From 02ecaa1639d5a4b6d7c9cfd48c2c9e1dcd5b14e2 Mon Sep 17 00:00:00 2001
From: Jaseem Jas
Date: Thu, 11 Jun 2026 20:25:42 +0530
Subject: [PATCH] [FIX] Bump Django 4.2.1 -> 4.2.30 (LTS) to clear SQLi/DoS Dependabot alerts

Django was hard-pinned at 4.2.1 in backend/pyproject.toml and the root hook-check-django-migrations group. Bumps to the latest 4.2.x LTS patch, which clears the critical SQL-injection alert (_connector kwarg) plus the high-severity ASGI header spoofing, DATA_UPLOAD bypass, column-alias SQLi, path traversal and several DoS advisories.

- pyproject.toml / backend/pyproject.toml: django==4.2.1 -> ==4.2.30
- uv.lock, backend/uv.lock: re-locked (django-only diff, no transitive churn)

Verified: both locks pass 'uv lock --check'; pinned Django ecosystem (django-tenants 3.5.0, DRF 3.14.0, django-celery-beat 2.5.0) still resolves. Runtime/test verification deferred to CI (local backend sync is blocked by an unrelated django-celery-beat 2.5.0 wheel packaging quirk).
---
 backend/pyproject.toml | 2 +-
 backend/uv.lock | 8 ++++----
 pyproject.toml | 2 +-
 uv.lock | 8 ++++----
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/backend/pyproject.toml b/backend/pyproject.toml
index 6305b94c90..3321786596 100644
--- a/backend/pyproject.toml
+++ b/backend/pyproject.toml
@@ -18,7 +18,7 @@ dependencies = [
 "celery[amqp]>=5.3.4", # For Celery
 "cron-descriptor==1.4.0", # For cron string description
 "cryptography>=48.0.0",
- "django==4.2.1",
+ "django==4.2.30",
 "djangorestframework==3.14.0",
 "django-cors-headers==4.3.1",
 # Pinning django-celery-beat to avoid build issues
diff --git a/backend/uv.lock b/backend/uv.lock
index 6997c3b82a..26cc4c81f7 100644
--- a/backend/uv.lock
+++ b/backend/uv.lock
@@ -781,16 +781,16 @@ wheels = [
 
 [[package]]
 name = "django"
-version = "4.2.1"
+version = "4.2.30"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
 { name = "asgiref" },
 { name = "sqlparse" },
 { name = "tzdata", marker = "sys_platform == 'win32'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/89/76/23ee9b9d2bd4119e930eb19164732b79c0a4f6259ca198209b0fe36551ea/Django-4.2.1.tar.gz", hash = "sha256:7efa6b1f781a6119a10ac94b4794ded90db8accbe7802281cd26f8664ffed59c", size = 10420051, upload-time = "2023-05-03T12:58:41.313Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/11/b5/f1a53dc68da6429d6e0345bb848161e2381a2e9f02700148911e8582c2b3/django-4.2.30.tar.gz", hash = "sha256:4ebc7a434e3819db6cf4b399fb5b3f536310a30e8486f08b66886840be84b37c", size = 10468707, upload-time = "2026-04-07T14:05:45.57Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/12/13/78e8622180f101e95297965045ff1325ea7301c1b80f756debbeaa84c3be/Django-4.2.1-py3-none-any.whl", hash = "sha256:066b6debb5ac335458d2a713ed995570536c8b59a580005acb0732378d5eb1ee", size = 7988496, upload-time = "2023-05-03T12:58:27.208Z" },
+ { url = "https://files.pythonhosted.org/packages/39/b7/a7c96f239cf91313a6589233fed55111c7063b26683b226802732c455dbc/django-4.2.30-py3-none-any.whl", hash = "sha256:4d07aaf1c62f9984842b67c2874ebbf7056a17be253860299b93ae1881faad65", size = 7997231, upload-time = "2026-04-07T14:05:38.241Z" },
 ]
 
 [[package]]
@@ -3746,7 +3746,7 @@ requires-dist = [
 { name = "cron-descriptor", specifier = "==1.4.0" },
 { name = "croniter", specifier = ">=3.0.3" },
 { name = "cryptography", specifier = ">=48.0.0" },
- { name = "django", specifier = "==4.2.1" },
+ { name = "django", specifier = "==4.2.30" },
 { name = "django-celery-beat", specifier = "==2.5.0" },
 { name = "django-cors-headers", specifier = "==4.3.1" },
 { name = "django-filter", specifier = ">=24.3" },
diff --git a/pyproject.toml b/pyproject.toml
index fd1f325b7d..598cc36d7d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -44,7 +44,7 @@ test-rig = [
 hook-check-django-migrations = [
 "celery>=5.3.4",
 "cron-descriptor==1.4.0",
- "django==4.2.1",
+ "django==4.2.30",
 "djangorestframework==3.14.0",
 # Pinning django-celery-beat to avoid build issues
 "django-celery-beat==2.5.0",
diff --git a/uv.lock b/uv.lock
index 1beb7a74de..482b2f1cdc 100644
--- a/uv.lock
+++ b/uv.lock
@@ -765,16 +765,16 @@ wheels = [
 
 [[package]]
 name = "django"
-version = "4.2.1"
+version = "4.2.30"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
 { name = "asgiref" },
 { name = "sqlparse" },
 { name = "tzdata", marker = "sys_platform == 'win32'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/89/76/23ee9b9d2bd4119e930eb19164732b79c0a4f6259ca198209b0fe36551ea/Django-4.2.1.tar.gz", hash = "sha256:7efa6b1f781a6119a10ac94b4794ded90db8accbe7802281cd26f8664ffed59c", size = 10420051, upload-time = "2023-05-03T12:58:41.313Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/11/b5/f1a53dc68da6429d6e0345bb848161e2381a2e9f02700148911e8582c2b3/django-4.2.30.tar.gz", hash = "sha256:4ebc7a434e3819db6cf4b399fb5b3f536310a30e8486f08b66886840be84b37c", size = 10468707, upload-time = "2026-04-07T14:05:45.57Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/12/13/78e8622180f101e95297965045ff1325ea7301c1b80f756debbeaa84c3be/Django-4.2.1-py3-none-any.whl", hash = "sha256:066b6debb5ac335458d2a713ed995570536c8b59a580005acb0732378d5eb1ee", size = 7988496, upload-time = "2023-05-03T12:58:27.208Z" },
+ { url = "https://files.pythonhosted.org/packages/39/b7/a7c96f239cf91313a6589233fed55111c7063b26683b226802732c455dbc/django-4.2.30-py3-none-any.whl", hash = "sha256:4d07aaf1c62f9984842b67c2874ebbf7056a17be253860299b93ae1881faad65", size = 7997231, upload-time = "2026-04-07T14:05:38.241Z" },
 ]
 
 [[package]]
@@ -3900,7 +3900,7 @@ dev = [
 hook-check-django-migrations = [
 { name = "celery", specifier = ">=5.3.4" },
 { name = "cron-descriptor", specifier = "==1.4.0" },
- { name = "django", specifier = "==4.2.1" },
+ { name = "django", specifier = "==4.2.30" },
 { name = "django-celery-beat", specifier = "==2.5.0" },
 { name = "django-cors-headers", specifier = ">=4.3.1" },
 { name = "django-redis", specifier = "==5.4.0" },