RepoJournal
Django

@django

Python's batteries-included web framework


DJANGO PATCHES REDIRECT LENGTH BUG AND PYTHON 3.14 TEST FAILURES

By RepoJournal · Filed · About Django

Django shipped fixes for a percent-encoded redirect length vulnerability and Python 3.14 compatibility issues that were breaking test suites.

The core fixes land in django/django this cycle: a critical redirect length check [1] now validates against percent-encoded URLs (catching bypass attempts that rely on encoding tricks), and a test compatibility fix [2] resolves failures on Python 3.14.5+ caused by upstream CPython changes. Documentation also got a clarification [3] on why setting model fields doesn't auto-convert types, a common source of subtle bugs. The redirect fix is the one to watch: it closes a security gap in how Django validates max_length on redirects, and teams relying on that validation should verify their implementations handle encoded URLs correctly.

Over on djangoproject.com, dependency updates [4] [5] rolled through: requests 2.33.1 cleans up test artifacts from CVE work, and django-debug-toolbar 6.3.0 shipped new improvements. These are routine maintenance, with no breaking changes.
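Why a redirect length check has to run on the percent-encoded URL, as an added example (not Django's code and not the patch in [1]). `MAX_REDIRECT_LENGTH`, the function names and the sample URL are assumptions made here, and the standard library's `quote` stands in for whatever encoding the framework applies before writing the Location header.

```python
from urllib.parse import quote

# Assumed limit for this example; the page does not state Django's value.
MAX_REDIRECT_LENGTH = 2048

# Left unescaped so an already valid URL is not re-encoded: reserved
# characters plus "%", which keeps existing %XX escapes intact.
_SAFE = "/#%[]=:;$&()+,!?*@'~"


class RedirectTooLong(ValueError):
    """The encoded redirect target exceeds the configured limit."""


def encoded_length(url: str) -> int:
    """Length of the URL once percent-encoded, as sent on the wire."""
    return len(quote(url, safe=_SAFE))


def naive_check(url: str, max_length: int = MAX_REDIRECT_LENGTH) -> bool:
    """The weak form: compares the raw string length only."""
    return len(url) <= max_length


def check_redirect_length(url: str, max_length: int = MAX_REDIRECT_LENGTH) -> str:
    """Return the encoded URL, or raise if the encoded form is too long."""
    encoded = quote(url, safe=_SAFE)
    if len(encoded) > max_length:
        raise RedirectTooLong(
            f"redirect is {len(encoded)} chars encoded "
            f"({len(url)} raw), limit {max_length}"
        )
    return encoded


# Constructed sample: 29 ASCII chars plus 1000 non-ASCII chars. Each "é"
# is two UTF-8 bytes, so it becomes six characters ("%C3%A9") when encoded.
SAMPLE = "https://example.com/search?q=" + "é" * 1000

if __name__ == "__main__":
    print("raw length:", len(SAMPLE), "passes naive check:", naive_check(SAMPLE))
    print("encoded length:", encoded_length(SAMPLE))
    try:
        check_redirect_length(SAMPLE)
    except RedirectTooLong as exc:
        print("rejected:", exc)
```
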

Action items

References

  [1] Fixed #37095 -- Checked maximum redirect lengths against percent-encoded URLs. (django/django)
  [2] Fixed #37096 -- Fixed test_invalid_choice_db_option on Python 3.14.5+. (django/django)
  [3] Fixed #27825 -- Doc'd that setting model fields does not convert types. (django/django)
  [4] Bump requests from 2.33.0 to 2.33.1 in /requirements (django/djangoproject.com)
  [5] Bump django-debug-toolbar from 6.2.0 to 6.3.0 in /requirements (django/djangoproject.com)

FAQ

What changed in Django on May 13, 2026?

Django shipped fixes for a percent-encoded redirect length vulnerability and Python 3.14 compatibility issues that were breaking test suites.

What should Django teams do about it?

  • Review redirect validation logic in your views if you use max_length checks
  • Merge the Python 3.14 test fix before upgrading test infrastructure
  • Update requests and django-debug-toolbar in your requirements

Which Django repositories shipped on May 13, 2026?

django/django, django/djangoproject.com
