4.6.0

• v4.6.0(May 28,2026)
  • Dropped support for Python 3.9. The minimum supported version is now Python 3.10.
  • Fixed sdist to only install the minicore binary matching the current platform (SNOW-3526469). Previous 4.x releases copied every platform's minicore .so/.dylib/.dll into the install prefix, breaking downstream packagers (e.g. Homebrew) whose audits reject foreign-arch binaries.
  • Added one in-band telemetry record per successful login describing which connection-identifier fields the user supplied (account_provided, account_with_region, account_org_provided, region_provided, host_provided). No hostname or account value is included. This is gated by the existing server-side CLIENT_TELEMETRY_ENABLED parameter and can additionally be disabled locally by setting SF_TELEMETRY_DISABLE_CONNECTION_SHAPE=true. The telemetry collection is time-boxed and will be removed in a future release.
  • Bumped up vendored urllib3 to 2.7.0

4.5.0

• v4.5.0(May 12,2026)
  • Fixed write_pandas temp stage name collisions (SNOW-3481510). The old PRNG could produce identical name sequences in forked processes (e.g. Notebook kernels), causing CREATE TEMPORARY STAGE to fail with "Object already exists".
  • Fixed a security bug in Okta SAML authentication where _is_prefix_equal() compared url1's port against itself instead of url2's port, allowing an attacker to redirect credentials to a different port on the same hostname. Also fixed the default port fallback to use int instead of str for correct comparison when one URL omits the port.
  • Fixed executemany with paramstyle="pyformat" to correctly locate the VALUES clause using a balanced-parentheses parser instead of a greedy regex. This fixes incorrect behaviour with nested function calls such as SQLAlchemy @compiles VARIANT patterns (e.g. PARSE_JSON(%(col)s)) and subquery-form INSERTs (SNOW-298756).
  • Added ECDSA key support (ES256, ES384, ES512) for key-pair authentication.
  • Added HTTP 307/308 redirect status codes to the retryable set as defense-in-depth, with redirect-aware logging in both sync and async paths.
  • Consolidated keyring token cache to use a single service name with hashed account keys, reducing macOS Keychain password prompts. Legacy entries are auto-migrated on first read.
  • Added support for AWS outbound JWT token attestation for Workload Identity Federation (WIF). This can be enabled by setting the SNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKEN environment variable to true. Note: This environment variable will be removed in a future release.
  • Removed dynamic class deserialization from the OCSP response validation cache to prevent arbitrary code execution via crafted cache files (SNOW-2439940). The SNOWFLAKE_ENABLE_CUSTOM_REVOCATION_ERRORS environment variable is now a no-op.
  • Updated SPCS token injection to gate on SNOWFLAKE_RUNNING_INSIDE_SPCS environment variable, trim whitespace, and remove configurable token path.
  • GCP WIF attestation now uses hostname metadata.google.internal instead of the IPv4 link-local address, so it works on IPv6-only GCP VMs.
  • Fixed a bug where write_pandas() with auto_create_table=False and overwrite=True would execute CREATE TABLE IF NOT EXISTS, which required unnecessary OWNERSHIP privilege on the table. Now only TRUNCATE TABLE is executed in this case. Note: users who relied on the table being implicitly created despite auto_create_table=False should set auto_create_table=True instead.
  • Added validation of the account connection parameter so malformed identifiers (for example path-like values or labels outside letters, digits, _, and -) are rejected with ProgrammingError before login (SNOW-1902886).
  • Added support for Azure Workload Identity Federation impersonation, allowing a managed identity to authenticate as a service principal.

4.4.0

• v4.4.0(March 24,2026)
  • Bump the lower boundary of cryptography to 46.0.5 due to CVE-2026-26007.
  • Added support for Python 3.14.
  • Removed pyOpenSSL upper bound dependency constraint to allow installation of pyOpenSSL 26.0.0+, which includes a fix for GHSA-vp96-hxj8-p424.
  • Fixed Azure IMDS Metadata header to use lowercase "true" instead of "True", which caused 400 errors during Azure Workload Identity Federation authentication.
  • Fixed default crl_download_max_size to be 20MB instead of 200MB, as the previous value was set too high and could cause out-of-memory issues.
  • Fixed a bug where Azure GET commands would incorrectly set the file status to UPLOADED instead of preserving the DOWNLOADED status during metadata retrieval.
  • Renamed the environment variable for skipping config file permission warnings from SF_SKIP_WARNING_FOR_READ_PERMISSIONS_ON_CONFIG_FILE to SF_SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION. The old variable is still supported but emits a deprecation warning.
  • Fixed unsafe_skip_file_permissions_check flag not being respected when reading connections.toml.
  • Fixed JSONDecodeError in result_batch._load() when fetching large result sets

