- Tests
- gh-135120: Add test.support.subTests().
- Library
- gh-133967: Do not normalize locale name ‘C.UTF-8’ to
‘en_US.UTF-8’.
- gh-135326: Restore support of integer-like objects with
__index__() in random.getrandbits().
- gh-135321: Raise a correct exception for values greater
than 0x7fffffff for the BINSTRING opcode in the C
implementation of pickle.
- gh-135276: Backported bugfixes in zipfile.Path from
zipp 3.23. Fixed .name, .stem and other basename-based
properties on Windows when working with a zipfile on disk.
- gh-134151: email: Fix TypeError in
email.utils.decode_params() when sorting RFC 2231
continuations that contain an unnumbered section.
- gh-134152: email: Fix parsing of email message ID with
invalid domain.
- gh-127081: Fix libc thread safety issues with os by
replacing getlogin with getlogin_r re-entrant version.
- gh-131884: Fix formatting issues in json.dump() when both
indent and skipkeys are used.
- Core and Builtins
- gh-135171: Roll back changes to generator and list
comprehensions that went into 3.13.4 to fix gh-127682,
but which involved semantic and bytecode changes not
appropriate for a bugfix release.
- C API
- gh-134989: Fix Py_RETURN_NONE, Py_RETURN_TRUE and
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=102
- Security
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
(bsc#1244059), CVE-2025-4330 (bsc#1244060), and
CVE-2025-4517 (bsc#1244032).
- gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516,
bsc#1243273).
- gh-128840: Short-circuit the processing of long IPv6
addresses early in ipaddress to prevent excessive memory
consumption and a minor denial-of-service.
- Library
- gh-134718: ast.dump() now only omits None and [] values if
they are default values.
- gh-128840: Fix parsing long IPv6 addresses with embedded
IPv4 address.
- gh-134696: Built-in HACL* and OpenSSL implementations of
hash function constructors now correctly accept the same
documented named arguments. For instance, md5() could be
previously invoked as md5(data=data) or md5(string=string)
depending on the underlying implementation but these calls
were not compatible. Patch by Bénédikt Tran.
- gh-134210: curses.window.getch() now correctly handles
signals. Patch by Bénédikt Tran.
- gh-80334: multiprocessing.freeze_support() now checks for
work on any “spawn” start method platform rather than only
on Windows.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=100
- Tools/Demos
- gh-131852: msgfmt no longer adds the POT-Creation-Date to
generated .mo files for consistency with GNU msgfmt.
- gh-85012: Correctly reset msgctxt when compiling messages
in msgfmt.
- gh-130025: The iOS testbed now correctly handles symlinks
used as Python framework references.
- Tests
- gh-131050: test_ssl.test_dh_params is skipped if the
underlying TLS library does not support finite-field
ephemeral Diffie-Hellman.
- gh-129200: Multiple iOS testbed runners can now be started
at the same time without introducing an ambiguity over
simulator ownership.
- gh-130292: The iOS testbed will now run successfully on a
machine that has not previously run Xcode tests (such as CI
configurations).
- gh-130293: The tests of terminal colorization are no longer
sensitive to the value of the TERM variable in the testing
environment.
- gh-126332: Add unit tests for pyrepl.
- Security
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-127371: Avoid unbounded buffering for
tempfile.SpooledTemporaryFile.writelines(). Previously,
disk spillover was only checked after the lines iterator
had been exhausted. This is now done after each line is
written.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=87
- Tools/Demos
- gh-128152: Fix a bug where Argument Clinic’s C
pre-processor parser tried to parse pre-processor
directives inside C comments. Patch by Erlend Aasland.
- Tests
- gh-127906: Test the limited C API in test_cppext. Patch by
Victor Stinner.
- gh-127637: Add tests for the dis command-line
interface. Patch by Bénédikt Tran.
- gh-126925: iOS test results are now streamed during test
execution, and the deprecated xcresulttool is no longer
used.
- Security
- gh-105704: When using urllib.parse.urlsplit() and
urllib.parse.urlparse() host parsing would not reject
domain names containing square brackets ([ and ]). Square
brackets are only valid for IPv6 and IPvFuture hosts
according to RFC 3986 Section 3.2.2. (CVE-2025-0938,
bsc#1236705)
- gh-127655: Fixed the
asyncio.selector_events._SelectorSocketTransport
transport not pausing writes for the protocol when
the buffer reaches the high water mark when using
asyncio.WriteTransport.writelines() (CVE-2024-12254,
bsc#1234290).
- gh-126108: Fix a possible NULL pointer dereference in
PySys_AddWarnOptionUnicode().
