Week ending 2025-10-12 (Week 41)
A security-heavy week, with a steady flow of incoming reports keeping things quite busy (and sadly not that fun). The CNA process also moved forward, with hands-on testing and API study taking a fair share of focus. I also started work on the release checklist generator to update the CVE management process in preparation for when CNA status is fully confirmed.
Add to that a full lineup of meetings and follow-ups, and it made for a packed but hopefully productive week. The new auto-magic roadmap pages also landed in djangoproject.com, with links from the Download page: this reduces the manual work required for future feature freezes/alpha releases.
Triaged
- https://code.djangoproject.com/ticket/36646 - oracledb 3.4.0 TypeError: isinstance() arg 2 must be a type, a tuple of types, or a union (accepted)
- https://code.djangoproject.com/ticket/36642 - makemessages provides invalid locale suggestions when attempting to format the locale string (accepted)
- https://code.djangoproject.com/ticket/36494 - Various failures in JSONField lookups when using expressions in right-hand side (re-triaged to accepted)
- https://code.djangoproject.com/ticket/36648 - “pk” exception when using first() on unordered queryset with aggregation does not consider composite pk fields provided separately (accepted)
- https://code.djangoproject.com/ticket/36647 - Annotation with Coalesce subquery unexpectedly included in group by (invalid)
- https://code.djangoproject.com/ticket/36643 - Migrate should not check for consistent history when faking migrations (wontfix)
- https://code.djangoproject.com/ticket/36655 - GZipMiddleware buffers streaming responses (duplicate)
Reviewed
- https://github.com/django/django/pull/19928 - Refs #36595 – Ran GitHub tests against PostGIS 3.6.
- Also had to take a look at https://github.com/django/django/pull/19916 to understand why #36595 wasn’t marked as “fixed”.
- https://github.com/django/dsf-working-groups/pull/56 - Add draft of security team charter.
- https://github.com/django/django/pull/19927 - Pinned “New contributor” GitHub action to v3.0 to fix “Error: Input required and not supplied: issue_message”.
- https://github.com/django/django/pull/18246 - Removing unnecessary section in the second step of the tutorial
- https://github.com/django/django/pull/19593 - Fixed #36470 – Potential log injection in development server (runserver) logging
- https://github.com/django/django/pull/18892/ - Fixed #35961 – Conformed license metadata to PEP 639 specification.
- https://github.com/django/django/pull/19941 - [5.1.x] Refs #36646 – Doc’d that oracledb < 3.3.0 is required.
- https://github.com/nessita/checklist-generator/pull/20 - Multiple fixes following security release from Oct 1st.
Authored
- https://github.com/django/django/pull/19792 - Fixed #36526 – Doc’d QuerySet.bulk_update() memory usage when batching. (updated and merged)
Other/Misc
- Migrated every wiki page for “VersionX.YRoadmap” (X > 1) to the new roadmap pages in https://www.djangoproject.com/download/X.Y/roadmap/.
- Monthly catch-up with the Steering Council.
- Biweekly meeting with Fellows and Board Liaison (Jeff Triplett).
- Biweekly meeting with Fellows and Line Manager (Andrew Godwin).
- Attended DSF Office Hours.
- Engaged in security topics and report triage.
- Incoming report rate continues to be higher than the past-year average. The quality of reports is poor, but they are still time-consuming.
- CNA update: the DSF was given test credentials to issue test CVEs. I reviewed docs, tried a few options to interact with the CVE RESTful APIs, and completed some exercises.