path: root/docs
Age | Commit message | Author
2026-02-20 | Fixed #36920 -- Fixed alignment of fieldset legends in wide admin forms. | usman
Visual regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
2026-02-20 | Refs #36934, #35972 -- Forwardported release note for tolerating sequences in BuiltinLookup.as_sql(). | Jacob Walls
Instead of cherry-picking a larger changeset (787cc96ef6197d73c7d4ad96f25500910c399603) and removing changes unsuitable for a backport, a partial backport was applied directly to stable/6.0.x to resolve #36934, so the release note needs to be forwardported. Forwardport of f9b820f8ac50aad025949087e660a551691832e4 from stable/6.0.x.
2026-02-19 | Fixed #36929 -- Dropped support for GEOS 3.9. | Pravin Kamble
Thanks David Smith for report and Tim Graham for review.
2026-02-18 | Refs #19221 -- Fixed outdated KEY_FUNCTION definition in docs/ref/settings.txt. | Mike Edmunds
Replaced outdated version of `default_key_func` in settings reference with pointer to current version in cache topic. Rewrote description to match parameter order and behavior of default implementation. Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
2026-02-16 | Fixed #36918 -- Removed double spaces and fixed minor grammar issues in docs. | $ῗἧḡḥ𝐀丂𝓱м𝑒𝑒𝐓
Co-authored-by: Clifford Gama <cliffygamy@gmail.com>
2026-02-13 | Fixed #36857 -- Added QuerySet.totally_ordered property. | VIZZARD-X
Thanks Simon Charette for the idea.
2026-02-10 | Fixed #36841 -- Made multipart parser class pluggable on HttpRequest. | farhan
2026-02-10 | Fixed #36903 -- Fixed further NameErrors when inspecting functions with deferred annotations. | 93578237
Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
2026-02-10 | Added stub release notes for 5.2.12. | Jacob Walls
2026-02-10 | Fixed #36890 -- Supported StringAgg(distinct=True) on SQLite with the default delimiter. | varunkasyap
2026-02-10 | Fixed #34352 -- Unified terms in Signals docs. | Hossam Hassan
2026-02-10 | Clarified optional nature of Contributor License Agreement. | Jacob Walls
It's not clear that CLAs are needed to ensure contributors are assenting to our license (the "inbound=outbound" agreement), but we can keep them around for contributors who would like to (or are required by their employer) to submit one, without investing additional resources in checking every single contribution. See https://forum.djangoproject.com/t/cla-vs-dco-for-django-contributors/42399 and recent board minutes.
2026-02-10 | Refs #35444 -- Doc'd deprecation in contrib.postgres.aggregates.StringAgg.delimiter. | Jacob Walls
2026-02-09 | Added DatabaseFeatures.supports_inspectdb. | Tim Graham
Needed by MongoDB.
2026-02-09 | Refs #36644 -- Documented no pk ordering in first()/last() after empty order_by(). | Jacob Walls
2026-02-09 | Fixed #36908 -- Removed unnecessary "fail_silently" param from quick example in docs/topics/email.txt. | SnippyCodes
2026-02-06 | Fixed #36272 -- Removed obsolete libgeoip from GeoDjango installation docs. | SnippyCodes
2026-02-03 | Fixed #36898 -- Documented SessionBase.is_empty(). | jafarkhan83
2026-02-03 | Added CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287, and CVE-2026-1312 to security archive. | Jacob Walls
2026-02-03 | Added stub release notes for 6.0.3. | Jacob Walls
2026-02-03 | Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via aliases with periods. | Jacob Walls
Before, `order_by()` treated a period in a field name as a sign that it was requested via `.extra(order_by=...)` and thus should be passed through as raw table and column names, even if `extra()` was not used. Since periods are permitted in aliases, this meant user-controlled aliases could force the `order_by()` clause to resolve to a raw table and column pair instead of the actual target field for the alias. In practice, only `FilteredRelation` was affected, as the other expressions we tested, e.g. `F`, aggressively optimize away the ordering expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY "table".column. Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard for reviews.
