From 0bec0f8be5ef7cf493e6ead7a304b3f56dcb8953 Mon Sep 17 00:00:00 2001
From: Tom Hu
Date: Thu, 26 Feb 2026 06:17:53 +0900
Subject: [PATCH] fix(security): bump Django, cryptography, certifi, lxml to patch CVEs

Addresses critical/high security vulnerabilities tracked in internal-issues:
- Django 4.2.27 -> 4.2.28: fixes CVE-2025-64459 and CVE-2026-1207 (api, worker)
- cryptography 43.0.1 -> 43.0.3: latest 43.x security patch
- certifi 2024.7.4 -> 2025.1.31: updated CA certificate bundle
- lxml 5.3.0 -> 5.3.2: bundles libxml2 security fixes (CVE-2024-34459, CVE-2025-27113)

Made-with: Cursor
---
 pyproject.toml | 9 ++++-----
 uv.lock | 30 +++++++++++++++--------------
 2 files changed, 19 insertions(+), 20 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 70b39de8fa..18b5dd8ec1 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -23,12 +23,12 @@ shared = [
     "cerberus>=1.3.5",
     "codecov-ribs>=0.1.18",
     "colour>=0.1.5",
-    "cryptography>=43.0.1",
+    "cryptography>=43.0.3",
     "django-better-admin-arrayfield>=1.4.2",
     "django-model-utils>=4.5.1",
     "django-postgres-extra>=2.0.8",
     "django-prometheus>=2.3.1",
-    "django>=4.2.27,<5.0.0",
+    "django>=4.2.28,<5.0.0",
     "google-auth>=2.21.1",
     "google-cloud-pubsub>=2.27.1",
     "httpx>=0.23.1",
@@ -63,7 +63,7 @@ codecov-api = [
     "aiodataloader>=0.4.0",
     "ariadne-django>=0.3.0",
     "ariadne>=0.23.0",
-    "certifi>=2024.7.4",
+    "certifi>=2025.1.31",
     "django-autocomplete-light>=3.11.0",
     "django-cors-headers>=3.7.0",
     "django-csp==3.8.0",
@@ -84,7 +84,7 @@ worker = [
     "asgiref>=3.7.2",
     "click>=8.1.7",
     "jinja2>=3.1.5",
-    "lxml>=5.3.0",
+    "lxml>=5.3.2",
     "openai>=1.2.4",
     "pyyaml>=6.0.1",
     "sqlalchemy<2",
@@ -126,5 +126,4 @@ dev = [
     "pytest-freezer>=0.4.9",
     "django-debug-toolbar>=6.0.0",
 ]
-
 prod = [{ include-group = "codecov-api" }, { include-group = "worker" }]
diff --git a/uv.lock b/uv.lock
index 3c2c55a6d2..9737d05c9d 100644
--- a/uv.lock
+++ b/uv.lock
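Review bot: The raised floors for cryptography and django in the `@@ -23` hunk, certifi in `@@ -63` and lxml in `@@ -84` are not matched by any change to the resolved `[[package]]` entries for cryptography, certifi or lxml in uv.lock; the 30-line uv.lock diffstat is fully accounted for by the django package entry plus the specifier lines, so either the locked versions already satisfied the new minimums or the lockfile is now out of step with pyproject.toml. Run `uv sync --locked` in CI to confirm which it is, and if the resolved versions were already at or above 43.0.3 / 2025.1.31 / 5.3.2, reword the commit message so it does not read as if this commit changes what is installed. Because these are `>=` floors rather than pins, the lockfile remains the only thing that fixes the deployed version; naming the resolved versions in the message would make the CVE audit trail self-contained. The `@@ -126` hunk also drops the blank line separating the `dev` group from `prod`, which the surrounding groups keep; that whitespace change is unrelated to the fix and is probably best left out of a security commit.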
@@ -449,16 +449,16 @@ wheels = [
 
 [[package]]
 name = "django"
-version = "4.2.27"
+version = "4.2.28"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "asgiref" },
     { name = "sqlparse" },
     { name = "tzdata", marker = "sys_platform == 'win32'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/ce/ff/6aa5a94b85837af893ca82227301ac6ddf4798afda86151fb2066d26ca0a/django-4.2.27.tar.gz", hash = "sha256:b865fbe0f4a3d1ee36594c5efa42b20db3c8bbb10dff0736face1c6e4bda5b92", size = 10432781, upload-time = "2025-12-02T14:01:49.006Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/fa/a9/25b75b11a4c7a6efe1661c181afe504992e0659ca6eedb72a065cdd91a25/django-4.2.28.tar.gz", hash = "sha256:a4b9cd881991add394cafa8bb3b11ad1742d1e1470ba99c3ef53dc540316ccfe", size = 10464933, upload-time = "2026-02-03T13:55:27.686Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/dd/f5/1a2319cc090870bfe8c62ef5ad881a6b73b5f4ce7330c5cf2cb4f9536b12/django-4.2.27-py3-none-any.whl", hash = "sha256:f393a394053713e7d213984555c5b7d3caeee78b2ccb729888a0774dff6c11a8", size = 7995090, upload-time = "2025-12-02T14:01:44.234Z" },
+    { url = "https://files.pythonhosted.org/packages/68/20/6d0808bc7500a6c654eae17b53f791a50af2c3f3ac4f328cbec324948c31/django-4.2.28-py3-none-any.whl", hash = "sha256:49a23c1b83ef31525f8d71a57b040f91d34660edb3f086280a8519855655ed3c", size = 7995543, upload-time = "2026-02-03T13:55:09.798Z" },
 ]
 
 [[package]]
@@ -2731,11 +2731,11 @@ codecov-api = [
     { name = "cachetools", specifier = ">=4.1.1" },
     { name = "celery", specifier = ">=5.3.6" },
     { name = "cerberus", specifier = ">=1.3.5" },
-    { name = "certifi", specifier = ">=2024.7.4" },
+    { name = "certifi", specifier = ">=2025.1.31" },
     { name = "codecov-ribs", specifier = ">=0.1.18" },
     { name = "colour", specifier = ">=0.1.5" },
-    { name = "cryptography", specifier = ">=43.0.1" },
-    { name = "django", specifier = ">=4.2.27,<5.0.0" },
+    { name = "cryptography", specifier = ">=43.0.3" },
+    { name = "django", specifier = ">=4.2.28,<5.0.0" },
     { name = "django-autocomplete-light", specifier = ">=3.11.0" },
     { name = "django-better-admin-arrayfield", specifier = ">=1.4.2" },
     { name = "django-cors-headers", specifier = ">=3.7.0" },
@@ -2819,12 +2819,12 @@ prod = [
     { name = "cachetools", specifier = ">=4.1.1" },
     { name = "celery", specifier = ">=5.3.6" },
     { name = "cerberus", specifier = ">=1.3.5" },
-    { name = "certifi", specifier = ">=2024.7.4" },
+    { name = "certifi", specifier = ">=2025.1.31" },
     { name = "click", specifier = ">=8.1.7" },
     { name = "codecov-ribs", specifier = ">=0.1.18" },
     { name = "colour", specifier = ">=0.1.5" },
-    { name = "cryptography", specifier = ">=43.0.1" },
-    { name = "django", specifier = ">=4.2.27,<5.0.0" },
+    { name = "cryptography", specifier = ">=43.0.3" },
+    { name = "django", specifier = ">=4.2.28,<5.0.0" },
     { name = "django-autocomplete-light", specifier = ">=3.11.0" },
     { name = "django-better-admin-arrayfield", specifier = ">=1.4.2" },
     { name = "django-cors-headers", specifier = ">=3.7.0" },
@@ -2844,7 +2844,7 @@ prod = [
     { name = "idna", specifier = ">=3.7" },
     { name = "ijson", specifier = ">=3.2.3" },
     { name = "jinja2", specifier = ">=3.1.5" },
-    { name = "lxml", specifier = ">=5.3.0" },
+    { name = "lxml", specifier = ">=5.3.2" },
     { name = "minio", specifier = ">=7.2.15" },
     { name = "mmh3", specifier = ">=5.0.1" },
     { name = "msgpack", specifier = ">=1.1.0" },
@@ -2887,8 +2887,8 @@ shared = [
     { name = "cerberus", specifier = ">=1.3.5" },
     { name = "codecov-ribs", specifier = ">=0.1.18" },
     { name = "colour", specifier = ">=0.1.5" },
-    { name = "cryptography", specifier = ">=43.0.1" },
-    { name = "django", specifier = ">=4.2.27,<5.0.0" },
+    { name = "cryptography", specifier = ">=43.0.3" },
+    { name = "django", specifier = ">=4.2.28,<5.0.0" },
     { name = "django-better-admin-arrayfield", specifier = ">=1.4.2" },
     { name = "django-model-utils", specifier = ">=4.5.1" },
     { name = "django-postgres-extra", specifier = ">=2.0.8" },
@@ -2931,8 +2931,8 @@ worker = [
     { name = "click", specifier = ">=8.1.7" },
     { name = "codecov-ribs", specifier = ">=0.1.18" },
     { name = "colour", specifier = ">=0.1.5" },
-    { name = "cryptography", specifier = ">=43.0.1" },
-    { name = "django", specifier = ">=4.2.27,<5.0.0" },
+    { name = "cryptography", specifier = ">=43.0.3" },
+    { name = "django", specifier = ">=4.2.28,<5.0.0" },
     { name = "django-better-admin-arrayfield", specifier = ">=1.4.2" },
     { name = "django-model-utils", specifier = ">=4.5.1" },
     { name = "django-postgres-extra", specifier = ">=2.0.8" },
@@ -2942,7 +2942,7 @@ worker = [
     { name = "httpx", specifier = ">=0.23.1" },
     { name = "ijson", specifier = ">=3.2.3" },
     { name = "jinja2", specifier = ">=3.1.5" },
-    { name = "lxml", specifier = ">=5.3.0" },
+    { name = "lxml", specifier = ">=5.3.2" },
     { name = "minio", specifier = ">=7.2.15" },
     { name = "mmh3", specifier = ">=5.0.1" },
     { name = "msgpack", specifier = ">=1.1.0" },