Age | Commit message | Author
2025-12-11 | Refs #35444 -- Clarified StringAgg deprecation notice in docs/ref/contrib/postgres/aggregates.txt. | David Sanders
2025-12-11 | Included ASGI servers when noting what the server does. | Jake Howard
2025-12-11 | Fixed #36769 -- Avoided visiting deeply nested nodes in XML deserializer. | Pravin Kamble
Only children at one level of depth need to be visited.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2025-12-11 | Noted testing uses for ContentTypeManager.clear_cache() method. | Carlton Gibson
It is often necessary to reset the cache between tests, or after preparing test state, when using content types. Django's test suite already does this when needed, but users will need to do similar in their own tests.
2025-12-11 | Refs #27890 -- Avoided overwriting TMPDIR in runtests.py under forkserver mode. | Jacob Walls
This variable should only be set once. Under forkserver, this module was getting executed multiple times, causing nested temporary dirs that didn't clean up properly, raising FileNotFoundError. This is similar to #27890 although a slightly different cause.
2025-12-11 | Fixed #36789 -- Added missing PDF file for docs/internals/_images/contribution_process.svg. | Pravin Kamble
The PDF is needed to build the PDF version of the whole docs.
2025-12-11 | Refs #36499 -- Adjusted test_strip_tags following Python behavior change for incomplete entities. | Jacob Walls
2025-12-10 | Refs #36025 -- Made get_prep_lookup() pass output_field when wrapping direct values in Value. | Clifford Gama
Previously, only strings were supplied with an output_field when wrapping direct value iterable elements in Value expressions for ExpressionList. This caused problems for __in lookups on JSONField when using expressions alongside direct values, as JSONField values can have different types which need to be adapted by the field's get_db_prep_value(). Refs #36689. Thanks Jacob Walls for the review.
2025-12-10 | Refs #36689 -- Serialized JSONIn rhs parameters wrapped in Value expressions. | Clifford Gama
2025-12-10 | Fixed #36689 -- Fixed top-level JSONField __in lookup failures on MySQL and Oracle. | Clifford Gama
Added a JSONIn lookup to handle correct serialization and extraction for JSONField top-level __in queries on backends without native JSON support. KeyTransformIn now subclasses JSONIn.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Thanks Jacob Walls for the report and review.
2025-12-09 | Added tests for MultiPointField, MultiLineStringField, and GeometryCollectionField. | Tim Graham
2025-12-09 | Fixed #36768 -- Optimized string concatenation in File.__iter__(). | varunkasyap
2025-12-08 | Fixed #36778 -- Extended advice to sanitize input before using in query expressions. | Jacob Walls
Thanks Clifford Gama and Simon Charette for reviews.
2025-12-08 | Refs #35581 -- Fixed email image inline attachment example. | Adam Johnson
1. Added imports and setup for clarity.
2. Removed adding `<` and `>` to Content-ID, as `make_msgid()` already includes them.
3. Removed `$` from reference in HTML, and instead stripped `<>` there, as required by HTML `cid:` references.
2025-12-07 | Refs #36620 -- Added contributor documentation for code coverage reports. | saurabh
This was included in the original reverted patch: a89183e63844a937aacd3ddb73c4952ef869d2cc
Follow-up to 26b0e2bb92caf2d16cabe455792350f20d6f42ca.
2025-12-06 | Refs #36620 -- Fixed PR number extraction in coverage_comment workflow. | saurabh
Passing the PR number as an artifact is more reliable in cross-fork workflows.
2025-12-05 | Refs #27834 -- Restored "expression" in StrIndex's docs signature. | Clifford Gama
Documentation regression in 20dbf19fc505f0383e96b323905953c863817fe4.
2025-12-05 | Refs #36620 -- Removed PR number null check from coverage_comment workflow. | saurabh
2025-12-05 | Fixed #36728 -- Validated template tag arguments at definition time. | Jake Howard
Before, `context` and `content` were validated at compile time.
2025-12-05 | Fixed #36722 -- Moved AutoFieldMixin validate_autopk_value() check to get_db_prep_save. | Clifford Gama
The validation in validate_autopk_value is specific to saving. Having it in get_db_prep_value caused Value(0, AutoField()) to fail unexpectedly when used in a filter on MySQL. Thanks Jacob Walls for the review.
2025-12-05 | Fixed #36367 -- Added a label to the date_hierarchy in admin changelist. | Chaitanya
Thanks Sarah Boyce for the implementation idea.
2025-12-04 | Added DatabaseFeatures.prohibits_dollar_signs_in_column_aliases. | Tim Graham
This is also applicable on CockroachDB.
2025-12-04 | Fixed #36620 -- Fixed workflow to summarize coverage in PRs. | saurabh
Follow-up to a89183e63844a937aacd3ddb73c4952ef869d2cc, which was reverted in e4c4a178aa642f8493b7ae2c0ad58527af51f67e because a change to the workflow trigger resulted in the PR branch not being checked out. We used this opportunity to reimplement the coverage tracing and coverage commenting in a two-workflow pattern with more granular permissions. To reduce duplicative workflows, we removed the existing python test workflow on PRs, at least until we run more distinct configurations on GitHub actions. The run with coverage tracing enabled is sufficient for now. The existing workflow still runs on pushes to main. We can revisit when adding more test configurations.
2025-12-04 | Fixed #36744 -- Improved scrypt password hasher docs. | Dmitry Chestnykh
- Corrected work_factor description and its requirements.
- Added block_size description.
- Changed parallelism description to mention computations, rather than threads (currently it's not multithreaded.)
- For all of the above, added standard scrypt terminology (N, r, p).
- Mentioned that in multithreaded implementations, parallelism also influences the memory requirements.
2025-12-03 | Closed pool when parallel test runner encounters unpicklable exceptions. | Jacob Walls
2025-12-03 | Fixed #35729 -- Enabled natural key serialization opt-out for subclasses. | rimi0108
Refactored serialization logic to allow models inheriting a natural_key() method (e.g. AbstractBaseUser) to explicitly opt out of natural key serialization by returning an empty tuple from the method. Thanks Jonas Dittrich for the report.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2025-12-03 | Refs #36520 -- Removed release note for refactored `parse_header_parameters`. | Jake Howard
2025-12-03 | Added stub release notes for 6.0.1. | Natalia
2025-12-03 | Refs #35859 -- Clarified Tasks ref and topics docs regarding available backends. | Jacob Walls
2025-12-03 | Finalized release notes for Django 6.0. | Natalia
2025-12-03 | Made cosmetic edits to docs/releases/6.0.txt. | Adam Johnson
2025-12-03 | Fixed #36280 -- Replaced exception checks with assertRaisesMessage(). | Skyiesac
2025-12-02 | Updated translations from Transifex. | Natalia
Forwardport of 00575b79312c719a6b37035067095e2d679bb5d7 from stable/6.0.x.
2025-12-02 | Added CVE-2025-13372 and CVE-2025-64460 to security archive. | Natalia
2025-12-02 | Added stub release notes for 5.2.10. | Natalia
2025-12-02 | Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation in XML serializer. | Shai Berger
Previously, `getInnerText()` recursively used `list.extend()` on strings, which added each character from child nodes as a separate list element. On deeply nested XML content, this caused the overall deserialization work to grow quadratically with input size, potentially allowing disproportionate CPU consumption for crafted XML. The fix separates collection of inner texts from joining them, so that each subtree is joined only once, reducing the complexity to linear in the size of the input. These changes also include a mitigation for an xml.dom.minidom performance issue. Thanks Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-12-02 | Fixed CVE-2025-13372 -- Protected FilteredRelation against SQL injection in column aliases on PostgreSQL. | Jacob Walls
Follow-up to CVE-2025-57833. Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak for the reviews.
2025-12-02 | Refs #35444 -- Fixed typo in PostgreSQL StringAgg deprecation warning. | Νικόλαος-Διγενής Καραγιάννης
2025-12-01 | Fixed #36712 -- Evaluated type annotations lazily in template tag registration. | Jacob Walls
Ideally, this will be reverted when an upstream solution is available for https://github.com/python/cpython/issues/141560. Thanks Patrick Rauscher for the report and Augusto Pontes for the first iteration and test.
2025-12-01 | Refs #36743 -- Corrected docstring for DisallowedRedirect. | Jacob Walls
2025-12-01 | Refs #35535 -- Used intended decorator in test_simple_block_tag_parens(). | Jacob Walls
2025-11-30 | Added link to Python Pickle documentation in docs/topics/cache.txt. | Rida Zouga
Co-authored-by: Rida Zouga <ridazouga@gmail.com>
2025-11-27 | Fixed outdated redis-py link in cache docs. | Bruno Alla
2025-11-27 | Highlighted community package upgrade utilities in docs/howto/upgrade-version.txt. | Tim Schilling
2025-11-27 | Reduced subjective tone and improved clarity in docs/howto/upgrade-version.txt. | Natalia
2025-11-26 | Included usage of new scripts in docs/internals/howto-release-django.txt. | Natalia
2025-11-26 | Added script to archive EOL stable branches. | Natalia
This also fixed a small bash issue in `confirm_release.sh` script.
2025-11-26 | Refs #36743 -- Added missing release notes for 5.1.15 and 4.2.27. | Natalia
The fix landed in a8cf8c292cfee98fe6cc873ca5221935f1d02271 will be backported to 5.1 and 4.2 since the 2048 limit was rolled out as part of the security release for CVE-2025-64458.
2025-11-26 | Fixed #36743 -- Increased URL max length enforced in HttpResponseRedirectBase. | varunkasyap
Refs CVE-2025-64458. The previous limit of 2048 characters reused the URLValidator constant and proved too restrictive for legitimate redirects to some third-party services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH` constant (defaulting to 16384) and uses it in HttpResponseRedirectBase. Thanks Jacob Walls for the report and review.
2025-11-26 | Refs #36619 -- Included third-party licenses with vendored eslint configuration files. | Jacob Walls