
debug toolbar: downgrade to 5.2.0 #12919

Merged
Maffooch merged 1 commit into bugfix from valentijnscholten-patch-10 on Aug 7, 2025

Conversation


@valentijnscholten valentijnscholten commented Aug 4, 2025

Member

Django Debug Toolbar 6.0.0 is no longer working: it crashes the Docker build when static files are collected.

Let's wait a bit for 6.0.1 or 6.1.0.


dryrunsecurity Bot commented Aug 4, 2025


DryRun Security

This pull request includes an unnecessary dependency (watchdog) in the production Docker image, which was intended to be a development-only library, potentially increasing the system's attack surface without introducing a critical security risk.

Unnecessary Dependency in Production in requirements.txt
Vulnerability: Unnecessary Dependency in Production
Description: The 'watchdog' library, explicitly noted as a development-only dependency in the requirements.txt comment, is included in the Dockerfile.django-alpine build process. This means it is installed in the production Docker image, potentially increasing the attack surface with unnecessary code, even if no specific CVEs were found for this version.

PyYAML==6.0.2
pyopenssl==25.1.0
parameterized==0.9.0
watchdog==6.0.0 # only needed for development, but would require some docker refactoring if we want to exclude it for production images


All finding details can be found in the DryRun Security Dashboard.
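
The "docker refactoring" the requirements comment alludes to usually starts by splitting the pins into a production file and a development file, and then checking that the production image really lost the development packages. The following is an added example, not DefectDojo's code and not part of this PR: it splits a requirements file on the inline "only needed for development" marker seen above, and audits a `pip freeze` listing taken from a built image against the development set. The requirements excerpt, the extra django-debug-toolbar line, the `pip freeze` sample, the marker convention and the helper names are all constructed assumptions for the example.

```python
"""Split a pinned requirements file into production and development sets and
audit an installed-package listing against the development set.

Added example for this PR discussion; not DefectDojo code. The requirements
excerpt and the `pip freeze` output below are constructed samples.
Assumption: a dev-only pin carries a comment containing the phrase
"only needed for development" (the convention in the quoted requirements.txt).
"""
import re

# Constructed sample: the excerpt quoted in the finding plus one extra
# dev-only line, so the split has more than one member on each side.
REQUIREMENTS_TXT = """\
PyYAML==6.0.2
pyopenssl==25.1.0
parameterized==0.9.0
watchdog==6.0.0 # only needed for development, but would require some docker refactoring if we want to exclude it for production images
django-debug-toolbar==5.2.0  # only needed for development
"""

DEV_MARKER = re.compile(r"only\s+needed\s+for\s+development", re.IGNORECASE)
# Project name, optional extras, optional version operator and version.
# Sufficient for `name==version` pins; URL/VCS requirements are out of scope.
PIN = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(==|>=|<=|~=|!=|<|>)?\s*([^\s;]*)"
)


def normalize(name):
    """PEP 503 name normalisation, so pyOpenSSL and pyopenssl compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def split_requirements(text):
    """Return (prod, dev): dicts of normalised name -> requirement line."""
    prod, dev = {}, {}
    for raw in text.splitlines():
        # Everything after '#' is the comment; the marker is searched there only.
        line, _, comment = raw.partition("#")
        line = line.strip()
        if not line:
            continue
        m = PIN.match(line)
        if not m:
            raise ValueError(f"unparsed requirement: {raw!r}")
        target = dev if DEV_MARKER.search(comment) else prod
        target[normalize(m.group(1))] = line
    return prod, dev


def write_split(text):
    """Render the contents of requirements.txt (prod) and requirements-dev.txt."""
    prod, dev = split_requirements(text)
    return "\n".join(prod.values()) + "\n", "\n".join(dev.values()) + "\n"


def audit_installed(freeze_output, dev):
    """Return the dev-only packages present in a `pip freeze` listing (sorted).

    Run against the output of `docker run <image> pip freeze`; an empty list
    means no development dependency leaked into the production image.
    """
    installed = set()
    for raw in freeze_output.splitlines():
        m = PIN.match(raw)
        if m:  # lines such as "-e git+..." do not match and are skipped
            installed.add(normalize(m.group(1)))
    return sorted(installed & set(dev))


# Constructed sample of `pip freeze` from an image that still installs the
# whole requirements.txt, i.e. the situation the finding describes.
PROD_IMAGE_FREEZE = """\
Django==5.1.4
django-debug-toolbar==5.2.0
parameterized==0.9.0
pyOpenSSL==25.1.0
PyYAML==6.0.2
watchdog==6.0.0
"""

if __name__ == "__main__":
    prod, dev = split_requirements(REQUIREMENTS_TXT)
    leaked = audit_installed(PROD_IMAGE_FREEZE, dev)
    print("production pins:", sorted(prod))
    print("dev-only pins:  ", sorted(dev))
    print("leaked into image:", leaked or "none")
```

The audit step is the part worth wiring into CI: once the Dockerfile installs only the production file, a non-empty result from `audit_installed` on the image's `pip freeze` output is a regression, regardless of whether the leaked package has a known CVE.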

@valentijnscholten valentijnscholten added this to the 2.49.1 milestone Aug 4, 2025

valentijnscholten commented Aug 4, 2025

Member Author

Raised django-commons/django-debug-toolbar#2190 where I pointed to #12921 to show the problem/logs.

@mtesauro mtesauro left a comment

Contributor


Approved


Maffooch commented Aug 7, 2025

Contributor

Merging with two approvers since this is a package update

@Maffooch Maffooch merged commit 64a118a into bugfix Aug 7, 2025
87 checks passed
@Maffooch Maffooch deleted the valentijnscholten-patch-10 branch August 7, 2025 06:19

3 participants