django-DefectDojo icon indicating copy to clipboard operation
django-DefectDojo copied to clipboard
verified publisher icon DefectDojo

Bump django-filter from 23.5 to 24.2

Open dependabot[bot] opened this issue 1 year ago • 7 comments

Bumps django-filter from 23.5 to 24.2.

Changelog

Sourced from django-filter's changelog.

Version 24.2 (2024-03-27)

  • Fixed a regression in v23.4 where callable choices were incorrectly evaluated at filter instantiation, on Django versions prior to 5.0.

    Thanks to Craig de Stigter for the report and reproduce.

Version 24.1 (2024-03-08)

  • Updated supported Python and Django versions, and resolved upcoming Django deprecations.

    Required versions are now at least Python 3.8 and Django 4.2.

    Thanks to Michael Manganiello.

  • Allowed passing a FilterSet class to the filterset_factory().

    Thanks to Birger Schacht.

  • Set empty default value of filterset data to MultiValueDict.

    Thanks to Shlomo Gordon.

  • Preserve list values passed to the data dict in CSV widgets.

    Thanks to Bryan Brancotte.

  • Updates French and Ukrainian localisations.

    Thanks to Weblate.

Commits
  • 920a79f Bumped version and changes for 24.2 release.
  • 0311653 Fixed setting callable choices on Django <5.0. (#1648)
  • 89c65d4 Adjusted sample code in docs. (#1651)
  • 690a906 Replace codecov with python-coverage-comment-action (#1649)
  • 6e2a698 Bump the github-actions group with 3 updates (#1646)
  • f5d4b67 Keep GitHub Actions up to date with GitHub's Dependabot (#1645)
  • 6da0ccd Bumped version and changes for 24.1 release.
  • 3ece0ed Allowed passing a FilterSet class to the filterset_factory(). (#1644)
  • a5f3f1a Fixed trailing whitespace in test file.
  • 296cabe Set default value of filterset data to MultiValueDict (#1634)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot[bot] avatar Apr 22 '24 19:04 dependabot[bot]

Hi there :wave:, @dryrunsecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Server-Side Request Forgery Analyzer :white_check_mark: 0 findings
Configured Codepaths Analyzer :white_check_mark: 0 findings
IDOR Analyzer :white_check_mark: 0 findings
Sensitive Files Analyzer :grey_exclamation: 1 finding
SQL Injection Analyzer :white_check_mark: 0 findings
Authn/Authz Analyzer :white_check_mark: 0 findings
Secrets Analyzer :white_check_mark: 0 findings

[!Note] :green_circle: Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy :robot:. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code change is an update to the requirements.txt file for the DefectDojo application. The key change is the update of the django-filter library from version 23.5 to 24.2. This is a positive security enhancement, as older versions of the django-filter library have had reported security vulnerabilities, such as CRLF injection (CVE-2022-24713) and Denial of Service (CVE-2022-24714) vulnerabilities. Updating to the latest version of django-filter helps ensure the application is using the most up-to-date and secure version of the library.

Additionally, the requirements.txt file contains a large number of dependencies, which is common for a complex web application like DefectDojo. It's important to ensure that all of these dependencies are kept up-to-date and that any known security vulnerabilities are addressed in a timely manner. Regular dependency scanning and updating can help mitigate the risk of introducing security vulnerabilities through outdated libraries.

Files Changed:

  • requirements.txt: The key change in this file is the update of the django-filter library from version 23.5 to 24.2. This update helps address known security vulnerabilities in older versions of the library and is a positive security enhancement for the DefectDojo application.

Powered by DryRun Security

dryrunsecurity[bot] avatar Apr 22 '24 19:04 dryrunsecurity[bot]

Looks like they only support Django >= 4.2 now, so this will have to wait on #9493

#12 17.22 ERROR: Cannot install -r ./requirements.txt (line 10), -r ./requirements.txt (line 12), -r ./requirements.txt (line 8), -r ./requirements.txt (line 9) and Django==4.1.13 because these package versions have conflicting dependencies.
#12 17.22 
#12 17.22 The conflict is caused by:
#12 17.22     The user requested Django==4.1.13
#12 17.22     django-celery-results 2.5.1 depends on Django>=3.2.18
#12 17.22     django-auditlog 2.3.0 depends on Django>=3.2
#12 17.22     django-dbbackup 4.1.0 depends on django>=2.2
#12 17.22     django-filter 24.2 depends on Django>=4.2

cneill avatar Apr 23 '24 00:04 cneill

This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions[bot] avatar Apr 25 '24 14:04 github-actions[bot]

@dependabot rebase

mtesauro avatar Apr 25 '24 19:04 mtesauro

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

dependabot[bot] avatar Apr 25 '24 19:04 dependabot[bot]

@dependabot recreate

mtesauro avatar Apr 25 '24 20:04 mtesauro

Conflicts have been resolved. A maintainer will review the pull request shortly.

github-actions[bot] avatar Apr 25 '24 20:04 github-actions[bot]

@dependabot rebase

Maffooch avatar Jun 17 '24 13:06 Maffooch