4.1.0

[Archmonger]

Description

Added

• Added support for zstd compression on Python 3.14+
  • ref Zstandard support evansd/whitenoise#668)
• Added support for the top-level servestatic module to run as a Django app
  • fix Rename servestatic.runserver_nostatic #56
• Added Django system checks to test for common misconfigurations
  • fix Use the Django Checks API to test for misconfiguration #64
• Added jxl image support.
  • ref Add JXL MIME and skip compression for .jxl and .avif evansd/whitenoise#674
• Added a new allow_unsafe_symlinks configuration option for WSGI/ASGI
• Added a new SERVESTATIC_ALLOW_UNSAFE_SYMLINKS configuration option for Django.

Changed

• Improved event-loop handling for ASGI file iterator.
• Installing servestatic as a Django app is now the suggested configuration. A warning will appear if it is not detected in INSTALLED_APPS when DEBUG is True.
• servestatic.runserver_nostatic is no longer the recommended Django app installation path. This import path will be retained to ease WhiteNoise to ServeStatic migration, but now the documentation recommends to use the top-level servestatic module instead.
• For security purposes, ServeStatic will no longer follow unsafe symlinks by default. If you are symlinking to files outside of your static root, it is highly recommended to copy them instead. This behavior can be disabled for trusted deployments using allow_unsafe_symlinks / SERVESTATIC_ALLOW_UNSAFE_SYMLINKS.

Fixed

• Fixed a range-request edge case where the last byte could be requested but would not be served.

Security

• Hardened autorefresh path matching to prevent potential path traversal or path clobbering
  • ref Use os.path.commonpath() to identify child paths evansd/whitenoise#684
• Hardened static file resolution to block symlink breakout by default.

Checklist

Please update this checklist as you complete each item:

• Tests have been developed for bug fixes or new functionality.
• The changelog has been updated, if necessary.
• Documentation has been updated, if necessary.
• GitHub Issues closed by this PR have been linked.

_{By submitting this pull request I agree that all contributions comply with this project's open source license(s).}