[Snyk] Security upgrade django from 3.2.25 to 4.2.26 #772
robertatakenaka wants to merge 1 commit into main from
Conversation
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-13836728
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-13837025
Pull Request Overview
This PR upgrades Django from version 3.2.25 to 4.2.26 to address two security vulnerabilities (SNYK-PYTHON-DJANGO-13836728 and SNYK-PYTHON-DJANGO-13837025) identified by Snyk. This is a major version upgrade that fixes SQL injection and other security issues.
- Upgrades Django from 3.2.25 (LTS) to 4.2.26 (LTS) to patch security vulnerabilities
- Adds a Snyk-pinned Django dependency constraint to local requirements
| django-coverage-plugin==3.1.0 # https://github.com/nedbat/django_coverage_plugin | ||
| pytest-django==4.7.0 # https://github.com/pytest-dev/pytest-django | ||
| tornado>=6.4.1 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| django>=4.2.26 # not directly required, pinned by Snyk to avoid a vulnerability |
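Review bot: the new `django>=4.2.26` line is placed in requirements/local.txt with the comment "not directly required", yet the same file directly lists Django tooling (`pytest-django`, `django-coverage-plugin`), and a floor added here cannot override an exact pin carried by any base file that local.txt includes: if another requirements file still says `django==3.2.25`, `pip install -r requirements/local.txt` will fail to resolve. The version change belongs in the file that declares Django, and the range should be bounded (`django>=4.2.26,<5`) or pinned (`django==4.2.26`) so an open `>=` does not silently pull in a later major version; verify the result with `pip install -r requirements/local.txt` followed by `pip check`.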
Adding django>=4.2.26 to local.txt creates a dependency conflict. Django 3.2.x is likely pinned in a base requirements file (e.g., base.txt or production.txt), but this adds a conflicting constraint requiring 4.2.26+. This is a major version upgrade (3.2→4.2) that requires updating the primary Django dependency declaration and testing for breaking changes, not just adding a constraint in local.txt. The PR should update the main Django requirement instead of adding a duplicate constraint.
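The conflict the review above describes can be checked mechanically before the PR is merged. The script below is an added example written for this page, not code from the project, Snyk or Copilot. It walks a set of requirements files held in memory (the base.txt content and the `-r base.txt` include are constructed assumptions modelled on the layout the review describes; local.txt mirrors the lines visible in the diff), follows `-r` includes, and reports every package whose `==` pin fails another constraint on the same package, plus packages whose only constraint is an open `>=` floor.

```python
import re
from typing import Dict, List, Tuple

Constraint = Tuple[str, str, str]  # (operator, version, source file)

# Constructed sample files (assumption: base.txt pins Django 3.2 and local.txt
# includes it, as the review suspects). Not the project's real files.
SAMPLE_FILES = {
    "requirements/base.txt": (
        "django==3.2.25  # https://www.djangoproject.com/\n"
        "django-extensions==3.2.3\n"
    ),
    "requirements/local.txt": (
        "-r base.txt\n"
        "django-coverage-plugin==3.1.0\n"
        "pytest-django==4.7.0\n"
        "tornado>=6.4.1  # not directly required, pinned by Snyk to avoid a vulnerability\n"
        "django>=4.2.26  # not directly required, pinned by Snyk to avoid a vulnerability\n"
    ),
}

# Same layout after moving the upgrade into base.txt (constructed "after" state).
FIXED_FILES = dict(SAMPLE_FILES)
FIXED_FILES["requirements/base.txt"] = "django==4.2.26\ndjango-extensions==3.2.3\n"

REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|!=|~=|>|<)\s*([0-9][0-9.]*)"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-only versions (enough for the pins on this page)."""
    return tuple(int(p) for p in v.split("."))


def satisfies(op: str, spec_version: str, candidate: Tuple[int, ...]) -> bool:
    """Does `candidate` meet the single specifier `op spec_version`?"""
    b = parse_version(spec_version)
    if op == "~=":  # compatible release: >= b and same prefix up to the last part
        prefix = b[:-1]
        return candidate >= b and candidate[: len(prefix)] == prefix
    return {
        "==": candidate == b, "!=": candidate != b,
        ">=": candidate >= b, "<=": candidate <= b,
        ">": candidate > b, "<": candidate < b,
    }[op]


def collect_constraints(files: Dict[str, str], entry: str) -> Dict[str, List[Constraint]]:
    """Follow -r includes (relative to the including file) and gather every
    specifier per normalised package name, remembering which file it came from."""
    constraints: Dict[str, List[Constraint]] = {}
    seen = set()

    def walk(path: str) -> None:
        if path in seen:
            return
        seen.add(path)
        base_dir = path.rsplit("/", 1)[0] if "/" in path else ""
        for raw in files[path].splitlines():
            line = raw.split("#", 1)[0].strip()  # drop trailing comments
            if not line:
                continue
            if line.startswith("-r "):
                inc = line[3:].strip()
                walk(f"{base_dir}/{inc}" if base_dir else inc)
                continue
            m = REQ_RE.match(line)
            if m:
                name, op, ver = m.groups()
                key = name.lower().replace("_", "-")
                constraints.setdefault(key, []).append((op, ver, path))

    walk(entry)
    return constraints


def find_conflicts(constraints: Dict[str, List[Constraint]]) -> Dict[str, List[str]]:
    """A package is in conflict when one of its == pins fails any other specifier."""
    conflicts: Dict[str, List[str]] = {}
    for name, specs in constraints.items():
        for pin in [s for s in specs if s[0] == "=="]:
            pinned = parse_version(pin[1])
            for op, ver, src in specs:
                if (op, ver, src) != pin and not satisfies(op, ver, pinned):
                    conflicts.setdefault(name, []).append(
                        f"{name}=={pin[1]} ({pin[2]}) does not satisfy {name}{op}{ver} ({src})"
                    )
    return conflicts


def open_upper_bound(constraints: Dict[str, List[Constraint]]) -> List[str]:
    """Packages held only by >= / > floors: any future major release is accepted."""
    return sorted(
        name for name, specs in constraints.items()
        if all(op in (">=", ">") for op, _, _ in specs)
    )


if __name__ == "__main__":
    found = collect_constraints(SAMPLE_FILES, "requirements/local.txt")
    for msgs in find_conflicts(found).values():
        print("\n".join(msgs))
    print("unbounded floors:", open_upper_bound(found))
```

On the constructed sample this flags `django==3.2.25` in base.txt against `django>=4.2.26` in local.txt and lists `tornado` as an unbounded floor; with the pin moved to base.txt as `django==4.2.26` no conflict remains. The check is a pre-merge sanity test only; pip's own resolver (`pip install -r requirements/local.txt` then `pip check`) stays authoritative.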
| django>=4.2.26 # not directly required, pinned by Snyk to avoid a vulnerability |
| django-coverage-plugin==3.1.0 # https://github.com/nedbat/django_coverage_plugin | ||
| pytest-django==4.7.0 # https://github.com/pytest-dev/pytest-django | ||
| tornado>=6.4.1 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| django>=4.2.26 # not directly required, pinned by Snyk to avoid a vulnerability |
The comment 'not directly required' is misleading since Django is clearly a direct dependency of this project (as indicated by django-extensions requiring it). The comment should accurately reflect that this is upgrading an existing Django dependency for security reasons.
| django>=4.2.26 # not directly required, pinned by Snyk to avoid a vulnerability | |
| django>=4.2.26 # direct dependency; version pinned/upgraded for security reasons |
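Review bot: the suggested comment calls the version "pinned/upgraded", but the specifier on the same line, `django>=4.2.26`, is a floor rather than a pin: it accepts every newer release, including a later major version. Either change the specifier to `django==4.2.26` so it matches the comment, or keep `>=` and word the comment as a minimum version required for the security fix; the comment and the specifier should not disagree.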
Snyk has created this PR to fix 2 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
requirements/local.txt
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 SQL Injection