[FIX] Bump Django 4.2.1 -> 4.2.30 (LTS) to clear SQLi/DoS Dependabot alerts#2040

Merged: jaseemjaskp merged 2 commits into Zipstack/unstract:main from Zipstack/unstract:fix/dependabot-django on Jun 18, 2026

Conversation

@jaseemjaskp (Contributor)

What

Bumps Django 4.2.1 → 4.2.30 (latest 4.2.x LTS patch). Django was hard-pinned at 4.2.1, so this needs a pyproject.toml change (not just a lock bump) in two places:

  • backend/pyproject.toml: django==4.2.1 → django==4.2.30
  • pyproject.toml (hook-check-django-migrations group): django==4.2.1 → django==4.2.30
  • backend/uv.lock, uv.lock: re-locked

Why

Django 4.2.1 carries a long list of open Dependabot alerts. Moving to the latest 4.2 LTS patch clears them in one step:

  • 🔴 critical — SQL injection via _connector kwarg in QuerySet/Q
  • high — ASGI header spoofing (underscore/hyphen), DATA_UPLOAD_MAX_MEMORY_SIZE bypass, column-alias SQL injection, HasKey Oracle SQLi, path traversal, plus several DoS advisories (Truncator, intcomma, EmailValidator/URLValidator ReDoS, etc.)

How

  • Edited both pins to ==4.2.30, then uv lock --upgrade-package django for backend/ and the root workspace.
  • Stayed on the 4.2 LTS line deliberately — no major/minor jump, so Django's backward-compatibility policy applies and regression risk is low.

Can this PR break any existing features? If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled)

Low risk, but this one touches the whole backend so it deserves a full CI/test run before merge.

  • Same-minor LTS patch upgrade (4.2.1 → 4.2.30); Django guarantees no breaking changes within a patch series.
  • Lock diff is Django-only — no transitive churn. The pinned Django ecosystem still resolves cleanly: django-tenants 3.5.0, djangorestframework 3.14.0, django-celery-beat 2.5.0, asgiref 3.11.1, sqlparse 0.5.5.
  • Both locks pass uv lock --check.

Note: a local uv run/import smoke-test could not be run — backend env creation is blocked by an unrelated, pre-existing django-celery-beat==2.5.0 wheel packaging quirk (duplicate ZIP locale entries that uv rejects). This does not affect the Docker build. Runtime verification is left to CI.

Database Migrations

None introduced by this change. (Django's own migrations are unchanged within 4.2.x.)

Env Config

None.

Relevant Docs

Django 4.2 release notes / security releases

Related Issues or PRs

Part of the Dependabot remediation series — follows #2038 (frontend) and #2039 (Python transitive). Authlib + PyMySQL pinned bumps will be a separate PR.

Dependencies Versions

Django 4.2.1 → 4.2.30

Notes on Testing

  • uv lock --check on backend/ and root ✓
  • Full backend test suite to be validated in CI (local env blocked by the django-celery-beat wheel quirk noted above).

Screenshots

N/A — dependency bump.

Checklist

I have read and understood the Contribution Guidelines.

…alerts

Django was hard-pinned at 4.2.1 in backend/pyproject.toml and the root
hook-check-django-migrations group. Bumps to the latest 4.2.x LTS patch,
which clears the critical SQL-injection alert (_connector kwarg) plus the
high-severity ASGI header spoofing, DATA_UPLOAD bypass, column-alias SQLi,
path traversal and several DoS advisories.

- pyproject.toml / backend/pyproject.toml: django==4.2.1 -> ==4.2.30
- uv.lock, backend/uv.lock: re-locked (django-only diff, no transitive churn)

Verified: both locks pass 'uv lock --check'; pinned Django ecosystem
(django-tenants 3.5.0, DRF 3.14.0, django-celery-beat 2.5.0) still resolves.
Runtime/test verification deferred to CI (local backend sync is blocked by an
unrelated django-celery-beat 2.5.0 wheel packaging quirk).
coderabbitai Bot commented Jun 11, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)
  • backend/uv.lock is excluded by !**/*.lock
  • uv.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.


Walkthrough

Django version is updated from 4.2.1 to 4.2.30 across two configuration files: the backend project dependencies and the development hook-check-django-migrations dependency group. Both changes coordinate a single upstream version bump.

Changes

Django dependency updates

| Layer / File(s) | Summary |
|---|---|
| Django version bump across project dependencies (backend/pyproject.toml, pyproject.toml) | Django pinned to 4.2.30 in both the main project dependencies list and the hook-check-django-migrations development dependency group, updated from 4.2.1. |

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks: ✅ 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically summarizes the main change: bumping Django from 4.2.1 to 4.2.30 with the stated purpose of clearing security alerts. |
| Description check | ✅ Passed | The description comprehensively covers all required template sections with detailed information about the changes, rationale, risk assessment, and testing approach. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


greptile-apps Bot commented Jun 11, 2026

Greptile Summary

Bumps the hard-pinned Django dependency from 4.2.1 to 4.2.30 across both backend/pyproject.toml and the root pyproject.toml (hook-check-django-migrations group), and re-locks both uv.lock files to match. This clears a batch of Dependabot alerts (SQL injection, ASGI header spoofing, ReDoS, and several DoS vectors) in a single same-minor patch step.

  • Both pyproject.toml pins updated to django==4.2.30; both lock files regenerated with matching sdist/wheel hashes and no transitive churn.
  • Lock files confirm 4.2.30 (upload-time 2026-04-07) is the final release of the 4.2.x LTS series — all known CVEs in 4.2.x are addressed by this bump.

