Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pin django to latest version 5.0.8 #666

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

pyup-bot
Copy link
Collaborator

@pyup-bot pyup-bot commented Aug 6, 2024

This PR pins django to the latest release 5.0.8.

Changelog

5.0.8

==========================

*August 6, 2024*

Django 5.0.8 fixes three security issues with severity "moderate", one security
issue with severity "high", and several bugs in 5.0.7.

CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
================================================================================

If :tfilter:`floatformat` received a string representation of a number in
scientific notation with a large exponent, it could lead to significant memory
consumption.

To avoid this, decimals with more than 200 digits are now returned as is.

CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
=======================================================================================================================

:tfilter:`urlize`, :tfilter:`urlizetrunc`, and ``AdminURLFieldWidget`` were
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.

CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
======================================================================================

:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
with a ``JSONField`` were subject to SQL injection in column aliases, via a
crafted JSON object key as a passed ``*arg``.

Bugfixes
========

* Added missing validation for ``UniqueConstraint(nulls_distinct=False)`` when
using ``*expressions`` (:ticket:`35594`).

* Fixed a regression in Django 5.0 where ``ModelAdmin.action_checkbox`` could
break the admin changelist HTML page when rendering a model instance with a
``__html__`` method (:ticket:`35606`).

* Fixed a crash when creating a model with a ``Field.db_default`` and a
``Meta.constraints`` constraint composed of ``__endswith``, ``__startswith``,
or ``__contains`` lookups (:ticket:`35625`).

* Fixed a regression in Django 5.0.7 that caused a crash in
``LocaleMiddleware`` when processing a language code over 500 characters
(:ticket:`35627`).

* Fixed a bug in Django 5.0 that caused a system check crash when
``ModelAdmin.date_hierarchy`` was a ``GeneratedField`` with an
``output_field`` of ``DateField`` or ``DateTimeField`` (:ticket:`35628`).

* Fixed a bug in Django 5.0 which caused constraint validation to either crash
or incorrectly raise validation errors for constraints referring to fields
using ``Field.db_default`` (:ticket:`35638`).

* Fixed a crash in Django 5.0 when saving a model containing a ``FileField``
with a ``db_default`` set (:ticket:`35657`).


==========================

5.0.7

==========================

*July 9, 2024*

Django 5.0.7 fixes two security issues with severity "moderate", two security
issues with severity "low", and one bug in 5.0.6.

CVE-2024-38875: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via certain inputs with a very large number of
brackets.

CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
================================================================================================

The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
allowed remote attackers to enumerate users via a timing attack involving login
requests for users with unusable passwords.

CVE-2024-39330: Potential directory-traversal via ``Storage.save()``
====================================================================

Derived classes of the :class:`~django.core.files.storage.Storage` base class
which override :meth:`generate_filename()
<django.core.files.storage.Storage.generate_filename()>` without replicating
the file path validations existing in the parent class, allowed for potential
directory-traversal via certain inputs when calling :meth:`save()
<django.core.files.storage.Storage.save()>`.

Built-in ``Storage`` sub-classes were not affected by this vulnerability.

CVE-2024-39614: Potential denial-of-service vulnerability in ``get_supported_language_variant()``
=================================================================================================

:meth:`~django.utils.translation.get_supported_language_variant` was subject to
a potential denial-of-service attack when used with very long strings
containing specific characters.

To mitigate this vulnerability, the language code provided to
:meth:`~django.utils.translation.get_supported_language_variant` is now parsed
up to a maximum length of 500 characters.

When the language code is over 500 characters, a :exc:`ValueError` will now be
raised if ``strict`` is ``True``, or if there is no generic variant and
``strict`` is ``False``.

Bugfixes
========

* Fixed a bug in Django 5.0 that caused a crash of ``Model.full_clean()`` on
unsaved model instances with a ``GeneratedField`` and certain defined
:attr:`Meta.constraints <django.db.models.Options.constraints>`
(:ticket:`35560`).


==========================

5.0.6

==========================

*May 7, 2024*

Django 5.0.6 fixes a packaging error in 5.0.5.


==========================

5.0.5

==========================

*May 6, 2024*

Django 5.0.5 fixes several bugs in 5.0.4.

Bugfixes
========

* Fixed a bug in Django 5.0 that caused a crash of ``Model.save()`` when
creating an instance of a model with a ``GeneratedField`` and providing a
primary key (:ticket:`35350`).

* Fixed a compatibility issue encountered in Python 3.11.9+ and 3.12.3+ when
validating email max line lengths with content decoded using the
``surrogateescape`` error handling scheme (:ticket:`35361`).

* Fixed a bug in Django 5.0 that caused a crash when applying migrations
including alterations to ``GeneratedField`` such as setting ``db_index=True``
on SQLite (:ticket:`35373`).

* Allowed importing ``aprefetch_related_objects`` from ``django.db.models``
(:ticket:`35392`).

* Fixed a bug in Django 5.0 that caused a migration crash when a
``GeneratedField`` was added before any of the referenced fields from its
``expression`` definition (:ticket:`35359`).

* Fixed a bug in Django 5.0 that caused a migration crash when altering a
``GeneratedField`` referencing a renamed field (:ticket:`35422`).

* Fixed a bug in Django 5.0 where the ``querysets`` argument of
``GenericPrefetch`` was not required (:ticket:`35426`).


==========================

5.0.4

==========================

*April 3, 2024*

Django 5.0.4 fixes several bugs in 5.0.3.

Bugfixes
========

* Fixed a bug in Django 5.0 that caused a crash of ``Model.full_clean()`` on
fields with expressions in ``db_default``. As a consequence,
``Model.full_clean()`` no longer validates for empty values in fields with
``db_default`` (:ticket:`35223`).

* Fixed a regression in Django 5.0 where the ``AdminFileWidget`` could be
rendered with two ``id`` attributes on the "Clear" checkbox
(:ticket:`35273`).

* Fixed a bug in Django 5.0 that caused a migration crash on PostgreSQL 15+
when adding a partial ``UniqueConstraint`` with ``nulls_distinct``
(:ticket:`35329`).

* Fixed a crash in Django 5.0 when performing queries involving table aliases
and lookups on a ``GeneratedField`` of the aliased table (:ticket:`35344`).

* Fixed a bug in Django 5.0 that caused a migration crash when adding a
``GeneratedField`` relying on the ``__contains`` or ``__icontains``
lookups or using a ``Value`` containing a ``"%"`` (:ticket:`35336`).


==========================

5.0.3

==========================

*March 4, 2024*

Django 5.0.3 fixes a security issue with severity "moderate" and several bugs
in 5.0.2.

CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
=========================================================================================================

``django.utils.text.Truncator.words()`` method (with ``html=True``) and
:tfilter:`truncatewords_html` template filter were subject to a potential
regular expression denial-of-service attack using a suitably crafted string
(follow up to :cve:`2019-14232` and :cve:`2023-43665`).

Bugfixes
========

* Fixed a regression in Django 5.0.2 where ``intcomma`` template filter could
return a leading comma for string representation of floats (:ticket:`35172`).

* Fixed a bug in Django 5.0 that caused a crash of ``Signal.asend()`` and
``asend_robust()`` when all receivers were asynchronous functions
(:ticket:`35174`).

* Fixed a regression in Django 5.0.1 where :meth:`.ModelAdmin.lookup_allowed`
would prevent filtering against foreign keys using lookups like ``__isnull``
when the field was not included in :attr:`.ModelAdmin.list_filter`
(:ticket:`35173`).

* Fixed a regression in Django 5.0 that caused a crash of
``sensitive_variables`` and ``sensitive_post_parameters`` decorators on
functions loaded from ``.pyc`` files (:ticket:`35187`).

* Fixed a regression in Django 5.0 that caused a crash when reloading a test
database and a base queryset for a base manager used ``prefetch_related()``
(:ticket:`35238`).

* Fixed a bug in Django 5.0 where facet filters in the admin would crash on a
``SimpleListFilter`` using a queryset without primary keys (:ticket:`35198`).


==========================

5.0.2

==========================

*February 6, 2024*

Django 5.0.2 fixes a security issue with severity "moderate" and several bugs
in 5.0.1. Also, the latest string translations from Transifex are incorporated.

CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
===========================================================================

The ``intcomma`` template filter was subject to a potential denial-of-service
attack when used with very long strings.

Bugfixes
========

* Reallowed, following a regression in Django 5.0.1, filtering against local
foreign keys not included in :attr:`.ModelAdmin.list_filter`
(:ticket:`35087`).

* Fixed a regression in Django 5.0 where links in the admin had an incorrect
color (:ticket:`35121`).

* Fixed a bug in Django 5.0 that caused a crash of ``Model.full_clean()`` on
models with a ``GeneratedField`` (:ticket:`35127`).

* Fixed a regression in Django 5.0 that caused a crash of
``FilteredRelation()`` with querysets as right-hand sides (:ticket:`35135`).
``FilteredRelation()`` now raises a ``ValueError`` on querysets as right-hand
sides.

* Fixed a regression in Django 5.0 that caused a crash of the ``dumpdata``
management command when a base queryset used ``prefetch_related()``
(:ticket:`35159`).

* Fixed a regression in Django 5.0 that caused the ``request_finished`` signal to
sometimes not be fired when running Django through an ASGI server, resulting
in potential resource leaks (:ticket:`35059`).

* Fixed a bug in Django 5.0 that caused a migration crash on MySQL when adding
a ``BinaryField``, ``TextField``, ``JSONField``, or ``GeometryField`` with a
``db_default`` (:ticket:`35162`).

* Fixed a bug in Django 5.0 that caused a migration crash on models with a
literal ``db_default`` of a complex type such as ``dict`` instance of a
``JSONField``. Running ``makemigrations`` might generate no-op ``AlterField``
operations for fields using ``db_default`` (:ticket:`35149`).


==========================

5.0.1

==========================

*January 2, 2024*

Django 5.0.1 fixes several bugs in 5.0.

Bugfixes
========

* Reallowed, following a regression in Django 5.0, using a foreign key to a
model with a primary key that is not ``AutoField`` in
:attr:`.ModelAdmin.list_filter` (:ticket:`35020`).

* Fixed a long standing bug in handling the ``RETURNING INTO`` clause that
caused a crash when creating a model instance with a ``GeneratedField`` which
``output_field`` had backend-specific converters (:ticket:`35024`).

* Fixed a regression in Django 5.0 that caused a crash of ``Model.save()`` for
models with both ``GeneratedField`` and ``ForeignKey`` fields
(:ticket:`35019`).

* Fixed a bug in Django 5.0 that caused a migration crash on Oracle < 23c when
adding a ``GeneratedField`` with ``output_field=BooleanField``
(:ticket:`35018`).

* Fixed a regression in Django 5.0 where admin fields on the same line could
overflow the page and become non-interactive (:ticket:`35012`).

* Added compatibility for ``oracledb`` 2.0.0 (:ticket:`35054`).

* Fixed a regression in Django 5.0 where querysets referenced incorrect field
names from ``FilteredRelation()`` (:ticket:`35050`).

* Fixed a regression in Django 5.0 that caused a system check crash when
``ModelAdmin.filter_horizontal`` or ``filter_vertical`` contained a reverse
many-to-many relation with ``related_name`` (:ticket:`35056`).


========================

5.0

========================

*December 4, 2023*

Welcome to Django 5.0!

These release notes cover the :ref:`new features <whats-new-5.0>`, as well as
some :ref:`backwards incompatible changes <backwards-incompatible-5.0>` you'll
want to be aware of when upgrading from Django 4.2 or earlier. We've
:ref:`begun the deprecation process for some features
<deprecated-features-5.0>`.

See the :doc:`/howto/upgrade-version` guide if you're updating an existing
project.

Python compatibility
====================

Django 5.0 supports Python 3.10, 3.11, and 3.12. We **highly recommend** and
only officially support the latest release of each series.

The Django 4.2.x series is the last to support Python 3.8 and 3.9.

Third-party library support for older version of Django
=======================================================

Following the release of Django 5.0, we suggest that third-party app authors
drop support for all versions of Django prior to 4.2. At that time, you should
be able to run your package's tests using ``python -Wd`` so that deprecation
warnings appear. After making the deprecation warning fixes, your app should be
compatible with Django 5.0.

.. _whats-new-5.0:

What's new in Django 5.0
========================

Facet filters in the admin
--------------------------

Facet counts are now shown for applied filters in the admin changelist when
toggled on via the UI. This behavior can be changed via the new
:attr:`.ModelAdmin.show_facets` attribute. For more information see
:ref:`facet-filters`.

Simplified templates for form field rendering
---------------------------------------------

Django 5.0 introduces the concept of a field group, and field group templates.
This simplifies rendering of the related elements of a Django form field such
as its label, widget, help text, and errors.

For example, the template below:

.. code-block:: html+django

 <form>
 ...
 <div>
   {{ form.name.label_tag }}
   {% if form.name.help_text %}
     <div class="helptext" id="{{ form.name.auto_id }}_helptext">
       {{ form.name.help_text|safe }}
     </div>
   {% endif %}
   {{ form.name.errors }}
   {{ form.name }}
   <div class="row">
     <div class="col">
       {{ form.email.label_tag }}
       {% if form.email.help_text %}
         <div class="helptext" id="{{ form.email.auto_id }}_helptext">
           {{ form.email.help_text|safe }}
         </div>
       {% endif %}
       {{ form.email.errors }}
       {{ form.email }}
     </div>
     <div class="col">
       {{ form.password.label_tag }}
       {% if form.password.help_text %}
         <div class="helptext" id="{{ form.password.auto_id }}_helptext">
           {{ form.password.help_text|safe }}
         </div>
       {% endif %}
       {{ form.password.errors }}
       {{ form.password }}
     </div>
   </div>
 </div>
 ...
 </form>

Can now be simplified to:

.. code-block:: html+django

 <form>
 ...
 <div>
   {{ form.name.as_field_group }}
   <div class="row">
     <div class="col">{{ form.email.as_field_group }}</div>
     <div class="col">{{ form.password.as_field_group }}</div>
   </div>
 </div>
 ...
 </form>

:meth:`~django.forms.BoundField.as_field_group` renders fields with the
``"django/forms/field.html"`` template by default and can be customized on a
per-project, per-field, or per-request basis. See
:ref:`reusable-field-group-templates`.

Database-computed default values
--------------------------------

The new :attr:`Field.db_default <django.db.models.Field.db_default>` parameter
sets a database-computed default value. For example::

 from django.db import models
 from django.db.models.functions import Now, Pi


 class MyModel(models.Model):
     age = models.IntegerField(db_default=18)
     created = models.DateTimeField(db_default=Now())
     circumference = models.FloatField(db_default=2 * Pi())

Database generated model field
------------------------------

The new :class:`~django.db.models.GeneratedField` allows creation of database
generated columns. This field can be used on all supported database backends
to create a field that is always computed from other fields. For example::

 from django.db import models
 from django.db.models import F


 class Square(models.Model):
     side = models.IntegerField()
     area = models.GeneratedField(
         expression=F("side") * F("side"),
         output_field=models.BigIntegerField(),
         db_persist=True,
     )

More options for declaring field choices
----------------------------------------

:attr:`.Field.choices` *(for model fields)* and :attr:`.ChoiceField.choices`
*(for form fields)* allow for more flexibility when declaring their values. In
previous versions of Django, ``choices`` should either be a list of 2-tuples,
or an :ref:`field-choices-enum-types` subclass, but the latter required
accessing the ``.choices`` attribute to provide the values in the expected
form::

 from django.db import models

 Medal = models.TextChoices("Medal", "GOLD SILVER BRONZE")

 SPORT_CHOICES = [
     ("Martial Arts", [("judo", "Judo"), ("karate", "Karate")]),
     ("Racket", [("badminton", "Badminton"), ("tennis", "Tennis")]),
     ("unknown", "Unknown"),
 ]


 class Winner(models.Model):
     name = models.CharField(...)
     medal = models.CharField(..., choices=Medal.choices)
     sport = models.CharField(..., choices=SPORT_CHOICES)

Django 5.0 adds support for accepting a mapping or a callable instead of an
iterable, and also no longer requires ``.choices`` to be used directly to
expand :ref:`enumeration types <field-choices-enum-types>`::

 from django.db import models

 Medal = models.TextChoices("Medal", "GOLD SILVER BRONZE")

 SPORT_CHOICES = {   Using a mapping instead of a list of 2-tuples.
     "Martial Arts": {"judo": "Judo", "karate": "Karate"},
     "Racket": {"badminton": "Badminton", "tennis": "Tennis"},
     "unknown": "Unknown",
 }


 def get_scores():
     return [(i, str(i)) for i in range(10)]


 class Winner(models.Model):
     name = models.CharField(...)
     medal = models.CharField(..., choices=Medal)   Using `.choices` not required.
     sport = models.CharField(..., choices=SPORT_CHOICES)
     score = models.IntegerField(choices=get_scores)   A callable is allowed.

Under the hood the provided ``choices`` are normalized into a list of 2-tuples
as the canonical form whenever the ``choices`` value is updated. For more
information, please check the :ref:`model field reference on choices
<field-choices>`.

Minor features
--------------

:mod:`django.contrib.admin`
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* The new :meth:`.AdminSite.get_log_entries` method allows customizing the
queryset for the site's listed log entries.

* The ``django.contrib.admin.AllValuesFieldListFilter``,
``ChoicesFieldListFilter``, ``RelatedFieldListFilter``, and
``RelatedOnlyFieldListFilter`` admin filters now handle multi-valued query
parameters.

* ``XRegExp`` is upgraded from version 3.2.0 to 5.1.1.

* The new :meth:`.AdminSite.get_model_admin` method returns an admin class for
the given model class.

* Properties in :attr:`.ModelAdmin.list_display` now support ``boolean``
attribute.

* jQuery is upgraded from version 3.6.4 to 3.7.1.


:mod:`django.contrib.auth`
~~~~~~~~~~~~~~~~~~~~~~~~~~

* The default iteration count for the PBKDF2 password hasher is increased from
600,000 to 720,000.

* The new asynchronous functions are now provided, using an
``a`` prefix: :func:`django.contrib.auth.aauthenticate`,
:func:`~.django.contrib.auth.aget_user`,
:func:`~.django.contrib.auth.alogin`, :func:`~.django.contrib.auth.alogout`,
and :func:`~.django.contrib.auth.aupdate_session_auth_hash`.

* ``AuthenticationMiddleware`` now adds an :meth:`.HttpRequest.auser`
asynchronous method that returns the currently logged-in user.

* The new :func:`django.contrib.auth.hashers.acheck_password` asynchronous
function and :meth:`.AbstractBaseUser.acheck_password` method allow
asynchronous checking of user passwords.

:mod:`django.contrib.contenttypes`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :meth:`.QuerySet.prefetch_related` now supports prefetching
:class:`~django.contrib.contenttypes.fields.GenericForeignKey` with
non-homogeneous set of results.

:mod:`django.contrib.gis`
~~~~~~~~~~~~~~~~~~~~~~~~~

* The new
:class:`ClosestPoint() <django.contrib.gis.db.models.functions.ClosestPoint>`
function returns a 2-dimensional point on the geometry that is closest to
another geometry.

* :ref:`GIS aggregates <gis-aggregation-functions>` now support the ``filter``
argument.

* Support for GDAL 3.7 and GEOS 3.12 is added.

* The new :meth:`.GEOSGeometry.equals_identical` method allows point-wise
equivalence checking of geometries.

:mod:`django.contrib.messages`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* The new :meth:`.MessagesTestMixin.assertMessages` assertion method allows
testing :mod:`~django.contrib.messages` added to a
:class:`response <django.http.HttpResponse>`.

:mod:`django.contrib.postgres`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* The new :attr:`~.ExclusionConstraint.violation_error_code` attribute of
:class:`~django.contrib.postgres.constraints.ExclusionConstraint` allows
customizing the ``code`` of ``ValidationError`` raised during
:ref:`model validation <validating-objects>`.

Asynchronous views
~~~~~~~~~~~~~~~~~~

* Under ASGI, ``http.disconnect`` events are now handled. This allows views to
perform any necessary cleanup if a client disconnects before the response is
generated. See :ref:`async-handling-disconnect` for more details.

Decorators
~~~~~~~~~~

* The following decorators now support wrapping asynchronous view functions:

* :func:`~django.views.decorators.cache.cache_control`
* :func:`~django.views.decorators.cache.never_cache`
* :func:`~django.views.decorators.common.no_append_slash`
* :func:`~django.views.decorators.csrf.csrf_exempt`
* :func:`~django.views.decorators.csrf.csrf_protect`
* :func:`~django.views.decorators.csrf.ensure_csrf_cookie`
* :func:`~django.views.decorators.csrf.requires_csrf_token`
* :func:`~django.views.decorators.debug.sensitive_variables`
* :func:`~django.views.decorators.debug.sensitive_post_parameters`
* :func:`~django.views.decorators.gzip.gzip_page`
* :func:`~django.views.decorators.http.condition`
* ``conditional_page()``
* :func:`~django.views.decorators.http.etag`
* :func:`~django.views.decorators.http.last_modified`
* :func:`~django.views.decorators.http.require_http_methods`
* :func:`~django.views.decorators.http.require_GET`
* :func:`~django.views.decorators.http.require_POST`
* :func:`~django.views.decorators.http.require_safe`
* :func:`~django.views.decorators.vary.vary_on_cookie`
* :func:`~django.views.decorators.vary.vary_on_headers`
* ``xframe_options_deny()``
* ``xframe_options_sameorigin()``
* ``xframe_options_exempt()``

Error Reporting
~~~~~~~~~~~~~~~

* :func:`~django.views.decorators.debug.sensitive_variables` and
:func:`~django.views.decorators.debug.sensitive_post_parameters` can now be
used with asynchronous functions.

File Storage
~~~~~~~~~~~~

* :meth:`.File.open` now passes all positional (``*args``) and keyword
arguments (``**kwargs``) to Python's built-in :func:`python:open`.

