django-oauth/django-oauth-toolkit

Minor/patch release cycle with bugfixes

Closed this issue · 4 comments

cristiprg commented

Hi! Do you have any plans to release another minor or patch version before the major upgrade to 3? There are a couple of smaller non-breaking fixes that would be great to have in, such as #1476 and #1465 which fixes this CVE. 🙏

n2ygk commented

I've pushed the date earlier and hope to publish the 3.0.0 version before then. I'm waiting on one or two last PR reviews. See https://github.com/jazzband/django-oauth-toolkit/milestone/35. It seems that oauthlib CVE can be dealt with now by upgrading oauthlib as the DOT 2.4.0 requirements are for oauthlib 3.1+ so 3.2.2+ is included in that. Given the dependency should be >=3.2.2 rather than >=3.2 as it was in #1465 it would be great if you were to submit a PR to push the version dependency to that level.

  • 👍1
cristiprg commented

Thanks @n2ygk! Here's the PR to bump oauthlib #1481

cristiprg commented

@n2ygk sorry, I may have not asked the question clearly. What I'm interested is having those two PRs before a major release with breaking changes, in for example DOT 2.4.1 or 2.5.

The motivation is that they are not breaking changes, so there is no need to only include them in a major release (bundled up with other breaking changes)

n2ygk commented
  • 👍1