2026-02-03 | Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters. | Jake Howard
Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews.
2026-02-03 | Fixed CVE-2026-1285 -- Mitigated potential DoS in django.utils.text.Truncator for HTML input. | Natalia
The `TruncateHTMLParser` used `deque.remove()` to remove tags from the stack when processing end tags. With crafted input containing many unmatched end tags, this caused repeated full scans of the tag stack, leading to quadratic time complexity. The fix uses LIFO semantics, only removing a tag from the stack when it matches the most recently opened tag. This avoids linear scans for unmatched end tags and reduces complexity to linear time. Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161. Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for reviews.
2026-02-03 | Fixed CVE-2026-1207 -- Prevented SQL injections in RasterField lookups via band index. | Jacob Walls
Thanks Tarek Nakkouch for the report, and Simon Charette for the initial triage and review.
2026-02-03 | Fixed CVE-2025-14550 -- Optimized repeated header parsing in ASGI requests. | Jake Howard
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and Shai Berger for reviews.
2026-02-03 | Fixed CVE-2025-13473 -- Standardized timing of check_password() in mod_wsgi auth handler. | Jake Howard
Refs CVE-2024-39329, #20760. Thanks Stackered for the report, and Jacob Walls and Markus Holtermann for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-02-02 | Fixed #36788 -- Fixed horizontal form field alignment under <fieldset> in the admin. | Jacob Walls
Thanks Antoliny for the review. Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
2026-02-02 | Added missing quotes around nonce in docs/ref/csp.txt. | Jacob Walls
2026-01-31 | Refs #34118 -- Removed asgiref coroutine detection shims. | Jacob Walls
As Python 3.12 is now the floor, we can drop the shims and use the `inspect` module.
2026-01-30 | Added documentation on reviewing patches. | Tim Schilling
Original inspiration drawn from Sarah Boyce's talk: "Django needs you! (to do code review)"
2026-01-30 | Fixed typos in docs/ref/models/querysets.txt. | Jacob Walls
2026-01-29 | Made explicit that aspell is a requirement to run spell checks on docs. | Natalia
2026-01-29 | Fixed docs spelling errors accumulated over time. | Natalia
The `docs` GitHub action does not install `aspell` so the spelling checks are always passing in CI. After installing it, the following errors are reported:
WARNING: internals/security.txt:50: : Spell check: runnable: Include a runnable proof of concept.
WARNING: ref/contrib/postgres/search.txt:292: : Spell check: lexeme: an untrusted source. The content of each lexeme is escaped so that any.
WARNING: ref/contrib/postgres/search.txt:295: : Spell check: lexemes: You can combine lexemes with other lexemes using the .
WARNING: ref/contrib/postgres/search.txt:295: : Spell check: lexemes: You can combine lexemes with other lexemes using the .
WARNING: ref/contrib/postgres/search.txt:314: : Spell check: Lexeme: Lexeme objects also support term weighting and prefixes:.
WARNING: ref/models/database-functions.txt:1897: : Spell check: ai: 23ai/26ai (23.9) or later..
WARNING: ref/models/database-functions.txt:1897: : Spell check: ai: 23ai/26ai (23.9) or later..
WARNING: ref/models/expressions.txt:439: : Spell check: positionally: can be supplied positionally or only by keyword. For.
WARNING: ref/models/fields.txt:1339: : Spell check: ai: PostgreSQL < 18 only supports persisted columns. Oracle < 23ai/26ai (23.7).
WARNING: ref/models/fields.txt:1339: : Spell check: ai: PostgreSQL < 18 only supports persisted columns. Oracle < 23ai/26ai (23.7).
WARNING: ref/models/fields.txt:1344: : Spell check: ai: s was added on Oracle 23ai/26ai.
WARNING: ref/models/fields.txt:1344: : Spell check: ai: s was added on Oracle 23ai/26ai.
WARNING: releases/4.2.21.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags..
WARNING: releases/5.1.9.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags..
WARNING: releases/5.2.1.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags..
WARNING: releases/6.1.txt:244: : Spell check: mistyped: suggestions for mistyped subcommand names and argument choices..
WARNING: releases/6.1.txt:281: : Spell check: ai: Oracle 23ai/26ai (23.7+)..
WARNING: releases/6.1.txt:281: : Spell check: ai: Oracle 23ai/26ai (23.7+)..
WARNING: releases/6.1.txt:343: : Spell check: durations: durations expressed in weeks (.
WARNING: Found 19 misspelled words
build finished with problems, 20 warnings (with warnings treated as errors).
This branch adds some of the words to the allowlist, but for others I chose to rephrase the text in a more approachable manner.
2026-01-29 | Fixed #36847 -- Ensured auto_now_add fields are set on pre_save(). | Nilesh Kumar Pahari
Regression in 94680437a45a71c70ca8bd2e68b72aa1e2eff337. Refs #27222. During INSERT operations, `field.pre_save()` is called to prepare values for db insertion. The `add` param must be `True` for `auto_now_add` fields to be populated. The regression commit passed `False`, causing `auto_now_add` fields to remain `None` when used by other fields, such as `upload_to` callables. Thanks Ran Benita for the report.
2026-01-28 | Doc'd the minimum version of bash for releasing Django. | Jacob Walls
2026-01-27 | Added stub release notes and release date for 6.0.2, 5.2.11, and 4.2.28. | Jacob Walls
2026-01-26 | Fixed #36850 -- Prevented admin filter sidebar from wrapping below the changelist. | Nilesh Kumar Pahari
Removed flex-wrap from .changelist-form-container and added min-width to the main content container to ensure proper layout behavior. Regression in 6ea331907996a51842da55c1f8d65eea7b367c7d.
2026-01-25 | Fixed #36812 -- Dropped support for MariaDB < 10.11. | Skyiesac
2026-01-22 | Fixed #13883 -- Rendered named choice groups with <optgroup> in FilteredSelectMultiple. | seanhelvey
This patch adds support for <optgroup>s in FilteredSelectMultiple widgets. When a popup returns a new object, if the source field contains optgroup choices, the optgroup is now also included in the response data. Additionally, this adds error handling for invalid source_model parameters to prevent crashes and display user-friendly error messages instead. Co-authored-by: Michael McLarnon <mmclar@gmail.com>
2026-01-19 | Refs #25508 -- Updated outdated QuerySet.__repr__() results. | Clifford Gama
2026-01-19 | Fixed unbalanced parentheses in docs. | Clifford Gama
2026-01-18 | Applied Black's 2026 stable style. | Mariusz Felisiak
https://github.com/psf/black/releases/tag/26.1.0
2026-01-15 | Fixed #36856 -- Mentioned needsnewfeatureprocess resolution in contributor docs. | Amar Ahmed Deina
Co-authored-by: James Bligh <blighj@users.noreply.github.com>
2026-01-14 | Bumped linter versions in requirements files and tox.ini. | Jacob Walls
Follow-up to 64ac4385c75b12a4065055b3d8d60bd5e0e61f04.
2026-01-14 | Fixed #36855, Refs #27222 -- Mentioned multiple invocations of Field.pre_save() in 6.0 release notes. | kundan223
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-01-12 | Refs #36769 -- Raised SuspiciousOperation for unexpected nested tags in XML Deserializer. | Jacob Walls
Thanks Shai Berger and Natalia Bidart for reviews.
2026-01-10 | Fixed #36827 -- Added support for exclusion constraints using Hash indexes on PostgreSQL. | Haki Benita
2026-01-09 | Refs #35381 -- Added missing deprecation note for using None as RHS of JSONExact. | Clifford Gama
2026-01-08 | Fixed a typo in docs/ref/forms/models.txt. | Jacob Walls
2026-01-08 | Fixed #36844 -- Clarified need for reusable apps to set default_auto_field in packaging tutorial and AppConfig docs. | Amar Ahmed Deina