Skip to content

deps: Django 4.2.30 SQLi fix (F-011) + consolidated Dependabot bumps#318

Merged
vedharish merged 3 commits into
mainfrom
security/enigma-django-sqli-f011
Jul 15, 2026
Merged

deps: Django 4.2.30 SQLi fix (F-011) + consolidated Dependabot bumps#318
vedharish merged 3 commits into
mainfrom
security/enigma-django-sqli-f011

Conversation

@KrishnaSuravarapu

@KrishnaSuravarapu KrishnaSuravarapu commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

Consolidated dependency PR — the F-011 Django security fix plus all the open Dependabot dependency bumps folded into one branch (so they land/CI together instead of 11 separate red PRs).

Security fix

Folded-in Dependabot bumps (supersedes these PRs)

Package Bump PR
idna 3.7 → 3.15 #303
Jinja2 3.1.4 → 3.1.6 #266
Markdown 3.3.3 → 3.8.1 #284
Pygments 2.15.0 → 2.20.0 #290
PyNaCl 1.5.0 → 1.6.2 #279
requests 2.32.3 → 2.33.0 #288
soupsieve 2.0.1 → 2.8.4 #310
sqlparse 0.5.1 → 0.5.4 #291
js-yaml (npm) 4.1.0 → 4.3.0 #309
Django → 4.2.30 #292 (dup of the security fix above)

Excluded (cannot merge)

Full requirements.txt resolves cleanly on Python 3.12 (verified locally).

Once merged, close #303/#266/#284/#290/#279/#288/#310/#291/#309/#292 as superseded.

🤖 Generated with Claude Code

Django 4.2.25 is below the 4.2.26 fix for the QuerySet annotate/aggregate
_connector SQL injection (CVE-2025-64459 / GHSA-frmv-pr5f-9mcr, CVSS 9.8,
CTO-4859). Bump to the latest 4.2 LTS patch (4.2.30). Same LTS line already
green on the 3.12-3.14 matrix; full requirements resolve verified locally.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
tech-sushant
tech-sushant previously approved these changes Jul 14, 2026
dependabot Bot and others added 2 commits July 14, 2026 19:45
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.3.0.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.3.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.3.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit b493e89)
Fold the remaining open dependency PRs into one:
  idna 3.7->3.15 (#303), Jinja2 3.1.4->3.1.6 (#266), Markdown 3.3.3->3.8.1 (#284),
  Pygments 2.15.0->2.20.0 (#290), PyNaCl 1.5.0->1.6.2 (#279),
  requests 2.32.3->2.33.0 (#288), soupsieve 2.0.1->2.8.4 (#310),
  sqlparse 0.5.1->0.5.4 (#291), js-yaml 4.1.0->4.3.0 (#309, package-lock.json).
Django 4.2.30 (#292) already in this PR.

EXCLUDED: social-auth-app-django 5.6.0 (#274) requires Django>=5.1; incompatible
with the Django 4.2 LTS line — needs a separate Django 5.x migration.

Full requirements resolve verified locally on Python 3.12.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@KrishnaSuravarapu KrishnaSuravarapu changed the title security(deps): Django 4.2.25->4.2.30 for _connector SQLi (F-011, CTO-4859, CVSS 9.8) deps: Django 4.2.30 SQLi fix (F-011) + consolidated Dependabot bumps Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants