Closed dependabot-preview[bot] closed 4 years ago
Merging #108 into master will not change coverage. The diff coverage is
n/a
.
@@ Coverage Diff @@
## master #108 +/- ##
=======================================
Coverage 95.74% 95.74%
=======================================
Files 12 12
Lines 541 541
=======================================
Hits 518 518
Misses 23 23
Bumps django from 2.2.7 to 2.2.8. This update includes a security fix.
Vulnerabilities fixed
*Sourced from The GitHub Security Advisory Database.* > **Moderate severity vulnerability that affects django** > Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.) > > Affected versions: >= 2.2.0, < 2.2.8Commits
- [`b8782c5`](https://github.com/django/django/commit/b8782c52c99175916a1dceaece758608ac5856d0) [2.2.x] Bumped version for 2.2.8 release. - [`d6fa509`](https://github.com/django/django/commit/d6fa50995261bf8863a4292845b95d396f43b507) [2.2.x] Added release dates for 2.1.15, 2.2.8 and 3.0. - [`36f580a`](https://github.com/django/django/commit/36f580a17f0b3cb087deadf3b65eea024f479c21) Fixed CVE-2019-19118 -- Required edit permissions on parent model for editabl... - [`70311e1`](https://github.com/django/django/commit/70311e1d00ef5b6bbbc8961eac81b5c814396a43) [2.2.x] Refs [#30953](https://github-redirect.dependabot.com/django/django/issues/30953) -- Added 2.1.15 release note for 0107e3d1058f653f66032f7f... - [`6cf3b6f`](https://github.com/django/django/commit/6cf3b6f5cf0cc3b11e86e511ec5201999913286f) [2.2.x] Fixed [#30953](https://github-redirect.dependabot.com/django/django/issues/30953) -- Made select_for_update() lock queryset's model when u... - [`9a17ae5`](https://github.com/django/django/commit/9a17ae50c61a3a0ea6c552ce4e3eab27f796d094) [2.2.x] Fixed [#31021](https://github-redirect.dependabot.com/django/django/issues/31021) -- Fixed proxy model permissions data migration crash wi... - [`019a1b9`](https://github.com/django/django/commit/019a1b9274c645db82593bc5898a279d134b464b) [2.2.x] Fixed [#31029](https://github-redirect.dependabot.com/django/django/issues/31029) -- Used more specific links to RFCs. - [`57f5a7e`](https://github.com/django/django/commit/57f5a7e36b514e078fc92f9014771f94b945acb4) [2.2.x] Refs [#31029](https://github-redirect.dependabot.com/django/django/issues/31029) -- Added note about :rfc: role in writing documentation d... - [`3cf70df`](https://github.com/django/django/commit/3cf70df468d4453fb315cb74db0232ac9a1e89be) [2.2.x] Fixed [#31018](https://github-redirect.dependabot.com/django/django/issues/31018) -- Removed django-nonrel in NoSQL databases FAQ. - [`e82a1bc`](https://github.com/django/django/commit/e82a1bcf622e5c9cf37f28bde21af8176b6dd118) [2.2.x] Improved custom MultiWidget example in docs. - Additional commits viewable in [compare view](https://github.com/django/django/compare/2.2.7...2.2.8)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)