Forms
~~~~~

* The new :attr:`~django.forms.URLField.assume_scheme` argument for
:class:`~django.forms.URLField` allows specifying a default URL scheme.

* In order to improve accessibility, the following changes are made:

* Form fields now include the ``aria-describedby`` HTML attribute to enable
 screen readers to associate form fields with their help text.
* Invalid form fields now include the ``aria-invalid="true"`` HTML attribute.

Internationalization
~~~~~~~~~~~~~~~~~~~~

* Support and translations for the Uyghur language are now available.

Migrations
~~~~~~~~~~

* Serialization of functions decorated with :func:`functools.cache` or
:func:`functools.lru_cache` is now supported without the need to write a
custom serializer.

Models
~~~~~~

* The new ``create_defaults`` argument of :meth:`.QuerySet.update_or_create`
and :meth:`.QuerySet.aupdate_or_create` methods allows specifying a different
field values for the create operation.

* The new ``violation_error_code`` attribute of
:class:`~django.db.models.BaseConstraint`,
:class:`~django.db.models.CheckConstraint`, and
:class:`~django.db.models.UniqueConstraint` allows customizing the ``code``
of ``ValidationError`` raised during
:ref:`model validation <validating-objects>`.

* The :ref:`force_insert <ref-models-force-insert>` argument of
:meth:`.Model.save` now allows specifying a tuple of parent classes that must
be forced to be inserted.

* :meth:`.QuerySet.bulk_create` and :meth:`.QuerySet.abulk_create` methods now
set the primary key on each model instance when the ``update_conflicts``
parameter is enabled (if the database supports it).

* The new :attr:`.UniqueConstraint.nulls_distinct` attribute allows customizing
the treatment of ``NULL`` values on PostgreSQL 15+.

* The new :func:`~django.shortcuts.aget_object_or_404` and
:func:`~django.shortcuts.aget_list_or_404` asynchronous shortcuts allow
asynchronous getting objects.

* The new :func:`~django.db.models.aprefetch_related_objects` function allows
asynchronous prefetching of model instances.

* :meth:`.QuerySet.aiterator` now supports previous calls to
``prefetch_related()``.

* On MariaDB 10.7+, ``UUIDField`` is now created as ``UUID`` column rather than
``CHAR(32)`` column. See the migration guide above for more details on
:ref:`migrating-uuidfield`.

* Django now supports `oracledb`_ version 1.3.2 or higher. Support for
``cx_Oracle`` is deprecated as of this release and will be removed in Django
6.0.

Pagination
~~~~~~~~~~

* The new :attr:`django.core.paginator.Paginator.error_messages` argument
allows customizing the error messages raised by :meth:`.Paginator.page`.

Signals
~~~~~~~

* The new :meth:`.Signal.asend` and :meth:`.Signal.asend_robust` methods allow
asynchronous signal dispatch. Signal receivers may be synchronous or
asynchronous, and will be automatically adapted to the correct calling style.

Templates
~~~~~~~~~

* The new :tfilter:`escapeseq` template filter applies :tfilter:`escape` to
each element of a sequence.

Tests
~~~~~

* :class:`~django.test.Client` and :class:`~django.test.AsyncClient` now
provide asynchronous methods, using an ``a`` prefix:
:meth:`~django.test.Client.asession`, :meth:`~django.test.Client.alogin`,
:meth:`~django.test.Client.aforce_login`, and
:meth:`~django.test.Client.alogout`.

* :class:`~django.test.AsyncClient` now supports the ``follow`` parameter.

* :class:`~django.test.runner.DiscoverRunner` now allows showing the duration
of the slowest tests using the :option:`test --durations` option (available
on Python 3.12+).

Validators
~~~~~~~~~~

* The new ``offset`` argument of
:class:`~django.core.validators.StepValueValidator` allows specifying an
offset for valid values.

.. _backwards-incompatible-5.0:

Backwards incompatible changes in 5.0
=====================================

Database backend API
--------------------

This section describes changes that may be needed in third-party database
backends.

* ``DatabaseFeatures.supports_expression_defaults`` should be set to ``False``
if the database doesn't support using database functions as defaults.

* ``DatabaseFeatures.supports_default_keyword_in_insert`` should be set to
``False`` if the database doesn't support the ``DEFAULT`` keyword in
``INSERT`` queries.

* ``DatabaseFeatures.supports_default_keyword_in_bulk_insert`` should be set to
``False`` if the database doesn't support the ``DEFAULT`` keyword in bulk
``INSERT`` queries.

:mod:`django.contrib.gis`
-------------------------

* Support for GDAL 2.2 and 2.3 is removed.

* Support for GEOS 3.6 and 3.7 is removed.

:mod:`django.contrib.sitemaps`
------------------------------

* The ``django.contrib.sitemaps.ping_google()`` function and the
``ping_google`` management command are removed as the Google
Sitemaps ping endpoint is deprecated and will be removed in January 2024.

* The ``django.contrib.sitemaps.SitemapNotFound`` exception class is removed.

Dropped support for MySQL < 8.0.11
----------------------------------

Support for pre-releases of MySQL 8.0.x series is removed. Django 5.0 supports
MySQL 8.0.11 and higher.

Using ``create_defaults__exact`` may now be required with ``QuerySet.update_or_create()``
-----------------------------------------------------------------------------------------

:meth:`.QuerySet.update_or_create` now supports the parameter
``create_defaults``. As a consequence, any models that have a field named
``create_defaults`` that are used with an ``update_or_create()`` should specify
the field in the lookup with ``create_defaults__exact``.

.. _migrating-uuidfield:

Migrating existing ``UUIDField`` on MariaDB 10.7+
-------------------------------------------------

On MariaDB 10.7+, ``UUIDField`` is now created as ``UUID`` column rather than
``CHAR(32)`` column. As a consequence, any ``UUIDField`` created in
Django < 5.0 should be replaced with a ``UUIDField`` subclass backed by
``CHAR(32)``::

 class Char32UUIDField(models.UUIDField):
     def db_type(self, connection):
         return "char(32)"

     def get_db_prep_value(self, value, connection, prepared=False):
         value = super().get_db_prep_value(value, connection, prepared)
         if value is not None:
             value = value.hex
         return value

For example::

 class MyModel(models.Model):
     uuid = models.UUIDField(primary_key=True, default=uuid.uuid4)

Should become::

 class Char32UUIDField(models.UUIDField): ...


 class MyModel(models.Model):
     uuid = Char32UUIDField(primary_key=True, default=uuid.uuid4)

Running the :djadmin:`makemigrations` command will generate a migration
containing a no-op ``AlterField`` operation.

Miscellaneous
-------------

* The ``instance`` argument of the undocumented
``BaseModelFormSet.save_existing()`` method is renamed to ``obj``.

* The undocumented ``django.contrib.admin.helpers.checkbox`` is removed.

* Integer fields are now validated as 64-bit integers on SQLite to match the
behavior of ``sqlite3``.

* The undocumented ``Query.annotation_select_mask`` attribute is changed from a
set of strings to an ordered list of strings.

* ``ImageField.update_dimension_fields()`` is no longer called on the
``post_init`` signal if ``width_field`` and ``height_field`` are not set.

* :class:`~django.db.models.functions.Now` database function now uses
``LOCALTIMESTAMP`` instead of ``CURRENT_TIMESTAMP`` on Oracle.

* :attr:`.AdminSite.site_header` is now rendered in a ``<div>`` tag instead of
``<h1>``. Screen reader users rely on heading elements for navigation within
a page. Having two ``<h1>`` elements was confusing and the site header wasn't
helpful as it is repeated on all pages.

* In order to improve accessibility, the admin's main content area and header
content area are now rendered in a ``<main>`` and ``<header>`` tag instead of
``<div>``.

* On databases without native support for the SQL ``XOR`` operator, ``^`` as
the exclusive or (``XOR``) operator now returns rows that are matched by an
odd number of operands rather than exactly one operand. This is consistent
with the behavior of MySQL, MariaDB, and Python.

* The minimum supported version of ``asgiref`` is increased from 3.6.0 to
3.7.0.

* The minimum supported version of ``selenium`` is increased from 3.8.0 to
4.8.0.

* The ``AlreadyRegistered`` and ``NotRegistered`` exceptions are moved from
``django.contrib.admin.sites`` to ``django.contrib.admin.exceptions``.

* The minimum supported version of SQLite is increased from 3.21.0 to 3.27.0.

* Support for ``cx_Oracle`` < 8.3 is removed.

* Executing SQL queries before the app registry has been fully populated now
raises :exc:`RuntimeWarning`.

* :exc:`~django.core.exceptions.BadRequest` is raised for non-UTF-8 encoded
requests with the :mimetype:`application/x-www-form-urlencoded` content type.
See :rfc:`1866` for more details.

* The minimum supported version of ``colorama`` is increased to 0.4.6.

* The minimum supported version of ``docutils`` is increased to 0.19.

* Filtering querysets against overflowing integer values now always returns an
empty queryset. As a consequence, you may need to use ``ExpressionWrapper()``
to :ref:`explicitly wrap <using-f-with-annotations>` arithmetic against
integer fields in such cases.

.. _deprecated-features-5.0:

Features deprecated in 5.0
==========================

Miscellaneous
-------------

* The ``DjangoDivFormRenderer`` and ``Jinja2DivFormRenderer`` transitional form
renderers are deprecated.

* Passing positional arguments ``name`` and ``violation_error_message`` to
:class:`~django.db.models.BaseConstraint` is deprecated in favor of
keyword-only arguments.

* ``request`` is added to the signature of :meth:`.ModelAdmin.lookup_allowed`.
Support for ``ModelAdmin`` subclasses that do not accept this argument is
deprecated.

* The ``get_joining_columns()`` method of ``ForeignObject`` and
``ForeignObjectRel`` is deprecated. Starting with Django 6.0,
``django.db.models.sql.datastructures.Join`` will no longer fallback to
``get_joining_columns()``. Subclasses should implement
``get_joining_fields()`` instead.

* The ``ForeignObject.get_reverse_joining_columns()`` method is deprecated.

* The default scheme for ``forms.URLField`` will change from ``"http"`` to
``"https"`` in Django 6.0. Set :setting:`FORMS_URLFIELD_ASSUME_HTTPS`
transitional setting to ``True`` to opt into assuming ``"https"`` during the
Django 5.x release cycle.

* ``FORMS_URLFIELD_ASSUME_HTTPS`` transitional setting is deprecated.

* Support for calling ``format_html()`` without passing args or kwargs will be
removed.

* Support for ``cx_Oracle`` is deprecated in favor of `oracledb`_ 1.3.2+ Python
driver.

* ``DatabaseOperations.field_cast_sql()`` is deprecated in favor of
``DatabaseOperations.lookup_cast()``. Starting with Django 6.0,
``BuiltinLookup.process_lhs()`` will no longer call ``field_cast_sql()``.
Third-party database backends should implement ``lookup_cast()`` instead.

* The ``django.db.models.enums.ChoicesMeta`` metaclass is renamed to
``ChoicesType``.

* The ``Prefetch.get_current_queryset()`` method is deprecated.

* The ``get_prefetch_queryset()`` method of related managers and descriptors
is deprecated. Starting with Django 6.0, ``get_prefetcher()`` and
``prefetch_related_objects()`` will no longer fallback to
``get_prefetch_queryset()``. Subclasses should implement
``get_prefetch_querysets()`` instead.

.. _`oracledb`: https://oracle.github.io/python-oracledb/

Features removed in 5.0
=======================

These features have reached the end of their deprecation cycle and are removed
in Django 5.0.

See :ref:`deprecated-features-4.0` for details on these changes, including how
to remove usage of these features.

* The ``SERIALIZE`` test setting is removed.

* The undocumented ``django.utils.baseconv`` module is removed.

* The undocumented ``django.utils.datetime_safe`` module is removed.

