DJANGO PATCHES COOKIE SECURITY FLAW, CLEANS UP DEPRECATION DEBT
By RepoJournal
Django moved fast on CVE-2026-6873, shifting the deprecation timeline for SIGNED_COOKIE_LEGACY_SALT_FALLBACK as the framework tightens its security posture.
The cookie vulnerability fix [1] lands alongside a broader cleanup of deprecation warnings that have been cluttering the codebase. Django removed asgiref coroutine detection shims from tests [2], a follow-up to earlier refactoring that modernizes how the framework handles async operations. Three additional deprecation notices hit the wire in quick succession: select_related() called without arguments [3] now properly warns developers before it becomes an error, the safe parameter in JSONResponse [4] got its missing deprecation banner, and a smaller but useful fix made Action directly importable from django.contrib.admin [5], reducing boilerplate imports across admin customizations. This is standard Django housekeeping, but the cookie security move signals the team is tightening controls on legacy fallbacks.
Action items
- Review your use of select_related() and JSONResponse.safe parameter - deprecation warnings are now active (django/django) [plan]
- Update admin code to import Action directly from django.contrib.admin instead of submodules (django/django) [monitor]
- Audit SIGNED_COOKIE_LEGACY_SALT_FALLBACK usage ahead of removal timeline shift (django/django) [plan]
References
- [1] Refs CVE-2026-6873 -- Moved deprecation note for SIGNED_COOKIE_LEGACY_SALT_FALLBACK. django/django
- [2] Refs #34118 -- Removed further asgiref coroutine detection shims in tests. django/django
- [3] Refs #36593 -- Added missing deprecation note for select_related() with no arguments. django/django
- [4] Refs #36905 -- Added missing deprecation note for safe parameter of JSONResponse. django/django
- [5] Fixed #37176 -- Made Action importable from django.contrib.admin. django/django
FAQ
- What changed in Django on June 18, 2026?
  Django moved fast on CVE-2026-6873, shifting the deprecation timeline for SIGNED_COOKIE_LEGACY_SALT_FALLBACK as the framework tightens its security posture.
- What should Django teams do about it?
  - Review your use of select_related() and JSONResponse.safe parameter - deprecation warnings are now active
  - Update admin code to import Action directly from django.contrib.admin instead of submodules
  - Audit SIGNED_COOKIE_LEGACY_SALT_FALLBACK usage ahead of removal timeline shift
- Which Django repositories shipped on June 18, 2026?
  django/django