Bump django from 4.2.13 to 5.0.7 #10552
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
dependabot
bot
added
dependencies
DryRun Security SummaryThe provided code change represents a significant update to the project's dependencies, particularly the upgrade of the Django version from 4.2.14 to 5.0.7, which requires careful testing and review for potential security implications. Expand for full summarySummary: The provided code change represents a significant update to the project's dependencies, particularly the upgrade of the Django version from 4.2.14 to 5.0.7. This is a major version upgrade, which could potentially introduce breaking changes and require careful testing to ensure the application continues to function correctly. From an application security perspective, the version upgrade is worth reviewing for several reasons. First, the new Django version may include security fixes and improvements compared to the previous version, so it's important to review the Django release notes and security advisories to understand if there are any critical security vulnerabilities that have been addressed. Second, the upgrade may also introduce new security features or changes to existing security-related functionality, such as authentication, authorization, or input validation, which should be carefully evaluated to ensure they align with the application's security requirements. Finally, the application's existing security controls and configurations may need to be reviewed and potentially updated to maintain the desired level of security. In addition to the Django version update, several other package versions have been updated, including Files Changed:
Code AnalysisWe ran
Riskiness🟢 Risk threshold not exceeded. |
Yes, I remembered that you started working towards 5.0 in that PR. I believe Cody was looking at #10420 but I also know he doesn't have power thanks to a hurricane so it may be a couple of days before he can comment on that PR. I was thinking that getting 5.0 merged right after 2.37.0 (August) is released would give us a good month of 5.0 running in the dev branch to shake out any bugs. Does that match what you were thinking? |
Sounds good to me 👍 |
dependabot
bot
force-pushed
the
dependabot/pip/dev/django-5.0.7
branch
6 times, most recently
from
1792d4f
to
8c1811f
Compare
|
|
@dependabot rebase |
Bumps [django](https://github.com/django/django) from 4.2.13 to 5.0.7. - [Commits](django/django@4.2.13...5.0.7) --- updated-dependencies: - dependency-name: django dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
force-pushed
the
dependabot/pip/dev/django-5.0.7
branch
from
8c1811f
to
24b0d78
Compare
|
Superseded by #10690. |
Bumps django from 4.2.13 to 5.0.7.
Commits
deec9b9[5.0.x] Bumped version for 5.0.7 release.3a7bf7f[5.0.x] Made cosmetic edits to 5.0.7 release notes.8e7a44e[5.0.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in get_supported_lang...9f4f63e[5.0.x] Fixed CVE-2024-39330 -- Added extra file name validation in Storage's...07cefde[5.0.x] Fixed CVE-2024-39329 -- Standarized timing of verify_password() when ...7285644[5.0.x] Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizet...8303400[5.0.x] Fixed 35506 -- Clarified initial references to URLconf in tutorial 1.c76089b[5.0.x] Refs #35560 -- Corrected CheckConstraint argument name in model_field...43aa0c1[5.0.x] Removed outdated note about limitations in Clickjacking protection.0602fc2[5.0.x] Fixed #35560 -- Made Model.full_clean() ignore GeneratedFields for co...Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)