- gh-80222: Fix bug in the folding of quoted strings
when flattening an email message using a modern email
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=76
- Tools/Demos
- gh-126807: Fix extraction warnings in pygettext.py caused
by mistaking function definitions for function calls.
- gh-126167: The iOS testbed was modified so that it can be
used by third-party projects for testing purposes.
- Tests
- gh-126909: Fix test_os extended attribute tests to work on
filesystems with 1 KiB xattr size limit.
- gh-125041: Re-enable skipped tests for zlib on the
s390x architecture: only skip checks of the compressed
bytes, which can be different between zlib’s software
implementation and the hardware-accelerated implementation.
- gh-124295: Add translation tests to the argparse module.
- Security
- gh-126623: Upgrade libexpat to 2.6.4
- gh-125140: Remove the current directory from sys.path when
using PyREPL.
- gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
consistently use the mapped IPv4 address value for deciding
properties. Properties which have their behavior fixed are
is_multicast, is_reserved, is_link_local, is_global, and
is_unspecified.
- Library
- gh-127321: pdb.set_trace() will not stop at an opcode that
does not have an associated line number anymore.
- gh-127303: Publicly expose EXACT_TOKEN_TYPES in
token.__all__.
- gh-123967: Fix faulthandler for trampoline frames. If the
top-most frame is a trampoline frame, skip it. Patch by
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=70
Major new features of the 3.13 series, compared to 3.12
Some of the new major new features and changes in Python 3.13 are:
- New features
- A new and improved interactive interpreter, based on
PyPy's, featuring multi-line editing and color support, as
well as colorized exception tracebacks.
- An experimental free-threaded build mode, which disables
the Global Interpreter Lock, allowing threads to run
more concurrently. The build mode is available as an
experimental feature in the Windows and macOS installers as
well.
- A preliminary, experimental JIT, providing the ground work
for significant performance improvements.
- The locals() builtin function (and its C equivalent)
now has well-defined semantics when mutating the
returned mapping, which allows debuggers to operate more
consistently.
- A modified version of mimalloc is now included, optional
but enabled by default if supported by the platform, and
required for the free-threaded build mode.
- Docstrings now have their leading indentation stripped,
reducing memory use and the size of .pyc files. (Most tools
handling docstrings already strip leading indentation.)
- The dbm module has a new dbm.sqlite3 backend that is used
by default when creating new files.
- WASI is now a Tier 2 supported platform. Emscripten is
no longer an officially supported platform (but Pyodide
continues to support Emscripten).
- Typing
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=56
- The most important change is rolling back the incremental
cyclic garbage collector (GC), which was added in one of
the alpha releases. The incremental GC had more significant
performance regressions in specific workloads than we
expected.
- Tests
- gh-124378: Updated test_ttk to pass with Tcl/Tk 8.6.15.
- Library
- gh-124538: Fixed crash when using gc.get_referents() on a
capsule object.
- gh-124498: Fix typing.TypeAliasType not to be generic, when
type_params is an empty tuple.
- gh-123017: Due to unreliable results on some devices,
time.strftime() no longer accepts negative years on
Android.
- gh-123014: os.pidfd_open() and signal.pidfd_send_signal()
are now unavailable when building against Android API
levels older than 31, since the underlying system calls may
cause a crash.
- gh-124248: Fixed potential crash when using struct to
process zero-width ‘Pascal string’ fields (0p).
- gh-87041: Fix a bug in argparse where lengthy subparser
argument help is incorrectly indented.
- gh-124212: Fix invalid variable in venv handling of failed
symlink on Windows
- gh-124171: Add workaround for broken fmod() implementations
on Windows, that loose zero sign (e.g. fmod(-10, 1) returns
0.0). Patch by Sergey B Kirpichev.
- gh-123934: Fix unittest.mock.MagicMock reseting magic
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=51
- Tools/Demos
- gh-123418: Update GitHub CI workflows to use OpenSSL 3.0.15
and multissltests to use 3.0.15, 3.1.7, and 3.2.3.
- Tests
- gh-119727: Add --single-process command line option to
Python test runner (regrtest). Patch by Victor Stinner.
- gh-101525: Skip test_gdb if the binary is relocated by
BOLT. Patch by Donghee Na.
- Security
- gh-123678: Upgrade libexpat to 2.6.3
- gh-121285: Remove backtracking from tarfile header parsing
for hdrcharset, PAX, and GNU sparse headers (bsc#1230227,
CVE-2024-6232).
- Library
- gh-123448: Fixed memory leak of typing.NoDefault by moving
it to the static types array.
- gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
according to RFC 3596, §2.5. Patch by Bénédikt Tran.
