chore(deps): update dependency django to v5.1.5 [security] - autoclosed #13061

renovate-bot · 2025-01-15T03:19:51Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
Django (changelog)	`==3.2.25` -> `==5.1.5`
Django (changelog)	`==4.2.17` -> `==5.1.5`
Django (changelog)	`==5.1.4` -> `==5.1.5`

GitHub Vulnerability Alerts

CVE-2024-56374

An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)

Release Notes

django/django (Django)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

code-review-assist

Hi team,

I'm currently reviewing this pull request and will provide my feedback shortly. In the meantime, here's a summary for you and other reviewers to quickly get up to speed:

This pull request, submitted by Renovate Bot, updates the Django dependency across several requirements.txt files within the python-docs-samples repository. The goal is to address a security vulnerability (CVE-2024-56374) identified in older versions of Django.

Here's a breakdown of the changes:

Intent: Upgrade Django to version 5.1.5 to patch a security vulnerability (CVE-2024-56374) related to IPv6 validation.
Changes: The PR modifies the following files:
- appengine/flexible/django_cloudsql/requirements.txt
- appengine/flexible/hello_world_django/requirements.txt
- appengine/flexible_python37_and_earlier/django_cloudsql/requirements.txt
- appengine/flexible_python37_and_earlier/hello_world_django/requirements.txt
- kubernetes_engine/django_tutorial/requirements.txt
- run/django/requirements.txt
In each file, the Django dependency is updated from various versions (3.2.25, 4.2.17, 5.1.4) to 5.1.5, ensuring consistency and addressing the security issue across all Python versions supported.
Activity: The PR was automatically generated by Renovate Bot and is ready for manual merge after review.

The specific changes in each file are detailed in the diff, but the core change is simply updating the Django version number in the requirements.txt files. The PR also includes release notes and details about the vulnerability.

Here's a little something to brighten your day:

Code flows like a river,
Bugs swim, a testing endeavor,
Fixes make it clear.

Thanks!
Gemini

code-review-assist

This pull request updates the Django dependency to v5.1.5 to address a security vulnerability (CVE-2024-56374). Upgrading to 5.1.5 is the correct approach for versions 5.1.x, 5.0.x, and 4.2.x. However, applying this same update to all versions, including those using 3.2.25, introduces a significant jump across multiple major versions. This can lead to compatibility issues and requires careful consideration.

It's crucial to test this change thoroughly, especially for the applications previously on Django 3.2.25, to ensure compatibility with the substantial changes introduced between these versions. Consider providing a separate upgrade path for the older Django versions, potentially incrementally upgrading to a compatible 4.x version first before jumping to 5.1.5.

chore(deps): update dependency django to v5.1.5 [security]

1df2def

renovate-bot requested review from a team as code owners January 15, 2025 03:19

trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Jan 15, 2025

product-auto-label bot added samples Issues that are directly related to samples. api: appengine Issues related to the App Engine Admin API API. api: container Issues related to the Kubernetes Engine API API. api: run Issues related to the Cloud Run API. labels Jan 15, 2025

code-review-assist bot reviewed Jan 15, 2025

View reviewed changes

blunderbuss-gcf bot assigned jinglundong Jan 15, 2025

kokoro-team removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jan 15, 2025

code-review-assist bot suggested changes Jan 15, 2025

View reviewed changes

renovate-bot changed the title ~~chore(deps): update dependency django to v5.1.5 [security]~~ chore(deps): update dependency django to v5.1.5 [security] - autoclosed Jan 16, 2025

renovate-bot closed this Jan 16, 2025

renovate-bot deleted the renovate/pypi-django-vulnerability branch January 16, 2025 20:21

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency django to v5.1.5 [security] - autoclosed #13061

chore(deps): update dependency django to v5.1.5 [security] - autoclosed #13061

renovate-bot commented Jan 15, 2025

code-review-assist bot left a comment

code-review-assist bot left a comment

chore(deps): update dependency django to v5.1.5 [security] - autoclosed #13061

chore(deps): update dependency django to v5.1.5 [security] - autoclosed #13061

Conversation

renovate-bot commented Jan 15, 2025

GitHub Vulnerability Alerts

Release Notes

Configuration

code-review-assist bot left a comment

Choose a reason for hiding this comment

code-review-assist bot left a comment

Choose a reason for hiding this comment