows ------- - gh-128067: Fix a bug in PyREPL on Windows where output without a trailing newline was overwritten by the next prompt. Tools/Demos ----------- - gh-142095: Make gdb 'py-bt' command use frame from thread local state when available. Patch by Sam Gross and Victor Stinner. Tests ----- - gh-144415: The Android testbed now distinguishes between stdout/stderr messages which were triggered by a newline, and those triggered by a manual call to ``flush``. This fixes logging of progress indicators and similar content. - gh-65784: Add support for parametrized resource ``wantobjects`` in regrtests, which allows to run Tkinter tests with the specified value of :data:`!tkinter.wantobjects`, for example ``-u wantobjects=0``. - gh-143553: Add support for parametrized resources, such as ``-u xpickle=2.7``. - gh-142836: Accommodated Solaris in ``test_pdb.test_script_target_anonymous_pipe``. - gh-129401: Fix a flaky test in ``test_repr_rlock`` that checks the representation of :class:`multiprocessing.RLock`. - bpo-31391: Forward-port test_xpickle from Python 2 to Python 3 and add the resource back to test's command line. Security -------- - gh-144125: :mod:`~email.generator.BytesGenerator` will now refuse to serialize (write) headers that are unsafely folded or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas Bloemsaat and Petr Viktorin in :gh:`121650`). - gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs. - gh-143925: Reject control characters in ``data:`` URL media types. - gh-143919: Reject control characters in :class:`http.cookies.Morsel` fields and values. - gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters. Library ------- - gh-144380: Improve performance of :class:`io.BufferedReader` line iteration by ~49%. - gh-144169: Fix three crashes when non-string keyword arguments are supplied to objects in the :mod:`ast` module. - gh-144100: Fixed a crash in ctypes when using a deprecated ``POINTER(str)`` type in ``argtypes``. Instead of aborting, ctypes now raises a proper Python exception when the pointer target type is unresolved. - gh-144050: Fix :func:`stat.filemode` in the pure-Python implementation to avoid misclassifying invalid mode values as block devices. - gh-144023: Fixed validation of file descriptor 0 in posix functions when used with follow_symlinks parameter. - gh-143999: Fix an issue where :func:`inspect.getgeneratorstate` and :func:`inspect.getcoroutinestate` could fail for generators wrapped by :func:`types.coroutine` in the suspended state. - gh-143706: Fix :mod:`multiprocessing` forkserver so that :data:`sys.argv` is correctly set before ``__main__`` is preloaded. Previously, :data:`sys.argv` was empty during main module import in forkserver child processes. This fixes a regression introduced in 3.13.8 and 3.14.1. Root caused by Aaron Wieczorek, test provided by Thomas Watson, thanks! - gh-143638: Forbid reentrant calls of the :class:`pickle.Pickler` and :class:`pickle.Unpickler` methods for the C implementation. Previously, this could cause crash or data corruption, now concurrent calls of methods of the same object raise :exc:`RuntimeError`. - gh-78724: Raise :exc:`RuntimeError`'s when user attempts to call methods on half-initialized :class:`~struct.Struct` objects, For example, created by ``Struct.__new__(Struct)``. Patch by Sergey B Kirpichev. - gh-143602: Fix a inconsistency issue in :meth:`~io.RawIOBase.write` that leads to unexpected buffer overwrite by deduplicating the buffer exports. - gh-143547: Fix :func:`sys.unraisablehook` when the hook raises an exception and changes :func:`sys.unraisablehook`: hold a strong reference to the old hook. Patch by Victor Stinner. - gh-143378: Fix use-after-free crashes when a :class:`~io.BytesIO` object is concurrently mutated during :meth:`~io.RawIOBase.write` or :meth:`~io.IOBase.writelines`. - gh-143346: Fix incorrect wrapping of the Base64 data in :class:`!plistlib._PlistWriter` when the indent contains a mix of tabs and spaces. - gh-143310: :mod:`tkinter`: fix a crash when a Python :class:`list` is mutated during the conversion to a Tcl object (e.g., when setting a Tcl variable). Patch by Bénédikt Tran. - gh-143309: Fix a crash in :func:`os.execve` on non-Windows platforms when given a custom environment mapping which is then mutated during parsing. Patch by Bénédikt Tran. - gh-143308: :mod:`pickle`: fix use-after-free crashes when a :class:`~pickle.PickleBuffer` is concurrently mutated by a custom buffer callback during pickling. Patch by Bénédikt Tran and Aaron Wieczorek. - gh-143237: Fix support of named pipes in the rotating :mod:`logging` handlers. - gh-143249: Fix possible buffer leaks in Windows overlapped I/O on error handling. - gh-143241: :mod:`zoneinfo`: fix infinite loop in :meth:`ZoneInfo.from_file ` when parsing a malformed TZif file. Patch by Fatih Celik. - gh-142830: :mod:`sqlite3`: fix use-after-free crashes when the connection's callbacks are mutated during a callback execution. Patch by Bénédikt Tran. - gh-143200: :mod:`xml.etree.ElementTree`: fix use-after-free crashes in :meth:`~object.__getitem__` and :meth:`~object.__setitem__` methods of :class:`~xml.etree.ElementTree.Element` when the element is concurrently mutated. Patch by Bénédikt Tran. - gh-142195: Updated timeout evaluation logic in :mod:`subprocess` to be compatible with deterministic environments like Shadow where time moves exactly as requested. - gh-143145: Fixed a possible reference leak in ctypes when constructing results with multiple output parameters on error. - gh-122431: Corrected the error message in :func:`readline.append_history_file` to state that ``nelements`` must be non-negative instead of positive. - gh-143004: Fix a potential use-after-free in :meth:`collections.Counter.update` when user code mutates the Counter during an update. - gh-143046: The :mod:`asyncio` REPL no longer prints copyright and version messages in the quiet mode (:option:`-q`). Patch by Bartosz Sławecki. - gh-140648: The :mod:`asyncio` REPL now respects the :option:`-I` flag (isolated mode). Previously, it would load and execute :envvar:`PYTHONSTARTUP` even if the flag was set. Contributed by Bartosz Sławecki. - gh-142991: Fixed socket operations such as recvfrom() and sendto() for FreeBSD divert(4) socket. - gh-143010: Fixed a bug in :mod:`mailbox` where the precise timing of an external event could result in the library opening an existing file instead of a file it expected to create. - gh-142881: Fix concurrent and reentrant call of :func:`atexit.unregister`. - gh-112127: Fix possible use-after-free in :func:`atexit.unregister` when the callback is unregistered during comparison. - gh-142783: Fix zoneinfo use-after-free with descriptor _weak_cache. a descriptor as _weak_cache could cause crashes during object creation. The fix ensures proper reference counting for descriptor-provided objects. - gh-142754: Add the *ownerDocument* attribute to :mod:`xml.dom.minidom` elements and attributes created by directly instantiating the ``Element`` or ``Attr`` class. Note that this way of creating nodes is not supported; creator functions like :py:meth:`xml.dom.Document.documentElement` should be used instead. - gh-142784: The :mod:`asyncio` REPL now properly closes the loop upon the end of interactive session. Previously, it could cause surprising warnings. Contributed by Bartosz Sławecki. - gh-142555: :mod:`array`: fix a crash in ``a[i] = v`` when converting *i* to an index via :meth:`i.__index__ ` or :meth:`i.__float__ ` mutates the array. - gh-142594: Fix crash in ``TextIOWrapper.close()`` when the underlying buffer's ``closed`` property calls :meth:`~io.TextIOBase.detach`. - gh-142451: :mod:`hmac`: Ensure that the :attr:`HMAC.block_size ` attribute is correctly copied by :meth:`HMAC.copy `. Patch by Bénédikt Tran. - gh-142495: :class:`collections.defaultdict` now prioritizes :meth:`~object.__setitem__` when inserting default values from ``default_factory``. This prevents race conditions where a default value would overwrite a value set before ``default_factory`` returns. - gh-142651: :mod:`unittest.mock`: fix a thread safety issue where :attr:`Mock.call_count ` may return inaccurate values when the mock is called concurrently from multiple threads. - gh-142595: Added type check during initialization of the :mod:`decimal` module to prevent a crash in case of broken stdlib. Patch by Sergey B Kirpichev. - gh-142517: The non-``compat32`` :mod:`email` policies now correctly handle refolding encoded words that contain bytes that can not be decoded in their specified character set. Previously this resulted in an encoding exception during folding. - gh-112527: The help text for required options in :mod:`argparse` no longer extended with " (default: None)". - gh-142315: Pdb can now run scripts from anonymous pipes used in process substitution. Patch by Bartosz Sławecki. - gh-142282: Fix :func:`winreg.QueryValueEx` to not accidentally read garbage buffer under race condition. - gh-75949: Fix :mod:`argparse` to preserve ``|`` separators in mutually exclusive groups when the usage line wraps due to length. - gh-68552: ``MisplacedEnvelopeHeaderDefect`` and ``Missing header name`` defects are now correctly passed to the ``handle_defect`` method of ``policy`` in :class:`~email.parser.FeedParser`. - gh-142006: Fix a bug in the :mod:`email.policy.default` folding algorithm which incorrectly resulted in a doubled newline when a line ending at exactly max_line_length was followed by an unfoldable token. - gh-105836: Fix :meth:`asyncio.run_coroutine_threadsafe` leaving underlying cancelled asyncio task running. - gh-139971: :mod:`pydoc`: Ensure that the link to the online documentation of a :term:`stdlib` module is correct. - gh-139262: Some keystrokes can be swallowed in the new ``PyREPL`` on Windows, especially when used together with the ALT key. Fix by Chris Eibl. - gh-138897: Improved :data:`license`/:data:`copyright`/:data:`credits` display in the :term:`REPL`: now uses a pager. - gh-79986: Add parsing for ``References`` and ``In-Reply-To`` headers to the :mod:`email` library that parses the header content as lists of message id tokens. This prevents them from being folded incorrectly. - gh-109263: Starting a process from spawn context in :mod:`multiprocessing` no longer sets the start method globally. - gh-90871: Fixed an off by one error concerning the backlog parameter in :meth:`~asyncio.loop.create_unix_server`. Contributed by Christian Harries. - gh-133253: Fix thread-safety issues in :mod:`linecache`. - gh-132715: Skip writing objects during marshalling once a failure has occurred. - gh-127529: Correct behavior of :func:`!asyncio.selector_events.BaseSelectorEventLoop._accept_connection` in handling :exc:`ConnectionAbortedError` in a loop. This improves performance on OpenBSD. IDLE ---- - gh-143774: Better explain the operation of Format / Format Paragraph. Documentation ------------- - gh-140806: Add documentation for :func:`enum.bin`. Core and Builtins ----------------- - gh-144307: Prevent a reference leak in module teardown at interpreter finalization. - gh-144194: Fix error handling in perf jitdump initialization on memory allocation failure. - gh-141805: Fix crash in :class:`set` when objects with the same hash are concurrently added to the set after removing an element with the same hash while the set still contains elements with the same hash. - gh-143670: Fixes a crash in ``ga_repr_items_list`` function. - gh-143377: Fix a crash in :func:`!_interpreters.capture_exception` when the exception is incorrectly formatted. Patch by Bénédikt Tran. - gh-143189: Fix crash when inserting a non-:class:`str` key into a split table dictionary when the key matches an existing key in the split table but has no corresponding value in the dict. - gh-143228: Fix use-after-free in perf trampoline when toggling profiling while threads are running or during interpreter finalization with daemon threads active. The fix uses reference counting to ensure trampolines are not freed while any code object could still reference them. Pach by Pablo Galindo - gh-142664: Fix a use-after-free crash in :meth:`memoryview.__hash__ ` when the ``__hash__`` method of the referenced object mutates that object or the view. Patch by Bénédikt Tran. - gh-142557: Fix a use-after-free crash in :ref:`bytearray.__mod__ ` when the :class:`!bytearray` is mutated while formatting the ``%``-style arguments. Patch by Bénédikt Tran. - gh-143195: Fix use-after-free crashes in :meth:`bytearray.hex` and :meth:`memoryview.hex` when the separator's :meth:`~object.__len__` mutates the original object. Patch by Bénédikt Tran. - gh-143135: Set :data:`sys.flags.inspect` to ``1`` when :envvar:`PYTHONINSPECT` is ``0``. Previously, it was set to ``0`` in this case. - gh-143003: Fix an overflow of the shared empty buffer in :meth:`bytearray.extend` when ``__length_hint__()`` returns 0 for non-empty iterator. - gh-143006: Fix a possible assertion error when comparing negative non-integer ``float`` and ``int`` with the same number of bits in the integer part. - gh-142776: Fix a file descriptor leak in import.c - gh-142829: Fix a use-after-free crash in :class:`contextvars.Context` comparison when a custom ``__eq__`` method modifies the context via :meth:`~contextvars.ContextVar.set`. - gh-142766: Clear the frame of a generator when :meth:`generator.close` is called. - gh-142737: Tracebacks will be displayed in fallback mode even if :func:`io.open` is lost. Previously, this would crash the interpreter. Patch by Bartosz Sławecki. - gh-142554: Fix a crash in :func:`divmod` when :func:`!_pylong.int_divmod` does not return a tuple of length two exactly. Patch by Bénédikt Tran. - gh-142560: Fix use-after-free in :class:`bytearray` search-like methods (:meth:`~bytearray.find`, :meth:`~bytearray.count`, :meth:`~bytearray.index`, :meth:`~bytearray.rindex`, and :meth:`~bytearray.rfind`) by marking the storage as exported which causes reallocation attempts to raise :exc:`BufferError`. For :func:`~operator.contains`, :meth:`~bytearray.split`, and :meth:`~bytearray.rsplit` the :ref:`buffer protocol ` is used for this. - gh-142343: Fix SIGILL crash on m68k due to incorrect assembly constraint. - gh-141732: Ensure the :meth:`~object.__repr__` for :exc:`ExceptionGroup` and :exc:`BaseExceptionGroup` does not change when the exception sequence that was original passed in to its constructor is subsequently mutated. - gh-100964: Fix reference cycle in exhausted generator frames. Patch by Savannah Ostrowski. - gh-140373: Correctly emit ``PY_UNWIND`` event when generator object is closed. Patch by Mikhail Efimov. - gh-138568: Adjusted the built-in :func:`help` function so that empty inputs are ignored in interactive mode. - gh-127773: Do not use the type attribute cache for types with incompatible :term:`MRO`. C API ----- - gh-142571: :c:func:`!PyUnstable_CopyPerfMapFile` now checks that opening the file succeeded before flushing. Build ----- - gh-142454: When calculating the digest of the JIT stencils input, sort the hashed files by filenames before adding their content to the hasher. This ensures deterministic hash input and hence deterministic hash, independent on filesystem order. - gh-141808: When running ``make clean-retain-profile``, keep the generated JIT stencils. That way, the stencils are not generated twice when Profile-guided optimization (PGO) is used. It also allows distributors to supply their own pre-built JIT stencils. - gh-138061: Ensure reproducible builds by making JIT stencil header generation deterministic. What's New in Python 3.13.11 final? =================================== *Release date: 2025-12-05* Security -------- - gh-142145: Remove quadratic behavior in ``xml.minidom`` node ID cache clearing. - gh-119451: Fix a potential memory denial of service in the :mod:`http.client` module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a :exc:`MemoryError`, swapping, out of memory (OOM) killed processes or containers, or even system crashes. - gh-119452: Fix a potential memory denial of service in the :mod:`http.server` module. When a malicious user is connected to the CGI server on Windows, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a :exc:`MemoryError`, swapping, out of memory (OOM) killed processes or containers, or even system crashes. Library ------- - gh-140797: Revert changes to the undocumented :class:`!re.Scanner` class. Capturing groups are still allowed for backward compatibility, although using them can lead to incorrect result. They will be forbidden in future Python versions. - gh-142206: The resource tracker in the :mod:`multiprocessing` module now uses the original communication protocol, as in Python 3.14.0 and below, by default. This avoids issues with upgrading Python while it is running. (Note that such 'in-place' upgrades are not tested.) The tracker remains compatible with subprocesses that use new protocol (that is, subprocesses using Python 3.13.10, 3.14.1 and 3.15). Core and Builtins ----------------- - gh-142218: Fix crash when inserting into a split table dictionary with a non :class:`str` key that matches an existing key. What's New in Python 3.13.10 final? =================================== *Release date: 2025-12-02* Tools/Demos ----------- - gh-141442: The iOS testbed now correctly handles test arguments that contain spaces. Tests ----- - gh-140482: Preserve and restore the state of ``stty echo`` as part of the test environment. - gh-140082: Update ``python -m test`` to set ``FORCE_COLOR=1`` when being run with color enabled so that :mod:`unittest` which is run by it with redirected output will output in color. - gh-136442: Use exitcode ``1`` instead of ``5`` if :func:`unittest.TestCase.setUpClass` raises an exception Security -------- - gh-139700: Check consistency of the zip64 end of central directory record. Support records with "zip64 extensible data" if there are no bytes prepended to the ZIP file. - gh-137836: Add support of the "plaintext" element, RAWTEXT elements "xmp", "iframe", "noembed" and "noframes", and optionally RAWTEXT element "noscript" in :class:`html.parser.HTMLParser`. - gh-136063: :mod:`email.message`: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran. - gh-136065: Fix quadratic complexity in :func:`os.path.expandvars`. - gh-119342: Fix a potential memory denial of service in the :mod:`plistlib` module. When reading a Plist file received from untrusted source, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a :exc:`MemoryError`, swapping, out of memory (OOM) killed processes or containers, or even system crashes. Library ------- - gh-74389: When the stdin being used by a :class:`subprocess.Popen` instance is closed, this is now ignored in :meth:`subprocess.Popen.communicate` instead of leaving the class in an inconsistent state. - gh-87512: Fix :func:`subprocess.Popen.communicate` timeout handling on Windows when writing large input. Previously, the timeout was ignored during stdin writing, causing the method to block indefinitely if the child process did not consume input quickly. The stdin write is now performed in a background thread, allowing the timeout to be properly enforced. - gh-141473: When :meth:`subprocess.Popen.communicate` was called with *input* and a *timeout* and is called for a second time after a :exc:`~subprocess.TimeoutExpired` exception before the process has died, it should no longer hang. - gh-59000: Fix :mod:`pdb` breakpoint resolution for class methods when the module defining the class is not imported. - gh-141570: Support :term:`file-like object` raising :exc:`OSError` from :meth:`~io.IOBase.fileno` in color detection (``_colorize.can_colorize()``). This can occur when ``sys.stdout`` is redirected. - gh-141659: Fix bad file descriptor errors from ``_posixsubprocess`` on AIX. - gh-141497: :mod:`ipaddress`: ensure that the methods :meth:`IPv4Network.hosts() ` and :meth:`IPv6Network.hosts() ` always return an iterator. - gh-140938: The :func:`statistics.stdev` and :func:`statistics.pstdev` functions now raise a :exc:`ValueError` when the input contains an infinity or a NaN. - gh-124111: Updated Tcl threading configuration in :mod:`_tkinter` to assume that threads are always available in Tcl 9 and later. - gh-137109: The :mod:`os.fork` and related forking APIs will no longer warn in the common case where Linux or macOS platform APIs return the number of threads in a process and find the answer to be 1 even when a :func:`os.register_at_fork` ``after_in_parent=`` callback (re)starts a thread. - gh-141314: Fix assertion failure in :meth:`io.TextIOWrapper.tell` when reading files with standalone carriage return (``\r``) line endings. - gh-141311: Fix assertion failure in :func:`!io.BytesIO.readinto` and undefined behavior arising when read position is above capcity in :class:`io.BytesIO`. - gh-141141: Fix a thread safety issue with :func:`base64.b85decode`. Contributed by Benel Tayar. - gh-140911: :mod:`collections`: Ensure that the methods ``UserString.rindex()`` and ``UserString.index()`` accept :class:`collections.UserString` instances as the sub argument. - gh-140797: The undocumented :class:`!re.Scanner` class now forbids regular expressions containing capturing groups in its lexicon patterns. Patterns using capturing groups could previously lead to crashes with segmentation fault. Use non-capturing groups (?:...) instead. - gh-140815: :mod:`faulthandler` now detects if a frame or a code object is invalid or freed. Patch by Victor Stinner. - gh-100218: Correctly set :attr:`~OSError.errno` when :func:`socket.if_nametoindex` or :func:`socket.if_indextoname` raise an :exc:`OSError`. Patch by Bénédikt Tran. - gh-140875: Fix handling of unclosed character references (named and numerical) followed by the end of file in :class:`html.parser.HTMLParser` with ``convert_charrefs=False``. - gh-140734: :mod:`multiprocessing`: fix off-by-one error when checking the length of a temporary socket file path. Patch by Bénédikt Tran. - gh-140874: Bump the version of pip bundled in :mod:`ensurepip` to version 25.3 - gh-140691: In :mod:`urllib.request`, when opening a FTP URL fails because a data connection cannot be made, the control connection's socket is now closed to avoid a :exc:`ResourceWarning`. - gh-103847: Fix hang when cancelling process created by :func:`asyncio.create_subprocess_exec` or :func:`asyncio.create_subprocess_shell`. Patch by Kumar Aditya. - gh-140590: Fix arguments checking for the :meth:`!functools.partial.__setstate__` that may lead to internal state corruption and crash. Patch by Sergey Miryanov. - gh-140634: Fix a reference counting bug in :meth:`!os.sched_param.__reduce__`. - gh-140633: Ignore :exc:`AttributeError` when setting a module's ``__file__`` attribute when loading an extension module packaged as Apple Framework. - gh-140593: :mod:`xml.parsers.expat`: Fix a memory leak that could affect users with :meth:`~xml.parsers.expat.xmlparser.ElementDeclHandler` set to a custom element declaration handler. Patch by Sebastian Pipping. - gh-140607: Inside :meth:`io.RawIOBase.read`, validate that the count of bytes returned by :meth:`io.RawIOBase.readinto` is valid (inside the provided buffer). - gh-138162: Fix :class:`logging.LoggerAdapter` with ``merge_extra=True`` and without the *extra* argument. - gh-140474: Fix memory leak in :class:`array.array` when creating arrays from an empty :class:`str` and the ``u`` type code. - gh-140272: Fix memory leak in the :meth:`!clear` method of the :mod:`dbm.gnu` database. - gh-140041: Fix import of :mod:`ctypes` on Android and Cygwin when ABI flags are present. - gh-139905: Add suggestion to error message for :class:`typing.Generic` subclasses when ``cls.