From db5da3c91c3122300680c4e7200a463273a5351e Mon Sep 17 00:00:00 2001 From: Jake Howard <6527489+RealOrangeOne@users.noreply.github.com> Date: Wed, 18 Jun 2025 15:04:34 +0100 Subject: [5.2.x] Clarified that only latest dependency versions are valid for security reports. Backport of bc1bfe12b613334bd625aeb36fd44af96d186c10 from main. --- docs/internals/security.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'docs/internals') diff --git a/docs/internals/security.txt b/docs/internals/security.txt index b0798d052e..567446c30e 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt @@ -55,6 +55,17 @@ set up, run, and reproduce the issue. Please do not attach screenshots of code. +Use supported versions of dependencies +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Django only :ref:`officially supports ` the latest +micro release (A.B.C) of Python. Vulnerabilities must be reproducible when all +relevant dependencies (not limited to Python) are at supported versions. + +For example, vulnerabilities that only occur when Django is run on a version of +Python that is no longer receiving security updates ("end-of-life") are **not +considered valid**, even if that version is listed as supported by Django. + User input must be sanitized ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- cgit v1.3