RepoJournal
Django

@django

Python's batteries-included web framework

Pick a date

  1. Tue 5 may
  2. Wed 6 may
  3. Thu 7 may
  4. Fri 8 may
  5. Sat 9 may
  6. Sun 10 may
  7. Mon 11 may
  8. Tue 12 may
  9. Wed 13 may
  10. Thu 14 may
  11. Fri 15 may
  12. Sat 16 may
  13. Sun 17 may
  14. Mon 18 may
  15. Tue 19 may
  16. Wed 20 may
  17. Thu 21 may
  18. Sat 23 may
  19. Sun 24 may
  20. Mon 25 may
  21. Tue 26 may
  22. Wed 27 may
  23. Thu 28 may
  24. Fri 29 may
  25. Sat 30 may
  26. Sun 31 may
  27. Mon 1 jun
  28. Mon 8 jun
  29. Tue 9 jun
  30. Today 10 jun

The Wire · Showcase

DJANGO TIGHTENS REDIRECT LIMITS AND CRYPTO DEFAULTS

By RepoJournal · Filed · About Django

Django now lets you override hardcoded redirect URL length caps, while quietly deprecating SHA-1 as the default hash algorithm ahead of a breaking change in 7.0.

The headline story: HttpResponseRedirect and the redirect() shortcut now accept an optional max_length parameter [1], finally giving you control over URL length validation instead of hitting a wall. This ships with a sensible default but lets you disable the limit entirely for edge cases that demand it. Separately, Django is deprecating SHA-1 as the default algorithm for salted_hmac() and base64_hmac() [2]—the shift to SHA-256 lands in 7.0, so any custom crypto code relying on implicit SHA-1 needs attention now. On the accessibility front, AdminDate Widget buttons now carry proper Aria labels [3], closing a long-standing a11y gap that affects screen reader users. The ecosystem page also corrected a routing error: django-impersonate was pointing to an unmaintained fork; the original repository is now the official link [4]. Documentation cleanup continued with outdated iterator() notes removed .

Action items

References

  1. [1] Fixed #36767 -- Allowed max redirect URL length to be set on HttpResponseRedirect. ↗ django/django
  2. [2] Fixed #37078 -- Deprecated SHA-1 default for salted_hmac() and base64_hmac() algorithm. django/django
  3. [3] Fixed #36459 -- Added Aria labels to the buttons inside the AdminDate Widget. ↗ django/django
  4. [4] Link maintained version of django-impersonate django/djangoproject.com

FAQ

What changed in Django on May 5, 2026?
Django now lets you override hardcoded redirect URL length caps, while quietly deprecating SHA-1 as the default hash algorithm ahead of a breaking change in 7.0.
What should Django teams do about it?
Audit code using salted_hmac() or base64_hmac() — add explicit algorithm='sha256' before Django 7.0 • If you've hit redirect URL limits, test the new max_length parameter in your next sprint • Update any bookmarks or docs pointing to django-impersonate — use the maintained original repo
Which Django repositories shipped on May 5, 2026?
django/django, django/djangoproject.com

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.