dj-plotly-dash
dj-plotly-dash copied to clipboard
pikhovkin
Pin django to latest version 6.0
This PR pins Django to the latest release 6.0.
Changelog
6.0
========================
*December 3, 2025*
Welcome to Django 6.0!
These release notes cover the :ref:`new features <whats-new-6.0>`, as well as
some :ref:`backwards incompatible changes <backwards-incompatible-6.0>` you
should be aware of when upgrading from Django 5.2 or earlier. We've
:ref:`begun the deprecation process for some features
<deprecated-features-6.0>`.
See the :doc:`/howto/upgrade-version` guide if you're updating an existing
project.
Python compatibility
====================
Django 6.0 supports Python 3.12, 3.13, and 3.14. We **highly recommend**, and
only officially support, the latest release of each series.
The Django 5.2.x series is the last to support Python 3.10 and 3.11.
Third-party library support for older versions of Django
========================================================
Following the release of Django 6.0, we suggest that third-party app authors
drop support for all versions of Django prior to 5.2. At that time, you should
be able to run your package's tests using ``python -Wd`` so that deprecation
warnings appear. After making the deprecation warning fixes, your app should be
compatible with Django 6.0.
.. _whats-new-6.0:
What's new in Django 6.0
========================
Content Security Policy support
-------------------------------
Built-in support for the :ref:`Content Security Policy (CSP) <security-csp>`
standard is now available, making it easier to protect web applications against
content injection attacks such as cross-site scripting (XSS). CSP allows
declaring trusted sources of content by giving browsers strict rules about
which scripts, styles, images, or other resources can be loaded.
CSP policies can now be enforced or monitored directly using built-in tools:
headers are added via the
:class:`~django.middleware.csp.ContentSecurityPolicyMiddleware`, nonces are
supported through the :func:`~django.template.context_processors.csp` context
processor, and policies are configured using the :setting:`SECURE_CSP` and
:setting:`SECURE_CSP_REPORT_ONLY` settings.
These settings accept Python dictionaries and support Django-provided constants
for clarity and safety. For example::
from django.utils.csp import CSP
SECURE_CSP = {
"default-src": [CSP.SELF],
"script-src": [CSP.SELF, CSP.NONCE],
"img-src": [CSP.SELF, "https:"],
}
The resulting ``Content-Security-Policy`` header would be set to:
.. code-block:: text
default-src 'self'; script-src 'self' 'nonce-SECRET'; img-src 'self' https:
To get started, follow the :doc:`CSP how-to guide </howto/csp>`. For in-depth
guidance, see the :ref:`CSP security overview <security-csp>` and the
:doc:`reference docs </ref/csp>`, which include details about decorators to
override or disable policies on a per-view basis.
Template Partials
-----------------
The :ref:`Django Template Language <template-language-intro>` now supports
:ref:`template partials <template-partials>`, making it easier to encapsulate
and reuse small named fragments within a template file. The new tags
:ttag:`{% partialdef %} <partialdef>` and :ttag:`{% partial %} <partial>`
define a partial and render it, respectively.
Partials can also be referenced using the ``template_namepartial_name`` syntax
with :func:`~django.template.Engine.get_template`,
:func:`~django.shortcuts.render`, :ttag:`{% include %}<include>`, and other
template-loading tools, enabling more modular and maintainable templates
without needing to split components into separate files.
A `migration guide`_ is available if you're updating from the
:pypi:`django-template-partials` third-party package.
.. _migration guide: https://github.com/carltongibson/django-template-partials/blob/main/Migration.md
Background Tasks
----------------
Django now includes a built-in Tasks framework for running code outside the
HTTP request–response cycle. This enables offloading work, such as sending
emails or processing data, to background workers.
The framework provides task definition, validation, queuing, and result
handling. Django guarantees consistent behavior for creating and managing
tasks, while the responsibility for running them continues to belong to
external worker processes.
Tasks are defined using the :func:`~django.tasks.task` decorator::
from django.core.mail import send_mail
from django.tasks import task
task
def email_users(emails, subject, message):
return send_mail(subject, message, None, emails)
Once defined, tasks can be enqueued through a configured backend::
email_users.enqueue(
emails=["userexample.com"],
subject="You have a message",
message="Hello there!",
)
Backends are configured via the :setting:`TASKS` setting. The :ref:`two
built-in backends <task-available-backends>` included in this release are
primarily intended for development and testing.
Django handles task creation and queuing, but does not provide a worker
mechanism to run tasks. Execution must be managed by external infrastructure,
such as a separate process or service.
See :doc:`/topics/tasks` for an overview and the :doc:`Tasks reference
</ref/tasks>` for API details.
Adoption of Python's modern email API
-------------------------------------
Email handling in Django now uses Python's modern email API, introduced in
Python 3.6. This API, centered around the
:class:`email.message.EmailMessage` class, offers a cleaner and
Unicode-friendly interface for composing and sending emails. It replaces use of
Python's older legacy (``Compat32``) API, which relied on lower-level MIME
classes (from :mod:`email.mime`) and required more manual handling of
message structure and encoding.
Notably, the return type of the :meth:`EmailMessage.message()
<django.core.mail.EmailMessage.message>` method is now an instance of Python's
:class:`email.message.EmailMessage`. This supports the same API as the
previous ``SafeMIMEText`` and ``SafeMIMEMultipart`` return types, but is not an
instance of those now-deprecated classes.
Minor features
--------------
:mod:`django.contrib.admin`
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The Font Awesome Free icon set (version 6.7.2) is now used for the admin
interface icons.
* The new :attr:`.AdminSite.password_change_form` attribute allows customizing
the form used in the admin site password change view.
* Message levels ``messages.DEBUG`` and ``messages.INFO`` now have distinct
icons and CSS styling. Previously, both levels shared the same appearance as
``messages.SUCCESS``. Given that :meth:`.ModelAdmin.message_user` uses
``messages.INFO`` by default, set the level to ``messages.SUCCESS`` to keep
the previous icon and styling.
:mod:`django.contrib.auth`
~~~~~~~~~~~~~~~~~~~~~~~~~~
* The default iteration count for the PBKDF2 password hasher is increased from
1,000,000 to 1,200,000.
:mod:`django.contrib.gis`
~~~~~~~~~~~~~~~~~~~~~~~~~
* The new :attr:`.GEOSGeometry.hasm` property checks whether the geometry has
the M dimension.
* The new :class:`~django.contrib.gis.db.models.functions.Rotate` database
function rotates a geometry by a specified angle around the origin or a
specified point.
* The new :attr:`.BaseGeometryWidget.base_layer` attribute allows specifying a
JavaScript map base layer, enabling customization of map tile providers.
* :lookup:`coveredby` and :lookup:`isvalid` lookups,
:class:`~django.contrib.gis.db.models.Collect` aggregation, and
:class:`~django.contrib.gis.db.models.functions.GeoHash` and
:class:`~django.contrib.gis.db.models.functions.IsValid` database functions
are now supported on MariaDB 12.0.1+.
* The new :lookup:`geom_type` lookup and
:class:`GeometryType() <django.contrib.gis.db.models.functions.GeometryType>`
database function allow filtering geometries by their types.
