chore(deps): update dependency django-filter to >=2.4.0,<2.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
django-filter (changelog)	>=2.0.0,<2.1 -> >=2.4.0,<2.5

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2020-15225

Impact

Automatically generated NumberFilter instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents.

Patches

Version 2.4.0+ applies a MaxValueValidator with a a default limit_value of 1e50 to the form field used by NumberFilter instances.

In addition, NumberFilter implements the new get_max_validator() which should return a configured validator instance to customise the limit, or else None to disable the additional validation.

Workarounds

Users may manually apply an equivalent validator if they are not able to upgrade.

For more information

If you have any questions or comments about this advisory:

• Open an issue in the django-filter repo

Thanks to Marcin Waraksa for the report.

---

Release Notes

carltongibson/django-filter (django-filter)

v2.4.0

Compare Source

• SECURITY: Added a MaxValueValidator to the form field for
  NumberFilter. This prevents a potential DoS attack if numbers with very
  large exponents were subsequently converted to integers.

  The default limit value for the validator is 1e50.

  The new NumberFilter.get_max_validator() allows customising the used
  validator, and may return None to disable the validation entirely.

• Added testing against Django 3.1 and Python 3.9.

  In addition tests against Django main development branch are now required to
  pass.

v2.3.0

Compare Source

• Fixed import of FieldDoesNotExist. (#​1127)
• Added testing against Django 3.0. (#​1125)
• Declared support for, and added testing against, Python 3.8. (#​1138)
• Fix filterset multiple inheritance bug (#​1131)
• Allowed customising default lookup expression. (#​1129)
• Drop Django 2.1 and below (#​1180)
• Fixed IsoDateTimeRangeFieldTests for Django 3.1
• Require tests to pass against Django master.

v2.2.0: Version 2.2

Compare Source

Highlights:

• Added DjangoFilterBackend.get_schema_operation_parameters() for DRF 3.10+
  OpenAPI schema generation. (#​1086)
• Added lookup_expr to MultipleChoiceFilter (#​1054)
• Dropped support for EOL Python 3.4

v2.1.0: Version 2.1.0

Compare Source

• Fixed a regression in FilterView introduced in 2.0. An empty QuerySet was
  incorrectly used whenever the FilterSet was unbound (i.e. when there were
  no GET parameters). The correct, pre-2.0 behaviour is now restored.

  A workaround was to set strict=False on the FilterSet. This is no
  longer necessary, so you may restore strict behaviour as desired.

• Added IsoDateTimeFromToRangeFilter. Allows From-To filtering using
  ISO-8601 formatted dates.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

---

Thanks for the PR!

Deployments, as required, will be available below:

• Frontend
• Backend

Please create PRs in draft mode. Mark as ready to enable:

• Analysis Workflow

After merge, new images are deployed in:

• Merge Workflow

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (>=2.4.0,<2.5). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.