Sourced from flask-wtf's releases.

v1.3.0

What's Changed

• pre-commit autoupdate by @​azmeuk in pallets-eco/flask-wtf#607
• remove slsa provenance by @​davidism in pallets-eco/flask-wtf#638
• Support for Python 3.14 by @​azmeuk in pallets-eco/flask-wtf#648
• Try not to read uploaded files into memory by @​Zverik in pallets-eco/flask-wtf#635
• Migrate the project to uv by @​azmeuk in pallets-eco/flask-wtf#649
• ReCaptcha field testing mode documentation by @​OmeirP in pallets-eco/flask-wtf#650
• Allow nonce in reCaptcha by @​kesara in pallets-eco/flask-wtf#312
• CSRF meta tag helper by @​azmeuk in pallets-eco/flask-wtf#674
• widget support the kwargs to add custom html attributes by @​thivolle-cazat-cedric in pallets-eco/flask-wtf#353
• Respect exempts in CSRFProtect.protect() by @​rauchy in pallets-eco/flask-wtf#419
• Adding RECAPTCHA_ENABLE to disable recaptcha by @​rnt in pallets-eco/flask-wtf#509
• Improve CSRF Documentation by @​israel-oye in pallets-eco/flask-wtf#584

New Contributors

• @​Zverik made their first contribution in pallets-eco/flask-wtf#635
• @​OmeirP made their first contribution in pallets-eco/flask-wtf#650
• @​kesara made their first contribution in pallets-eco/flask-wtf#312
• @​thivolle-cazat-cedric made their first contribution in pallets-eco/flask-wtf#353
• @​rauchy made their first contribution in pallets-eco/flask-wtf#419
• @​rnt made their first contribution in pallets-eco/flask-wtf#509
• @​israel-oye made their first contribution in pallets-eco/flask-wtf#584

Full Changelog: pallets-eco/flask-wtf@v1.2.2...v1.3.0

Sourced from flask-wtf's changelog.

Version 1.3.0

Released 2026-04-23

• Don't read the whole uploaded files to know their size. :pr:635
• Stop support for Python 3.9. Start support for Python 3.14. :pr:648
• Migrate the project to uv. :pr:649
• Allow setting a nonce on :class:~flask_wtf.recaptcha.RecaptchaField (string or zero-argument callable) for nonce-based Content Security Policies. :pr:312
• Add csrf_meta_tag() helper and WTF_CSRF_META_NAME setting to render the CSRF token as an HTML <meta> tag.
• Forward keyword arguments passed to the reCAPTCHA widget as HTML attributes on the captcha <div>, with the field id used as a default id. :pr:353
• Add apply_exemptions parameter to :meth:~flask_wtf.csrf.CSRFProtect.protect so @csrf.exempt keeps working when validation is triggered manually. :pr:419
• Add RECAPTCHA_ENABLED setting. :pr:509

• 63eb4d3 chore: bump to v1.3.0
• 192ece3 Improve CSRF Documentation (#584)
• 1f8522d Adding RECAPTCHA_ENABLE to disable recaptcha (#509)
• 64b9215 Respect exempts in CSRFProtect.protect() (#419)
• adf674f widget support the kwargs to add custom html attributes (#353)
• ea1f797 feat: CSRF meta tag helper (#674)
• 412e3ef Allow nonce in reCaptcha (#312)
• a7b764a ReCaptcha field testing mode documentation (#650)
• c053c0e chore(deps-dev): bump pytest from 9.0.1 to 9.0.3 (#673)
• ca2216c chore(deps): bump uv from 0.9.11 to 0.11.6 (#672)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)