[FIX] Bump Django 4.2.1 -> 4.2.30 (LTS) to clear SQLi/DoS Dependabot alerts

[jaseemjaskp]

What

Bumps Django 4.2.1 → 4.2.30 (latest 4.2.x LTS patch). Django was hard-pinned at 4.2.1, so this needs a pyproject.toml change (not just a lock bump) in two places:

• backend/pyproject.toml: django==4.2.1 → django==4.2.30
• pyproject.toml (hook-check-django-migrations group): django==4.2.1 → django==4.2.30
• backend/uv.lock, uv.lock: re-locked

Why

Django 4.2.1 carries a long list of open Dependabot alerts. Moving to the latest 4.2 LTS patch clears them in one step:

• 🔴 critical — SQL injection via _connector kwarg in QuerySet/Q
• high — ASGI header spoofing (underscore/hyphen), DATA_UPLOAD_MAX_MEMORY_SIZE bypass, column-alias SQL injection, HasKey Oracle SQLi, path traversal, plus several DoS advisories (Truncator, intcomma, EmailValidator/URLValidator ReDoS, etc.)

How

• Edited both pins to ==4.2.30, then uv lock --upgrade-package django for backend/ and the root workspace.
• Stayed on the 4.2 LTS line deliberately — no major/minor jump, so Django's backward-compatibility policy applies and regression risk is low.

Can this PR break any existing features. If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled)

Low risk, but this one touches the whole backend so it deserves a full CI/test run before merge.

• Same-minor LTS patch upgrade (4.2.1 → 4.2.30); Django guarantees no breaking changes within a patch series.
• Lock diff is Django-only — no transitive churn. The pinned Django ecosystem still resolves cleanly: django-tenants 3.5.0, djangorestframework 3.14.0, django-celery-beat 2.5.0, asgiref 3.11.1, sqlparse 0.5.5.
• Both locks pass uv lock --check.

Note: a local uv run/import smoke-test could not be run — backend env creation is blocked by an unrelated, pre-existing django-celery-beat==2.5.0 wheel packaging quirk (duplicate ZIP locale entries that uv rejects). This does not affect the Docker build. Runtime verification is left to CI.

Database Migrations

None introduced by this change. (Django's own migrations are unchanged within 4.2.x.)

Env Config

None.

Relevant Docs

Django 4.2 release notes / security releases

Related Issues or PRs

Part of the Dependabot remediation series — follows #2038 (frontend) and #2039 (Python transitive). Authlib + PyMySQL pinned bumps will be a separate PR.

Dependencies Versions

Django 4.2.1 → 4.2.30

Notes on Testing

• uv lock --check on backend/ and root ✓
• Full backend test suite to be validated in CI (local env blocked by the django-celery-beat wheel quirk noted above).

Screenshots

N/A — dependency bump.

Checklist

I have read and understood the Contribution Guidelines.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 026fbcf8-0386-42b2-9713-a8c86dd52bc3

📥 Commits

Reviewing files that changed from the base of the PR and between cafcca7 and 02ecaa1.

⛔ Files ignored due to path filters (2)

• backend/uv.lock is excluded by !**/*.lock
• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (2)

• backend/pyproject.toml
• pyproject.toml

---

Summary by CodeRabbit

• Chores
  • Updated Django framework dependencies to version 4.2.30 in both backend and development configurations to ensure the latest patches and stability improvements are applied across all environments.

Walkthrough

Django version is updated from 4.2.1 to 4.2.30 across two configuration files: the backend project dependencies and the development hook-check-django-migrations dependency group. Both changes coordinate a single upstream version bump.

Changes

Django dependency updates

Layer / File(s)	Summary
Django version bump across project dependencies backend/pyproject.toml, pyproject.toml	Django pinned to 4.2.30 in both the main project dependencies list and the hook-check-django-migrations development dependency group, updated from 4.2.1.

---

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: bumping Django from 4.2.1 to 4.2.30 with the stated purpose of clearing security alerts.
Description check	✅ Passed	The description comprehensively covers all required template sections with detailed information about the changes, rationale, risk assessment, and testing approach.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/dependabot-django

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Unstract test results

Per-group results

Status	Group	Tier	Passed	Failed	Errors	Skipped	Duration (s)
❌	unit-connectors	unit	64	12	0	3	16.9
❌	unit-core	unit	0	0	2	0	1.3
❌	unit-platform-service	unit	9	0	1	0	1.4
✅	unit-prompt-service	unit	15	0	0	0	20.8
✅	unit-rig	unit	53	0	0	0	3.5
✅	unit-runner	unit	11	0	0	0	3.3
✅	unit-sdk1	unit	390	0	0	0	20.8
❌	unit-tool-registry	unit	0	0	1	0	1.4
⚪	unit-workers	unit	0	0	0	0	17.9
	TOTAL		542	12	4	3	87.3

Critical paths

⚠️ Critical paths not yet covered

• auth-login — User can log in and obtain a session cookie. (entry: POST /api/v1/auth/login; declared coverage: no groups declared)
• adapter-register-llm — Register and validate an LLM adapter. (entry: POST /api/v1/adapter/; declared coverage: no groups declared)
• workflow-create-execute — Create a workflow, configure source+destination, execute, poll, fetch result. (entry: POST /api/v1/workflow/{id}/execute/; declared coverage: e2e-workflow)
• api-deployment-run — Deploy a workflow as an API, POST a document, receive structured JSON. (entry: POST /deployment/api/{org}/{name}/; declared coverage: e2e-api-deployment)
• prompt-studio-fetch-response — Prompt Studio: create project, add prompt, run single-pass, get response. (entry: POST /api/v1/prompt-studio/prompt-studio-tool/{id}/fetch_response/; declared coverage: e2e-prompt-studio)
• pipeline-etl-execute — Run an ETL pipeline from source connector to destination. (entry: POST /api/v1/pipeline/{id}/execute/; declared coverage: no groups declared)
• usage-token-tracking — Per-execution token usage is recorded and retrievable. (entry: GET /api/v1/usage/get_token_usage/; declared coverage: no groups declared)
• workflow-execution-fan-out — Multi-file workflow execution fans out to file-processing workers and rejoins. (entry: internal: backend → rabbitmq → workers/file_processing; declared coverage: no groups declared)
• callback-result-delivery — Async results are posted back via the callback worker. (entry: internal: workers/callback → backend /internal endpoints; declared coverage: no groups declared)

✅ Covered critical paths

• tool-sandbox-exec — covered by unit-runner

[greptile-apps]

Greptile Summary

This PR bumps the hard-pinned Django version from 4.2.1 to 4.2.30 across both backend/pyproject.toml and the root pyproject.toml (the hook-check-django-migrations group), with the two corresponding uv.lock files regenerated consistently. The change clears a backlog of Dependabot alerts including a critical SQL-injection CVE and several high-severity DoS/spoofing advisories that existed in the 4.2.1 pin.

• backend/pyproject.toml + backend/uv.lock: Pin updated from django==4.2.1 to django==4.2.30; lock hashes regenerated from PyPI with matching upload-time = \"2026-04-07\".
• pyproject.toml + uv.lock: Same version pin and lock update for the root workspace's hook-check-django-migrations dependency group; both lock files reflect identical sdist/wheel hashes.

Confidence Score: 4/5

Safe to merge as an intermediate step — it applies all available 4.2.x security patches — but a follow-up upgrade to Django 5.2 LTS is necessary before the security remediation is complete.

The change is mechanically correct: both pyproject.toml pins and both lock files are updated consistently, hashes match PyPI, and no transitive dependencies changed. The concern is that Django 4.2 reached end-of-life on April 7, 2026, roughly two months before this PR lands. 4.2.30 is the final-ever release of that branch, so any Django vulnerability disclosed after that date goes unpatched. The PR clears every known Dependabot alert today, but the project will start re-accumulating unpatched CVEs immediately unless a follow-up targets Django 5.2 LTS.

backend/pyproject.toml and pyproject.toml — both need a follow-up bump to django==5.2.x to move off the EOL branch.

Security Review

• Django 4.2 EOL (April 7, 2026): django==4.2.30 is the last-ever patch for the 4.2.x branch. New upstream CVEs disclosed after EOL will not receive backport fixes, leaving the application exposed without further action. Upgrading to Django 5.2 LTS is required to restore a receiving-patches posture.
• No secrets, credentials, or injection surfaces are introduced by this change.
• Lock-file hashes in both uv.lock files match the official PyPI entries for django-4.2.30, confirming supply-chain integrity for this bump.

Important Files Changed

Filename	Overview
backend/pyproject.toml	Single-line Django pin bump from 4.2.1 → 4.2.30; correct and consistent with the lock file, but lands on an EOL release.
pyproject.toml	Django pin updated in the hook-check-django-migrations group to match backend; consistent with root uv.lock.
backend/uv.lock	Django entry updated to 4.2.30 with correct sdist/wheel URLs and SHA-256 hashes from PyPI; no transitive dependency churn.
uv.lock	Root lock file updated identically to backend/uv.lock; hashes match between both lock files.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["Django 4.2.1\n(current pin)"] -->|"This PR"| B["Django 4.2.30\n(4.2 LTS final release)"]
    B --> C{"Django 4.2 EOL\nApril 7, 2026"}
    C -->|"EOL — no future patches"| D["⚠️ Unpatched CVEs\naccumulate"]
    C -->|"Recommended path"| E["Django 5.2 LTS\n(supported → April 2028)"]
    E --> F["✅ Continued\nsecurity patches"]

    style A fill:#f66,color:#fff
    style B fill:#fa0,color:#fff
    style C fill:#f90,color:#fff
    style D fill:#f66,color:#fff
    style E fill:#6b6,color:#fff
    style F fill:#6b6,color:#fff

Loading

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
backend/pyproject.toml:21
**Django 4.2 reached end-of-life on April 7, 2026 — no further security patches will be issued**

According to the [official Django download page](https://www.djangoproject.com/download/), `4.2.30` is both the latest *and the final* release of the 4.2 LTS series — extended support ended on April 7, 2026, which is ~2 months before this PR's merge date. Any new vulnerabilities discovered in Django's core from that point onward will not receive backport patches on the 4.2 branch.

The PR clears all *known* Dependabot alerts in one step, which is valuable. However, landing on an EOL dependency inverts the intent: the project will accumulate unpatched CVEs again as soon as Django discloses its next advisory. The current actively maintained LTS is **Django 5.2** (supported until April 2028, latest `5.2.15`).

A follow-up PR to upgrade to `django==5.2.x` would be the complete remediation — the same-minor patch guarantee cited in the PR description doesn't apply to an EOL branch.

_{Reviews (1): Last reviewed commit: "[FIX] Bump Django 4.2.1 -> 4.2.30 (LTS) ..." | Re-trigger Greptile}

[greptile-apps]

Django 4.2 reached end-of-life on April 7, 2026 — no further security patches will be issued

According to the official Django download page, 4.2.30 is both the latest and the final release of the 4.2 LTS series — extended support ended on April 7, 2026, which is ~2 months before this PR's merge date. Any new vulnerabilities discovered in Django's core from that point onward will not receive backport patches on the 4.2 branch.

The PR clears all known Dependabot alerts in one step, which is valuable. However, landing on an EOL dependency inverts the intent: the project will accumulate unpatched CVEs again as soon as Django discloses its next advisory. The current actively maintained LTS is Django 5.2 (supported until April 2028, latest 5.2.15).

A follow-up PR to upgrade to django==5.2.x would be the complete remediation — the same-minor patch guarantee cited in the PR description doesn't apply to an EOL branch.

Prompt To Fix With AI

This is a comment left during a code review.
Path: backend/pyproject.toml
Line: 21

Comment:
**Django 4.2 reached end-of-life on April 7, 2026 — no further security patches will be issued**

According to the [official Django download page](https://www.djangoproject.com/download/), `4.2.30` is both the latest *and the final* release of the 4.2 LTS series — extended support ended on April 7, 2026, which is ~2 months before this PR's merge date. Any new vulnerabilities discovered in Django's core from that point onward will not receive backport patches on the 4.2 branch.

The PR clears all *known* Dependabot alerts in one step, which is valuable. However, landing on an EOL dependency inverts the intent: the project will accumulate unpatched CVEs again as soon as Django discloses its next advisory. The current actively maintained LTS is **Django 5.2** (supported until April 2028, latest `5.2.15`).

A follow-up PR to upgrade to `django==5.2.x` would be the complete remediation — the same-minor patch guarantee cited in the PR description doesn't apply to an EOL branch.

How can I resolve this? If you propose a fix, please make it concise.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[jaseemjaskp]

PR Review Toolkit — automated pass.

This PR is a dependency-only change (Django 4.2.1 → 4.2.30 across two pyproject.toml pins + two re-locked uv.lock files). It carries no application code, types, comments, or test changes, so the code-focused toolkit agents (Type Design, Silent Failure Hunter, Comment Analyzer, Code Simplifier, PR Test Analyzer) have no surface to review. I instead ran dependency-bump-specific checks:

✅ Pin consistency — both Django pins in the monorepo (backend/pyproject.toml:21, root pyproject.toml:47) and both lock files (uv.lock, backend/uv.lock) are updated to 4.2.30. No stray django==4.2.1 remains anywhere in the repo.
✅ Lock integrity / no transitive churn — each lock diff is exactly 4 lines (the django package block + its requires-dist specifier); asgiref/sqlparse/tzdata are untouched, confirming the "django-only diff" claim.
✅ LTS-line patch upgrade — stays within 4.2.x, so Django's intra-series backward-compat policy applies; security remediation rationale is sound.

One forward-looking compatibility note left inline. (The Django-4.2-EOL concern is already covered by the existing @greptile-apps P1 comment — not re-raised here.)

[jaseemjaskp]

Compatibility note (Low) — multipart file-count limit changed within this jump.

The 4.2.x security series bumped between 4.2.1 and 4.2.30 introduced DATA_UPLOAD_MAX_NUMBER_FILES (default 100), which makes Django raise TooManyFilesSent when a single multipart request carries more than 100 file fields. Django 4.2.1 had no such ceiling.

Unstract has bulk file-upload paths (e.g. Prompt Studio document uploads / ManageDocsModal). If any endpoint accepts >100 files in one multipart/form-data POST, it will start 400-ing after this bump.

Suggested fix / verification: confirm upload endpoints batch ≤100 files per request, or set DATA_UPLOAD_MAX_NUMBER_FILES explicitly in backend/backend/settings/base.py to a value that matches the intended bulk-upload limit. This is the one behavioral change in the 4.2.x range likely to be operationally visible; the rest (ReDoS / SQLi / DoS fixes) are pure hardening with no API change.