2026.05.14

This week's push hero is @eviljeff

Previous Release: 2026.04.30

Blockers:

Cherry-picks:

• mozilla/addons-frontend@a927a3b

Before we push:

Before we start:

Before we promote:

After we're done:

• sync cinder policies with ./manage.py sync_cinder_policies - not executed - the sync command has a bug

Addons-Frontend Changelog:

mozilla/addons-frontend@2026.04.30...2026.05.14-1

Addons Server Changelog:

What's Changed

Notable things shipping

• Add logic to find actions that can be automatically executed from a list of policies by @diox in #24807
• Fix some pip packages names by @diox in #24818
• Keep continue-on-error in _test_check.yml for now by @diox in #24820
• Implement policy-based scanner actions by @diox in #24796
• Limit content review triggers to extensions and dictionaries by @eviljeff in #24823
• AMOENG-2480 - Use a FxA secret instead of the access-token for the support API endpoint by @bakulf in #24813
• Update contact form by @bacharakis in #24819
• Always record Promoted Approval when approving add-on versions by @diox in #24824
• Cope with blank enforcement_actions field in cinder policy admin by @diox in #24831
• Allow admins to include a soft-blocked version in their add/change blocklistsubmission by @diox in #24830
• drop ReviewActionReasons support in reviewer tools, and cinder_policy_review_reasons switch by @eviljeff in #24825
• Refactor ReviewBase.set_promoted() to avoid calling promoted_groups() twice by @diox in #24833
• AMOENG-2486 throttling for the contact form submission + input fields max length by @bakulf in #24832
• Make policy selection in scanner rule admin optional by @diox in #24836
• Replace placeholders with empty string in policy text by @diox in #24835
• Remove useless colon character in pull request template by @diox in #24838
• Instruct dependabot to search for requirements starting at the root by @diox in #24843
• drop CinderJob.decision property by @eviljeff in #24864
• When syncing policies disable unpublished in reviewer tools by @eviljeff in #24842
• cache existing Blocks so reversing delayed block actions doesn't fail by @eviljeff in #24863
• update CheckConstraint to use condition kwarg over check by @eviljeff in #24866
• Move auto_approval prevention in rejection code to the ContentAction by @diox in #24871
• Don't allow appeals if content review has been requested already and vice-versa by @diox in #24837

Dependendabots

• Bump nginx from 1.29.8 to 1.29.8 by @dependabot[bot] in #24794
• Bump redis from 6.2.21 to 6.2.21 by @dependabot[bot] in #24795
• Bump mysql from 8.4.8 to 8.4.8 by @dependabot[bot] in #24787
• Bump django-dbbackup from 5.2.0 to 5.3.0 in /requirements by @dependabot[bot] in #24776
• Bump django-tables2 from 2.8.0 to 3.0.0 in /requirements by @dependabot[bot] in #24781
• Bump rich from 14.3.3 to 15.0.0 in /requirements by @dependabot[bot] in #24784
• Bump addons-linter from 10.3.0 to 10.4.0 by @dependabot[bot] in #24814
• Bump nginx from 1.29.8 to 1.29.8 by @dependabot[bot] in #24816
• Bump redis from 6.2.21 to 6.2.21 by @dependabot[bot] in #24817
• Bump stylelint from 17.8.0 to 17.9.1 by @dependabot[bot] in #24828
• Bump vitest from 4.1.4 to 4.1.5 by @dependabot[bot] in #24811
• Bump pip from 26.0.1 to 26.1 by @dependabot[bot] in #24857
• Bump certifi from 2026.2.25 to 2026.4.22 by @dependabot[bot] in #24854
• Bump pathspec from 0.12.1 to 1.1.1 by @dependabot[bot] in #24860
• Bump django from 5.2.13 to 5.2.14 in /requirements by @dependabot[bot] in #24868
• Bump fast-uri from 3.0.1 to 3.1.2 by @dependabot[bot] in #24867
• Bump @babel/plugin-transform-modules-systemjs from 7.29.0 to 7.29.4 by @dependabot[bot] in #24869
• Bump urllib3 from 2.6.3 to 2.7.0 in /requirements by @dependabot[bot] in #24884
• Bump @babel/preset-env from 7.29.2 to 7.29.3 by @dependabot[bot] in #24865
• Bump eslint from 10.2.1 to 10.3.0 by @dependabot[bot] in #24872
• Bump stylelint from 17.9.1 to 17.10.0 by @dependabot[bot] in #24876
• Bump ruff from 0.15.10 to 0.15.12 by @dependabot[bot] in #24859