- gh-123270: Applied a more surgical fix for malformed
payloads in zipfile.Path causing infinite loops (gh-122905)
without breaking contents using legitimate characters
(bsc#1229704, CVE-2024-8088).
- gh-123228: Fix return type for
_pyrepl.readline._ReadlineWrapper.get_line_buffer() to be
str(). Patch by Sergey B Kirpichev.
- gh-123240: Raise audit events for the input() in the new
REPL.
- gh-123243: Fix memory leak in _decimal.
- gh-122546: Consistently use same file name for different
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=46
- Tests
- gh-59022: Add tests for pkgutil.extend_path(). Patch by
Andreas Stocker.
- gh-99242: os.getloadavg() may throw OSError when
running regression tests under certain conditions (e.g.
chroot). This error is now caught and ignored, since
reporting load average is optional.
- Security
- gh-122133: Authenticate the socket connection for the
socket.socketpair() fallback on platforms where AF_UNIX is
not available like Windows.
- Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson
<seth@python.org>. Reported by Ellie <el@horse64.org>
- gh-121957: Fixed missing audit events around interactive
use of Python, now also properly firing for python -i, as
well as for python -m asyncio. The events in question are
cpython.run_stdin and cpython.run_startup.
- Library
- gh-122400: Handle ValueErrors raised by os.stat() in
filecmp.dircmp and filecmp.cmpfiles(). Patch by Bénédikt
Tran.
- gh-122311: Fix some error messages in pickle.
- gh-122332: Fixed segfault with asyncio.Task.get_coro() when
using an eager task factory.
- gh-105733: ctypes.ARRAY() is now soft deprecated: it no
longer emits deprecation warnings and is not scheduled for
removal.
- gh-122087: Restore inspect.ismethoddescriptor() and
inspect.isroutine() returning False for functools.partial
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=31
- Tests
- gh-121084: Fix test_typing random leaks. Clear typing ABC
caches when running tests for refleaks (-R option): call
_abc_caches_clear() on typing abstract classes and their
subclasses.
- gh-121160: Add a test for
readline.set_history_length(). Note that this test may fail
on readline libraries.
- gh-121200: Fix test_expanduser_pwd2() of
test_posixpath. Call getpwnam() to get pw_dir, since it
can be different than getpwall() pw_dir.
- gh-121188: When creating the JUnit XML file, regrtest
now escapes characters which are invalid in XML, such
as the chr(27) control character used in ANSI escape
sequences.
- Library
- gh-57141: The shallow argument to filecmp.dircmp (new in
Python 3.13) is now keyword-only.
- gh-121245: Simplify handling of the history file in
site.register_readline() helper. The CAN_USE_PYREPL
variable now will be initialized, when imported.
- gh-121332: Fix constructor of ast nodes with custom
_attributes. Previously, passing custom attributes would
raise a DeprecationWarning. Passing arguments to the
constructor that are not in _fields or _attributes remains
deprecated.
- gh-121279: Avoid NameError for the warnings module when
accessing the depracated atributes of the importlib.abc
module.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=26
- move pathlib to -base
- move _pyrepl to -base (used by pydoc which is in base)
- fix import-mapping
- restrict PEP668 to ALP/Tumbleweed
* Support Expat >= 2.4.5
- allow build with Sphinx >= 3.x
* remove importlib_resources and importlib-metadata
- bpo-41304: Fixes python3x._pth being ignored on Windows, caused
- bpo-29778: Ensure python3.dll is loaded from correct locations
- bpo-39603: Prevent http header injection by rejecting control
“__setattr__” in a multi-inheritance setup and
- bpo-41247: Always cache the running loop holder when running
- bpo-41252: Fix incorrect refcounting in
- bpo-41215: Use non-NULL default values in the PEG parser
- bpo-41218: Python 3.8.3 had a regression where compiling with
ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
- bpo-41175: Guard against a NULL pointer dereference within
- bpo-39960: The “hackcheck” that prevents sneaking around a type’s
__setattr__() by calling the superclass method was
- bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
- bpo-39017: Avoid infinite loop when reading specially crafted
- bpo-41207: In distutils.spawn, restore expectation that
- bpo-41194: Fix a crash in the _ast module: it can no longer be
- bpo-39384: Fixed email.contentmanager to allow set_content() to set a
- bpo-41300: Save files with non-ascii chars.
- bpo-37765: Add keywords to module name completion list.
- bpo-40170: Revert PyType_HasFeature() change: it reads
again directly the PyTypeObject.tp_flags
member when the limited C API is not used, rather than always calling
OBS-URL: https://build.opensuse.org/request/show/1184193
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=20
