Open kojiromike opened 2 months ago
Might I suggest enabling dependabot or dependabot security updates, to make this process more automatic? (It isn't something I can simply PR because it isn't my repo.)
Having pinned versions of requirements prevents dependent packages from updating in case of vulnerabilities. So, now all packages that use Mercury have vulnerable Django installed along with other requirements, and it is not possible to fix this without breaking Mercury's requirements.
Django 4.2.14 is released with additional vulnerabilities that need to be fixed. https://www.djangoproject.com/weblog/2024/jul/09/security-releases/