Confidence Score: 5/5

Safe to merge — this is a same-minor patch bump with no code logic changes and no transitive dependency churn.

All four changed files are pure dependency manifests or lock files. Both pyproject.toml pins and both uv.lock files are internally consistent: Django moves from 4.2.1 to 4.2.30, sdist/wheel URLs and hashes match what PyPI publishes for that version, and no other packages were touched.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| backend/pyproject.toml | Django pin updated from 4.2.1 to 4.2.30; all surrounding pins unchanged. |
| pyproject.toml | Django pin in hook-check-django-migrations group updated from 4.2.1 to 4.2.30; no other changes. |
| backend/uv.lock | Lock file re-generated with correct Django 4.2.30 sdist/wheel hashes; no transitive dependency churn. |
| uv.lock | Root lock file re-generated with correct Django 4.2.30 sdist/wheel hashes; no transitive dependency churn. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[backend/pyproject.toml\ndjango==4.2.1 → 4.2.30] --> C[uv lock --upgrade-package django]
    B[pyproject.toml\nhook-check-django-migrations\ndjango==4.2.1 → 4.2.30] --> D[uv lock --upgrade-package django]
    C --> E[backend/uv.lock\nNew sdist + wheel hashes]
    D --> F[uv.lock\nNew sdist + wheel hashes]
    E --> G{uv lock --check ✓}
    F --> G
    G --> H[Dependabot alerts cleared\nSQLi / DoS CVEs in 4.2.1–4.2.29]

jaseemjaskp (Contributor, Author) left a review comment on backend/pyproject.toml

PR Review Toolkit — automated pass.

This PR is a dependency-only change (Django 4.2.1 → 4.2.30 across two pyproject.toml pins + two re-locked uv.lock files). It carries no application code, types, comments, or test changes, so the code-focused toolkit agents (Type Design, Silent Failure Hunter, Comment Analyzer, Code Simplifier, PR Test Analyzer) have no surface to review. I instead ran dependency-bump-specific checks:

Pin consistency — both Django pins in the monorepo (backend/pyproject.toml:21, root pyproject.toml:47) and both lock files (uv.lock, backend/uv.lock) are updated to 4.2.30. No stray django==4.2.1 remains anywhere in the repo.
Lock integrity / no transitive churn — each lock diff is exactly 4 lines (the django package block + its requires-dist specifier); asgiref/sqlparse/tzdata are untouched, confirming the "django-only diff" claim.
LTS-line patch upgrade — stays within 4.2.x, so Django's intra-series backward-compat policy applies; security remediation rationale is sound.

One forward-looking compatibility note left inline. (The Django-4.2-EOL concern is already covered by the existing @greptile-apps P1 comment — not re-raised here.)

@github-actions (Contributor)

Unstract test results

Per-group results

| Status | Group | Tier | Passed | Failed | Errors | Skipped | Duration (s) |
|---|---|---|---|---|---|---|---|
| | unit-connectors | unit | 64 | 12 | 0 | 3 | 16.6 |
| | unit-core | unit | 0 | 0 | 4 | 0 | 1.2 |
| | unit-platform-service | unit | 9 | 0 | 1 | 0 | 1.4 |
| | unit-prompt-service | unit | 15 | 0 | 0 | 0 | 19.5 |
| | unit-rig | unit | 53 | 0 | 0 | 0 | 3.4 |
| | unit-runner | unit | 11 | 0 | 0 | 0 | 3.2 |
| | unit-sdk1 | unit | 390 | 0 | 0 | 0 | 20.0 |
| | unit-tool-registry | unit | 0 | 0 | 1 | 0 | 1.3 |
| | unit-workers | unit | 0 | 0 | 0 | 0 | 17.5 |
| | TOTAL | | 542 | 12 | 6 | 3 | 84.0 |

Critical paths

⚠️ Critical paths not yet covered

  • auth-login — User can log in and obtain a session cookie. (entry: POST /api/v1/auth/login; declared coverage: no groups declared)
  • adapter-register-llm — Register and validate an LLM adapter. (entry: POST /api/v1/adapter/; declared coverage: no groups declared)
  • workflow-create-execute — Create a workflow, configure source+destination, execute, poll, fetch result. (entry: POST /api/v1/workflow/{id}/execute/; declared coverage: e2e-workflow)
  • api-deployment-run — Deploy a workflow as an API, POST a document, receive structured JSON. (entry: POST /deployment/api/{org}/{name}/; declared coverage: e2e-api-deployment)
  • prompt-studio-fetch-response — Prompt Studio: create project, add prompt, run single-pass, get response. (entry: POST /api/v1/prompt-studio/prompt-studio-tool/{id}/fetch_response/; declared coverage: e2e-prompt-studio)
  • pipeline-etl-execute — Run an ETL pipeline from source connector to destination. (entry: POST /api/v1/pipeline/{id}/execute/; declared coverage: no groups declared)
  • usage-token-tracking — Per-execution token usage is recorded and retrievable. (entry: GET /api/v1/usage/get_token_usage/; declared coverage: no groups declared)
  • workflow-execution-fan-out — Multi-file workflow execution fans out to file-processing workers and rejoins. (entry: internal: backend → rabbitmq → workers/file_processing; declared coverage: no groups declared)
  • callback-result-delivery — Async results are posted back via the callback worker. (entry: internal: workers/callback → backend /internal endpoints; declared coverage: no groups declared)
✅ Covered critical paths
  • tool-sandbox-exec — covered by unit-runner

@jaseemjaskp jaseemjaskp merged commit 6a021e4 into main Jun 18, 2026
10 checks passed
@jaseemjaskp jaseemjaskp deleted the fix/dependabot-django branch June 18, 2026 13:31