Update Django to resolve Dependabot alerts - Dec 2024 #807

Open
1 of 3 tasks
jsjiang opened this issue Dec 11, 2024 · 1 comment
Comments

@jsjiang
Contributor

jsjiang commented Dec 11, 2024

There are two security alerts:

  1. Dependabot alert #157
     Django SQL injection in HasKey(lhs, rhs) on Oracle
     • Severity: High
     • Solution: Upgrade Django to version 4.2.17 or later.
  2. Dependabot alert #158
     Django denial-of-service in django.utils.html.strip_tags()
     • Severity: Moderate 6.6/10
     • Solution: Upgrade Django to 4.2.17

Current Django version: 4.2.15

  • Review the Django 4.2.17 release notes
  • Upgrade Django
  • Test
jsjiang changed the title from "Update Django to resolve Dependabot alerts" to "Update Django to resolve Dependabot alerts - Dec 2024" on Dec 12, 2024
@jsjiang
Contributor Author

jsjiang commented Dec 12, 2024

  • Created branch 807_upgrade_django_4.2.17
  • Ran the poetry add django@4.2.17 command to manually upgrade Django to 4.2.17 - 12/12
  • Compared the changes

(ezid-py311) CDL-jjiang-9m:ezid jjiang$ poetry add django@4.2.17

Updating dependencies
Resolving dependencies... (0.1s)

Package operations: 0 installs, 12 updates, 0 removals

  - Downgrading six (1.17.0 -> 1.16.0)
  - Downgrading amqp (5.3.1 -> 5.2.0)
  - Downgrading charset-normalizer (3.4.0 -> 3.3.2)
  - Downgrading botocore (1.35.79 -> 1.35.29)
  - Downgrading sqlparse (0.5.3 -> 0.5.1)
  - Downgrading cryptography (44.0.0 -> 43.0.1)
  - Downgrading markupsafe (3.0.2 -> 2.1.5)
  - Downgrading mysqlclient (2.2.6 -> 2.2.4)
  - Downgrading opensearch-py (2.8.0 -> 2.7.1)
  - Downgrading s3transfer (0.10.4 -> 0.10.2)
  - Downgrading boto3 (1.35.79 -> 1.35.29)
  - Downgrading sqlalchemy (2.0.36 -> 2.0.35)

Writing lock file

The changes:

(ezid-py311) CDL-jjiang-9m:ezid jjiang$ git diff
diff --git a/poetry.lock b/poetry.lock
index 81d9620d..dfe62adb 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -501,13 +501,13 @@ test-randomorder = ["pytest-randomly"]
 
 [[package]]
 name = "django"
-version = "4.2.16"
+version = "4.2.17"
 description = "A high-level Python web framework that encourages rapid development and clean, pragmatic design."
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "Django-4.2.16-py3-none-any.whl", hash = "sha256:1ddc333a16fc139fd253035a1606bb24261951bbc3a6ca256717fa06cc41a898"},
-    {file = "Django-4.2.16.tar.gz", hash = "sha256:6f1616c2786c408ce86ab7e10f792b8f15742f7b7b7460243929cb371e7f1dad"},
+    {file = "Django-4.2.17-py3-none-any.whl", hash = "sha256:3a93350214ba25f178d4045c0786c61573e7dbfa3c509b3551374f1e11ba8de0"},
+    {file = "Django-4.2.17.tar.gz", hash = "sha256:6b56d834cc94c8b21a8f4e775064896be3b4a4ca387f2612d4406a5927cd2fdc"},
 ]
 
 [package.dependencies]
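Review bot: the lock file was already pinning django 4.2.16 before this change (the removed `version = "4.2.16"` line), while the issue description says the current Django version is 4.2.15; worth confirming what is actually deployed with `poetry show django` or `python -c "import django; print(django.get_version())"` so the "before" state in the ticket is accurate. The new wheel and sdist entries carry sha256 hashes, so the 4.2.17 artifacts are integrity-pinned by the lock, which is the right outcome for a security upgrade.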
@@ -1442,4 +1442,4 @@ files = [
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.11"
-content-hash = "f7c1267d5563336334602aeb63c400a6f2d97200e18b761dcb39c3399ae63d65"
+content-hash = "e7eeb05e2f8a1eccfff89b3df4f392538572dfa70b5f830e5e8993cc253cc7b1"
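Review bot: the content-hash update is expected because pyproject.toml changed, and nothing else in poetry.lock moved. That means the twelve "Downgrading ..." operations in the poetry output above (six, amqp, cryptography, mysqlclient and so on) are not lock changes but the local virtualenv being brought back in line with versions the lock already pinned; the diff confirms this upgrade touches Django only, which is what a minimal security bump should look like.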
diff --git a/pyproject.toml b/pyproject.toml
index 38900397..5f3ec3bf 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -38,7 +38,7 @@ packages = [
 
 [tool.poetry.dependencies]
 python = "^3.11"
-django = "^4.2.15"
+django = "4.2.17"
 aiomysql = "^0.2.0"
 mysqlclient = "^2.2.4"
 boto3 = "^1.35.29"
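Review bot: replacing `django = "^4.2.15"` with `django = "4.2.17"` turns a caret range into an exact pin. The alerts only require 4.2.17 "or later", so an exact pin means the next Dependabot fix (4.2.18 and up) will need another pyproject.toml edit instead of a plain `poetry update django`; if the intent is just to raise the floor, `django = "^4.2.17"` (or `>=4.2.17,<4.3`) keeps patch releases reachable while still excluding the vulnerable versions. If an exact pin is deliberate, say so in the commit message.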
