Zope

Latest version: v5.13

Page 6 of 17

5.4

Not secure
----------------

- Audit and fix all hyperlinks in code and documentation

  - Change zope.org references to zope.dev due to ongoing domain ownership
    issues. zope.dev is owned by the Plone Foundation and thus safe from
    interference. XML/ZCML namespace URLs remain unchanged.
  - Remove all links that are completely dead, such as the old zope.org
    Collectors issue trackers.
  - Update all other miscellaneous links to make them work again or remove if
    the information is gone.

- Improve type guessing for the default WebDAV PUT factory
(`997 <https://github.com/zopefoundation/Zope/issues/997>`_)

- Enable WebDAV PUT factories to change a newly created object's ID
(`997 <https://github.com/zopefoundation/Zope/issues/997>`_)

- Fix potential race condition in ``App.version_txt.getZopeVersion``
(`999 <https://github.com/zopefoundation/Zope/issues/999>`_)

- Don't coerce file upload fields for adding DTML Documents/Methods to string.
This makes the Add forms work again with the ZPublisher converter code
changes.

- Remove deprecated ulines, utext, utokens, ustring from more code.
In the properties form, show a deprecation warning.

- Add function ``ZPublisher.utils.fix_properties``.
You can call this to fix lines properties to only contain strings, not bytes.
It also replaces the deprecated property types ulines, utext, utokens, and
ustring with their non-unicode variants.
(`987 <https://github.com/zopefoundation/Zope/issues/987>`_)

- Add support for Python 3.10.

- Update to newest compatible versions of dependencies.

5.3.1

------------------

- Prevent race condition in guarded_import
(`123 <https://github.com/zopefoundation/AccessControl/issues/123>`_)

5.3

Not secure
----------------

- Reinstate simple sessioning with ``Products.TemporaryFolder``
because the underlying issues with ``tempstorage`` have been fixed.
(`985 <https://github.com/zopefoundation/Zope/issues/985>`_)

- Update the ``AccessControl`` version pin to fix a remote code execution issue
(see `AccessControl security advisory GHSA-qcx9-j53g-ccgf
<https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf>`_)

- Prevent ``DeprecationWarnings`` from moved imports in ``AccessControl``

- Make sure "Manager" users can always modify proxy roles
(`see Products.PythonScripts#50
<https://github.com/zopefoundation/Products.PythonScripts/issues/50>`_)

- Deprecate usage of "unicode" converters. Also, the behavior of
``field2lines`` is now aligned to the other converters and returns a list of
strings instead of a list of bytes.
(`962 <https://github.com/zopefoundation/Zope/issues/962>`_)

- Update to newest compatible versions of dependencies.

5.2.1

Not secure
------------------

- Prevent unauthorized traversal through authorized Python modules in
TAL expressions

- Facelift the Zope logo.
(`973 <https://github.com/zopefoundation/Zope/issues/973>`_)

- Update to newest compatible versions of dependencies.

5.2

Not secure
----------------

- Prevent traversal to names starting with ``_`` in TAL expressions
and fix path expressions for the ``chameleon.tales`` expression engine.

- Provide friendlier ZMI error message for the Transaction Undo form
(`964 <https://github.com/zopefoundation/Zope/issues/964>`_)

- Updated/fixed the poll application tutorial in the Zope Developers Guide
(`958 <https://github.com/zopefoundation/Zope/issues/958>`_)

- Update to newest versions of dependencies.

- Depend on ``zope.datetime`` for the functions ``iso8601_date``,
``rfc850_date``, and ``rfc1123_date``, which used to be in ``App.Common``,
keeping backwards-compatibility imports in place.

Backwards incompatible changes
++++++++++++++++++++++++++++++

- With the exception of ``field2bytes``, field converters no longer try to
read file-like objects
(`558 <https://github.com/zopefoundation/Zope/issues/558>`_)

5.1.2

Not secure
------------------

- Enforce Zope permissions during recursive XML-RPC data dumps
(`954 <https://github.com/zopefoundation/Zope/issues/954>`_)

- The ``compute_size`` method properly returns None if the content does not
have a ``get_size`` method but the parent has.
(`948 <https://github.com/zopefoundation/Zope/issues/948>`_)

- Fix control panel tab links on all control panel pages

- Update to newest versions of dependencies.

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.