summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2025-12-05Fixed #36367 -- Added a label to the date_hierarchy in admin changelist.Chaitanya
Thanks Sarah Boyce for the implementation idea.
2025-12-04Added DatabaseFeatures.prohibits_dollar_signs_in_column_aliases.Tim Graham
This is also applicable on CockroachDB.
2025-12-04Fixed #36620 -- Fixed workflow to summarize coverage in PRs.saurabh
Follow-up to a89183e63844a937aacd3ddb73c4952ef869d2cc, which was reverted in e4c4a178aa642f8493b7ae2c0ad58527af51f67e because a change to the workflow trigger resulted in the PR branch not being checked out. We used this opportunity to reimplement the coverage tracing and coverage commenting in a two-workflow pattern with more granular permissions. To reduce duplicative workflows, we removed the existing python test workflow on PRs, at least until we run more distinct configurations on GitHub actions. The run with coverage tracing enabled is sufficient for now. The existing workflow still runs on pushes to main. We can revisit when adding more test configurations.
2025-12-04Fixed #36744 -- Improved scrypt password hasher docs.Dmitry Chestnykh
- Corrected work_factor description and its requirements. - Added block_size description. - Changed parallelism description to mention computations, rather than threads (currently it's not multithreaded.) - For all of the above, added standard scrypt terminology (N, r, p). - Mentioned that in multithreaded implementations, parallelism also influences the memory requirements.
2025-12-03Closed pool when parallel test runner encounters unpicklable exceptions.Jacob Walls
2025-12-03Fixed #35729 -- Enabled natural key serialization opt-out for subclasses.rimi0108
Refactored serialization logic to allow models inheriting a natural_key() method (e.g. AbstractBaseUser) to explicitly opt out of natural key serialization by returning an empty tuple from the method. Thanks Jonas Dittrich for the report. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2025-12-03Refs #36520 -- Removed release note for refactored `parse_header_parameters`.Jake Howard
2025-12-03Added stub release notes for 6.0.1.Natalia
2025-12-03Refs #35859 -- Clarified Tasks ref and topics docs regarding available backends.Jacob Walls
2025-12-03Finalized release notes for Django 6.0.Natalia
2025-12-03Made cosmetic edits to docs/releases/6.0.txt.Adam Johnson
2025-12-03Fixed #36280 -- Replaced exception checks with assertRaisesMessage().Skyiesac
2025-12-02Updated translations from Transifex.Natalia
Forwardport of 00575b79312c719a6b37035067095e2d679bb5d7 from stable/6.0.x.
2025-12-02Added CVE-2025-13372 and CVE-2025-64460 to security archive.Natalia
2025-12-02Added stub release notes for 5.2.10.Natalia
2025-12-02Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation in XML ↵Shai Berger
serializer. Previously, `getInnerText()` recursively used `list.extend()` on strings, which added each character from child nodes as a separate list element. On deeply nested XML content, this caused the overall deserialization work to grow quadratically with input size, potentially allowing disproportionate CPU consumption for crafted XML. The fix separates collection of inner texts from joining them, so that each subtree is joined only once, reducing the complexity to linear in the size of the input. These changes also include a mitigation for a xml.dom.minidom performance issue. Thanks Seokchan Yoon (https://ch4n3.kr/) for report. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-12-02Fixed CVE-2025-13372 -- Protected FilteredRelation against SQL injection in ↵Jacob Walls
column aliases on PostgreSQL. Follow-up to CVE-2025-57833. Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak for the reviews.
2025-12-02Refs #35444 -- Fixed typo in PostgreSQL StringAgg deprecation warning.Νικόλαος-Διγενής Καραγιάννης
2025-12-01Fixed #36712 -- Evaluated type annotations lazily in template tag registration.Jacob Walls
Ideally, this will be reverted when an upstream solution is available for https://github.com/python/cpython/issues/141560. Thanks Patrick Rauscher for the report and Augusto Pontes for the first iteration and test.
2025-12-01Refs #36743 -- Corrected docstring for DisallowedRedirect.Jacob Walls
2025-12-01Refs #35535 -- Used intended decorator in test_simple_block_tag_parens().Jacob Walls
2025-11-30Added link to Python Pickle documentation in docs/topics/cache.txt.Rida Zouga
Co-authored-by: Rida Zouga <ridazouga@gmail.com>
2025-11-27Fixed outdated redis-py link in cache docs.Bruno Alla
2025-11-27Highlighted community package upgrade utilities in ↵Tim Schilling
docs/howto/upgrade-version.txt.
2025-11-27Reduced subjective tone and improved clarity in docs/howto/upgrade-version.txt.Natalia
2025-11-26Included usage of new scripts in docs/internals/howto-release-django.txt.Natalia
2025-11-26Added script to archive EOL stable branches.Natalia
This also fixed a small bash issue in `confirm_release.sh` script.
2025-11-26Refs #36743 -- Added missing release notes for 5.1.15 and 4.2.27.Natalia
The fix landed in a8cf8c292cfee98fe6cc873ca5221935f1d02271 will be backported to 5.1 and 4.2 since the 2048 limit was rolled out as part of the security release for CVE-2025-64458.
2025-11-26Fixed #36743 -- Increased URL max length enforced in HttpResponseRedirectBase.varunkasyap
Refs CVE-2025-64458. The previous limit of 2048 characters reused the URLValidator constant and proved too restrictive for legitimate redirects to some third-party services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH` constant (defaulting to 16384) and uses it in HttpResponseRedirectBase. Thanks Jacob Walls for report and review.
2025-11-26Refs #36619 -- Included third-party licenses with vendored eslint ↵Jacob Walls
configuration files.
2025-11-26Fixed #31506 -- Clarified that ExpressionWrapper does not perform database ↵Cha Hwa Young
casts. Added warning in DateField documentation about type differences when using timedelta on PostgreSQL and MySQL. Mentioned Cast() and integer arithmetic solutions.
2025-11-26Added timeout-minutes directive to all GitHub Actions workflows.Natalia
GitHub Actions defaults to a 360-minute (6-hour) timeout. We've had jobs hang due to issues in the parallel test runner, causing them to run for the full 6 hours. This wastes resources and negatively impacts CI availability, so explicit timeouts have been added to prevent long-running hangs.
2025-11-26Closed temporary files in ↵Jacob Walls
OverwritingStorageTests.test_save_overwrite_behavior_temp_file().
2025-11-25Reverted "Fixed #36620 -- Added coverage workflow to summarize coverage in ↵Natalia
pull requests." This reverts commit a89183e63844a937aacd3ddb73c4952ef869d2cc.
2025-11-25Added stub release notes and release date for 5.2.9, 5.1.15, and 4.2.27.Natalia
2025-11-25Fixed #36756 -- Dropped support for GDAL 3.1 and 3.2.Mariusz Felisiak
2025-11-25Fixed #35783 -- Added NumDimensions GIS database function and ↵David Smith
__num_dimensions lookup.
2025-11-25Refs #21961 -- Added required_db_features to delete's RelatedDbOptionParent.Tim Graham
2025-11-24Fixed #36738 -- Confirmed support for GDAL 3.12.Varun Kasyap Pentamaraju
Thanks David Smith for reviews.
2025-11-24Corrected assertions for True/False results in ↵Jake Howard
tests/auth_tests/test_handlers.py.
2025-11-24Fixed #36751 -- Fixed empty filtered aggregation crash over annotated queryset.Simon Charette
Regression in b8e5a8a9a2a767f584cbe89a878a42363706f939. Refs #36404. The replace_expressions method was innapropriately dealing with falsey but not None source expressions causing them to also be potentially evaluated when __bool__ was invoked (e.g. QuerySet.__bool__ evaluates the queryset). The changes introduced in b8e5a8a9a2, which were to deal with a similar issue, surfaced the problem as aggregation over an annotated queryset requires an inlining (or pushdown) of aggregate references which is achieved through replace_expressions. In cases where an empty Q object was provided as an aggregate filter, such as when the admin facetting feature was used as reported, it would wrongly be turned into None, instead of an empty WhereNode, causing a crash at aggregate filter compilation. Note that the crash signature differed depending on whether or not the backend natively supports aggregate filtering (supports_aggregate_filter_clause) as the fallback, which makes use Case / When expressions, would result in a TypeError instead of a NoneType AttributeError. Thanks Rafael Urben for the report, Antoliny and Youngkwang Yang for the triage.
2025-11-23Refs #21961 -- Added DatabaseFeatures.supports_on_delete_db_(cascade/null) ↵Tim Graham
feature flags. Needed on MongoDB. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2025-11-22Removed outdated build guidance in release docs.Jacob Walls
Follow-up to 4686541691dbe986f58ac87630c3b7a04db4ff93.
2025-11-22Fixed #35774 -- Dropped support for GEOS 3.8.David Smith
GEOS 3.8 (released Oct-2019) will be more than 5 years old when Django 6.1 is released (Aug-2026).
2025-11-21Fixed #36256 -- Removed unnecessary titles from admin UI elements.Skyiesac
Thanks Eliana Rosselli and the Accessibility Team for the recommendation.
2025-11-21Fixed #36741 -- Linked to custom save()/delete() caveats in ↵VIZZARD-X
docs/ref/models/querysets.txt.
2025-11-21Fixed #36620 -- Added coverage workflow to summarize coverage in pull requests.saurabh
Part of GSoC 2025. Thanks Lily for mentorship, and Sarah Boyce and Jacob Walls for reviews.
2025-11-21Configured dangerous-triggers zizmor rule.Jacob Walls
2025-11-21Addressed unpinned-uses zizmor finding.Jacob Walls
2025-11-21Simplified actions after applying zizmor auto-fixes.Jacob Walls