Skip to content

Bump wagtail from 2.3 to 2.7.4

Marvin Wilke requested to merge dependabot/pip/wagtail-2.7.4 into master

Created by: dependabot[bot]

Bumps wagtail from 2.3 to 2.7.4.

Release notes

Sourced from wagtail's releases.

2.7.4

  • CVE-2020-15118 - prevent HTML injection through form field help text (Timothy Bautista, Matt Westcott)
  • Expand Pillow dependency range to include 7.x (Harris Lapiroff, Matt Westcott)

2.7.3

CVE-2020-11037 - avoid potential timing attack on password-protected private pages (Thibaud Colas)

2.7.2

CVE-2020-11001 - prevent XSS attack via page revision comparison view (Vlad Gerasimenko, Matt Westcott)

2.7.1

  • Fix: Management command startup checks under ManifestStaticFilesStorage no longer fail if collectstatic has not been run first (Alex Tomkins)

2.7

  • Improved StreamField design (Bertrand Bordage)
  • Added WebP image support (frmdstryr, Karl Hobley, Matt Westcott)
  • Added Elasticsearch 7 support (pySilver)
  • Added Python 3.8 support (John Carter, Matt Westcott)
  • Added construct_page_listing_buttons hook (Michael van Tellingen)
  • Added more detailed documentation and troubleshooting for installing OpenCV for feature detection (Daniele Procida)
  • Added Table Block caption for accessibility (Rahmi Pruitt)
  • Move and refactor upgrade notification JS (Jonny Scholes)
  • Add ability to insert internal anchor links/links with fragment identifiers in Draftail (rich text) fields (Iman Syed)
  • Remove need for Elasticsearch update_all_types workaround, upgrade minimum release to 6.4.0 or above (Jonathan Liuti)
  • Add ability for users to change their own name via the account settings page (Kevin Howbrook)
  • Add ability to insert telephone numbers as links in Draftail (rich text) fields (Mikael Engström and Liam Brenner)
  • Increase delay before search in the snippet chooser, to prevent redundant search request round trips (Robert Rollins)
  • Add WAGTAIL_EMAIL_MANAGEMENT_ENABLED setting to determine whether users can change their email address (Janne Alatalo)
  • Recognise Soundcloud artist URLs as embeddable (Kiril Staikov)
  • Add WAGTAILDOCS_SERVE_METHOD setting to determine how document downloads will be linked to and served (Tobias McNulty, Matt Westcott)
  • Add WAGTAIL_MODERATION_ENABLED setting to enable / disable the 'Submit for Moderation' option (Jacob Topp-Mugglestone)
  • Added settings to customise pagination page size for the Images admin area (Brian Whitton)
  • Added ARIA role to TableBlock output (Matt Westcott)
  • Added cache-busting query parameters to static files within the Wagtail admin (Matt Westcott)
  • Allow register_page_action_menu_item and construct_page_action_menu hooks to override the default menu action (Rahmi Pruitt, Matt Westcott)
  • WAGTAILIMAGES_MAX_IMAGE_PIXELS limit now takes the number of animation frames into account (Karl Hobley)
  • Fix: Added line breaks to long filenames on multiple image / document uploader (Kevin Howbrook)
  • Fix: Added https support for Scribd oEmbed provider (Rodrigo)
  • Fix: Changed StreamField group labels color so labels are visible (Catherine Farman)
  • Fix: Prevented images with a very wide aspect ratio from being displayed distorted in the rich text editor (Iman Syed)
  • Fix: Prevent exception when deleting a model with a protected One-to-one relationship (Neal Todd)
  • Fix: Added labels to snippet bulk edit checkboxes for screen reader users (Martey Dodoo)
  • Fix: Middleware responses during page preview are now properly returned to the user (Matt Westcott)
  • Fix: Default text of page links in rich text uses the public page title rather than the admin display title (Andy Chosak)
  • Fix: Specific page permission checks are now enforced when viewing a page revision (Andy Chosak)
  • Fix: pageurl and slugurl tags no longer fail when request.site is None (Samir Shah)
  • Fix: Output form media on add/edit image forms with custom models (Matt Westcott)
  • Fix: Output form media on add/edit document forms with custom models (Sergey Fedoseev)
  • Fix: Layout for the clear checkbox in default FileField widget (Mikalai Radchuk)
  • Fix: Remove ASCII conversion from Postgres search backend, to support stemming in non-Latin alphabets (Pavel Denisov)
Changelog

Sourced from wagtail's changelog.

