lmb-embrapa / machado

This repository provides users with a framework to store, search and visualize biological data.
GNU General Public License v3.0

Dependency version pinning #321

Closed njbooher closed 3 years ago

njbooher commented 3 years ago

Hello,

setup.py requires Django==3.1.12

3.1.13 was released July 1 and is a security release

My site build process is automated and re-installs all packages on each build, and fails if I try to require 3.1.13 because this project pins 3.1.12.

Could the version requirements for everything in setup.py be changed to use ~= instead?

https://www.python.org/dev/peps/pep-0440/#compatible-release
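The difference between the two specifiers in concrete terms, as an added example that is not part of this issue or of the machado project's code: a small stdlib-only checker for the exact-pin operator `==` and the PEP 440 compatible-release operator `~=` linked above, plus an audit helper that reports which `==` pins in a requirements list would refuse a newer compatible release. Django 3.1.12 and 3.1.13 are the versions named in the issue; the other versions and the `otherpkg` package are constructed for illustration. The checker handles plain numeric versions only (no pre-release tags or trailing-zero padding), which is enough to show the behaviour the reporter describes.

```python
import re

# Requirement forms from the issue: the strict pin in setup.py, and the
# compatible-release form the reporter asks for.
PINNED = "Django==3.1.12"
COMPATIBLE = "Django~=3.1.12"

# Constructed index of "available" versions. Django versions 3.1.12 and 3.1.13
# come from the issue; the rest (and the package 'otherpkg') are made up.
AVAILABLE = {
    "Django": ["3.1.11", "3.1.12", "3.1.13", "3.2.0"],
    "otherpkg": ["2.25.0", "2.25.1"],
}

# name, operator (== or ~=), dotted numeric version
_SPEC_RE = re.compile(
    r"^\s*([A-Za-z0-9_.\-]+)\s*(==|~=)\s*([0-9]+(?:\.[0-9]+)*)\s*$"
)


def parse_version(text):
    """Turn '3.1.13' into (3, 1, 13) so that tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def parse_requirement(req):
    """Split 'Django~=3.1.12' into ('Django', '~=', (3, 1, 12))."""
    m = _SPEC_RE.match(req)
    if not m:
        raise ValueError(f"unsupported requirement: {req!r}")
    name, op, version = m.groups()
    return name, op, parse_version(version)


def allows(req, candidate):
    """Return True if version string `candidate` satisfies requirement `req`.

    ==  exact match only: this is the pin that rejects 3.1.13.
    ~=  PEP 440 compatible release: '~=3.1.12' means '>=3.1.12, ==3.1.*',
        so the last listed component may grow but the prefix before it may not.
    """
    _, op, required = parse_requirement(req)
    cand = parse_version(candidate)
    if op == "==":
        return cand == required
    if len(required) < 2:
        raise ValueError("~= needs at least two version components (PEP 440)")
    prefix = required[:-1]
    return cand >= required and cand[: len(prefix)] == prefix


def pins_blocking(requirements, available):
    """Map package -> versions that a strict '==' pin refuses even though the
    equivalent '~=' specifier would accept them (e.g. a patch-level security
    release). Requirements already using '~=' are skipped."""
    blocked = {}
    for req in requirements:
        name, op, _ = parse_requirement(req)
        if op != "==":
            continue
        compatible = req.replace("==", "~=", 1)
        newer = [
            v for v in available.get(name, [])
            if allows(compatible, v) and not allows(req, v)
        ]
        if newer:
            blocked[name] = sorted(newer, key=parse_version)
    return blocked


if __name__ == "__main__":
    for spec in (PINNED, COMPATIBLE):
        for v in AVAILABLE["Django"]:
            print(f"{spec:18} {v:8} -> {'ok' if allows(spec, v) else 'rejected'}")
    print(pins_blocking([PINNED, "otherpkg~=2.25.0"], AVAILABLE))
```

Running the module prints, for each Django version in the constructed index, whether the strict pin and the compatible-release specifier accept it, and then the audit result: only the `Django==3.1.12` pin blocks a newer compatible release, namely 3.1.13.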

azneto commented 3 years ago

Hello. The security update is related to unsanitized user input passed to QuerySet.order_by(), which does not happen in our system, so it is still safe to use. Nevertheless, it's always best to use the latest versions of dependencies, and a PR is already in place to address it. In the future, please feel free to submit PRs to address other dependency updates. It will be very helpful.

njbooher commented 3 years ago

Thanks!