Merge branch 'main' into release-please--branches--main--changes--next

Author: musa-cf

.github/workflows/semgrep.yml

@@ -1,19 +1,31 @@
+name: Semgrep OSS scan
 on:
+  pull_request: {}
+  push:
+    branches: [main, master]
   workflow_dispatch: {}
   schedule:
-    - cron: '0 4 * * *'
-name: Semgrep config
+    - cron: '0 0 15 * *'
+concurrency:
+  group: semgrep-${{ github.event_name }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+permissions:
+  contents: read
 jobs:
   semgrep:
-    name: semgrep/ci
-    runs-on: ubuntu-latest
-    env:
-      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
-      SEMGREP_URL: https://cloudflare.semgrep.dev
-      SEMGREP_APP_URL: https://cloudflare.semgrep.dev
-      SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
-    container:
-      image: returntocorp/semgrep
+    name: semgrep-oss
+    runs-on: ubuntu-slim
+    timeout-minutes: 25
     steps:
-      - uses: actions/checkout@v4
-      - run: semgrep ci
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 1
+      - id: cache-semgrep
+        uses: actions/cache@v5
+        with:
+          path: ~/.local
+          key: semgrep-1.160.0-${{ runner.os }}
+      - if: steps.cache-semgrep.outputs.cache-hit != 'true'
+        run: pip install --user semgrep==1.160.0
+      - run: echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+      - run: semgrep scan --config=auto

CHANGELOG.md

@@ -58,6 +58,123 @@ Full Changelog: [v5.0.0-beta.2...v5.0.0-beta.3](https://github.com/cloudflare/cl
 
 * add Authentication section to README ([70d934a](https://github.com/cloudflare/cloudflare-python/commit/70d934abd91cfa8f8444e0651ac97012c1d0edcf))
 
+## 5.0.0 (2026-04-30)
+
+Full Changelog: [v4.3.1...v5.0.0](https://github.com/cloudflare/cloudflare-python/compare/v4.3.1...v5.0.0)
+
+This is a major release of the Cloudflare Python SDK. It drops support for
+Python 3.8, adds 11 new API services, introduces optional aiohttp backend
+support for improved async concurrency, and includes hundreds of type and
+method updates across the entire API surface.
+
+Please review the breaking changes below before upgrading. A migration guide
+is available at [docs/migration-guides/v5.0.0-migration-guide.md](./docs/migration-guides/v5.0.0-migration-guide.md).
+
+---
+
+#### Breaking Changes
+
+- **Python 3.8 is no longer supported.** The minimum required version is now Python 3.9. ([pyproject.toml](https://github.com/cloudflare/cloudflare-python/compare/v4.3.1...v5.0.0))
+- **`typing-extensions` minimum version bumped** from `>=4.10` to `>=4.14`.
+
+Additionally, the following resources have breaking changes:
+
+- `abusereports`
+- `acm.totaltls`
+- `apigateway.configurations`
+- `cloudforceone.threatevents`
+- `d1.database`
+- `intel.indicatorfeeds`
+- `logpush.edge`
+- `origintlsclientauth.hostnames`
+- `queues.consumers`
+- `radar.bgp`
+- `rulesets.rules`
+- `schemavalidation.schemas`
+- `snippets`
+- `zerotrust.dlp`
+- `zerotrust.networks`
+
+See the [v5.0.0 Migration Guide](./docs/migration-guides/v5.0.0-migration-guide.md) for upgrade instructions and resource-specific guidance.
+
+---
+
+#### Features
+
+* **aiohttp backend support:** The async client now supports an optional `aiohttp` HTTP backend for improved concurrency performance. Install with `pip install cloudflare[aiohttp]` and use `DefaultAioHttpClient()` as the `http_client` parameter.
+* **Python 3.13 and 3.14 support** added as tested classifiers.
+
+##### New Services
+
+The following top-level resources are new in this release:
+
+* **AISearch** (`aisearch`): AI-powered search capabilities
+* **Connectivity** (`connectivity`): Connectivity testing and diagnostics
+* **EmailSending** (`email_sending`): Email send and send_raw endpoints
+* **Fraud** (`fraud`): Fraud detection and prevention
+* **GoogleTagGateway** (`google_tag_gateway`): Google Tag Gateway management
+* **Organizations** (`organizations`): Organization audit logs and management
+* **R2DataCatalog** (`r2_data_catalog`): R2 Data Catalog operations
+* **RealtimeKit** (`realtime_kit`): Realtime communication (Calls/TURN)
+* **ResourceTagging** (`resource_tagging`): Resource tagging and labeling
+* **TokenValidation** (`token_validation`): Token validation configuration and rules
+* **VulnerabilityScanner** (`vulnerability_scanner`): Vulnerability scanning, credential sets, and target environments
+
+##### New Endpoints on Existing Services
+
+* **accounts:** update generated types and methods
+* **api_gateway:** add labels endpoints (WAM-1196)
+* **billing:** add billable usage PayGo endpoint
+* **brand_protection:** add v2 endpoints
+* **browser_rendering:** add devtools methods (BRAPI-1051)
+* **cache:** add origin cloud regions resource
+* **custom_origin_trust_store:** enable custom origin trust store
+* **dns:** add dns_records/usage endpoints (DNS-12466)
+* **email_security:** add phishguard reports endpoint
+* **iam:** add user_groups and user_group_members resources
+* **radar:** add Botnet Threat Feed and Post-Quantum endpoints
+* **workers:** add Observability Destinations resources (WO-989)
+* **zero_trust:** add Access Users endpoint (AUTH-7071), DEX rules, Device IP Profile, Device Subnet, WARP Connector connections and failover endpoints, WARP Subnet endpoints, Gateway PAC files (GIN-1439)
+* **zones:** add zone environments endpoints
+
+##### Updated Services
+
+Nearly every existing service received type and method updates through
+composite API spec refreshes. Notable updates include:
+
+* **email_security:** remove deprecated type definitions
+* **radar:** restructured to use per-resource api.md sub-files (no client path changes)
+* **workers_for_platforms:** update generated types
+* **r2:** update generated types
+* **fraud:** update generated types and methods
+
+
+#### Bug Fixes
+
+* **_models:** add `polymorphic_serialization` parameter to `model_dump` overrides ([342b5a8](https://github.com/cloudflare/cloudflare-python/commit/342b5a84daaf5c09e3e1612809d956d916a43621))
+* **pipelines:** add `BaseModel` base to response `SchemaFieldStruct`/`SchemaFieldList` stubs ([d33af8b](https://github.com/cloudflare/cloudflare-python/commit/d33af8b5d5c1705fde4ae73efdbe3bfe3ba321df))
+* **dlp:** add missing `model_rebuild`/`update_forward_refs` for `SharedEntryCustomEntry` classes ([25ec10c](https://github.com/cloudflare/cloudflare-python/commit/25ec10c814d138f8dea08a79f9984b70abb58477))
+* **workers:** make `RunQueryParametersNeedleValue` a `BaseModel` with `arbitrary_types_allowed` ([6b7efbc](https://github.com/cloudflare/cloudflare-python/commit/6b7efbc51e6189ba18225c57637015f050060683))
+* **stream:** remove duplicate `notification_url` field in webhook response types ([fc9fb2f](https://github.com/cloudflare/cloudflare-python/commit/fc9fb2f895c5de968f67c62bb599a6792be9fa8f))
+* resolve pre-existing codegen type errors ([fed88d6](https://github.com/cloudflare/cloudflare-python/commit/fed88d6c5a5e482a9de595a1431915320fa11d23))
+* **radar:** fix `type: ignore[call-arg]` placement for mypy compatibility ([fac9404](https://github.com/cloudflare/cloudflare-python/commit/fac9404ebfa1eb5383a3d3c54f49e4120eb8cd11))
+* fix broken reference for the queues `consumer` model ([3f5cf39](https://github.com/cloudflare/cloudflare-python/commit/3f5cf39405b6b38fc594ce348d93a6e7da92c276))
+
+
+#### Chores
+
+* **build:** migrate from rye to uv for project management ([2f283c2](https://github.com/cloudflare/cloudflare-python/commit/2f283c29584b49e7c000f5e04aa5edc62db36ab9))
+* **ci:** pin single Python version and pydantic v2 for test runs ([86676bc](https://github.com/cloudflare/cloudflare-python/commit/86676bca670d38d5947041bc5677138640dd6d92))
+* **typing:** add mypy configuration with strict mode ([pyproject.toml](https://github.com/cloudflare/cloudflare-python/compare/v4.3.1...v5.0.0))
+* **api:** 80+ composite API spec updates across the release cycle
+
+
+#### Documentation
+
+* add Authentication section to README ([70d934a](https://github.com/cloudflare/cloudflare-python/commit/70d934abd91cfa8f8444e0651ac97012c1d0edcf))
+* add aiohttp backend usage instructions to README
+* add MCP server integration badges (Cursor, VS Code)
+
 ## 5.0.0-beta.2 (2026-04-20)
 
