Skip to content

chore(deps): update wagtail requirement from <7.5,>=7.0 to >=7.4.2,<7.5#45

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/wagtail-gte-7.4.2-and-lt-7.5
Open

chore(deps): update wagtail requirement from <7.5,>=7.0 to >=7.4.2,<7.5#45
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/wagtail-gte-7.4.2-and-lt-7.5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 16, 2026

Copy link
Copy Markdown
Contributor

Updates the requirements on wagtail to permit the latest version.

Release notes

Sourced from wagtail's releases.

7.4.2

  • CVE-2026-54259: Improper restriction handling on Documents and Images chosen endpoints
  • CVE-2026-54260: Denial of service via unbounded filter specs in the image preview
  • CVE-2026-54261: Improper permission handling in image preview
  • CVE-2026-54262: Pages translations can be created without page permissions when using simple_translation
  • CVE-2026-54263: Reflected XSS in dynamic image URL generator view
  • Fix: Prevent spurious migrations when there are missing child blocks in StructBlock.Meta.form_layout (Matthias Brück, Sage Abdullah)
  • Fix: Prevent error in usage views when using gettext_lazy for a model's verbose_name (James Biggs)
  • Fix: Prevent development markdown files from being added to virtual environment root upon installation (Dan Braghis)
  • Fix: Prevent StreamField blocks referenced multiple times from losing their required state after deferred validation (Sage Abdullah)
  • Docs: Add missing return in example views for template components (Tibor Leupold)
Changelog

Sourced from wagtail's changelog.

7.4.2 (15.06.2026)


 * CVE-2026-54259: Improper restriction handling on Documents and Images chosen endpoints
 * CVE-2026-54260: Denial of service via unbounded filter specs in the image preview
 * CVE-2026-54261: Improper permission handling in image preview
 * CVE-2026-54262: Pages translations can be created without page permissions when using simple_translation
 * CVE-2026-54263: Reflected XSS in dynamic image URL generator view
 * Fix: Prevent spurious migrations when there are missing child blocks in `StructBlock.Meta.form_layout` (Matthias Brück, Sage Abdullah)
 * Fix: Prevent error in usage views when using `gettext_lazy` for a model's `verbose_name` (James Biggs)
 * Fix: Prevent development markdown files from being added to virtual environment root upon installation (Dan Braghis)
 * Fix: Prevent StreamField blocks referenced multiple times from losing their required state after deferred validation (Sage Abdullah)
 * Docs: Add missing `return` in example views for template components (Tibor Leupold)

7.4.1 (19.05.2026)

  • Fix: Reinstate missing file jquery.fileupload-validate.js (Rob Brackett)

7.4 LTS (05.05.2026)


 * Add `is_deferred_validation` flag to support skipping custom validation when saving drafts (Daniel Kirkham)
 * Update project template Dockerfile to build dependencies in a separate stage (Brylie Oxley, Akshat Gupta)
 * Add `include_root` parameter to admin pages API endpoint (Divyansh Mishra)
 * Add support for Flourish oEmbeds (Garrett Coakley)
 * Add support for Heyzine oEmbeds (Baptiste Darthenay)
 * Allow specifying `creation_form_class` on `ChooserViewSet` as a dotted path string (K Adithya)
 * Various user experience improvements to autosave and concurrent editing notifications (Sage Abdullah)
 * Allow validation of required StreamField blocks to be deferred on saving drafts (Sage Abdullah)
 * Add `WAGTAILDOCS_MAX_UPLOAD_SIZE` setting for specifying maximum document file size (Om Harsh)
 * Set the project template `WAGTAILDOCS_MAX_UPLOAD_SIZE` to 10MB (Thibaud Colas)
 * Optimize combining of querysets in site history report (Alex Bridge)
 * Add more informative error for `format-*` operations on SVG images (Ankit Kumar)
 * Store preview data in new `FormState` model to improve compatibility with cookie-based sessions (Sage Abdullah)
 * Change StreamBlock options so groups are shown in declaration order of their blocks (Darshan Kerkar)
 * Add `WAGTAILADMIN_PAGE_SEARCH_FILTER_BY_PERMISSIONS` setting to disable permission filtering on page searches (Matt Westcott)
 * Use choice label when displaying choice fields in `SnippetViewSet`/`ModelViewSet`'s `list_display` (Srishti Jaiswal)
 * Add new content check `empty-meta-description` to validate meta description tags are not empty (Thibaud Colas)
 * Add `extractMetrics` method to `PreviewController` to retrieve content metrics from the preview panel (Thibaud Colas)
 * Refine hover / focus styles for title field’s comment button (Srishti Jaiswal)
 * Preserve "Collapse all" button state when switching between editor tabs (Raghad Dahi)
 * Upgrade modelsearch to 1.3 (Matt Westcott)
 * Implement checker error highlights within the preview panel (Thibaud Colas)
 * Add `routablefullpageurl` template tag (Pravin Kamble)
 * Add support for customizing page explorer views per page type using `PageViewSet` (Sage Abdullah)
 * Enhance page content type usage view with custom listings and ability to create new pages (Sage Abdullah)
 * Fix: CVE-2026-44197: Improper permission handling when comparing revisions (Seoyoung Kang, Jake Howard)
</tr></table> 

... (truncated)

Commits
  • 213059f Update codecov CircleCI Orb to v6.0.0
  • 8307b34 Version bump to 7.4.2
  • 7f4e492 Release notes for security fixes in 7.4.2
  • 74f07e5 Add credits for 7.0.8 changelog
  • ce36e59 Release notes for 7.3.3
  • b3fbc91 Release notes for 7.0.8
  • 6091cb7 Bail early from the URL generator view if frontend serve view is absent
  • 314468f Fix reflected XSS by switching URLGeneratorView error handling response to te...
  • cbaf6f6 Add tests
  • b3eb634 Use the "change" / "can edit" permissions
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [wagtail](https://github.com/wagtail/wagtail) to permit the latest version.
- [Release notes](https://github.com/wagtail/wagtail/releases)
- [Changelog](https://github.com/wagtail/wagtail/blob/main/CHANGELOG.txt)
- [Commits](wagtail/wagtail@v7.0...v7.4.2)

---
updated-dependencies:
- dependency-name: wagtail
  dependency-version: 7.4.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jun 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants