chore(deps): update dependency djangorestframework to >=3.15.2,<=3.15.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
djangorestframework (source, changelog)	>=3.7.0,<=3.13 → >=3.15.2,<=3.15.2

GitHub Vulnerability Alerts

CVE-2024-21520

Versions of the package djangorestframework before 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter due to improper input sanitization before splitting and joining with
tags.

---

Release Notes

encode/django-rest-framework (djangorestframework)

v3.15.2

Compare Source

What's Changed

• Add @​api_view example to caching documentation by @​BradWells in #​9131
• Update docstring by @​jthevos in #​9340
• Apply black formatting to caching markdown by @​jthevos in #​9341
• Update renderers documentation example by @​mgaligniana in #​9362
• Removing live examples of tutorial code that are no longer hosted by @​TGoddessana in #​9363
• Docs: Remove an unnecessary step from quickstart.md by @​gogowitsch in #​9387
• Documentation: Add Python 3.12 to the requirements by @​Szaroslav in #​9382
• Tweak README.md links. by @​tomchristie in #​9375
• Revert "Ensure CursorPagination respects nulls in the ordering field" by @​max-muoto in #​9381
• use warnings rather than logging a warning for DecimalField warnings by @​terencehonles in #​9367
• 2024042 docs by @​peterthomassen in #​9392
• Cleanup by @​peterthomassen in #​9393
• tests: Check urlpatterns after cleanups by @​stanislavlevin in #​9400
• docs: Correct some evaluation results and a httpie option in Tutorial1 by @​wkwkhautbois in #​9421
• Add __hash__ method for permissions.OperandHolder class by @​vanya909 in #​9417
• Fix potential XSS vulnerability in break_long_headers template filter by @​ch4n3-yoon in #​9435
• Version 3.15.2. by @​tomchristie in #​9439

New Contributors

• @​BradWells made their first contribution in #​9131
• @​jthevos made their first contribution in #​9340
• @​gogowitsch made their first contribution in #​9387
• @​Szaroslav made their first contribution in #​9382
• @​wkwkhautbois made their first contribution in #​9421
• @​ch4n3-yoon made their first contribution in #​9435

Full Changelog: encode/django-rest-framework@3.15.1...3.15.2

v3.15.1: Version 3.15.1

Compare Source

What's Changed

• Update the message to be consistent with the Django `HttpResponseBa… by @​maycuatroi in #​9287
• Make inflection package truly optional by @​browniebroke in #​9303
• Fix broken links in release notes for 3.15 by @​browniebroke in #​9305
• TokenAdmin.autocomplete_fields Breaks Some Use Cases, Revert by @​alexdlaird in #​9301
• Add drf-sendables to third-party-packages.md by @​amikrop in #​9261
• Revert "feat: Add some changes to ValidationError to support django style vad…" by @​auvipy in #​9326
• Revert "Re-prefetch related objects after updating" by @​auvipy in #​9327
• Revert #​8863 by @​tomchristie in #​9330
• Revert #​8009 by @​tomchristie in #​9332
• Revert #​9030 by @​tomchristie in #​9333
• Revert "Fix NamespaceVersioning ignoring DEFAULT_VERSION on non-None namespaces" by @​auvipy in #​9335
• SearchFilter.get_search_terms returns list. by @​tomchristie in #​9338
• Version 3.15.1 by @​tomchristie in #​9339

New Contributors

• @​maycuatroi made their first contribution in #​9287
• @​alexdlaird made their first contribution in #​9301

Full Changelog: encode/django-rest-framework@3.15.0...3.15.1

v3.15.0

Compare Source

v3.14.0: Version 3.14.0

Compare Source

• Django 2.2 is no longer supported. #​8662
• Django 4.1 compatibility. #​8591
• Add --api-version CLI option to generateschema management command. #​8663
• Enforce is_valid(raise_exception=False) as a keyword-only argument. #​7952
• Stop calling set_context on Validators. #​8589
• Return NotImplemented from ErrorDetails.__ne__. #​8538
• Don't evaluate DateTimeField.default_timezone when a custom timezone is set. #​8531
• Make relative URLs clickable in Browseable API. #​8464
• Support ManyRelatedField falling back to the default value when the attribute specified by dot notation doesn't exist. Matches ManyRelatedField.get_attribute to Field.get_attribute. #​7574
• Make schemas.openapi.get_reference public. #​7515
• Make ReturnDict support dict union operators on Python 3.9 and later. #​8302
• Update throttling to check if request.user is set before checking if the user is authenticated. #​8370

v3.13.1: Version 3.13.1

Compare Source

• Revert schema naming changes with function based @api_view. #​8297

v3.13.0: Version 3.13.0

Compare Source

• Django 4.0 compatability. #​8178
• Add max_length and min_length options to ListSerializer. #​8165
• Add get_request_serializer and get_response_serializer hooks to AutoSchema. #​7424
• Fix OpenAPI representation of null-able read only fields. #​8116
• Respect UNICODE_JSON setting in API schema outputs. #​7991
• Fix for RemoteUserAuthentication. #​7158
• Make Field constructors keyword-only. #​7632

v3.12.4

Compare Source

v3.12.3

Compare Source

v3.12.2

Compare Source

v3.12.1

Compare Source

v3.12.0

Compare Source

v3.11.2

Compare Source

v3.11.1

Compare Source

v3.11.0

Compare Source

v3.10.3

Compare Source

v3.10.2

Compare Source

v3.10.1

Compare Source

v3.10.0

Compare Source

v3.9.4

Compare Source

v3.9.3: Version 3.9.3

Compare Source

This is the last Django REST Framework release that will support Python 2.
Be sure to upgrade to Python 3 before upgrading to Django REST Framework 3.10.

• Adjusted the compat check for django-guardian to allow the last guardian
  version (v1.4.9) compatible with Python 2. #​6613

v3.9.2: Version 3.9.2

Compare Source

See Release Notes for details.

v3.9.1: Version 3.9.1

Compare Source

Change Notes:
https://www.django-rest-framework.org/community/release-notes/#​39x-series

v3.9.0: Verision 3.9.0

Compare Source

Release announcement:
https://www.django-rest-framework.org/community/3.9-announcement/

Change Notes:
https://www.django-rest-framework.org/community/release-notes/#​39x-series

v3.8.2: Version 3.8.2

Compare Source

Point release for 3.8.x series

• Fix read_only + default unique_together validation. #​5922
• authtoken.views import coreapi from rest_framework.compat, not directly. #​5921
• Docs: Add missing argument 'detail' to Route #​5920

v3.8.1: Version 3.8.1

Compare Source

• Use old url_name behavior in route decorators #​5915

  For list_route and detail_route maintain the old behavior of url_name,
  basing it on the url_path instead of the function name.

v3.8.0: Version 3.8

Compare Source

• Release Announcement

• 3.8.0 Milestone

• Breaking Change: Alter read_only plus default behaviour. #​5886

  read_only fields will now always be excluded from writable fields.

  Previously read_only fields with a default value would use the default for create and update operations.

  In order to maintain the old behaviour you may need to pass the value of read_only fields when calling save() in
  the view:

    def perform_create(self, serializer):
        serializer.save(owner=self.request.user)
  

  Alternatively you may override save() or create() or update() on the serialiser as appropriate.

• Correct allow_null behaviour when required=False #​5888

  Without an explicit default, allow_null implies a default of null for outgoing serialisation. Previously such
  fields were being skipped when read-only or otherwise not required.

  Possible backwards compatibility break if you were relying on such fields being excluded from the outgoing
  representation. In order to restore the old behaviour you can override data to exclude the field when None.

  For example:

    @​property
    def data(self):
        """
        Drop `maybe_none` field if None.
        """
        data = super().data()
        if 'maybe_none' in data and data['maybe_none'] is None:
            del data['maybe_none']
        return data
  

• Refactor dynamic route generation and improve viewset action introspectibility. #​5705

  ViewSets have been provided with new attributes and methods that allow
  it to introspect its set of actions and the details of the current action.

  • Merged list_route and detail_route into a single action decorator.
  • Get all extra actions on a ViewSet with .get_extra_actions().
  • Extra actions now set the url_name and url_path on the decorated method.
  • Enable action url reversing through .reverse_action() method (added in 3.7.4)
  • Example reverse call: self.reverse_action(self.custom_action.url_name)
  • Add detail initkwarg to indicate if the current action is operating on a
    collection or a single instance.

  Additional changes:

  • Deprecated list_route & detail_route in favor of action decorator with detail boolean.
  • Deprecated dynamic list/detail route variants in favor of DynamicRoute with detail boolean.
  • Refactored the router's dynamic route generation.

• Fix formatting of the 3.7.4 release note #​5704

• Docs: Update DRF Writable Nested Serializers references #​5711

• Docs: Fixed typo in auth URLs example. #​5713

• Improve composite field child errors #​5655

• Disable HTML inputs for dict/list fields #​5702

• Fix typo in HostNameVersioning doc #​5709

• Use rsplit to get module and classname for imports #​5712

• Formalize URLPatternsTestCase #​5703

• Add exception translation test #​5700

• Test staticfiles #​5701

• Add drf-yasg to documentation and schema 3rd party packages #​5720

• Remove unused compat._resolve_model() #​5733

• Drop compat workaround for unsupported Python 3.2 #​5734

• Prefer iter(dict) over iter(dict.keys()) #​5736

• Pass python_requires argument to setuptools #​5739

• Remove unused links from docs #​5735

• Prefer https protocol for links in docs when available #​5729

• Add HStoreField, postgres fields tests #​5654

• Always fully qualify ValidationError in docs #​5751

• Remove unreachable code from ManualSchema #​5766

• Allowed customising API documentation code samples #​5752

• Updated docs to use pip show #​5757

• Load 'static' instead of 'staticfiles' in templates #​5773

• Fixed a typo in fields docs #​5783

• Refer to "NamespaceVersioning" instead of "NamespacedVersioning" in the documentation #​5754

• ErrorDetail: add __eq__/__ne__ and __repr__ #​5787

• Replace background-attachment: fixed in docs #​5777

• Make 404 & 403 responses consistent with exceptions.APIException output #​5763

• Small fix to API documentation: schemas #​5796

• Fix schema generation for PrimaryKeyRelatedField #​5764

• Represent serializer DictField as an Object in schema #​5765

• Added docs example reimplementing ObtainAuthToken #​5802

• Add schema to the ObtainAuthToken view #​5676

• Fix request formdata handling #​5800

• Fix authtoken views imports #​5818

• Update pytest, isort #​5815 #​5817 #​5894

• Fixed active timezone handling for non ISO8601 datetimes. #​5833

• Made TemplateHTMLRenderer render IntegerField inputs when value is 0. #​5834

• Corrected endpoint in tutorial instructions #​5835

• Add Django Rest Framework Role Filters to Third party packages #​5809

• Use single copy of static assets. Update jQuery #​5823

• Changes ternary conditionals to be PEP308 compliant #​5827

• Added links to 'A Todo List API with React' and 'Blog API' tutorials #​5837

• Fix comment typo in ModelSerializer #​5844

• Add admin to installed apps to avoid test failures. #​5870

• Fixed schema for UUIDField in SimpleMetadata. #​5872

• Corrected docs on router include with namespaces. #​5843

• Test using model objects for dotted source default #​5880

• Allow traversing nullable related fields #​5849

• Added: Tutorial: Django REST with React (Django 2.0) #​5891

• Add LimitOffsetPagination.get_count to allow method override #​5846

• Don't show hidden fields in metadata #​5854

• Enable OrderingFilter to handle an empty tuple (or list) for the 'ordering' field. #​5899

• Added generic 500 and 400 JSON error handlers. #​5904

v3.7.7: Version 3.7.7

Compare Source

Point release for 3.7.x

Note: 3.7.5-3.7.7 fixed packaging issues introduced by changes in 3.7.4. That's it. Use 3.7.7.

v3.7.6

Compare Source

v3.7.5

Compare Source

v3.7.4: Version 3.7.4

Compare Source

Point Release for 3.7.x series.

• Schema: Extract method for manual_fields processing #​5633

  Allows for easier customisation of manual_fields processing, for example
  to provide per-method manual fields. AutoSchema adds get_manual_fields,
  as the intended override point, and a utility method update_fields, to
  handle by-name field replacement from a list, which, in general, you are not
  expected to override.

  Note: AutoSchema.__init__ now ensures manual_fields is a list.
  Previously may have been stored internally as None.

• Remove ulrparse compatability shim; use six instead #​5579

• Drop compat wrapper for TimeDelta.total_seconds() #​5577

• Clean up all whitespace throughout project #​5578

• Compat cleanup #​5581

• Add pygments CSS block in browsable API views #​5584 #​5587

• Remove set_rollback() from compat #​5591

• Fix request body/POST access #​5590

• Rename test to reference correct issue #​5610

• Documentation Fixes #​5611 #​5612

• Remove references to unsupported Django versions in docs and code #​5602

• Test Serializer exclude for declared fields #​5599

• Fixed schema generation for filter backends #​5613

• Minor cleanup for ModelSerializer tests #​5598

• Reimplement request attribute access w/ __getattr__ #​5617

• Fixed SchemaJSRenderer renders invalid Javascript #​5607

• Make Django 2.0 support official/explicit #​5619

• Perform type check on passed request argument #​5618

• Fix AttributeError hiding on request authenticators #​5600

• Update test requirements #​5626

• Docs: Serializer._declared_fields enable modifying fields on a serializer #​5629

• Fix packaging #​5624

• Fix readme rendering for PyPI, add readme build to CI #​5625

• Update tutorial #​5622

• Non-required fields with allow_null=True should not imply a default value #​5639

• Docs: Add allow_null serialization output note #​5641

• Update to use the Django 2.0 release in tox.ini #​5645

• Fix Serializer.data for Browsable API rendering when provided invalid data #​5646

• Docs: Note AutoSchema limitations on bare APIView #​5649

• Add .basename and .reverse_action() to ViewSet #​5648

• Docs: Fix typos in serializers documentation #​5652

• Fix override_settings compat #​5668

• Add DEFAULT_SCHEMA_CLASS setting #​5658

• Add docs note re generated BooleanField being required=False #​5665

• Add 'dist' build #​5656

• Fix typo in docstring #​5678

• Docs: Add UNAUTHENTICATED_USER = None note #​5679

• Update OPTIONS example from “Documenting Your API” #​5680

• Docs: Add note on object permissions for FBVs #​5681

• Docs: Add example to to_representation docs #​5682

• Add link to Classy DRF in docs #​5683

• Document ViewSet.action #​5685

• Fix schema docs typo #​5687

• Fix URL pattern parsing in schema generation #​5689

• Add example using source=‘*’ to custom field docs. #​5688

• Fix format_suffix_patterns behavior with Django 2 path() routes #​5691

See 3.7.4 Milestone

v3.7.3: Version 3.7.3

Compare Source

• Fix AppRegistryNotReady error importing contrib.auth views #​5567

v3.7.2: Version 3.7.2

Compare Source

Point release for 3.7.x

• Fixed Django 2.1 compatibility due to removal of django.contrib.auth.login()/logout() views. #​5510
• Add missing import for TextLexer. #​5512
• Adding examples and documentation for caching #​5514
• Include date and date-time format for schema generation #​5511
• Use triple backticks for markdown code blocks #​5513
• Interactive docs - make bottom sidebar items sticky #​5516
• Clarify pagination system check #​5524
• Stop JSONBoundField mangling invalid JSON #​5527
• Have JSONField render as textarea in Browsable API #​5530
• Schema: Exclude OPTIONS/HEAD for ViewSet actions #​5532
• Fix ordering for dotted sources #​5533
• Fix: Fields with allow_null=True should imply a default serialization value #​5518
• Ensure Location header is strictly a 'str', not subclass. #​5544
• Add import to example in api-guide/parsers #​5547
• Catch OverflowError for "out of range" datetimes #​5546
• Add djangorestframework-rapidjson to third party packages #​5549
• Increase test coverage for drf_create_token command #​5550
• Add trove classifier for Python 3.6 support. #​5555
• Add pip cache support to the Travis CI configuration #​5556
• Rename [wheel] section to [bdist_wheel] as the former is legacy #​5557
• Fix invalid escape sequence deprecation warnings #​5560
• Add interactive docs error template #​5548
• Add rounding parameter to DecimalField #​5562
• Fix all BytesWarning caught during tests #​5561
• Use dict and set literals instead of calls to dict() and set() #​5559
• Change ImageField validation pattern, use validators from DjangoImageField #​5539
• Fix processing unicode symbols in query_string by Python 2 #​5552

See 3.7.2 Milestone

v3.7.1: Version 3.7.1

Compare Source

• Fix Interactive documentation always uses false for boolean fields in requests #​5492
• Improve compatibility with Django 2.0 alpha. #​5500 #​5503
• Improved handling of schema naming collisions #​5486
• Added additional docs and tests around providing a default value for dotted source fields #​5489

3.7.1 Milestone

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.