Changelog

If you are upgrading an existing installation, read the instructions.

1.3.2 - 2021/10/16

1.3.1 - 2021/10/12

  • Remove trailing slash from JSON scraper (issue 287)

1.3.0 - 2021/10/9

  • Allow config options to be overridden by environment variables (issue 270)

1.2.4 - 2021/6/10

  • Fix missing permissions for non-admin users (issue 284)

1.2.3 - 2021/6/9

  • Add Pyramid>=2.0 to dependencies (issue 283)

1.2.2 - 2021/6/8

  • Upgrade to Pyramid 2.0
  • Remove the SQL index from package summary field (will take effect when you rebuild your cache, but a rebuild is not required)

1.2.1 - 2021/5/18

  • Fix an XSS vulnerability (issue 280)
  • Remove storage limit of package summary (pull 276) (will take effect when you rebuild your cache, but a rebuild is not required unless you hit this issue)

1.2.0 - 2021/3/1

  • Add more package info to JSON API (pull 269)
  • Stop normalizing metadata for Azure (pull 272)
  • Provide Azure credentials via environment variable (issue 270)
  • Pin the Pyramid version to avoid deprecation (issue 274)
  • Dropping support for Python 3.5 and 3.6 due to difficulty with cryptography library

1.1.7 - 2020/11/16

  • Fix a datetime crash when reloading the cache (issue 266)
  • Fix a logic error with db.graceful_reload (pull 267)

1.1.6 - 2020/11/7

  • Fix content-type when streaming packages (pull 260)
  • JSON scraper doesn’t throw exceptions if it receives an HTTP error (issue 264)
  • Add config option for GCS IAM signing email (pull 262)

1.1.5 - 2020/9/19

  • Add pypi.allow_delete to disable deleting packages (issue 259)

1.1.4 - 2020/9/13

  • Fix concurrency bugs in GCS backend (issue 258)

1.1.3 - 2020/8/17

  • Fix metadata storage issue with some S3-compatible backends (pull 255)
  • Command line arg to generate password hash from stdin (pull 253)

1.1.2 - 2020/7/23

  • Fix error when package in local storage but not in fallback repository (issue 251)

1.1.1 - 2020/6/14

  • Fix an exception when pypi.use_json_scraper = false (issue 250)
  • Allow passing in auth.signing_key as an environment variable (issue 247)
  • Add some documentation about the DynamoDB cache (issue 249)

1.1.0 - 2020/5/31

  • Drop support for Python 2 (pull 243)
  • Add support for package hashes (pull 244)

1.0.16 - 2020/5/20

  • Add support for Microsoft Azure Blob storage (pull 241)

1.0.15 - 2020/5/8

  • Add requests as a dependency (pull 240)

1.0.14 - 2020/5/7

  • Fix a bug with reloading Redis cache (pull 230)
  • More graceful handling of non-package files in GCS (issue 232)
  • Support for requires_python metadata (pull 234, issue 219)
  • Add pypi.use_json_scraper setting for configuring
  • Change default value of storage.redirect_urls to True
  • Add auth.scheme setting to customize password hashing algorithm (issue 237)
  • SIGNIFICANTLY LOWERED default password hashing rounds. Read about why in the docs

1.0.13 - 2020/1/1

  • Add option to use IAM signer on GCS (pull 226)

1.0.12 - 2019/12/11

  • Change default fallback url from http://pypi.python.org to https://pypi.org (pull 207)
  • Add pypi.disallow_fallback option to disable fallback for specific packages (pull 216)
  • Fix automatic bucket creation for all S3 regions (pull 225)

1.0.11 - 2019/4/5

  • Add ability to stream files through pypicloud (pull 202)
  • Support spaces in auth.ldap.admin_value values (pull 206)

1.0.10 - 2018/11/26

  • Strip non-ASCII characters from summary for S3 backend (pull 197)
  • Fix an issue with production log format (issue 198)
  • Add auth.ldap.fallback to use the config file to configure groups and permissions with the LDAP access backend (issue 199)

1.0.9 - 2018/9/6

  • Fix: Exception during LDAP reconnect (pull 192)
  • Fix: LDAP on Python 3 could not detect admins (pull 193)
  • Feature: New pypi.auth.admin_group_dn setting for LDAP (for when memberOf is unavailable)

1.0.8 - 2018/8/27

  • Feature: Google Cloud Storage support (pull 189)

1.0.7 - 2018/8/14

  • Feature: /health endpoint checks health of connection to DB backends (issue 181)
  • Feature: Options for LDAP access backend to ignore referrals and ignore multiple user results (pull 184)
  • Fix: Exception when storage.cloud_front_key_file was set (pull 185)
  • Fix: Bad redirect to the fallback url when searching the /json endpoint (pull 188)
  • Deprecation: pypi.fallback_url has been deprecated in favor of pypi.fallback_base_url (pull 188)

