
DJANGO TIGHTENS CSP SECURITY CHECKS AND FIXES MIGRATION EDGE CASES

By RepoJournal · Filed · About Django

Django added automatic system checks to catch misconfigured Content Security Policy middleware, while patching a critical migration bug that broke AlterField propagation through relation chains.

The framework shipped a new security system check [1] that warns developers when ContentSecurityPolicyMiddleware is enabled with CSP nonce support but the required csp context processor isn't configured, a footgun that would silently break template rendering in production. Alongside that, the ORM landed a fix [2] for AlterField migrations that failed to propagate type changes when relations used `to_field` with attribute name (attname) aliases instead of explicit field names, a subtle trap for complex model inheritance. Form media handling got smarter [3] with support for object-based stylesheet assets, letting you define media dependencies without string manipulation. On the security desk, the security.E026 check [4] was moved out of the `deploy=True` checks list after being misclassified. The docs team cleaned up the security release checklists [5] with better code formatting for future disclosure posts [6], and added a RegexValidator to the CVE year field [7] so that created issues stay compatible with the CVE sort key. If you're using CSP nonces or complex migration chains, these fixes matter. If you're shipping form media objects soon, this is your green light.
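To make the CSP footgun concrete, the following is an added, stand-alone illustration of the kind of consistency check described above; it is a simplified reimplementation written for this page, not Django's own check code, and it runs without Django. It assumes the Django 6.0 settings layout (`SECURE_CSP` / `SECURE_CSP_REPORT_ONLY` dicts with a `DIRECTIVES` key, `django.middleware.csp.ContentSecurityPolicyMiddleware`, and the `django.template.context_processors.csp` context processor); the `NONCE` sentinel and the two settings dicts are constructed here to stand in for Django's `CSP.NONCE` and a real project's settings.

```python
"""Constructed example: flag a CSP nonce configuration whose templates cannot
render the nonce because the csp context processor is missing.

This mirrors the idea of Django's new system check but is not Django's code.
"""

# Real Django identifiers (Django 6.0+).
CSP_MIDDLEWARE = "django.middleware.csp.ContentSecurityPolicyMiddleware"
CSP_CONTEXT_PROCESSOR = "django.template.context_processors.csp"
DJANGO_TEMPLATE_BACKEND = "django.template.backends.django.DjangoTemplates"

# Stand-in for django.utils.csp.CSP.NONCE so the example runs without Django.
NONCE = "<CSP_NONCE_SENTINEL>"


def _policy_uses_nonce(policy):
    """True if any directive value in a SECURE_CSP-style dict is the nonce sentinel."""
    if not policy:
        return False
    for values in policy.get("DIRECTIVES", {}).values():
        if isinstance(values, (list, tuple)) and NONCE in values:
            return True
    return False


def check_csp_nonce_context_processor(settings):
    """Return a list of warning strings; an empty list means the config is consistent.

    Only fires when all three hold: the CSP middleware is installed, at least one
    CSP policy requests a nonce, and a Django template engine lacks the csp
    context processor (so ``{{ csp_nonce }}`` would render empty and nonce-tagged
    inline scripts/styles would be blocked by the browser).
    """
    warnings = []
    if CSP_MIDDLEWARE not in settings.get("MIDDLEWARE", []):
        return warnings
    if not (_policy_uses_nonce(settings.get("SECURE_CSP"))
            or _policy_uses_nonce(settings.get("SECURE_CSP_REPORT_ONLY"))):
        return warnings
    for engine in settings.get("TEMPLATES", []):
        if engine.get("BACKEND") != DJANGO_TEMPLATE_BACKEND:
            continue  # only the Django backend consumes context processors
        processors = engine.get("OPTIONS", {}).get("context_processors", [])
        if CSP_CONTEXT_PROCESSOR not in processors:
            warnings.append(
                f"{engine.get('NAME') or engine['BACKEND']}: CSP nonce is enabled but "
                f"'{CSP_CONTEXT_PROCESSOR}' is not in this engine's context_processors."
            )
    return warnings


def _base_settings(context_processors):
    """Constructed project settings; only the processor list varies between cases."""
    return {
        "MIDDLEWARE": [
            "django.middleware.security.SecurityMiddleware",
            CSP_MIDDLEWARE,
        ],
        "SECURE_CSP": {
            "DIRECTIVES": {
                "default-src": ["'self'"],
                "script-src": ["'self'", NONCE],
            }
        },
        "TEMPLATES": [{
            "BACKEND": DJANGO_TEMPLATE_BACKEND,
            "OPTIONS": {"context_processors": list(context_processors)},
        }],
    }


# Misconfigured: nonce requested, processor missing.
BROKEN_SETTINGS = _base_settings([
    "django.template.context_processors.request",
])

# Corrected: the csp context processor is present.
FIXED_SETTINGS = _base_settings([
    "django.template.context_processors.request",
    CSP_CONTEXT_PROCESSOR,
])


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_SETTINGS), ("fixed", FIXED_SETTINGS)):
        print(label, check_csp_nonce_context_processor(cfg) or "OK")
```

In a real project the equivalent is simply running `python manage.py check` after enabling the middleware; the point of the example is which three conditions have to coincide before the warning is worth raising, so that a report-only policy without nonces, or a Jinja2 engine, does not produce noise.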

References

  [1] Fixed #37084 -- Added CSP nonce context processor system check. (django/django)
  [2] Fixed #37060 -- Propagated AlterField through attname-based to_field … (django/django)
  [3] Fixed #37085 -- Added support for object-based form media stylesheet assets. (django/django)
  [4] Refs #15727 -- Moved security.E026 out of list of deploy=True checks. (django/django)
  [5] [checklists] Minor improvements following recent security release. (django/djangoproject.com)
  [6] [checklists] Minor corrections to security checklist bullets. (django/djangoproject.com)
  [7] [checklists] Added RegexValidator to cve_year_number to ensure created issues are compatible with cve_sort_key. (django/djangoproject.com)

FAQ

What changed in Django on May 8, 2026?
Django added automatic system checks to catch misconfigured Content Security Policy middleware, while patching a critical migration bug that broke AlterField propagation through relation chains.
What should Django teams do about it?

  • Review the ContentSecurityPolicyMiddleware setup to confirm the csp context processor is configured
  • Test any migrations with AlterField on transitive relations that use to_field
  • Update form media definitions to use object-based assets where applicable
Which Django repositories shipped on May 8, 2026?
django/django, django/djangoproject.com

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.