 Full Changelog: [v5.0.0-beta.1...v5.0.0-beta.2](https://github.com/cloudflare/cloudflare-python/compare/v5.0.0-beta.1...v5.0.0-beta.2)

README.md

@@ -26,7 +26,7 @@ The REST API documentation can be found on [developers.cloudflare.com](https://d
 
 ```sh
 # install from PyPI
-pip install --pre cloudflare
+pip install cloudflare
 ```
 
 ## Usage
@@ -90,7 +90,7 @@ You can enable this by installing `aiohttp`:
 
 ```sh
 # install from PyPI
-pip install --pre cloudflare[aiohttp]
+pip install cloudflare[aiohttp]
 ```
 
 Then you can enable it by instantiating the client with `http_client=DefaultAioHttpClient()`:

docs/v5-migration-guide.md …gration-guides/v5.0.0-migration-guide.mddocs/v5-migration-guide.md renamed to docs/migration-guides/v5.0.0-migration-guide.md docs/v5-migration-guide.md renamed to docs/migration-guides/v5.0.0-migration-guide.md

@@ -6,9 +6,50 @@ This guide helps you migrate your code from v4.3.1 to v5 of the Cloudflare Pytho
 
 Version 5 introduces several breaking changes across multiple resources. This guide provides detailed migration instructions for each affected resource.
 
-**Important**: This is a beta release. APIs and types may change before the final v5.0.0 release.
+## Broad Breaking Changes
 
-## Quick Reference
+### 1. Python 3.8 is no longer supported
+
+**What changed:**
+The minimum required Python version is now 3.9. Python 3.8 reached end-of-life
+in October 2024.
+
+**Impact:**
+If you are running Python 3.8, your application will fail to install or run
+with cloudflare v5.0.0.
+
+**Actions Needed:**
+1. Upgrade to Python 3.9 or later (3.12+ recommended).
+2. Update any CI/CD pipelines or Docker images that pin Python 3.8.
+3. Review your `pyproject.toml` or `setup.py` for `python_requires` constraints.
+
+**Before (v4.x):**
+```
+requires-python = ">= 3.8"
+```
+
+**After (v5.0.0):**
+```
+requires-python = ">= 3.9"
+```
+
+### 2. typing-extensions minimum version bumped
+
+**What changed:**
+The minimum version of `typing-extensions` was raised from `>=4.10` to `>=4.14`.
+
+**Impact:**
+If you pin `typing-extensions` to a version below 4.14, dependency resolution
+will fail.
+
+**Actions Needed:**
+1. Update any version pins on `typing-extensions` to `>=4.14`.
+2. Run `pip install --upgrade typing-extensions` or let your dependency
+   resolver handle it.
+
+---
+
+## Quick Reference for Resource Changes
 
 Resources with breaking changes: