summaryrefslogtreecommitdiff
path: root/docs
AgeCommit message (Collapse)Author
2026-05-20Advanced deprecation warnings for Django 6.2.Sarah Boyce
2026-05-20Removed versionadded/changed annotations for 6.0.Sarah Boyce
2026-05-20Added stub release notes for 6.2.Sarah Boyce
2026-05-20Bumped version; main is now 6.2 pre-alpha.Sarah Boyce
2026-05-20Updated man page for Django 6.1 alpha 1.Jacob Walls
2026-05-20Made cosmetic edits to docs/releases/6.1.txt.Jacob Walls
2026-05-20Removed empty sections from 6.1 release notes.Jacob Walls
2026-05-20Fixed #37091 -- Confirmed support for GDAL 3.13.Milad Zarour
Thanks David Smith for reviews.
2026-05-20Fixed #37045 -- Renamed savepoint() to savepoint_create().Samuel Searles-Bryant
This makes the name consistent with the `savepoint_commit` and `savepoint_rollback` functions. The previous name is maintained as a deprecated alias. This also frees up the `savepoint` name, which would allow the context manager from `django-subatomic` to be included in Django. Co-authored-by: Lily <code@lilyf.org>
2026-05-20Refs #35514 -- Cleaned up mailers docs.Mike Edmunds
* Fixed typos related to automated EMAIL_PROVIDERS -> MAILERS renaming. * Clarified wording in some recently added/updated sections. * Removed deprecated, extraneous `fail_silently=False` from examples. * Moved EmailBackend API documentation out of "Email backends" intro into a dedicated section in email.txt. * Sorted MAILERS alphabetically in settings.txt.
2026-05-18Fixed #36825 -- Extended admin templates so CSP nonce is included if available.Johannes Maron
Error pages, admin, and registration templates were updated to use `{% csp_nonce %}` on their explicit `<script>`, `<link>`, and `<style>` HTML elements. Co-authored-by: Antoliny0919 <antoliny0919@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-05-15Fixed #37062 -- Added preserve_request support to RedirectView.VAIBHAVPANT07
2026-05-13Fixed #35514 -- Implemented dictionary-based MAILERS.Mike Edmunds
See DEP 0018. Added: * MAILERS setting. * django.core.mail.mailers dict-like EmailBackend factory. * `using` argument to mail sending APIs. * `sent_using` attribute to mail.outbox messages in locmem backend. * MAILERS in startproject settings template, set to console backend. * AdminLogHandler.using argument. * BrokenLinkEmailsMiddleware.send_mail() method. Updated: * BaseEmailBackend to track the MAILERS alias used to construct it, and to report errors for unknown kwargs (OPTIONS). * EmailBackend implementations to initialize from kwargs (OPTIONS) only when MAILERS is being used. * smtp.EmailBackend to require `host` option and to default `port` option based on SSL/TLS options. * SimpleTestCase setup to substitute the locmem backend for all defined MAILERS configurations. * Django's tests that send mail to define MAILERS. Deprecated: * EMAIL_BACKEND and other backend-related EMAIL_* settings. * mail.get_connection(). * The `connection`, `fail_silently`, `auth_user`, and `auth_password` arguments to mail functions. * The EmailMessage.connection attribute. * BaseEmailBackend support for `fail_silently`. Backends that support fail_silently (SMTP, console, file) now implement it directly. * AdminEmailHandler.email_backend argument. Removed undocumented features without deprecation: * EmailMessage.get_connection() method. (send() now raises an error if a subclass has attempted to override it.) * EmailMessage.send() no longer sets self.connection to the connection used for sending. (It still _uses_ a pre-existing self.connection.) * AdminEmailHandler.connection() method. (Init now raises an error if a subclass has attempted to override it.) Thanks to Natalia Bidart for shepherding DEP 0018 and for extensive reviews and suggestions on the implementation. Thanks to Jacob Rief for the initial implementation and multiple iterations while refining the design. Co-authored-by: Jacob Rief <jacob.rief@gmail.com>
2026-05-13Fixed #37094 -- Replaced "Go" with "Run" in list_editable alert message.Jacob Walls
Bug in 019acad112da3d00bb81b3022fd25ccd8457e5d9.
2026-05-13Fixed #12090 -- Added admin actions to the admin change form.Marcelo Galigniana
Thank you to Benjamin Balder Bach and Jacob Walls for reviews. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2026-05-12Fixed #27825 -- Doc'd that setting model fields does not convert types.1wos
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-05-11Fixed typo in docs/topics/db/search.txt.Stephanie
2026-05-11Refs #36593 -- Replaced reference to select_related() in design philosophies.Jacob Walls
2026-05-11Refs #36593 -- Deprecated setting ModelAdmin.list_select_related to True.Adam Johnson
Now that calling `QuerySet.select_related()` without arguments is deprecated, this commit deprecates the corresponding admin features.
2026-05-11Fixed #36593 -- Deprecated QuerySet.select_related() with no arguments.Adam Johnson
This commit deprecates the "fetch all relations" form of `QuerySet.select_related()` due to its poor performance characteristics, and updates several tests relying on that feature to ignore the new warning.
2026-05-11Refs #36593 -- Made ModelAdmin.list_select_related = False more efficient.Adam Johnson
This change makes `list_select_related = False` avoid unnecessary joins by only selecting the related fields that are actually used in `list_display`. Consequently, it avoids one code path that calls `QuerySet.select_related()` with no arguments, which is targeted for deprecation.
2026-05-07Fixed #37084 -- Added CSP nonce context processor system check.Milad Zarour
2026-05-07Fixed #37085 -- Added support for object-based form media stylesheet assets.Natalia
Thank you James Walls and James Bligh for reviews. Co-authored-by: Johannes Maron <johannes@maron.family>
2026-05-07Refs #15727 -- Moved security.E026 out of list of deploy=True checks.Jacob Walls
2026-05-06Fixed #36784 -- Added csp_nonce_attr template tag for CSP nonce inclusion.Natalia
New default tag `{% csp_nonce_attr %}` was added for explicit CSP nonce inclusion into `<script>` and `<link>` elements. `{% csp_nonce_attr %}` renders `nonce="<value>"` when `csp_nonce` is present in the template context, and renders nothing otherwise. `{% csp_nonce_attr media %}` renders a `Media` object's assets with the nonce attr applied to each tag. Thanks Jacob Walls for the accurate and spot on review comments. Co-authored-by: Johannes Maron <johannes@maron.family>
2026-05-06Refs #36620 -- Mentioned coverage workflow uses PostgreSQL.Jacob Walls
Before c507aaf9abeff4b93b7f9bdbc55801f2ccfc2d01, this workflow used to run on SQLite.
2026-05-06Refs #36862 -- Clarified security note for RemoteUserMiddleware.Jacob Walls
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Co-authored-by: Jake Howard <git@theorangeone.net>
2026-05-06Fixed #36300 -- Restored the semantic where RemoteUserMiddleware.header ↵Jacob Walls
corresponds to request.META under ASGI. Because these tests always passed both WSGI environ values and HTTP headers via `**extra`, this masked a behavior difference between WSGI and ASGI. What should happen: everything should be passed via `headers` but for the default REMOTE_USER case on WSGI, which should be passed via `**extra`. Since that was not done, a regression made it into Django 5.2 (50f89ae850f6b4e35819fe725a08c7e579bfd099) where `.header` no longer corresponded to the request.META key under ASGI. To cope, an ASGI user would have started(*) sending HTTP headers that match the `.header` attribute, which may or may not have been edited to remove the HTTP_ prefix. (Note: the default `REMOTE_USER` case did not work under ASGI, so the change in Django 5.2 had the effect of fixing the default case but changing the semantic of the custom case.) (*): Unless they were getting the sync execution path, which didn't have this bug. See the fix in 0f4fff79d33b7cc84822e66bd1fc16caf8222e3a. Thanks Mykhailo Havelia and Sarah Boyce for reviews.