__parameters__`` is missing due to a parent class failing to call :meth:`super().__init_subclass__() ` in its ``__init_subclass__``. - gh-139845: Fix to not print KeyboardInterrupt twice in default asyncio REPL. - gh-139783: Fix :func:`inspect.getsourcelines` for the case when a decorator is followed by a comment or an empty line. - gh-70765: :mod:`http.server`: fix default handling of HTTP/0.9 requests in :class:`~http.server.BaseHTTPRequestHandler`. Previously, :meth:`!BaseHTTPRequestHandler.parse_request` incorrectly waited for headers in the request although those are not supported in HTTP/0.9. Patch by Bénédikt Tran. - gh-139391: Fix an issue when, on non-Windows platforms, it was not possible to gracefully exit a ``python -m asyncio`` process suspended by Ctrl+Z and later resumed by :manpage:`fg` other than with :manpage:`kill`. - gh-101828: Fix ``'shift_jisx0213'``, ``'shift_jis_2004'``, ``'euc_jisx0213'`` and ``'euc_jis_2004'`` codecs truncating null chars as they were treated as part of multi-character sequences. - gh-139246: fix: paste zero-width in default repl width is wrong. - gh-90949: Add :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerActivationThreshold` and :meth:`~xml.parsers.expat.xmlparser.SetAllocTrackerMaximumAmplification` to :ref:`xmlparser ` objects to prevent use of disproportional amounts of dynamic memory from within an Expat parser. Patch by Bénédikt Tran. - gh-139065: Fix trailing space before a wrapped long word if the line length is exactly *width* in :mod:`textwrap`. - gh-138993: Dedent :data:`credits` text. - gh-138859: Fix generic type parameterization raising a :exc:`TypeError` when omitting a :class:`ParamSpec` that has a default which is not a list of types. - gh-138775: Use of ``python -m`` with :mod:`base64` has been fixed to detect input from a terminal so that it properly notices EOF. - gh-98896: Fix a failure in multiprocessing resource_tracker when SharedMemory names contain colons. Patch by Rani Pinchuk. - gh-75989: :func:`tarfile.TarFile.extractall` and :func:`tarfile.TarFile.extract` now overwrite symlinks when extracting hardlinks. (Contributed by Alexander Enrique Urieles Nieto in :gh:`75989`.) - gh-83424: Allows creating a :class:`ctypes.CDLL` without name when passing a handle as an argument. - gh-136234: Fix :meth:`asyncio.WriteTransport.writelines` to be robust to connection failure, by using the same behavior as :meth:`~asyncio.WriteTransport.write`. - gh-136057: Fixed the bug in :mod:`pdb` and :mod:`bdb` where ``next`` and ``step`` can't go over the line if a loop exists in the line. - gh-135307: :mod:`email`: Fix exception in ``set_content()`` when encoding text and max_line_length is set to ``0`` or ``None`` (unlimited). - gh-134453: Fixed :func:`subprocess.Popen.communicate` ``input=`` handling of :class:`memoryview` instances that were non-byte shaped on POSIX platforms. Those are now properly cast to a byte shaped view instead of truncating the input. Windows platforms did not have this bug. - gh-102431: Clarify constraints for "logical" arguments in methods of :class:`decimal.Context`. IDLE ---- - gh-96491: Deduplicate version number in IDLE shell title bar after saving to a file. Documentation ------------- - gh-141994: :mod:`xml.sax.handler`: Make Documentation of :data:`xml.sax.handler.feature_external_ges` warn of opening up to `external entity attacks `_. Patch by Sebastian Pipping. - gh-140578: Remove outdated sencence in the documentation for :mod:`multiprocessing`, that implied that :class:`concurrent.futures.ThreadPoolExecutor` did not exist. Core and Builtins ----------------- - gh-142048: Fix quadratically increasing garbage collection delays in free-threaded build. - gh-141930: When importing a module, use Python's regular file object to ensure that writes to ``.pyc`` files are complete or an appropriate error is raised. - gh-120158: Fix inconsistent state when enabling or disabling monitoring events too many times. - gh-141579: Fix :func:`sys.activate_stack_trampoline` to properly support the ``perf_jit`` backend. Patch by Pablo Galindo. - gh-141312: Fix the assertion failure in the ``__setstate__`` method of the range iterator when a non-integer argument is passed. Patch by Sergey Miryanov. - gh-140939: Fix memory leak when :class:`bytearray` or :class:`bytes` is formated with the ``%*b`` format with a large width that results in a :exc:`MemoryError`. - gh-140530: Fix a reference leak when ``raise exc from cause`` fails. Patch by Bénédikt Tran. - gh-140576: Fixed crash in :func:`tokenize.generate_tokens` in case of specific incorrect input. Patch by Mikhail Efimov. - gh-140551: Fixed crash in :class:`dict` if :meth:`dict.clear` is called at the lookup stage. Patch by Mikhail Efimov and Inada Naoki. - gh-140471: Fix potential buffer overflow in :class:`ast.AST` node initialization when encountering malformed :attr:`~ast.AST._fields` containing non-:class:`str`. - gh-140406: Fix memory leak when an object's :meth:`~object.__hash__` method returns an object that isn't an :class:`int`. - gh-140306: Fix memory leaks in cross-interpreter channel operations and shared namespace handling. - gh-140301: Fix memory leak of ``PyConfig`` in subinterpreters. - gh-140000: Fix potential memory leak when a reference cycle exists between an instance of :class:`typing.TypeAliasType`, :class:`typing.TypeVar`, :class:`typing.ParamSpec`, or :class:`typing.TypeVarTuple` and its ``__name__`` attribute. Patch by Mikhail Efimov. - gh-139748: Fix reference leaks in error branches of functions accepting path strings or bytes such as :func:`compile` and :func:`os.system`. Patch by Bénédikt Tran. - gh-139516: Fix lambda colon erroneously start format spec in f-string in tokenizer. - gh-139640: Fix swallowing some syntax warnings in different modules if they accidentally have the same message and are emitted from the same line. Fix duplicated warnings in the ``finally`` block. - gh-137400: Fix a crash in the :term:`free threading` build when disabling profiling or tracing across all threads with :c:func:`PyEval_SetProfileAllThreads` or :c:func:`PyEval_SetTraceAllThreads` or their Python equivalents :func:`threading.settrace_all_threads` and :func:`threading.setprofile_all_threads`. - gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to match old pre-3.13 REPL behavior. C API ----- - gh-140042: Removed the sqlite3_shutdown call that could cause closing connections for sqlite when used with multiple sub interpreters. - gh-140487: Fix :c:macro:`Py_RETURN_NOTIMPLEMENTED` in limited C API 3.11 and older: don't treat ``Py_NotImplemented`` as immortal. Patch by Victor Stinner. What's New in Python 3.13.9 final? ================================== *Release date: 2025-10-14* Library ------- - gh-139783: Fix :func:`inspect.getsourcelines` for the case when a decorator is followed by a comment or an empty line. What's New in Python 3.13.8 final? ================================== *Release date: 2025-10-07* macOS ----- - gh-124111: Update macOS installer to use Tcl/Tk 8.6.17. - gh-139573: Updated bundled version of OpenSSL to 3.0.18. Windows ------- - gh-139573: Updated bundled version of OpenSSL to 3.0.18. - gh-138896: Fix error installing C runtime on non-updated Windows machines Tools/Demos ----------- - gh-139330: SBOM generation tool didn't cross-check the version and checksum values against the ``Modules/expat/refresh.sh`` script, leading to the values becoming out-of-date during routine updates. - gh-137873: The iOS test runner has been simplified, resolving some issues that have been observed using the runner in GitHub Actions and Azure Pipelines test environments. Tests ----- - gh-139208: Fix regrtest ``--fast-ci --verbose``: don't ignore the ``--verbose`` option anymore. Patch by Victor Stinner. Security -------- - gh-139400: :mod:`xml.parsers.expat`: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by :meth:`~xml.parsers.expat.xmlparser.ExternalEntityParserCreate`. Patch by Sebastian Pipping. - gh-139283: :mod:`sqlite3`: correctly handle maximum number of rows to fetch in :meth:`Cursor.fetchmany ` and reject negative values for :attr:`Cursor.arraysize `. Patch by Bénédikt Tran. - gh-135661: Fix CDATA section parsing in :class:`html.parser.HTMLParser` according to the HTML5 standard: ``] ]>`` and ``]] >`` no longer end the CDATA section. Add private method ``_set_support_cdata()`` which can be used to specify how to parse ``<[CDATA[`` --- as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. Library ------- - gh-139312: Upgrade bundled libexpat to 2.7.3 - gh-139289: Do a real lazy-import on :mod:`rlcompleter` in :mod:`pdb` and restore the existing completer after importing :mod:`rlcompleter`. - gh-139210: Fix use-after-free when reporting unknown event in :func:`xml.etree.ElementTree.iterparse`. Patch by Ken Jin. - gh-138860: Lazy import :mod:`rlcompleter` in :mod:`pdb` to avoid deadlock in subprocess. - gh-112729: Fix crash when calling ``_interpreters.create`` when the process is out of memory. - gh-139076: Fix a bug in the :mod:`pydoc` module that was hiding functions in a Python module if they were implemented in an extension module and the module did not have ``__all__``. - gh-138998: Update bundled libexpat to 2.7.2 - gh-130567: Fix possible crash in :func:`locale.strxfrm` due to a platform bug on macOS. - gh-138779: Support device numbers larger than ``2**63-1`` for the :attr:`~os.stat_result.st_rdev` field of the :class:`os.stat_result` structure. - gh-128636: Fix crash in PyREPL when os.environ is overwritten with an invalid value for mac - gh-88375: Fix normalization of the ``robots.txt`` rules and URLs in the :mod:`urllib.robotparser` module. No longer ignore trailing ``?``. Distinguish raw special characters ``?``, ``=`` and ``&`` from the percent-encoded ones. - gh-138515: :mod:`email` is added to Emscripten build. - gh-111788: Fix parsing errors in the :mod:`urllib.robotparser` module. Don't fail trying to parse weird paths. Don't fail trying to decode non-UTF-8 ``robots.txt`` files. - gh-138432: :meth:`zoneinfo.reset_tzpath` will now convert any :class:`os.PathLike` objects it receives into strings before adding them to ``TZPATH``. It will raise ``TypeError`` if anything other than a string is found after this conversion. If given an :class:`os.PathLike` object that represents a relative path, it will now raise ``ValueError`` instead of ``TypeError``, and present a more informative error message. - gh-138008: Fix segmentation faults in the :mod:`ctypes` module due to invalid :attr:`~ctypes._CFuncPtr.argtypes`. Patch by Dung Nguyen. - gh-60462: Fix :func:`locale.strxfrm` on Solaris (and possibly other platforms). - gh-138204: Forbid expansion of shared anonymous :mod:`memory maps ` on Linux, which caused a bus error. - gh-138010: Fix an issue where defining a class with a :deco:`warnings.deprecated`-decorated base class may not invoke the correct :meth:`~object.__init_subclass__` method in cases involving multiple inheritance. Patch by Brian Schubert. - gh-138133: Prevent infinite traceback loop when sending CTRL^C to Python through ``strace``. - gh-134869: Fix an issue where pressing Ctrl+C during tab completion in the REPL would leave the autocompletion menu in a corrupted state. - gh-137317: :func:`inspect.signature` now correctly handles classes that use a descriptor on a wrapped :meth:`!__init__` or :meth:`!__new__` method. Contributed by Yongyu Yan. - gh-137754: Fix import of the :mod:`zoneinfo` module if the C implementation of the :mod:`datetime` module is not available. - gh-137490: Handle :data:`~errno.ECANCELED` in the same way as :data:`~errno.EINTR` in :func:`signal.sigwaitinfo` on NetBSD. - gh-137477: Fix :func:`!inspect.getblock`, :func:`inspect.getsourcelines` and :func:`inspect.getsource` for generator expressions. - gh-137017: Fix :obj:`threading.Thread.is_alive` to remain ``True`` until the underlying OS thread is fully cleaned up. This avoids false negatives in edge cases involving thread monitoring or premature :obj:`threading.Thread.is_alive` calls. - gh-136134: :meth:`!SMTP.auth_cram_md5` now raises an :exc:`~smtplib.SMTPException` instead of a :exc:`ValueError` if Python has been built without MD5 support. In particular, :class:`~smtplib.SMTP` clients will not attempt to use this method even if the remote server is assumed to support it. Patch by Bénédikt Tran. - gh-136134: :meth:`IMAP4.login_cram_md5 ` now raises an :exc:`IMAP4.error ` if CRAM-MD5 authentication is not supported. Patch by Bénédikt Tran. - gh-135386: Fix opening a :mod:`dbm.sqlite3` database for reading from read-only file or directory. - gh-126631: Fix :mod:`multiprocessing` ``forkserver`` bug which prevented ``__main__`` from being preloaded. - gh-123085: In a bare call to :func:`importlib.resources.files`, ensure the caller's frame is properly detected when ``importlib.resources`` is itself available as a compiled module only (no source). - gh-118981: Fix potential hang in ``multiprocessing.popen_spawn_posix`` that can happen when the child proc dies early by closing the child fds right away. - gh-78319: UTF8 support for the IMAP APPEND command has been made RFC compliant. - bpo-38735: Fix failure when importing a module from the root directory on unix-like platforms with sys.pycache_prefix set. - bpo-41839: Allow negative priority values from :func:`os.sched_get_priority_min` and :func:`os.sched_get_priority_max` functions. Core and Builtins ----------------- - gh-134466: Don't run PyREPL in a degraded environment where setting termios attributes is not allowed. - gh-71810: Raise :exc:`OverflowError` for ``(-1).to_bytes()`` for signed conversions when bytes count is zero. Patch by Sergey B Kirpichev. - gh-105487: Remove non-existent :meth:`~object.__copy__`, :meth:`~object.__deepcopy__`, and :attr:`~type.__bases__` from the :meth:`~object.__dir__` entries of :class:`types.GenericAlias`. - gh-134163: Fix a hang when the process is out of memory inside an exception handler. - gh-138479: Fix a crash when a generic object's ``__typing_subst__`` returns an object that isn't a :class:`tuple`. - gh-137576: Fix for incorrect source code being shown in tracebacks from the Basic REPL when :envvar:`PYTHONSTARTUP` is given. Patch by Adam Hartz. - gh-132744: Certain calls now check for runaway recursion and respect the system recursion limit. C API ----- - gh-87135: Attempting to acquire the GIL after runtime finalization has begun in a different thread now causes the thread to hang rather than terminate, which avoids potential crashes or memory corruption caused by attempting to terminate a thread that is running code not specifically designed to support termination. In most cases this hanging is harmless since the process will soon exit anyway. While not officially marked deprecated until 3.14, ``PyThread_exit_thread`` is no longer called internally and remains solely for interface compatibility. Its behavior is inconsistent across platforms, and it can only be used safely in the unlikely case that every function in the entire call stack has been designed to support the platform-dependent termination mechanism. It is recommended that users of this function change their design to not require thread termination. In the unlikely case that thread termination is needed and can be done safely, users may migrate to calling platform-specific APIs such as ``pthread_exit`` (POSIX) or ``_endthreadex`` (Windows) directly. Build ----- - gh-135734: Python can correctly be configured and built with ``./configure --enable-optimizations --disable-test-modules``. Previously, the profile data generation step failed due to PGO tests where immortalization couldn't be properly suppressed. Patch by Bénédikt Tran. What's New in Python 3.13.7 final? ================================== *Release date: 2025-08-14* Library ------- - gh-137583: Fix a deadlock introduced in 3.13.6 when a call to :meth:`ssl.SSLSocket.recv ` was blocked in one thread, and then another method on the object (such as :meth:`ssl.SSLSocket.send `) was subsequently called in another thread. - gh-137044: Return large limit values as positive integers instead of negative integers in :func:`resource.getrlimit`. Accept large values and reject negative values (except :data:`~resource.RLIM_INFINITY`) for limits in :func:`resource.setrlimit`. - gh-136914: Fix retrieval of :attr:`doctest.DocTest.lineno` for objects decorated with :func:`functools.cache` or :class:`functools.cached_property`. - gh-131788: Make ``ResourceTracker.send`` from :mod:`multiprocessing` re-entrant safe Documentation ------------- - gh-136155: We are now checking for fatal errors in EPUB builds in CI. Core and Builtins ----------------- - gh-137400: Fix a crash in the :term:`free threading` build when disabling profiling or tracing across all threads with :c:func:`PyEval_SetProfileAllThreads` or :c:func:`PyEval_SetTraceAllThreads` or their Python equivalents :func:`threading.settrace_all_threads` and :func:`threading.setprofile_all_threads`. What's New in Python 3.13.6 final? ================================== *Release date: 2025-08-06* macOS ----- - gh-137450: macOS installer shell path management improvements: separate the installer ``Shell profile updater`` postinstall script from the ``Update Shell Profile.command`` to enable more robust error handling. - gh-137134: Update macOS installer to ship with SQLite version 3.50.4. Windows ------- - gh-137134: Update Windows installer to ship with SQLite 3.50.4. Tools/Demos ----------- - gh-135968: Stubs for ``strip`` are now provided as part of an iOS install. Tests ----- - gh-135966: The iOS testbed now handles the ``app_packages`` folder as a site directory. - gh-135494: Fix regrtest to support excluding tests from ``--pgo`` tests. Patch by Victor Stinner. - gh-135489: Show verbose output for failing tests during PGO profiling step with --enable-optimizations. Security -------- - gh-135661: Fix parsing start and end tags in :class:`html.parser.HTMLParser` according to the HTML5 standard. * Whitespaces no longer accepted between ```` does not end the script section. * Vertical tabulation (``\v``) and non-ASCII whitespaces no longer recognized as whitespaces. The only whitespaces are ``\t\n\r\f`` and space. * Null character (U+0000) no longer ends the tag name. * Attributes and slashes after the tag name in end tags are now ignored, instead of terminating after the first ``>`` in quoted attribute value. E.g. ````. * Multiple slashes and whitespaces between the last attribute and closing ``>`` are now ignored in both start and end tags. E.g. ````. * Multiple ``=`` between attribute name and value are no longer collapsed. E.g. ```` produces attribute "foo" with value "=bar". - gh-102555: Fix comment parsing in :class:`html.parser.HTMLParser` according to the HTML5 standard. ``--!>`` now ends the comment. ``-- >`` no longer ends the comment. Support abnormally ended empty comments ``<-->`` and ``<--->``. - gh-135462: Fix quadratic complexity in processing specially crafted input in :class:`html.parser.HTMLParser`. End-of-file errors are now handled according to the HTML5 specs -- comments and declarations are automatically closed, tags are ignored. - gh-118350: Fix support of escapable raw text mode (elements "textarea" and "title") in :class:`html.parser.HTMLParser`. Library ------- - gh-132710: If possible, ensure that :func:`uuid.getnode` returns the same result even across different processes. Previously, the result was constant only within the same process. Patch by Bénédikt Tran. - gh-137273: Fix debug assertion failure in :func:`locale.setlocale` on Windows. - gh-137257: Bump the version of pip bundled in ensurepip to version 25.2 - gh-81325: :class:`tarfile.TarFile` now accepts a :term:`path-like ` when working on a tar archive. (Contributed by Alexander Enrique Urieles Nieto in :gh:`81325`.) - gh-130522: Fix unraisable :exc:`TypeError` raised during :term:`interpreter shutdown` in the :mod:`threading` module. - gh-130577: :mod:`tarfile` now validates archives to ensure member offsets are non-negative. (Contributed by Alexander Enrique Urieles Nieto in :gh:`130577`.) - gh-136549: Fix signature of :func:`threading.excepthook`. - gh-136523: Fix :class:`wave.Wave_write` emitting an unraisable when open raises. - gh-52876: Add missing ``keepends`` (default ``True``) parameter to :meth:`!codecs.StreamReaderWriter.readline` and :meth:`!codecs.StreamReaderWriter.readlines`. - gh-85702: If ``zoneinfo._common.load_tzdata`` is given a package without a resource a :exc:`zoneinfo.ZoneInfoNotFoundError` is raised rather than a :exc:`PermissionError`. Patch by Victor Stinner. - gh-134759: Fix :exc:`UnboundLocalError` in :func:`email.message.Message.get_payload` when the payload to decode is a :class:`bytes` object. Patch by Kliment Lamonov. - gh-136028: Fix parsing month names containing "İ" (U+0130, LATIN CAPITAL LETTER I WITH DOT ABOVE) in :func:`time.strptime`. This affects locales az_AZ, ber_DZ, ber_MA and crh_UA. - gh-135995: In the palmos encoding, make byte ``0x9b`` decode to ``›`` (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK). - gh-53203: Fix :func:`time.strptime` for ``%c`` and ``%x`` formats on locales byn_ER, wal_ET and lzh_TW, and for ``%X`` format on locales ar_SA, bg_BG and lzh_TW. - gh-91555: An earlier change, which was introduced in 3.13.4, has been reverted. It disabled logging for a logger during handling of log messages for that logger. Since the reversion, the behaviour should be as it was before 3.13.4. - gh-135878: Fixes a crash of :class:`types.SimpleNamespace` on :term:`free threading` builds, when several threads were calling its :meth:`~object.__repr__` method at the same time. - gh-135836: Fix :exc:`IndexError` in :meth:`asyncio.loop.create_connection` that could occur when non-\ :exc:`OSError` exception is raised during connection and socket's ``close()`` raises :exc:`!OSError`. - gh-135836: Fix :exc:`IndexError` in :meth:`asyncio.loop.create_connection` that could occur when the Happy Eyeballs algorithm resulted in an empty exceptions list during connection attempts. - gh-135855: Raise :exc:`TypeError` instead of :exc:`SystemError` when :func:`!_interpreters.set___main___attrs` is passed a non-dict object. Patch by Brian Schubert. - gh-135815: :mod:`netrc`: skip security checks if :func:`os.getuid` is missing. Patch by Bénédikt Tran. - gh-135640: Address bug where it was possible to call :func:`xml.etree.ElementTree.ElementTree.write` on an ElementTree object with an invalid root element. This behavior blanked the file passed to ``write`` if it already existed. - gh-135444: Fix :meth:`asyncio.DatagramTransport.sendto` to account for datagram header size when data cannot be sent. - gh-135497: Fix :func:`os.getlogin` failing for longer usernames on BSD-based platforms. - gh-135487: Fix :meth:`!reprlib.Repr.repr_int` when given integers with more than :func:`sys.get_int_max_str_digits` digits. Patch by Bénédikt Tran. - gh-135335: :mod:`multiprocessing`: Flush ``stdout`` and ``stderr`` after preloading modules in the ``forkserver``. - gh-135244: :mod:`uuid`: when the MAC address cannot be determined, the 48-bit node ID is now generated with a cryptographically-secure pseudo-random number generator (CSPRNG) as per :rfc:`RFC 9562, §6.10.3 <9562#section-6.10-3>`. This affects :func:`~uuid.uuid1`. - gh-135069: Fix the "Invalid error handling" exception in :class:`!encodings.idna.IncrementalDecoder` to correctly replace the 'errors' parameter. - gh-134698: Fix a