CVE-2023-36053: Updated the Django requirement #10
Conversation
Codecov Report

@@            Coverage Diff             @@
##           development     #10     +/-   ##
==============================================
  Coverage      100.00%  100.00%
==============================================
  Files              25       14     -11
  Lines             486      231    -255
  Branches           26       26
==============================================
- Hits              486      231    -255

Flags with carried forward coverage won't be shown.
LGTM. However, we should probably figure out how or even whether to deal with vulnerabilities of this kind in the future as we're basically only providing a library based on Django, which in turn is only a dev requirement. We're not forcing anyone to install a vulnerable Django version via the install requirements in Nevertheless, 👍 for fixing the requirements and test workflow.
That is a valid argument, indeed. I don't know whether we can configure the dependabot within the project settings, but at least it should be possible to use a YAML-based configuration to define certain rules and behaviours. So maybe we can figure out how to restrict the checks to the
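One way to scope Dependabot along the lines discussed above, shown here as an added example and not the project's own configuration: a `.github/dependabot.yml` that only opens update pull requests for the dependencies a consumer of the library actually installs. The package ecosystem, directory and schedule below are assumptions about the project layout; a dev-only Django pin used for the test suite would then fall outside the `production` scope.

```yaml
# .github/dependabot.yml (added example, not the project's configuration)
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"            # assumption: requirement files live in the repo root
    schedule:
      interval: "weekly"
    # Restrict update PRs to dependencies shipped to users of the library.
    # Development-only requirements (for example a Django version pinned
    # for running the tests) are left out of these checks.
    allow:
      - dependency-type: "production"
```

Whether a given pip requirement counts as "production" or "development" depends on how Dependabot classifies the requirement files it finds, so the split between install requirements and test requirements should be checked against the resulting PRs before relying on it.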
This PR addresses the CVE-2023-36053 that was fixed in Django 3.2.20. Therefore the requirements for the project have been updated to the most recent Django 3.2 version.
In addition, I stumbled across various other problems that occurred when running the CI jobs:

- `3.6 with arch x64 not found`: I guess the Python version was removed from the GitHub action. As Python 3.6 and also 3.7 have reached their end-of-life, I removed them from the GitHub actions and tox configuration.
- `tox-factor` doesn't support it yet. As tox 4 has a builtin `factor` flag, I removed `tox-factor` from the test setup.

Testing
Check whether the runserver can be started and test that basic features are functional. Even without a JIRA backend, create a test poker session and some tickets within the Django admin.
If you are starting with a blank project setup, run the following commands before:
```shell
npm install
npm run build
python manage.py createsuperuser  # optional
python manage.py migrate
```