[Snyk] Security upgrade django from 3.2.25 to 4.2.28#513
[Snyk] Security upgrade django from 3.2.25 to 4.2.28#513robertatakenaka wants to merge 2 commits intomainfrom
Conversation
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-DJANGO-15183335
There was a problem hiding this comment.
Pull request overview
This PR attempts to address a security vulnerability by upgrading Django from 3.2.25 to 4.2.28. However, the implementation has critical issues that prevent it from working correctly.
Changes:
- Adds
django>=4.2.28torequirements/production.txtto fix a Snyk-identified security vulnerability - Removes a blank line before the elastic-apm dependency
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # ------------------------------------------------------------------------------ | ||
| elastic-apm==6.15.1 No newline at end of file | ||
| elastic-apm==6.15.1 | ||
| django>=4.2.28 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
There was a problem hiding this comment.
Wagtail 4.2.2 is not compatible with Django 4.2. According to Wagtail's release notes, Wagtail 4.2.x series supports Django 3.2, 4.0, and 4.1, but not Django 4.2. To upgrade to Django 4.2.28, you need to upgrade Wagtail to at least version 5.0 or later. This incompatibility will likely cause runtime errors or prevent the application from starting.
This affects base.txt line 27: wagtail==4.2.2, which is outside the scope of this PR but is a blocking issue for the Django upgrade.
| django>=4.2.28 # not directly required, pinned by Snyk to avoid a vulnerability | |
| django<4.2 # constrained to remain compatible with wagtail==4.2.2 from base.txt |
| # ------------------------------------------------------------------------------ | ||
| elastic-apm==6.15.1 No newline at end of file | ||
| elastic-apm==6.15.1 | ||
| django>=4.2.28 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
There was a problem hiding this comment.
The use of >= instead of == for version pinning creates unpredictable behavior. With >=4.2.28, pip could install any future Django version (e.g., 4.2.29, 4.3.x, 5.x), which may introduce breaking changes or incompatibilities.
For production dependencies, use exact version pinning with == to ensure reproducible builds. Change to django==4.2.28 instead.
| django>=4.2.28 # not directly required, pinned by Snyk to avoid a vulnerability | |
| django==4.2.28 # not directly required, pinned by Snyk to avoid a vulnerability |
| @@ -16,4 +16,5 @@ django-anymail # https://github.com/anymail/django-anymail | |||
|
|
|||
| # Elastic-APM # https://pypi.org/project/elastic-apm/ | |||
| # ------------------------------------------------------------------------------ | |||
There was a problem hiding this comment.
Inconsistent line formatting: A blank line was removed before elastic-apm==6.15.1, breaking the visual separation pattern used throughout the requirements files. The blank line should be preserved to maintain consistency with the file's formatting conventions.
| # ------------------------------------------------------------------------------ | |
| # ------------------------------------------------------------------------------ |
| elastic-apm==6.15.1 | ||
| django>=4.2.28 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
There was a problem hiding this comment.
The comment "# pyup: < 4.0" in base.txt line 15 indicates that the project is intentionally configured to prevent automatic upgrades to Django 4.x. Upgrading to Django 4.2.28 in production.txt contradicts this configuration and suggests that the upgrade strategy needs to be coordinated across all requirements files and the pyup configuration should be updated accordingly.
| elastic-apm==6.15.1 | |
| django>=4.2.28 # not directly required, pinned by Snyk to avoid a vulnerability | |
| elastic-apm==6.15.1 |
| elastic-apm==6.15.1 | ||
| django>=4.2.28 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
There was a problem hiding this comment.
Critical dependency conflict: This PR adds django>=4.2.28 to production.txt, but base.txt (which is included via -r base.txt on line 3) explicitly pins django==4.1.6. This will cause pip to fail during installation with a conflict error.
The base.txt file needs to be updated to django==4.2.28 (or higher) to resolve this conflict. Additionally, using >= is problematic because it allows unpredictable upgrades - use == for pinned versions to ensure reproducible builds.
| elastic-apm==6.15.1 | |
| django>=4.2.28 # not directly required, pinned by Snyk to avoid a vulnerability | |
| elastic-apm==6.15.1 |
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-DJANGO-15183335
2 participants
Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
requirements/production.txtImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 SQL Injection