Versions of the package djangorestframework before 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter due to improper input sanitization before splitting and joining with tags.
Release Notes
encode/django-rest-framework (djangorestframework)
### [`v3.15.2`](https://togithub.com/encode/django-rest-framework/compare/3.15.1...3.15.2)
[Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.15.1...3.15.2)
### [`v3.15.1`](https://togithub.com/encode/django-rest-framework/compare/3.15.0...3.15.1)
[Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.15.0...3.15.1)
### [`v3.15.0`](https://togithub.com/encode/django-rest-framework/compare/3.14.0...3.15.0)
[Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.14.0...3.15.0)
### [`v3.14.0`](https://togithub.com/encode/django-rest-framework/releases/tag/3.14.0): Version 3.14.0
[Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.13.1...3.14.0)
- Django 2.2 is no longer supported. [#8662](https://togithub.com/encode/django-rest-framework/issues/8662)
- Django 4.1 compatibility. [#8591](https://togithub.com/encode/django-rest-framework/issues/8591)
- Add `--api-version` CLI option to `generateschema` management command. [#8663](https://togithub.com/encode/django-rest-framework/issues/8663)
- Enforce `is_valid(raise_exception=False)` as a keyword-only argument. [#7952](https://togithub.com/encode/django-rest-framework/issues/7952)
- Stop calling `set_context` on Validators. [#8589](https://togithub.com/encode/django-rest-framework/issues/8589)
- Return `NotImplemented` from `ErrorDetails.__ne__`. [#8538](https://togithub.com/encode/django-rest-framework/issues/8538)
- Don't evaluate `DateTimeField.default_timezone` when a custom timezone is set. [#8531](https://togithub.com/encode/django-rest-framework/issues/8531)
- Make relative URLs clickable in Browseable API. [#8464](https://togithub.com/encode/django-rest-framework/issues/8464)
- Support `ManyRelatedField` falling back to the default value when the attribute specified by dot notation doesn't exist. Matches `ManyRelatedField.get_attribute` to `Field.get_attribute`. [#7574](https://togithub.com/encode/django-rest-framework/issues/7574)
- Make `schemas.openapi.get_reference` public. [#7515](https://togithub.com/encode/django-rest-framework/issues/7515)
- Make `ReturnDict` support `dict` union operators on Python 3.9 and later. [#8302](https://togithub.com/encode/django-rest-framework/issues/8302)
- Update throttling to check if `request.user` is set before checking if the user is authenticated. [#8370](https://togithub.com/encode/django-rest-framework/issues/8370)
Configuration
š Schedule: Branch creation - "" in timezone America/Lima, Automerge - At any time (no schedule defined).
š¦ Automerge: Enabled.
ā» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
š Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
==3.13.1->==3.15.2GitHub Vulnerability Alerts
CVE-2024-21520
Versions of the package djangorestframework before 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter due to improper input sanitization before splitting and joining with
tags.
Release Notes
encode/django-rest-framework (djangorestframework)
### [`v3.15.2`](https://togithub.com/encode/django-rest-framework/compare/3.15.1...3.15.2) [Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.15.1...3.15.2) ### [`v3.15.1`](https://togithub.com/encode/django-rest-framework/compare/3.15.0...3.15.1) [Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.15.0...3.15.1) ### [`v3.15.0`](https://togithub.com/encode/django-rest-framework/compare/3.14.0...3.15.0) [Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.14.0...3.15.0) ### [`v3.14.0`](https://togithub.com/encode/django-rest-framework/releases/tag/3.14.0): Version 3.14.0 [Compare Source](https://togithub.com/encode/django-rest-framework/compare/3.13.1...3.14.0) - Django 2.2 is no longer supported. [#8662](https://togithub.com/encode/django-rest-framework/issues/8662) - Django 4.1 compatibility. [#8591](https://togithub.com/encode/django-rest-framework/issues/8591) - Add `--api-version` CLI option to `generateschema` management command. [#8663](https://togithub.com/encode/django-rest-framework/issues/8663) - Enforce `is_valid(raise_exception=False)` as a keyword-only argument. [#7952](https://togithub.com/encode/django-rest-framework/issues/7952) - Stop calling `set_context` on Validators. [#8589](https://togithub.com/encode/django-rest-framework/issues/8589) - Return `NotImplemented` from `ErrorDetails.__ne__`. [#8538](https://togithub.com/encode/django-rest-framework/issues/8538) - Don't evaluate `DateTimeField.default_timezone` when a custom timezone is set. [#8531](https://togithub.com/encode/django-rest-framework/issues/8531) - Make relative URLs clickable in Browseable API. [#8464](https://togithub.com/encode/django-rest-framework/issues/8464) - Support `ManyRelatedField` falling back to the default value when the attribute specified by dot notation doesn't exist. Matches `ManyRelatedField.get_attribute` to `Field.get_attribute`. [#7574](https://togithub.com/encode/django-rest-framework/issues/7574) - Make `schemas.openapi.get_reference` public. [#7515](https://togithub.com/encode/django-rest-framework/issues/7515) - Make `ReturnDict` support `dict` union operators on Python 3.9 and later. [#8302](https://togithub.com/encode/django-rest-framework/issues/8302) - Update throttling to check if `request.user` is set before checking if the user is authenticated. [#8370](https://togithub.com/encode/django-rest-framework/issues/8370)Configuration
š Schedule: Branch creation - "" in timezone America/Lima, Automerge - At any time (no schedule defined).
š¦ Automerge: Enabled.
ā» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
š Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.