chore(deps): update dependencies [security]#669

Merged

renovate[bot] merged 1 commit intomainfrom

renovate/pypi-django-vulnerability

Feb 3, 2026

Contributor

renovate bot commented Feb 3, 2026

This PR contains the following updates:

Package	Change	Age	Confidence
django (changelog)	`5.2.10` → `5.2.11`

GitHub Vulnerability Alerts

CVE-2025-13473

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

The django.contrib.auth.handlers.modwsgi.check_password() function for authentication via mod_wsgi allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Stackered for reporting this issue.

CVE-2025-14550

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

ASGIRequest allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Jiyong Yang for reporting this issue.

CVE-2026-1285

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

django.utils.text.Truncator.chars() and Truncator.words() methods (with html=True) and the truncatechars_html and truncatewords_html template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Seokchan Yoon for reporting this issue.

CVE-2026-1207

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

Raster lookups on RasterField (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Tarek Nakkouch for reporting this issue.

CVE-2026-1287

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

FilteredRelation is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet methods annotate(), aggregate(), extra(), values(), values_list(), and alias(). Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Solomon Kebede for reporting this issue.

CVE-2026-1312

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

.QuerySet.order_by() is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in FilteredRelation. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Solomon Kebede for reporting this issue.

Release Notes

django/django (django)

`v5.2.11`

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) in timezone UTC.

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          chore(deps): update dependencies [security]

5ea7893

renovate bot requested a review from a team as a code owner

February 3, 2026 20:46

renovate bot added chore dependencies labels

github-project-automation bot added this to 🧰 devtools project board

renovate bot enabled auto-merge (squash)

February 3, 2026 20:46

renovate bot temporarily deployed to ack

February 3, 2026 20:46

Inactive

github-actions bot added chore and removed chore labels

ansibuddy approved these changes

View reviewed changes

github-project-automation bot moved this to Review in 🧰 devtools project board

renovate bot temporarily deployed to ack

February 3, 2026 20:46

Inactive

github-actions bot added chore and removed chore labels

ansibuddy approved these changes

View reviewed changes

renovate bot merged commit 4eaf3f7 into main

29 checks passed

renovate bot deleted the renovate/pypi-django-vulnerability branch

February 3, 2026 20:57

github-project-automation bot moved this from Review to Done in 🧰 devtools project board

renovate bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request


          chore(deps): update dependency ansible-dev-tools to v26.2.0

4e35b26

##### [\`26.2.0\`](https://github.com/ansible/ansible-dev-tools/releases/tag/v26.2.0)

#### Features

- feat: add dynamic creator API endpoints for schema-driven scaffolding ([#676](ansible/ansible-dev-tools#676)) [@cidrblock](https://github.com/cidrblock)
- feat: bump minimal direct dependencies ([#688](ansible/ansible-dev-tools#688)) [@ssbarnea](https://github.com/ssbarnea)
- feat: add execution environment project endpoint to ADT server ([#675](ansible/ansible-dev-tools#675)) [@cidrblock](https://github.com/cidrblock)

#### Fixes

- fix: disable gunicorn control socket to prevent post-fork deadlock ([#693](ansible/ansible-dev-tools#693)) [@cidrblock](https://github.com/cidrblock)
- fix: update base image to Fedora 42 as Fedora 41 is EOL ([#672](ansible/ansible-dev-tools#672)) [@dmzoneill](https://github.com/dmzoneill)

#### Maintenance

- chore: improve adt server execution during testing ([#691](ansible/ansible-dev-tools#691)) [@ssbarnea](https://github.com/ssbarnea)
- chore(deps): update pep621 ([#690](ansible/ansible-dev-tools#690)) @[renovate\[bot\]](https://github.com/apps/renovate)
- chore: update test deps ([#689](ansible/ansible-dev-tools#689)) [@ssbarnea](https://github.com/ssbarnea)
- chore: update pytest config ([#685](ansible/ansible-dev-tools#685)) [@ssbarnea](https://github.com/ssbarnea)
- chore: fix devel pipeline loop (chardet regression) ([#687](ansible/ansible-dev-tools#687)) [@ssbarnea](https://github.com/ssbarnea)
- chore: fix devspaces pipeline getting stuck (tox nested call) ([#681](ansible/ansible-dev-tools#681)) [@ssbarnea](https://github.com/ssbarnea)
- chore: migrate hooks from pre-commit to prek ([#678](ansible/ansible-dev-tools#678)) [@ssbarnea](https://github.com/ssbarnea)
- chore: add selenium-adt container for testing extension ([#677](ansible/ansible-dev-tools#677)) [@ssbarnea](https://github.com/ssbarnea)
- chore(deps): bump pillow from 12.1.0 to 12.1.1 in the uv group across 1 directory ([#674](ansible/ansible-dev-tools#674)) @[dependabot\[bot\]](https://github.com/apps/dependabot)
- chore(deps): bump cryptography from 46.0.4 to 46.0.5 in the uv group across 1 directory ([#673](ansible/ansible-dev-tools#673)) @[dependabot\[bot\]](https://github.com/apps/dependabot)
- chore(deps): update dependencies \[security] ([#669](ansible/ansible-dev-tools#669)) @[renovate\[bot\]](https://github.com/apps/renovate)
- chore(deps): update all dependencies ([#668](ansible/ansible-dev-tools#668)) @[renovate\[bot\]](https://github.com/apps/renovate)
- chore(deps): update all dependencies ([#667](ansible/ansible-dev-tools#667)) @[renovate\[bot\]](https://github.com/apps/renovate)
- chore(deps): update all dependencies ([#666](ansible/ansible-dev-tools#666)) @[renovate\[bot\]](https://github.com/apps/renovate)
- chore(deps): update all dependencies ([#664](ansible/ansible-dev-tools#664)) @[renovate\[bot\]](https://github.com/apps/renovate)

sdwilsh pushed a commit to sdwilsh/ansible-playbooks that referenced this pull request


          chore(deps): update dependency ansible-dev-tools to v26.2.0

c5c6aaf

##### [\`26.2.0\`](https://github.com/ansible/ansible-dev-tools/releases/tag/v26.2.0)

#### Features

- feat: add dynamic creator API endpoints for schema-driven scaffolding ([#676](ansible/ansible-dev-tools#676)) [@cidrblock](https://github.com/cidrblock)
- feat: bump minimal direct dependencies ([#688](ansible/ansible-dev-tools#688)) [@ssbarnea](https://github.com/ssbarnea)
- feat: add execution environment project endpoint to ADT server ([#675](ansible/ansible-dev-tools#675)) [@cidrblock](https://github.com/cidrblock)

#### Fixes

- fix: disable gunicorn control socket to prevent post-fork deadlock ([#693](ansible/ansible-dev-tools#693)) [@cidrblock](https://github.com/cidrblock)
- fix: update base image to Fedora 42 as Fedora 41 is EOL ([#672](ansible/ansible-dev-tools#672)) [@dmzoneill](https://github.com/dmzoneill)

#### Maintenance

- chore: improve adt server execution during testing ([#691](ansible/ansible-dev-tools#691)) [@ssbarnea](https://github.com/ssbarnea)
- chore(deps): update pep621 ([#690](ansible/ansible-dev-tools#690)) @[renovate\[bot\]](https://github.com/apps/renovate)
- chore: update test deps ([#689](ansible/ansible-dev-tools#689)) [@ssbarnea](https://github.com/ssbarnea)
- chore: update pytest config ([#685](ansible/ansible-dev-tools#685)) [@ssbarnea](https://github.com/ssbarnea)
- chore: fix devel pipeline loop (chardet regression) ([#687](ansible/ansible-dev-tools#687)) [@ssbarnea](https://github.com/ssbarnea)
- chore: fix devspaces pipeline getting stuck (tox nested call) ([#681](ansible/ansible-dev-tools#681)) [@ssbarnea](https://github.com/ssbarnea)
- chore: migrate hooks from pre-commit to prek ([#678](ansible/ansible-dev-tools#678)) [@ssbarnea](https://github.com/ssbarnea)
- chore: add selenium-adt container for testing extension ([#677](ansible/ansible-dev-tools#677)) [@ssbarnea](https://github.com/ssbarnea)
- chore(deps): bump pillow from 12.1.0 to 12.1.1 in the uv group across 1 directory ([#674](ansible/ansible-dev-tools#674)) @[dependabot\[bot\]](https://github.com/apps/dependabot)
- chore(deps): bump cryptography from 46.0.4 to 46.0.5 in the uv group across 1 directory ([#673](ansible/ansible-dev-tools#673)) @[dependabot\[bot\]](https://github.com/apps/dependabot)
- chore(deps): update dependencies \[security] ([#669](ansible/ansible-dev-tools#669)) @[renovate\[bot\]](https://github.com/apps/renovate)
- chore(deps): update all dependencies ([#668](ansible/ansible-dev-tools#668)) @[renovate\[bot\]](https://github.com/apps/renovate)
- chore(deps): update all dependencies ([#667](ansible/ansible-dev-tools#667)) @[renovate\[bot\]](https://github.com/apps/renovate)
- chore(deps): update all dependencies ([#666](ansible/ansible-dev-tools#666)) @[renovate\[bot\]](https://github.com/apps/renovate)
- chore(deps): update all dependencies ([#664](ansible/ansible-dev-tools#664)) @[renovate\[bot\]](https://github.com/apps/renovate)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

chore dependencies