[Snyk] Security upgrade django from 3.2.25 to 4.2.28 #820
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-15183335
Pull request overview
This PR attempts to fix a security vulnerability (SNYK-PYTHON-DJANGO-15183335) by upgrading Django from version 3.2.25 to 4.2.28. However, the codebase currently specifies django==5.2.3 in requirements/base.txt, revealing significant issues with the project's Django version management.
Changes:
- Adds django>=4.2.28 to requirements/local.txt as a Snyk-pinned dependency
- Aims to address a SQL injection vulnerability
| django-coverage-plugin==3.1.0 # https://github.com/nedbat/django_coverage_plugin | ||
| pytest-django==4.7.0 # https://github.com/pytest-dev/pytest-django | ||
| tornado>=6.4.1 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| django>=4.2.28 # not directly required, pinned by Snyk to avoid a vulnerability |
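Review bot: the added django>=4.2.28 line sets only a lower bound, while the django-coverage-plugin and pytest-django entries just above it in this hunk use exact == pins, so an install from this file can pick up any later Django release, including a new major version. Its trailing comment also says "not directly required", which reads oddly next to two plugins in the same file that exist to test a Django project. Suggest either dropping the line or replacing it with an exact pin that matches the Django version the project actually runs, and correcting the comment.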
Copilot
AI
Feb 5, 2026
This change introduces a version conflict with the Django version already specified in base.txt. The base.txt file (which is included via -r base.txt on line 1) specifies django==5.2.3 on line 30, but this change adds django>=4.2.28.
This creates conflicting requirements:
- base.txt requires exactly Django 5.2.3
- local.txt now requires Django >= 4.2.28
Since Django 5.2.3 satisfies the >=4.2.28 constraint, pip might resolve this to Django 5.2.3, making this line redundant. However, this approach is confusing and can lead to maintenance issues.
The correct approach would be to update the Django version in base.txt to address the security vulnerability, rather than adding a conflicting requirement in local.txt. The security fix should apply to all environments (local, production, etc.), not just the local development environment.
| django>=4.2.28 # not directly required, pinned by Snyk to avoid a vulnerability |
| django-coverage-plugin==3.1.0 # https://github.com/nedbat/django_coverage_plugin | ||
| pytest-django==4.7.0 # https://github.com/pytest-dev/pytest-django | ||
| tornado>=6.4.1 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| django>=4.2.28 # not directly required, pinned by Snyk to avoid a vulnerability |
Copilot
AI
Feb 5, 2026
The PR description mentions upgrading Django from 3.2.25 to 4.2.28, but the codebase actually has Django 5.2.3 specified in requirements/base.txt (line 30). This indicates a significant discrepancy between what the PR claims to do and the actual state of the codebase.
Either:
- The PR description is based on outdated information about the project's Django version, or
- There's confusion about which version is currently in use
The security vulnerability fix (SNYK-PYTHON-DJANGO-15183335) should be evaluated against Django 5.2.3, not 3.2.25, to determine if it's even necessary. Django 5.2.3 may already have the security fix that this PR is attempting to apply.
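The two review comments above both turn on the same check: does the exact pin in base.txt already clear the floor added to local.txt? The following is an added example, not code from this PR or from the project. The file contents are constructed from the versions quoted in the comments, and the parser handles only plain `name==X.Y.Z` and `name>=X.Y.Z` lines.

```python
import re
import tempfile
from pathlib import Path

# Assumption: only "name==X.Y.Z" / "name>=X.Y.Z" with numeric versions are parsed.
REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=)\s*(\d+(?:\.\d+)*)")

def load(path, seen=None):
    """Collect (name, op, version, file) from path and every file it includes via -r."""
    path = Path(path).resolve()
    seen = set() if seen is None else seen
    if path in seen:  # guard against include cycles
        return []
    seen.add(path)
    found = []
    for raw in path.read_text().splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("-r "):
            found += load(path.parent / line[3:].strip(), seen)
        elif m := REQ.match(line):
            found.append((m[1].lower(), m[2], m[3], path.name))
    return found

def vtuple(version):
    # Pad to four fields so that 4.2 and 4.2.0 compare equal.
    return tuple(([int(p) for p in version.split(".")] + [0, 0, 0])[:4])

def audit(path):
    """Map each package declared more than once to (verdict, files declaring it)."""
    specs = {}
    for name, op, ver, src in load(path):
        specs.setdefault(name, []).append((op, ver, src))
    report = {}
    for name, entries in specs.items():
        if len(entries) < 2:
            continue
        pins = [v for op, v, _ in entries if op == "=="]
        floors = [v for op, v, _ in entries if op == ">="]
        verdict = "duplicate"
        if pins and floors:
            cleared = all(vtuple(p) >= vtuple(f) for p in pins for f in floors)
            verdict = "redundant floor" if cleared else "conflict"
        report[name] = (verdict, [src for _, _, src in entries])
    return report

def demo(base_pin="5.2.3"):
    """Audit a constructed base.txt/local.txt pair modelled on the review comments."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "base.txt").write_text(f"django=={base_pin}\n")
        Path(d, "local.txt").write_text("-r base.txt\npytest-django==4.7.0\ntornado>=6.4.1\ndjango>=4.2.28  # pinned by Snyk\n")
        return audit(Path(d, "local.txt"))
```

A "redundant floor" verdict only says the pin is numerically at or above the floor; whether the pinned release contains the fix still has to be checked against the advisory.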
Snyk has created this PR to fix 1 vulnerability in the pip dependencies of this project.
Snyk changed the following file(s):
- requirements/local.txt
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.