summaryrefslogtreecommitdiff
path: root/docs/internals
AgeCommit message (Collapse)Author
13 daysRefs CVE-2026-6873 -- Moved deprecation note for ↵Jacob Walls
SIGNED_COOKIE_LEGACY_SALT_FALLBACK.
13 daysRefs #36593 -- Added missing deprecation note for select_related() with no ↵Jacob Walls
arguments.
13 daysRefs #36905 -- Added missing deprecation note for safe parameter of ↵Jacob Walls
JSONResponse.
2026-06-16Fixed #37157 -- Doc'd usage of sphinx-autobuild for documentation ↵SnippyCodes
auto-reloading.
2026-06-11Doc'd security standards in howto-release-django.txt.Jacob Walls
2026-06-10Fixed #37142 -- Moved django_file_prefixes() to django.utils.warnings.zhengkangyang
2026-06-09Fixed #37106 -- Clarified pylibmc workaround in unit test docs.kikobarr
2026-06-03Refs CVE-2026-6873 -- Defaulted SIGNED_COOKIE_LEGACY_SALT_FALLBACK ↵Jacob Walls
transitional setting to False.
2026-05-26Removed version numbers from example tox -l output.Jacob Walls
2026-05-26Bumped versions in pre-commit and npm configurations.Jacob Walls
2026-05-24Added advancing deprecations to preparing for next release instructions.Sarah Boyce
2026-05-24Corrected code-block indenting in docs/internals/howto-release-django.txt.Sarah Boyce
2026-05-20Advanced deprecation warnings for Django 6.2.Sarah Boyce
2026-05-20Fixed #37045 -- Renamed savepoint() to savepoint_create().Samuel Searles-Bryant
This makes the name consistent with the `savepoint_commit` and `savepoint_rollback` functions. The previous name is maintained as a deprecated alias. This also frees up the `savepoint` name, which would allow the context manager from `django-subatomic` to be included in Django. Co-authored-by: Lily <code@lilyf.org>
2026-05-13Fixed #35514 -- Implemented dictionary-based MAILERS.Mike Edmunds
See DEP 0018. Added: * MAILERS setting. * django.core.mail.mailers dict-like EmailBackend factory. * `using` argument to mail sending APIs. * `sent_using` attribute to mail.outbox messages in locmem backend. * MAILERS in startproject settings template, set to console backend. * AdminLogHandler.using argument. * BrokenLinkEmailsMiddleware.send_mail() method. Updated: * BaseEmailBackend to track the MAILERS alias used to construct it, and to report errors for unknown kwargs (OPTIONS). * EmailBackend implementations to initialize from kwargs (OPTIONS) only when MAILERS is being used. * smtp.EmailBackend to require `host` option and to default `port` option based on SSL/TLS options. * SimpleTestCase setup to substitute the locmem backend for all defined MAILERS configurations. * Django's tests that send mail to define MAILERS. Deprecated: * EMAIL_BACKEND and other backend-related EMAIL_* settings. * mail.get_connection(). * The `connection`, `fail_silently`, `auth_user`, and `auth_password` arguments to mail functions. * The EmailMessage.connection attribute. * BaseEmailBackend support for `fail_silently`. Backends that support fail_silently (SMTP, console, file) now implement it directly. * AdminEmailHandler.email_backend argument. Removed undocumented features without deprecation: * EmailMessage.get_connection() method. (send() now raises an error if a subclass has attempted to override it.) * EmailMessage.send() no longer sets self.connection to the connection used for sending. (It still _uses_ a pre-existing self.connection.) * AdminEmailHandler.connection() method. (Init now raises an error if a subclass has attempted to override it.) Thanks to Natalia Bidart for shepherding DEP 0018 and for extensive reviews and suggestions on the implementation. Thanks to Jacob Rief for the initial implementation and multiple iterations while refining the design. Co-authored-by: Jacob Rief <jacob.rief@gmail.com>
2026-05-13Fixed #12090 -- Added admin actions to the admin change form.Marcelo Galigniana
Thank you to Benjamin Balder Bach and Jacob Walls for reviews. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2026-05-11Refs #36593 -- Deprecated setting ModelAdmin.list_select_related to True.Adam Johnson
Now that calling `QuerySet.select_related()` without arguments is deprecated, this commit deprecates the corresponding admin features.
2026-05-11Fixed #36593 -- Deprecated QuerySet.select_related() with no arguments.Adam Johnson
This commit deprecates the "fetch all relations" form of `QuerySet.select_related()` due to its poor performance characteristics, and updates several tests relying on that feature to ignore the new warning.
