Changelog¶
Release notes for Veloce, covering bug fixes, new features, security updates, and breaking changes across every published version.
Changelog¶
All notable changes to this project are documented here. The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
[Unreleased]¶
Added¶
@app.queryregisters a route for the HTTPQUERYmethod (RFC 10008) — safe and idempotent likeGET, with a request body likePOST.
[0.9.0] - 2026-06-24¶
Added¶
SecuritySchemeis the shared base for authentication schemes, owningauto_errorand the__call__(request)contract. (#236)stream=Trueon a route opts its handler into incremental request-body reading viarequest.stream(), instead of buffering the body first. (#222)MCPErrorand typed subclasses (InvalidParamsError,AuthorizationError, others) let an MCP handler raise a specific JSON-RPC error. (#229)- The MCP HTTP transport rejects an unsupported
MCP-Protocol-Versionheader with400. (#230) ProtocolVersionErrorandOriginNotAllowedErrorsurface MCP transport violations as typed errors. (#230)- The MCP HTTP endpoint answers a
GETwith405 Method Not Allowed. (#230) - The MCP SSE stream sends a priming event on open and a
retryfield before closing. (#230) - The MCP
initializeresult emitsinstructionsfrom the app description or summary. (#230) - The MCP
initializeresult emits aserverInfo.titlefrom the app title. (#230) - MCP tool annotations now carry
openWorldHintand the route summary asannotations.title. (#230) - MCP tool
inputSchemaandoutputSchemadeclare the JSON Schema 2020-12 dialect. (#230) Iconobjects on@app.mcp_tool,@app.mcp_prompt, andmcp_icons=routes surface as a primitive'siconsarray. (#230)- MCP content blocks carry optional
audience/priority/lastModifiedannotations. (#230) ResourceLinkandEmbeddedResourcecontent blocks let a route return a linked or inlined resource result. (#230)@app.mcp_completeranswers MCPcompletion/completewith per-argument value suggestions for a prompt or resource. (#230)- MCP
notifications/cancelledcancels the named in-flight request and unwinds its task. (#230) MCPSessionrecords the client capabilities advertised ininitializeover the stdio transport. (#230)MCP_ENFORCE_LIFECYCLErejects a request that precedesinitializeon a stateful connection. (#230)task_support=Trueopts an MCP tool into a task-augmentedtools/callthat runs in the background. (#230)- A task-augmented
tools/callreturns aCreateTaskResultthe client polls for the result. (#230) tasks/get,tasks/result,tasks/list, andtasks/canceldrive an MCP task through its lifecycle. (#230)- The MCP server emits
notifications/tasks/statuswith the related-task_metaon each task transition. (#230) mount_mcp(transport="http", sessions=True)assigns and validates anMcp-Session-Idon the HTTP transport. (#230)- The MCP HTTP transport rejects a missing required session id with
400and a terminated one with404. (#230) - A
DELETEon the MCP HTTP endpoint terminates the session when session management is enabled. (#230) SessionRequiredErrorandSessionNotFoundErrorsurface MCP session violations as typed errors. (#230)mount_mcp(transport="http", resumable=True)attaches per-stream ids to MCP SSE events and keeps a bounded replay buffer. (#230)- A
GETcarryingLast-Event-IDresumes an MCP SSE stream, replaying only that stream's missed events. (#230) MCP_RESOURCE_SUBSCRIPTIONSlets a clientresources/subscribeandresources/unsubscribeto a resource URI. (#230)MCPServer.notify_resource_updatedsendsnotifications/resources/updatedto subscribed connections. (#230)MCPServer.notify_resources_list_changedsendsnotifications/resources/list_changedto open connections. (#230)MCPContext.sampleasks the client's model for a completion viasampling/createMessage. (#230)MCPContext.elicitrequests user input viaelicitation/createin form or URL mode. (#230)MCPContext.rootslists the client's filesystem roots viaroots/list. (#230)- The stdio transport issues server-to-client requests and awaits their correlated replies. (#230)
MCPCapabilityErrorrejects a server-initiated request the client did not advertise support for. (#230)- The MCP
resourcescapability advertisessubscribeandlistChangedwhen subscriptions are enabled. (#230) - MCP resource subscriptions deliver
notifications/resources/updatedover a stateful HTTPMcp-Session-Idconnection. (#230) - The MCP HTTP transport records the client capabilities from
initializeon a session, gatingMCPContext.sample/elicit/roots. (#230)
Changed¶
- A client disconnecting from an MCP SSE stream no longer cancels the in-flight call. (#230)
MCPContext.cancelledreflects real cancellation state instead of always returningFalse. (#230)- The MCP HTTP transport advertises
resources.subscribe/listChangedastrueonly withsessions=True; a stateless request advertisesfalse. (#230) MCP_ENFORCE_LIFECYCLEis enforced on a stateful HTTPMcp-Session-Idconnection, not only over stdio. (#230)Response.mimetype,charset, andmimetype_paramscache their parse, keyed on the currentcontent_typevalue. (#239)- Route registration rejects a path parameter name that is not a valid Python identifier or is a reserved keyword, instead of failing opaquely at request time. (#240)
Fixed¶
- Response and DI-injected background tasks are tracked and cancelled-and-drained on shutdown, so one no longer outlives the event loop and is orphaned mid-run. (#241)
request.json()caches a JSONnullbody asNoneso it is parsed once instead of re-decoded on every access. (#240)- The MCP HTTP
GETresume path validatesOriginandMCP-Protocol-Versionso a cross-origin or unsupported-version client cannot bypass the DNS-rebinding defense. (#237) - MCP
completion/completebounds the number of client-suppliedcontext.argumentsentries it ingests. (#237) - A malformed inbound
traceparentno longer raises out of the OpenTelemetry span-emit hook; the span is rooted instead. (#237) - An MCP task that settles after a racing
tasks/cancelkeeps itscancelledstatus instead of being overwritten. (#237) - MCP
notifications/cancelledignores a non-scalarrequestIdinstead of raisingTypeErroron the lookup. (#237) PlainTextResponseandHTMLResponsenow acceptbytesas well asstr, matching Starlette parity. (#226)- An MCP HTTP client's
notifications/cancelledcancels only its own in-flight request, never a peer's call with a colliding JSON-RPC id. (#230) - An MCP task is private to the connection that created it;
tasks/listandtasks/get/result/cancelreject another connection's task. (#230) - The MCP HTTP session store evicts idle
Mcp-Session-Idsessions so an abandoned session no longer leaks for the process lifetime. (#230) - The MCP SSE event store caps retained streams so a long-running resumable server's replay buffer no longer grows without bound. (#230)
- An MCP task keys ownership to a stable per-connection id so a task cannot alias to a later session that reuses a freed session's address. (#230)
- Evicting an MCP HTTP session cancels and drops its tasks so a never-settling task no longer pins memory for the process lifetime. (#230)
tasks/canceldelivers itsnotifications/tasks/status(cancelled) reliably instead of dropping it to garbage collection. (#230)- Concurrent MCP SSE streams on one
Mcp-Session-Ideach receive resource-update notifications and unregister independently. (#230) mount_mcp(transport="http")rejects atask_supporttool withoutsessions=Trueso a created task is never silently unretrievable. (#230)- An MCP task runner refuses
ctx.sample/elicit/rootson stdio, settling the task failed instead of racing the serve loop's reader. (#230)
[0.8.0] - 2026-06-13¶
Added¶
Veloce.run(reload=True)andveloce run --reloadauto-restart the built-in server on source changes, without uvicorn. (#212)EVENT_LOOP_WATCHDOGnames the route and dependency a blocking call stalled in. (#210)
[0.7.0] - 2026-06-12¶
Changed¶
- OpenAPI parameters derive from the handler plan the resolver runs, keeping documented and enforced contracts in lockstep. (#205)
clickis now an optionalcliextra; installveloceframework[cli]to useapp.cliandtest_cli_runner. (#206)
Fixed¶
- Parameters the resolver treats as optional are documented as
required: false, matching runtime. (#205) - A form request body whose every field is optional is documented as not required, matching runtime. (#205)
FileResponse.from_pathemits a bareContent-Dispositionfor a non-default disposition with no filename, matching the sync constructor. (#207)
[0.6.0] - 2026-06-10¶
Added¶
veloce new NAME [--template minimal|api|web]scaffolds a project, andveloce generate KIND NAME(aliasg) emits a single file. (#197)get_flashed_messagesis auto-injected as a Jinja global, so templates call it without manual registration. (#197)SessionMiddleware/ServerSessionMiddlewareresolve unset constructor arguments fromapp.configon the first request. (#198)app.secret_keyis a live property bound toconfig["SECRET_KEY"], so it alone configuresSessionMiddleware. (#198)send_file/async_send_fileapplySEND_FILE_MAX_AGE_DEFAULTwhen called withoutmax_age=. (#198)
Security¶
CORSMiddleware(allow_origin_regex=...)gates strictly by the regex instead of defaultingallow_originsto["*"]. (#197)
Changed¶
APIRouternow aliasesRouter(wasBlueprint); constructBlueprintfor a named route group. (#198)MAX_CONTENT_LENGTHdefaults to104857600(100 MiB); set it toNonefor unlimited. (#198)- A failing
yield-dependency teardown now reachesgot_request_exceptionand re-raises underPROPAGATE_EXCEPTIONS. (#198)
Fixed¶
/docsrenders withBaseLayoutinstead of the unloadedStandaloneLayout. (#197)@rate_limitis honored oninclude_in_schema=Falseroutes (with the strategy API). (#197)@app.endpoint(name)reclassifies the route so a sync view is offloaded, not awaited. (#198)PROPAGATE_EXCEPTIONS=false(and0/off) from an env file now reads as off. (#198)security_audit()no longer claims session signing falls back to weak defaults whenSECRET_KEYis unset. (#198)- The native server drops chunked-request trailer fields instead of prepending them to the next request. (#198)
- A mounted sub-app's trailing-slash redirect carries the mount prefix in its
Location. (#197) - A non-ASCII
query_stringover ASGI returns400instead of raising a500. (#197) - A
multipart/form-databody that fails mid-parse returns400, not a partial200. (#197) StreamingResponseon the native server no longer truncates on an emptybyteschunk. (#197)- Registering
/usersand/users/no longer flips the first to a slash redirect. (#197) - Blueprint routes keep
exclude_middleware=[...]afterregister_blueprint. (#197) - A mutable parameter default (
tags: list[str] = []) is no longer shared across requests. (#197) ProxyFixkeeps the brackets and port of aForwardedIPv6host. (#197)- A native-server
HEADresponse no longer sends a body, keepingContent-Length. (#197) - The native server no longer drops a WebSocket frame pipelined into the handshake segment. (#197)
- A non-WebSocket
Upgrade(e.g.h2c) returns400without running the route handler. (#197)
[0.5.0] - 2026-06-10¶
Added¶
- MCP HTTP transport hardening:
mount_mcp(transport="http", allowed_origins=[...])validates theOriginheader (DNS-rebinding defense), andexclude_middleware=[...]drops named app middleware from the/mcp+ metadata routes (so an app-wide auth middleware the transport's ownauthreplaces does not run on it). (#194) - MCP authorization:
mount_mcp(transport="http", auth=MCPAuth(...))makes the endpoint an OAuth 2.1 resource server — a user-suppliedverifycallable validates the bearer token on every request, the RFC 9728 protected-resource metadata is served, and a missing/invalid token returns401(insufficient endpoint scope returns403) with aWWW-Authenticatechallenge. Declarative per-tool scopes (@app.mcp_tool(scopes=...),mcp_scopes=on exposed routes) are enforced against the request principal. (#194) Principal+current_principal()/set_principal(): a unified authenticated identity populated by HTTP auth or the MCP transport, so authorization and identity-aware dependencies read one source across both doors. (#194)Request.is_mcpmarks a replayed MCP tool/resource call, so auth middleware can defer to the transport on agent calls while business middleware runs unchanged. (#194)- MCP Streamable HTTP transport:
app.mount_mcp(transport="http", path="/mcp")mounts the MCP server as aPOSTroute, so it can run as a remote/hosted server under any ASGI server. A request withAccept: text/event-streamis answered with an SSE stream of the call's progress/log notifications followed by the JSON-RPC response; otherwise a single JSON response. The route is protected by whatever middleware and dependencies the app applies to it. (#194) - MCP progress and logging:
MCPContext.report_progress(...)andMCPContext.log(...)now send livenotifications/progressandnotifications/messageto the client (progress requires the client'sprogressToken); the server handleslogging/setLeveland advertises theloggingcapability. (#194) - MCP per-call timeout: set
app.config["MCP_CALL_TIMEOUT"](seconds) to bound each tool call, resource read, and prompt render; an overrun is cancelled and surfaced as an in-band tool error or a JSON-RPC error. Unset (no timeout) by default. (#194) - MCP prompts: register a reusable prompt template with
@app.mcp_prompt(...). The callable's parameters become the prompt's arguments and its return (a string or a list of role/content messages) becomes the rendered messages; the server answersprompts/listandprompts/get, withDepends/MCPContextresolved as in a tool, and advertises thepromptscapability when at least one is registered. (#194) - MCP resources: expose a read-only (
GET/HEAD) route as a Model Context Protocol resource withexpose_as_mcp_resource=Trueandmcp_resource_uri=...(a static URI, or a URI template such asusers://{user_id}binding the route's path parameters). The server answersresources/list,resources/templates/list, andresources/read, replaying the route's dependencies, security, andresponse_modelthrough the shared invocation path; it advertises theresourcescapability when at least one resource is registered. (#194) - MCP non-text tool content: a tool returning an
image/*oraudio/*response emits the matching typed MCP content block (base64), and a binary resource read returns its bytes as ablob. (#194)
Fixed¶
- The native dev server (
app.run()) now starts on Windows:reuse_portis requested only whereSO_REUSEPORTexists, instead of unconditionally passingreuse_port=Trueto the selector event loop (which raisedValueErrorand killed the serving thread before it bound). (#195) - The native dev server now drains in-flight requests on shutdown on Windows too:
where
loop.add_signal_handleris unavailable,_servefalls back tosignal.signaland schedules the cooperative shutdown on the loop, so Ctrl+C / Ctrl+Break let an in-flight request finish at its boundary instead of raisingKeyboardInterruptstraight out of the loop and resetting the connection. (#195) - Blueprint error handlers are now scoped to their own routes: a
@bp.errorhandleronly catches exceptions raised on that blueprint (or a nested descendant), consulted by the failing request's blueprint chain before the app-level handlers — it no longer catches a sibling blueprint's or an app-level route's exception.error_handler_specnow reports per-blueprint sub-tables. (#195) - A mounted Veloce sub-app now sees
request.root_path(andscript_root) set to its mount prefix, matching mounted ASGI apps, sourl_forand proxy-aware URLs inside the sub-app are prefix-correct. (#195) JSONResponse,HTMLResponse, andPlainTextResponseacceptbackground=(forwarded to the baseResponse), so aBackgroundTask/BackgroundTaskscan be attached to them as it can toResponse. (#195)FileResponse(content_disposition_type="inline")now emitsContent-Disposition: inlineeven without afilename; an explicit non-default disposition is honoured (the defaultattachmentwithout a filename still emits no header, so plain file responses are not forced to download). (#195)- The
sessionproxy forwards attribute writes, sosession.permanent = Trueworks through the global proxy rather than raisingAttributeError. (#195) - A single Pydantic body model's validation errors are now located under
"body"(e.g.["body", "field"]), consistent withBody(...)marker params and the whole-body error cases. (#195) - MCP: the
logging/setLevelminimum is now scoped per request (a ContextVar like the progress/notification channel) rather than on the sharedMCPServer, so one HTTP client's level change no longer raises the notification floor for others. (#194) - MCP: a resource read short-circuited by an auth guard (
401/403) maps to a forbidden error rather than an internal error. (#194)
Security¶
- MCP: a pure
@app.mcp_toolhandler error (and the defensive internal-error path) surfaces a generic message unlessapp.debugis set, so an exception carrying a secret is not returned verbatim to the agent. (#194) - MCP: a tool argument can no longer masquerade as an
Authorization/Cookieheader on the replayed request, so aSecurityscheme cannot read agent-supplied input as a credential;Principal.tokenis excluded fromrepr();MCPAuthrequiresresource_server_url+authorization_servers; and an insufficient scope is reported uniformly across tools/resources/prompts (HTTP 403 with aWWW-Authenticatechallenge over the JSON transport). (#194)
[0.4.0] - 2026-06-08¶
Added¶
- Configurable rate limiting: selectable algorithms (
FixedWindow,SlidingWindow,TokenBucket), pluggable in-memory or Redis backends, and per-route limits viaoverridesor the@rate_limitdecorator. - Result caching: the
cacheddecorator withInMemoryCacheandRedisCache. (#171) veloce.contrib.redis:RedisSessionStore,RedisRateLimitBackend, andRedisCachefor state shared across workers.- msgspec as an opt-in fast validation and serialization backend. (#157)
- Model Context Protocol integration (
veloce.contrib.mcp): tool exposure over stdio, protocol-version negotiation,ping, route-derived tool metadata, and streaming-result tools. - JSON Web Tokens (
encode_jwt/decode_jwt), storage-free reset tokens (make_reset_token/check_reset_token), and aSecretwrapper that resists accidental disclosure. (#139) CSPMiddleware(Content-Security-Policy with a per-request nonce and report-only mode) andConditionalGetMiddleware(304forIf-None-Match/If-Modified-Since). (#139)CORSMiddlewaregains Private Network Access support and preflight-method validation;CSRFMiddlewaregains Origin verification viatrusted_origins. (#136)- Middleware ordering with
add_middleware(..., priority=N)and per-route opt-out withexclude_middleware=[...]. - Background-task supervision:
app.supervise(...)(restart policy) andapp.spawn(...)(app-scoped tasks). - Routing: constrained converter syntax (
{x:converter(arg)}),date/time/ decimal path converters, duplicate-route detection, and the declarative@app.websocket_listenerroute. StaticFiles: precompressed-sibling serving,html=Truedirectory indexes, and write-sideIf-Match/If-Unmodified-Sincepreconditions.- WebSockets: native-transport server support on
Veloce.run(), an idle-receive timeout, async-context-manager support, heartbeats, send backpressure, and UTF-8 / close-frame validation. - Server-Sent Events:
ServerSentEvent.commentand.json, bare-value source iterators, and a proactive heartbeat. - Observability:
instrument_access_log/log_requests_as_json, a Prometheus exporter (instrument_with_prometheus), and an OpenTelemetry bridge with a live-tracing mode and anon_spanhook. - OpenAPI: separate request/response schemas, identity-keyed components,
operationId de-duplication, a documented
422response, and avalidate_openapiflag. - Sessions: sliding expiry,
domain=/ chunked-cookie options, andVary: Cookieon cookie-varying responses. - Encoder extensibility: a per-call
custom_encoder, process-levelregister_encoder, and broader built-in coverage (bytes,set/frozenset,pathlib.Path,re.Pattern, scalar subclasses). - Deployment: optional gunicorn
VeloceWorker, built-in dev-server TLS, an ASGI-appmount,.envloading, a dev event-loop watchdog, and an asyncTestClient.uvicornis now an optional extra rather than a hard dependency. - New top-level exports:
Config,Aborter,URLRule,SetupError,JSONProvider/DefaultJSONProvider/config_orjson_options,get_openapi_schema/setup_openapi_routes,StaticFiles,Jinja2Templates,log_requests_as_json, andasync_send_file. - Developer documentation: a build-one-app tutorial, a runnable
examples/directory, a databases guide, and a Hypothesis fuzzing harness across the parsers, router, signing, and WebSocket paths.
Changed¶
- The deprecated
Veloce.on_event()/Veloce.add_event_handler()now target removal in1.0.0. (#173) Veloce.run(workers=...)raisesValueErrorfor any worker count other than1(the built-in server is single-process). (#166)- Independent dependencies resolve concurrently, and a no-wave
Dependschain compiles to a straight-line async resolver. (#154) - Numerous per-request and schema-generation paths were optimized — a compiled feature pipeline, indexed route/encoder lookups, and bounded caches — without changing public behavior.
- Route resolution gates its mounted-app, static-handler, and ASGI-mount scans on the compiled pipeline flags, skipping each scan when nothing of that kind is registered. (#183)
- Literal request paths resolve through a registration-time exact-match map in one
hash lookup instead of a radix-tree walk, falling through to the tree for
parameterized, wildcard, and slash-redirect routes (literal
match()~1.7x faster, ~3x on deep literal paths). (#185) - Requests to feature-free apps take a straight-line dispatch fast path: when no
middleware, request/response hooks, mounts, or url-value preprocessors are
registered and the matched route is an async trivial or request-only handler
with no response model, custom response class, non-default status, host or
subdomain constraint, defaults, or middleware exclusion, the middleware, hook,
route-resolution, and dependency-resolution orchestration is skipped while
coercion,
after_this_requestcallbacks, background tasks, exception handling, and teardown remain shared (~6-8% lower per-request dispatch time on those routes, in-process A/B). (#185)
Fixed¶
- Per-route rate-limit state now rebuilds when routes are added after startup. (#178)
- A bodiless status (
1xx,204,205,304) no longer advertises a body, the WebSocket handshake uses the correct RFC 6455 GUID, and a frame with a non-zero RSV bit is rejected. HTTPBasic/HTTPDigestescape therealm, non-latin-1 header values are RFC 2047 encoded, anddecode_jwtrejects an empty secret.- JSON serialization handles
set/frozenset,pathlib.Path, integer-valuedDecimal, andexclude_none;StaticFilesprecompressed selection returns406and honours an explicitq=0. - Assorted correctness fixes across OpenAPI dual-schema comparison, scope-aware
dependency caching,
instrument_with_otelidempotency, signal delivery, and per-route middleware-exclusion symmetry.
Security¶
LoggingMiddlewareand the access log escape control characters in request-derived fields (CWE-117 log forging), andRequestIDMiddlewaresanitizes an inbound request id.- Security headers are matched case-insensitively so a handler override is not
silently replaced; the cookie writer round-trips a literal
%. - The native WebSocket server rejects an unmasked client frame, HTTP Basic
rejects an RFC 7617-malformed credential, and
dump_cookierejects a non-token cookie name. safe_joinrejects Windows reserved device names,URL.from_requestvalidates theHostheader (RFC 3986), and the router rejects a path that binds one parameter name twice.
[0.3.0] - 2026-06-01¶
Fixed¶
StaticFilesnow applies RFC 9110If-Rangevalidation correctly before serving partial responses. (#128)
[0.2.0] - 2026-05-31¶
Added¶
- Streaming request bodies on the built-in HTTP server, so large uploads no longer require buffering the full body before dispatch. (#106)
- CLI plugin discovery,
.envloading, template streaming, SSE heartbeat support, OpenTelemetry integration, and a signal namespace helper. - Hybrid routing for patterns that do not fit the radix tree, plus an optional gunicorn worker.
- Broader documentation coverage across configuration, templates, static files, sessions, signals, and related framework guides.
Changed¶
- Request body access is now asynchronous:
request.body(),request.text(), andrequest.get_data()must be awaited. (#106) request.stream()now streams on the raw HTTP path instead of replaying an already-buffered body. (#106)- Debug mode renders an HTML traceback page for clients that prefer HTML while preserving plain-text tracebacks for CLI and programmatic clients. (#117)
- Resolver and response-encoding internals were consolidated and optimized without changing the public API.
Fixed¶
- Correct handling for
If-Range, partial-content gzip behavior, async template context processors, duplicate response headers, hybrid-router edge cases, and gunicorn worker lifecycle/TLS behavior.
Security¶
- Restored strict header validation on streamed responses.
- Applied the same form-field limits to URL-encoded bodies as multipart forms.
[0.1.4] - 2026-05-25¶
Changed¶
- Focused maintenance release covering security hardening, correctness fixes, API cleanup, and small internal consolidations.
- Improved encoder behavior, cached more parsed request metadata, and reduced duplicated logic across middleware, CLI helpers, templating, and the test client. (#95)
Security¶
- Tightened multipart UTF-8 validation,
HTTPBasicchallenge construction, and exception handling around basic-auth parsing. (#95) - Made HSTS subdomain coverage opt-in rather than implicit. (#95)
Removed¶
- Dropped unused internal constants from the handler-plan implementation. (#95)
[0.1.3] - 2026-05-23¶
Changed¶
- Security and correctness release covering CSRF token rotation, password-hash parameter validation, and several framework/runtime fixes.
- Improved diagnostics around OpenAPI schema generation and clarified the process-local scope of the built-in rate limiter. (#94)
Fixed¶
- Addressed loop-affinity issues in
Veloce(), multipart encoding in the test client, stale response-encode caches, router merge behavior, and several runtime guards that previously relied onassert. (#94)
Security¶
- Added CSRF token rotation support after login or privilege changes. (#94)
- Rejected weak or tampered scrypt parameters during password verification. (#94)
- Added SRI protection for Swagger UI and ReDoc assets. (#94)
[0.1.2] - 2026-05-23¶
Added¶
- Top-level exports for
render_template,render_template_string, andJinja2Templates. (#78)
Changed¶
Request.json()became asynchronous for consistency with the rest of the request-body API. (#78)- Runtime dependencies were corrected so standard installs include the pieces needed for documented framework features. (#78)
veloce.__version__now comes from installed package metadata. (#78)
[0.1.1] - 2026-05-23¶
Changed¶
- Metadata-only release correcting maintainer information in the published package.
[0.1.0] - 2026-05-23¶
Added¶
- Initial public release of Veloce as
veloceframework. - Core framework surface including the
Veloceapp, radix-tree routing, request/response primitives, dependency injection, OpenAPI generation, and an in-memoryTestClient. - Built-in middleware, sessions, templating, signals, background tasks, Server-Sent Events, WebSockets, security helpers, and class-based views.
- CLI commands, static-file support, instrumentation hooks, server-side sessions, async password helpers, and the first round of performance-focused hot-path improvements.
Changed¶
- Set safer defaults and improved consistency across response handling, multipart uploads, WebSocket dependency injection, and request streaming.
Fixed¶
- Corrected early issues in blueprint registration, SSE encoding, dependency coercion, multipart cleanup, session-store race handling, static-file caching, logging, and request-scoped resource cleanup.
Security¶
- Added incremental request-size enforcement, request timeouts, WebSocket origin checks, security headers, signed CSRF tokens, multipart limits, and secure deployment audit helpers.