4.3.0

• v4.3.0(February 12,2026)
  • Ensured proper list conversion - the converter runs to_snowflake on all list elements.
  • Made the parameter server_session_keep_alive in SnowflakeConnection skip checking for pending async queries, providing faster connection close times especially when many async queries are executed.
  • Fix string representation of INTERVAL YEAR and INTERVAL MONTH types.
  • Log a warning when using http protocol for OAuth urls.
  • Deprecated support for custom revocation error classes in OCSP response cache deserialization. By default, only RevocationCheckError exceptions are deserialized from OCSP cache. Custom exception classes can be temporarily enabled by setting the SNOWFLAKE_ENABLE_CUSTOM_REVOCATION_ERRORS environment variable to true or 1, but this support will be removed in a future release.
  • Bumped up vendored urllib3 to 2.6.3
  • Added force_microseconds_precision to cursor.fetch_arrow_all and cursor.fetch_pandas_all to avoid PyArrow schema incosistency between batches.

4.2.0

• v4.2.0(January 07,2026)
  • Added SnowflakeCursor.stats property to expose granular DML statistics (rows inserted, deleted, updated, and duplicates) for operations like CTAS where rowcount is insufficient.
  • Added support for injecting SPCS service identifier token (SPCS_TOKEN) into login requests when present in SPCS containers.
  • Introduced shared library for extended telemetry to identify and prepare testing platform for native rust extensions.

4.1.1

• v4.1.1(TBD)
  • Relaxed pandas dependency requirements for Python below 3.12.
  • Changed CRL cache cleanup background task to daemon to avoid blocking main thread.
  • Fixed NO_PROXY issues with PUT operations

4.1.0

• v4.1.0(November 18,2025)
  • Added the SNOWFLAKE_AUTH_FORCE_SERVER environment variable to force the use of the local-listening server when using the externalbrowser auth method.
    • This allows headless environments (like Docker or Airflow) running locally to auth via a browser URL.
  • Fix compilation error when building from sources with libc++.
  • Pin lower versions of dependencies to oldest version without vulnerabilities.
  • Added no_proxy parameter for proxy configuration without using environmental variables.
  • Added OAUTH_AUTHORIZATION_CODE and OAUTH_CLIENT_CREDENTIALS to list of authenticators that don't require user to be set
  • Added oauth_socket_uri connection parameter allowing to separate server and redirect URIs for local OAuth server.
  • Made platform_detection logs silent and improved its timeout handling. Added support for ENV_VAR_DISABLE_PLATFORM_DETECTION environment variable.
  • Fixed FIPS environments md5 hash issues with multipart upload on Azure.

4.0.0

• v4.0.0(October 09,2025)
  • Added support for checking certificates revocation using revocation lists (CRLs)
  • Added CERT_REVOCATION_CHECK_MODE to CLIENT_ENVIRONMENT
  • Added the workload_identity_impersonation_path parameter to support service account impersonation for Workload Identity Federation on GCP and AWS workloads only
  • Fixed get_results_from_sfqid when using DictCursor and executing multiple statements at once
  • Added the oauth_credentials_in_body parameter supporting an option to send the oauth client credentials in the request body
  • Fix retry behavior for ECONNRESET error
  • Added an option to exclude botocore and boto3 dependencies by setting SNOWFLAKE_NO_BOTO environment variable during installation
  • Revert changing exception type in case of token expired scenario for Oauth authenticator back to DatabaseError
  • Enhanced configuration file security checks with stricter permission validation.
    • Configuration files writable by group or others now raise a ConfigSourceError with detailed permission information, preventing potential credential tampering.
  • Fixed the return type of SnowflakeConnection.cursor(cursor_class) to match the type of cursor_class
  • Constrained the types of fetchone, fetchmany, fetchall
    • As part of this fix, DictCursor is no longer a subclass of SnowflakeCursor; use SnowflakeCursorBase as a superclass of both.
  • Fix "No AWS region was found" error if AWS region was set in AWS_DEFAULT_REGION variable instead of AWS_REGION for WORKLOAD_IDENTITY authenticator
  • Add ocsp_root_certs_dict_lock_timeout connection parameter to set the timeout (in seconds) for acquiring the lock on the OCSP root certs dictionary. Default value for this parameter is -1 which indicates no timeout.
  • Fixed behaviour of trying S3 Transfer Accelerate endpoint by default for internal stages, and always getting HTTP403 due to permissions missing on purpose. Now /accelerate is not attempted.

3.18.0

• v3.18.0(October 03,2025)
  • Added support for pandas conversion for Day-time and Year-Month Interval types

3.17.4

• v3.17.4(September 22,2025)
  • Added support for intermediate certificates as roots when they are stored in the trust store
  • Bumped up vendored urllib3 to 2.5.0 and requests to v2.32.5