[FIX] Bump DRF version to 3.17 to address vulnerability and drop DRF auto UniqueTogetherValidator on upsert/catch serializers (#2104)

* [FIX] Drop DRF auto UniqueTogetherValidator on upsert/catch serializers

DRF 3.15+ auto-generates a UniqueTogetherValidator from each model's
Meta.constraints UniqueConstraint. For serializers whose view already owns
uniqueness (upsert via update_or_create, or IntegrityError->Duplicate catch),
that validator fires at is_valid() and 400s on a legitimate re-save before the
view can run, short-circuiting the view's duplicate handling.

Set Meta.validators = [] on those serializers so the view/DB own uniqueness.
No-op on the currently-pinned DRF 3.14 (which only auto-validates legacy
unique_together); required once DRF is re-bumped to 3.17.x.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01G8hAHc4HUo42zY1g9LAjKu

* [FIX] Re-bump djangorestframework 3.14.0 → 3.17.1 (#2105)

* [FIX] Re-bump djangorestframework 3.14.0 -> 3.17.1

Re-attempts the DRF upgrade reverted in #2098. 3.17.1 is chosen because it:
- carries PR encode/django-rest-framework#9766 (3.17.0), so the auto
  UniqueTogetherValidator honors a UniqueConstraint's violation_error_message
  for friendly duplicate messages (used by cloud-side create-only serializers),
- includes the CVE-2024-21520 (XSS) fix first shipped in 3.15.2.

Safe to layer on top of the Meta.validators=[] changes in the parent commit,
which neutralize the 3.15+ auto-validator for every upsert / IntegrityError-catch
serializer. Django 4.2.30 + Python 3.12 satisfy DRF 3.17's floors.

MUST be build + test + staging validated before merge (this bump caused the
rc.343 regression). drf-yasg 1.21.7 / drf-standardized-errors compatibility with
DRF 3.17 to be verified in CI.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01G8hAHc4HUo42zY1g9LAjKu

* [FIX] Remove unused hook-check-django-migrations dep group

Group had no consumer (migration check runs in backend env); its pinned
drf-yasg==1.21.7 paired with DRF 3.17.1 in the root lock was an incompatible
skew. Drop the group and relock.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01G8hAHc4HUo42zY1g9LAjKu

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

Author: chandrasekharan-zipstack

backend/adapter_processor_v2/serializers.py

@@ -34,6 +34,9 @@ class BaseAdapterSerializer(AuditSerializer):
     class Meta:
         model = AdapterInstance
         fields = "__all__"
+        # View owns uniqueness (IntegrityError->DuplicateData); drop the DRF
+        # auto-validator that 400s on re-save before the view can handle it.
+        validators = []
         extra_kwargs = {
             "shared_users": {"read_only": True},
             "shared_to_org": {"read_only": True},

backend/api_v2/serializers.py

@@ -44,6 +44,9 @@ class APIDeploymentSerializer(IntegrityErrorMixin, AuditSerializer):
     class Meta:
         model = APIDeployment
         fields = "__all__"
+        # IntegrityErrorMixin owns uniqueness; drop the DRF auto-validator
+        # that 400s on re-save before the mixin can map a friendly message.
+        validators = []
         extra_kwargs = {
             "shared_users": {"read_only": True},
             "shared_to_org": {"read_only": True},

backend/connector_v2/serializers.py

@@ -34,6 +34,9 @@ class ConnectorInstanceSerializer(AuditSerializer):
     class Meta:
         model = ConnectorInstance
         fields = "__all__"
+        # View owns uniqueness (IntegrityError->DuplicateData); drop the DRF
+        # auto-validator that 400s on re-save before the view can handle it.
+        validators = []
         extra_kwargs = {
             "connector_name": {"required": False},
             # connector_mode is derived from the catalog in to_representation.

backend/notification_v2/serializers.py

@@ -25,6 +25,9 @@ class NotificationSerializer(serializers.ModelSerializer):
     class Meta:
         model = Notification
         fields = "__all__"
+        # Custom validate_name already enforces uniqueness with friendly per-field
+        # errors; drop the redundant DRF auto-validator (fragile on partial PATCH).
+        validators = []
 
     def validate(self, data):
         """Validate the data for the NotificationSerializer."""

backend/pipeline_v2/serializers/crud.py

@@ -38,6 +38,9 @@ class PipelineSerializer(IntegrityErrorMixin, AuditSerializer):
     class Meta:
         model = Pipeline
         fields = "__all__"
+        # IntegrityErrorMixin / view own uniqueness; drop the DRF auto-validator
+        # that 400s on re-save before the view can map a friendly message.
+        validators = []
         extra_kwargs = {
             "shared_users": {"read_only": True},
             "shared_to_org": {"read_only": True},

backend/prompt_studio/prompt_profile_manager_v2/serializers.py

@@ -14,6 +14,9 @@ class ProfileManagerSerializer(AuditSerializer):
     class Meta:
         model = ProfileManager
         fields = "__all__"
+        # View owns uniqueness (IntegrityError->DuplicateData on create); drop
+        # the DRF auto-validator that 400s on re-save / PUT before the view runs.
+        validators = []
 
     def to_representation(self, instance):  # type: ignore
         rep: dict[str, str] = super().to_representation(instance)

backend/prompt_studio/prompt_studio_v2/serializers.py

@@ -26,6 +26,9 @@ class ToolStudioPromptSerializer(AuditSerializer):
     class Meta:
         model = ToolStudioPrompt
         fields = "__all__"
+        # View owns uniqueness (IntegrityError->DuplicateData on create); drop
+        # the DRF auto-validator that 400s on re-save / PUT before the view runs.
+        validators = []
 
 
 class ToolStudioIndexSerializer(serializers.Serializer):

backend/pyproject.toml

@@ -19,7 +19,7 @@ dependencies = [
     "cron-descriptor==1.4.0", # For cron string description
     "cryptography>=48.0.1",
     "django==4.2.30",
-    "djangorestframework==3.14.0",
+    "djangorestframework==3.17.1",
     "django-cors-headers==4.3.1",
     # Pinning django-celery-beat to avoid build issues
     "django-celery-beat==2.5.0",

backend/uv.lock

@@ -41,6 +41,9 @@ class WorkflowSerializer(IntegrityErrorMixin, AuditSerializer):
     class Meta:
         model = Workflow
         fields = "__all__"
+        # IntegrityErrorMixin owns uniqueness; drop the DRF auto-validator
+        # that 400s on re-save before the mixin can map a friendly message.
+        validators = []
         extra_kwargs = {
             WorkflowKey.LLM_RESPONSE: {
                 "required": False,