Skip to content

pip: (deps): bump wagtail from 7.3.2 to 7.4.2#3257

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/wagtail-7.4.2
Open

pip: (deps): bump wagtail from 7.3.2 to 7.4.2#3257
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/wagtail-7.4.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps wagtail from 7.3.2 to 7.4.2.

Release notes

Sourced from wagtail's releases.

7.4.2

  • CVE-2026-54259: Improper restriction handling on Documents and Images chosen endpoints
  • CVE-2026-54260: Denial of service via unbounded filter specs in the image preview
  • CVE-2026-54261: Improper permission handling in image preview
  • CVE-2026-54262: Pages translations can be created without page permissions when using simple_translation
  • CVE-2026-54263: Reflected XSS in dynamic image URL generator view
  • Fix: Prevent spurious migrations when there are missing child blocks in StructBlock.Meta.form_layout (Matthias Brück, Sage Abdullah)
  • Fix: Prevent error in usage views when using gettext_lazy for a model's verbose_name (James Biggs)
  • Fix: Prevent development markdown files from being added to virtual environment root upon installation (Dan Braghis)
  • Fix: Prevent StreamField blocks referenced multiple times from losing their required state after deferred validation (Sage Abdullah)
  • Docs: Add missing return in example views for template components (Tibor Leupold)

7.4.1

  • Fix: Reinstate missing file jquery.fileupload-validate.js (Rob Brackett)

7.4 LTS

  • Add is_deferred_validation flag to support skipping custom validation when saving drafts (Daniel Kirkham)
  • Update project template Dockerfile to build dependencies in a separate stage (Brylie Oxley, Akshat Gupta)
  • Add include_root parameter to admin pages API endpoint (Divyansh Mishra)
  • Add support for Flourish oEmbeds (Garrett Coakley)
  • Add support for Heyzine oEmbeds (Baptiste Darthenay)
  • Allow specifying creation_form_class on ChooserViewSet as a dotted path string (K Adithya)
  • Various user experience improvements to autosave and concurrent editing notifications (Sage Abdullah)
  • Allow validation of required StreamField blocks to be deferred on saving drafts (Sage Abdullah)
  • Add WAGTAILDOCS_MAX_UPLOAD_SIZE setting for specifying maximum document file size (Om Harsh)
  • Set the project template WAGTAILDOCS_MAX_UPLOAD_SIZE to 10MB (Thibaud Colas)
  • Optimize combining of querysets in site history report (Alex Bridge)
  • Add more informative error for format-* operations on SVG images (Ankit Kumar)
  • Store preview data in new FormState model to improve compatibility with cookie-based sessions (Sage Abdullah)
  • Change StreamBlock options so groups are shown in declaration order of their blocks (Darshan Kerkar)
  • Add WAGTAILADMIN_PAGE_SEARCH_FILTER_BY_PERMISSIONS setting to disable permission filtering on page searches (Matt Westcott)
  • Use choice label when displaying choice fields in SnippetViewSet/ModelViewSet's list_display (Srishti Jaiswal)
  • Add new content check empty-meta-description to validate meta description tags are not empty (Thibaud Colas)
  • Add extractMetrics method to PreviewController to retrieve content metrics from the preview panel (Thibaud Colas)
  • Refine hover / focus styles for title field’s comment button (Srishti Jaiswal)
  • Preserve "Collapse all" button state when switching between editor tabs (Raghad Dahi)
  • Upgrade modelsearch to 1.3 (Matt Westcott)
  • Implement checker error highlights within the preview panel (Thibaud Colas)
  • Add routablefullpageurl template tag (Pravin Kamble)
  • Add support for customizing page explorer views per page type using PageViewSet (Sage Abdullah)
  • Enhance page content type usage view with custom listings and ability to create new pages (Sage Abdullah)
  • Fix: CVE-2026-44197: Improper permission handling when comparing revisions (Seoyoung Kang, Jake Howard)
  • Fix: CVE-2026-44198: Improper permission handling when viewing page history (Seoyoung Kang, Jake Howard, Dan Braghis)
  • Fix: CVE-2026-44199: Improper permission handling when deleting form submissions (Vishal Shukla, Jake Howard)
  • Fix: CVE-2026-44200: Improper permission handling when copying pages (Sanjok Karki, Matt Westcott)
  • Fix: CVE-2026-44201: Improper restriction handling on Documents and Images API (Sanjok Karki, Jake Howard)
  • Fix: Handle nested inline models when displaying object usage information (Sage Abdullah, Kacper Walęga, Tian Jie Wong)
  • Fix: Avoid duplicate get_object() DB query in API detail view (Siddheshwar Kadam)
  • Fix: Ensure ImageBlock alt text populates on choosing a new image after unchecking decorative state (Pratham Jaiswal)
  • Fix: Set verbose_name_plural for Query model in search promotions app (Saptami)

... (truncated)

Changelog

Sourced from wagtail's changelog.

