Merge pull request #904 from plone/maurits-update-61-from-609

Update 6.1 to include latest changes from 6.0.9

constraints-ecosystem.txt

@@ -5,7 +5,7 @@ plone.app.drafts==2.0.0
 plone.app.jquerytools==1.9.5
 plone.app.mosaic==3.2.0a1
 plone.app.standardtiles==3.1.2
-plone.app.tiles==4.0.0
+plone.app.tiles==4.0.1
 plone.formwidget.autocomplete==1.4.1
 plone.jsonserializer==0.9.11
 products.pdbdebugmode==2.0

constraints-extra.txt

@@ -1,65 +1,66 @@
-argcomplete==3.1.1
-argh==0.28.1
-bleach==6.0.0
+argcomplete==3.1.6
+argh==0.30.4
+bleach==6.1.0
 build==1.0.3
 cachecontrol==0.13.1
 cached-property==1.5.2
 check-manifest==0.49
-click-default-group==1.2.2
+click-default-group==1.2.4
 cmarkgfm==2022.10.27
 colorama==0.4.6
 commonmark==0.9.1
 configparser==5.3.0
 deprecated==1.2.14
 distro==1.8.0
 fancycompleter==0.9.1
-filelock==3.12.2
-gitdb==4.0.10
+filelock==3.13.1
+gitdb==4.0.11
 grpcio-tools==1.59.0
-gitpython==3.1.32
+gitpython==3.1.40
 httplib2==0.22.0
 i18ndude==6.1.0
 incremental==22.10.0
 jaraco.classes==3.3.0
-keyring==23.13.1
+keyring==24.3.0
 lockfile==0.12.2
-markdown-it-py==2.2.0
+markdown-it-py==3.0.0
 mdurl==0.1.2
-more-itertools==9.1.0
-msgpack==1.0.5
+more-itertools==10.1.0
+msgpack==1.0.7
 mxdev==3.0.0
+nh3==0.2.14
 oauthlib==3.2.2
 pdbpp==0.10.3
 pep440==0.1.2
-pep517==0.13.0
+pep517==0.13.1
 pkginfo==1.9.6
 plone.recipe.zeoserver==3.0.1
 plone.releaser==2.2.1
 plone.reload==3.0.2
 plone.versioncheck==1.8.1
 progress==1.6
-pygithub==1.59.0
+pygithub==2.1.1
 pynacl==1.5.0
-pyparsing==3.1.0
+pyparsing==3.1.1
 pyproject-hooks==1.0.0
 pyrepl==0.9.0
 pyroma==4.2
-readme-renderer==40.0.0
+readme-renderer==42.0
 requests-toolbelt==1.0.0
 rfc3986==2.0.0
-rich==13.4.2
-smmap==5.0.0
-stdlib-list==0.9.0
+rich==13.7.0
+smmap==5.0.1
+stdlib-list==0.10.0
 tomli==2.0.1
-towncrier==23.6.0
-trove-classifiers==2023.8.7
+towncrier==23.11.0
+trove-classifiers==2023.11.29
 twine==4.0.2
 wadllib==1.3.6
 webencodings==0.5.1
-wmctrl==0.4
+wmctrl==0.5
 z3c.dependencychecker==2.12
 zest.pocompile==2.0.0
-zest.releaser==9.1.0
+zest.releaser==9.1.1
 zestreleaser.towncrier==1.3.0
 zodbverify==1.2.0
 zope.mkzeoinstance==5.1.1

constraints.txt

@@ -1,13 +1,13 @@
--c https://zopefoundation.github.io/Zope/releases/5.8.6/constraints.txt
-pip==23.2.1
-setuptools==68.2.2
-wheel==0.41.2
+-c https://zopefoundation.github.io/Zope/releases/5.9/constraints.txt
+pip==23.3.1
+setuptools==69.0.2
+wheel==0.42.0
 zc.buildout==3.0.1
 nt-svcutils==2.13.0
 borg.localrole==3.1.11
 diazo==1.5.0
 five.intid==2.0.0
-plone==6.0.7
+plone==6.0.9
 plone.alterego==2.0.0
 plone.api==2.0.8
 plone.app.caching==3.1.3
@@ -25,7 +25,7 @@ plone.app.intid==2.0.0
 plone.app.iterate==5.0.2
 plone.app.layout==4.0.7
 plone.app.linkintegrity==4.0.3
-plone.app.locales==6.0.16
+plone.app.locales==6.0.18
 plone.app.lockingbehavior==2.0.0
 plone.app.multilingual==8.0.2
 plone.app.portlets==5.0.6
@@ -99,7 +99,7 @@ products.cmfdifftool==4.0.1
 products.cmfdynamicviewfti==7.0.2
 products.cmfeditions==4.0.2
 products.cmfplacefulworkflow==3.0.3
-products.cmfplone==6.0.7
+products.cmfplone==6.0.9
 products.extendedpathindex==4.0.1
 products.isurlinportal==2.0.1
 products.mimetypesregistry==3.0.1
@@ -112,7 +112,7 @@ collective.monkeypatcher==1.2.1
 collective.recipe.omelette==1.1.0
 collective.recipe.vscode==0.1.9
 collective.xmltestreport==2.0.2
-icalendar==5.0.7
+icalendar==5.0.11
 products.daterecurringindex==3.0.1
 robotsuite==2.3.2
 five.customerize==2.1.0
@@ -125,67 +125,66 @@ products.mailhost==5.0
 products.pluggableauthservice==2.8.1
 products.pluginregistry==2.0
 products.pythonscripts==5.0
-products.sessions==4.15
+products.sessions==5.0
 products.siteerrorlog==6.0
 products.standardcachemanagers==5.0
-products.zopeversioncontrol==4.0
+products.zopeversioncontrol==4.1
 repoze.xmliter==0.6.1
 z3c.caching==3.0
 z3c.form==5.1
 z3c.formwidget.query==2.0.0
-z3c.objpath==1.3
+z3c.objpath==2.0
 z3c.relationfield==1.0
 z3c.zcmlhook==2.0
 zc.relation==2.0
 zdaemon==5.0
-zeo==5.4.1
+zeo==6.0.0
 zodb3==3.11.0
 zodbupdate==2.0
-zope.app.locales==4.3
+zope.app.locales==5.0
 zope.componentvocabulary==2.3.0
 zope.copy==4.3
 zope.intid==5.0
 zope.keyreference==6.0
 zope.ramcache==3.0
-zope.sendmail==5.3
+zope.sendmail==6.0
 async-generator==1.10
 attrs==23.1.0
 backports.cached-property==1.0.2
-cryptography==41.0.3
+cryptography==41.0.7
 click==8.1.7
 cssselect==1.2.0
 decorator==5.1.1
-exceptiongroup==1.1.2
+exceptiongroup==1.2.0
 feedparser==6.0.10
 furl==2.1.3
 future==0.18.3
-gunicorn==20.1.0
+gunicorn==21.2.0
 h11==0.14.0
-importlib-metadata==6.8.0
 importlib-resources==5.13.0
-jsonschema==4.18.2
-jsonschema-specifications==2023.6.1
+jsonschema==4.20.0
+jsonschema-specifications==2023.11.2
 jeepney==0.8.0
 lxml==4.9.3
 manuel==1.12.4
-markdown==3.4.3
+markdown==3.5.1
 mock==5.1.0
 orderedmultidict==1.0.1
-outcome==1.2.0
-overrides==7.3.1
+outcome==1.3.0post0
+overrides==7.4.0
 piexif==1.1.3
 pillow==9.5.0
 prompt-toolkit==2.0.10
 py==1.11.0
-pyjwt==2.7.0
-pyopenssl==23.2.0
-pyrsistent==0.19.3
+pyjwt==2.8.0
+pyopenssl==23.3.0
+pyrsistent==0.20.0
 pysocks==1.7.1
 python-dateutil==2.8.2
 python-dotenv==1.0.0
 pyyaml==6.0.1
-referencing==0.29.1
-responses==0.23.1
+referencing==0.31.1
+responses==0.24.1
 robotframework==6.0.2
 robotframework-lsp==1.10.1
 robotframework-assertion-engine==2.0.0
@@ -194,28 +193,27 @@ robotframework-debuglibrary==2.3.0
 robotframework-pythonlibcore==4.2.0
 robotframework-selenium2library==3.0.0
 robotframework-selenium2screenshots==0.8.1
-robotframework-seleniumlibrary==6.1.0
+robotframework-seleniumlibrary==6.1.3
 robotframework-seleniumtestability==2.1.0
-rpds-py==0.8.10
+rpds-py==0.13.2
 secretstorage==3.3.3
 selenium==4.9.1
 sgmllib3k==1.0.0
-simplejson==3.19.1
+simplejson==3.19.2
 sniffio==1.3.0
 sortedcontainers==2.4.0
 toml==0.10.2
-trio==0.22.2
-trio-websocket==0.10.3
+trio==0.23.1
+trio-websocket==0.11.1
 types-pyyaml==6.0.12.10
 types-toml==0.10.8.5
-typing-extensions==4.7.1
-unidecode==1.3.6
+typing-extensions==4.8.0
+unidecode==1.3.7
 urllib3-secure-extra==0.1.0
 watchdog==3.0.0
-wcwidth==0.2.6
+wcwidth==0.2.12
 webresource==1.2
-wrapt==1.15.0
+wrapt==1.16.0
 wsproto==1.2.0
-zipp==3.16.1
 backports.zoneinfo==0.2.1; python_version == "3.8"
 pkgutil-resolve-name==1.3.10; python_version == "3.8"

release/RELEASE-NOTES.md

@@ -1,68 +1,47 @@
-# Release notes for Plone 6.0.7
+# Release notes for Plone 6.0.9
 
-* Released: Thursday September 21, 2023
+* Released: Tuesday December 19, 2023
 * Check the [release schedule](https://plone.org/download/release-schedule).
 * Read the [upgrade guide](https://6.docs.plone.org/upgrade/index.html), explaining the biggest changes compared to 5.2.
-* Canonical place for these [release notes](https://dist.plone.org/release/6.0.7/RELEASE-NOTES.md) and the full [packages changelog](https://dist.plone.org/release/6.0.7/changelog.txt).
+* Canonical place for these [release notes](https://dist.plone.org/release/6.0.9/RELEASE-NOTES.md) and the full [packages changelog](https://dist.plone.org/release/6.0.9/changelog.txt).
 
 If you want to jump straight in, here are two important links:
 
-* With pip you can use the constraints file at [https://dist.plone.org/release/6.0.7/constraints.txt](https://dist.plone.org/release/6.0.7/constraints.txt)
-* With Buildout you can use the versions file at [https://dist.plone.org/release/6.0.7/versions.cfg](https://dist.plone.org/release/6.0.7/versions.cfg), plus optionally [`versions-extra.cfg`](https://dist.plone.org/release/6.0.7/versions-extra.cfg) and [`versions-ecosystem.cfg`](https://dist.plone.org/release/6.0.7/versions-ecosystem.cfg).
+* With pip you can use the constraints file at [https://dist.plone.org/release/6.0.9/constraints.txt](https://dist.plone.org/release/6.0.9/constraints.txt)
+* With Buildout you can use the versions file at [https://dist.plone.org/release/6.0.9/versions.cfg](https://dist.plone.org/release/6.0.9/versions.cfg), plus optionally [`versions-extra.cfg`](https://dist.plone.org/release/6.0.9/versions-extra.cfg) and [`versions-ecosystem.cfg`](https://dist.plone.org/release/6.0.9/versions-ecosystem.cfg).
 
 
 ## Highlights
 
-Major changes since 6.0.6:
-
-* This includes security fixes from today's announcement:
-  * https://community.plone.org/t/plone-security-advisory-2023-09-21/17941
-  * https://plone.org/security/hotfix/20230921
-* `Zope`:
-  * Security fixes in `AccessControl` and `RestrictedPython`.  See [community announcement](https://community.plone.org/t/zope-4-8-9-and-5-8-4-released-with-a-security-fix/17849).
-  * Allow only some image types to be displayed inline. Force download for others, especially SVG images.
-  * Tighten down the ZMI frame source logic to only allow site-local sources.
-  * Added image dimensions to SVG file properties.
-* `plone.namedfile`:
-  * Fix stored XSS (Cross Site Scripting) for SVG images.
-  * Add internal modification timestamp with fallback to _p_mtime.
-  * Use new internal modification timestamp as part of the hash key for scales.
-  * Fixed issue with SVG images that contain extensive metadata.
-* `plone.rest`: When ``++api++`` is in the url multiple times, redirect to the proper url.
+Major changes since 6.0.8:
+
+* Plone 6.0.9 is the first release that can run on Python 3.12!
+  Unfortunately, there are [reports](https://github.com/zopefoundation/Zope/issues/1188) that on Python 3.12.1 the tests fail.
+  This should be only a problem in the tests, but it is hard to be completely sure.
+  So we cannot officially recommend Python 3.12 yet.
+* `Zope`: Support Python 3.12.
 * `plone.restapi`:
-  * Fix stored XSS (Cross Site Scripting) for SVG image in user portrait.
-  * Allow passing additional parameters to the delete users endpoint to request not to delete local roles and memberareas.
-  * When serializing blocks, `image_scales` is now added to blocks that contain a resolveuid-based `url`.
-  * When deserializing blocks, `image_scales` is removed.
-  * Add `visit_blocks` util for finding all nested blocks.
-* `plone.dexterity`: Fix a memory leak. For details see [issue 3829](https://github.com/plone/Products.CMFPlone/issues/3829).
-* `plone.app.widgets`: Make this package deprecated. It still works, and is included in Plone 6.0, but Plone 6.1 will not ship with it.
-  Widget base classes have been moved to ``plone.app.z3cform.widgets.patterns``.
-  Also see ``plone.app.widgets.utils`` for information about moving utility methods to their new location.
-* `plone.app.robotframework`: Add support for `playwright`-based tests via `robotframework-browser`.
-* `plone.app.z3cform`: Introduce new Email-Widget which is used for `plone.schema.email.IEmail` fields.  It uses the input type `email`.
-* `plone.volto`: Add `block_types` index to zcatalog. By default it is only added for new Plone sites.
-  To add it to an existing site, run `plone.volto.upgrades.add_block_types_index` manually.
-* `plone.app.multilingual`: Fixes for Indonesian in a multilingual site.  Fix `set_recursive_language` to actually find child objects.
-* `plone.app.querystring`: Fix the `currentUser`` operation when the current user's username is different from their user id.
-* `plone.staticresources`: Update Bootstrap to `5.3.2`, bootstrap-icons to `1.11.1` and Mockup to `5.1.5`:
-  * pat structure: Fix popover-structure-columns, use 2-column layout. (9fb499e)
-  * pat structure: Fix sticky position when toolbar is on top.
-  * pat tinymce: Fix image modal with selected image. Properly await the select2 initialization when using it from the insert image or insert link dialogs.
-* `plonetheme.barceloneta`: Update Bootstrap to `5.3.2`
-* `Products.CMFCore`:
-  * Improve handling of PortalFolder filter input.
-  * Provide a way to not publish items that are acquired.
-* `plone.app.locales`: Updates to nl translations.
+  - Added preview_image and preview_image_link to the list of smart fields for resolveuid and link integrity.
+* ZEO:
+  - Version 6.0.0 supports Python 3.12.
+  - It also switches "to using `async/await` directly instead of `@coroutine/yield`".
+  - That last change sounds like it could potentially have unforeseen side effects, so it would be good to get this more field tested.
+    (I may be too cautious here.)
+  - So for Python 3.11 and lower we pin 5.4.1, and on Python 3.12 we pin 6.0.0.
+    You are encouraged to try out the newer version on all Python versions, and report any problems.
+    We will likely pin the new version for all Python versions in the next Ploen bugfix release.
+  - See the [ZEO 6.0.0 changelog](https://github.com/zopefoundation/ZEO/blob/6.0.0/CHANGES.rst)
 
 
 ## Volto frontend
 
-The default frontend for new Plone 6 sites is Volto. Latest release is [16.24.0](https://www.npmjs.com/package/@plone/volto/v/16.24.0).  See the [changelog](https://github.com/plone/volto/blob/16.24.0/CHANGELOG.md).
+The default frontend for new Plone 6 sites is Volto. Latest release is [16.30.0](https://www.npmjs.com/package/@plone/volto/v/16.30.0).  See the [changelog](https://github.com/plone/volto/blob/16.30.0/CHANGELOG.md).
 Note that this is a JavaScript frontend that you need to run in a separate process with NodeJS.
 
 Also, existing Plone sites need some or more extensive changes to be upgraded before they can use the Volto Frontend. Please read the guide on [migrating from Plone Classic UI to Volto](https://6.docs.plone.org/backend/upgrading/version-specific-migration/migrate-to-volto.html).
 
+Note that Volto 17 is also available, and you can use it on Plone 6.0, but we will keep recommending Volto 16 by default.
+
 
 ## Classic UI
 
@@ -73,23 +52,26 @@ The HTML based and server side rendered UI that was present in Plone 5.2 and ear
 
 This release supports Python 3.8, 3.9, 3.10, and 3.11.
 
+Plone 6.0.9 is the first release that also runs on Python 3.12, but we cannot officially recommend it yet for production use.
+See the remark in the Highlights above about tests failing on 3.12.1.
+That Plone runs on 3.12 is largely made possible by recent changes in `Zope` and `RestrictedPython`, so thanks a lot to the developers working on that!
+
+Note that Plone 6.0 is tested on Python 3.8 and 3.11 on every change to core packages.  For the other Python versions we run the tests once a week.
+
 
 ## pip, buildout, setuptools
 
 In Plone core we use these versions to install Plone:
 
 ```
-pip==23.2
-setuptools==68.0.0
-wheel==0.40.0
+pip==23.3.1
+setuptools==69.0.2
+wheel==0.42.0
 zc.buildout==3.0.1
 ```
 
 In general you are free to use whatever versions work for you, but these worked for us.
 
-Note that `setuptools` 66 or higher is more strict with what versions it can recognize.  If you run `pip` or `buildout` and it suddenly cannot find a package with a non-standard version, then this may be the cause.
-And  `setuptools` 68.1.0 until at least 68.1.2 may give problems with namespace packages, especially when they have multiple levels, like `plone.app.*`, and are installed in editable mode.  And pinning a specific version of `setuptools` in your virtual environment may not even be enough for this case.  See https://github.com/plone/meta/issues/172
-
 
 ## Installation