2.7.4 (20.07.2020)


 * Fix: CVE-2020-15118 - prevent HTML injection through form field help text (Timothy Bautista, Matt Westcott)
 * Fix: Expand Pillow dependency range to include 7.x (Harris Lapiroff, Matt Westcott)
2.7.3 (04.05.2020)
  • Fix: CVE-2020-11037 - avoid potential timing attack on password-protected private pages (Thibaud Colas)

2.7.2 (14.04.2020)


 * Fix: CVE-2020-11001 - prevent XSS attack via page revision comparison view (Vlad Gerasimenko, Matt Westcott)
2.7.1 (08.01.2020)
  • Fix: Management command startup checks under ManifestStaticFilesStorage no longer fail if collectstatic has not been run first (Alex Tomkins)

2.7 LTS (06.11.2019)


 * Improved StreamField design (Bertrand Bordage)
 * Added WebP image support (frmdstryr, Karl Hobley, Matt Westcott)
 * Added Elasticsearch 7 support (pySilver)
 * Added Python 3.8 support (John Carter, Matt Westcott)
 * Added `construct_page_listing_buttons` hook (Michael van Tellingen)
 * Added more detailed documentation and troubleshooting for installing OpenCV for feature detection (Daniele Procida)
 * Added Table Block caption for accessibility (Rahmi Pruitt)
 * Move and refactor upgrade notification JS (Jonny Scholes)
 * Add ability to insert internal anchor links/links with fragment identifiers in Draftail (rich text) fields (Iman Syed)
 * Remove need for Elasticsearch `update_all_types` workaround, upgrade minimum release to 6.4.0 or above (Jonathan Liuti)
 * Add ability for users to change their own name via the account settings page (Kevin Howbrook)
 * Add ability to insert telephone numbers as links in Draftail (rich text) fields (Mikael Engström and Liam Brenner)
 * Increase delay before search in the snippet chooser, to prevent redundant search request round trips (Robert Rollins)
 * Add `WAGTAIL_EMAIL_MANAGEMENT_ENABLED` setting to determine whether users can change their email address (Janne Alatalo)
 * Recognise Soundcloud artist URLs as embeddable (Kiril Staikov)
 * Add `WAGTAILDOCS_SERVE_METHOD` setting to determine how document downloads will be linked to and served (Tobias McNulty, Matt Westcott)
 * Add `WAGTAIL_MODERATION_ENABLED` setting to enable / disable the 'Submit for Moderation' option (Jacob Topp-Mugglestone)
 * Added settings to customise pagination page size for the Images admin area (Brian Whitton)
 * Added ARIA role to TableBlock output (Matt Westcott)
 * Added cache-busting query parameters to static files within the Wagtail admin (Matt Westcott)
 * Allow `register_page_action_menu_item` and `construct_page_action_menu` hooks to override the default menu action (Rahmi Pruitt, Matt Westcott)
 * `WAGTAILIMAGES_MAX_IMAGE_PIXELS` limit now takes the number of animation frames into account (Karl Hobley)
</tr></table> ... (truncated)
Commits
  • c53d060 fix version number reference
  • bedc294 Version bump to 2.7.4
  • 70719a9 Release note for 2.7.4
  • 71dc3c1 Add test to confirm that labels are escaped
  • f437ba4 Add warning about WAGTAILFORMS_HELP_TEXT_ALLOW_HTML
  • 0b80aee Escape help text in form builder forms by default
  • 8939583 Expand Pillow dependency to include 7.x
  • 3f55039 Release note for 2.7.3
  • b3698f9 Version bump to 2.7.3
  • 3c03049 Use constant_time_compare for view restriction password checks
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Merge request reports