django/docs/releases/6.0.txt

============================================
Django 6.0 release notes - UNDER DEVELOPMENT
============================================

*Expected December 2025*

Welcome to Django 6.0!

These release notes cover the :ref:`new features <whats-new-6.0>`, as well as
some :ref:`backwards incompatible changes <backwards-incompatible-6.0>` you'll
want to be aware of when upgrading from Django 5.2 or earlier. We've
:ref:`begun the deprecation process for some features
<deprecated-features-6.0>`.

See the :doc:`/howto/upgrade-version` guide if you're updating an existing
project.

Python compatibility
====================

Django 6.0 supports Python 3.12 and 3.13. We **highly recommend** and only
officially support the latest release of each series.

The Django 5.2.x series is the last to support Python 3.10 and 3.11.

Third-party library support for older version of Django
=======================================================

Following the release of Django 6.0, we suggest that third-party app authors
drop support for all versions of Django prior to 5.2. At that time, you should
be able to run your package's tests using ``python -Wd`` so that deprecation
warnings appear. After making the deprecation warning fixes, your app should be
compatible with Django 6.0.

.. _whats-new-6.0:

What's new in Django 6.0
========================

Content Security Policy support
-------------------------------

Built-in support for the :ref:`Content Security Policy (CSP) <security-csp>`
standard is now available, making it easier to protect web applications against
content injection attacks such as cross-site scripting (XSS). CSP allows
declaring trusted sources of content by giving browsers strict rules about
which scripts, styles, images, or other resources can be loaded.

CSP policies can now be enforced or monitored directly using built-in tools:
headers are added via the
:class:`~django.middleware.csp.ContentSecurityPolicyMiddleware`, nonces are
supported through the :func:`~django.template.context_processors.csp` context
processor, and policies are configured using the :setting:`SECURE_CSP` and
:setting:`SECURE_CSP_REPORT_ONLY` settings.

These settings accept Python dictionaries and support Django-provided constants
for clarity and safety. For example::

    from django.utils.csp import CSP

    SECURE_CSP = {
        "default-src": [CSP.SELF],
        "script-src": [CSP.SELF, CSP.NONCE],
        "img-src": [CSP.SELF, "https:"],
    }

The resulting ``Content-Security-Policy`` header would be set to:

.. code-block:: text

    default-src 'self'; script-src 'self' 'nonce-SECRET'; img-src 'self' https:

To get started, follow the :doc:`CSP how-to guide </howto/csp>`. For in-depth
guidance, see the :ref:`CSP security overview <security-csp>` and the
:doc:`reference docs </ref/csp>`.

Adoption of Python's modern email API
-------------------------------------

Email handling in Django now uses Python's modern email API, introduced in
Python 3.6. This API, centered around the
:py:class:`email.message.EmailMessage` class, offers a cleaner and
Unicode-friendly interface for composing and sending emails. It replaces use of
Python's older legacy (``Compat32``) API, which relied on lower-level MIME
classes (from :py:mod:`email.mime`) and required more manual handling of
message structure and encoding.

Notably, the return type of the :class:`EmailMessage.message()
<django.core.mail.EmailMessage>` method is now an instance of Python's
:py:class:`email.message.EmailMessage`. This supports the same API as the
previous ``SafeMIMEText`` and ``SafeMIMEMultipart`` return types, but is not an
instance of those now-deprecated classes.

Minor features
--------------

:mod:`django.contrib.admin`
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* The Font Awesome Free icon set (version 6.7.2) is now used for the admin
  interface icons.

:mod:`django.contrib.admindocs`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* The new :attr:`.AdminSite.password_change_form` attribute allows customizing
  the form used in the admin site password change view.

:mod:`django.contrib.auth`
~~~~~~~~~~~~~~~~~~~~~~~~~~

* The default iteration count for the PBKDF2 password hasher is increased from
  1,000,000 to 1,200,000.

:mod:`django.contrib.contenttypes`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* ...

:mod:`django.contrib.gis`
~~~~~~~~~~~~~~~~~~~~~~~~~

* The new :attr:`.GEOSGeometry.hasm` property checks whether the geometry has
  the M dimension.

* The new :class:`~django.contrib.gis.db.models.functions.Rotate` database
  function rotates a geometry by a specified angle around the origin or a
  specified point.

* The new :attr:`.BaseGeometryWidget.base_layer` attribute allows specifying a
  JavaScript map base layer, enabling customization of map tile providers.

* :lookup:`coveredby` and :lookup:`isvalid` lookups,
  :class:`~django.contrib.gis.db.models.Collect` aggregation, and
  :class:`~django.contrib.gis.db.models.functions.GeoHash` and
  :class:`~django.contrib.gis.db.models.functions.IsValid` database functions
  are now supported on MariaDB 12.0.1+.

* The new :lookup:`geom_type` lookup and
  :class:`GeometryType() <django.contrib.gis.db.models.functions.GeometryType>`
  database function allow filtering geometries by their types.

:mod:`django.contrib.messages`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* ...

:mod:`django.contrib.postgres`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Model fields, indexes, and constraints from :mod:`django.contrib.postgres`
  now include system checks to verify that ``django.contrib.postgres`` is an
  installed app.

* The :class:`.CreateExtension`, :class:`.BloomExtension`,
  :class:`.BtreeGinExtension`, :class:`.BtreeGistExtension`,
  :class:`.CITextExtension`, :class:`.CryptoExtension`,
  :class:`.HStoreExtension`, :class:`.TrigramExtension`, and
  :class:`.UnaccentExtension` operations now support the optional ``hints``
  parameter. This allows providing database hints to database routers to assist
  them in :ref:`making routing decisions <topics-db-multi-db-hints>`.

:mod:`django.contrib.redirects`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* ...

:mod:`django.contrib.sessions`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* ...

:mod:`django.contrib.sitemaps`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* ...

:mod:`django.contrib.sites`
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* ...

:mod:`django.contrib.staticfiles`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :class:`~django.contrib.staticfiles.storage.ManifestStaticFilesStorage` now
  ensures consistent path ordering in manifest files, making them more
  reproducible and reducing unnecessary diffs.

:mod:`django.contrib.syndication`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* ...

Cache
~~~~~

* ...

CSRF
~~~~

* ...

Decorators
~~~~~~~~~~

* ...

Email
~~~~~

* The new ``policy`` argument for :class:`EmailMessage.message()
  <django.core.mail.EmailMessage>` allows specifying the email policy, the set
  of rules for updating and serializing the representation of the message.
  Defaults to :py:data:`email.policy.default`.

* :class:`EmailMessage.attach() <django.core.mail.EmailMessage>` now accepts a
  :class:`~email.message.MIMEPart` object from Python's modern email API.

Error Reporting
~~~~~~~~~~~~~~~

* ...

File Storage
~~~~~~~~~~~~

* ...

File Uploads
~~~~~~~~~~~~

* ...

Forms
~~~~~

* ...

Generic Views
~~~~~~~~~~~~~

* ...

Internationalization
~~~~~~~~~~~~~~~~~~~~

* ...

Logging
~~~~~~~

* ...

Management Commands
~~~~~~~~~~~~~~~~~~~

* The :djadmin:`startproject` and :djadmin:`startapp` commands now create the
  custom target directory if it doesn't exist.

* Common utilities, such as ``django.conf.settings``, are now automatically
  imported to the :djadmin:`shell` by default.

Migrations
~~~~~~~~~~

* Squashed migrations can now themselves be squashed before being transitioned
  to normal migrations.

* Migrations now support serialization of :class:`zoneinfo.ZoneInfo` instances.

* Serialization of deconstructible objects now supports keyword arguments with
  names that are not valid Python identifiers.

Models
~~~~~~

* :doc:`Constraints </ref/models/constraints>` now implement a ``check()``
  method that is already registered with the check framework.

* The new ``order_by`` argument for :class:`~django.db.models.Aggregate` allows
  specifying the ordering of the elements in the result.

* The new :attr:`.Aggregate.allow_order_by` class attribute determines whether
  the aggregate function allows passing an ``order_by`` keyword argument.

* The new :class:`~django.db.models.StringAgg` aggregate returns the input
  values concatenated into a string, separated by the ``delimiter`` string.
  This aggregate was previously supported only for PostgreSQL.

* The :meth:`~django.db.models.Model.save` method now raises a specialized
  :exc:`Model.NotUpdated <django.db.models.Model.NotUpdated>` exception, when
  :ref:`a forced update <ref-models-force-insert>` results in no affected rows,
  instead of a generic :exc:`django.db.DatabaseError`.

* :meth:`.QuerySet.raw` now supports models with a
  :class:`~django.db.models.CompositePrimaryKey`.

* :class:`~django.db.models.JSONField` now supports
  :ref:`negative array indexing <key-index-and-path-transforms>` on SQLite.

* The new :class:`~django.db.models.AnyValue` aggregate returns an arbitrary
  value from the non-null input values. This is supported on SQLite, MySQL,
  Oracle, and PostgreSQL 16+.

Pagination
~~~~~~~~~~

* The new :class:`~django.core.paginator.AsyncPaginator` and
  :class:`~django.core.paginator.AsyncPage` provide async implementations of
  :class:`~django.core.paginator.Paginator` and
  :class:`~django.core.paginator.Page` respectively.

Requests and Responses
~~~~~~~~~~~~~~~~~~~~~~

* ...

Security
~~~~~~~~

* ...

Serialization
~~~~~~~~~~~~~

* ...

Signals
~~~~~~~

* ...

Templates
~~~~~~~~~

* The new variable ``forloop.length`` is now available within a :ttag:`for`
  loop.

* The :ttag:`querystring` template tag now consistently prefixes the returned
  query string with a ``?``, ensuring reliable link generation behavior.

* The :ttag:`querystring` template tag now accepts multiple positional
  arguments, which must be mappings, such as :class:`~django.http.QueryDict`
  or :class:`dict`.

Tests
~~~~~

* The :class:`.DiscoverRunner` now supports parallel test execution on systems
  using the ``forkserver`` :mod:`multiprocessing` start method.

URLs
~~~~

* ...

Utilities
~~~~~~~~~

* ...

Validators
~~~~~~~~~~

* ...

.. _backwards-incompatible-6.0:

Backwards incompatible changes in 6.0
=====================================

Database backend API
--------------------

This section describes changes that may be needed in third-party database
backends.

* ``BaseDatabaseCreation.create_test_db(serialize)`` is deprecated. Use
  ``serialize_db_to_string()`` instead.

* :class:`~django.db.backends.base.schema.BaseDatabaseSchemaEditor` and
  PostgreSQL backends no longer use ``CASCADE`` when dropping a column.

Dropped support for MariaDB 10.5
--------------------------------

Upstream support for MariaDB 10.5 ends in June 2025. Django 6.0 supports
MariaDB 10.6 and higher.

Dropped support for Python < 3.12
---------------------------------

Because Python 3.12 is now the minimum supported version for Django, any
optional dependencies must also meet that requirement. The following versions
of each library are the first to add or confirm compatibility with Python 3.12:

* ``aiosmtpd`` 1.4.5
* ``argon2-cffi`` 23.1.0
* ``bcrypt`` 4.1.1
* ``geoip2`` 4.8.0
* ``Pillow`` 10.1.0
* ``mysqlclient`` 2.2.1
* ``numpy`` 1.26.0
* ``PyYAML`` 6.0.2
* ``psycopg`` 3.1.12
* ``psycopg2`` 2.9.9
* ``redis-py`` 5.1.0
* ``selenium`` 4.23.0
* ``sqlparse`` 0.5.0
* ``tblib`` 3.0.0

Email
-----

* The undocumented ``mixed_subtype`` and ``alternative_subtype`` properties
  of :class:`~django.core.mail.EmailMessage` and
  :class:`~django.core.mail.EmailMultiAlternatives` are no longer supported.

* The undocumented ``encoding`` property of
  :class:`~django.core.mail.EmailMessage` no longer supports Python legacy
  :py:class:`email.charset.Charset` objects.

