RepoJournal
Django

@django

Python's batteries-included web framework


DJANGO DROPS UNSAFE JSON RESPONSE PARAMETER

By RepoJournal · Filed · About Django

Django is deprecating the safe parameter in JSONResponse, finally closing a vulnerability that JavaScript frameworks eliminated years ago.

The safe parameter, a quirk of pre-ES5 JavaScript that allowed JSON injection attacks, is being removed [1]. Every peer framework has already dropped this check. This is a straightforward deprecation path for anyone still passing safe=False to JSONResponse.

In related infrastructure work, the release script got hardened with git tag commit hashes and expanded test coverage [2], so future releases will be even more bulletproof. The security docs also got a cleanup pass to link directly to severity level definitions instead of burying context in the disclosure process [3].

On the async auth front, login() and logout() now properly update request.auser when it exists on the request object [4], completing a follow-up that started with earlier async authentication work. Documentation also got a minor fix removing outdated language about unlimited results in QuerySet.get() [5]. The djangoproject.com admin gained better security issue tracking with discovery field exposure and UTC time rendering for checklists [6] [7] [8].
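As a worked example added here (not code from Django or from the referenced commits), a small standard-library audit script that finds every call site passing the `safe=` keyword to Django's JSON response class, which is spelled `JsonResponse` in `django.http` (import aliases such as `as JR` are followed). The sample views embedded in `SAMPLE_SOURCE` are constructed for illustration; point `find_safe_usages` at real source text to get a list of call sites to plan the deprecation removal around.

```python
"""Audit helper: locate JsonResponse(..., safe=...) call sites in Python source.

Added example, not Django's own code. Uses only the standard-library ``ast``
module so it runs offline against any checkout.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Constructed sample source, written the way a Django project might write views.
SAMPLE_SOURCE = '''
from django.http import JsonResponse
from django.http import JsonResponse as JR

def items(request):
    # Non-dict top-level value: the call that relies on safe=False today.
    return JsonResponse([1, 2, 3], safe=False)

def profile(request):
    return JsonResponse({"user": "alice"})

def legacy(request):
    return JR(["a", "b"], safe=False, status=200)

def explicit(request):
    return JsonResponse({"ok": True}, safe=True)
'''

# Django's class is JsonResponse; the all-caps spelling is accepted too so the
# scanner also catches local wrappers named that way.
TARGET_NAMES = {"JsonResponse", "JSONResponse"}


@dataclass(frozen=True)
class SafeUsage:
    line: int
    func_name: str        # name used at the call site (may be an import alias)
    safe_value: object    # True / False for literals, "<expr>" for anything else


def _callable_names(tree: ast.AST) -> set[str]:
    """Collect the names under which JsonResponse is reachable in this module."""
    names = set(TARGET_NAMES)
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "django.http":
            for alias in node.names:
                if alias.name in TARGET_NAMES:
                    names.add(alias.asname or alias.name)
    return names


def find_safe_usages(source: str) -> list[SafeUsage]:
    """Return every JsonResponse call that passes the ``safe`` keyword, sorted by line."""
    tree = ast.parse(source)
    names = _callable_names(tree)
    found: list[SafeUsage] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        callee = node.func
        if isinstance(callee, ast.Attribute):      # e.g. http.JsonResponse(...)
            name = callee.attr
        elif isinstance(callee, ast.Name):         # e.g. JsonResponse(...) or JR(...)
            name = callee.id
        else:
            continue
        if name not in names:
            continue
        for kw in node.keywords:
            if kw.arg == "safe":
                value = kw.value.value if isinstance(kw.value, ast.Constant) else "<expr>"
                found.append(SafeUsage(node.lineno, name, value))
    return sorted(found, key=lambda u: u.line)


def summarize(source: str) -> dict[str, int]:
    """Count call sites by how ``safe`` is passed, to size the migration work."""
    counts = {"safe=False": 0, "safe=True": 0, "safe=<expr>": 0}
    for usage in find_safe_usages(source):
        if usage.safe_value is False:
            counts["safe=False"] += 1
        elif usage.safe_value is True:
            counts["safe=True"] += 1
        else:
            counts["safe=<expr>"] += 1
    return counts


if __name__ == "__main__":
    for usage in find_safe_usages(SAMPLE_SOURCE):
        print(f"line {usage.line}: {usage.func_name}(..., safe={usage.safe_value})")
    print(summarize(SAMPLE_SOURCE))
```

Call sites reported with `safe=False` are the ones that deliberately return a non-dict top-level value and will keep working once the keyword is gone; `safe=True` sites only restate the default and can drop the argument outright; anything non-literal needs a manual look.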

Action items

References

  [1] Fixed #36905 -- Deprecated the safe parameter of JSONResponse. (django/django)
  [2] Improved release script by adding git tag commit hash and extra tests. (django/django)
  [3] Updated links to severity levels in release notes. (django/django)
  [4] Fixed #37019 -- Updated login() and logout() to set request.auser. (django/django)
  [5] Fixed #35596 -- Removed mention of unlimited results from QuerySet.get(). (django/django)
  [6] [checklists] Expose "discovery" in SecurityIssue admin fields. (django/djangoproject.com)
  [7] [checklists] Render checklists title using UTC time. (django/djangoproject.com)
  [8] [checklists] Expose "discovery" in SecurityIssue admin fields. (django/djangoproject.com)

FAQ

What changed in Django on May 28, 2026?
Django is deprecating the safe parameter in JSONResponse, finally closing a vulnerability that JavaScript frameworks eliminated years ago.
What should Django teams do about it?
  • Review code using JSONResponse with the safe parameter and plan for its removal
  • Test async login/logout flows to confirm request.auser updates correctly
  • Run security issue audits against the updated admin checklist tools
Which Django repositories shipped on May 28, 2026?
django/django, django/djangoproject.com

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.