summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-06-03Refs #36499 -- Added coverage for non-UTC TIME_ZONE with Trunc().Jacob Walls
2026-06-03Fixed #34699 -- Added examples of database comparisons against ↵wesley
Extract()/Trunc().
2026-06-03Added CVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193, and ↵Natalia
CVE-2026-48587 to security archive.
2026-06-03Added stub release notes for 6.0.7.Natalia
2026-06-03Fixed CVE-2026-48587 -- Ignored whitespace padding when checking Vary header ↵Jake Howard
values. Thanks to Navid Rezazadeh for the report and Jacob Walls for review.
2026-06-03Fixed CVE-2026-35193 -- Varied on Authorization when caching non-public ↵Jacob Walls
responses. Thanks Shai Berger for the report, and Natalia Bidart and Sarah Boyce for reviews.
2026-06-03Fixed CVE-2026-8404 -- Used Cache-Control directives case-insensitively in ↵Jake Howard
UpdateCacheMiddleware. Thanks Ahmed Badawe for the report, and Jacob Walls for reviews.
2026-06-03Fixed CVE-2026-7666 -- Delayed setting SMTP connection until fully configured.Jake Howard
Thanks Kasper Dupont for the report, and Jacob Walls and Natalia Bidart for reviews.
2026-06-03Fixed CVE-2026-6873 -- Prevented signed cookie salt namespace collisions.Paul McMillan
Made signed cookies derive their signer namespace from an injective encoding of `(name, salt)` while preserving compatibility with legacy `name + salt` cookies behind SIGNED_COOKIE_LEGACY_SALT_FALLBACK. Thanks Peng Zhou for the report, and Shai Berger, Markus Holterman, Jake Howard, and Paul McMillan for reviews. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-06-02Updated source translation catalogs.Jacob Walls
Forwardport of fcbbb1f920f7a7efb16a9871e8905b743447a939 from stable/6.1.x
2026-06-02Updated translations from Transifex.Jacob Walls
Forwardport of dd895d6268f1dd544a565a321cb4527ca3ca1173 from stable/6.0.x.
2026-06-02Made PR quality check require tickets for new contributors.Jacob Walls
Agents are already abusing the exception for small pull requests by mixing in unrelated typo fixes with their code changes for unreviewed tickets and removing mention of said ticket.
2026-06-02Refs #36439 -- Added missing thread_sensitive=False to dummy password hasher ↵Jacob Walls
path. The existing user path also uses thread_sensitive=False in acheck_password(). Follow-up to 7f66c3b41f0fb0fb938d7b96e20a28dccdaa2ecd.
2026-06-02Fixed #37103 -- Made HttpRequest.body handle malformed CONTENT_LENGTH.Lier0102
2026-06-01Fixed #28800 -- Added a listurls management command.Chris Rose
Thanks JaeHyuck Sa, Jacob Walls, and Tim McCurrach for reviews. Co-authored-by: Ülgen Sarıkavak <ulgensrkvk@gmail.com>
2026-06-01Refs #28800 -- Handled escaped literals in simplify_regex().Jacob Walls
2026-06-01Refs #28800 -- Lifted some url functions from admindocs into urls.utils.Chris Rose
2026-06-01Updated translations from Transifex.Jacob Walls
Forwardport of 9969df4f360221fc408da1604f0369f7594a1818 from stable/6.0.x.
2026-06-01Fixed #36436 -- Made CookieStorage.signer attribute private.Skyiesac
Co-authored-by: Sohail Ahmad <sohailahmed34280@gmail.com>
2026-06-01Fixed #37119 -- Clarified middleware ordering note for nonce access.vishwa
2026-06-01Fixed #37108 -- Made DjangoJSONEncoder consistently omit .000 microseconds.Aaryan P
2026-05-29Refs #35514 -- Improved docs for MAILERS setting and mailers migration guide.Natalia
Thanks Mike Edmunds for flagging these issues and for the review.
2026-05-29Downgraded node to 24.15.0 in Github Actions configuration.Jacob Walls
See https://github.com/puppeteer/puppeteer/issues/15071
2026-05-28Removed unnecessary direct dev dependency on puppeteer.Jacob Walls
Checked the PR discussion, and this was added in an attempt to pin the version of puppeteer, but this would have been done with adding an `overrides` entry, not by adding a direct dependency. Bug in d407340e7f8463ee885aaa37789d8aef657b73f5.
2026-05-28Fixed #36225 -- Coped with lack of get_by_natural_key() in createsuperuser.babbitt
2026-05-27Fixed #35596 -- Removed mention of unlimited results from QuerySet.get().CodeQuiver
Obsolete since 330638b89f14e1fb06e9d313ccc9768ae167c53f.
2026-05-27Updated links to severity levels in release notes.Jacob Walls
2026-05-27Fixed #37019 -- Updated login() and logout() to set request.auser.vishwa
2026-05-27Fixed #36905 -- Deprecated the safe parameter of JSONResponse.Tim Harris
Peer frameworks have long since dropped their analogous checks for this vulnerability that was fixed in ES5.
2026-05-27Refactored release script to support testing in isolation.Natalia
Extracted helpers (get_commit_hash, parse_major_version, find_release_artifacts, create_checksum_file) and isolated all code with side-effects in main() guarded by __name__ == "__main__", allowing the module to be imported without starting the release process. Added tests for the new helpers in scripts/tests.py. Thanks Jacob Walls for the review and IRL test.
2026-05-27Included commit hash in checksum file when building artifacts for release.Natalia
2026-05-27Fixed #37065 -- Doc'd method_decorator usage on dispatch for async views.Carlton Gibson
2026-05-27Added stub release notes and release date for 6.0.6 and 5.2.15.Natalia
2026-05-26Bumped versions in Github actions configuration.Jacob Walls
2026-05-26Used Node.js 24 for GitHub actions.Jacob Walls
2026-05-26Removed version numbers from example tox -l output.Jacob Walls
2026-05-26Bumped versions in pre-commit and npm configurations.Jacob Walls
2026-05-26Refs #35514 -- Removed specific Django versions from outside deprecated blocks.Natalia
This follows the contributing guidelines that state: [...] Avoid referring to a specific version of Django outside a ``deprecated`` block. Even inside a block, it's often redundant to do so as these annotations render as "Deprecated since version A.B".
2026-05-26Refs #35870 -- Moved deprecated notice at the bottom for USE_BLANK_CHOICE_DASH.Natalia
Also expended a bit on details for the setting so readers know what is it about.
2026-05-26Fixed #37116 -- Explained why a code is useful in a ValidationError.Arthur Vuillard
2026-05-25Corrected indentation in topics/http/shortcuts.txt.Mariusz Felisiak
2026-05-24Added advancing deprecations to preparing for next release instructions.Sarah Boyce
2026-05-24Corrected code-block indenting in docs/internals/howto-release-django.txt.Sarah Boyce
2026-05-24Removed hardcoded Site pks.Tim Graham
2026-05-24Removed integer pk assumption in AdminCustomQuerysetTest.Tim Graham
2026-05-22Fixed #37117 -- Used ModelAdmin.get_queryset() for change form actions.Natalia
Refs #37105, #12090.
2026-05-22Fixed #37100 -- Prevented control characters in HttpResponse reason_phrase.Varun Kasyap
2026-05-21Fixed #37088 -- Included attributes in media object equality.Johannes Maron
Since in the majority of cases the `MediaAsset.attributes` will be empty or small, there's only a tiny performance penalty. However, the accidental use of the `path` property caused a 1_000x performacne degredation (N=1_000_000).
2026-05-20Increased the default PBKDF2 iterations for Django 6.2.Sarah Boyce
2026-05-20Advanced deprecation warnings for Django 6.2.Sarah Boyce