7.4.2 (15.06.2026)


 * CVE-2026-54259: Improper restriction handling on Documents and Images chosen endpoints
 * CVE-2026-54260: Denial of service via unbounded filter specs in the image preview
 * CVE-2026-54261: Improper permission handling in image preview
 * CVE-2026-54262: Pages translations can be created without page permissions when using simple_translation
 * CVE-2026-54263: Reflected XSS in dynamic image URL generator view
 * Fix: Prevent spurious migrations when there are missing child blocks in `StructBlock.Meta.form_layout` (Matthias Brück, Sage Abdullah)
 * Fix: Prevent error in usage views when using `gettext_lazy` for a model's `verbose_name` (James Biggs)
 * Fix: Prevent development markdown files from being added to virtual environment root upon installation (Dan Braghis)
 * Fix: Prevent StreamField blocks referenced multiple times from losing their required state after deferred validation (Sage Abdullah)
 * Docs: Add missing `return` in example views for template components (Tibor Leupold)

7.4.1 (19.05.2026)

  • Fix: Reinstate missing file jquery.fileupload-validate.js (Rob Brackett)

7.4 LTS (05.05.2026)


 * Add `is_deferred_validation` flag to support skipping custom validation when saving drafts (Daniel Kirkham)
 * Update project template Dockerfile to build dependencies in a separate stage (Brylie Oxley, Akshat Gupta)
 * Add `include_root` parameter to admin pages API endpoint (Divyansh Mishra)
 * Add support for Flourish oEmbeds (Garrett Coakley)
 * Add support for Heyzine oEmbeds (Baptiste Darthenay)
 * Allow specifying `creation_form_class` on `ChooserViewSet` as a dotted path string (K Adithya)
 * Various user experience improvements to autosave and concurrent editing notifications (Sage Abdullah)
 * Allow validation of required StreamField blocks to be deferred on saving drafts (Sage Abdullah)
 * Add `WAGTAILDOCS_MAX_UPLOAD_SIZE` setting for specifying maximum document file size (Om Harsh)
 * Set the project template `WAGTAILDOCS_MAX_UPLOAD_SIZE` to 10MB (Thibaud Colas)
 * Optimize combining of querysets in site history report (Alex Bridge)
 * Add more informative error for `format-*` operations on SVG images (Ankit Kumar)
 * Store preview data in new `FormState` model to improve compatibility with cookie-based sessions (Sage Abdullah)
 * Change StreamBlock options so groups are shown in declaration order of their blocks (Darshan Kerkar)
 * Add `WAGTAILADMIN_PAGE_SEARCH_FILTER_BY_PERMISSIONS` setting to disable permission filtering on page searches (Matt Westcott)
 * Use choice label when displaying choice fields in `SnippetViewSet`/`ModelViewSet`'s `list_display` (Srishti Jaiswal)
 * Add new content check `empty-meta-description` to validate meta description tags are not empty (Thibaud Colas)
 * Add `extractMetrics` method to `PreviewController` to retrieve content metrics from the preview panel (Thibaud Colas)
 * Refine hover / focus styles for title field’s comment button (Srishti Jaiswal)
 * Preserve "Collapse all" button state when switching between editor tabs (Raghad Dahi)
 * Upgrade modelsearch to 1.3 (Matt Westcott)
 * Implement checker error highlights within the preview panel (Thibaud Colas)
 * Add `routablefullpageurl` template tag (Pravin Kamble)
 * Add support for customizing page explorer views per page type using `PageViewSet` (Sage Abdullah)
 * Enhance page content type usage view with custom listings and ability to create new pages (Sage Abdullah)
 * Add CI job for testing with latest versions of all dependencies (Sage Abdullah)
</tr></table>

... (truncated)

Commits
  • 213059f Update codecov CircleCI Orb to v6.0.0
  • 8307b34 Version bump to 7.4.2
  • 7f4e492 Release notes for security fixes in 7.4.2
  • 74f07e5 Add credits for 7.0.8 changelog
  • ce36e59 Release notes for 7.3.3
  • b3fbc91 Release notes for 7.0.8
  • 6091cb7 Bail early from the URL generator view if frontend serve view is absent
  • 314468f Fix reflected XSS by switching URLGeneratorView error handling response to te...
  • cbaf6f6 Add tests
  • b3eb634 Use the "change" / "can edit" permissions
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jun 22, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 22, 2026 06:20
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jun 22, 2026
@dependabot dependabot Bot mentioned this pull request Jun 22, 2026
Closed
@dependabot @jrdh
pip: (deps): bump wagtail from 7.3.2 to 7.4.2
a82509f 
Bumps [wagtail](https://github.com/wagtail/wagtail) from 7.3.2 to 7.4.2.
- [Release notes](https://github.com/wagtail/wagtail/releases)
- [Changelog](https://github.com/wagtail/wagtail/blob/main/CHANGELOG.txt)
- [Commits](wagtail/wagtail@v7.3.2...v7.4.2)

---
updated-dependencies:
- dependency-name: wagtail
  dependency-version: 7.4.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@jrdh jrdh force-pushed the dependabot/pip/wagtail-7.4.2 branch from 3dc6751 to a82509f Compare June 22, 2026 10:05
@sonarqubecloud

sonarqubecloud Bot commented Jun 22, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants