PARINetwork / pari

Django/Wagtail based PARI webapp
http://ruralindiaonline.org
BSD 3-Clause "New" or "Revised" License

Bump wagtail from 1.12.2 to 2.7.4 #414

Closed dependabot[bot] closed 3 years ago

dependabot[bot] commented 4 years ago

Bumps wagtail from 1.12.2 to 2.7.4.

Release notes

Sourced from wagtail's releases.

2.7.4

  • CVE-2020-15118 - prevent HTML injection through form field help text (Timothy Bautista, Matt Westcott)
  • Expand Pillow dependency range to include 7.x (Harris Lapiroff, Matt Westcott)

2.7.3

  • CVE-2020-11037 - avoid potential timing attack on password-protected private pages (Thibaud Colas)

2.7.2

  • CVE-2020-11001 - prevent XSS attack via page revision comparison view (Vlad Gerasimenko, Matt Westcott)

2.7.1

  • Fix: Management command startup checks under ManifestStaticFilesStorage no longer fail if collectstatic has not been run first (Alex Tomkins)

2.7

  • Improved StreamField design (Bertrand Bordage)
  • Added WebP image support (frmdstryr, Karl Hobley, Matt Westcott)
  • Added Elasticsearch 7 support (pySilver)
  • Added Python 3.8 support (John Carter, Matt Westcott)
  • Added construct_page_listing_buttons hook (Michael van Tellingen)
  • Added more detailed documentation and troubleshooting for installing OpenCV for feature detection (Daniele Procida)
  • Added Table Block caption for accessibility (Rahmi Pruitt)
  • Move and refactor upgrade notification JS (Jonny Scholes)
  • Add ability to insert internal anchor links/links with fragment identifiers in Draftail (rich text) fields (Iman Syed)
  • Remove need for Elasticsearch update_all_types workaround, upgrade minimum release to 6.4.0 or above (Jonathan Liuti)
  • Add ability for users to change their own name via the account settings page (Kevin Howbrook)
  • Add ability to insert telephone numbers as links in Draftail (rich text) fields (Mikael Engström and Liam Brenner)
  • Increase delay before search in the snippet chooser, to prevent redundant search request round trips (Robert Rollins)
  • Add WAGTAIL_EMAIL_MANAGEMENT_ENABLED setting to determine whether users can change their email address (Janne Alatalo)
  • Recognise Soundcloud artist URLs as embeddable (Kiril Staikov)
  • Add WAGTAILDOCS_SERVE_METHOD setting to determine how document downloads will be linked to and served (Tobias McNulty, Matt Westcott)
  • Add WAGTAIL_MODERATION_ENABLED setting to enable / disable the 'Submit for Moderation' option (Jacob Topp-Mugglestone)
  • Added settings to customise pagination page size for the Images admin area (Brian Whitton)
  • Added ARIA role to TableBlock output (Matt Westcott)
  • Added cache-busting query parameters to static files within the Wagtail admin (Matt Westcott)
  • Allow register_page_action_menu_item and construct_page_action_menu hooks to override the default menu action (Rahmi Pruitt, Matt Westcott)
  • WAGTAILIMAGES_MAX_IMAGE_PIXELS limit now takes the number of animation frames into account (Karl Hobley)
  • Fix: Added line breaks to long filenames on multiple image / document uploader (Kevin Howbrook)
  • Fix: Added https support for Scribd oEmbed provider (Rodrigo)
  • Fix: Changed StreamField group labels color so labels are visible (Catherine Farman)
  • Fix: Prevented images with a very wide aspect ratio from being displayed distorted in the rich text editor (Iman Syed)
  • Fix: Prevent exception when deleting a model with a protected One-to-one relationship (Neal Todd)
  • Fix: Added labels to snippet bulk edit checkboxes for screen reader users (Martey Dodoo)
  • Fix: Middleware responses during page preview are now properly returned to the user (Matt Westcott)
  • Fix: Default text of page links in rich text uses the public page title rather than the admin display title (Andy Chosak)
  • Fix: Specific page permission checks are now enforced when viewing a page revision (Andy Chosak)
  • Fix: pageurl and slugurl tags no longer fail when request.site is None (Samir Shah)
  • Fix: Output form media on add/edit image forms with custom models (Matt Westcott)
  • Fix: Output form media on add/edit document forms with custom models (Sergey Fedoseev)
  • Fix: Layout for the clear checkbox in default FileField widget (Mikalai Radchuk)
  • Fix: Remove ASCII conversion from Postgres search backend, to support stemming in non-Latin alphabets (Pavel Denisov)

Changelog

Sourced from wagtail's changelog.

2.7.4 (20.07.2020)

 * Fix: CVE-2020-15118 - prevent HTML injection through form field help text (Timothy Bautista, Matt Westcott)
 * Fix: Expand Pillow dependency range to include 7.x (Harris Lapiroff, Matt Westcott)

2.7.3 (04.05.2020)

 * Fix: CVE-2020-11037 - avoid potential timing attack on password-protected private pages (Thibaud Colas)

2.7.2 (14.04.2020)

 * Fix: CVE-2020-11001 - prevent XSS attack via page revision comparison view (Vlad Gerasimenko, Matt Westcott)

2.7.1 (08.01.2020)

 * Fix: Management command startup checks under ManifestStaticFilesStorage no longer fail if collectstatic has not been run first (Alex Tomkins)

2.7 LTS (06.11.2019)

 * Improved StreamField design (Bertrand Bordage)
 * Added WebP image support (frmdstryr, Karl Hobley, Matt Westcott)
 * Added Elasticsearch 7 support (pySilver)
 * Added Python 3.8 support (John Carter, Matt Westcott)
 * Added `construct_page_listing_buttons` hook (Michael van Tellingen)
 * Added more detailed documentation and troubleshooting for installing OpenCV for feature detection (Daniele Procida)
 * Added Table Block caption for accessibility (Rahmi Pruitt)
 * Move and refactor upgrade notification JS (Jonny Scholes)
 * Add ability to insert internal anchor links/links with fragment identifiers in Draftail (rich text) fields (Iman Syed)
 * Remove need for Elasticsearch `update_all_types` workaround, upgrade minimum release to 6.4.0 or above (Jonathan Liuti)
 * Add ability for users to change their own name via the account settings page (Kevin Howbrook)
 * Add ability to insert telephone numbers as links in Draftail (rich text) fields (Mikael Engström and Liam Brenner)
 * Increase delay before search in the snippet chooser, to prevent redundant search request round trips (Robert Rollins)
 * Add `WAGTAIL_EMAIL_MANAGEMENT_ENABLED` setting to determine whether users can change their email address (Janne Alatalo)
 * Recognise Soundcloud artist URLs as embeddable (Kiril Staikov)
 * Add `WAGTAILDOCS_SERVE_METHOD` setting to determine how document downloads will be linked to and served (Tobias McNulty, Matt Westcott)
 * Add `WAGTAIL_MODERATION_ENABLED` setting to enable / disable the 'Submit for Moderation' option (Jacob Topp-Mugglestone)
 * Added settings to customise pagination page size for the Images admin area (Brian Whitton)
 * Added ARIA role to TableBlock output (Matt Westcott)
 * Added cache-busting query parameters to static files within the Wagtail admin (Matt Westcott)
 * Allow `register_page_action_menu_item` and `construct_page_action_menu` hooks to override the default menu action (Rahmi Pruitt, Matt Westcott)
 * `WAGTAILIMAGES_MAX_IMAGE_PIXELS` limit now takes the number of animation frames into account (Karl Hobley)
... (truncated)
Commits
  • c53d060 fix version number reference
  • bedc294 Version bump to 2.7.4
  • 70719a9 Release note for 2.7.4
  • 71dc3c1 Add test to confirm that labels are escaped
  • f437ba4 Add warning about WAGTAILFORMS_HELP_TEXT_ALLOW_HTML
  • 0b80aee Escape help text in form builder forms by default
  • 8939583 Expand Pillow dependency to include 7.x
  • 3f55039 Release note for 2.7.3
  • b3698f9 Version bump to 2.7.3
  • 3c03049 Use constant_time_compare for view restriction password checks
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/PARINetwork/pari/network/alerts).
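The two fixes named in the commit list above (CVE-2020-11037, constant-time comparison for view-restriction passwords, and CVE-2020-15118, escaping form help text unless `WAGTAILFORMS_HELP_TEXT_ALLOW_HTML` is set) as an added Python example; this is not Wagtail's own code, it substitutes the standard library's `hmac.compare_digest` and `html.escape` for Django's helpers, and the sample password and help text are constructed.

```python
import hmac
from html import escape


def check_restriction_password_unsafe(stored: str, submitted: str) -> bool:
    """The pattern CVE-2020-11037 replaced: plain equality.

    A string comparison may stop at the first differing character, so the
    response time can leak how much of a guess matched the stored value.
    """
    return stored == submitted


def check_restriction_password(stored: str, submitted: str) -> bool:
    """Hardened check in the spirit of the 'constant_time_compare' commit.

    hmac.compare_digest takes time that does not depend on where the inputs
    differ. Both values are encoded to UTF-8 bytes first so the comparison
    operates on fixed-width data; this stands in for Django's
    constant_time_compare and is not Wagtail's implementation.
    """
    return hmac.compare_digest(stored.encode("utf-8"), submitted.encode("utf-8"))


def render_help_text(help_text: str, allow_html: bool = False) -> str:
    """Mirror of the CVE-2020-15118 fix: escape editor-supplied help text.

    allow_html plays the role of the WAGTAILFORMS_HELP_TEXT_ALLOW_HTML setting
    named in the commit list: the page opts in explicitly, otherwise every
    angle bracket and quote is escaped before the text reaches a template.
    """
    if allow_html:
        return help_text
    return escape(help_text, quote=True)


# Constructed sample inputs, not values from the project.
STORED_PASSWORD = "correct horse battery staple"
HELP_TEXT = "Your <b>full</b> name <script></script>"

if __name__ == "__main__":
    print(check_restriction_password(STORED_PASSWORD, "wrong guess"))
    print(render_help_text(HELP_TEXT))
    print(render_help_text(HELP_TEXT, allow_html=True))
```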
dependabot[bot] commented 3 years ago

Superseded by #426.