Security
- gh-142145: Remove quadratic behavior in xml.minidom node ID
cache clearing.
- gh-119452: Fix a potential memory denial of service in the
http.server module. When a malicious user is connected to the
CGI server on Windows, it could cause an arbitrary amount of
memory to be allocated. This could have led to symptoms
including a MemoryError, swapping, out of memory (OOM) killed
processes or containers, or even system crashes.
Library
- gh-140797: Revert changes to the undocumented re.Scanner
class. Capturing groups are still allowed for backward
compatibility, although using them can lead to incorrect
result. They will be forbidden in future Python versions.
- gh-142206: The resource tracker in the multiprocessing module
now uses the original communication protocol, as in Python
3.14.0 and below, by default. This avoids issues with
upgrading Python while it is running. (Note that such
‘in-place’ upgrades are not tested.) The tracker remains
compatible with subprocesses that use new protocol (that is,
subprocesses using Python 3.13.10, 3.14.1 and 3.15).
- gh-142214: Fix two regressions in dataclasses in Python
3.14.1 related to annotations. An exception is no longer
raised if slots=True is used and the __init__ method does not
have an __annotate__ attribute (likely because init=False was
used). An exception is no longer raised if annotations are
requested on the __init__ method and one of the fields is not
present in the class annotations. This can occur in certain
dynamic scenarios. Patch by Jelle Zijlstra.
Core and Builtins
- gh-142218: Fix crash when inserting into a split table
dictionary with a non str key that matches an existing key.
- gh-116738: Fix cmath data race when initializing
trigonometric tables with subinterpreters.
* Update to 3.14.1:
Tools/Demos
- gh-141692: Each slice of an iOS XCframework now contains
a lib folder that contains a symlink to the libpython dylib.
This allows binary modules to be compiled for iOS using
dynamic libreary linking, rather than Framework linking.
- gh-141442: The iOS testbed now correctly handles test
arguments that contain spaces.
- gh-140702: The iOS testbed app will now expose the
GITHUB_ACTIONS environment variable to iOS apps being tested.
- gh-137484: Have Tools/wasm/wasi put the build Python into
a directory named after the build triple instead of “build”.
- gh-137248: Add a --logdir option to Tools/wasm/wasi for
specifying where to write log files.
- gh-137243: Have Tools/wasm/wasi detect a WASI SDK install in
/opt when it was directly extracted from a release tarball.
Tests
- gh-140482: Preserve and restore the state of stty echo as
part of the test environment.
- gh-140082: Update python -m test to set FORCE_COLOR=1 when
being run with color enabled so that unittest which is run by
it with redirected output will output in color.
- gh-139208: Fix regrtest --fast-ci --verbose: don’t ignore the
--verbose option anymore. Patch by Victor Stinner.
- gh-136442: Use exitcode 1 instead of 5 if
unittest.TestCase.setUpClass() raises an exception
Security
- gh-139700: Check consistency of the zip64 end of central
directory record. Support records with “zip64 extensible
data” if there are no bytes prepended to the ZIP file.
- gh-139283: sqlite3: correctly handle maximum number of rows
to fetch in Cursor.fetchmany and reject negative values for
Cursor.arraysize. Patch by Bénédikt Tran. (CVE-2025-8291,
bsc#1251305)
- gh-137836: Add support of the “plaintext” element, RAWTEXT
elements “xmp”, “iframe”, “noembed” and “noframes”, and
optionally RAWTEXT element “noscript” in
html.parser.HTMLParser.
- gh-136063: email.message: ensure linear complexity for legacy
HTTP parameters parsing. Patch by Bénédikt Tran.
- gh-136065: Fix quadratic complexity in os.path.expandvars()
(CVE-2025-6075, bsc#1252974)
- gh-119451: Fix a potential memory denial of service in the
http.client module. When connecting to a malicious server, it
could cause an arbitrary amount of memory to be allocated.
This could have led to symptoms including a MemoryError,
swapping, out of memory (OOM) killed processes or containers,
or even system crashes (CVE-2025-13836, bsc#1254400)
- gh-119342: Fix a potential memory denial of service in the
plistlib module. When reading a Plist file received from
untrusted source, it could cause an arbitrary amount of
memory to be allocated. This could have led to symptoms
including a MemoryError, swapping, out of memory (OOM) killed
processes or containers, or even system crashes
(CVE-2025-13837, bsc#1254401).
Library
- gh-74389: When the stdin being used by a subprocess.Popen
instance is closed, this is now ignored in
subprocess.Popen.communicate() instead of leaving the class
in an inconsistent state.
- gh-87512: Fix subprocess.Popen.communicate() timeout handling
on Windows when writing large input. Previously, the timeout
was ignored during stdin writing, causing the method to block
indefinitely if the child process did not consume input
quickly. The stdin write is now performed in a background
thread, allowing the timeout to be properly enforced.
- gh-141473: When subprocess.Popen.communicate() was called
with input and a timeout and is called for a second time
after a TimeoutExpired exception before the process has died,
it should no longer hang.
- gh-59000: Fix pdb breakpoint resolution for class methods
when the module defining the class is not imported.
- gh-141570: Support file-like object raising OSError from
fileno() in color detection (_colorize.can_colorize()). This
can occur when sys.stdout is redirected.
- gh-141659: Fix bad file descriptor errors from
_posixsubprocess on AIX.
- gh-141600: Fix musl version detection on Void Linux.
- gh-141497: ipaddress: ensure that the methods
IPv4Network.hosts() and IPv6Network.hosts() always return an
iterator.
- gh-140938: The statistics.stdev() and statistics.pstdev()
functions now raise a ValueError when the input contains an
infinity or a NaN.
- gh-124111: Updated Tcl threading configuration in _tkinter to
assume that threads are always available in Tcl 9 and later.
- gh-137109: The os.fork and related forking APIs will no
longer warn in the common case where Linux or macOS platform
APIs return the number of threads in a process and find the
answer to be 1 even when a os.register_at_fork()
after_in_parent= callback (re)starts a thread.
- gh-141314: Fix assertion failure in io.TextIOWrapper.tell()
when reading files with standalone carriage return (\r) line
endings.
- gh-141311: Fix assertion failure in io.BytesIO.readinto() and
undefined behavior arising when read position is above
capcity in io.BytesIO.
- gh-141141: Fix a thread safety issue with base64.b85decode().
Contributed by Benel Tayar.
- gh-137969: Fix annotationlib.ForwardRef.evaluate() returning
ForwardRef objects which don’t update with new globals.
- gh-140911: collections: Ensure that the methods
UserString.rindex() and UserString.index() accept
collections.UserString instances as the sub argument.
- gh-140797: The undocumented re.Scanner class now forbids
regular expressions containing capturing groups in its
lexicon patterns. Patterns using capturing groups could
previously lead to crashes with segmentation fault. Use
non-capturing groups (?:…) instead.
- gh-125115: Refactor the pdb parsing issue so positional
arguments can pass through intuitively.
- gh-140815: faulthandler now detects if a frame or a code
object is invalid or freed. Patch by Victor Stinner.
- gh-100218: Correctly set errno when socket.if_nametoindex()
or socket.if_indextoname() raise an OSError. Patch by
Bénédikt Tran.
- gh-140875: Fix handling of unclosed character references
(named and numerical) followed by the end of file in
html.parser.HTMLParser with convert_charrefs=False.
- gh-140734: multiprocessing: fix off-by-one error when
checking the length of a temporary socket file path. Patch by
Bénédikt Tran.
- gh-140874: Bump the version of pip bundled in ensurepip to
version 25.3
- gh-140691: In urllib.request, when opening a FTP URL fails
because a data connection cannot be made, the control
connection’s socket is now closed to avoid a ResourceWarning.
- gh-103847: Fix hang when cancelling process created by
asyncio.create_subprocess_exec() or
asyncio.create_subprocess_shell(). Patch by Kumar Aditya.
- gh-120057: Add os.reload_environ() to os.__all__.
- gh-140228: Avoid making unnecessary filesystem calls for
frozen modules in linecache when the global module cache is
not present.
- gh-140590: Fix arguments checking for the
functools.partial.__setstate__() that may lead to internal
state corruption and crash. Patch by Sergey Miryanov.
- gh-125434: Display thread name in faulthandler on Windows.
Patch by Victor Stinner.
- gh-140634: Fix a reference counting bug in
os.sched_param.__reduce__().
- gh-140633: Ignore AttributeError when setting a module’s
__file__ attribute when loading an extension module packaged
as Apple Framework.
- gh-140593: xml.parsers.expat: Fix a memory leak that could
affect users with ElementDeclHandler() set to a custom
element declaration handler. Patch by Sebastian Pipping.
- gh-140607: Inside io.RawIOBase.read(), validate that the
count of bytes returned by io.RawIOBase.readinto() is valid
(inside the provided buffer).
- gh-138162: Fix logging.LoggerAdapter with merge_extra=True
and without the extra argument.
- gh-138774: ast.unparse() now generates full source code when
handling ast.Interpolation nodes that do not have a specified
source.
- gh-140474: Fix memory leak in array.array when creating
arrays from an empty str and the u type code.
- gh-137530: dataclasses Fix annotations for generated __init__
methods by replacing the annotations that were in-line in the
generated source code with __annotate__ functions attached to
the methods.
- gh-140348: Fix regression in Python 3.14.0 where using the
| operator on a typing.Union object combined with an object
that is not a type would raise an error.
- gh-140272: Fix memory leak in the clear() method of the
dbm.gnu database.
- gh-140041: Fix import of ctypes on Android and Cygwin when
ABI flags are present.
- gh-140120: Fixed a memory leak in hmac when it was using the
hacl-star backend. Discovered by @ashm-dev using
AddressSanitizer.
- gh-139905: Add suggestion to error message for typing.Generic
subclasses when cls.__parameters__ is missing due to a parent
class failing to call super().__init_subclass__() in its
__init_subclass__.
- gh-139894: Fix incorrect sharing of current task with the
child process while forking in asyncio. Patch by Kumar
Aditya.
- gh-139845: Fix to not print KeyboardInterrupt twice in
default asyncio REPL.
- gh-139783: Fix inspect.getsourcelines() for the case when
a decorator is followed by a comment or an empty line.
- gh-139809: Prevent premature colorization of subparser prog
in argparse.ArgumentParser.add_subparsers() to respect color
environment variable changes after parser creation.
- gh-139736: Fix excessive indentation in the default argparse
HelpFormatter. Patch by Alexander Edland.
- gh-70765: http.server: fix default handling of HTTP/0.9
requests in BaseHTTPRequestHandler. Previously,
BaseHTTPRequestHandler.parse_request() incorrectly waited for
headers in the request although those are not supported in
HTTP/0.9. Patch by Bénédikt Tran.
- gh-63161: Fix tokenize.detect_encoding(). Support non-UTF-8
shebang and comments if non-UTF-8 encoding is specified.
Detect decoding error for non-UTF-8 encoding. Detect null
bytes in source code.
- gh-139391: Fix an issue when, on non-Windows platforms, it
was not possible to gracefully exit a python -m asyncio
process suspended by Ctrl+Z and later resumed by fg other
than with kill.
- gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004',
'euc_jisx0213' and 'euc_jis_2004' codecs truncating null
chars as they were treated as part of multi-character
sequences.
- gh-139289: Do a real lazy-import on rlcompleter in pdb and
restore the existing completer after importing rlcompleter.
- gh-139246: fix: paste zero-width in default repl width is
wrong.
- gh-90949: Add SetAllocTrackerActivationThreshold() and
SetAllocTrackerMaximumAmplification() to xmlparser objects to
prevent use of disproportional amounts of dynamic memory from
within an Expat parser. Patch by Bénédikt Tran.
- gh-139210: Fix use-after-free when reporting unknown event in
xml.etree.ElementTree.iterparse(). Patch by Ken Jin.
- gh-138860: Lazy import rlcompleter in pdb to avoid deadlock
in subprocess.
- gh-112729: Fix crash when calling
concurrent.interpreters.create() when the process is out of
memory.
- gh-135729: Fix unraisable exception during finalization when
using concurrent.interpreters in the REPL.
- gh-139076: Fix a bug in the pydoc module that was hiding
functions in a Python module if they were implemented in an
extension module and the module did not have __all__.
- gh-139065: Fix trailing space before a wrapped long word if
the line length is exactly width in textwrap.
- gh-139001: Fix race condition in pathlib.Path on the internal
_raw_paths field.
- gh-138813: multiprocessing.BaseProcess defaults kwargs to
None instead of a shared dictionary.
- gh-138993: Dedent credits text.
- gh-138891: Fix SyntaxError when inspect.get_annotations(f,
eval_str=True) is called on a function annotated with a PEP
646 star_expression
- gh-130567: Fix possible crash in locale.strxfrm() due to
a platform bug on macOS.
- gh-138859: Fix generic type parameterization raising
a TypeError when omitting a ParamSpec that has a default
which is not a list of types.
- gh-138764: Prevent annotationlib.call_annotate_function()
from calling __annotate__ functions that don’t support
VALUE_WITH_FAKE_GLOBALS in a fake globals namespace with
empty globals. Make FORWARDREF and STRING annotations fall
back to using VALUE annotations in the case that neither
their own format, nor VALUE_WITH_FAKE_GLOBALS are supported.
- gh-138775: Use of python -m with base64 has been fixed to
detect input from a terminal so that it properly notices EOF.
- gh-138779: Support device numbers larger than 2**63-1 for the
st_rdev field of the os.stat_result structure.
- gh-137706: Fix the partial evaluation of annotations that use
typing.Annotated[T, x] where T is a forward reference.
- gh-88375: Fix normalization of the robots.txt rules and URLs
in the urllib.robotparser module. No longer ignore trailing
?. Distinguish raw special characters ?, = and & from the
percent-encoded ones.
- gh-111788: Fix parsing errors in the urllib.robotparser
module. Don’t fail trying to parse weird paths. Don’t fail
trying to decode non-UTF-8 robots.txt files.
- gh-98896: Fix a failure in multiprocessing resource_tracker
when SharedMemory names contain colons. Patch by Rani
Pinchuk.
- gh-138425: Fix partial evaluation of annotationlib.ForwardRef
objects which rely on names defined as globals.
- gh-138432: zoneinfo.reset_tzpath() will now convert any
os.PathLike objects it receives into strings before adding
them to TZPATH. It will raise TypeError if anything other
than a string is found after this conversion. If given an
os.PathLike object that represents a relative path, it will
now raise ValueError instead of TypeError, and present a more
informative error message.
- gh-138008: Fix segmentation faults in the ctypes module due
to invalid argtypes. Patch by Dung Nguyen.
- gh-60462: Fix locale.strxfrm() on Solaris (and possibly other
platforms).
- gh-138239: The REPL now highlights type as a soft keyword in
type statements.
- gh-138204: Forbid expansion of shared anonymous memory maps
on Linux, which caused a bus error.
- gh-138010: Fix an issue where defining a class with an
@warnings.deprecated-decorated base class may not invoke the
correct __init_subclass__() method in cases involving
multiple inheritance. Patch by Brian Schubert.
- gh-138151: In annotationlib, improve evaluation of forward
references to nonlocal variables that are not yet defined
when the annotations are initially evaluated.
- gh-137317: inspect.signature() now correctly handles classes
that use a descriptor on a wrapped __init__() or __new__()
method. Contributed by Yongyu Yan.
- gh-137754: Fix import of the zoneinfo module if the
C implementation of the datetime module is not available.
- gh-137490: Handle ECANCELED in the same way as EINTR in
signal.sigwaitinfo() on NetBSD.
- gh-137477: Fix inspect.getblock(), inspect.getsourcelines()
and inspect.getsource() for generator expressions.
- gh-137044: Return large limit values as positive integers
instead of negative integers in resource.getrlimit(). Accept
large values and reject negative values (except
RLIM_INFINITY) for limits in resource.setrlimit().
- gh-75989: tarfile.TarFile.extractall() and
tarfile.TarFile.extract() now overwrite symlinks when
extracting hardlinks. (Contributed by Alexander Enrique
Urieles Nieto in gh-75989.)
- gh-137017: Fix threading.Thread.is_alive to remain True until
the underlying OS thread is fully cleaned up. This avoids
false negatives in edge cases involving thread monitoring or
premature threading.Thread.is_alive calls.
- gh-137273: Fix debug assertion failure in locale.setlocale()
on Windows.
- gh-137239: heapq: Update heapq.__all__ with *_max functions.
- gh-81325: tarfile.TarFile now accepts a path-like when
working on a tar archive. (Contributed by Alexander Enrique
Urieles Nieto in gh-81325.)
- gh-137185: Fix a potential async-signal-safety issue in
faulthandler when printing C stack traces.
- gh-136914: Fix retrieval of doctest.DocTest.lineno for
objects decorated with functools.cache() or
functools.cached_property.
- gh-136912: hmac.digest() now properly handles large keys and
messages by falling back to the pure Python implementation
when necessary. Patch by Bénédikt Tran.
- gh-83424: Allows creating a ctypes.CDLL without name when
passing a handle as an argument.
- gh-136234: Fix asyncio.WriteTransport.writelines() to be
robust to connection failure, by using the same behavior as
write().
- gh-136507: Fix mimetypes CLI to handle multiple file
parameters.
- gh-136057: Fixed the bug in pdb and bdb where next and step
can’t go over the line if a loop exists in the line.
- gh-135386: Fix opening a dbm.sqlite3 database for reading
from read-only file or directory.
- gh-135444: Fix asyncio.DatagramTransport.sendto() to account
for datagram header size when data cannot be sent.
- gh-126631: Fix multiprocessing forkserver bug which prevented
__main__ from being preloaded.
- gh-135307: email: Fix exception in set_content() when
encoding text and max_line_length is set to 0 or None
(unlimited).
- gh-134453: Fixed subprocess.Popen.communicate() input=
handling of memoryview instances that were non-byte shaped on
POSIX platforms. Those are now properly cast to a byte shaped
view instead of truncating the input. Windows platforms did
not have this bug.
- gh-134698: Fix a crash when calling methods of ssl.SSLContext
or ssl.SSLSocket across multiple threads.
- gh-125996: Fix thread safety of collections.OrderedDict.
Patch by Kumar Aditya.
- gh-133789: Fix unpickling of pathlib objects that were
pickled in Python 3.13.
- gh-127081: Fix libc thread safety issues with dbm by
performing stateful operations in critical sections.
- gh-132551: Make io.BytesIO safe in free-threaded build.
- gh-131788: Make ResourceTracker.send from multiprocessing
re-entrant safe
- gh-118981: Fix potential hang in
multiprocessing.popen_spawn_posix that can happen when the
child proc dies early by closing the child fds right away.
- gh-102431: Clarify constraints for “logical” arguments in
methods of decimal.Context.
- gh-78319: UTF8 support for the IMAP APPEND command has been
made RFC compliant. bpo-38735: Fix failure when importing
a module from the root directory on unix-like platforms with
sys.pycache_prefix set. bpo-41839: Allow negative priority
values from os.sched_get_priority_min() and
os.sched_get_priority_max() functions.
IDLE
- gh-96491: Deduplicate version number in IDLE shell title bar
after saving to a file.
- gh-139742: Colorize t-string prefixes for template strings in
IDLE, as done for f-string prefixes.
Documentation
- gh-141994: xml.sax.handler: Make Documentation of
xml.sax.handler.feature_external_ges warn of opening up to
external entity attacks. Patch by Sebastian Pipping.
- gh-140578: Remove outdated sencence in the documentation for
multiprocessing, that implied that
concurrent.futures.ThreadPoolExecutor did not exist.
Core and Builtins
- gh-142048: Fix quadratically increasing garbage collection
delays in free-threaded build.
- gh-116738: Fix thread safety issue with re scanner objects in
free-threaded builds.
- gh-141930: When importing a module, use Python’s regular file
object to ensure that writes to .pyc files are complete or an
appropriate error is raised.
- gh-120158: Fix inconsistent state when enabling or disabling
monitoring events too many times.
- gh-139653: Only raise a RecursionError or trigger a fatal
error if the stack pointer is both below the limit pointer
and above the stack base. If outside of these bounds assume
that it is OK. This prevents false positives when user-space
threads swap stacks.
- gh-139103: Improve multithreaded scaling of dataclasses on
the free-threaded build.
- gh-141579: Fix sys.activate_stack_trampoline() to properly
support the perf_jit backend. Patch by Pablo Galindo.
- gh-114203: Skip locking if object is already locked by
two-mutex critical section.
- gh-141528: Suggest using
concurrent.interpreters.Interpreter.close() instead of the
private _interpreters.destroy function when warning about
remaining subinterpreters. Patch by Sergey Miryanov.
- gh-141312: Fix the assertion failure in the __setstate__
method of the range iterator when a non-integer argument is
passed. Patch by Sergey Miryanov.
- gh-116738: Make csv module thread-safe on the free threaded
build.
- gh-140939: Fix memory leak when bytearray or bytes is
formated with the %*b format with a large width that results
in a MemoryError.
- gh-140260: Fix struct data race in endian table
initialization with subinterpreters. Patch by Shamil
Abdulaev.
- gh-140530: Fix a reference leak when raise exc from cause
fails. Patch by Bénédikt Tran.
- gh-140373: Correctly emit PY_UNWIND event when generator
object is closed. Patch by Mikhail Efimov.
- gh-140576: Fixed crash in tokenize.generate_tokens() in case
of specific incorrect input. Patch by Mikhail Efimov.
- gh-140551: Fixed crash in dict if dict.clear() is called at
the lookup stage. Patch by Mikhail Efimov and Inada Naoki.
- gh-140517: Fixed a reference leak when iterating over the
result of map() with strict=True when the input iterables
have different lengths. Patch by Mikhail Efimov.
- gh-140471: Fix potential buffer overflow in ast.AST node
initialization when encountering malformed _fields containing
non-str.
- gh-140431: Fix a crash in Python’s garbage collector due to
partially initialized coroutine objects when coroutine origin
tracking depth is enabled
(sys.set_coroutine_origin_tracking_depth()).
- gh-140398: Fix memory leaks in readline functions
read_init_file(), read_history_file(), write_history_file(),
and append_history_file() when PySys_Audit() fails.
- gh-140406: Fix memory leak when an object’s __hash__() method
returns an object that isn’t an int.
- gh-140358: Restore elapsed time and unreachable object count
in GC debug output. These were inadvertently removed during
a refactor of gc.c. The debug log now again reports elapsed
collection time and the number of unreachable objects.
Contributed by Pål Grønås Drange.
- gh-140306: Fix memory leaks in cross-interpreter channel
operations and shared namespace handling.
- gh-140301: Fix memory leak of PyConfig in subinterpreters.
- gh-140257: Fix data race between interpreter_clear() and
take_gil() on eval_breaker during finalization with daemon
threads.
- gh-139951: Fixes a regression in GC performance for a growing
heap composed mostly of small tuples. Counts number of
actually tracked objects, instead of trackable objects. This
ensures that untracking tuples has the desired effect of
reducing GC overhead. Does not track most untrackable tuples
during creation. This prevents large numbers of small tuples
causing excessive GCs.
- gh-140104: Fix a bug with exception handling in the JIT.
Patch by Ken Jin. Bug reported by Daniel Diniz.
- gh-140061: Fixing the checking of whether an object is
uniquely referenced to ensure free-threaded compatibility.
Patch by Sergey Miryanov.
- gh-140067: Fix memory leak in sub-interpreter creation.
- gh-140000: Fix potential memory leak when a reference cycle
exists between an instance of typing.TypeAliasType,
typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple and
its __name__ attribute. Patch by Mikhail Efimov.
- gh-139914: Restore support for HP PA-RISC, which has an
upwards-growing stack.
- gh-139988: Fix a memory leak when failing to create a Union
type. Patch by Bénédikt Tran.
- gh-139748: Fix reference leaks in error branches of functions
accepting path strings or bytes such as compile() and
os.system(). Patch by Bénédikt Tran.
- gh-139516: Fix lambda colon erroneously start format spec in
f-string in tokenizer.
- gh-139640: ast.parse() no longer emits syntax warnings for
return/break/continue in finally (see PEP 765) – they are
only emitted during compilation.
- gh-139640: Fix swallowing some syntax warnings in different
modules if they accidentally have the same message and are
emitted from the same line. Fix duplicated warnings in the
finally block.
- gh-63161: Support non-UTF-8 shebang and comments in Python
source files if non-UTF-8 encoding is specified. Detect
decoding error in comments for default (UTF-8) encoding. Show
the line and position of decoding error for default encoding
in a traceback. Show the line containing the coding cookie
when it conflicts with the BOM in a traceback.
- gh-116738: Make mmap thread-safe on the free threaded build.
- gh-138558: Fix handling of unusual t-string annotations in
annotationlib. Patch by Dave Peck.
- gh-134466: Don’t run PyREPL in a degraded environment where
setting termios attributes is not allowed.
- gh-138944: Fix SyntaxError message when invalid syntax
appears on the same line as a valid import ... as ... or from
... import ... as ... statement. Patch by Brian Schubert.
- gh-105487: Remove non-existent __copy__(), __deepcopy__(),
and __bases__ from the __dir__() entries of
types.GenericAlias.
- gh-69605: Fix some standard library submodules missing from
the REPL auto-completion of imports.
- gh-116738: Make cProfile thread-safe on the free threaded
build.
- gh-138004: On Solaris/Illumos platforms, thread names are now
encoded as ASCII to avoid errors on systems (e.g.
OpenIndiana) that don’t support non-ASCII names.
- gh-137433: Fix a potential deadlock in the free threading
build when daemon threads enable or disable profiling or
tracing while the main thread is shutting down the
interpreter.
- gh-137400: Fix a crash in the free threading build when
disabling profiling or tracing across all threads with
PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads()
or their Python equivalents threading.settrace_all_threads()
and threading.setprofile_all_threads().
- gh-58124: Fix name of the Python encoding in Unicode errors
of the code page codec: use “cp65000” and “cp65001” instead
of “CP_UTF7” and “CP_UTF8” which are not valid Python code
names. Patch by Victor Stinner.
- gh-132657: Improve performance of frozenset by removing locks
in the free-threading build.
- gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to
match old pre-3.13 REPL behavior.
- gh-128640: Fix a crash when using threads inside of
a subinterpreter.
C API
- gh-137422: Fix free threading race condition in
PyImport_AddModuleRef(). It was previously possible for two
calls to the function return two different objects, only one
of which was stored in sys.modules.
- gh-140042: Removed the sqlite3_shutdown call that could cause
closing connections for sqlite when used with multiple sub
interpreters.
- gh-141042: Make qNaN in PyFloat_Pack2() and PyFloat_Pack4(),
if while conversion to a narrower precision floating-point
format — the remaining after truncation payload will be zero.
Patch by Sergey B Kirpichev.
- gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API 3.11
and older: don’t treat Py_NotImplemented as immortal. Patch
by Victor Stinner.
- gh-140153: Fix Py_REFCNT() definition on limited C API
3.11-3.13. Patch by Victor Stinner.
- gh-139653: Add PyUnstable_ThreadState_SetStackProtection()
and PyUnstable_ThreadState_ResetStackProtection() functions
to set the stack protection base address and stack protection
size of a Python thread state. Patch by Victor Stinner.
Build
- gh-141808: Do not generate the jit stencils twice in case of
PGO builds on Windows.
- gh-141784: Fix _remote_debugging_module.c compilation on
32-bit Linux. Include Python.h before system headers to make
sure that _remote_debugging_module.c uses the same types
(ABI) than Python. Patch by Victor Stinner.
- gh-140768: Warn when the WASI SDK version doesn’t match
what’s supported.
- gh-140513: Generate a clear compilation error when
_Py_TAIL_CALL_INTERP is enabled but either preserve_none or
musttail is not supported.
- gh-140189: iOS builds were added to CI.
- gh-138489: When cross-compiling for WASI by build_wasm or
build_emscripten, the build-details.json step is now included
in the build process, just like with native builds. This
fixes the libinstall task which requires the
build-details.json file during the process.
- gh-137618: PYTHON_FOR_REGEN now requires Python 3.10 to
Python 3.15. Patch by Adam Turner.
- gh-123681: Check the strftime() behavior at runtime instead
of at the compile time to support cross-compiling. Remove the
internal macro _Py_NORMALIZE_CENTURY.
Remove upstreamed patches:
- CVE-2025-6075-expandvars-perf-degrad.patch
- CVE-2025-8291-consistency-zip64.patch
It checks consistency of the zip64 end of central directory
record, and preventing obfuscation of the payload, i.e., you
scanning for malicious content in a ZIP file with one ZIP parser
(let's say a Rust one) then unpack it in production with another
(e.g., the Python one) and get malicious content that the other
parser did not see (CVE-2025-8291, bsc#1251305)
- Tools/Demos
- gh-139330: SBOM generation tool didn’t cross-check
the version and checksum values against the
Modules/expat/refresh.sh script, leading to the values
becoming out-of-date during routine updates.
- gh-132006: XCframeworks now include privacy manifests to
satisfy Apple App Store submission requirements.
- gh-138171: A script for building an iOS XCframework was
added. As part of this change, the top level iOS folder has
been moved to be a subdirectory of the Apple folder.
- gh-137873: The iOS test runner has been simplified,
resolving some issues that have been observed using
the runner in GitHub Actions and Azure Pipelines test
environments.
- gh-137484: Have Tools/wasm/wasi put the build Python into a
directory named after the build triple instead of “build”.
- gh-137025: The wasm_build.py script has been removed.
Tools/wasm/emscripten and Tools/wasm/wasi should be used
instead, as described in the Dev Guide.
- gh-137248: Add a --logdir option to Tools/wasm/wasi for
specifying where to write log files.
- gh-137243: Have Tools/wasm/wasi detect a WASI SDK install
in /opt when it was directly extracted from a release
tarball.
- gh-136251: Fixes and usability improvements for
Tools/wasm/emscripten/web_example
- gh-135968: Stubs for strip are now provided as part of an
iOS install.
- gh-135379: The cases generator no longer accepts type
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=109
Python 3.14 is the latest stable release of the Python
programming language, with a mix of changes to the language,
the implementation, and the standard library. The biggest
changes include template string literals, deferred evaluation
of annotations, and support for subinterpreters in the standard
library.
The library changes include significantly improved capabilities
for introspection in asyncio, support for Zstandard via a new
compression.zstd module, syntax highlighting in the REPL, as
well as the usual deprecations and removals, and improvements
in user-friendliness and correctness.
- Interpreter improvements:
- PEP 649 and PEP 749: Deferred evaluation of annotations
- PEP 734: Multiple interpreters in the standard library
- PEP 750: Template strings
- PEP 758: Allow except and except* expressions without
brackets
- PEP 765: Control flow in finally blocks
- PEP 768: Safe external debugger interface for CPython
- A new type of interpreter
- Free-threaded mode improvements
- Improved error messages
- Incremental garbage collection
- Significant improvements in the standard library:
- PEP 784: Zstandard support in the standard library
- Asyncio introspection capabilities
- Concurrent safe warnings control
- Syntax highlighting in the default interactive shell, and
color output in several standard library CLIs
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=104
- Tools/Demos
- gh-137873: The iOS test runner has been simplified,
resolving some issues that have been observed using
the runner in GitHub Actions and Azure Pipelines test
environments.
- Security
- gh-135661: Fix CDATA section parsing in
html.parser.HTMLParser according to the HTML5 standard: ]
]> and ]] > no longer end the CDATA section. Add private
method _set_support_cdata() which can be used to specify
how to parse <[CDATA[ — as a CDATA section in foreign
content (SVG or MathML) or as a bogus comment in the HTML
namespace.
- Library
- gh-138998: Update bundled libexpat to 2.7.2
- gh-118803: Add back collections.abc.ByteString and
typing.ByteString. Both had been removed in prior alpha,
beta and release candidates for Python 3.14, but their
removal has now been postponed to Python 3.17.
- gh-137226: Fix typing.get_type_hints() calls on generic
typing.TypedDict classes defined with string annotations.
- gh-138804: Raise TypeError instead of AttributeError when
an argument of incorrect type is passed to shlex.quote().
This restores the behavior of the function prior to 3.14.
- gh-128636: Fix crash in PyREPL when os.environ is
overwritten with an invalid value for mac
- gh-138514: Raise ValueError when a multi-character string
is passed to the echo_char parameter of getpass.getpass().
Patch by Benjamin Johnson.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=99
- Library
- gh-137426: Remove the code deprecation of
importlib.abc.ResourceLoader. It is documented as
deprecated, but left for backwards compatibility with other
classes in importlib.abc.
- gh-137282: Fix tab completion and dir() on
concurrent.futures.
- gh-137257: Bump the version of pip bundled in ensurepip to
version 25.2
- gh-137226: Fix behavior of
annotationlib.ForwardRef.evaluate() when the type_params
parameter is passed and the name of a type param is also
present in an enclosing scope.
- gh-130522: Fix unraisable TypeError raised during
interpreter shutdown in the threading module.
- gh-137059: Fix handling of file URLs with a
Windows drive letter in the URL authority by
urllib.request.url2pathname(). This fixes a regression in
earlier pre-releases of Python 3.14.
- gh-130577: tarfile now validates archives to ensure member
offsets are non-negative. (Contributed by Alexander Enrique
Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249).
- gh-135228: When dataclasses replaces a class with a slotted
dataclass, the original class can now be garbage collected
again. Earlier changes in Python 3.14 caused this class to
always remain in existence together with the replacement
class synthesized by dataclasses.
- Documentation
- gh-136155: We are now checking for fatal errors in EPUB
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=91
- Tools/Demos
- gh-136251: Fixes and usability improvements for
Tools/wasm/emscripten/web_example
- Security
- gh-135661: Fix parsing attributes with whitespaces around
the = separator in html.parser.HTMLParser according to the
HTML5 standard.
- gh-118350: Fix support of escapable raw text mode (elements
“textarea” and “title”) in html.parser.HTMLParser.
- Library
- gh-136170: Removed the unreleased
zipfile.ZipFile.data_offset property added in 3.14.0a7 as
it wasn’t fully clear which behavior it should have in some
situations so the result was not always what a user might
expect.
- gh-124621: pyrepl now works in Emscripten.
- gh-136874: Discard URL query and fragment in
urllib.request.url2pathname().
- gh-130645: Enable color help by default in argparse.
- gh-136549: Fix signature of threading.excepthook().
- gh-136523: Fix wave.Wave_write emitting an unraisable when
open raises.
- gh-52876: Add missing keepends (default True)
parameter to codecs.StreamReaderWriter.readline() and
codecs.StreamReaderWriter.readlines().
- gh-136470: Correct
concurrent.futures.InterpreterPoolExecutor’s default thread
name.
- gh-136476: Fix a bug that was causing the
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=86
- Tools/Demos
- gh-135968: Stubs for strip are now provided as part of an
iOS install.
- gh-133600: Backport file reorganization for .
Tools/wasm/wasi This should make backporting future code .
changes easier. It also simplifies instructions around how.
to do WASI builds in the devguide .
- Tests
- gh-135966: The iOS testbed now handles the app_packages
folder as a site directory.
- gh-135494: Fix regrtest to support excluding tests from
--pgo tests. Patch by Victor Stinner.
- Security
- gh-136053: marshal: fix a possible crash when deserializing
slice objects.
- gh-135661: Fix parsing start and end tags in
html.parser.HTMLParser according to the HTML5 standard.
- Whitespaces no longer accepted between </ and the tag
name. E.g. </ script> does not end the script section.
- Vertical tabulation (\v) and non-ASCII whitespaces no
longer recognized as whitespaces. The only whitespaces
are \t\n\r\f and space.
- Null character (U+0000) no longer ends the tag name.
- Attributes and slashes after the tag name in end tags are
now ignored, instead of terminating after the first > in
quoted attribute value. E.g. </script/foo=">"/>.
- Multiple slashes and whitespaces between the last
attribute and closing > are now ignored in both start and
end tags. E.g. <a foo=bar/ //>.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=80
- Tests
- gh-132815: Fix test__opcode: add JUMP_BACKWARD to
specialization stats.
- gh-135489: Show verbose output for failing tests during PGO
profiling step with –enable-optimizations.
- gh-135120: Add test.support.subTests().
- Security
- gh-135462: Fix quadratic complexity in processing specially
crafted input in html.parser.HTMLParser. End-of-file errors
are now handled according to the HTML5 specs – comments and
declarations are automatically closed, tags are ignored.
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
Addresses CVE 2024-12718, CVE 2025-4138, CVE 2025-4330, and
CVE 2025-4517.
- Library
- gh-65697: configparser’s error message when attempting to
write an invalid key is now more helpful.
- gh-135497: Fix os.getlogin() failing for longer usernames
on BSD-based platforms.
- gh-135429: Fix the argument mismatch in _lsprof for
PY_THROW event.
- gh-135368: Fix unittest.mock.Mock generation on
dataclasses.dataclass() objects. Now all special attributes
are set as it was before gh-124429.
- gh-133967: Do not normalize locale name ‘C.UTF-8’ to
‘en_US.UTF-8’.
- gh-135321: Raise a correct exception for values greater
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=73
- Tools/Demos
- gh-134215: REPL import autocomplete only suggests private
modules when explicitly specified.
- Tests
- gh-133744: Fix multiprocessing interrupt test. Add an event
to synchronize the parent process with the child process:
wait until the child process starts sleeping. Patch by
Victor Stinner.
- gh-133682: Fixed test case
test.test_annotationlib.TestStringFormat.test_displays
which ensures proper handling of complex data structures
(lists, sets, dictionaries, and tuples) in string
annotations.
- gh-133639: Fix
TestPyReplAutoindent.test_auto_indent_default() doesn’t run
input_code.
- Security
- gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516
bsc#1243273).
- gh-128840: Short-circuit the processing of long IPv6
addresses early in ipaddress to prevent excessive memory
consumption and a minor denial-of-service.
- Library
- gh-132710: If possible, ensure that uuid.getnode()
returns the same result even across different
processes. Previously, the result was constant only within
the same process. Patch by Bénédikt Tran.
- gh-80334: multiprocessing.freeze_support() now checks for
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=71
- Tools/Demos
- gh-130453: Allow passing multiple keyword arguments with
the same function name in pygettext.
- gh-130195: Add warning messages when pygettext
unimplemented -a/--extract-all option is called.
- Tests
- gh-133131: The iOS testbed will now select the most
recently released “SE-class” device for testing if a device
isn’t explicitly specified.
- gh-91048: Add ability to externally inspect all pending
asyncio tasks, even if no task is currently entered on the
event loop.
- gh-109981: The test helper that counts the list of open
file descriptors now uses the optimised /dev/fd approach on
all Apple platforms, not just macOS. This avoids crashes
caused by guarded file descriptors.
- gh-132678: Add --prioritize to -m test. This option allows
the user to specify which selected tests should execute
first, even if the order is otherwise randomized. This is
particularly useful for tests that run the longest.
- gh-131290: Tests in Lib/test can now be correctly executed
as standalone scripts.
- Security
- gh-115322: The underlying extension modules behind
readline:, subprocess, and ctypes now raise audit events
on previously uncovered code paths that could lead to file
system access related to C function calling and external
binary execution. The ctypes.call_function audit hook has
also been fixed to use an unsigned value for its function
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=53
- Tools/Demos
- gh-129248: The iOS test runner now strips the log prefix
from each line output by the test suite.
- gh-104400: Fix several bugs in extraction by switching to
an AST parser in pygettext.
- Tests
- gh-129386: Add test.support.reset_code, which can be used
to reset various bytecode-level optimizations and local
instrumentation for a function.
- gh-128474: Disable test_embed test cases that segfault on
BOLT instrument binaries. The tests are only disabled when
BOLT is enabled.
- gh-128003: Add an option --parallel-threads=N to the
regression test runner that runs individual tests in
multiple threads in parallel in order to find concurrency
bugs. Note that most of the test suite is not yet reviewed
for thread-safety or annotated with @thread_unsafe when
necessary.
- Security
- gh-105704: When using urllib.parse.urlsplit() and
urllib.parse.urlparse() host parsing would not reject
domain names containing square brackets ([ and ]). Square
brackets are only valid for IPv6 and IPvFuture hosts
according to RFC 3986 Section 3.2.2.
- gh-126108: Fix a possible NULL pointer dereference in
PySys_AddWarnOptionUnicode().
- gh-80222: Fix bug in the folding of quoted strings
when flattening an email message using a modern email
policy. Previously when a quoted string was folded so
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=38
- Tools/Demos
- gh-128152: Fix a bug where Argument Clinic’s C
pre-processor parser tried to parse pre-processor
directives inside C comments. Patch by Erlend Aasland.
- Tests
- gh-128690: Temporarily do not use test_embed in PGO profile
builds until the problem with test_init_pyvenv_cfg failing
in some configurations is resolved.
- Library
- gh-128731: Fix ResourceWarning in
urllib.robotparser.RobotFileParser.read().
- gh-71339: Add new assertion methods for unittest:
assertHasAttr(), assertNotHasAttr(), assertIsSubclass(),
assertNotIsSubclass() assertStartsWith(),
assertNotStartsWith(), assertEndsWith() and
assertNotEndsWith().
- gh-118761: Improve import time of pickle by 25% by removing
an unnecessary regular expression. As such, re is no more
implicitly available as pickle.re. Patch by Bénédikt Tran.
- gh-128661: Fixes typing.evaluate_forward_ref() not showing
deprecation when type_params arg is not passed.
- gh-128562: Fix possible conflicts in generated tkinter
widget names if the widget class name ends with a digit.
- gh-128559: Improved import time of asyncio.
- gh-128552: Fix cyclic garbage introduced
by asyncio.loop.create_task() and
asyncio.TaskGroup.create_task() holding a reference to the
created task if it is eager.
- gh-128340: Add internal thread safe handle to be used
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=32
- Tools/Demos
- gh-126700: Add support for multi-argument gettext functions
in pygettext.py.
- Tests
- gh-127906: Test the limited C API in test_cppext. Patch by
Victor Stinner.
- gh-127637: Add tests for the dis command-line
interface. Patch by Bénédikt Tran.
- gh-126925: iOS test results are now streamed during test
execution, and the deprecated xcresulttool is no longer
used.
- gh-127076: Disable strace based system call tests when
LD_PRELOAD is set.
- gh-127076: Filter out memory-related mmap, munmap, and
mprotect calls from file-related ones when testing io
behavior using strace.
- Security
- gh-127655: Fixed the
asyncio.selector_events._SelectorSocketTransport
transport not pausing writes for the protocol when
the buffer reaches the high water mark when using
asyncio.WriteTransport.writelines().
- Library
- gh-126907: Fix crash when using atexit concurrently on the
free-threaded build.
- gh-127870: Detect recursive calls in ctypes _as_parameter_
handling. Patch by Victor Stinner.
- gh-127732: The platform module now correctly detects
Windows Server 2025.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=28
- Tools/Demos
- gh-126807: Fix extraction warnings in pygettext.py caused
by mistaking function definitions for function calls.
- gh-126167: The iOS testbed was modified so that it can be
used by third-party projects for testing purposes.
- Tests
- gh-126909: Fix test_os extended attribute tests to work on
filesystems with 1 KiB xattr size limit.
- gh-125730: Change make test to not run GUI tests by
default. Use make ci to run tests with GUI tests instead.
- gh-124295: Add translation tests to the argparse module.
- Security
- gh-126623: Upgrade libexpat to 2.6.4
- Library
- gh-85957: Add missing MIME types for images with RFCs: emf,
fits, g3fax, jp2, jpm, jpx, t38, tiff-fx and wmf. Patch by
Hugo van Kemenade.
- gh-126920: Fix the prefix and exec_prefix keys from
sysconfig.get_config_vars() incorrectly having the same
value as sys.base_prefix and sys.base_exec_prefix,
respectively, inside virtual environments. They now
accurately reflect sys.prefix and sys.exec_prefix.
- gh-67877: Fix memory leaks when regular expression matching
terminates abruptly, either because of a signal or because
memory allocation fails.
- gh-125063: marshal now supports slice objects. The marshal
format version was increased to 5.
- gh-126789: Fixed the values of sysconfig.get_config_vars(),
sysconfig.get_paths(), and their siblings when the site
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=23
- Fix python314:doc package build with docutils 0.22. Remove the
"SPHINXERRORHANDLING = --fail-on-warning" from Doc/Makefile using
the gh139257-Support-docutils-0.22.patch.
- Summary – Release highlights
Python 3.14 is the latest stable release of the Python
programming language, with a mix of changes to the language,
the implementation, and the standard library. The biggest
changes include template string literals, deferred evaluation
of annotations, and support for subinterpreters in the standard
library.
The library changes include significantly improved capabilities
for introspection in asyncio, support for Zstandard via a new
compression.zstd module, syntax highlighting in the REPL, as
well as the usual deprecations and removals, and improvements
in user-friendliness and correctness.
- Interpreter improvements:
- PEP 649 and PEP 749: Deferred evaluation of annotations
- PEP 734: Multiple interpreters in the standard library
- PEP 750: Template strings
- PEP 758: Allow except and except* expressions without
brackets
- PEP 765: Control flow in finally blocks
- PEP 768: Safe external debugger interface for CPython
- A new type of interpreter
- Free-threaded mode improvements
- Improved error messages
- Incremental garbage collection
- Significant improvements in the standard library:
- PEP 784: Zstandard support in the standard library
- Asyncio introspection capabilities
- Concurrent safe warnings control
- Syntax highlighting in the default interactive shell, and
color output in several standard library CLIs
- C API improvements:
- PEP 741: Python configuration C API
- Platform support:
- PEP 776: Emscripten is now an officially supported
platform, at tier 3.
- Release changes:
- PEP 779: Free-threaded Python is officially supported
- PEP 761: PGP signatures have been discontinued for official
releases
- Windows and macOS binary releases now support the
experimental just-in-time compiler
- Binary releases for Android are now provided
OBS-URL: https://build.opensuse.org/request/show/1310012
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python314?expand=0&rev=27
Python 3.14 is the latest stable release of the Python
programming language, with a mix of changes to the language,
the implementation, and the standard library. The biggest
changes include template string literals, deferred evaluation
of annotations, and support for subinterpreters in the standard
library.
The library changes include significantly improved capabilities
for introspection in asyncio, support for Zstandard via a new
compression.zstd module, syntax highlighting in the REPL, as
well as the usual deprecations and removals, and improvements
in user-friendliness and correctness.
- Interpreter improvements:
- PEP 649 and PEP 749: Deferred evaluation of annotations
- PEP 734: Multiple interpreters in the standard library
- PEP 750: Template strings
- PEP 758: Allow except and except* expressions without
brackets
- PEP 765: Control flow in finally blocks
- PEP 768: Safe external debugger interface for CPython
- A new type of interpreter
- Free-threaded mode improvements
- Improved error messages
- Incremental garbage collection
- Significant improvements in the standard library:
- PEP 784: Zstandard support in the standard library
- Asyncio introspection capabilities
- Concurrent safe warnings control
- Syntax highlighting in the default interactive shell, and
color output in several standard library CLIs
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=104
- Update to 3.14.0~rc3:
- Tools/Demos
- gh-137873: The iOS test runner has been simplified,
resolving some issues that have been observed using
the runner in GitHub Actions and Azure Pipelines test
environments.
- Security
- gh-135661: Fix CDATA section parsing in
html.parser.HTMLParser according to the HTML5 standard: ]
]> and ]] > no longer end the CDATA section. Add private
method _set_support_cdata() which can be used to specify
how to parse <[CDATA[ — as a CDATA section in foreign
content (SVG or MathML) or as a bogus comment in the HTML
namespace.
- Library
- gh-138998: Update bundled libexpat to 2.7.2
- gh-118803: Add back collections.abc.ByteString and
typing.ByteString. Both had been removed in prior alpha,
beta and release candidates for Python 3.14, but their
removal has now been postponed to Python 3.17.
- gh-137226: Fix typing.get_type_hints() calls on generic
typing.TypedDict classes defined with string annotations.
- gh-138804: Raise TypeError instead of AttributeError when
an argument of incorrect type is passed to shlex.quote().
This restores the behavior of the function prior to 3.14.
- gh-128636: Fix crash in PyREPL when os.environ is
overwritten with an invalid value for mac
- gh-138514: Raise ValueError when a multi-character string
is passed to the echo_char parameter of getpass.getpass().
Patch by Benjamin Johnson.
- gh-138515: email is added to Emscripten build.
- gh-99948: ctypes.util.find_library() now works in
Emscripten build.
- gh-138253: Add the block parameter in the put() and
get() methods of the concurrent.interpreters queues for
compatibility with the queue.Queue interface.
- gh-138133: Prevent infinite traceback loop when sending
CTRL^C to Python through strace.
- gh-134869: Fix an issue where pressing Ctrl+C during tab
completion in the REPL would leave the autocompletion menu
in a corrupted state.
- gh-90548: Fix musl detection for platform.libc_ver() on
Alpine Linux if compiled with –strip-all.
- gh-136134: SMTP.auth_cram_md5() now raises an SMTPException
instead of a ValueError if Python has been built without
MD5 support. In particular, SMTP clients will not attempt
to use this method even if the remote server is assumed to
support it. Patch by Bénédikt Tran.
- gh-136134: IMAP4.login_cram_md5 now raises an IMAP4.error
if CRAM-MD5 authentication is not supported. Patch by
Bénédikt Tran.
- gh-134953: Expand _colorize theme with keyword_constant and
implement in repl.
- Core and Builtins
- gh-71810: Raise OverflowError for (-1).to_bytes() for
signed conversions when bytes count is zero. Patch by
Sergey B Kirpichev.
- gh-138192: Fix contextvars initialization so that all
subinterpreters are assigned the MISSING value.
- gh-138479: Fix a crash when a generic object’s
__typing_subst__ returns an object that isn’t a tuple.
- gh-138372: Fix SyntaxWarning emitted for erroneous
subscript expressions involving template string literals.
Patch by Brian Schubert.
- gh-138318: The default REPL now avoids highlighting
built-in names (for instance set or format()) when they
are used as attribute names (for instance in value.set or
text.format).
- gh-138349: Fix crash in certain cases where a module
contains both a module-level annotation and a
comprehension.
- gh-137384: Fix a crash when using the warnings module in a
finalizer at shutdown. Patch by Kumar Aditya.
- gh-137883: Fix runaway recursion when calling a function
with keyword arguments.
- gh-137079: Fix keyword typo recognition when parsing files.
Patch by Pablo Galindo.
- gh-137728: Fix the JIT’s handling of many local variables.
This previously caused a segfault.
- gh-137576: Fix for incorrect source code being shown in
tracebacks from the Basic REPL when PYTHONSTARTUP is given.
Patch by Adam Hartz.
OBS-URL: https://build.opensuse.org/request/show/1305881
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python314?expand=0&rev=25
- Tools/Demos
- gh-137873: The iOS test runner has been simplified,
resolving some issues that have been observed using
the runner in GitHub Actions and Azure Pipelines test
environments.
- Security
- gh-135661: Fix CDATA section parsing in
html.parser.HTMLParser according to the HTML5 standard: ]
]> and ]] > no longer end the CDATA section. Add private
method _set_support_cdata() which can be used to specify
how to parse <[CDATA[ — as a CDATA section in foreign
content (SVG or MathML) or as a bogus comment in the HTML
namespace.
- Library
- gh-138998: Update bundled libexpat to 2.7.2
- gh-118803: Add back collections.abc.ByteString and
typing.ByteString. Both had been removed in prior alpha,
beta and release candidates for Python 3.14, but their
removal has now been postponed to Python 3.17.
- gh-137226: Fix typing.get_type_hints() calls on generic
typing.TypedDict classes defined with string annotations.
- gh-138804: Raise TypeError instead of AttributeError when
an argument of incorrect type is passed to shlex.quote().
This restores the behavior of the function prior to 3.14.
- gh-128636: Fix crash in PyREPL when os.environ is
overwritten with an invalid value for mac
- gh-138514: Raise ValueError when a multi-character string
is passed to the echo_char parameter of getpass.getpass().
Patch by Benjamin Johnson.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=99
- Update to 3.14.0~rc2:
- Library
- gh-137426: Remove the code deprecation of
importlib.abc.ResourceLoader. It is documented as
deprecated, but left for backwards compatibility with other
classes in importlib.abc.
- gh-137282: Fix tab completion and dir() on
concurrent.futures.
- gh-137257: Bump the version of pip bundled in ensurepip to
version 25.2
- gh-137226: Fix behavior of
annotationlib.ForwardRef.evaluate() when the type_params
parameter is passed and the name of a type param is also
present in an enclosing scope.
- gh-130522: Fix unraisable TypeError raised during
interpreter shutdown in the threading module.
- gh-137059: Fix handling of file URLs with a
Windows drive letter in the URL authority by
urllib.request.url2pathname(). This fixes a regression in
earlier pre-releases of Python 3.14.
- gh-130577: tarfile now validates archives to ensure member
offsets are non-negative. (Contributed by Alexander Enrique
Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249).
- gh-135228: When dataclasses replaces a class with a slotted
dataclass, the original class can now be garbage collected
again. Earlier changes in Python 3.14 caused this class to
always remain in existence together with the replacement
class synthesized by dataclasses.
- Documentation
- gh-136155: We are now checking for fatal errors in EPUB
builds in CI.
- Core and Builtins
- gh-137400: Fix a crash in the free threading
build when disabling profiling or tracing across
all threads with PyEval_SetProfileAllThreads()
or PyEval_SetTraceAllThreads() or their Python
equivalents threading.settrace_all_threads() and
threading.setprofile_all_threads().
- gh-137314: Fixed a regression where raw f-strings
incorrectly interpreted escape sequences in format
specifications. Raw f-strings now properly preserve literal
backslashes in format specs, matching the behavior from
Python 3.11. For example, rf"{obj:\xFF}" now correctly
produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo.
- gh-137308: A standalone docstring in a node body is
optimized as a pass statement to ensure that the node’s
body is never empty. There was a ValueError in compile()
otherwise.
- gh-137288: Fix bug where some bytecode instructions of a
boolean expression are not associated with the correct
exception handler.
- gh-134291: Remove some newer macOS API usage from the JIT
compiler in order to restore compatibility with older OSX
10.15 deployment targets.
- gh-131338: Disable computed stack limit checks on non-glibc
linux platforms to fix crashes on deep recursion.
- gh-136870: Fix data races while de-instrumenting bytecode
of code objects running concurrently in threads.
- C API
- gh-137573: Mark _PyOptimizer_Optimize as Py_NO_INLINE to
prevent stack overflow crashes on macOS.
- Build
- gh-132339: Add support for OpenSSL 3.5.
- Replaces upstreamed patches:
- CVE-2025-8194-tarfile-no-neg-offsets.patch
OBS-URL: https://build.opensuse.org/request/show/1299840
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python314?expand=0&rev=21
- Library
- gh-137426: Remove the code deprecation of
importlib.abc.ResourceLoader. It is documented as
deprecated, but left for backwards compatibility with other
classes in importlib.abc.
- gh-137282: Fix tab completion and dir() on
concurrent.futures.
- gh-137257: Bump the version of pip bundled in ensurepip to
version 25.2
- gh-137226: Fix behavior of
annotationlib.ForwardRef.evaluate() when the type_params
parameter is passed and the name of a type param is also
present in an enclosing scope.
- gh-130522: Fix unraisable TypeError raised during
interpreter shutdown in the threading module.
- gh-137059: Fix handling of file URLs with a
Windows drive letter in the URL authority by
urllib.request.url2pathname(). This fixes a regression in
earlier pre-releases of Python 3.14.
- gh-130577: tarfile now validates archives to ensure member
offsets are non-negative. (Contributed by Alexander Enrique
Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249).
- gh-135228: When dataclasses replaces a class with a slotted
dataclass, the original class can now be garbage collected
again. Earlier changes in Python 3.14 caused this class to
always remain in existence together with the replacement
class synthesized by dataclasses.
- Documentation
- gh-136155: We are now checking for fatal errors in EPUB
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=91
- Update to 3.14.0~rc1:
- Tools/Demos
- gh-136251: Fixes and usability improvements for
Tools/wasm/emscripten/web_example
- Security
- gh-135661: Fix parsing attributes with whitespaces around
the = separator in html.parser.HTMLParser according to the
HTML5 standard.
- gh-118350: Fix support of escapable raw text mode (elements
“textarea” and “title”) in html.parser.HTMLParser.
- Library
- gh-136170: Removed the unreleased
zipfile.ZipFile.data_offset property added in 3.14.0a7 as
it wasn’t fully clear which behavior it should have in some
situations so the result was not always what a user might
expect.
- gh-124621: pyrepl now works in Emscripten.
- gh-136874: Discard URL query and fragment in
urllib.request.url2pathname().
- gh-130645: Enable color help by default in argparse.
- gh-136549: Fix signature of threading.excepthook().
- gh-136523: Fix wave.Wave_write emitting an unraisable when
open raises.
- gh-52876: Add missing keepends (default True)
parameter to codecs.StreamReaderWriter.readline() and
codecs.StreamReaderWriter.readlines().
- gh-136470: Correct
concurrent.futures.InterpreterPoolExecutor’s default thread
name.
- gh-136476: Fix a bug that was causing the
get_async_stack_trace function to miss some frames in the
stack trace.
- gh-136434: Fix docs generation of UnboundItem in
concurrent.interpreters when running with -OO.
- gh-136380: Raises AttributeError when accessing
concurrent.futures.InterpreterPoolExecutor and
subinterpreters are not available.
- gh-134759: Fix UnboundLocalError in
email.message.Message.get_payload() when the payload to
decode is a bytes object. Patch by Kliment Lamonov.
- gh-134657: asyncio: Remove some private names from
asyncio.__all__.
- Core and Builtins
- gh-136801: Fix PyREPL syntax highlighting on match cases
after multi-line case. Contributed by Olga Matoula.
- gh-136421: Fix crash when initializing datetime
concurrently.
- gh-136541: Fix some issues with the perf trampolines
on x86-64 and aarch64. The trampolines were not being
generated correctly for some cases, which could lead to
the perf integration not working correctly. Patch by Pablo
Galindo.
- gh-136517: Fixed a typo that prevented printing of
uncollectable objects when the gc.DEBUG_UNCOLLECTABLE mode
was set.
- gh-136525: Fix issue where per-thread bytecode was not
instrumented for newly created threads.
- gh-132661: Interpolation.expression now has a default, the
empty string.
- gh-132661: Reflect recent PEP 750 change.
- Disallow concatenation of string.templatelib.Template and
str. Also, disallow implicit concatenation of t-string
literals with string or f-string literals.
- gh-116738: Make functions in grp thread-safe on the free
threaded build.
- gh-135148: Fixed a bug where f-string debug expressions
(using =) would incorrectly strip out parts of strings
containing escaped quotes and # characters. Patch by Pablo
Galindo.
- gh-133136: Limit excess memory usage in the free threading
build when a large dictionary or list is resized and
accessed by multiple threads.
- gh-91153: Fix a crash when a bytearray is concurrently
mutated during item assignment.
- gh-127971: Fix off-by-one read beyond the end of a string
in string search.
- C API
- gh-112068: Revert support of nullable arguments in
PyArg_Parse().
- gh-133296: New variants for the critical section API that
accept one or two PyMutex pointers rather than PyObject
instances are now public in the non-limited C API.
- gh-134009: Expose PyMutex_IsLocked() as part of the public
C API.
- Build
- gh-135621: PyREPL no longer depends on the curses standard
library. Contributed by Łukasz Langa.
OBS-URL: https://build.opensuse.org/request/show/1295248
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python314?expand=0&rev=19