* As the internal implementations of :class:`~django.core.mail.EmailMessage`
  and :class:`~django.core.mail.EmailMultiAlternatives` have changed
  significantly, closely examine any custom subclasses that rely on overriding
  undocumented, internal underscore methods.

Custom ORM expressions should return params as a tuple
------------------------------------------------------

Prior to Django 6.0, :doc:`custom lookups </howto/custom-lookups>` and
:ref:`custom expressions <writing-your-own-query-expressions>` implementing the
``as_sql()`` method (and its supporting methods ``process_lhs()`` and
``process_rhs()``) were allowed to return a sequence of params in either a list
or a tuple. To address the interoperability problems that resulted, the second
return element of the ``as_sql()`` method should now be a tuple::

  def as_sql(self, compiler, connection) -> tuple[str, tuple]: ...

If your custom expressions support multiple versions of Django, you should
adjust any pre-processing of parameters to be resilient against either tuples
or lists. For instance, prefer unpacking like this::

  params = (*lhs_params, *rhs_params)

Miscellaneous
-------------

* The :ref:`JSON <serialization-formats-json>` serializer now writes a newline
  at the end of the output, even without the ``indent`` option set.

* The undocumented ``django.utils.http.parse_header_parameters()`` function is
  refactored to use Python's :py:class:`email.message.Message` for parsing.
  Input headers exceeding 10000 characters will now raise :exc:`ValueError`.

* Widgets from :mod:`django.contrib.gis.forms.widgets` now render without
  inline JavaScript in templates. If you have customized any geometry widgets
  or their templates, you may need to :ref:`update them
  <geometry-widgets-customization>` to match the new layout.

* Message levels ``messages.DEBUG`` and ``messages.INFO`` now have distinct
  icons and CSS styling in the admin. Previously, these used the same icon and
  styling as the ``messages.SUCCESS`` level. Since
  :meth:`.ModelAdmin.message_user` uses the ``messages.INFO`` level by default,
  set the level to ``messages.SUCCESS`` to retain the previous icon and
  styling.

* The minimum supported version of ``asgiref`` is increased from 3.8.1 to
  3.9.1.

.. _deprecated-features-6.0:

Features deprecated in 6.0
==========================

Positional arguments in ``django.core.mail`` APIs
-------------------------------------------------

.. currentmodule:: django.core.mail

:mod:`django.core.mail` APIs now require keyword arguments for less commonly
used parameters. Using positional arguments for these now emits a deprecation
warning and will raise a :exc:`TypeError` when the deprecation period ends.

* All *optional* parameters (``fail_silently`` and later) must be passed as
  keyword arguments to :func:`get_connection`,  :func:`mail_admins`,
  :func:`mail_managers`, :func:`send_mail`, and :func:`send_mass_mail`.

* All parameters must be passed as keyword arguments when creating an
  :class:`EmailMessage` or :class:`EmailMultiAlternatives` instance, except for
  the first four (``subject``, ``body``, ``from_email``, and ``to``), which may
  still be passed either as positional or keyword arguments.

* :mod:`django.core.mail` APIs now require keyword arguments for less commonly
  used parameters. Using positional arguments for these now emits a deprecation
  warning and will raise a :exc:`TypeError` when the deprecation period ends:

Miscellaneous
-------------

* ``BaseDatabaseCreation.create_test_db(serialize)`` is deprecated. Use
  ``serialize_db_to_string()`` instead.

* The PostgreSQL ``StringAgg`` class is deprecated in favor of the generally
  available :class:`~django.db.models.StringAgg` class.

* The PostgreSQL ``OrderableAggMixin`` is deprecated in favor of the
  ``order_by`` attribute now available on the ``Aggregate`` class.

* The default protocol in :tfilter:`urlize` and :tfilter:`urlizetrunc` will
  change from HTTP to HTTPS in Django 7.0. Set the transitional setting
  ``URLIZE_ASSUME_HTTPS`` to ``True`` to opt into assuming HTTPS during the
  Django 6.x release cycle.

* ``URLIZE_ASSUME_HTTPS`` transitional setting is deprecated.

* Setting :setting:`ADMINS` or :setting:`MANAGERS` to a list of (name, address)
  tuples is deprecated. Set to a list of email address strings instead. Django
  never used the name portion. To include a name, format the address string as
  ``'"Name" <address>'`` or use Python's :func:`email.utils.formataddr`.

* Support for the ``orphans`` argument being larger than or equal to the
  ``per_page`` argument of :class:`django.core.paginator.Paginator` and
  :class:`django.core.paginator.AsyncPaginator` is deprecated.

* Using a percent sign in a column alias or annotation is deprecated.

* Support for passing Python's legacy email :class:`~email.mime.base.MIMEBase`
  object to :class:`EmailMessage.attach() <django.core.mail.EmailMessage>` (or
  including one in the message's ``attachments`` list) is deprecated. For
  complex attachments requiring additional headers or parameters, switch to the
  modern email API's :class:`~email.message.MIMEPart`.

* The ``django.core.mail.BadHeaderError`` exception is deprecated. Python's
  modern email raises a :exc:`!ValueError` for email headers containing
  prohibited characters.

* The ``django.core.mail.SafeMIMEText`` and ``SafeMIMEMultipart`` classes are
  deprecated.

* The undocumented ``django.core.mail.forbid_multi_line_headers()`` and
  ``django.core.mail.message.sanitize_address()`` functions are deprecated.

Features removed in 6.0
=======================

These features have reached the end of their deprecation cycle and are removed
in Django 6.0.

See :ref:`deprecated-features-5.0` for details on these changes, including how
to remove usage of these features.

* Support for passing positional arguments to ``BaseConstraint`` is removed.

* The ``DjangoDivFormRenderer`` and ``Jinja2DivFormRenderer`` transitional form
  renderers are removed.

* ``BaseDatabaseOperations.field_cast_sql()`` is removed.

* ``request`` is required in the signature of ``ModelAdmin.lookup_allowed()``
  subclasses.

* Support for calling ``format_html()`` without passing args or kwargs is
  removed.

* The default scheme for ``forms.URLField`` changed from ``"http"`` to
  ``"https"``.

* The ``FORMS_URLFIELD_ASSUME_HTTPS`` transitional setting is removed.

* The ``django.db.models.sql.datastructures.Join`` no longer fallback to
  ``get_joining_columns()``.

* The ``get_joining_columns()`` method of ``ForeignObject`` and
  ``ForeignObjectRel`` is removed.

* The ``ForeignObject.get_reverse_joining_columns()`` method is removed.

* Support for ``cx_Oracle`` is removed.

* The ``ChoicesMeta`` alias to ``django.db.models.enums.ChoicesType`` is
  removed.

* The ``Prefetch.get_current_queryset()`` method is removed.

* The ``get_prefetch_queryset()`` method of related managers and descriptors is
  removed.

* ``get_prefetcher()`` and ``prefetch_related_objects()`` no longer fallback to
  ``get_prefetch_queryset()``.

See :ref:`deprecated-features-5.1` for details on these changes, including how
to remove usage of these features.

* ``django.urls.register_converter()`` no longer allows overriding existing
  converters.

* The ``ModelAdmin.log_deletion()`` and ``LogEntryManager.log_action()``
  methods are removed.

* The undocumented ``django.utils.itercompat.is_iterable()`` function and the
  ``django.utils.itercompat`` module is removed.

* The ``django.contrib.gis.geoip2.GeoIP2.coords()`` method is removed.

* The ``django.contrib.gis.geoip2.GeoIP2.open()`` method is removed.

* Support for passing positional arguments to ``Model.save()`` and
  ``Model.asave()`` is removed.

* The setter for ``django.contrib.gis.gdal.OGRGeometry.coord_dim`` is removed.

* The ``check`` keyword argument of ``CheckConstraint`` is removed.

* The ``get_cache_name()`` method of ``FieldCacheMixin`` is removed.

* The ``OS_OPEN_FLAGS`` attribute of
  :class:`~django.core.files.storage.FileSystemStorage` is removed.