It checks consistency of the zip64 end of central directory
record, and preventing obfuscation of the payload, i.e., you
scanning for malicious content in a ZIP file with one ZIP parser
(let's say a Rust one) then unpack it in production with another
(e.g., the Python one) and get malicious content that the other
parser did not see (CVE-2025-8291, bsc#1251305)
- Tools/Demos
- gh-139330: SBOM generation tool didn’t cross-check
the version and checksum values against the
Modules/expat/refresh.sh script, leading to the values
becoming out-of-date during routine updates.
- gh-132006: XCframeworks now include privacy manifests to
satisfy Apple App Store submission requirements.
- gh-138171: A script for building an iOS XCframework was
added. As part of this change, the top level iOS folder has
been moved to be a subdirectory of the Apple folder.
- gh-137873: The iOS test runner has been simplified,
resolving some issues that have been observed using
the runner in GitHub Actions and Azure Pipelines test
environments.
- gh-137484: Have Tools/wasm/wasi put the build Python into a
directory named after the build triple instead of “build”.
- gh-137025: The wasm_build.py script has been removed.
Tools/wasm/emscripten and Tools/wasm/wasi should be used
instead, as described in the Dev Guide.
- gh-137248: Add a --logdir option to Tools/wasm/wasi for
specifying where to write log files.
- gh-137243: Have Tools/wasm/wasi detect a WASI SDK install
in /opt when it was directly extracted from a release
tarball.
- gh-136251: Fixes and usability improvements for
Tools/wasm/emscripten/web_example
- gh-135968: Stubs for strip are now provided as part of an
iOS install.
- gh-135379: The cases generator no longer accepts type
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=109
Python 3.14 is the latest stable release of the Python
programming language, with a mix of changes to the language,
the implementation, and the standard library. The biggest
changes include template string literals, deferred evaluation
of annotations, and support for subinterpreters in the standard
library.
The library changes include significantly improved capabilities
for introspection in asyncio, support for Zstandard via a new
compression.zstd module, syntax highlighting in the REPL, as
well as the usual deprecations and removals, and improvements
in user-friendliness and correctness.
- Interpreter improvements:
- PEP 649 and PEP 749: Deferred evaluation of annotations
- PEP 734: Multiple interpreters in the standard library
- PEP 750: Template strings
- PEP 758: Allow except and except* expressions without
brackets
- PEP 765: Control flow in finally blocks
- PEP 768: Safe external debugger interface for CPython
- A new type of interpreter
- Free-threaded mode improvements
- Improved error messages
- Incremental garbage collection
- Significant improvements in the standard library:
- PEP 784: Zstandard support in the standard library
- Asyncio introspection capabilities
- Concurrent safe warnings control
- Syntax highlighting in the default interactive shell, and
color output in several standard library CLIs
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=104
- Tools/Demos
- gh-137873: The iOS test runner has been simplified,
resolving some issues that have been observed using
the runner in GitHub Actions and Azure Pipelines test
environments.
- Security
- gh-135661: Fix CDATA section parsing in
html.parser.HTMLParser according to the HTML5 standard: ]
]> and ]] > no longer end the CDATA section. Add private
method _set_support_cdata() which can be used to specify
how to parse <[CDATA[ — as a CDATA section in foreign
content (SVG or MathML) or as a bogus comment in the HTML
namespace.
- Library
- gh-138998: Update bundled libexpat to 2.7.2
- gh-118803: Add back collections.abc.ByteString and
typing.ByteString. Both had been removed in prior alpha,
beta and release candidates for Python 3.14, but their
removal has now been postponed to Python 3.17.
- gh-137226: Fix typing.get_type_hints() calls on generic
typing.TypedDict classes defined with string annotations.
- gh-138804: Raise TypeError instead of AttributeError when
an argument of incorrect type is passed to shlex.quote().
This restores the behavior of the function prior to 3.14.
- gh-128636: Fix crash in PyREPL when os.environ is
overwritten with an invalid value for mac
- gh-138514: Raise ValueError when a multi-character string
is passed to the echo_char parameter of getpass.getpass().
Patch by Benjamin Johnson.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=99
- Library
- gh-137426: Remove the code deprecation of
importlib.abc.ResourceLoader. It is documented as
deprecated, but left for backwards compatibility with other
classes in importlib.abc.
- gh-137282: Fix tab completion and dir() on
concurrent.futures.
- gh-137257: Bump the version of pip bundled in ensurepip to
version 25.2
- gh-137226: Fix behavior of
annotationlib.ForwardRef.evaluate() when the type_params
parameter is passed and the name of a type param is also
present in an enclosing scope.
- gh-130522: Fix unraisable TypeError raised during
interpreter shutdown in the threading module.
- gh-137059: Fix handling of file URLs with a
Windows drive letter in the URL authority by
urllib.request.url2pathname(). This fixes a regression in
earlier pre-releases of Python 3.14.
- gh-130577: tarfile now validates archives to ensure member
offsets are non-negative. (Contributed by Alexander Enrique
Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249).
- gh-135228: When dataclasses replaces a class with a slotted
dataclass, the original class can now be garbage collected
again. Earlier changes in Python 3.14 caused this class to
always remain in existence together with the replacement
class synthesized by dataclasses.
- Documentation
- gh-136155: We are now checking for fatal errors in EPUB
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=91
- Tools/Demos
- gh-136251: Fixes and usability improvements for
Tools/wasm/emscripten/web_example
- Security
- gh-135661: Fix parsing attributes with whitespaces around
the = separator in html.parser.HTMLParser according to the
HTML5 standard.
- gh-118350: Fix support of escapable raw text mode (elements
“textarea” and “title”) in html.parser.HTMLParser.
- Library
- gh-136170: Removed the unreleased
zipfile.ZipFile.data_offset property added in 3.14.0a7 as
it wasn’t fully clear which behavior it should have in some
situations so the result was not always what a user might
expect.
- gh-124621: pyrepl now works in Emscripten.
- gh-136874: Discard URL query and fragment in
urllib.request.url2pathname().
- gh-130645: Enable color help by default in argparse.
- gh-136549: Fix signature of threading.excepthook().
- gh-136523: Fix wave.Wave_write emitting an unraisable when
open raises.
- gh-52876: Add missing keepends (default True)
parameter to codecs.StreamReaderWriter.readline() and
codecs.StreamReaderWriter.readlines().
- gh-136470: Correct
concurrent.futures.InterpreterPoolExecutor’s default thread
name.
- gh-136476: Fix a bug that was causing the
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=86
- Tools/Demos
- gh-135968: Stubs for strip are now provided as part of an
iOS install.
- gh-133600: Backport file reorganization for .
Tools/wasm/wasi This should make backporting future code .
changes easier. It also simplifies instructions around how.
to do WASI builds in the devguide .
- Tests
- gh-135966: The iOS testbed now handles the app_packages
folder as a site directory.
- gh-135494: Fix regrtest to support excluding tests from
--pgo tests. Patch by Victor Stinner.
- Security
- gh-136053: marshal: fix a possible crash when deserializing
slice objects.
- gh-135661: Fix parsing start and end tags in
html.parser.HTMLParser according to the HTML5 standard.
- Whitespaces no longer accepted between </ and the tag
name. E.g. </ script> does not end the script section.
- Vertical tabulation (\v) and non-ASCII whitespaces no
longer recognized as whitespaces. The only whitespaces
are \t\n\r\f and space.
- Null character (U+0000) no longer ends the tag name.
- Attributes and slashes after the tag name in end tags are
now ignored, instead of terminating after the first > in
quoted attribute value. E.g. </script/foo=">"/>.
- Multiple slashes and whitespaces between the last
attribute and closing > are now ignored in both start and
end tags. E.g. <a foo=bar/ //>.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=80
- Tests
- gh-132815: Fix test__opcode: add JUMP_BACKWARD to
specialization stats.
- gh-135489: Show verbose output for failing tests during PGO
profiling step with –enable-optimizations.
- gh-135120: Add test.support.subTests().
- Security
- gh-135462: Fix quadratic complexity in processing specially
crafted input in html.parser.HTMLParser. End-of-file errors
are now handled according to the HTML5 specs – comments and
declarations are automatically closed, tags are ignored.
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
Addresses CVE 2024-12718, CVE 2025-4138, CVE 2025-4330, and
CVE 2025-4517.
- Library
- gh-65697: configparser’s error message when attempting to
write an invalid key is now more helpful.
- gh-135497: Fix os.getlogin() failing for longer usernames
on BSD-based platforms.
- gh-135429: Fix the argument mismatch in _lsprof for
PY_THROW event.
- gh-135368: Fix unittest.mock.Mock generation on
dataclasses.dataclass() objects. Now all special attributes
are set as it was before gh-124429.
- gh-133967: Do not normalize locale name ‘C.UTF-8’ to
‘en_US.UTF-8’.
- gh-135321: Raise a correct exception for values greater
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=73