* The default value of the ``USE_TZ`` setting is changed from ``False`` to
``True``.

* The default sitemap protocol for sitemaps built outside the context of a
request is changed from ``'http'`` to ``'https'``.

* The ``extra_tests`` argument for ``DiscoverRunner.build_suite()`` and
``DiscoverRunner.run_tests()`` is removed.

* The ``django.contrib.postgres.aggregates.ArrayAgg``, ``JSONBAgg``, and
``StringAgg`` aggregates no longer return ``[]``, ``[]``, and ``''``,
respectively, when there are no rows.

* The ``USE_L10N`` setting is removed.

* The ``USE_DEPRECATED_PYTZ`` transitional setting is removed.

* Support for ``pytz`` timezones is removed.

* The ``is_dst`` argument is removed from:

* ``QuerySet.datetimes()``
* ``django.utils.timezone.make_aware()``
* ``django.db.models.functions.Trunc()``
* ``django.db.models.functions.TruncSecond()``
* ``django.db.models.functions.TruncMinute()``
* ``django.db.models.functions.TruncHour()``
* ``django.db.models.functions.TruncDay()``
* ``django.db.models.functions.TruncWeek()``
* ``django.db.models.functions.TruncMonth()``
* ``django.db.models.functions.TruncQuarter()``
* ``django.db.models.functions.TruncYear()``

* The ``django.contrib.gis.admin.GeoModelAdmin`` and ``OSMGeoAdmin`` classes
are removed.

* The undocumented ``BaseForm._html_output()`` method is removed.

* The ability to return a ``str``, rather than a ``SafeString``, when rendering
an ``ErrorDict`` and ``ErrorList`` is removed.

See :ref:`deprecated-features-4.1` for details on these changes, including how
to remove usage of these features.

* The ``SitemapIndexItem.__str__()`` method is removed.

* The ``CSRF_COOKIE_MASKED`` transitional setting is removed.

* The ``name`` argument of ``django.utils.functional.cached_property()`` is
removed.

* The ``opclasses`` argument of
``django.contrib.postgres.constraints.ExclusionConstraint`` is removed.

* The undocumented ability to pass ``errors=None`` to
``SimpleTestCase.assertFormError()`` and ``assertFormsetError()`` is removed.

* ``django.contrib.sessions.serializers.PickleSerializer`` is removed.

* The usage of ``QuerySet.iterator()`` on a queryset that prefetches related
objects without providing the ``chunk_size`` argument is no longer allowed.

* Passing unsaved model instances to related filters is no longer allowed.

* ``created=True`` is required in the signature of
``RemoteUserBackend.configure_user()`` subclasses.

* Support for logging out via ``GET`` requests in the
``django.contrib.auth.views.LogoutView`` and
``django.contrib.auth.views.logout_then_login()`` is removed.

* The ``django.utils.timezone.utc`` alias to ``datetime.timezone.utc`` is
removed.

* Passing a response object and a form/formset name to
``SimpleTestCase.assertFormError()`` and ``assertFormSetError()`` is no
longer allowed.

* The ``django.contrib.gis.admin.OpenLayersWidget`` is removed.

+ The ``django.contrib.auth.hashers.CryptPasswordHasher`` is removed.

* The ``"django/forms/default.html"`` and
``"django/forms/formsets/default.html"`` templates are removed.

* The default form and formset rendering style is changed to the div-based.

* Passing ``nulls_first=False`` or ``nulls_last=False`` to ``Expression.asc()``
and ``Expression.desc()`` methods, and the ``OrderBy`` expression is no
longer allowed.








===========================

4.2.15

===========================

*August 6, 2024*

Django 4.2.15 fixes three security issues with severity "moderate", one
security issue with severity "high", and a regression in 4.2.14.

CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
================================================================================

If :tfilter:`floatformat` received a string representation of a number in
scientific notation with a large exponent, it could lead to significant memory
consumption.

To avoid this, decimals with more than 200 digits are now returned as is.

CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
=======================================================================================================================

:tfilter:`urlize`, :tfilter:`urlizetrunc`, and ``AdminURLFieldWidget`` were
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.

CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
======================================================================================

:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
with a ``JSONField`` were subject to SQL injection in column aliases, via a
crafted JSON object key as a passed ``*arg``.

Bugfixes
========

* Fixed a regression in Django 4.2.14 that caused a crash in
``LocaleMiddleware`` when processing a language code over 500 characters
(:ticket:`35627`).


===========================

4.2.14

===========================

*July 9, 2024*

Django 4.2.14 fixes two security issues with severity "moderate" and two
security issues with severity "low" in 4.2.13.

CVE-2024-38875: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via certain inputs with a very large number of
brackets.

CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
================================================================================================

The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
allowed remote attackers to enumerate users via a timing attack involving login
requests for users with unusable passwords.

CVE-2024-39330: Potential directory-traversal via ``Storage.save()``
====================================================================

Derived classes of the :class:`~django.core.files.storage.Storage` base class
which override :meth:`generate_filename()
<django.core.files.storage.Storage.generate_filename()>` without replicating
the file path validations existing in the parent class, allowed for potential
directory-traversal via certain inputs when calling :meth:`save()
<django.core.files.storage.Storage.save()>`.

Built-in ``Storage`` sub-classes were not affected by this vulnerability.

CVE-2024-39614: Potential denial-of-service vulnerability in ``get_supported_language_variant()``
=================================================================================================

:meth:`~django.utils.translation.get_supported_language_variant` was subject to
a potential denial-of-service attack when used with very long strings
containing specific characters.

To mitigate this vulnerability, the language code provided to
:meth:`~django.utils.translation.get_supported_language_variant` is now parsed
up to a maximum length of 500 characters.

When the language code is over 500 characters, a :exc:`ValueError` will now be
raised if ``strict`` is ``True``, or if there is no generic variant and
``strict`` is ``False``.


===========================

4.2.13

===========================

*May 7, 2024*

Django 4.2.13 fixes a packaging error in 4.2.12.


===========================

4.2.12

===========================

*May 6, 2024*

Django 4.2.12 fixes a compatibility issue with Python 3.11.9+ and 3.12.3+.

Bugfixes
========

* Fixed a crash in Django 4.2 when validating email max line lengths with
content decoded using the ``surrogateescape`` error handling scheme
(:ticket:`35361`).


===========================

4.2.11

===========================

*March 4, 2024*

Django 4.2.11 fixes a security issue with severity "moderate" and a regression
in 4.2.10.

CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
=========================================================================================================

``django.utils.text.Truncator.words()`` method (with ``html=True``) and
:tfilter:`truncatewords_html` template filter were subject to a potential
regular expression denial-of-service attack using a suitably crafted string
(follow up to :cve:`2019-14232` and :cve:`2023-43665`).

Bugfixes
========

* Fixed a regression in Django 4.2.10 where ``intcomma`` template filter could
return a leading comma for string representation of floats (:ticket:`35172`).


===========================

4.2.10

===========================

*February 6, 2024*

Django 4.2.10 fixes a security issue with severity "moderate" in 4.2.9.

CVE-2024-24680: Potential denial-of-service in ``intcomma`` template filter
===========================================================================

The ``intcomma`` template filter was subject to a potential denial-of-service
attack when used with very long strings.


==========================

4.2.9

==========================

*January 2, 2024*

Django 4.2.9 fixes a bug in 4.2.8.

Bugfixes
========

* Fixed a regression in Django 4.2.8 where admin fields on the same line could
overflow the page and become non-interactive (:ticket:`35012`).


==========================

4.2.8

==========================

*December 4, 2023*

Django 4.2.8 fixes several bugs in 4.2.7 and adds compatibility with Python
3.12.

Bugfixes
========

* Fixed a regression in Django 4.2 that caused :option:`makemigrations --check`
to stop displaying pending migrations (:ticket:`34457`).

* Fixed a regression in Django 4.2 that caused a crash of
``QuerySet.aggregate()`` with aggregates referencing other aggregates or
window functions through conditional expressions (:ticket:`34975`).

* Fixed a regression in Django 4.2 that caused a crash when annotating a
``QuerySet`` with a ``Window`` expressions composed of a ``partition_by``
clause mixing field types and aggregation expressions (:ticket:`34987`).

* Fixed a regression in Django 4.2 where the admin's change list page had
misaligned pagination links and inputs when using ``list_editable``
(:ticket:`34991`).

* Fixed a regression in Django 4.2 where checkboxes in the admin would be
centered on narrower screen widths (:ticket:`34994`).

* Fixed a regression in Django 4.2 that caused a crash of querysets with
aggregations on MariaDB when the ``ONLY_FULL_GROUP_BY`` SQL mode was enabled
(:ticket:`34992`).

* Fixed a regression in Django 4.2 where the admin's read-only password widget
and some help texts were incorrectly aligned at tablet widths
(:ticket:`34982`).

* Fixed a regression in Django 4.2 that caused a migration crash on SQLite when
altering unsupported ``Meta.db_table_comment`` (:ticket:`35006`).


==========================

4.2.7

==========================

*November 1, 2023*

Django 4.2.7 fixes a security issue with severity "moderate" and several bugs
in 4.2.6.

CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
=========================================================================================

The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
subject to a potential denial of service attack via certain inputs with a very
large number of Unicode characters.

In order to avoid the vulnerability, invalid values longer than
``UsernameField.max_length`` are no longer normalized, since they cannot pass
validation anyway.

Bugfixes
========

* Fixed a regression in Django 4.2 that caused a crash of
``QuerySet.aggregate()`` with aggregates referencing expressions containing
subqueries (:ticket:`34798`).

* Restored, following a regression in Django 4.2, creating
``varchar/text_pattern_ops`` indexes on ``CharField`` and ``TextField`` with
deterministic collations on PostgreSQL (:ticket:`34932`).


==========================

4.2.6

==========================

*October 4, 2023*

Django 4.2.6 fixes a security issue with severity "moderate" and several bugs
in 4.2.5.

CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator``
================================================================================

Following the fix for :cve:`2019-14232`, the regular expressions used in the
implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()``
methods (with ``html=True``) were revised and improved. However, these regular
expressions still exhibited linear backtracking complexity, so when given a
very long, potentially malformed HTML input, the evaluation would still be
slow, leading to a potential denial of service vulnerability.

The ``chars()`` and ``words()`` methods are used to implement the
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
filters, which were thus also vulnerable.

The input processed by ``Truncator``, when operating in HTML mode, has been
limited to the first five million characters in order to avoid potential
performance and memory issues.

Bugfixes
========

* Fixed a regression in Django 4.2.5 where overriding the deprecated
``DEFAULT_FILE_STORAGE`` and ``STATICFILES_STORAGE`` settings in tests caused
the main ``STORAGES`` to mutate (:ticket:`34821`).

* Fixed a regression in Django 4.2 that caused unnecessary casting of string
based fields (``CharField``, ``EmailField``, ``TextField``, ``CICharField``,
``CIEmailField``, and ``CITextField``) used with the ``__isnull`` lookup on
PostgreSQL. As a consequence, indexes using an ``__isnull`` expression or
condition created before Django 4.2 wouldn't be used by the query planner,
leading to a performance regression (:ticket:`34840`).

You may need to recreate such indexes created in your database with Django
4.2 to 4.2.5, as they contain unnecessary ``::text`` casting. Find candidate
indexes with this query:

.. code-block:: sql

     SELECT indexname, indexdef
     FROM pg_indexes
     WHERE indexdef LIKE '%::text IS %NULL';


==========================

4.2.5

==========================

*September 4, 2023*

Django 4.2.5 fixes a security issue with severity "moderate" and several bugs
in 4.2.4.

CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()``
===================================================================================================

``django.utils.encoding.uri_to_iri()`` was subject to potential denial of
service attack via certain inputs with a very large number of Unicode
characters.

Bugfixes
========

* Fixed a regression in Django 4.2 that caused an incorrect validation of
``CheckConstraints`` on ``__isnull`` lookups against ``JSONField``
(:ticket:`34754`).

* Fixed a bug in Django 4.2 where the deprecated ``DEFAULT_FILE_STORAGE`` and
``STATICFILES_STORAGE`` settings were not synced with ``STORAGES``
(:ticket:`34773`).

* Fixed a regression in Django 4.2.2 that caused an unnecessary selection of a
non-nullable ``ManyToManyField`` without a natural key during serialization
(:ticket:`34779`).

* Fixed a regression in Django 4.2 that caused a crash of a queryset when
filtering against deeply nested ``OuterRef()`` annotations (:ticket:`34803`).


==========================

4.2.4

==========================

*August 1, 2023*

Django 4.2.4 fixes several bugs in 4.2.3.

Bugfixes
========

* Fixed a regression in Django 4.2 that caused a crash of
``QuerySet.aggregate()`` with aggregates referencing window functions
(:ticket:`34717`).

* Fixed a regression in Django 4.2 that caused a crash when grouping by a
reference in a subquery (:ticket:`34748`).

* Fixed a regression in Django 4.2 that caused aggregation over query that
uses explicit grouping by multi-valued annotations to group against the wrong
columns (:ticket:`34750`).


==========================

4.2.3

==========================

*July 3, 2023*

Django 4.2.3 fixes a security issue with severity "moderate" and several bugs
in 4.2.2.

CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator``
===================================================================================================================

``EmailValidator`` and ``URLValidator`` were subject to potential regular
expression denial of service attack via a very large number of domain name
labels of emails and URLs.

Bugfixes
========

* Fixed a regression in Django 4.2 that caused incorrect alignment of timezone
warnings for ``DateField`` and ``TimeField`` in the admin (:ticket:`34645`).

* Fixed a regression in Django 4.2 that caused incorrect highlighting of rows
in the admin changelist view when ``ModelAdmin.list_editable`` contained a
``BooleanField`` (:ticket:`34638`).


==========================

4.2.2

==========================

*June 5, 2023*

Django 4.2.2 fixes several bugs in 4.2.1.

Bugfixes
========

* Fixed a regression in Django 4.2 that caused an unnecessary
``DBMS_LOB.SUBSTR()`` wrapping in the ``__isnull`` and ``__exact=None``
lookups for ``TextField()``/``BinaryField()`` on Oracle (:ticket:`34544`).

* Restored, following a regression in Django 4.2, ``get_prep_value()`` call in
``JSONField`` subclasses (:ticket:`34539`).

* Fixed a regression in Django 4.2 that caused a crash of ``QuerySet.defer()``
when passing a ``ManyToManyField`` or ``GenericForeignKey`` reference. While
doing so is a no-op, it was allowed in older version (:ticket:`34570`).

* Fixed a regression in Django 4.2 that caused a crash of ``QuerySet.only()``
when passing a reverse ``OneToOneField`` reference (:ticket:`34612`).

* Fixed a bug in Django 4.2 where :option:`makemigrations --update` didn't
respect the ``--name`` option (:ticket:`34568`).

* Fixed a performance regression in Django 4.2 when compiling queries without
ordering (:ticket:`34580`).

* Fixed a regression in Django 4.2 where nonexistent stylesheet was linked on a
“Congratulations!” page (:ticket:`34588`).

* Fixed a regression in Django 4.2 that caused a crash of
``QuerySet.aggregate()`` with expressions referencing other aggregates
(:ticket:`34551`).

* Fixed a regression in Django 4.2 that caused a crash of
``QuerySet.aggregate()`` with aggregates referencing subqueries
(:ticket:`34551`).

* Fixed a regression in Django 4.2 that caused a crash of querysets on SQLite
when filtering on ``DecimalField`` against values outside of the defined
range (:ticket:`34590`).

* Fixed a regression in Django 4.2 that caused a serialization crash on a
``ManyToManyField`` without a natural key when its ``Manager``’s base
``QuerySet`` used ``select_related()`` (:ticket:`34620`).


==========================

4.2.1

==========================

*May 3, 2023*

Django 4.2.1 fixes a security issue with severity "low" and several bugs in
4.2.

CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field
=================================================================================================

Uploading multiple files using one form field has never been supported by
:class:`.forms.FileField` or :class:`.forms.ImageField` as only the last
uploaded file was validated. Unfortunately, :ref:`uploading_multiple_files`
topic suggested otherwise.

In order to avoid the vulnerability, :class:`~django.forms.ClearableFileInput`
and :class:`~django.forms.FileInput` form widgets now raise ``ValueError`` when
the ``multiple`` HTML attribute is set on them. To prevent the exception and
keep the old behavior, set ``allow_multiple_selected`` to ``True``.

For more details on using the new attribute and handling of multiple files
through a single field, see :ref:`uploading_multiple_files`.

Bugfixes
========

* Fixed a regression in Django 4.2 that caused a crash of ``QuerySet.defer()``
when deferring fields by attribute names (:ticket:`34458`).

* Fixed a regression in Django 4.2 that caused a crash of
:class:`~django.contrib.postgres.search.SearchVector` function with ``%``
characters (:ticket:`34459`).

* Fixed a regression in Django 4.2 that caused aggregation over query that
uses explicit grouping to group against the wrong columns (:ticket:`34464`).

* Reallowed, following a regression in Django 4.2, setting the
``"cursor_factory"`` option in :setting:`OPTIONS` on PostgreSQL
(:ticket:`34466`).

* Enforced UTF-8 client encoding on PostgreSQL, following a regression in
Django 4.2 (:ticket:`34470`).

* Fixed a regression in Django 4.2 where ``i18n_patterns()`` didn't respect the
``prefix_default_language`` argument when a fallback language of the default
language was used (:ticket:`34455`).

* Fixed a regression in Django 4.2 where translated URLs of the default
language from ``i18n_patterns()`` with ``prefix_default_language`` set to
``False`` raised 404 errors for a request with a different language
(:ticket:`34515`).

* Fixed a regression in Django 4.2 where creating copies and deep copies of
``HttpRequest``, ``HttpResponse``, and their subclasses didn't always work
correctly (:ticket:`34482`, :ticket:`34484`).

* Fixed a regression in Django 4.2 where ``timesince`` and ``timeuntil``
template filters returned incorrect results for a datetime with a non-UTC
timezone when a time difference is less than 1 day (:ticket:`34483`).

* Fixed a regression in Django 4.2 that caused a crash of
:class:`~django.contrib.postgres.search.SearchHeadline` function with
``psycopg`` 3 (:ticket:`34486`).

* Fixed a regression in Django 4.2 that caused incorrect ``ClearableFileInput``
margins in the admin (:ticket:`34506`).

* Fixed a regression in Django 4.2 where breadcrumbs didn't appear on admin
site app index views (:ticket:`34512`).

* Made squashing migrations reduce ``AddIndex``, ``RemoveIndex``,
``RenameIndex``, and ``CreateModel`` operations which allows removing a
deprecated ``Meta.index_together`` option from historical migrations and use
``Meta.indexes`` instead (:ticket:`34525`).


========================

4.2

========================

*April 3, 2023*

Welcome to Django 4.2!

These release notes cover the :ref:`new features <whats-new-4.2>`, as well as
some :ref:`backwards incompatible changes <backwards-incompatible-4.2>` you'll
want to be aware of when upgrading from Django 4.1 or earlier. We've
:ref:`begun the deprecation process for some features
<deprecated-features-4.2>`.

See the :doc:`/howto/upgrade-version` guide if you're updating an existing
project.

Django 4.2 is designated as a :term:`long-term support release
<Long-term support release>`. It will receive security updates for at least
three years after its release. Support for the previous LTS, Django 3.2, will
end in April 2024.

Python compatibility
====================

Django 4.2 supports Python 3.8, 3.9, 3.10, 3.11, and 3.12 (as of 4.2.8). We
**highly recommend** and only officially support the latest release of each
series.

.. _whats-new-4.2:

What's new in Django 4.2
========================

Psycopg 3 support
-----------------

Django now supports `psycopg`_ version 3.1.8 or higher. To update your code,
install the :pypi:`psycopg library <psycopg>`, you don't need to change the
:setting:`ENGINE <DATABASE-ENGINE>` as ``django.db.backends.postgresql``
supports both libraries.

Support for ``psycopg2`` is likely to be deprecated and removed at some point
in the future.

Be aware that ``psycopg`` 3 introduces some breaking changes over ``psycopg2``.
As a consequence, you may need to make some changes to account for
`differences from psycopg2`_.

.. _psycopg: https://www.psycopg.org/psycopg3/
.. _differences from psycopg2: https://www.psycopg.org/psycopg3/docs/basic/from_pg2.html

Comments on columns and tables
------------------------------

The new :attr:`Field.db_comment <django.db.models.Field.db_comment>` and
:attr:`Meta.db_table_comment <django.db.models.Options.db_table_comment>`
options allow creating comments on columns and tables, respectively. For
example::

 from django.db import models


 class Question(models.Model):
     text = models.TextField(db_comment="Poll question")
     pub_date = models.DateTimeField(
         db_comment="Date and time when the question was published",
     )

     class Meta:
         db_table_comment = "Poll questions"


 class Answer(models.Model):
     question = models.ForeignKey(
         Question,
         on_delete=models.CASCADE,
         db_comment="Reference to a question",
     )
     answer = models.TextField(db_comment="Question answer")

     class Meta:
         db_table_comment = "Question answers"

Also, the new :class:`~django.db.migrations.operations.AlterModelTableComment`
operation allows changing table comments defined in the
:attr:`Meta.db_table_comment <django.db.models.Options.db_table_comment>`.

Mitigation for the BREACH attack
--------------------------------

:class:`~django.middleware.gzip.GZipMiddleware` now includes a mitigation for
the BREACH attack. It will add up to 100 random bytes to gzip responses to make
BREACH attacks harder. Read more about the mitigation technique in the `Heal
The Breach (HTB) paper`_.

.. _Heal The Breach (HTB) paper: https://ieeexplore.ieee.org/document/9754554

In-memory file storage
----------------------

The new :class:`django.core.files.storage.InMemoryStorage` class provides a
non-persistent storage useful for speeding up tests by avoiding disk access.

Custom file storages
--------------------

The new :setting:`STORAGES` setting allows configuring multiple custom file
storage backends. It also controls storage engines for managing
:doc:`files </topics/files>` (the ``"default"`` key) and :doc:`static files
</ref/contrib/staticfiles>` (the ``"staticfiles"`` key).

The old ``DEFAULT_FILE_STORAGE`` and ``STATICFILES_STORAGE`` settings are
deprecated as of this release.

Minor 

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant