You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
v4.5.0(May 12,2026)
Fixed write_pandas temp stage name collisions (SNOW-3481510). The old PRNG could produce identical name sequences in forked processes (e.g. Notebook kernels), causing CREATE TEMPORARY STAGE to fail with "Object already exists".
Fixed a security bug in Okta SAML authentication where _is_prefix_equal() compared url1's port against itself instead of url2's port, allowing an attacker to redirect credentials to a different port on the same hostname. Also fixed the default port fallback to use int instead of str for correct comparison when one URL omits the port.
Fixed executemany with paramstyle="pyformat" to correctly locate the VALUES clause using a balanced-parentheses parser instead of a greedy regex. This fixes incorrect behaviour with nested function calls such as SQLAlchemy @compiles VARIANT patterns (e.g. PARSE_JSON(%(col)s)) and subquery-form INSERTs (SNOW-298756).
Added ECDSA key support (ES256, ES384, ES512) for key-pair authentication.
Added HTTP 307/308 redirect status codes to the retryable set as defense-in-depth, with redirect-aware logging in both sync and async paths.
Consolidated keyring token cache to use a single service name with hashed account keys, reducing macOS Keychain password prompts. Legacy entries are auto-migrated on first read.
Added support for AWS outbound JWT token attestation for Workload Identity Federation (WIF). This can be enabled by setting the SNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKEN environment variable to true. Note: This environment variable will be removed in a future release.
Removed dynamic class deserialization from the OCSP response validation cache to prevent arbitrary code execution via crafted cache files (SNOW-2439940). The SNOWFLAKE_ENABLE_CUSTOM_REVOCATION_ERRORS environment variable is now a no-op.
Updated SPCS token injection to gate on SNOWFLAKE_RUNNING_INSIDE_SPCS environment variable, trim whitespace, and remove configurable token path.
GCP WIF attestation now uses hostname metadata.google.internal instead of the IPv4 link-local address, so it works on IPv6-only GCP VMs.
Fixed a bug where write_pandas() with auto_create_table=False and overwrite=True would execute CREATE TABLE IF NOT EXISTS, which required unnecessary OWNERSHIP privilege on the table. Now only TRUNCATE TABLE is executed in this case. Note: users who relied on the table being implicitly created despite auto_create_table=False should set auto_create_table=True instead.
Added validation of the account connection parameter so malformed identifiers (for example path-like values or labels outside letters, digits, _, and -) are rejected with ProgrammingError before login (SNOW-1902886).
Added support for Azure Workload Identity Federation impersonation, allowing a managed identity to authenticate as a service principal.