| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2026-06-03 | Refs #36499 -- Added coverage for non-UTC TIME_ZONE with Trunc(). | Jacob Walls | |
| 2026-06-03 | Fixed #34699 -- Added examples of database comparisons against ↵ | wesley | |
| Extract()/Trunc(). | |||
| 2026-06-03 | Added CVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193, and ↵ | Natalia | |
| CVE-2026-48587 to security archive. | |||
| 2026-06-03 | Added stub release notes for 6.0.7. | Natalia | |
| 2026-06-03 | Fixed CVE-2026-48587 -- Ignored whitespace padding when checking Vary header ↵ | Jake Howard | |
| values. Thanks to Navid Rezazadeh for the report and Jacob Walls for review. | |||
| 2026-06-03 | Fixed CVE-2026-35193 -- Varied on Authorization when caching non-public ↵ | Jacob Walls | |
| responses. Thanks Shai Berger for the report, and Natalia Bidart and Sarah Boyce for reviews. | |||
| 2026-06-03 | Fixed CVE-2026-8404 -- Used Cache-Control directives case-insensitively in ↵ | Jake Howard | |
| UpdateCacheMiddleware. Thanks Ahmed Badawe for the report, and Jacob Walls for reviews. | |||
| 2026-06-03 | Fixed CVE-2026-7666 -- Delayed setting SMTP connection until fully configured. | Jake Howard | |
| Thanks Kasper Dupont for the report, and Jacob Walls and Natalia Bidart for reviews. | |||
| 2026-06-03 | Fixed CVE-2026-6873 -- Prevented signed cookie salt namespace collisions. | Paul McMillan | |
| Made signed cookies derive their signer namespace from an injective encoding of `(name, salt)` while preserving compatibility with legacy `name + salt` cookies behind SIGNED_COOKIE_LEGACY_SALT_FALLBACK. Thanks Peng Zhou for the report, and Shai Berger, Markus Holterman, Jake Howard, and Paul McMillan for reviews. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> | |||
| 2026-06-02 | Updated source translation catalogs. | Jacob Walls | |
| Forwardport of fcbbb1f920f7a7efb16a9871e8905b743447a939 from stable/6.1.x | |||
| 2026-06-02 | Updated translations from Transifex. | Jacob Walls | |
| Forwardport of dd895d6268f1dd544a565a321cb4527ca3ca1173 from stable/6.0.x. | |||
| 2026-06-02 | Made PR quality check require tickets for new contributors. | Jacob Walls | |
| Agents are already abusing the exception for small pull requests by mixing in unrelated typo fixes with their code changes for unreviewed tickets and removing mention of said ticket. | |||
| 2026-06-02 | Refs #36439 -- Added missing thread_sensitive=False to dummy password hasher ↵ | Jacob Walls | |
| path. The existing user path also uses thread_sensitive=False in acheck_password(). Follow-up to 7f66c3b41f0fb0fb938d7b96e20a28dccdaa2ecd. | |||
| 2026-06-02 | Fixed #37103 -- Made HttpRequest.body handle malformed CONTENT_LENGTH. | Lier0102 | |
| 2026-06-01 | Fixed #28800 -- Added a listurls management command. | Chris Rose | |
| Thanks JaeHyuck Sa, Jacob Walls, and Tim McCurrach for reviews. Co-authored-by: Ülgen Sarıkavak <ulgensrkvk@gmail.com> | |||
| 2026-06-01 | Refs #28800 -- Handled escaped literals in simplify_regex(). | Jacob Walls | |
| 2026-06-01 | Refs #28800 -- Lifted some url functions from admindocs into urls.utils. | Chris Rose | |
| 2026-06-01 | Updated translations from Transifex. | Jacob Walls | |
| Forwardport of 9969df4f360221fc408da1604f0369f7594a1818 from stable/6.0.x. | |||
| 2026-06-01 | Fixed #36436 -- Made CookieStorage.signer attribute private. | Skyiesac | |
| Co-authored-by: Sohail Ahmad <sohailahmed34280@gmail.com> | |||
| 2026-06-01 | Fixed #37119 -- Clarified middleware ordering note for nonce access. | vishwa | |
| 2026-06-01 | Fixed #37108 -- Made DjangoJSONEncoder consistently omit .000 microseconds. | Aaryan P | |
| 2026-05-29 | Refs #35514 -- Improved docs for MAILERS setting and mailers migration guide. | Natalia | |
| Thanks Mike Edmunds for flagging these issues and for the review. | |||
| 2026-05-29 | Downgraded node to 24.15.0 in Github Actions configuration. | Jacob Walls | |
| See https://github.com/puppeteer/puppeteer/issues/15071 | |||
| 2026-05-28 | Removed unnecessary direct dev dependency on puppeteer. | Jacob Walls | |
| Checked the PR discussion, and this was added in an attempt to pin the version of puppeteer, but this would have been done with adding an `overrides` entry, not by adding a direct dependency. Bug in d407340e7f8463ee885aaa37789d8aef657b73f5. | |||
| 2026-05-28 | Fixed #36225 -- Coped with lack of get_by_natural_key() in createsuperuser. | babbitt | |
| 2026-05-27 | Fixed #35596 -- Removed mention of unlimited results from QuerySet.get(). | CodeQuiver | |
| Obsolete since 330638b89f14e1fb06e9d313ccc9768ae167c53f. | |||
| 2026-05-27 | Updated links to severity levels in release notes. | Jacob Walls | |
| 2026-05-27 | Fixed #37019 -- Updated login() and logout() to set request.auser. | vishwa | |
| 2026-05-27 | Fixed #36905 -- Deprecated the safe parameter of JSONResponse. | Tim Harris | |
| Peer frameworks have long since dropped their analogous checks for this vulnerability that was fixed in ES5. | |||
| 2026-05-27 | Refactored release script to support testing in isolation. | Natalia | |
| Extracted helpers (get_commit_hash, parse_major_version, find_release_artifacts, create_checksum_file) and isolated all code with side-effects in main() guarded by __name__ == "__main__", allowing the module to be imported without starting the release process. Added tests for the new helpers in scripts/tests.py. Thanks Jacob Walls for the review and IRL test. | |||
| 2026-05-27 | Included commit hash in checksum file when building artifacts for release. | Natalia | |
| 2026-05-27 | Fixed #37065 -- Doc'd method_decorator usage on dispatch for async views. | Carlton Gibson | |
| 2026-05-27 | Added stub release notes and release date for 6.0.6 and 5.2.15. | Natalia | |
| 2026-05-26 | Bumped versions in Github actions configuration. | Jacob Walls | |
| 2026-05-26 | Used Node.js 24 for GitHub actions. | Jacob Walls | |
| 2026-05-26 | Removed version numbers from example tox -l output. | Jacob Walls | |
| 2026-05-26 | Bumped versions in pre-commit and npm configurations. | Jacob Walls | |
| 2026-05-26 | Refs #35514 -- Removed specific Django versions from outside deprecated blocks. | Natalia | |
| This follows the contributing guidelines that state: [...] Avoid referring to a specific version of Django outside a ``deprecated`` block. Even inside a block, it's often redundant to do so as these annotations render as "Deprecated since version A.B". | |||
| 2026-05-26 | Refs #35870 -- Moved deprecated notice at the bottom for USE_BLANK_CHOICE_DASH. | Natalia | |
| Also expended a bit on details for the setting so readers know what is it about. | |||
| 2026-05-26 | Fixed #37116 -- Explained why a code is useful in a ValidationError. | Arthur Vuillard | |
| 2026-05-25 | Corrected indentation in topics/http/shortcuts.txt. | Mariusz Felisiak | |
| 2026-05-24 | Added advancing deprecations to preparing for next release instructions. | Sarah Boyce | |
| 2026-05-24 | Corrected code-block indenting in docs/internals/howto-release-django.txt. | Sarah Boyce | |
| 2026-05-24 | Removed hardcoded Site pks. | Tim Graham | |
| 2026-05-24 | Removed integer pk assumption in AdminCustomQuerysetTest. | Tim Graham | |
| 2026-05-22 | Fixed #37117 -- Used ModelAdmin.get_queryset() for change form actions. | Natalia | |
| Refs #37105, #12090. | |||
| 2026-05-22 | Fixed #37100 -- Prevented control characters in HttpResponse reason_phrase. | Varun Kasyap | |
| 2026-05-21 | Fixed #37088 -- Included attributes in media object equality. | Johannes Maron | |
| Since in the majority of cases the `MediaAsset.attributes` will be empty or small, there's only a tiny performance penalty. However, the accidental use of the `path` property caused a 1_000x performacne degredation (N=1_000_000). | |||
| 2026-05-20 | Increased the default PBKDF2 iterations for Django 6.2. | Sarah Boyce | |
| 2026-05-20 | Advanced deprecation warnings for Django 6.2. | Sarah Boyce | |