* Widgets from :mod:`django.contrib.gis.forms.widgets` now render without
inline JavaScript in templates. If you have customized any geometry widgets
or their templates, you may need to :ref:`update them
<geometry-widgets-customization>` to match the new layout.
:mod:`django.contrib.postgres`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The new :class:`Lexeme <django.contrib.postgres.search.Lexeme>` expression
for full text search provides fine-grained control over search terms.
``Lexeme`` objects automatically escape their input and support logical
combination operators (``&``, ``|``, ``~``), prefix matching, and term
weighting.
* Model fields, indexes, and constraints from :mod:`django.contrib.postgres`
now include system checks to verify that ``django.contrib.postgres`` is an
installed app.
* The :class:`.CreateExtension`, :class:`.BloomExtension`,
:class:`.BtreeGinExtension`, :class:`.BtreeGistExtension`,
:class:`.CITextExtension`, :class:`.CryptoExtension`,
:class:`.HStoreExtension`, :class:`.TrigramExtension`, and
:class:`.UnaccentExtension` operations now support the optional ``hints``
parameter. This allows providing database hints to database routers to assist
them in :ref:`making routing decisions <topics-db-multi-db-hints>`.
:mod:`django.contrib.staticfiles`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* :class:`~django.contrib.staticfiles.storage.ManifestStaticFilesStorage` now
ensures consistent path ordering in manifest files, making them more
reproducible and reducing unnecessary diffs.
* The :djadmin:`collectstatic` command now reports only a summary for skipped
files (and for deleted files when using ``--clear``) at ``--verbosity`` 1. To
see per-file details for either case, set ``--verbosity`` to 2 or higher.
Email
~~~~~
* The new ``policy`` argument for :meth:`EmailMessage.message()
<django.core.mail.EmailMessage.message>` allows specifying the email policy,
the set of rules for updating and serializing the representation of the
message. Defaults to :data:`email.policy.default`.
* :meth:`EmailMessage.attach() <django.core.mail.EmailMessage.attach>` now
accepts a :class:`~email.message.MIMEPart` object from Python's modern email
API.
Internationalization
~~~~~~~~~~~~~~~~~~~~
* Added support and translations for the Haitian Creole language.
Management Commands
~~~~~~~~~~~~~~~~~~~
* The :djadmin:`startproject` and :djadmin:`startapp` commands now create the
custom target directory if it doesn't exist.
* Common utilities, such as ``django.conf.settings``, are now automatically
imported to the :djadmin:`shell` by default.
Migrations
~~~~~~~~~~
* Squashed migrations can now themselves be squashed before being transitioned
to normal migrations.
* Migrations now support serialization of :class:`zoneinfo.ZoneInfo` instances.
* Serialization of deconstructible objects now supports keyword arguments with
names that are not valid Python identifiers.
Models
~~~~~~
* :doc:`Constraints </ref/models/constraints>` now implement a ``check()``
method that is already registered with the check framework.
* The new ``order_by`` argument for :class:`~django.db.models.Aggregate` allows
specifying the ordering of the elements in the result.
* The new :attr:`.Aggregate.allow_order_by` class attribute determines whether
the aggregate function allows passing an ``order_by`` keyword argument.
* The new :class:`~django.db.models.StringAgg` aggregate returns the input
values concatenated into a string, separated by the ``delimiter`` string.
This aggregate was previously supported only for PostgreSQL.
* The :meth:`~django.db.models.Model.save` method now raises a specialized
:exc:`Model.NotUpdated <django.db.models.Model.NotUpdated>` exception, when
:ref:`a forced update <ref-models-force-insert>` results in no affected rows,
instead of a generic :exc:`django.db.DatabaseError`.
* :meth:`.QuerySet.raw` now supports models with a
:class:`~django.db.models.CompositePrimaryKey`.
* Subqueries returning a :class:`~django.db.models.CompositePrimaryKey` can now
be used as the target of lookups other than ``__in``, such as ``__exact``.
* :class:`~django.db.models.JSONField` now supports
:ref:`negative array indexing <key-index-and-path-transforms>` on SQLite.
* The new :class:`~django.db.models.AnyValue` aggregate returns an arbitrary
value from the non-null input values. This is supported on SQLite, MySQL,
Oracle, and PostgreSQL 16+.
* :class:`~django.db.models.GeneratedField`\s and :ref:`fields assigned
expressions <avoiding-race-conditions-using-f>` are now refreshed from the
database after :meth:`~django.db.models.Model.save` on backends that support
the ``RETURNING`` clause (SQLite, PostgreSQL, and Oracle). On backends that
don't support it (MySQL and MariaDB), the fields are marked as deferred to
trigger a refresh on subsequent accesses.
* Using a :ref:`ForeignObject <cpk-and-relations>` with multiple
``from_fields`` in Model indexes, constraints, or :attr:`unique_together
<django.db.models.Options.unique_together>` now emits a system check error.
Pagination
~~~~~~~~~~
* The new :class:`~django.core.paginator.AsyncPaginator` and
:class:`~django.core.paginator.AsyncPage` provide async implementations of
:class:`~django.core.paginator.Paginator` and
:class:`~django.core.paginator.Page` respectively.
Requests and Responses
~~~~~~~~~~~~~~~~~~~~~~
* Multiple ``Cookie`` headers are now supported for HTTP/2 requests when
running with ASGI.
Templates
~~~~~~~~~
* The new variable ``forloop.length`` is now available within a :ttag:`for`
loop.
* The :ttag:`querystring` template tag now consistently prefixes the returned
query string with a ``?``, ensuring reliable link generation behavior.
* The :ttag:`querystring` template tag now accepts multiple positional
arguments, which must be mappings, such as :class:`~django.http.QueryDict`
or :class:`dict`.
Tests
~~~~~
* The :class:`.DiscoverRunner` now supports parallel test execution on systems
using the ``forkserver`` :mod:`multiprocessing` start method.
.. _backwards-incompatible-6.0:
Backwards incompatible changes in 6.0
=====================================
Database backend API
--------------------
This section describes changes that may be needed in third-party database
backends.
* :class:`~django.db.backends.base.schema.BaseDatabaseSchemaEditor` and
PostgreSQL backends no longer use ``CASCADE`` when dropping a column.
* ``DatabaseOperations.return_insert_columns()`` and
``DatabaseOperations.fetch_returned_insert_rows()`` methods are renamed to
``returning_columns()`` and ``fetch_returned_rows()``, respectively, to
denote they can be used in the context of ``UPDATE … RETURNING`` statements
as well as ``INSERT … RETURNING``.
* The ``DatabaseOperations.fetch_returned_insert_columns()`` method is removed
and the ``fetch_returned_rows()`` method replacing
``fetch_returned_insert_rows()`` expects both a ``cursor`` and
``returning_params`` to be provided, just like
``fetch_returned_insert_columns()`` did.
* If the database supports ``UPDATE … RETURNING`` statements, backends can set
``DatabaseFeatures.can_return_rows_from_update=True``.
Dropped support for MariaDB 10.5
--------------------------------
Upstream support for MariaDB 10.5 ends in June 2025. Django 6.0 supports
MariaDB 10.6 and higher.
Dropped support for Python < 3.12
---------------------------------
Because Python 3.12 is now the minimum supported version for Django, any
optional dependencies must also meet that requirement. The following versions
of each library are the first to add or confirm compatibility with Python 3.12:
* ``aiosmtpd`` 1.4.5
* ``argon2-cffi`` 23.1.0
* ``bcrypt`` 4.1.1
* ``docutils`` 0.22
* ``geoip2`` 4.8.0
* ``Pillow`` 10.1.0
* ``mysqlclient`` 2.2.1
* ``numpy`` 1.26.0
* ``PyYAML`` 6.0.2
* ``psycopg`` 3.1.12
* ``psycopg2`` 2.9.9
* ``redis-py`` 5.1.0
* ``selenium`` 4.23.0
* ``sqlparse`` 0.5.0
* ``tblib`` 3.0.0
Email
-----
* The undocumented ``mixed_subtype`` and ``alternative_subtype`` properties
of :class:`~django.core.mail.EmailMessage` and
:class:`~django.core.mail.EmailMultiAlternatives` are no longer supported.
* The undocumented ``encoding`` property of
:class:`~django.core.mail.EmailMessage` no longer supports Python legacy
:class:`email.charset.Charset` objects.
* As the internal implementations of :class:`~django.core.mail.EmailMessage`
and :class:`~django.core.mail.EmailMultiAlternatives` have changed
significantly, closely examine any custom subclasses that rely on overriding
undocumented, internal underscore methods.
``DEFAULT_AUTO_FIELD`` setting now defaults to ``BigAutoField``
---------------------------------------------------------------
Since Django 3.2, when the :setting:`DEFAULT_AUTO_FIELD` setting was added,
the default :djadmin:`startproject` template's ``settings.py`` contained::
DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"
and the default :djadmin:`startapp` template's ``AppConfig`` contained::
default_auto_field = "django.db.models.BigAutoField"
At that time, the default value of :setting:`DEFAULT_AUTO_FIELD` remained
:class:`django.db.models.AutoField` for backwards compatibility.
In Django 6.0, :setting:`DEFAULT_AUTO_FIELD` now defaults to
:class:`django.db.models.BigAutoField` and the aforementioned lines in the
project and app templates are removed.
Most projects shouldn't be affected, since Django 3.2 has raised the system
check warning **models.W042** for projects that don't set
:setting:`DEFAULT_AUTO_FIELD`.
If you haven't dealt with this warning by now, add
``DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'`` to your project's
settings, or ``default_auto_field = 'django.db.models.AutoField'`` to an app's
``AppConfig``, as needed.
Custom ORM expressions should return params as a tuple
------------------------------------------------------
Prior to Django 6.0, :doc:`custom lookups </howto/custom-lookups>` and
:ref:`custom expressions <writing-your-own-query-expressions>` implementing the
``as_sql()`` method (and its supporting methods ``process_lhs()`` and
``process_rhs()``) were allowed to return a sequence of params in either a list
or a tuple. To address the interoperability problems that resulted, the second
return element of the ``as_sql()`` method should now be a tuple::
def as_sql(self, compiler, connection) -> tuple[str, tuple]: ...
If your custom expressions support multiple versions of Django, you should
adjust any pre-processing of parameters to be resilient against either tuples
or lists. For instance, prefer unpacking like this::
params = (*lhs_params, *rhs_params)
Miscellaneous
-------------
* The :ref:`JSON <serialization-formats-json>` serializer now writes a newline
at the end of the output, even without the ``indent`` option set.
* The undocumented ``django.utils.http.parse_header_parameters()`` function is
refactored to use Python's :class:`email.message.Message` for parsing.
Input headers exceeding 10000 characters will now raise :exc:`ValueError`.
* The minimum supported version of ``asgiref`` is increased from 3.8.1 to
3.9.1.
.. _deprecated-features-6.0:
Features deprecated in 6.0
==========================
Positional arguments in ``django.core.mail`` APIs
-------------------------------------------------
:mod:`django.core.mail` APIs now require keyword arguments for less commonly
used parameters. Using positional arguments for these now emits a deprecation
warning and will raise a :exc:`TypeError` when the deprecation period ends:
* All *optional* parameters (``fail_silently`` and later) must be passed as
keyword arguments to :func:`.get_connection`, :func:`.mail_admins`,
:func:`.mail_managers`, :func:`.send_mail`, and :func:`.send_mass_mail`.
* All parameters must be passed as keyword arguments when creating an
:class:`.EmailMessage` or :class:`.EmailMultiAlternatives` instance, except
for the first four (``subject``, ``body``, ``from_email``, and ``to``), which
may still be passed either as positional or keyword arguments.
Miscellaneous
-------------
* ``BaseDatabaseCreation.create_test_db(serialize)`` is deprecated. Use
``serialize_db_to_string()`` instead.
* The PostgreSQL ``StringAgg`` class is deprecated in favor of the generally
available :class:`~django.db.models.StringAgg` class.
* The PostgreSQL ``OrderableAggMixin`` is deprecated in favor of the
``order_by`` attribute now available on the
:class:`~django.db.models.Aggregate` class.
* The default protocol in :tfilter:`urlize` and :tfilter:`urlizetrunc` will
change from HTTP to HTTPS in Django 7.0. Set the transitional setting
:setting:`URLIZE_ASSUME_HTTPS` to ``True`` to opt into assuming HTTPS during
the Django 6.x release cycle.
* The :setting:`URLIZE_ASSUME_HTTPS` transitional setting is deprecated.
* Setting :setting:`ADMINS` or :setting:`MANAGERS` to a list of (name, address)
tuples is deprecated. Set to a list of email address strings instead. Django
never used the name portion. To include a name, format the address string as
``'"Name" <address>'`` or use Python's :func:`email.utils.formataddr`.
* Support for the ``orphans`` argument being larger than or equal to the
``per_page`` argument of :class:`django.core.paginator.Paginator` and
:class:`django.core.paginator.AsyncPaginator` is deprecated.
* Using a percent sign in a column alias or annotation is deprecated.
* Support for passing Python's legacy email :class:`~email.mime.base.MIMEBase`
object to
:meth:`EmailMessage.attach() <django.core.mail.EmailMessage.attach>` (or
including one in the message's ``attachments`` list) is deprecated. For
complex attachments requiring additional headers or parameters, switch to the
modern email API's :class:`~email.message.MIMEPart`.
* The ``django.core.mail.BadHeaderError`` exception is deprecated. Python's
modern email raises a :exc:`!ValueError` for email headers containing
prohibited characters.
* The ``django.core.mail.SafeMIMEText`` and ``SafeMIMEMultipart`` classes are
deprecated.
* The undocumented ``django.core.mail.forbid_multi_line_headers()`` and
``django.core.mail.message.sanitize_address()`` functions are deprecated.
Features removed in 6.0
=======================
These features have reached the end of their deprecation cycle and are removed
in Django 6.0.
See :ref:`deprecated-features-5.0` for details on these changes, including how
to remove usage of these features.
* Support for passing positional arguments to ``BaseConstraint`` is removed.
* The ``DjangoDivFormRenderer`` and ``Jinja2DivFormRenderer`` transitional form
renderers are removed.
* ``BaseDatabaseOperations.field_cast_sql()`` is removed.
* ``request`` is required in the signature of ``ModelAdmin.lookup_allowed()``
subclasses.
* Support for calling ``format_html()`` without passing args or kwargs is
removed.
* The default scheme for ``forms.URLField`` has changed from ``"http"`` to
``"https"``.
* The ``FORMS_URLFIELD_ASSUME_HTTPS`` transitional setting is removed.
* The ``django.db.models.sql.datastructures.Join`` no longer falls back to
``get_joining_columns()``.
* The ``get_joining_columns()`` method of ``ForeignObject`` and
``ForeignObjectRel`` is removed.
* The ``ForeignObject.get_reverse_joining_columns()`` method is removed.
* Support for ``cx_Oracle`` is removed.
* The ``ChoicesMeta`` alias to ``django.db.models.enums.ChoicesType`` is
removed.
* The ``Prefetch.get_current_queryset()`` method is removed.
* The ``get_prefetch_queryset()`` method of related managers and descriptors is
removed.
* ``get_prefetcher()`` and ``prefetch_related_objects()`` no longer fall back
to ``get_prefetch_queryset()``.
See :ref:`deprecated-features-5.1` for details on these changes, including how
to remove usage of these features.
* ``django.urls.register_converter()`` no longer allows overriding existing
converters.
* The ``ModelAdmin.log_deletion()`` and ``LogEntryManager.log_action()``
methods are removed.
* The undocumented ``django.utils.itercompat.is_iterable()`` function and the
``django.utils.itercompat`` module are removed.
* The ``django.contrib.gis.geoip2.GeoIP2.coords()`` method is removed.
* The ``django.contrib.gis.geoip2.GeoIP2.open()`` method is removed.
* Support for passing positional arguments to ``Model.save()`` and
``Model.asave()`` is removed.
* The setter for ``django.contrib.gis.gdal.OGRGeometry.coord_dim`` is removed.
* The ``check`` keyword argument of ``CheckConstraint`` is removed.
* The ``get_cache_name()`` method of ``FieldCacheMixin`` is removed.
* The ``OS_OPEN_FLAGS`` attribute of
:class:`~django.core.files.storage.FileSystemStorage` is removed.
==========================
5.2.9
==========================
*December 2, 2025*
Django 5.2.9 fixes one security issue with severity "high", one security issue
with severity "moderate", and several bugs in 5.2.8.
CVE-2025-13372: Potential SQL injection in ``FilteredRelation`` column aliases on PostgreSQL
============================================================================================
:class:`.FilteredRelation` was subject to SQL injection in column aliases,
using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias` on
PostgreSQL.
CVE-2025-64460: Potential denial-of-service vulnerability in XML ``Deserializer``
=================================================================================
:ref:`XML Serialization <serialization-formats-xml>` was subject to a potential
denial-of-service attack due to quadratic time complexity when deserializing
crafted documents containing many nested invalid elements. The internal helper
``django.core.serializers.xml_serializer.getInnerText()`` previously
accumulated inner text inefficiently during recursion. It now collects text per
element, avoiding excessive resource usage.
Bugfixes
========
* Fixed a bug in Django 5.2 where
``django.utils.feedgenerator.Stylesheet.__str__()`` did not escape
the ``url``, ``mimetype``, and ``media`` attributes, potentially leading
to invalid XML markup (:ticket:`36733`).
* Fixed a bug in Django 5.2 on PostgreSQL where ``bulk_create()`` did not apply
a field's custom query placeholders (:ticket:`36748`).
* Fixed a regression in Django 5.2.2 that caused a crash when using aggregate
functions with an empty ``Q`` filter over a queryset with annotations
(:ticket:`36751`).
* Fixed a regression in Django 5.2.8 where ``DisallowedRedirect`` was raised by
:class:`~django.http.HttpResponseRedirect` and
:class:`~django.http.HttpResponsePermanentRedirect` for URLs longer than 2048
characters. The limit is now 16384 characters (:ticket:`36743`).
* Fixed a crash on Python 3.14+ that prevented template tag functions from
being registered when their type annotations required deferred evaluation
(:ticket:`36712`).
==========================
5.2.8
==========================
*November 5, 2025*
Django 5.2.8 fixes one security issue with severity "high", one security issue
with severity "moderate", and several bugs in 5.2.7. It also adds compatibility
with Python 3.14.
CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
======================================================================================================================================
Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
denial-of-service attack via certain inputs with a very large number of Unicode
characters (follow up to :cve:`2025-27556`).
CVE-2025-64459: Potential SQL injection via ``_connector`` keyword argument
===========================================================================
:meth:`.QuerySet.filter`, :meth:`~.QuerySet.exclude`, :meth:`~.QuerySet.get`,
and :class:`~.Q` were subject to SQL injection using a suitably crafted
dictionary, with dictionary expansion, as the ``_connector`` argument.
Bugfixes
========
* Added compatibility for ``oracledb`` 3.4.0 (:ticket:`36646`).
* Fixed a bug in Django 5.2 where ``QuerySet.first()`` and ``QuerySet.last()``
raised an error on querysets performing aggregation that selected all fields
of a composite primary key (:ticket:`36648`).
* Fixed a bug in Django 5.2 where proxy models having a ``CompositePrimaryKey``
incorrectly raised a ``models.E042`` system check error (:ticket:`36704`).
==========================
5.2.7
==========================
*October 1, 2025*
Django 5.2.7 fixes one security issue with severity "high", one security issue
with severity "low", and one bug in 5.2.6. Also, the latest string translations
from Transifex are incorporated.
CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB
======================================================================================================================================
:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.alias`,
:meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject
to SQL injection in column aliases, using a suitably crafted dictionary, with
dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to
:cve:`2022-28346`).
CVE-2025-59682: Potential partial directory-traversal via ``archive.extract()``
===============================================================================
The ``django.utils.archive.extract()`` function, used by
:option:`startapp --template` and :option:`startproject --template`, allowed
partial directory-traversal via an archive with file paths sharing a common
prefix with the target directory (follow up to :cve:`2021-3281`).
Bugfixes
========
* Fixed a regression in Django 5.2 that reduced the color contrast of
the chosen label of ``filter_horizontal`` and ``filter_vertical`` widgets
within a ``TabularInline`` (:ticket:`36601`).
==========================
5.2.6
==========================
*September 3, 2025*
Django 5.2.6 fixes a security issue with severity "high" and one bug in 5.2.5.
CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
==============================================================================
:class:`.FilteredRelation` was subject to SQL injection in column aliases,
using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
Bugfixes
========
* Fixed a bug where using ``QuerySet.values()`` or ``values_list()`` with a
``ForeignObject`` composed of multiple fields returned incorrect results
instead of tuples of the referenced fields (:ticket:`36431`).
==========================
5.2.5
==========================
*August 6, 2025*
Django 5.2.5 fixes several bugs in 5.2.4.
Bugfixes
========
* Fixed a regression in Django 5.2.1 that prevented the usage of ``UNNEST``
PostgreSQL strategy of ``QuerySet.bulk_create()`` with foreign keys
(:ticket:`36502`).
* Fixed a crash in Django 5.2 when filtering against a composite primary key
using a tuple containing expressions (:ticket:`36522`).
* Fixed a crash in Django 5.2 when validating a model that uses
``GeneratedField`` or constraints composed of ``Q`` and ``Case`` lookups
(:ticket:`36518`).
* Added compatibility for ``docutils`` 0.22 (:ticket:`36535`).
* Fixed a crash in Django 5.2 when using a ``ManyToManyField`` on a model with
a composite primary key, by extending the ``fields.E347`` system check
(:ticket:`36530`).
==========================
5.2.4
==========================
*July 2, 2025*
Django 5.2.4 fixes several bugs in 5.2.3.
Bugfixes
========
* Fixed a regression in Django 5.2.2 where
:meth:`HttpRequest.get_preferred_type() <django.http.HttpRequest.get_preferred_type>`
incorrectly preferred more specific media types with a lower quality
(:ticket:`36447`).
* Fixed a regression in Django 5.2.3 where ``Value(None, JSONField())`` used in
a :class:`~django.db.models.expressions.When` condition was incorrectly
serialized as SQL ``NULL`` instead of JSON ``null`` (:ticket:`36453`).
* Fixed a crash in Django 5.2 when performing an ``__in`` lookup involving a
composite primary key and a subquery on backends that lack native support for
tuple lookups (:ticket:`36464`).
==========================
5.2.3
==========================
*June 10, 2025*
Django 5.2.3 fixes several bugs in 5.2.2. Also, the latest string translations
from Transifex are incorporated.
Bugfixes
========
* Fixed a log injection possibility by migrating remaining response logging
to ``django.utils.log.log_response()``, which safely escapes arguments such
as the request path to prevent unsafe log output (:cve:`2025-48432`).
* Fixed a regression in Django 5.2 that caused :meth:`.QuerySet.bulk_update` to
incorrectly convert ``None`` to JSON ``null`` instead of SQL ``NULL`` for
``JSONField`` (:ticket:`36419`).
* Fixed a regression in Django 5.2.2 where the ``q`` parameter was removed from
the internal ``django.http.MediaType.params`` property (:ticket:`36446`).
==========================
5.2.2
==========================
*June 4, 2025*
Django 5.2.2 fixes a security issue with severity "low" and several bugs in
5.2.1.
CVE-2025-48432: Potential log injection via unescaped request path
==================================================================
Internal HTTP response logging used ``request.path`` directly, allowing control
characters (e.g. newlines or ANSI escape sequences) to be written unescaped
into logs. This could enable log injection or forgery, letting attackers
manipulate log appearance or structure, especially in logs processed by
external systems or viewed in terminals.
Although this does not directly impact Django's security model, it poses risks
when logs are consumed or interpreted by other tools. To fix this, the internal
``django.utils.log.log_response()`` function now escapes all positional
formatting arguments using a safe encoding.
Bugfixes
========
* Fixed a crash when using ``select_related`` against a ``ForeignObject``
originating from a model with a ``CompositePrimaryKey`` (:ticket:`36373`).
* Fixed a bug in Django 5.2 where subqueries using ``"pk"`` to reference models
with a ``CompositePrimaryKey`` failed to raise ``ValueError`` when too many
or too few columns were selected (:ticket:`36392`).
* Fixed a regression in Django 5.2 that caused a crash when no arguments were
passed into ``QuerySet.union()`` (:ticket:`36388`).
* Fixed a regression in Django 5.2 where subclasses of ``RemoteUserMiddleware``
that had overridden ``process_request()`` were no longer supported
(:ticket:`36390`).
* Fixed a regression in Django 5.2 that caused a crash when using ``OuterRef``
in the ``filter`` argument of an ``Aggregate`` expression (:ticket:`36404`).
* Fixed a regression in Django 5.2 that caused a crash when using ``OuterRef``
in PostgreSQL aggregate functions ``ArrayAgg``, ``StringAgg``, and
``JSONBAgg`` (:ticket:`36405`).
* Fixed a regression in Django 5.2 where admin's ``filter_horizontal`` buttons
lacked ``type="button"``, causing them to intercept form submission when
pressing the Enter key (:ticket:`36423`).
* Fixed a bug in Django 5.2 where calling ``QuerySet.in_bulk()`` with an
``id_list`` argument on models with a ``CompositePrimaryKey`` failed to
observe database parameter limits (:ticket:`36416`).
* Fixed a bug in Django 5.2 where :meth:`HttpRequest.get_preferred_type()
<django.http.HttpRequest.get_preferred_type>` did not account for media type
parameters in ``Accept`` headers, reducing specificity in content negotiation
(:ticket:`36411`).
* Fixed a regression in Django 5.2 that caused a crash when using
``QuerySet.prefetch_related()`` to prefetch a foreign key with a ``Prefetch``
queryset for a subclass of the foreign target (:ticket:`36432`).
==========================
5.2.1
==========================
*May 7, 2025*
Django 5.2.1 fixes a security issue with severity "moderate" and several bugs
in 5.2.
This release was built using an upgraded :pypi:`setuptools`, producing
filenames compliant with :pep:`491` and :pep:`625` and thus addressing a PyPI
warning about non-compliant distribution filenames. This change only affects
the Django packaging process and does not impact Django's behavior.
CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
=================================================================
:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is used to
implement the :tfilter:`striptags` template filter, which was thus also
vulnerable.
:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
exception if it encounters an unusually large number of unclosed opening tags.
Bugfixes
========
* Fixed a regression in Django 5.2 that caused a crash when annotating
aggregate expressions over query that uses explicit grouping by transforms
followed by field references (:ticket:`36292`).
* Fixed a regression in Django 5.2 that caused unnecessary queries when
prefetching nullable foreign key relationships (:ticket:`36290`).
* Fixed a regression in Django 5.2 that caused a crash of
``QuerySet.bulk_create()`` with nullable geometry fields on PostGIS
(:ticket:`36289`).
* Fixed a regression in Django 5.2 that caused fields to be incorrectly
selected when using ``QuerySet.alias()`` after ``values()``
(:ticket:`36299`).
* Fixed a data corruption possibility in ``file_move_safe()`` when
``allow_overwrite=True``, where leftover content from a previously larger
file could remain after overwriting with a smaller one due to lack of
truncation (:ticket:`36298`).
* Fixed a regression in Django 5.2 that caused a crash when using
``QuerySet.select_for_update(of=(…))`` with ``values()/values_list()``
including expressions (:ticket:`36301`).
* Fixed a regression in Django 5.2 that caused improper values to be returned
from ``QuerySet.values_list()`` when duplicate field names were specified
(:ticket:`36288`).
* Fixed a regression in Django 5.2 where the password validation error message
from ``MinimumLengthValidator`` was not translated when using non-English
locales (:ticket:`36314`).
* Fixed a regression in Django 5.2 that caused the ``object-tools`` block to be
rendered twice when using custom admin templates with overridden blocks due
to changes in the base admin page block structure (:ticket:`36331`).
* Fixed a regression in Django 5.2, introduced when fixing :cve:`2025-26699`,
where the :tfilter:`wordwrap` template filter did not preserve empty lines
between paragraphs after wrapping text (:ticket:`36341`).
* Fixed a regression in Django 5.2 that caused a crash when serializing email
alternatives or attachments due to named tuple mismatches (:ticket:`36309`).
* Fixed a regression in Django 5.2 that caused a crash when using ``update()``
on a ``QuerySet`` filtered against a related model and including references
to annotations through ``values()`` (:ticket:`36360`).
* Fixed a bug in Django 5.2 that caused composite primary key introspection to
wrongly identify ``IntegerField`` as ``AutoField`` on SQLite
(:ticket:`36358`).
* Fixed a bug in Django 5.2 that caused a redundant ``unique_together``
constraint to be generated for composite primary keys when using
:djadmin:`inspectdb` (:ticket:`36357`).
========================
5.2
========================
*April 2, 2025*
Welcome to Django 5.2!
These release notes cover the :ref:`new features <whats-new-5.2>`, as well as
some :ref:`backwards incompatible changes <backwards-incompatible-5.2>` you
should be aware of when upgrading from Django 5.1 or earlier. We've
:ref:`begun the deprecation process for some features
<deprecated-features-5.2>`.
See the :doc:`/howto/upgrade-version` guide if you're updating an existing
project.
Django 5.2 is designated as a :term:`long-term support release
<Long-term support release>`. It will receive security updates for at least
three years after its release. Support for the previous LTS, Django 4.2, will
end in April 2026.
Python compatibility
====================
Django 5.2 supports Python 3.10, 3.11, 3.12, 3.13, and 3.14 (as of 5.2.8). We
**highly recommend** and only officially support the latest release of each
series.
.. _whats-new-5.2:
What's new in Django 5.2
========================
Automatic models import in the ``shell``
----------------------------------------
The :djadmin:`shell` management command now automatically imports models from
all installed apps. You can view further details of the imported objects by
setting the ``--verbosity`` flag to 2 or more:
.. console::
$ python -Wall manage.py shell --verbosity=2
6 objects imported automatically, including:
from django.contrib.admin.models import LogEntry
from django.contrib.auth.models import Group, Permission, User
from django.contrib.contenttypes.models import ContentType
from django.contrib.sessions.models import Session
This :ref:`behavior can be customized <customizing-shell-auto-imports>` to add
or remove automatic imports.
Composite Primary Keys
----------------------
The new :class:`django.db.models.CompositePrimaryKey` allows tables to be
created with a primary key consisting of multiple fields.
To use a composite primary key, when defining a model set the ``pk`` attribute
to be a ``CompositePrimaryKey``::
from django.db import models
class Release(models.Model):
pk = models.CompositePrimaryKey("version", "name")
version = models.IntegerField()
name = models.CharField(max_length=20)
See :doc:`/topics/composite-primary-key` for more details.
Simplified override of :class:`~django.forms.BoundField`
--------------------------------------------------------
Prior to version 5.2, overriding :meth:`.Field.get_bound_field` was the only
option to use a custom :class:`~django.forms.BoundField`. Django now supports
specifying the following attributes to customize form rendering:
* :attr:`.BaseRenderer.bound_field_class` at the project level,
* :attr:`.Form.bound_field_class` at the form level, and
* :attr:`.Field.bound_field_class` at the field level.
For example, to customize the ``BoundField`` of a ``Form`` class::
from django import forms
class CustomBoundField(forms.BoundField):
custom_class = "custom"
def css_classes(self, extra_classes=None):
result = super().css_classes(extra_classes)
if self.custom_class not in result:
result += f" {self.custom_class}"
return result.strip()
class CustomForm(forms.Form):
bound_field_class = CustomBoundField
name = forms.CharField(
label="Your Name",
max_length=100,
required=False,
widget=forms.TextInput(attrs={"class": "name-input-class"}),
)
email = forms.EmailField(label="Your Email")
When rendering a ``CustomForm`` instance, the following HTML is included:
.. code:: html
<div class="custom">
<label for="id_name">Your Name:</label>
<input type="text" name="name" class="name-input-class" maxlength="100" id="id_name">
</div>
<div class="custom">
<label for="id_email">Your Email:</label>
<input type="email" name="email" maxlength="320" required="" id="id_email">
</div>
See :ref:`custom-boundfield` for more details about this feature.
Minor features
--------------
:mod:`django.contrib.admin`
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The ``admin/base.html`` template now has a new block
:ref:`extrabody <extrabody>` for adding custom code before the closing
``</body>`` tag.
* The value of a :class:`~django.db.models.URLField` now renders as a link.
:mod:`django.contrib.admindocs`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Links to components in docstrings now supports custom link text, using the
format ``:role:`link text <link>. See :ref:`documentation helpers
<admindocs-helpers>` for more details.
* The :ref:`model pages <admindocs-model-reference>` are now restricted to
users with the corresponding view or change permissions.
:mod:`django.contrib.auth`
~~~~~~~~~~~~~~~~~~~~~~~~~~
* The default iteration count for the PBKDF2 password hasher is increased from
870,000 to 1,000,000.
* The following new asynchronous methods are now provided, using an ``a``
prefix:
* :meth:`.UserManager.acreate_user`
* :meth:`.UserManager.acreate_superuser`
* :meth:`.BaseUserManager.aget_by_natural_key`
* :meth:`.User.aget_user_permissions`
* :meth:`.User.aget_all_permissions`
* :meth:`.User.aget_group_permissions`
* :meth:`.User.ahas_perm`
* :meth:`.User.ahas_perms`
* :meth:`.User.ahas_module_perms`
* :meth:`.ModelBackend.aauthenticate`
* :meth:`.ModelBackend.aget_user_permissions`
* :meth:`.ModelBackend.aget_group_permissions`
* :meth:`.ModelBackend.aget_all_permissions`
* :meth:`.ModelBackend.ahas_perm`
* :meth:`.ModelBackend.ahas_module_perms`
* :meth:`.RemoteUserBackend.aauthenticate`
* :meth:`.RemoteUserBackend.aconfigure_user`
* Auth backends can now provide async implementations which are used when
calling async auth functions (e.g.
:func:`~.django.contrib.auth.aauthenticate`) to reduce context-switching
which improves performance. See :ref:`adding an async interface
<writing-authentication-backends-async-interface>` for more details.
* The :ref:`password validator classes <included-password-validators>`
now have a new method ``get_error_message()``, which can be overridden in
subclasses to customize the error messages.
:mod:`django.contrib.gis`
~~~~~~~~~~~~~~~~~~~~~~~~~
* GDAL now supports curved geometries ``CurvePolygon``, ``CompoundCurve``,
``CircularString``, ``MultiSurface``, and ``MultiCurve`` via the new
:attr:`.OGRGeometry.has_curve` property, and the
:meth:`.OGRGeometry.get_linear_geometry` and
:meth:`.OGRGeometry.get_curve_geometry` methods.
* :lookup:`coveredby` and :lookup:`covers` lookup are now supported on MySQL.
:mod:`django.contrib.syndication`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* All :class:`~django.utils.feedgenerator.SyndicationFeed` classes now support
a ``stylesheets`` attribute. If specified, an ``<? xml-stylesheet ?>``
processing instruction will be added to the top of the document for each
stylesheet in the given list. See :ref:`feed-stylesheets` for more details.
Database backends
~~~~~~~~~~~~~~~~~
* MySQL connections now default to using the ``utf8mb4`` character set,
instead of ``utf8``, which is an alias for the deprecated character set
``utf8mb3``.
* Oracle backends now support :ref:`connection pools <oracle-pool>`, by setting
``"pool"`` in the :setting:`OPTIONS` part of your database configuration.
Decorators
~~~~~~~~~~
* :func:`~django.utils.decorators.method_decorator` now supports wrapping
asynchronous view methods.
Email
~~~~~
* Tuple items of :class:`EmailMessage.attachments
<django.core.mail.EmailMessage>` and
:class:`EmailMultiAlternatives.attachments
<django.core.mail.EmailMultiAlternatives>` are now named tuples, as opposed
to regular tuples.
* :attr:`EmailMultiAlternatives.alternatives
<django.core.mail.EmailMultiAlternatives.alternatives>` is now a list of
named tuples, as opposed to regular tuples.
* The new :meth:`~django.core.mail.EmailMultiAlternatives.body_contains` method
returns a boolean indicating whether a provided text is contained in the
email ``body`` and in all attached MIME type ``text/*`` alternatives.
Error Reporting
~~~~~~~~~~~~~~~
* The attribute :attr:`.SafeExceptionReporterFilter.hidden_settings` now
treats values as sensitive if their name includes ``AUTH``.
Forms
~~~~~
* The new :class:`~django.forms.ColorInput` form widget is for entering a color
in ``rrggbb`` hexadecimal format and renders as ``<input type="color" ...>``.
Some browsers support a visual color picker interface for this input type.
* The new :class:`~django.forms.SearchInput` form widget is for entering search
queries and renders as ``<input type="search" ...>``.
* The new :class:`~django.forms.TelInput` form widget is for entering telephone
numbers and renders as ``<input type="tel" ...>``.
* The new ``field_id`` argument for :class:`~django.forms.ErrorList` allows an
HTML ``id`` attribute to be added in the error template. See
:attr:`.ErrorList.field_id` for details.
* An :attr:`~django.forms.BoundField.aria_describedby` property is added to
``BoundField`` to ease use of this HTML attribute in templates.
* To improve accessibility for screen reader users ``aria-describedby`` is used
to associate form fields with their error messages. See
:ref:`how form errors are displayed <form-error-display>` for details.
* The new asset object :class:`~django.forms.Script` is available for adding
custom HTML-attributes to JavaScript in form media. See
:ref:`paths as objects <form-media-asset-objects>` for more details.
Management Commands
~~~~~~~~~~~~~~~~~~~
* A new warning is displayed when running :djadmin:`runserver`, indicating that
it is unsuitable for production. This warning can be suppressed by setting
the :envvar:`DJANGO_RUNSERVER_HIDE_WARNING` environment variable to
``"true"``.
* The :djadmin:`makemigrations` and :djadmin:`migrate` commands have a new
``Command.autodetector`` attribute for subclasses to override in order to use
a custom autodetector class.
* The new :meth:`.BaseCommand.get_check_kwargs` method can be overridden in
custom commands to control the running of system checks, e.g. to opt into
database-dependent checks.
Migrations
~~~~~~~~~~
* The new operation :class:`.AlterConstraint` is a no-op operation that alters
constraints without dropping and recreating constraints in the database.
Models
~~~~~~
* The ``SELECT`` clause generated when using :meth:`.QuerySet.values` and
:meth:`.QuerySet.values_list` now matches the specified order of the
referenced expressions. Previously, the order was based on a set of
counterintuitive rules which made query combination through methods such as
:meth:`.QuerySet.union` unpredictable.
* Added support for validation of model constraints which use a
:class:`~django.db.models.GeneratedField`.
* The new :attr:`.Expression.set_returning` attribute specifies that the
expression contains a set-returning function, enforcing subquery evaluation.
This is necessary for many Postgres set-returning functions.
* :attr:`CharField.max_length <django.db.models.CharField.max_length>` is no
longer required to be set on SQLite, which supports unlimited ``VARCHAR``
columns.
* :meth:`.QuerySet.explain` now supports the ``memory`` and ``serialize``
options on PostgreSQL 17+.
* The new :class:`~django.db.models.functions.JSONArray` database function
accepts a list of field names or expressions and returns a JSON array
containing those values.
* The new :attr:`.Expression.allows_composite_expressions` attribute specifies
that the expression allows composite expressions, for example, to support
:ref:`composite primary keys <cpk-and-database-functions>`.
Requests and Responses
~~~~~~~~~~~~~~~~~~~~~~
* The new :attr:`.HttpResponse.text` property provides the string
representation of :attr:`.HttpResponse.content`.
* The new :meth:`.HttpRequest.get_preferred_type` method can be used to query
the preferred media type the client accepts.
* The new ``preserve_request`` argument for
:class:`~django.http.HttpResponseRedirect` and
:class:`~django.http.HttpResponsePermanentRedirect`
determines whether the HTTP status codes 302/307 or 301/308 are used,
respectively.
* The new ``preserve_request`` argument for
:func:`~django.shortcuts.redirect` allows to instruct the user agent to reuse
the HTTP method and body during redirection using specific status codes.
Serialization
~~~~~~~~~~~~~
* Each serialization format now defines a ``Deserializer`` class, rather than a
function, to improve extensibility when defining a
:ref:`custom serialization format <custom-serialization-formats>`.
Templates
~~~~~~~~~
* The new :meth:`~django.template.Library.simple_block_tag` decorator enables
the creation of simple block tags, which can accept and use a section of the
template.
Tests
~~~~~
* Stack frames from Django's custom assertions are now hidden. This makes test
failures easier to read and enables :option:`test --pdb` to directly enter
into the failing test method.
* Data loaded from :attr:`~django.test.TransactionTestCase.fixtures` and from
migrations enabled with :ref:`serialized_rollback=True
<test-case-serialized-rollback>` are now available during
``TransactionTestCase.setUpClass()``.
URLs
~~~~
* :func:`~django.urls.reverse` and :func:`~django.urls.reverse_lazy` now accept
``query`` and ``fragment`` keyword arguments, allowing the addition of a
query string and/or fragment identifier in the generated URL, respectively.
Utilities
~~~~~~~~~
* :class:`~django.utils.safestring.SafeString` now returns
:data:`NotImplemented` in ``__add__`` for non-string right-hand side
values. This aligns with the :class:`str` addition behavior and allows
``__radd__`` to be used if available.
* :func:`~django.utils.html.format_html_join` now supports taking an iterable
of mappings, passing their contents as keyword arguments to
:func:`~django.utils.html.format_html`.
.. _backwards-incompatible-5.2:
Backwards incompatible changes in 5.2
=====================================
Database backend API
--------------------
This section describes changes that may be needed in third-party database
backends.
* The new :meth:`Model._is_pk_set() <django.db.models.Model._is_pk_set>` method
allows checking if a Model instance's primary key is defined.
* ``BaseDatabaseOperations.adapt_decimalfield_value()`` is now a no-op, simply
returning the given value.
:mod:`django.contrib.gis`
-------------------------
* Support for PostGIS 3.0 is removed.
* Support for GDAL 3.0 is removed.
Dropped support for PostgreSQL 13
---------------------------------
Upstream support for PostgreSQL 13 ends in November 2025. Django 5.2 supports
PostgreSQL 14 and higher.
Changed MySQL connection character set default
----------------------------------------------
MySQL connections now default to using the ``utf8mb4`` character set, instead
of ``utf8``, which is an alias for the deprecated character set ``utf8mb3``.
``utf8mb3`` can be specified in the ``OPTIONS`` part of the ``DATABASES``
setting, if needed for legacy databases.
Miscellaneous
-------------
* Adding :attr:`.EmailMultiAlternatives.alternatives` is now only supported via
the :meth:`~.EmailMultiAlternatives.attach_alternative` method.
* The minimum supported version of ``gettext`` is increased from 0.15 to 0.19.
* ``HttpRequest.accepted_types`` is now sorted by the client's preference,
based on the request's ``Accept`` header.
* The attributes :attr:`.UniqueConstraint.violation_error_code` and
:attr:`.UniqueConstraint.violation_error_message` are now always used when
provided. Previously, they were ignored if :attr:`.UniqueConstraint.fields`
was set without a :attr:`.UniqueConstraint.condition`.
* The :func:`~django.template.context_processors.debug` context processor is no
longer included in the default project template.
* The following methods now have ``alters_data=True`` set to prevent side
effects when :ref:`rendering a template context <alters-data-description>`:
* :meth:`.UserManager.create_user`
* :meth:`.UserManager.acreate_user`
* :meth:`.UserManager.create_superuser`
* :meth:`.UserManager.acreate_superuser`
* :meth:`.QuerySet.create`
* :meth:`.QuerySet.acreate`
* :meth:`.QuerySet.bulk_create`
* :meth:`.QuerySet.abulk_create`
* :meth:`.QuerySet.get_or_create`
* :meth:`.QuerySet.aget_or_create`
* :meth:`.QuerySet.update_or_create`
* :meth:`.QuerySet.aupdate_or_create`
* The minimum supported version of ``oracledb`` is increased from 1.3.2 to
2.3.0.
* Built-in aggregate functions accepting only one argument (``Avg``, ``Count``,
``Max``, ``Min``, ``StdDev``, ``Sum``, and ``Variance``) now raise
:exc:`TypeError` when called with an incorrect number of arguments.
.. _deprecated-features-5.2:
Features deprecated in 5.2
==========================
Miscellaneous
-------------
* The ``all`` argument for the ``django.contrib.staticfiles.finders.find()``
function is deprecated in favor of the ``find_all`` argument.
* Fallbacks to ``request.user`` and ``request.auser()`` when ``user`` is
``None`` in ``django.contrib.auth.login()`` and
``django.contrib.auth.alogin()``, respectively, are deprecated.
* The ``ordering`` keyword argument of the PostgreSQL specific aggregation
functions ``django.contrib.postgres.aggregates.ArrayAgg``,
``django.contrib.postgres.aggregates.JSONBAgg``, and
``django.contrib.postgres.aggregates.StringAgg`` is deprecated in favor
of the ``order_by`` argument.
* Support for subclasses of ``RemoteUserMiddleware`` that override
``process_request()`` without overriding ``aprocess_request()`` is
deprecated.
===========================
5.1.15
===========================
*December 2, 2025*
Django 5.1.15 fixes one security issue with severity "high", one security issue
with severity "moderate", and one bug in 5.1.14.
CVE-2025-13372: Potential SQL injection in ``FilteredRelation`` column aliases on PostgreSQL
============================================================================================
:class:`.FilteredRelation` was subject to SQL injection in column aliases,
using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias` on
PostgreSQL.
CVE-2025-64460: Potential denial-of-service vulnerability in XML ``Deserializer``
=================================================================================
:ref:`XML Serialization <serialization-formats-xml>` was subject to a potential
denial-of-service attack due to quadratic time complexity when deserializing
crafted documents containing many nested invalid elements. The internal helper
``django.core.serializers.xml_serializer.getInnerText()`` previously
accumulated inner text inefficiently during recursion. It now collects text per
element, avoiding excessive resource usage.
Bugfixes
========
* Fixed a regression in Django 5.1.14 where ``DisallowedRedirect`` was raised
by :class:`~django.http.HttpResponseRedirect` and
:class:`~django.http.HttpResponsePermanentRedirect` for URLs longer than 2048
characters. The limit is now 16384 characters (:ticket:`36743`).
===========================
5.1.14
===========================
*November 5, 2025*
Django 5.1.14 fixes one security issue with severity "high" and one security
issue with severity "moderate" in 5.1.13.
CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
======================================================================================================================================
Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
denial-of-service attack via certain inputs with a very large number of Unicode
characters (follow up to :cve:`2025-27556`).
CVE-2025-64459: Potential SQL injection via ``_connector`` keyword argument
===========================================================================
:meth:`.QuerySet.filter`, :meth:`~.QuerySet.exclude`, :meth:`~.QuerySet.get`,
and :class:`~.Q` were subject to SQL injection using a suitably crafted
dictionary, with dictionary expansion, as the ``_connector`` argument.
===========================
5.1.13
===========================
*October 1, 2025*
Django 5.1.13 fixes one security issue with severity "high" and one security
issue with severity "low" in 5.1.12.
CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB
======================================================================================================================================
:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.alias`,
:meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject
to SQL injection in column aliases, using a suitably crafted dictionary, with
dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to
:cve:`2022-28346`).
CVE-2025-59682: Potential partial directory-traversal via ``archive.extract()``
===============================================================================
The ``django.utils.archive.extract()`` function, used by
:option:`startapp --template` and :option:`startproject --template`, allowed
partial directory-traversal via an archive with file paths sharing a common
prefix with the target directory (follow up to :cve:`2021-3281`).
===========================
5.1.12
===========================
*September 3, 2025*
Django 5.1.12 fixes a security issue with severity "high" in 5.1.11.
CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
==============================================================================
:class:`.FilteredRelation` was subject to SQL injection in column aliases,
using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
===========================
5.1.11
===========================
*June 10, 2025*
Django 5.1.11 fixes a potential log injection issue in 5.1.10.
Bugfixes
========
* Fixed a log injection possibility by migrating remaining response logging
to ``django.utils.log.log_response()``, which safely escapes arguments such
as the request path to prevent unsafe log output (:cve:`2025-48432`).
===========================
5.1.10
===========================
*June 4, 2025*
Django 5.1.10 fixes a security issue with severity "low" in 5.1.9.
CVE-2025-48432: Potential log injection via unescaped request path
==================================================================
Internal HTTP response logging used ``request.path`` directly, allowing control
characters (e.g. newlines or ANSI escape sequences) to be written unescaped
into logs. This could enable log injection or forgery, letting attackers
manipulate log appearance or structure, especially in logs processed by
external systems or viewed in terminals.
Although this does not directly impact Django's security model, it poses risks
when logs are consumed or interpreted by other tools. To fix this, the internal
``django.utils.log.log_response()`` function now escapes all positional
formatting arguments using a safe encoding.
==========================
