[FIX] Revert djangorestframework 3.15.2 → 3.14.0 to unblock staging#2090

Closed
chandrasekharan-zipstack wants to merge 1 commit into Zipstack/unstract:main from Zipstack/unstract:fix/revert-drf-3.14

Conversation

@chandrasekharan-zipstack

Contributor

What

Reverts only the djangorestframework bump (3.15.2 → 3.14.0) that landed in #2087. The other batched dependabot updates from that PR are untouched.

Files: backend/pyproject.toml, pyproject.toml (pins) + backend/uv.lock, uv.lock (re-resolved). Lock diff is the DRF version flip only — no other package added/removed.

Why

DRF 3.15 auto-generates a UniqueTogetherValidator from model UniqueConstraints, which forces every field in the constraint to required=True — including the server-set, nullable organization FK (DefaultOrganizationMixin). Clients never send organization, so adapter / connector / workflow / api-deployment creates started failing:

400 {"type":"validation_error","errors":[{"code":"required","attr":"organization"}]}

This broke the shared Playwright test setup (createAdapters) and cascaded into 146 staging failures on rc.342 (OSS v0.176.1). rc.341 (DRF 3.14, v0.176.0) was clean — 220/244. The DRF bump is the only relevant diff between them, and #2087 was a routine batched dependabot update (no CVE forcing 3.15).

Follow-up (separate PR)

Reattempt the 3.15 upgrade deliberately: add a get_unique_together_validators() override to the shared serializer bases (AuditSerializer + IntegrityErrorMixin) to drop org-scoped auto-validators (restores 3.14 semantics; DB + IntegrityErrorMixin still enforce uniqueness), fix the cloud stragglers that inherit neither base (MRQ / subscription / agentic_table_settings), audit all ~20 org-scoped models, then cut its own RC + full suite.

🤖 Generated with Claude Code

DRF 3.15 auto-generates a UniqueTogetherValidator from model UniqueConstraints,
which forces every constraint field to required=True — including the server-set,
nullable `organization` FK. Adapter/connector/workflow/api creates then 400 with
"organization required", which broke the shared test setup and 146 staging tests
on rc.342 (v0.176.1). rc.341 (DRF 3.14) was clean.

Pin back to 3.14.0 to unblock; the 3.15 upgrade will be reattempted as its own PR
with a serializer-level fix (drop org-scoped auto-validators) + full suite run.
Only reverts the DRF entry from #2087; the other batched bumps are untouched.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01DoRxNHky8RoutBCFrSzZQ7
@coderabbitai

coderabbitai Bot commented Jun 19, 2026

Contributor

Summary by CodeRabbit

  • Chores
    • Updated framework dependencies for improved stability.

Walkthrough

djangorestframework is downgraded from 3.15.2 to 3.14.0 in two places: the main dependencies list in backend/pyproject.toml and the test-rig dependency group in the root pyproject.toml.

Changes

djangorestframework version downgrade

Downgrade djangorestframework to 3.14.0
  • File(s): backend/pyproject.toml, pyproject.toml
  • Summary: djangorestframework pinned version changed from 3.15.2 to 3.14.0 in both the backend main dependencies and the root test-rig dependency group.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check (Passed): The title accurately describes the main change: reverting djangorestframework from 3.15.2 to 3.14.0 to resolve staging failures.
  • Description check (Passed): The description comprehensively covers the required sections: What (revert details), Why (DRF 3.15 validation issue with organization field), and follow-up plan. Most template sections are addressed with relevant context.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.


@greptile-apps

greptile-apps Bot commented Jun 19, 2026

Contributor

Greptile Summary

Reverts djangorestframework from 3.15.2 back to 3.14.0 across both pyproject.toml files and their corresponding uv.lock files; no other packages are touched.

  • DRF 3.15 introduced automatic UniqueTogetherValidator generation from model UniqueConstraints, which forced server-set nullable FKs (e.g. organization via DefaultOrganizationMixin) to required=True, breaking adapter/connector/workflow create endpoints with a 400 {"code":"required","attr":"organization"} error.
  • The lock diff is strictly scoped to the DRF entry (sdist + wheel hashes updated); re-running uv lock introduced no transitive changes, confirming the revert is clean.

Confidence Score: 5/5

Safe to merge — the change is a clean, targeted revert of a single dependency version with no transitive side-effects confirmed by the lock diff.

Every changed line maps directly to the DRF version string or its corresponding sdist/wheel hash. Both lock files show no other package added, removed, or re-resolved. The root cause (DRF 3.15's automatic UniqueTogetherValidator injection) is well-understood and documented, and rc.341 at 3.14.0 had a clean test run (220/244), so this revert restores a known-good state.

No files require special attention — all four changes are mechanical version-pin and hash updates.

Important Files Changed

  • backend/pyproject.toml: Single-line revert: djangorestframework==3.15.2 → 3.14.0; all other deps unchanged.
  • pyproject.toml: Same DRF pin revert as backend/pyproject.toml; workspace-level lock spec updated to match.
  • backend/uv.lock: Lock re-resolved; only djangorestframework entry flipped to 3.14.0 with updated sdist/wheel hashes. No other package added, removed, or bumped.
  • uv.lock: Workspace-root lock re-resolved; identical scope to backend/uv.lock — only DRF version changed.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["PR #2087: Dependabot batch bump\n(DRF 3.14.0 → 3.15.2)"] --> B["DRF 3.15 auto-generates\nUniqueTogetherValidator\nfrom model UniqueConstraint"]
    B --> C["organization FK marked\nrequired=True by serializer\n(DefaultOrganizationMixin)"]
    C --> D["Clients never send 'organization'\n→ 400 validation_error on\nadapter/connector/workflow creates"]
    D --> E["146 staging failures on rc.342"]
    E --> F["This PR: Revert DRF → 3.14.0\n(backend/pyproject.toml + pyproject.toml\n+ both uv.lock files)"]
    F --> G["Staging unblocked\n(restores 3.14 semantics)"]
    H["Follow-up PR\n(separate)"] --> I["Override get_unique_together_validators()\nin AuditSerializer + IntegrityErrorMixin\nto drop org-scoped auto-validators"]
    I --> J["Safe re-upgrade to DRF 3.15.2"]


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@backend/pyproject.toml`:
- Line 22: The djangorestframework dependency in pyproject.toml is pinned to
version 3.14.0, which contains a known XSS vulnerability that was patched in
version 3.15.2. Update the version constraint for the "djangorestframework"
package from 3.14.0 to 3.15.2 or a later version to resolve this security
vulnerability, or alternatively add documentation explaining why this
vulnerability is acceptable for your use case if downgrading is intentional.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: baa892ba-ac46-4015-b67d-3332398c65b5

📥 Commits

Reviewing files that changed from the base of the PR and between 49ef65a and 72a9e3a.

⛔ Files ignored due to path filters (2)
  • backend/uv.lock is excluded by !**/*.lock
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • backend/pyproject.toml
  • pyproject.toml

Comment thread backend/pyproject.toml
"cryptography>=48.0.1",
"django==4.2.30",
"djangorestframework==3.15.2",
"djangorestframework==3.14.0",

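Review bot: the pin flip from `"djangorestframework==3.15.2"` to `"djangorestframework==3.14.0"` moves the backend onto a release that the advisory lookup later in this thread reports as affected by the XSS fixed in 3.15.2 (identified by the author's closing comment as CVE-2024-21520), so the PR description's statement that no CVE forces 3.15 does not hold for this line. Either keep 3.15.2 here and carry the planned get_unique_together_validators() override on AuditSerializer and IntegrityErrorMixin in this same change, or add a comment beside the pin recording the accepted exposure and the follow-up PR that removes it, so the downgrade cannot silently outlive the staging incident it was made for.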
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check for security advisories for djangorestframework 3.14.0

# Check for security vulnerabilities using GitHub Advisory Database
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: PIP, package: "djangorestframework") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: Zipstack/unstract

Downgrade to djangorestframework 3.14.0 introduces a known XSS vulnerability.

Security advisories show that djangorestframework versions < 3.15.2 (including 3.14.0) are vulnerable to a Cross-site Scripting (XSS) vulnerability published on 2024-06-26 with LOW severity. The current version 3.15.2 has this vulnerability patched. This downgrade moves the codebase to a known vulnerable version. Either:

  • Upgrade to 3.15.2 or later, or
  • Document why this vulnerability is acceptable for your use case

@github-actions

Contributor

Unstract test results

Per-group results

Group                  Tier  Passed  Failed  Errors  Skipped  Duration (s)
unit-connectors        unit      64      12       0        3          16.7
unit-core              unit       0       0       4        0           1.2
unit-platform-service  unit       9       0       1        0           1.3
unit-prompt-service    unit      15       0       0        0          19.8
unit-rig               unit      53       0       0        0           3.4
unit-runner            unit      11       0       0        0           3.0
unit-sdk1              unit     390       0       0        0          20.1
unit-tool-registry     unit       0       0       1        0           1.3
unit-workers           unit       0       0       0        0          17.7
TOTAL                           542      12       6        3          84.4

Critical paths

⚠️ Critical paths not yet covered

  • auth-login — User can log in and obtain a session cookie. (entry: POST /api/v1/auth/login; declared coverage: no groups declared)
  • adapter-register-llm — Register and validate an LLM adapter. (entry: POST /api/v1/adapter/; declared coverage: no groups declared)
  • workflow-create-execute — Create a workflow, configure source+destination, execute, poll, fetch result. (entry: POST /api/v1/workflow/{id}/execute/; declared coverage: e2e-workflow)
  • api-deployment-run — Deploy a workflow as an API, POST a document, receive structured JSON. (entry: POST /deployment/api/{org}/{name}/; declared coverage: e2e-api-deployment)
  • prompt-studio-fetch-response — Prompt Studio: create project, add prompt, run single-pass, get response. (entry: POST /api/v1/prompt-studio/prompt-studio-tool/{id}/fetch_response/; declared coverage: e2e-prompt-studio)
  • pipeline-etl-execute — Run an ETL pipeline from source connector to destination. (entry: POST /api/v1/pipeline/{id}/execute/; declared coverage: no groups declared)
  • usage-token-tracking — Per-execution token usage is recorded and retrievable. (entry: GET /api/v1/usage/get_token_usage/; declared coverage: no groups declared)
  • workflow-execution-fan-out — Multi-file workflow execution fans out to file-processing workers and rejoins. (entry: internal: backend → rabbitmq → workers/file_processing; declared coverage: no groups declared)
  • callback-result-delivery — Async results are posted back via the callback worker. (entry: internal: workers/callback → backend /internal endpoints; declared coverage: no groups declared)
✅ Covered critical paths
  • tool-sandbox-exec — covered by unit-runner

@chandrasekharan-zipstack

Contributor Author

Superseded — reintroduces CVE-2024-21520 (DRF<3.15.2 XSS). Going with a roll-forward model-level fix on 3.15.2 instead.
