[FIX] Revert djangorestframework 3.15.2 → 3.14.0 to unblock staging #2090
chandrasekharan-zipstack wants to merge 1 commit into
DRF 3.15 auto-generates a UniqueTogetherValidator from model UniqueConstraints, which forces every constraint field to required=True — including the server-set, nullable `organization` FK. Adapter/connector/workflow/api creates then 400 with "organization required", which broke the shared test setup and 146 staging tests on rc.342 (v0.176.1). rc.341 (DRF 3.14) was clean.

Pin back to 3.14.0 to unblock; the 3.15 upgrade will be reattempted as its own PR with a serializer-level fix (drop org-scoped auto-validators) + full suite run. Only reverts the DRF entry from #2087; the other batched bumps are untouched.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01DoRxNHky8RoutBCFrSzZQ7
Summary by CodeRabbit
Walkthrough / Changes: djangorestframework version downgrade
Estimated code review effort: 1 (Trivial), ~2 minutes. Pre-merge checks: 5 passed.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@backend/pyproject.toml`:
- Line 22: The djangorestframework dependency in pyproject.toml is pinned to
version 3.14.0, which contains a known XSS vulnerability that was patched in
version 3.15.2. Update the version constraint for the "djangorestframework"
package from 3.14.0 to 3.15.2 or a later version to resolve this security
vulnerability, or alternatively add documentation explaining why this
vulnerability is acceptable for your use case if downgrading is intentional.
Files ignored due to path filters (2): backend/uv.lock and uv.lock (excluded by !**/*.lock)
Files selected for processing (2): backend/pyproject.toml, pyproject.toml
| "cryptography>=48.0.1", | ||
| "django==4.2.30", | ||
| "djangorestframework==3.15.2", | ||
| "djangorestframework==3.14.0", |
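Review bot: the last row pins `djangorestframework` back to 3.14.0, a version the advisory query on this thread reports as vulnerable to the DRF < 3.15.2 XSS (CVE-2024-21520 per the superseding comment), while the `cryptography` and `django` pins above it are unchanged. If this revert is to land even briefly, record the reason next to the pin so the next batched dependabot run does not silently carry the downgrade forward, e.g. `"djangorestframework==3.14.0",  # temporary: 3.15 UniqueTogetherValidator forces organization required, see #2090`, and prefer the roll-forward serializer-level fix over merging the downgrade.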
🧩 Analysis chain
🏁 Script executed:

```bash
#!/bin/bash
# Description: Check for security advisories for djangorestframework 3.14.0
# Check for security vulnerabilities using GitHub Advisory Database
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: PIP, package: "djangorestframework") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'
```

Repository: Zipstack/unstract
Length of output: 723
Downgrade to djangorestframework 3.14.0 introduces a known XSS vulnerability.
Security advisories show that djangorestframework versions < 3.15.2 (including 3.14.0) are vulnerable to a Cross-site Scripting (XSS) vulnerability published on 2024-06-26 with LOW severity. The current version 3.15.2 has this vulnerability patched. This downgrade moves the codebase to a known vulnerable version. Either:
- Upgrade to 3.15.2 or later, or
- Document why this vulnerability is acceptable for your use case
Superseded — reintroduces CVE-2024-21520 (DRF<3.15.2 XSS). Going with a roll-forward model-level fix on 3.15.2 instead.
What

Reverts only the `djangorestframework` bump (3.15.2 → 3.14.0) that landed in #2087. The other batched dependabot updates from that PR are untouched.

Files: `backend/pyproject.toml`, `pyproject.toml` (pins) + `backend/uv.lock`, `uv.lock` (re-resolved). Lock diff is the DRF version flip only — no other package added/removed.

Why

DRF 3.15 auto-generates a `UniqueTogetherValidator` from model `UniqueConstraint`s, which forces every field in the constraint to `required=True` — including the server-set, nullable `organization` FK (`DefaultOrganizationMixin`). Clients never send `organization`, so adapter / connector / workflow / api-deployment creates started failing:

This broke the shared Playwright test setup (`createAdapters`) and cascaded into 146 staging failures on rc.342 (OSS v0.176.1). rc.341 (DRF 3.14, v0.176.0) was clean — 220/244. The DRF bump is the only relevant diff between them, and #2087 was a routine batched dependabot update (no CVE forcing 3.15).

Follow-up (separate PR)

Reattempt the 3.15 upgrade deliberately: add a `get_unique_together_validators()` override to the shared serializer bases (`AuditSerializer` + `IntegrityErrorMixin`) to drop org-scoped auto-validators (restores 3.14 semantics; DB + `IntegrityErrorMixin` still enforce uniqueness), fix the cloud stragglers that inherit neither base (MRQ / subscription / agentic_table_settings), audit all ~20 org-scoped models, then cut its own RC + full suite.

🤖 Generated with Claude Code
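One way to implement the serializer-level fix the follow-up describes, as an added example rather than Unstract's own code: a mixin whose `get_unique_together_validators()` override drops the auto-generated validators that cover the `organization` FK, leaving the database constraint and `IntegrityErrorMixin` to enforce uniqueness. The field name, the mixin name and the `Fake*` stand-ins are assumptions so the block runs without Django installed.

```python
from dataclasses import dataclass

ORG_FIELD = "organization"  # hypothetical name of the server-set FK


def is_org_scoped(validator, org_field=ORG_FIELD):
    """True if a UniqueTogetherValidator's field tuple includes the org FK."""
    return org_field in tuple(getattr(validator, "fields", ()))


def drop_org_scoped_validators(validators, org_field=ORG_FIELD):
    """Keep only the auto-generated validators that do not touch the org FK."""
    return [v for v in validators if not is_org_scoped(v, org_field)]


class DropOrgScopedUniqueValidatorsMixin:
    """List this mixin before rest_framework.serializers.ModelSerializer.

    DRF 3.15 also emits a UniqueTogetherValidator per model UniqueConstraint;
    any that names the org FK demands a value the client never sends. Dropping
    them leaves the DB constraint plus IntegrityError handling as the check.
    """
    org_field = ORG_FIELD

    def get_unique_together_validators(self):
        validators = super().get_unique_together_validators()
        return drop_org_scoped_validators(validators, self.org_field)


# Constructed stand-ins so the mixin can be exercised without Django installed.
@dataclass
class FakeValidator:
    fields: tuple  # the attribute UniqueTogetherValidator exposes


class FakeModelSerializer:
    def get_unique_together_validators(self):  # what 3.15 would build
        return [FakeValidator(("organization", "adapter_name")),
                FakeValidator(("organization", "slug")),
                FakeValidator(("external_id",))]


class AdapterSerializer(DropOrgScopedUniqueValidatorsMixin, FakeModelSerializer):
    pass


def remaining_validator_fields():
    """Field tuples that survive the override: [('external_id',)] here."""
    return [v.fields for v in AdapterSerializer().get_unique_together_validators()]
```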