RepoJournal
Django

@django

Python's batteries-included web framework


DJANGO PATCHES COOKIE SECURITY FLAW, CLEANS UP DEPRECATION DEBT

By RepoJournal · Filed · About Django

Django moved fast on CVE-2026-6873, shifting the deprecation timeline for SIGNED_COOKIE_LEGACY_SALT_FALLBACK as the framework tightens its security posture.

The cookie vulnerability fix [1] lands alongside a broader cleanup of deprecation warnings that have been cluttering the codebase. Django removed asgiref coroutine detection shims from tests [2], a follow-up to earlier refactoring that modernizes how the framework handles async operations. Three additional deprecation notices hit the wire in quick succession: select_related() called without arguments [3] now properly warns developers before it becomes an error, the safe parameter in JSONResponse [4] got its missing deprecation banner, and a smaller but useful fix made Action directly importable from django.contrib.admin [5], reducing boilerplate imports across admin customizations. This is standard Django housekeeping, but the cookie security move signals the team is tightening controls on legacy fallbacks.

Action items

References

  [1] Refs CVE-2026-6873 -- Moved deprecation note for SIGNED_COOKIE_LEGACY_SALT_FALLBACK. (django/django)
  [2] Refs #34118 -- Removed further asgiref coroutine detection shims in tests. (django/django)
  [3] Refs #36593 -- Added missing deprecation note for select_related() with no arguments. (django/django)
  [4] Refs #36905 -- Added missing deprecation note for safe parameter of JSONResponse. (django/django)
  [5] Fixed #37176 -- Made Action importable from django.contrib.admin. (django/django)

FAQ

What changed in Django on June 18, 2026?
Django moved fast on CVE-2026-6873, shifting the deprecation timeline for SIGNED_COOKIE_LEGACY_SALT_FALLBACK as the framework tightens its security posture.
What should Django teams do about it?

  • Review your use of select_related() and the safe parameter of JSONResponse - deprecation warnings are now active
  • Update admin code to import Action directly from django.contrib.admin instead of submodules
  • Audit SIGNED_COOKIE_LEGACY_SALT_FALLBACK usage ahead of the removal timeline shift

Which Django repositories shipped on June 18, 2026?
django/django
