summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2025-12-03[6.0.x] Bumped version for 6.0 release.6.0Natalia
2025-12-03[6.0.x] Updated man page for Django 6.0.Natalia
2025-12-03[6.0.x] Refs #35859 -- Clarified Tasks ref and topics docs regarding ↵Jacob Walls
available backends. Backport of d3f142f2cd36ba0458cc679397555bd5ee7db744 from main.
2025-12-03[6.0.x] Finalized release notes for Django 6.0.Natalia
Backport of ea4920174e3231ff5b72b3ffb2b20432671047d9 from main.
2025-12-03[6.0.x] Made cosmetic edits to docs/releases/6.0.txt.Adam Johnson
Backport of fe42aa6100a2df4702e2399cffb375dbc986b036 from main.
2025-12-02[6.0.x] Updated translations from Transifex.Natalia
2025-12-02[6.0.x] Refs #35444 -- Fixed typo in PostgreSQL StringAgg deprecation warning.Mariusz Felisiak
2025-12-02[6.0.x] Added CVE-2025-13372 and CVE-2025-64460 to security archive.Natalia
Backport of d0d596042e958809a13b681d7a184ac7b95e0aa3 from main.
2025-12-02[6.0.x] Added stub release notes for 5.2.10.Natalia
Backport of 8d4ec9949aedc11a258d718689550eea61ae8d4c from main.
2025-12-02[6.0.x] Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation ↵Shai Berger
in XML serializer. Previously, `getInnerText()` recursively used `list.extend()` on strings, which added each character from child nodes as a separate list element. On deeply nested XML content, this caused the overall deserialization work to grow quadratically with input size, potentially allowing disproportionate CPU consumption for crafted XML. The fix separates collection of inner texts from joining them, so that each subtree is joined only once, reducing the complexity to linear in the size of the input. These changes also include a mitigation for a xml.dom.minidom performance issue. Thanks Seokchan Yoon (https://ch4n3.kr/) for report. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 50efb718b31333051bc2dcb06911b8fa1358c98c from main.
2025-12-02[6.0.x] Fixed CVE-2025-13372 -- Protected FilteredRelation against SQL ↵Jacob Walls
injection in column aliases on PostgreSQL. Follow-up to CVE-2025-57833. Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak for the reviews. Backport of 5b90ca1e7591fa36fccf2d6dad67cf1477e6293e from main.
2025-12-02[6.0.x] Refs #35444 -- Fixed typo in PostgreSQL StringAgg deprecation warning.Νικόλαος-Διγενής Καραγιάννης
Backport of cb1d2854ed2b13799f2b0cc6e04019df181bacd4 from main
2025-12-01[6.0.x] Fixed #36712 -- Evaluated type annotations lazily in template tag ↵Jacob Walls
registration. Ideally, this will be reverted when an upstream solution is available for https://github.com/python/cpython/issues/141560. Thanks Patrick Rauscher for the report and Augusto Pontes for the first iteration and test. Backport of 34186e731ca20a2344b1f88fd543a854d6b13a00 from main.
2025-12-01[6.0.x] Refs #36743 -- Corrected docstring for DisallowedRedirect.Jacob Walls
Backport of ce36c35e76f82f76cdfa5777456e794d481e5afc from main.
2025-12-01[6.0.x] Closed temporary files in ↵Jacob Walls
OverwritingStorageTests.test_save_overwrite_behavior_temp_file(). Backport of a08f1693f37e9aae9eca395020cce0638cb5aa5f from main.
2025-12-01[6.0.x] Refs #35535 -- Used intended decorator in ↵Jacob Walls
test_simple_block_tag_parens(). Backport of e94b19f6abdda70689aa17e399ce5fdef7897674 from main.
2025-11-30[6.0.x] Added link to Python Pickle documentation in docs/topics/cache.txt.Rida Zouga
Co-authored-by: Rida Zouga <ridazouga@gmail.com> Backport of 3ea0195ca57790d7bd6921ecaa32312eabec78d0 from main
2025-11-27[6.0.x] Fixed outdated redis-py link in cache docs.Bruno Alla
Backport of 7b32485ee98edf7e8b94ad9c8acdccee562bf216 from main
2025-11-27[6.0.x] Highlighted community package upgrade utilities in ↵Tim Schilling
docs/howto/upgrade-version.txt. Backport of bd7940982d6cab386dae7698ab097b91e5d8145e from main.
2025-11-26[6.0.x] Included usage of new scripts in ↵Natalia
docs/internals/howto-release-django.txt. Backport of 60b08ad5e1701b1a9b2a03e5897670d5af32d379 from main.
2025-11-26[6.0.x] Added script to archive EOL stable branches.Natalia
This also fixed a small bash issue in `confirm_release.sh` script. Backport of 532c1058a7dd2616181259c94eb92f2477038d2c from main.
2025-11-26[6.0.x] Refs #36743 -- Added missing release notes for 5.1.15 and 4.2.27.Natalia
The fix landed in a8cf8c292cfee98fe6cc873ca5221935f1d02271 will be backported to 5.1 and 4.2 since the 2048 limit was rolled out as part of the security release for CVE-2025-64458. Backport of 18b13cf6c48ff0a20b2a74d3b90d1fc1602608e4 from main.
2025-11-26[6.0.x] Fixed #36743 -- Increased URL max length enforced in ↵varunkasyap
HttpResponseRedirectBase. Refs CVE-2025-64458. The previous limit of 2048 characters reused the URLValidator constant and proved too restrictive for legitimate redirects to some third-party services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH` constant (defaulting to 16384) and uses it in HttpResponseRedirectBase. Thanks Jacob Walls for report and review. Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
2025-11-26[6.0.x] Fixed #31506 -- Clarified that ExpressionWrapper does not perform ↵Cha Hwa Young
database casts. Added warning in DateField documentation about type differences when using timedelta on PostgreSQL and MySQL. Mentioned Cast() and integer arithmetic solutions. Backport of 55af4749b9a48b2978e893e7d7be313c0b2abdb1 from main.
2025-11-26[6.0.x] Added timeout-minutes directive to all GitHub Actions workflows.Natalia
GitHub Actions defaults to a 360-minute (6-hour) timeout. We've had jobs hang due to issues in the parallel test runner, causing them to run for the full 6 hours. This wastes resources and negatively impacts CI availability, so explicit timeouts have been added to prevent long-running hangs. Backport of e48527f91d341c85a652499a5baaf725d36ae54f from main.
2025-11-25[6.0.x] Added stub release notes and release date for 5.2.9, 5.1.15, and 4.2.27.Natalia
Backport of d62e811acfc6a056e847bfcc460092a98511ed00 from main.
2025-11-24[6.0.x] Corrected assertions for True/False results in ↵Jake Howard
tests/auth_tests/test_handlers.py. Backport of d08ae991a83950aba5043f5a34f5af12d2effe9e from main.
2025-11-24[6.0.x] Fixed #36751 -- Fixed empty filtered aggregation crash over ↵Simon Charette
annotated queryset. Regression in b8e5a8a9a2a767f584cbe89a878a42363706f939. Refs #36404. The replace_expressions method was innapropriately dealing with falsey but not None source expressions causing them to also be potentially evaluated when __bool__ was invoked (e.g. QuerySet.__bool__ evaluates the queryset). The changes introduced in b8e5a8a9a2, which were to deal with a similar issue, surfaced the problem as aggregation over an annotated queryset requires an inlining (or pushdown) of aggregate references which is achieved through replace_expressions. In cases where an empty Q object was provided as an aggregate filter, such as when the admin facetting feature was used as reported, it would wrongly be turned into None, instead of an empty WhereNode, causing a crash at aggregate filter compilation. Note that the crash signature differed depending on whether or not the backend natively supports aggregate filtering (supports_aggregate_filter_clause) as the fallback, which makes use Case / When expressions, would result in a TypeError instead of a NoneType AttributeError. Thanks Rafael Urben for the report, Antoliny and Youngkwang Yang for the triage. Backport of 2a6e0bd72d4a69725b957d6748a4b834f21b12b5 from main
2025-11-21[6.0.x] Configured dangerous-triggers zizmor rule.Jacob Walls
Backport of 846613e521104fa2f2e1c2023e4a1a9886a2ff48 from main.
2025-11-21[6.0.x] Addressed unpinned-uses zizmor finding.Jacob Walls
Backport of 86b8058b40145fb5ba4fd859676225f533eca986 from main.
2025-11-21[6.0.x] Simplified actions after applying zizmor auto-fixes.Jacob Walls
Backport of 08f4901b3fd3f352ef9cea830d000aee73152556 from main.
2025-11-21[6.0.x] Applied auto-fixes from zizmor findings.Jacob Walls
Backport of e8958c4690faef27b6715524ecb5c49c3ecb6a09 from main.
2025-11-21[6.0.x] Added GitHub Actions linter (zizmor).Jacob Walls
At the direction of the Security Team. Thanks Markus Holtermann, Jake Howard, and Natalia Bidart for reviews. Backport of 09d4bf5cd9c95c588d3ec22edea5db1f5f146900 from main.
2025-11-21[6.0.x] Added scripts for building and releasing Django artifacts.Natalia
Backport of a523d5c8336f5f7f5e24a1cc8034ce65aedec3c6 from main.
2025-11-21[6.0.x] Skipped scripts/ folder from built release artifacts.Natalia
Backport of 971c76f735d2d61051d887b62a244d743794699a from main.
2025-11-20[6.0.x] Added missing ticket links in docs/releases/5.2.8.txt.Jacob Walls
Backport of 8ce3e1f9d0cdfdcba91e7e544804fa33f6fa9177 from main.
2025-11-20[6.0.x] Fixed #36748 -- Filtered non-standard placeholders from UNNEST queries.Chris Wesseling
Backport of 5834643f43a767fe19f2c6d10217b204e7584ec8 from main.
2025-11-20[6.0.x] Ensured that Sitemap.items is described as a method in ↵nessita
docs/ref/contrib/sitemaps.txt. Backport of ee2e0e202874db31449d3c7c292504652fa87f69 from main.
2025-11-19[6.0.x] Bumped version for 6.0 release candidate 1 release.6.0rc1Natalia
2025-11-18[6.0.x] Fixed #36733 -- Escaped attributes in Stylesheet.__str__().varunkasyap
Thanks Mustafa Barakat for the report, Baptiste Mispelon for the triage, and Jake Howard for the review. Backport of e05f2a75695b5f5faa7682d4053db4776d4d6f93 from main.
2025-11-18[6.0.x] Fixed #36141 -- Checked for applied replaced migrations recursively.Georgi Yanchev
Regression in 64b1ac7292c72d3551b2ad70b2a78c8fe4af3249. Backport of b07298a73a8d444b3618aad8005055bee5ead8cb from main.
2025-11-17[6.0.x] Fixed #26379 -- Doc'd that the first filter() on a many-to-many ↵Annabelle Wiegart
relation is sticky. Backport of 3c005b5f79bf6d71f3f4c3692ed670e1722b0fb6 from main.
2025-11-13[6.0.x] Fixed #36686 -- Clarified Meta.ordering is ignored in GROUP BY queries.Kasyap Pentamaraju
Backport of 7e765a68598b2b798e49bf1f4b431a7bcac085a4 from main.
2025-11-13[6.0.x] Fixed #36730 -- Fixed constraint validation crash for excluded FK ↵Adam Johnson
attnames. Regression in e44e8327d3d88d86895735c0e427102063ff5b55. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> Backport of abfa4619fb818ff694c22e962a280673e085239e from main
2025-11-10[6.0.x] Fixed typo in docs/ref/databases.txt.Clifford Gama
Backport of 2b0f24e6223bf7e294fba63741f58eb7b0bf49ff from main.
2025-11-10Refs #36680 -- Avoided manipulating PATH in AdminScriptTestCase.Jacob Walls
This mostly reverts 6436ec321073bf0622af815e0af08f54c97f9b30, which was fragile. Instead, if black is present, we use it to format the expected and actual results, instead of hard-coding the expected formatted value. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-11-10[6.0.x] Fixed unsafe variable interpolation in GitHub Action workflow.Markus Holtermann
Thank you Davide Netti for the report and initial patch. Co-authored-by: Davide Netti <davide.netti4@gmail.com> Backport of 01c70ba14899409e86dc3f6c6bcae0afc48094e7 from main.
2025-11-10[6.0.x] Clarified "get_db_prep_value" default result in ↵Clifford Gama
docs/ref/models/fields.txt. Backport of c135be349ddd9fd71b15d4b20e7fc46814e4ca7c from main.
2025-11-10[6.0.x] Clarified EmailValidator docs to specify it validates an email address.Hong Xu
Updated the EmailValidator docs in docs/ref/validators.txt to explicitly state that it validates an email address, to avoid confusion with validating email message content. Backport of a4f76741340fb23566795e83f830a3f2d49acce0 from main.
2025-11-06[6.0.x] Removed community packages admonition from settings docs.Tim Schilling
Backport of 5ef870fbc5a65cce65b42a8f9cdb208a32d3dd31 from main.
generated by cgit v1.3 (git 2.53.0) at 2026-06-30 19:19:05 +0000