1.0.6 - 2018/6/11

  • Fix: Support auth.profile_name passing in a boto profile name (pull 172)
  • Fix: Uploading package with empty description using twine crashes DynamoDB backend (issue 174)
  • Fix: Config file generation for use with docker container (using %(here)s was not working)
  • Use cryptography package instead of horrifyingly old and deprecated pycrypto (issue 179)
  • Add storage.public_url to S3 backend (issue 173)

1.0.5 - 2018/4/24

  • Fix: Download ACL button throws error in Python 3 (issue 166)
  • New access backend: AWS Secrets Manager (pull 164)
  • Add storage.storage_class option for S3 storage (pull 170)
  • Add db.tablenames option for DynamoDB cache (issue 167)
  • Reduce startup race conditions on empty caches when running multiple servers (issue 167)

1.0.4 - 2018/4/1

  • Fix: Fix SQL connection issues with uWSGI (issue 160)
  • Miscellaneous python 3 fixes

1.0.3 - 2018/3/26

  • Fix: uWSGI hangs in python 3 (issue 153)
  • Fix: Crash when using ppc-migrate to migrate from S3 to S3
  • Add warnings and documentation for edge case where S3 bucket has a dot in it (issue 145)
  • Admin can create signup tokens (issue 156)

1.0.2 - 2018/1/26

  • Fix: Hang when rebuilding Postgres cache (issue 147)
  • Fix: Some user deletes fail with Foreign Key errors (issue 150)
  • Fix: Incorrect parsing of version for wheels (issue 154)
  • Configuration option for number of rounds to use in password hash (issue 115)
  • Make request errors visible in the browser (issue 151)
  • Add a Create User button to admin page (issue 149)
  • SQL access backend defaults to disallowing anonymous users to register

1.0.1 - 2017/12/3

1.0.0 - 2017/10/29

  • Python3 support thanks to boto3
  • Removing stable/unstable version from package summary
  • Changing and removing many settings
  • Performance tweaks
  • graceful_reload option for caches, to refresh from the storage backend while remaining operational
  • Complete rewrite of LDAP access backend
  • Utilities for hooking into S3 create & delete notifications to keep multiple caches in sync

NOTE Because of the boto3 rewrite, many settings have changed. You will need to review the settings for your storage, cache, and access backends to make sure they are correct, as well as rebuilding your cache as per usual.

0.5.6 - 2017/10/29

  • Add storage.object_acl for S3 (pull 139)

0.5.5 - 2017/9/9

  • Allow search endpoint to have a trailing slash (issue 133)

0.5.4 - 2017/8/10

  • Allow overriding the displayed download URL in the web interface (pull 125)
  • Bump up the DB size of the version field (SQL-only) (pull 128)

0.5.3 - 2017/4/30

  • Bug fix: S3 uploads failing from web interface and when fallback=cache (issue 120)

0.5.2 - 2017/4/22

  • Bug fix: The /pypi path was broken for viewing & uploading packages (issue 119)
  • Update docs to recommend /simple as the install/upload URL
  • Beaker session sets invalidate_corrupt = true by default

0.5.1 - 2017/4/17

  • Bug fix: Deleting packages while using the Dynamo cache would sometimes remove the wrong package from Dynamo (issue 118)

0.5.0 - 2017/3/29

Upgrade breaks: SQL caching database. You will need to rebuild it.

  • Feature: Pip search works now (pull 107)

0.4.6 - 2017/4/17

  • Bug fix: Deleting packages while using the Dynamo cache would sometimes remove the wrong package from Dynamo (issue 118)

0.4.5 - 2017/3/25

  • Bug fix: Access backend now works with MySQL family (pull 106)
  • Bug fix: Return http 409 for duplicate upload to work better with twine (issue 112)
  • Bug fix: Show upload button in interface if default_write = everyone
  • Confirm prompt before deleting a user or group in the admin interface
  • Do some basic sanity checking of username/password inputs

0.4.4 - 2016/10/5

  • Feature: Add optional AWS S3 Server Side Encryption option (pull 99)

0.4.3 - 2016/8/2

  • Bug fix: Rebuilding cache always ends up with correct name/version (pull 93)
  • Feature: /health endpoint (nothing fancy, just returns 200) (issue 95)

0.4.2 - 2016/6/16

  • Bug fix: Show platform-specific versions of wheels (issue 91)

0.4.1 - 2016/6/8

  • Bug fix: LDAP auth disallows empty passwords for anonymous binding (pull 92)
  • Config generator sets pypi.default_read = authenticated for prod mode

0.4.0 - 2016/5/16

Backwards incompatibility: This version was released to handle a change in the way pip 8.1.2 handles package names. If you are upgrading from a previous version, there are detailed instructions for how to upgrade safely.

0.3.13 - 2016/6/8

  • Bug fix: LDAP auth disallows empty passwords for anonymous binding (pull 92)

0.3.12 - 2016/5/5

  • Feature: Setting auth.ldap.service_account for LDAP auth (pull 84)

0.3.11 - 2016/4/28

  • Bug fix: Missing newline in config template (pull 77)
  • Feature: pypi.always_show_upstream for tweaking fallback behavior (issue 82)

0.3.10 - 2016/3/21

  • Feature: S3 backend setting storage.redirect_urls

0.3.9 - 2016/3/13

  • Bug fix: SQL cache works with MySQL (issue 74)
  • Feature: S3 backend can use S3-compatible APIs (pull 72)

0.3.8 - 2016/3/10

  • Feature: Cloudfront storage (pull 71)
  • Bug fix: Rebuilding cache from storage won’t crash on odd file names (pull 70)

0.3.7 - 2016/1/12

  • Feature: /packages endpoint to list all files for all packages (pull 64)

0.3.6 - 2015/12/3

  • Bug fix: Settings parsed incorrectly for LDAP auth (issue 62)

0.3.5 - 2015/11/15

  • Bug fix: Mirror mode: only one package per version is displayed (issue 61)

0.3.4 - 2015/8/30

  • Add docker-specific option for config creation
  • Move docker config files to a separate repository

0.3.3 - 2015/7/17

  • Feature: LDAP Support (pull 55)
  • Bug fix: Incorrect package name/version when uploading from web (issue 56)

0.3.2 - 2015/7/7

  • Bug fix: Restore direct links to S3 to fix easy_install (issue 54)

0.3.1 - 2015/6/18

  • Bug fix: pypi.allow_overwrite causes crash in sql cache (issue 52)

0.3.0 - 2015/6/16

  • Fully defines the behavior of every possible type of pip request. See Fallbacks for more detail.
  • Don’t bother caching generated S3 urls.

0.2.13 - 2015/5/27

  • Bug fix: Crash when mirror mode serves private packages

0.2.12 - 2015/5/14

  • Bug fix: Mirror mode works properly with S3 storage backend

0.2.11 - 2015/5/11

  • Bug fix: Cache mode will correctly download packages with legacy versioning (pull 45)
  • Bug fix: Fix the fetch_requirements endpoint (commit 6b2e2db)
  • Bug fix: Incorrect expire time comparison with IAM roles (pull 47)
  • Feature: ‘mirror’ mode. Caches packages, but lists all available upstream versions.

0.2.10 - 2015/2/27

  • Bug fix: S3 download links expire incorrectly with IAM roles (issue 38)
  • Bug fix: fallback = cache crashes with distlib 0.2.0 (issue 41)

0.2.9 - 2014/12/14

  • Bug fix: Connection problems with new S3 regions (issue 39)
  • Usability: Warn users trying to log in over http when session.secure = true (issue 40)

0.2.8 - 2014/11/11

  • Bug fix: Crash when migrating packages from file storage to S3 storage (pull 35)

0.2.7 - 2014/10/2

  • Bug fix: First download of package using S3 backend and pypi.fallback = cache returns 404 (issue 31)

0.2.6 - 2014/8/3

  • Bug fix: Rebuilding SQL cache sometimes crashes (issue 29)

0.2.5 - 2014/6/9

  • Bug fix: Rebuilding SQL cache sometimes deadlocks (pull 27)

0.2.4 - 2014/4/29

  • Bug fix: ppc-migrate between two S3 backends (pull 22)

0.2.3 - 2014/3/13

0.2.2 - 2014/3/13

0.2.1 - 2014/3/12

  • Bug fix: Pre-existing S3 download links were broken by 0.2.0 (commit 52e3e6a)

0.2.0 - 2014/3/12

Upgrade breaks: caching database

  • Bug fix: Timestamp display on web interface (pull 18)
  • Bug fix: User registration stores password as plaintext (commit 21ebe44)
  • Feature: ppc-migrate, command to move packages between storage backends (commit 399a990)
  • Feature: Adding support for more than one package with the same version. Now you can upload wheels! (commit 2f24877)
  • Feature: Allow transparently downloading and caching packages from pypi (commit e4dabc7)
  • Feature: Export/Import access-control data via ppc-export and ppc-import (commit dbd2a16)
  • Feature: Can set default read/write permissions for packages (commit c9aa57b)
  • Feature: New cache backend: DynamoDB (commit d9d3092)
  • Hosting all js & css ourselves (no more CDN links) (commit 20e345c)
  • Obligatory miscellaneous refactoring

0.1.0 - 2014/1/20

  • First public release