2026-05-06Refs #36620 -- Mentioned coverage workflow uses PostgreSQL.Jacob Walls
Before c507aaf9abeff4b93b7f9bdbc55801f2ccfc2d01, this workflow used to run on SQLite.
2026-05-04Fixed #37078 -- Deprecated SHA-1 default for salted_hmac() and base64_hmac() ↵Denny Biasiolli
algorithm. Deprecated the default value of the algorithm argument in django.utils.crypto.salted_hmac() and django.core.signing.base64_hmac(), which will change from 'sha1' to 'sha256' in Django 7.0.
2026-04-28Fixed #35738 -- Deprecated double-dot variable lookups.David Smith
2026-04-22Fixed #35870 -- Made blank choice label in forms more accessible.Annabelle Wiegart
Added new constant django.db.models.fields.BLANK_CHOICE_LABEL for an accessible and translatable blank choice label in forms. Deprecated django.db.models.fields.BLANK_CHOICE_DASH constant. Added the immediately deprecated transitional setting USE_BLANK_CHOICE_DASH. Co-Authored-By: Marijke Luttekes <mail@marijkeluttekes.dev>
2026-04-19Fixed #35007 -- Replaced ESLint with Biome for JavaScript linting and ↵Tom Carrick
formatting.
2026-04-19Updated release procedure with new CVE workflows.Jacob Walls
Now that the DSF is a CVE Numbering Authority (CNA), we manage our own CVE assignments.
2026-04-18Fixed #37028 -- Added BitAnd(), BitOr(), and BitXor() aggregates.Mariusz Felisiak
2026-04-17Clarified that reporters shouldn't set their own tickets as "Accepted".Jonathan Biemond
2026-04-10Fixed #37020 -- Removed guidance to edit fetched .po files by hand.Jacob Walls
Altering the .po files by hand was causing incorrect line numbers and plural forms. Since our fetching procedure does not recompile any hand-edited .po files to .mo files for production use, just accept Transifex's plural forms as a source of truth. https://forum.djangoproject.com/t/discourage-releasers-from-editing-po-files-by-hand/44441
2026-04-10Refs #37020 -- Corrected example command to update translation catalogs.Jacob Walls
Passing the --domain flag again just overwrites the prior value.
2026-04-02Added section for respecting maintainer time to the security policy.Natalia
This follows a post from Seth Larson (Security Developer-in-Residence at the PSF): https://sethmlarson.dev/respecting-maintainer-time-should-be-in-security-policies
2026-04-02Fixed #36862 -- Doc'd the need for a proxy when deploying ↵Jacob Walls
RemoteUserMiddleware under ASGI. We have a flood of nuisance security reports describing ASGI deployments using RemoteUserMiddleware without a fronting proxy, which is not realistic.
2026-03-31Fixed #36799 -- Added a how-to guide for testing pre-releases.VIZZARD-X
Thanks Sarah Boyce for the idea and Tim McCurrach for the review. Co-authored-by: Timothy McCurrach <tim.mccurrach@gmail.com> Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-03-20Made it clear that unreviewed tickets shouldn't be claimed or started.Jake Howard
2026-03-19Refs #36795 -- Deprecated SQLCompiler.quote_name_unless_alias().Simon Charette
It has been superseded with .quote_name(), which ensures aliases are always quoted.
2026-03-16Combined scripts confirm_release.sh and test_new_version.sh into ↵Natalia
verify_release.sh. This reuses the same download for both artifacts and checks both GPG signature and minimal correctness in the same script. Docs and script do_django_release.py were updated.
2026-03-15Fixed typo in docs/internals/contributing/accessibility.txt.dcsid
2026-03-12Fixed #36727 -- Deprecated Field.get_placeholder in favor of ↵Simon Charette
get_placeholder_sql. The lack of ability of the get_placeholder call chain to return SQL and parameters separated so they can be mogrified by the backend at execution time forced implementations to dangerously interpolate potentially user controlled values. The get_placeholder_sql name was chosen due to its proximity to the previous method, but other options such as Field.as_sql were considered but ultimately rejected due to its different input signature compared to Expression.as_sql that might have lead to confusion. There is a lot of overlap between what Field.get_db_prep_value and get_placeholder_sql do but folding the latter in the former would require changing its return signature to return expression which is a way more invasive change than what is proposed here. Given we always call get_db_prep_value it might still be an avenue worth exploring in the future to offer a publicly documented interface to allow field to take an active part in the compilation chain. Thanks Jacob for the review.
2026-03-12Discouraged automated AI reviews of pull requests.Natalia
Some contributors have been requesting Copilot reviews on pull requests submitted to the Django repository. These automated reviews add noise to the PR history, making it harder to follow the discussion, and Django does not incorporate them into its review process. This change discourages the practice by: - Adding a `copilot-instructions.md` file instructing Copilot to decline review requests in this repository. - Adding a checklist item to the PR template asking contributors not to request automated AI reviews for their PR. - Documenting the policy in the contributing guidelines.
2026-03-06Extended committing code docs to add detailed instructions for backports.Natalia
Thanks to Jacob Walls for the original idea and the review.
2026-03-06Extended checks and docs for proper commit message format and edition.Jacob Walls
Thanks to Tim Schilling for the review. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-02-26Adjusted default DoS severity level in Security Policy.Natalia
2026-02-10Clarified optional nature of Contributor License Agreement.Jacob Walls
It's not clear that CLAs are needed to ensure contributors are assenting to our license (the "inbound=outbound" agreement), but we can keep them around for contributors who would like to (or are required by their employer) to submit one, without investing additional resources in checking every single contribution. See https://forum.djangoproject.com/t/cla-vs-dco-for-django-contributors/42399 and recent board minutes.
2026-01-30Added documentation on reviewing patches.Tim Schilling
Original inspiration drawn from Sarah Boyce's talk: "Django needs you! (to do code review)"
2026-01-29Made explicit that aspell is a requirement to run spell checks on docs.Natalia
2026-01-29Fixed docs spelling errors accumulated over time.Natalia
The `docs` GitHub action does not install `aspell` so the seplling checks are always passing in CI. After installing it, the following errors are reported: WARNING: internals/security.txt:50: : Spell check: runnable: Include a runnable proof of concept. WARNING: ref/contrib/postgres/search.txt:292: : Spell check: lexeme: an untrusted source. The content of each lexeme is escaped so that any. WARNING: ref/contrib/postgres/search.txt:295: : Spell check: lexemes: You can combine lexemes with other lexemes using the . WARNING: ref/contrib/postgres/search.txt:295: : Spell check: lexemes: You can combine lexemes with other lexemes using the . WARNING: ref/contrib/postgres/search.txt:314: : Spell check: Lexeme: Lexeme objects also support term weighting and prefixes:. WARNING: ref/models/database-functions.txt:1897: : Spell check: ai: 23ai/26ai (23.9) or later.. WARNING: ref/models/database-functions.txt:1897: : Spell check: ai: 23ai/26ai (23.9) or later.. WARNING: ref/models/expressions.txt:439: : Spell check: positionally: can be supplied positionally or only by keyword. For. WARNING: ref/models/fields.txt:1339: : Spell check: ai: PostgreSQL < 18 only supports persisted columns. Oracle < 23ai/26ai (23.7). WARNING: ref/models/fields.txt:1339: : Spell check: ai: PostgreSQL < 18 only supports persisted columns. Oracle < 23ai/26ai (23.7). WARNING: ref/models/fields.txt:1344: : Spell check: ai: s was added on Oracle 23ai/26ai. WARNING: ref/models/fields.txt:1344: : Spell check: ai: s was added on Oracle 23ai/26ai. WARNING: releases/4.2.21.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags.. WARNING: releases/5.1.9.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags.. WARNING: releases/5.2.1.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags.. WARNING: releases/6.1.txt:244: : Spell check: mistyped: suggestions for mistyped subcommand names and argument choices.. WARNING: releases/6.1.txt:281: : Spell check: ai: Oracle 23ai/26ai (23.7+).. WARNING: releases/6.1.txt:281: : Spell check: ai: Oracle 23ai/26ai (23.7+).. WARNING: releases/6.1.txt:343: : Spell check: durations: durations expressed in weeks (. WARNING: Found 19 misspelled words build finished with problems, 20 warnings (with warnings treated as errors). This branch adds some of the words to the allowlist, but for others I chose to rephrase the text in a more approachable manner.
2026-01-28Doc'd the minimum version of bash for releasing Django.Jacob Walls
2026-01-19Fixed unbalanced parentheses in docs.Clifford Gama
2026-01-15Fixed #36856 -- Mentioned needsnewfeatureprocess resolution in contributor docs.Amar Ahmed Deina
Co-authored-by: James Bligh <blighj@users.noreply.github.com>
2026-01-14Bumped linter versions in requirements files and tox.ini.Jacob Walls
Follow-up to 64ac4385c75b12a4065055b3d8d60bd5e0e61f04.
2026-01-09Refs #35381 -- Added missing deprecation note for using None as RHS of ↵Clifford Gama
JSONExact.
2026-01-08Added guidance on AI-assisted code submission to contributing docs.Natalia