crash when calling methods of :class:`ssl.SSLContext` or :class:`ssl.SSLSocket` across multiple threads. - gh-132124: On POSIX-compliant systems, :func:`!multiprocessing.util.get_temp_dir` now ignores :envvar:`TMPDIR` (and similar environment variables) if the path length of ``AF_UNIX`` socket files exceeds the platform-specific maximum length when using the *forkserver* start method. Patch by Bénédikt Tran. - gh-133439: Fix dot commands with trailing spaces are mistaken for multi-line SQL statements in the sqlite3 command-line interface. - gh-132969: Prevent the :class:`~concurrent.futures.ProcessPoolExecutor` executor thread, which remains running when :meth:`shutdown(wait=False) `, from attempting to adjust the pool's worker processes after the object state has already been reset during shutdown. A combination of conditions, including a worker process having terminated abormally, resulted in an exception and a potential hang when the still-running executor thread attempted to replace dead workers within the pool. - gh-130664: Support the ``'_'`` digit separator in formatting of the integral part of :class:`~decimal.Decimal`'s. Patch by Sergey B Kirpichev. - gh-85702: If ``zoneinfo._common.load_tzdata`` is given a package without a resource a ``ZoneInfoNotFoundError`` is raised rather than a :exc:`IsADirectoryError`. - gh-130664: Handle corner-case for :class:`~fractions.Fraction`'s formatting: treat zero-padding (preceding the width field by a zero (``'0'``) character) as an equivalent to a fill character of ``'0'`` with an alignment type of ``'='``, just as in case of :class:`float`'s. Documentation ------------- - gh-135171: Document that the :term:`iterator` for the leftmost :keyword:`!for` clause in the generator expression is created immediately. Core and Builtins ----------------- - gh-58124: Fix name of the Python encoding in Unicode errors of the code page codec: use "cp65000" and "cp65001" instead of "CP_UTF7" and "CP_UTF8" which are not valid Python code names. Patch by Victor Stinner. - gh-137314: Fixed a regression where raw f-strings incorrectly interpreted escape sequences in format specifications. Raw f-strings now properly preserve literal backslashes in format specs, matching the behavior from Python 3.11. For example, ``rf"{obj:\xFF}"`` now correctly produces ``'\\xFF'`` instead of ``'ÿ'``. Patch by Pablo Galindo. - gh-136541: Fix some issues with the perf trampolines on x86-64 and aarch64. The trampolines were not being generated correctly for some cases, which could lead to the perf integration not working correctly. Patch by Pablo Galindo. - gh-109700: Fix memory error handling in :c:func:`PyDict_SetDefault`. - gh-78465: Fix error message for ``cls.__new__(cls, ...)`` where ``cls`` is not instantiable builtin or extension type (with ``tp_new`` set to ``NULL``). - gh-135871: Non-blocking mutex lock attempts now return immediately when the lock is busy instead of briefly spinning in the :term:`free threading` build. - gh-135607: Fix potential :mod:`weakref` races in an object's destructor on the :term:`free threaded ` build. - gh-135496: Fix typo in the f-string conversion type error ("exclamanation" -> "exclamation"). - gh-130077: Properly raise custom syntax errors when incorrect syntax containing names that are prefixes of soft keywords is encountered. Patch by Pablo Galindo. - gh-135148: Fixed a bug where f-string debug expressions (using =) would incorrectly strip out parts of strings containing escaped quotes and # characters. Patch by Pablo Galindo. - gh-133136: Limit excess memory usage in the :term:`free threading` build when a large dictionary or list is resized and accessed by multiple threads. - gh-132617: Fix :meth:`dict.update` modification check that could incorrectly raise a "dict mutated during update" error when a different dictionary was modified that happens to share the same underlying keys object. - gh-91153: Fix a crash when a :class:`bytearray` is concurrently mutated during item assignment. - gh-127971: Fix off-by-one read beyond the end of a string in string search. - gh-125723: Fix crash with ``gi_frame.f_locals`` when generator frames outlive their generator. Patch by Mikhail Efimov. Build ----- - gh-135497: Fix the detection of ``MAXLOGNAME`` in the ``configure.ac`` script. What's New in Python 3.13.5 final? ================================== *Release date: 2025-06-11* Windows ------- - gh-135151: Avoid distributing modified :file:`pyconfig.h` in the traditional installer. Extension module builds must always specify ``Py_GIL_DISABLED`` when targeting the free-threaded runtime. Tests ----- - gh-135120: Add :func:`!test.support.subTests`. Library ------- - gh-133967: Do not normalize :mod:`locale` name 'C.UTF-8' to 'en_US.UTF-8'. - gh-135326: Restore support of integer-like objects with :meth:`!__index__` in :func:`random.getrandbits`. - gh-135321: Raise a correct exception for values greater than 0x7fffffff for the ``BINSTRING`` opcode in the C implementation of :mod:`pickle`. - gh-135276: Backported bugfixes in zipfile.Path from zipp 3.23. Fixed ``.name``, ``.stem`` and other basename-based properties on Windows when working with a zipfile on disk. - gh-134151: :mod:`email`: Fix :exc:`TypeError` in :func:`email.utils.decode_params` when sorting :rfc:`2231` continuations that contain an unnumbered section. - gh-134152: :mod:`email`: Fix parsing of email message ID with invalid domain. - gh-127081: Fix libc thread safety issues with :mod:`os` by replacing ``getlogin`` with ``getlogin_r`` re-entrant version. - gh-131884: Fix formatting issues in :func:`json.dump` when both *indent* and *skipkeys* are used. Core and Builtins ----------------- - gh-135171: Roll back changes to generator and list comprehensions that went into 3.13.4 to fix GH-127682, but which involved semantic and bytecode changes not appropriate for a bugfix release. C API ----- - gh-134989: Fix ``Py_RETURN_NONE``, ``Py_RETURN_TRUE`` and ``Py_RETURN_FALSE`` macros in the limited C API 3.11 and older: don't treat ``Py_None``, ``Py_True`` and ``Py_False`` as immortal. Patch by Victor Stinner. - gh-134989: Implement :c:func:`PyObject_DelAttr` and :c:func:`PyObject_DelAttrString` as macros in the limited C API 3.12 and older. Patch by Victor Stinner. What's New in Python 3.13.4 final? ================================== *Release date: 2025-06-03* Windows ------- - gh-130727: Fix a race in internal calls into WMI that can result in an "invalid handle" exception under high load. Patch by Chris Eibl. - gh-76023: Make :func:`os.path.realpath` ignore Windows error 1005 when in non-strict mode. - gh-133626: Ensures packages are not accidentally bundled into the traditional installer. - gh-133512: Add warnings to :ref:`launcher` about use of subcommands belonging to the Python install manager. Tests ----- - gh-133744: Fix multiprocessing interrupt test. Add an event to synchronize the parent process with the child process: wait until the child process starts sleeping. Patch by Victor Stinner. - gh-133639: Fix ``TestPyReplAutoindent.test_auto_indent_default()`` doesn't run ``input_code``. - gh-133131: The iOS testbed will now select the most recently released "SE-class" device for testing if a device isn't explicitly specified. - gh-109981: The test helper that counts the list of open file descriptors now uses the optimised ``/dev/fd`` approach on all Apple platforms, not just macOS. This avoids crashes caused by guarded file descriptors. Security -------- - gh-135034: Fixes multiple issues that allowed ``tarfile`` extraction filters (``filter="data"`` and ``filter="tar"``) to be bypassed using crafted symlinks and hard links. Addresses :cve:`2024-12718`, :cve:`2025-4138`, :cve:`2025-4330`, and :cve:`2025-4517`. - gh-133767: Fix use-after-free in the "unicode-escape" decoder with a non-"strict" error handler. - gh-128840: Short-circuit the processing of long IPv6 addresses early in :mod:`ipaddress` to prevent excessive memory consumption and a minor denial-of-service. Library ------- - gh-134718: :func:`ast.dump` now only omits ``None`` and ``[]`` values if they are default values. - gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address. - gh-134696: Built-in HACL* and OpenSSL implementations of hash function constructors now correctly accept the same *documented* named arguments. For instance, :func:`~hashlib.md5` could be previously invoked as ``md5(data=data)`` or ``md5(string=string)`` depending on the underlying implementation but these calls were not compatible. Patch by Bénédikt Tran. - gh-134210: :func:`curses.window.getch` now correctly handles signals. Patch by Bénédikt Tran. - gh-80334: :func:`multiprocessing.freeze_support` now checks for work on any "spawn" start method platform rather than only on Windows. - gh-114177: Fix :mod:`asyncio` to not close subprocess pipes which would otherwise error out when the event loop is already closed. - gh-134152: Fixed :exc:`UnboundLocalError` that could occur during :mod:`email` header parsing if an expected trailing delimiter is missing in some contexts. - gh-62184: Remove import of C implementation of :class:`io.FileIO` from Python implementation which has its own implementation - gh-133982: Emit :exc:`RuntimeWarning` in the Python implementation of :mod:`io` when the :term:`file-like object ` is not closed explicitly in the presence of multiple I/O layers. - gh-133890: The :mod:`tarfile` module now handles :exc:`UnicodeEncodeError` in the same way as :exc:`OSError` when cannot extract a member. - gh-134097: Fix interaction of the new :term:`REPL` and :option:`-X showrefcount <-X>` command line option. - gh-133889: The generated directory listing page in :class:`http.server.SimpleHTTPRequestHandler` now only shows the decoded path component of the requested URL, and not the query and fragment. - gh-134098: Fix handling paths that end with a percent-encoded slash (``%2f`` or ``%2F``) in :class:`http.server.SimpleHTTPRequestHandler`. - gh-134062: :mod:`ipaddress`: fix collisions in :meth:`~object.__hash__` for :class:`~ipaddress.IPv4Network` and :class:`~ipaddress.IPv6Network` objects. - gh-133745: In 3.13.3 we accidentally changed the signature of the asyncio ``create_task()`` family of methods and how it calls a custom task factory in a backwards incompatible way. Since some 3rd party libraries have already made changes to work around the issue that might break if we simply reverted the changes, we're instead changing things to be backwards compatible with 3.13.2 while still supporting those workarounds for 3.13.3. In particular, the special-casing of ``name`` and ``context`` is back (until 3.14) and consequently eager tasks may still find that their name hasn't been set before they execute their first yielding await. - gh-71253: Raise :exc:`ValueError` in :func:`open` if *opener* returns a negative file-descriptor in the Python implementation of :mod:`io` to match the C implementation. - gh-77057: Fix handling of invalid markup declarations in :class:`html.parser.HTMLParser`. - gh-133489: :func:`random.getrandbits` can now generate more that 2\ :sup:`31` bits. :func:`random.randbytes` can now generate more that 256 MiB. - gh-133290: Fix attribute caching issue when setting :attr:`ctypes._Pointer._type_` in the undocumented and deprecated :func:`!ctypes.SetPointerType` function and the undocumented :meth:`!set_type` method. - gh-132876: ``ldexp()`` on Windows doesn't round subnormal results before Windows 11, but should. Python's :func:`math.ldexp` wrapper now does round them, so results may change slightly, in rare cases of very small results, on Windows versions before 11. - gh-133089: Use original timeout value for :exc:`subprocess.TimeoutExpired` when the func :meth:`subprocess.run` is called with a timeout instead of sometimes a confusing partial remaining time out value used internally on the final ``wait()``. - gh-133009: :mod:`xml.etree.ElementTree`: Fix a crash in :meth:`Element.__deepcopy__ ` when the element is concurrently mutated. Patch by Bénédikt Tran. - gh-132995: Bump the version of pip bundled in ensurepip to version 25.1.1 - gh-132017: Fix error when ``pyrepl`` is suspended, then resumed and terminated. - gh-132673: Fix a crash when using ``_align_ = 0`` and ``_fields_ = []`` in a :class:`ctypes.Structure`. - gh-132527: Include the valid typecode 'w' in the error message when an invalid typecode is passed to :class:`array.array`. - gh-132439: Fix ``PyREPL`` on Windows: characters entered via AltGr are swallowed. Patch by Chris Eibl. - gh-132429: Fix support of Bluetooth sockets on NetBSD and DragonFly BSD. - gh-132106: :meth:`QueueListener.start ` now raises a :exc:`RuntimeError` if the listener is already started. - gh-132417: Fix a ``NULL`` pointer dereference when a C function called using :mod:`ctypes` with ``restype`` :class:`~ctypes.py_object` returns ``NULL``. - gh-132385: Fix instance error suggestions trigger potential exceptions in :meth:`object.__getattr__` in :mod:`traceback`. - gh-132308: A :class:`traceback.TracebackException` now correctly renders the ``__context__`` and ``__cause__`` attributes from :ref:`falsey ` :class:`Exception`, and the ``exceptions`` attribute from falsey :class:`ExceptionGroup`. - gh-132250: Fixed the :exc:`SystemError` in :mod:`cProfile` when locating the actual C function of a method raises an exception. - gh-132063: Prevent exceptions that evaluate as falsey (namely, when their ``__bool__`` method returns ``False`` or their ``__len__`` method returns 0) from being ignored by :class:`concurrent.futures.ProcessPoolExecutor` and :class:`concurrent.futures.ThreadPoolExecutor`. - gh-119605: Respect ``follow_wrapped`` for :meth:`!__init__` and :meth:`!__new__` methods when getting the class signature for a class with :func:`inspect.signature`. Preserve class signature after wrapping with :func:`warnings.deprecated`. Patch by Xuehai Pan. - gh-91555: Ignore log messages generated during handling of log messages, to avoid deadlock or infinite recursion. [NOTE: This change has since been reverted.] - gh-131434: Improve error reporting for incorrect format in :func:`time.strptime`. - gh-131127: Systems using LibreSSL now successfully build. - gh-130999: Avoid exiting the new REPL and offer suggestions even if there are non-string candidates when errors occur. - gh-130941: Fix :class:`configparser.ConfigParser` parsing empty interpolation with ``allow_no_value`` set to ``True``. - gh-129098: Fix REPL traceback reporting when using :func:`compile` with an inexisting file. Patch by Bénédikt Tran. - gh-130631: :func:`!http.cookiejar.join_header_words` is now more similar to the original Perl version. It now quotes the same set of characters and always quote values that end with ``"\n"``. - gh-129719: Fix missing :data:`!socket.CAN_RAW_ERR_FILTER` constant in the socket module on Linux systems. It was missing since Python 3.11. - gh-124096: Turn on virtual terminal mode and enable bracketed paste in REPL on Windows console. (If the terminal does not support bracketed paste, enabling it does nothing.) - gh-122559: Remove :meth:`!__reduce__` and :meth:`!__reduce_ex__` methods that always raise :exc:`TypeError` in the C implementation of :class:`io.FileIO`, :class:`io.BufferedReader`, :class:`io.BufferedWriter` and :class:`io.BufferedRandom` and replace them with default :meth:`!__getstate__` methods that raise :exc:`!TypeError`. This restores fine details of behavior of Python 3.11 and older versions. - gh-122179: :func:`hashlib.file_digest` now raises :exc:`BlockingIOError` when no data is available during non-blocking I/O. Before, it added spurious null bytes to the digest. - gh-86155: :meth:`html.parser.HTMLParser.close` no longer loses data when the ``