fix(dependencies): update django to 4.2.13

mljar / mercury

Convert Jupyter Notebooks to Web Apps

https://RunMercury.com

GNU Affero General Public License v3.0

3.87k stars 243 forks source link

fix(dependencies): update django to 4.2.13 #449

Open kojiromike opened 2 months ago

kojiromike commented 2 months ago

CVE-2024-24680 (patched in 4.2.10)
CVE-2024-27351 (patched in 4.2.11)

kojiromike commented 2 months ago

Might I suggest enabling dependabot or dependabot security updates, to make this process more automatic? (It isn't something I can simply PR because it isn't my repo.)

rominf commented 1 week ago

Having pinned versions of requirements prevents dependent packages from updating in case of vulnerabilities. So, now all packages that use Mercury have vulnerable Django installed along with other requirements, and it is not possible to fix this without breaking Mercury's requirements.

kojiromike commented 1 week ago

Django 4.2.14 is released with additional vulnerabilities that need to be fixed. https://www.djangoproject.com/weblog/2024/jul/09/security-releases/