Mako is a Python template library that uses a familiar, non-XML syntax, compiling templates into Python modules for performance. It is useful for building flexible, componentized layouts with inheritance, while keeping templates closely aligned with Python calling and scoping semantics.
Project status
- Actively maintained: Recent updates (notably 1.3.11 and 1.3.12 in April 2026) include security bug fixes and targeted hardening, indicating ongoing maintenance rather than a dormant project.
- Cadence: After several updates in 2024 and early 2025 (roughly every 1 to 6 months), there is a larger gap before 1.3.11 (2026-04-14), followed quickly by 1.3.12 (2026-04-28), suggesting renewed activity and follow-up patching.
Recent updates
rel_1_3_12 (Security)
1 month ago: Release 1.3.12 is a bug fix focused on preventing directory traversal in TemplateLookup when template URIs contain Windows-style backslash separators. The changes normalize backslashes to forward slashes before path resolution to block escaping the configured template directories.
rel_1_3_11 (Security)
1 month ago: Release 1.3.11 is a security-related bug fix focused on preventing directory traversal via specially crafted template URIs. It also includes minor documentation and project metadata updates (versioning, changelog build config, and a new security policy file).
rel_1_3_10
4/10/2025: Release 1.3.10 contains a bug fix for the lexer behavior under strict_undefined when nested list or dict comprehensions are used inside functions. It also bumps the package version and updates documentation and changelog entries.
rel_1_3_9
2/4/2025: Release 1.3.9 is primarily a test-related fix and version/documentation updates. The release notes describe adjusting the tests around Template.future_imports so they no longer rely on legacy behavior of the "future division" statement.
rel_1_3_8
12/7/2024: Version 1.3.8 is a targeted release that claims to revert the lexer fix from 1.3.7 that caused regressions in existing user code. The release notes, however, do not mention several additional behavioral and internal changes visible in the code diff, particularly around default escape handling and parsing quirks.
rel_1_3_7
12/3/2024: Release 1.3.7 focuses on lexer and codegen behavior changes. It addresses (1) undeclared identifiers that conflict with built-in escape/filter flags during code generation, and (2) parsing and handling of dictionary literals passed directly in call expressions, fixing nested brace related errors.
rel_1_3_6
10/21/2024: Release 1.3.6 is a small lexer-focused bug fix. It updates the lexer logic to correctly handle the sequence "<&" so it is not misinterpreted, and it adds a regression test.
rel_1_3_5
5/14/2024: Release 1.3.5 is a lexer-focused regression rollback that reverts a prior change associated with issues #400 and #401. The release notes only mention the behavioral revert, not the specific parsing logic that changed.
rel_1_3_4
5/14/2024: Release 1.3.4 primarily fixes two regressions around Mako expression parsing: one in the parser related to list and dictionary comprehensions, and another in the lexer/parsing of expressions containing sub-brackets such as dictionary literals. The release notes only describe these bug fixes, but the code diff shows at least one additional behavior-affecting change in expression interpolation handling.
rel_1_3_3
4/10/2024: Release 1.3.3 fixes two parser/codegen edge cases reported in issues 146 and 320. It corrects generated Python for templates that have leading control blocks with only comments, and it adjusts strict_undefined handling for comprehensions inside function blocks.
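
The backslash normalization described in the 1.3.12 entry, shown as an added example that is not Mako's own code: a containment check that only understands `/` beside one that converts backslashes first. All function names, `BASE_DIR` and the sample URIs are constructed for illustration, and `ntpath` is used so the Windows interpretation of the final path can be inspected on any OS.

```python
import ntpath
import posixpath

BASE_DIR = "C:/app/templates"  # constructed template directory (assumption)


class TraversalError(ValueError):
    """Template URI would resolve outside BASE_DIR."""


def _relative_inside(rel: str) -> str:
    # Collapse "." and ".." segments, then refuse anything that climbs out.
    rel = posixpath.normpath(rel.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        raise TraversalError(rel)
    return rel


def resolve_slash_only(uri: str) -> str:
    """Weak form: the containment check only sees '/'-separated segments."""
    return posixpath.join(BASE_DIR, _relative_inside(uri))


def resolve_normalized(uri: str) -> str:
    """Hardened form: turn backslashes into '/' before the check runs."""
    return posixpath.join(BASE_DIR, _relative_inside(uri.replace("\\", "/")))


def windows_view(path: str) -> str:
    """The path as Windows rules (ntpath) finally interpret it, on any OS."""
    return ntpath.normpath(path)


def escapes_base(path: str) -> bool:
    """True if the Windows interpretation of path lies outside BASE_DIR."""
    base = ntpath.normpath(BASE_DIR)
    return ntpath.commonpath([base, windows_view(path)]) != base


if __name__ == "__main__":
    for uri in ("layouts\\base.html", "..\\..\\secret.txt"):  # constructed URIs
        weak = resolve_slash_only(uri)
        print(uri, "-> slash-only:", windows_view(weak), "escapes:", escapes_base(weak))
        try:
            print(uri, "-> normalized:", resolve_normalized(uri))
        except TraversalError:
            print(uri, "-> normalized: rejected")
```

The slash-only check treats the whole backslash URI as one file name, so its `..` segments are only collapsed later by the Windows path layer, after the check has already passed.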