[Snyk] Security upgrade django from 3.2.25 to 4.2.26 #771
robertatakenaka wants to merge 1 commit into main from
Conversation
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-DJANGO-13836728 - https://snyk.io/vuln/SNYK-PYTHON-DJANGO-13837025
Pull Request Overview
This PR upgrades Django from version 3.2.25 to 4.2.26 to address 2 security vulnerabilities (SQL Injection and another vulnerability) identified by Snyk.
Key Changes:
- Django version upgraded from 3.2.25 to 4.2.26
- Addition of explicit Django dependency constraint in production requirements
| # ------------------------------------------------------------------------------ | ||
| elastic-apm==6.21.4.post8347027212 No newline at end of file | ||
| elastic-apm==6.21.4.post8347027212 | ||
| django>=4.2.26 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
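Review bot: the added line `django>=4.2.26` has no upper bound, so a clean install of this production requirements file will resolve to whatever the newest Django release is, including the 5.x line, and the inline comment "not directly required" is wrong for a project's web framework. The neighbouring entry is pinned exactly (`elastic-apm==6.21.4.post8347027212`), so pin Django the same way (`django==4.2.26`) or at least cap it (`django>=4.2.26,<5.0`) and replace the comment with the real reason, e.g. `# pinned by Snyk to address security vulnerabilities`. Two further points: 3.2.25 to 4.2.26 crosses a major-version boundary and this PR touches only requirements/production.txt, so it should not be merged without the project's test suite passing against 4.2; and the new last line is still written without a trailing newline, which will show up as a spurious change in the next diff.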
The comment 'not directly required' is misleading since Django is clearly a core framework dependency, not a transitive one. Consider updating the comment to accurately reflect that this is pinning the Django version for security reasons, e.g., '# pinned by Snyk to address security vulnerabilities'.
| django>=4.2.26 # not directly required, pinned by Snyk to avoid a vulnerability | |
| django>=4.2.26 # pinned by Snyk to address security vulnerabilities |
Using '>=' allows any version 4.2.26 or higher, which could introduce breaking changes in future major versions (e.g., 5.x). Consider using a more restrictive version constraint like 'django>=4.2.26,<5.0' to prevent unintended upgrades while still receiving 4.x security patches.
| django>=4.2.26 # not directly required, pinned by Snyk to avoid a vulnerability | |
| django>=4.2.26,<5.0 # not directly required, pinned by Snyk to avoid a vulnerability |
Snyk has created this PR to fix 2 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
requirements/production.txt
Important: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
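The review thread above turns on what a requirements-file constraint actually admits: `django>=4.2.26` accepts any later release, `django>=4.2.26,<5.0` caps it at the 4.x line, and an exact `==` pin accepts one version. The following checker is an added example, not code from this PR, from Snyk or from the project. It parses the small PEP 440 subset that appears in such files (`==`, `!=`, `>=`, `>`, `<=`, `<` over dotted numeric versions, plus a `.postN` suffix as on the `elastic-apm` line), reports which candidate versions each constraint admits, and lints a requirements file for entries with no upper bound. The file contents and the candidate version list are constructed for the example; real resolvers should use the `packaging` library, which implements the full specification.

```python
"""Check what a requirements.txt constraint admits (stdlib only).

Added example, not the project's or Snyk's code. Supports the PEP 440
subset seen in the PR: ==, !=, >=, >, <=, < over dotted numeric versions,
optionally with a .postN suffix. Everything else raises ValueError.
"""
import re
from dataclasses import dataclass

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*([^#]*?)\s*(#.*)?$")
_SPEC_RE = re.compile(r"^(==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*(?:\.post\d+)?)$")
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.post(\d+))?$")

_OPS = {
    "==": lambda v, w: v == w,
    "!=": lambda v, w: v != w,
    ">=": lambda v, w: v >= w,
    ">": lambda v, w: v > w,
    "<=": lambda v, w: v <= w,
    "<": lambda v, w: v < w,
}


def parse_version(text):
    """'4.2.26' -> ((4, 2, 26), 0); '6.21.4.post5' -> ((6, 21, 4), 5).

    Tuples compare component-wise. Trailing zeros in the release segment
    are dropped so that 5.0 and 5 compare equal, as PEP 440 requires."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    return (tuple(release), int(m.group(2) or 0))


@dataclass(frozen=True)
class Requirement:
    name: str
    specifiers: tuple  # of (operator, parsed version)
    comment: str


def parse_requirement(line):
    """Parse one 'name<specifiers> # comment' line from a requirements file."""
    m = _REQ_RE.match(line)
    if not m:
        raise ValueError(f"not a requirement line: {line!r}")
    name, spec_text, comment = m.group(1), m.group(2), m.group(3) or ""
    specs = []
    for piece in filter(None, (s.strip() for s in spec_text.split(","))):
        sm = _SPEC_RE.match(piece)
        if not sm:
            raise ValueError(f"unsupported specifier {piece!r} in {line!r}")
        specs.append((sm.group(1), parse_version(sm.group(2))))
    return Requirement(name.lower(), tuple(specs), comment.strip())


def satisfies(req, version_text):
    """True if the candidate version meets every specifier of req."""
    v = parse_version(version_text)
    return all(_OPS[op](v, w) for op, w in req.specifiers)


def has_upper_bound(req):
    """True if at least one specifier caps the version (==, <, <=)."""
    return any(op in ("==", "<", "<=") for op, _ in req.specifiers)


def admitted_versions(line, candidates):
    """Which of the candidate versions does this requirement line accept?"""
    req = parse_requirement(line)
    return [c for c in candidates if satisfies(req, c)]


def unbounded_requirements(text):
    """Names of entries in a requirements file that have no upper bound."""
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue  # blank, comment, or pip option such as -r / --hash
        req = parse_requirement(line)
        if not has_upper_bound(req):
            names.append(req.name)
    return names


# Constructed inputs: the three constraint forms discussed in the review and
# a made-up set of candidate releases (including a hypothetical 5.x line).
SNYK_LINE = "django>=4.2.26 # not directly required, pinned by Snyk to avoid a vulnerability"
BOUNDED_LINE = "django>=4.2.26,<5.0 # pinned by Snyk to address security vulnerabilities"
EXACT_LINE = "django==4.2.26"
CANDIDATES = ["3.2.25", "4.2.25", "4.2.26", "4.2.27", "5.0", "5.2.1"]

# Constructed copy of the file as it stands after the PR.
PRODUCTION_TXT = """\
# ------------------------------------------------------------------------------
elastic-apm==6.21.4.post8347027212
django>=4.2.26 # not directly required, pinned by Snyk to avoid a vulnerability
"""

if __name__ == "__main__":
    for line in (SNYK_LINE, BOUNDED_LINE, EXACT_LINE):
        req = parse_requirement(line)
        print(f"{line.split('#')[0].strip():22} capped={has_upper_bound(req)!s:5} "
              f"admits {admitted_versions(line, CANDIDATES)}")
    print("entries without an upper bound:", unbounded_requirements(PRODUCTION_TXT))
```

Run as a script it shows that only the `>=4.2.26` form admits the 5.x candidates, and the lint names `django` as the one entry in the file with no cap. The `.postN` handling is there only so the `elastic-apm` line parses; pre-releases, local versions and `~=` are out of scope for this example.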