diff --git a/release-notes.md b/release-notes.md index a39b430..18fffe1 100644 --- a/release-notes.md +++ b/release-notes.md 
@@ -9,69 +9,98 @@ This is a feature release with a few bigger updates. ### AI model changes -The library used for non-OpenAI LLMs was changed from [`llm`](https://github.com/simonw/llm) to [`litellm`](https://docs.litellm.ai/docs/). -Reasons for this change include: +The library used for non-OpenAI LLMs has been changed from [`llm`](https://github.com/simonw/llm) +to [`litellm`](https://docs.litellm.ai/docs/). Reasons for this change include: - It has far fewer additional dependencies. -- It supports async APIs out of the box. -- The `llm` library is optimized for the command line use-case, whereas `litellm` offers similar functionality as a native - Python library. - +- It supports async APIs out of the box (for most models). +- The `llm` library is more targeted for the command line use-case, whereas `litellm` offers similar functionality + as a native Python library with a cleaner API. + Litellm can still be used with all common AI models, including OpenAI, Anthropic/Claude, and Meta/Llama models -(with ollama). For details on getting started with `litellm` see the updated [AI documentation](./ai.md). +(via ollama). For details on getting started with `litellm` see the updated [AI documentation](./ai.md). + +### Formatting and linting now use Ruff + +Black and isort have been replaced with [ruff](https://github.com/astral-sh/ruff)---a Python linter/formatter +that offers the same functionality as those tools but is much faster. + +Additionally, Pegasus will now remove unused imports from your files automatically, both +when building your project and if you have set up `pre-commit`. + +This change should be a relatively seamless drop-in replacement, though you may see some new lint errors +in your projects which you can choose to address. ### Spam prevention updates -Turnstile TODO docs +There has been a dramatic increase in spam-bots over the last month. +Many of these bots target seemingly-innocuous functionality like sign up and password reset forms. 
-### Ruff support + import removal +This version includes a few updates to help combat these bots. +First, you can now easily add [Cloudflare turnstile](https://www.cloudflare.com/products/turnstile/) to your sign up forms, +which will present the user with a captcha and should help reduce bot sign-ups. +See [the turnstile documentation](./configuration.md#turnstile) for information on setting this up. -TODO docs +Additionally, the `ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS` setting has been set to `False` by default. +This prevents "forgot password" and "magic link" emails from being sent out to unknown accounts. +It should also help reduce unnecessary email sending. -### Added +Finally, the [admin dashboard](#admin-dashboard) no longer shows users with unconfirmed email addresses if you have set +`ACCOUNT_EMAIL_VERIFICATION = 'mandatory'`. +This helps filter out likely bots from the report to provide clearer visibilty of people actually signing up for your app. + +### Complete changelog + +Below is the complete set of changes in this release. + +#### Added -- Added configurable captcha support on sign up pages, using [Cloudflare turnstile](https://www.cloudflare.com/products/turnstile/). +- **Added configurable captcha support on sign up pages, using [Cloudflare turnstile](https://www.cloudflare.com/products/turnstile/).** See [the turnstile documentation](./configuration.md#turnstile) for more information on setting this up. - Added API views for two-factor authentication, and to change the logged-in user's password. (Thanks Finbar for suggesting!) - Add UI to tell users they need a verified email address prior to setting up two-factor auth. - Also added a `has_verified_email` helper class to the `CustomUser` model. - Added tests for the delete team view for both team admins and members. (HTMX builds only) - Added test for team member removal permissions. +- Add display and sort on the number of active members in the teams admin. 
-### Fixed +#### Fixed - Fixed a bug where team names longer than 50 characters could cause a crash during sign up. - Fixed a bug where multi-factor authentication QR codes had a dark background when dark mode was enabled (Tailwind builds only). (Thanks Artem for reporting!) - Fixed a bug where it was possible to bypass two-factor-authentication when using the API authentication views. (Thanks Finbar for reporting and helping with the fix!) -- Add display and sort on the number of active members in the teams admin. - Fixed a bug where deleting the user's only team while impersonating them resulted in a temporary crash. (Thanks EJ for reporting!) - Fixed a bug where creating an API key crashed if your user's first + last name combined to more than 40 characters. (Thanks Luc for reporting!) - - -### Changed - -- Non-OpenAI builds now use `litellm` instead of `llm`. TODO more. -- **Changed the formatter/linter from `black` and `isort` to [ruff](https://github.com/astral-sh/ruff).** - - Also addressed a handful of minor linting errors that came up as a result of this change. - Codebase linting is now substantially faster. -- Removed the `static/css` and `static/js` directories from the `dockerignore` file so that other project files - can be included. Also updated the production Docker build process so that any existing files are overwritten +- Improved the UI feedback when LLMs fail (e.g. if your API key is wrong or ollama is not running). +- Removed the `static/css` and `static/js` directories from the `.dockerignore` file so that other project files + can be included in these directories. + Also updated the production Docker build process so that any existing files are overwritten by the built versions. (Thanks Raul for reporting!) - Made some performance improvements to the production Dockerfile build (don't rebuild the front end if there are no changes in the dependent files). 
-- The login API response has changed, to allow for two-factor auth prompts, and more machine-readable status fields. +- Better support trialing subscriptions with no payment methods. + The subscription UI will now show the date the trial ends and won't log errors about missing invoices. (Thanks Jarrett for reporting!) + +#### Changed + - **Upgraded all Python packages to the latest versions.** - **Upgraded all JavaScript packages to the latest versions.** +- **Non-OpenAI builds now use `litellm` instead of `llm`.** See above. +- **Changed the formatter/linter from `black` and `isort` to [ruff](https://github.com/astral-sh/ruff).** See above. + - Also addressed a handful of minor linting errors that came up as a result of this change. + - Codebase linting is now substantially faster. + - Unused imports are now automatically removed when building your projects. +- **Celerybeat now uses the `django-celery-beat` library to store tasks in the database instead of on the filesystem.** + This improves support for celerybeat on Docker-based platforms. (Thanks Peter and Artem for the suggestion!) + - Also added a migration to save the default scheduled tasks in the database. +- The login API response has changed, to allow for two-factor auth prompts, and more machine-readable status fields. - Removed the no-longer-used `use_json_field=True` argument from wagtail `StreamField`s. -- The user dashboard no longer shows users with unconfirmed email addresses if you have set - `ACCOUNT_EMAIL_VERIFICATION = 'mandatory'`. This helps filter out likely bots from the report. -- The user dashboard now includes sign ups from the current date, by default. -- Better support trialing subscriptions with no payment methods. - The subscription UI will now show the date the trial ends and won't log errors about missing invoices. (Thanks Jarrett for reporting!) 
+- The admin dashboard no longer shows users with unconfirmed email addresses if you have set `ACCOUNT_EMAIL_VERIFICATION = 'mandatory'`. +- The admin dashboard now includes sign ups from the current date, by default. - Changed behavior when team role checks fail from raising a `TeamPermissionError` to returning a 403 response, and updated affected tests. One side effect of this is that the stack traces are removed from successful test runs. - Secret keys should no longer change every time you build your Pegasus project. 
@@ -79,29 +108,28 @@ TODO docs - Updated the default OpenAI chat model to gpt-4o. - Upgraded the openapi client generator to version 7.5.0 and also pinned the version used by `make build-api-client` to the same one. -- **Celerybeat now uses the `django-celery-beat` library to store tasks in the database instead of on the filesystem.** - This improves support for celerybeat on Docker-based platforms. (Thanks Peter and Artem for the suggestion!) - - Also added a migration to save the default scheduled tasks in the database. -- Make Team IDs optional on the create team page (HTMX builds only). +- Team IDs are now optional on the create team page (HTMX builds only). - Add clearer error message when charts are broken due to api config issue. (Thanks Yngve for reporting!) - Added `assume_scheme="https"` to form `URLField`s to be compatible with Django 6 behavior. - Added `FORMS_URLFIELD_ASSUME_HTTPS = True` to be compatible with Django 6 behavior. - Set `ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS = False` by default, so that "forgot password" emails do not get sent to unknown accounts. This can help prevent spam bots. -### Removed +#### Removed - Removed `black` and `isort` from dev-requirements, since they have been replaced by `ruff`. - Removed `llm` library and associated code, since it has been replaced by `litellm`. - Removed no longer used `TeamPermissionError` class. -### Standalone front end +#### Standalone front end The following changes affect the experimental [standalone front end](./experimental/react-front-end.md): -- The standalone React front end now supports two-factor-authentication. +- **The standalone React front end now supports two-factor-authentication.** - Improve the UI when you have login issues in the standalone React front end. +*June 5, 2024* + ## Version 2024.5.3
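Review bot: In the `#### Fixed` list of the first hunk, the entry "Fixed a bug where it was possible to bypass two-factor-authentication when using the API authentication views" is the only item that describes an authentication bypass, yet it stays an unemphasised bullet in the middle of the list while the captcha, package-upgrade and ruff entries are bolded. Suggest bolding it and moving it to the top of Fixed, and cross-referencing the "The login API response has changed" entry under Changed: that entry says the response changed to allow two-factor prompts, so API clients have to handle it, and the new status fields are not described anywhere in the visible text. Smaller points in the same hunk: "visibilty" should be "visibility" in the Spam prevention paragraph; the `[admin dashboard](#admin-dashboard)` link targets an anchor for which no heading appears in these lines, so check that it resolves; and moving the `#### Changed` header leaves "Made some performance improvements to the production Dockerfile build" under Fixed, where it reads as a change rather than a bug fix.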
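Review bot: The unchanged bullet for `ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS = False` in the second hunk says only that "forgot password" emails stop going to unknown accounts, while the Spam prevention section added in the first hunk says the setting also stops "magic link" emails. This is a change of default that alters what existing projects send, so the changelog bullet should match the prose, for example "so that "forgot password" and "magic link" emails are not sent to unknown accounts", and should say how to restore the previous behaviour if a project relies on it. Style: the rewritten "Team IDs are now optional" bullet sits next to "Add clearer error message when charts are broken" and "Improve the UI when you have login issues", which are still in the imperative; pick one tense for the list.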