Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump django-crispy-forms from 2.0 to 2.2 #10414

Merged
merged 1 commit into from
Jun 17, 2024
Merged

Bump django-crispy-forms from 2.0 to 2.2 #10414

merged 1 commit into from
Jun 17, 2024

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jun 17, 2024

Bumps django-crispy-forms from 2.0 to 2.2.

Release notes

Sourced from django-crispy-forms's releases.

2.2

  • Added support for Django 5.1.
  • Allowed pass through of context when rendering a Fieldset layout object.

Full Changelog: django-crispy-forms/django-crispy-forms@2.1...2.2

2.1

What's Changed

  • Added support for Django 5.0.
  • Dropped support for Django 3.2, 4.0 and 4.1.
  • Added support for Python 3.12.
  • Dropped support for Python 3.7.

New Contributors

Full Changelog: django-crispy-forms/django-crispy-forms@2.0...2.1

Changelog

Sourced from django-crispy-forms's changelog.

2.2 (2024-06-15)

  • Added support for Django 5.1.
  • Allowed pass through of context when rendering a Fieldset layout object.

2.1 (2023-10-15)

  • Added support for Django 5.0.
  • Dropped support for Django 3.2, 4.0 and 4.1.
  • Added support for Python 3.12.
  • Dropped support for Python 3.7.

See the 2.1 Milestone for the full change list.

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump django-crispy-forms from 2.0 to 2.2
15bd377 
Bumps [django-crispy-forms](https://github.com/django-crispy-forms/django-crispy-forms) from 2.0 to 2.2.
- [Release notes](https://github.com/django-crispy-forms/django-crispy-forms/releases)
- [Changelog](https://github.com/django-crispy-forms/django-crispy-forms/blob/main/CHANGELOG.md)
- [Commits](django-crispy-forms/django-crispy-forms@2.0...2.2)

---
updated-dependencies:
- dependency-name: django-crispy-forms
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jun 17, 2024
@dependabot dependabot bot mentioned this pull request Jun 17, 2024
Closed
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Jun 17, 2024
edited
Loading

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Server-Side Request Forgery Analyzer 0 findings
Configured Codepaths Analyzer 0 findings
IDOR Analyzer 0 findings
Sensitive Files Analyzer 1 finding
SQL Injection Analyzer 0 findings
Authn/Authz Analyzer 0 findings
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes are related to the Python package dependencies in the requirements.txt file for the DefectDojo application. The key changes include updating the django-crispy-forms package from version 2.0 to 2.2, which is a minor version update, and the presence of two outdated dependencies, django-multiselectfield and django-tagging. While the changes themselves do not directly introduce any known vulnerabilities, the presence of these outdated dependencies should be investigated further to ensure the ongoing security and stability of the application.

As an application security engineer, I would recommend the following:

  1. Dependency Management: Regularly reviewing and updating dependencies is a crucial aspect of application security. Outdated dependencies can introduce security vulnerabilities, which can be exploited by attackers. It's important to ensure that all dependencies are kept up-to-date with the latest security patches.

  2. Vulnerable Dependencies: The outdated dependencies, django-multiselectfield and django-tagging, should be reviewed for any known security issues and either updated or replaced with more secure alternatives.

  3. Secure Configuration: The requirements.txt file is used to manage the application's Python dependencies. It's important to ensure that the versions and sources of these dependencies are properly vetted and configured to avoid the introduction of malicious or compromised packages.

  4. Dependency Auditing: Implementing a regular dependency auditing process, either manually or through automated tools, can help identify and address security issues in the application's dependencies. This can include checking for known vulnerabilities, reviewing dependency sources, and ensuring that all dependencies are up-to-date.

Files Changed:

  • requirements.txt: This file contains the Python package dependencies for the DefectDojo application. The key changes include:
    • Updating the django-crispy-forms package from version 2.0 to 2.2, which is a minor version update.
    • The presence of two outdated dependencies, django-multiselectfield and django-tagging, which should be reviewed for potential security vulnerabilities and considered for replacement with more modern alternatives.

Powered by DryRun Security

mtesauro
mtesauro approved these changes Jun 17, 2024
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@mtesauro mtesauro merged commit 0b1153d into dev Jun 17, 2024
126 checks passed
@dependabot dependabot bot deleted the dependabot/pip/dev/django-crispy-forms-2.2 branch June 17, 2024 15:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mtesauro mtesauro mtesauro approved these changes

@Maffooch Maffooch Maffooch approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file python Pull requests that update Python code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mtesauro @Maffooch