Python 3.13.6 final
Release date: 2025-08-06
- Tools/Demos
- gh-135968: Stubs for strip are now provided as part of an
iOS install.
- Tests
- gh-135966: The iOS testbed now handles the app_packages
folder as a site directory.
- gh-135494: Fix regrtest to support excluding tests from
--pgo tests. Patch by Victor Stinner.
- gh-135489: Show verbose output for failing tests during PGO
profiling step with –enable-optimizations.
- Security
- gh-135661: Fix parsing start and end tags in
html.parser.HTMLParser according to the HTML5 standard.
- Whitespaces no longer accepted between </ and the tag
name. E.g. </ script> does not end the script section.
- Vertical tabulation (\v) and non-ASCII whitespaces no
longer recognized as whitespaces. The only whitespaces
are \t\n\r\f and space.
- Null character (U+0000) no longer ends the tag name.
- Attributes and slashes after the tag name in end tags
are now ignored, instead of terminating after the first
> in quoted attribute value. E.g. </script/foo=">"/>.
- Multiple slashes and whitespaces between the last
attribute and closing > are now ignored in both start
and end tags. E.g. <a foo=bar/ //>.
- Multiple = between attribute name and value are no
longer collapsed. E.g. <a foo==bar> produces attribute
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=115
- Tests
- gh-135120: Add test.support.subTests().
- Library
- gh-133967: Do not normalize locale name ‘C.UTF-8’ to
‘en_US.UTF-8’.
- gh-135326: Restore support of integer-like objects with
__index__() in random.getrandbits().
- gh-135321: Raise a correct exception for values greater
than 0x7fffffff for the BINSTRING opcode in the C
implementation of pickle.
- gh-135276: Backported bugfixes in zipfile.Path from
zipp 3.23. Fixed .name, .stem and other basename-based
properties on Windows when working with a zipfile on disk.
- gh-134151: email: Fix TypeError in
email.utils.decode_params() when sorting RFC 2231
continuations that contain an unnumbered section.
- gh-134152: email: Fix parsing of email message ID with
invalid domain.
- gh-127081: Fix libc thread safety issues with os by
replacing getlogin with getlogin_r re-entrant version.
- gh-131884: Fix formatting issues in json.dump() when both
indent and skipkeys are used.
- Core and Builtins
- gh-135171: Roll back changes to generator and list
comprehensions that went into 3.13.4 to fix gh-127682,
but which involved semantic and bytecode changes not
appropriate for a bugfix release.
- C API
- gh-134989: Fix Py_RETURN_NONE, Py_RETURN_TRUE and
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=102
- Security
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
(bsc#1244059), CVE-2025-4330 (bsc#1244060), and
CVE-2025-4517 (bsc#1244032).
- gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516,
bsc#1243273).
- gh-128840: Short-circuit the processing of long IPv6
addresses early in ipaddress to prevent excessive memory
consumption and a minor denial-of-service.
- Library
- gh-134718: ast.dump() now only omits None and [] values if
they are default values.
- gh-128840: Fix parsing long IPv6 addresses with embedded
IPv4 address.
- gh-134696: Built-in HACL* and OpenSSL implementations of
hash function constructors now correctly accept the same
documented named arguments. For instance, md5() could be
previously invoked as md5(data=data) or md5(string=string)
depending on the underlying implementation but these calls
were not compatible. Patch by Bénédikt Tran.
- gh-134210: curses.window.getch() now correctly handles
signals. Patch by Bénédikt Tran.
- gh-80334: multiprocessing.freeze_support() now checks for
work on any “spawn” start method platform rather than only
on Windows.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=100
- Tools/Demos
- gh-131852: msgfmt no longer adds the POT-Creation-Date to
generated .mo files for consistency with GNU msgfmt.
- gh-85012: Correctly reset msgctxt when compiling messages
in msgfmt.
- gh-130025: The iOS testbed now correctly handles symlinks
used as Python framework references.
- Tests
- gh-131050: test_ssl.test_dh_params is skipped if the
underlying TLS library does not support finite-field
ephemeral Diffie-Hellman.
- gh-129200: Multiple iOS testbed runners can now be started
at the same time without introducing an ambiguity over
simulator ownership.
- gh-130292: The iOS testbed will now run successfully on a
machine that has not previously run Xcode tests (such as CI
configurations).
- gh-130293: The tests of terminal colorization are no longer
sensitive to the value of the TERM variable in the testing
environment.
- gh-126332: Add unit tests for pyrepl.
- Security
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-127371: Avoid unbounded buffering for
tempfile.SpooledTemporaryFile.writelines(). Previously,
disk spillover was only checked after the lines iterator
had been exhausted. This is now done after each line is
written.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=87
- Tools/Demos
- gh-128152: Fix a bug where Argument Clinic’s C
pre-processor parser tried to parse pre-processor
directives inside C comments. Patch by Erlend Aasland.
- Tests
- gh-127906: Test the limited C API in test_cppext. Patch by
Victor Stinner.
- gh-127637: Add tests for the dis command-line
interface. Patch by Bénédikt Tran.
- gh-126925: iOS test results are now streamed during test
execution, and the deprecated xcresulttool is no longer
used.
- Security
- gh-105704: When using urllib.parse.urlsplit() and
urllib.parse.urlparse() host parsing would not reject
domain names containing square brackets ([ and ]). Square
brackets are only valid for IPv6 and IPvFuture hosts
according to RFC 3986 Section 3.2.2. (CVE-2025-0938,
bsc#1236705)
- gh-127655: Fixed the
asyncio.selector_events._SelectorSocketTransport
transport not pausing writes for the protocol when
the buffer reaches the high water mark when using
asyncio.WriteTransport.writelines() (CVE-2024-12254,
bsc#1234290).
- gh-126108: Fix a possible NULL pointer dereference in
PySys_AddWarnOptionUnicode().
- gh-80222: Fix bug in the folding of quoted strings
when flattening an email message using a modern email
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=76
- Tools/Demos
- gh-126807: Fix extraction warnings in pygettext.py caused
by mistaking function definitions for function calls.
- gh-126167: The iOS testbed was modified so that it can be
used by third-party projects for testing purposes.
- Tests
- gh-126909: Fix test_os extended attribute tests to work on
filesystems with 1 KiB xattr size limit.
- gh-125041: Re-enable skipped tests for zlib on the
s390x architecture: only skip checks of the compressed
bytes, which can be different between zlib’s software
implementation and the hardware-accelerated implementation.
- gh-124295: Add translation tests to the argparse module.
- Security
- gh-126623: Upgrade libexpat to 2.6.4
- gh-125140: Remove the current directory from sys.path when
using PyREPL.
- gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
consistently use the mapped IPv4 address value for deciding
properties. Properties which have their behavior fixed are
is_multicast, is_reserved, is_link_local, is_global, and
is_unspecified.
- Library
- gh-127321: pdb.set_trace() will not stop at an opcode that
does not have an associated line number anymore.
- gh-127303: Publicly expose EXACT_TOKEN_TYPES in
token.__all__.
- gh-123967: Fix faulthandler for trampoline frames. If the
top-most frame is a trampoline frame, skip it. Patch by
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=70
Major new features of the 3.13 series, compared to 3.12
Some of the new major new features and changes in Python 3.13 are:
- New features
- A new and improved interactive interpreter, based on
PyPy's, featuring multi-line editing and color support, as
well as colorized exception tracebacks.
- An experimental free-threaded build mode, which disables
the Global Interpreter Lock, allowing threads to run
more concurrently. The build mode is available as an
experimental feature in the Windows and macOS installers as
well.
- A preliminary, experimental JIT, providing the ground work
for significant performance improvements.
- The locals() builtin function (and its C equivalent)
now has well-defined semantics when mutating the
returned mapping, which allows debuggers to operate more
consistently.
- A modified version of mimalloc is now included, optional
but enabled by default if supported by the platform, and
required for the free-threaded build mode.
- Docstrings now have their leading indentation stripped,
reducing memory use and the size of .pyc files. (Most tools
handling docstrings already strip leading indentation.)
- The dbm module has a new dbm.sqlite3 backend that is used
by default when creating new files.
- WASI is now a Tier 2 supported platform. Emscripten is
no longer an officially supported platform (but Pyodide
continues to support Emscripten).
- Typing
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=56
- The most important change is rolling back the incremental
cyclic garbage collector (GC), which was added in one of
the alpha releases. The incremental GC had more significant
performance regressions in specific workloads than we
expected.
- Tests
- gh-124378: Updated test_ttk to pass with Tcl/Tk 8.6.15.
- Library
- gh-124538: Fixed crash when using gc.get_referents() on a
capsule object.
- gh-124498: Fix typing.TypeAliasType not to be generic, when
type_params is an empty tuple.
- gh-123017: Due to unreliable results on some devices,
time.strftime() no longer accepts negative years on
Android.
- gh-123014: os.pidfd_open() and signal.pidfd_send_signal()
are now unavailable when building against Android API
levels older than 31, since the underlying system calls may
cause a crash.
- gh-124248: Fixed potential crash when using struct to
process zero-width ‘Pascal string’ fields (0p).
- gh-87041: Fix a bug in argparse where lengthy subparser
argument help is incorrectly indented.
- gh-124212: Fix invalid variable in venv handling of failed
symlink on Windows
- gh-124171: Add workaround for broken fmod() implementations
on Windows, that loose zero sign (e.g. fmod(-10, 1) returns
0.0). Patch by Sergey B Kirpichev.
- gh-123934: Fix unittest.mock.MagicMock reseting magic
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=51
- Tools/Demos
- gh-123418: Update GitHub CI workflows to use OpenSSL 3.0.15
and multissltests to use 3.0.15, 3.1.7, and 3.2.3.
- Tests
- gh-119727: Add --single-process command line option to
Python test runner (regrtest). Patch by Victor Stinner.
- gh-101525: Skip test_gdb if the binary is relocated by
BOLT. Patch by Donghee Na.
- Security
- gh-123678: Upgrade libexpat to 2.6.3
- gh-121285: Remove backtracking from tarfile header parsing
for hdrcharset, PAX, and GNU sparse headers (bsc#1230227,
CVE-2024-6232).
- Library
- gh-123448: Fixed memory leak of typing.NoDefault by moving
it to the static types array.
- gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
according to RFC 3596, §2.5. Patch by Bénédikt Tran.
- gh-123270: Applied a more surgical fix for malformed
payloads in zipfile.Path causing infinite loops (gh-122905)
without breaking contents using legitimate characters
(bsc#1229704, CVE-2024-8088).
- gh-123228: Fix return type for
_pyrepl.readline._ReadlineWrapper.get_line_buffer() to be
str(). Patch by Sergey B Kirpichev.
- gh-123240: Raise audit events for the input() in the new
REPL.
- gh-123243: Fix memory leak in _decimal.
- gh-122546: Consistently use same file name for different
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=46