2026-05-05Fixed #37053 -- Added validate=True to base64.b64decode() calls.Sarah Boyce
2026-05-05Added CVE-2026-5766, CVE-2026-35192, and CVE-2026-6907 to security archive.Sarah Boyce
2026-05-05Added stub release notes for 6.0.6.Sarah Boyce
2026-05-05Fixed CVE-2026-6907 -- Prevented caching of requests when Vary header ↵Sarah Boyce
contains an asterisk. Thank you Ahmad Sadeddin for the report and Jacob Walls for the review.
2026-05-05Fixed CVE-2026-35192 -- Ensured Vary header is sent when setting session ↵Jake Howard
cookie with SESSION_SAVE_EVERY_REQUEST=True. Thank you Jacob Walls and Natalia Bidart for reviews.
2026-05-05Fixed CVE-2026-5766 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE in ↵Jacob Walls
MemoryFileUploadHandler on ASGI. In ASGI deployments, Content-Length is not guaranteed to reflect the actual request body size, so relying on it to gate memory allocation allowed the limit to be bypassed. The handler now enforces DATA_UPLOAD_MAX_MEMORY_SIZE regardless of the declared header value. Thanks to Kyle Agronick for the report. Refs #35289. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-05-04Fixed #36767 -- Allowed max redirect URL length to be set on ↵varunkasyap
HttpResponseRedirect.
2026-05-04Fixed #37039 -- Removed outdated note from QuerySet.iterator() docs.Manas225
2026-05-04Fixed #37078 -- Deprecated SHA-1 default for salted_hmac() and base64_hmac() ↵Denny Biasiolli
algorithm. Deprecated the default value of the algorithm argument in django.utils.crypto.salted_hmac() and django.core.signing.base64_hmac(), which will change from 'sha1' to 'sha256' in Django 7.0.
2026-04-30Fixed typo in stub release notes for 5.2.14.Jacob Walls
2026-04-30Fixed #36919 -- Allowed Task and TaskResult to be pickled.varunkasyap
2026-04-29Refs #35738 -- Improved release note for '..' template deprecation.Adam Johnson
2026-04-29Fixed #16429 -- Extracted set_choices() method from FilePathField.__init__().TildaDares
2026-04-29Fixed #37067 -- Added trailing slash in django_file_prefixes().Fashad Ahmed
Ensure skip_file_prefixes does not match sibling packages like django*. Bug in f42b89f1bf49a5b89ed852b60f79342320a81c5e and 34bd3ed944bf38792c631b55e581963d44d52284.
2026-04-28Refs CVE-2026-25674 -- Clarified role of umask in upload permissions.Shai Berger
2026-04-28Fixed #36990 -- Bumped OpenLayers to 10.9.0.VIZZARD-X
2026-04-28Fixed #35738 -- Deprecated double-dot variable lookups.David Smith
2026-04-28Added stub release notes and release date for 6.0.5 and 5.2.14.Sarah Boyce
2026-04-24Replaced references in docs to accepted PEPs with specific Python docs links.Mike Edmunds
Where the docs used `:pep:` links for established Python language features, replaced them with direct references to the Python docs (usually glossary terms).
2026-04-23Refs #12090 -- Documented parameters for contrib.admin.decorators.action().Sarah Boyce
2026-04-22Fixed #10919 -- Added delete_confirmation_max_display to ModelAdmin.Rodrigo Vieira
The new ModelAdmin.delete_confirmation_max_display attribute allows limiting the number of related objects shown on the delete confirmation page. When the limit is reached, a "…and N more objects." message is shown. The feature relies on a new truncated_unordered_list template filter added to django.contrib.admin.templatetags.admin_filters. Thanks Jacob Tyler Walls for the review and guidance, Tobias McNulty for the report, and terminator14 for the solution suggested.
2026-04-22Fixed #35870 -- Made blank choice label in forms more accessible.Annabelle Wiegart
Added new constant django.db.models.fields.BLANK_CHOICE_LABEL for an accessible and translatable blank choice label in forms. Deprecated django.db.models.fields.BLANK_CHOICE_DASH constant. Added the immediately deprecated transitional setting USE_BLANK_CHOICE_DASH. Co-Authored-By: Marijke Luttekes <mail@marijkeluttekes.dev>