New Contributors

• @bacharakis made their first contribution in #24819

Full Changelog: 2026.04.30...2026.05.14

2026.04.30

This week's push hero is @eviljeff

Previous Release: 2026.04.16-1

Blockers:

Cherry-picks:

Before we push:

Before we start:

Before we promote:

After we're done:

Addons-Frontend Changelog:

mozilla/addons-frontend@2026.04.16...2026.04.30

Addons Server Changelog:

What's Changed

Notable things shipping

• Always send add-ons to NARC when metadata changes now that summaries are considered by @diox in #24766
• Fix GH actions pin comments to point to the exact version by @diox in #24786
• Bump yara-x to 2024.04.20 by @willdurand in #24777
• Define versions of docker images for local environments more explicitly by @diox in #24761
• Added support for follow-up actions by @eviljeff in #24732
• Give ContentAction classes an action attribute by @diox in #24785
• AMOENG-2475 - Use the correct FxA endpoints for the contact support form (stage/prod) by @bakulf in #24800
• Point to the new BigQuery stats views behind a switch by @willdurand in #24801
• Linkify urls in the scanner result details by @willdurand in #24806
• Unblock addon versions from follow-up actions on appeal by @eviljeff in #24799
• Make configuration of scanner rules possible immediately at creation by @diox in #24808
• Introduce a new WithResultsFilter in the scanner results admin by @willdurand in #24809

Dependendabots

• Bump @eslint/compat from 2.0.3 to 2.0.5 by @dependabot[bot] in #24762
• Bump dotenv from 17.3.1 to 17.4.1 by @dependabot[bot] in #24738
• Bump eslint-plugin-simple-import-sort from 12.1.1 to 13.0.0 by @dependabot[bot] in #24746
• Bump drf-spectacular-sidecar from 2026.3.1 to 2026.4.1 in /requirements by @dependabot[bot] in #24757
• Bump netmask from 2.0.2 to 2.1.0 by @dependabot[bot] in #24744
• Bump regex from 2026.2.28 to 2026.4.4 in /requirements by @dependabot[bot] in #24758
• Bump grpcio from 1.78.0 to 1.80.0 in /requirements by @dependabot[bot] in #24753
• Bump click from 8.3.1 to 8.3.2 in /requirements by @dependabot[bot] in #24734
• Bump attrs from 25.4.0 to 26.1.0 in /requirements by @dependabot[bot] in #24669
• Bump prettier from 3.8.1 to 3.8.2 by @dependabot[bot] in #24772
• Bump ruff from 0.15.9 to 0.15.10 in /requirements by @dependabot[bot] in #24774
• Bump click from 8.3.1 to 8.3.2 in /requirements by @dependabot[bot] in #24768
• Bump lxml from 6.0.2 to 6.0.3 in /requirements by @dependabot[bot] in #24773
• Bump actions/upload-pages-artifact from 4.0.0 to 5.0.0 by @dependabot[bot] in #24765
• Bump lxml from 6.0.3 to 6.1.0 in /requirements by @dependabot[bot] in #24790
• Bump stylelint from 17.6.0 to 17.8.0 by @dependabot[bot] in #24798
• Bump netmask from 2.1.0 to 2.1.1 by @dependabot[bot] in #24767
• Bump drf-spectacular-sidecar from 2026.4.1 to 2026.4.14 in /requirements by @dependabot[bot] in #24793
• Bump tomli from 2.4.0 to 2.4.1 in /requirements by @dependabot[bot] in #24699
• Bump bitarray from 3.8.0 to 3.8.1 in /requirements by @dependabot[bot] in #24750
• Bump panzoom from 9.4.3 to 9.4.4 by @dependabot[bot] in #24700
• Bump dotenv from 17.4.1 to 17.4.2 by @dependabot[bot] in #24780
• Bump vitest from 4.1.2 to 4.1.4 by @dependabot[bot] in #24769
• Bump packaging from 26.0 to 26.1 in /requirements by @dependabot[bot] in #24792
• Bump globals from 17.4.0 to 17.5.0 by @dependabot[bot] in #24782
• Bump prettier from 3.8.2 to 3.8.3 by @dependabot[bot] in #24791
• Bump eslint from 10.2.0 to 10.2.1 by @dependabot[bot] in #24804
• Bump sentry-sdk from 2.56.0 to 2.58.0 in /requirements by @dependabot[bot] in #24788
• Bump actions/setup-node from 6.3.0 to 6.4.0 by @dependabot[bot] in #24805

Full Changelog: 2026.04.16-1...2026.04.30

2026.04.16-1

Cherry-pick for fdd0330 on top of 2026.04.16

2026.04.16

This week's push hero is @diox

Previous Release: 2026.04.02-1

Blockers:

Cherry-picks:

Before we push:

Before we start:

Before we promote:

After we're done:

Addons-Frontend Changelog:

mozilla/addons-frontend@2026.04.02...2026.04.16

Addons Server Changelog:

What's Changed

Notable things shipping

• Switch to forked yara-x by @willdurand in #24677
• Process decisions from Cinder without a known job by @eviljeff in #24679
• Update dependabot.yml by @eviljeff in #24688
• Allow accessing promoted add-on admin page by Add-on GUID or slug by @diox in #24690
• Optimize generate_lowercase_homoglyphs_variants_for_string() by @diox in #24706
• add docker hub token for auth'd requested; add cooldown back into dependabot.yml by @eviljeff in #24703
• switch elasticsearch to use official docker image by @eviljeff in #24714
• Obey relevant max_length when importing strings from the XPI by @diox in #24713
• Add github registry auth to dependabot config by @eviljeff in #24715
• Create a content review cinderjob on created webhook payload by @eviljeff in #24711
• Revert "Add github registry auth to dependabot config" by @diox in #24716
• Check dependabot daily for all ecosystems now that there is cooldown by @diox in #24720
• Add github registry auth to dependabot config by @diox in #24722
• Ask dependabot to ignore elasticsearch 9.x in docker_compose by @diox in #24724
• set override_of on new decision by @eviljeff in #24721
• Don't allow developers to download attachments on private comments by @diox in #24729
• Move yara-x to its own requirements.txt file by @willdurand in #24733
• AMOENG-2436 - Contact Support form UI improvements by @bakulf in #24723
• Add option to scan add-on summaries with NARC by @diox in #24731
• Allow multiple BlocklistSubmission in parallel for the same version by @diox in #24728
• Omit match field in narc results by @willdurand in #24730

Dependendabots

• Bump mozilla/autograph from 7.5.5 to 7.7.4 by @dependabot[bot] in #24696
• Bump mozilla/addons-frontend from 2025.11.27 to 2026.04.02 by @dependabot[bot] in #24695
• Bump actions/deploy-pages from 4 to 5 by @dependabot[bot] in #24691
• Bump elasticsearch/elasticsearch from 8.19.8 to 8.19.13 by @dependabot[bot] in #24692
• Bump rhysd/actionlint from 1.7.9 to 1.7.12 by @dependabot[bot] in #24697
• Bump actions/configure-pages from 5 to 6 by @dependabot[bot] in #24693
• Bump stylelint from 17.5.0 to 17.6.0 by @dependabot[bot] in #24698
• Bump vitest from 4.1.1 to 4.1.2 by @dependabot[bot] in #24705
• Bump @rollup/plugin-babel from 6.1.0 to 7.0.0 by @dependabot[bot] in #24592
• Bump lodash from 4.17.23 to 4.18.1 by @dependabot[bot] in #24707
• Bump vite from 7.3.1 to 7.3.2 by @dependabot[bot] in #24709
• Bump ruff from 0.15.7 to 0.15.8 in /requirements by @dependabot[bot] in #24704
• Bump django-debug-toolbar from 6.2.0 to 6.3.0 in /requirements by @dependabot[bot] in #24725
• Bump ruff from 0.15.8 to 0.15.9 in /requirements by @dependabot[bot] in #24726
• Bump zizmorcore/zizmor from 1.18.0 to 1.23.1 by @dependabot[bot] in #24694
• Bump django from 5.2.12 to 5.2.13 in /requirements by @dependabot[bot] in #24739
• Bump cryptography from 46.0.6 to 46.0.7 in /requirements by @dependabot[bot] in #24740
• Bump pillow from 12.1.1 to 12.2.0 in /requirements by @dependabot[bot] in #24741
• Bump proto-plus from 1.27.1 to 1.27.2 in /requirements by @dependabot[bot] in #24760
• Bump djangorestframework from 3.17.0 to 3.17.1 in /requirements by @dependabot[bot] in #24752
• Bump ipython from 9.11.0 to 9.12.0 in /requirements by @dependabot[bot] in #24755
• Bump pytest from 9.0.2 to 9.0.3 in /requirements by @dependabot[bot] in #24742
• Bump googleapis-common-protos from 1.73.0 to 1.74.0 in /requirements by @dependabot[bot] in #24754
• Bump charset-normalizer from 3.4.6 to 3.4.7 in /requirements by @dependabot[bot] in #24756
• Bump requests from 2.33.0 to 2.33.1 in /requirements by @dependabot[bot] in #24751
• Bump eslint from 10.1.0 to 10.2.0 by @dependabot[bot] in #24737
• Bump @vitest/eslint-plugin from 1.6.13 to 1.6.14 by @dependabot[bot] in #24712

Full Changelog: 2026.04.02...2026.04.16

2026.04.02-1

Cherry-pick for dbbf0ca on top of 2026.04.02

2026.04.02

This week's push hero is @eviljeff

Previous Release: 2026.03.19-1

Blockers:

Cherry-picks:

Before we push:

Before we start:

Before we promote:

After we're done:

Addons-Frontend Changelog:

Addons Server Changelog:

What's Changed

Notable things shipping

• Fix softening of blocks on unban by @diox in #24620
• AMOENG-2377 - Introduce an email lookup API endpoint by @bakulf in #24591
• Add a service_account (UserProfile) FK to ScannerWebhook by @willdurand in #24621
• Remove ohfp from headers that trigger session anomalies, it creates too much noise by @diox in #24624
• Remove obsolete CSS that affect fonts by @diox in #24625
• upgrade django to 5.2 by @eviljeff in #24614
• Wrap long JSON scanner results in the admin by @willdurand in #24622
• Denying an appeal on Listing Content Rejection should drop requested by @eviljeff in #24632
• Introduce a new API endpoint to let scanners push their results by @willdurand in #24601
• Font in developer/reviewer replies in devhub shouldn't be monospace by @diox in #24643
• Move upload source step after details in submission flow by @willdurand in #24589
• Hide API key secret after generation by @diox in #24641
• add tasks that submit new addons and changes for content review to cinder by @eviljeff in #24642
• Update and restyle how we expose listing content rejection in devhub by @diox in #24647
• Expose number of matched add-ons on scanner results (and query results) page by @diox in #24652
• Fix clipboard interaction in manage API key page by @diox in #24654
• Update the style of the scanner details in the reviewer tools by @willdurand in #24633
• Simplify DiscoveryAddon admin filtering by promoted group by @diox in #24655
• Tweak css to better display the narc results in the reviewer tools by @willdurand in #24663
• Additional confusable characters by @diox in #24665
• AMOENG-2407 - Introduce a new serializer for the lookup API endpoint and account retrieval with the Users:Lookup permission by @bakulf in #24653
• Add triggers for new addons and metadata change to submit to Cinder by @eviljeff in #24662
• AMOENG-2401 - support form in devhub by @bakulf in #24646
• Don't consider i18n placeholders as regexp syntax by @diox in #24678
• Add is_active field to ScannerWebhookEvent to prevent data loss when updating events bound to a webhook scanner by @willdurand in #24664

Dependendabots

• Bump less from 4.5.1 to 4.6.2 by @dependabot[bot] in #24619
• Bump less from 4.6.2 to 4.6.3 by @dependabot[bot] in #24623
• Bump flatted from 3.4.1 to 3.4.2 by @dependabot[bot] in #24626
• Bump @vitest/eslint-plugin from 1.6.10 to 1.6.11 by @dependabot[bot] in #24630
• Bump ruff from 0.15.5 to 0.15.6 in /requirements by @dependabot[bot] in #24627
• Bump @vitest/eslint-plugin from 1.6.11 to 1.6.12 by @dependabot[bot] in #24636
• Bump picomatch by @dependabot[bot] in #24656
• Bump knip from 5.86.0 to 5.88.0 by @dependabot[bot] in #24648
• Bump sentry-sdk from 2.54.0 to 2.55.0 in /requirements by @dependabot[bot] in #24651
• Bump addons-linter from 10.1.0 to 10.2.0 by @dependabot[bot] in #24649
• Bump @babel/preset-env from 7.29.0 to 7.29.2 by @dependabot[bot] in #24644
• Bump vitest from 4.0.18 to 4.1.0 by @dependabot[bot] in #24628
• Bump pyjwt from 2.12.0 to 2.12.1 in /requirements by @dependabot[bot] in #24640
• Bump charset-normalizer from 3.4.5 to 3.4.6 in /requirements by @dependabot[bot] in #24639
• Bump requests from 2.32.5 to 2.33.0 in /requirements by @dependabot[bot] in #24657
• Bump imagesize from 1.4.1 to 2.0.0 in /requirements by @dependabot[bot] in #24585
• Bump pytz from 2025.2 to 2026.1.post1 in /requirements by @dependabot[bot] in #24581
• Bump pyuwsgi from 2.0.30 to 2.0.30.post1 in /requirements by @dependabot[bot] in #24559
• Bump dockerflow from 2026.1.26 to 2026.3.4 in /requirements by @dependabot[bot] in #24583
• Bump ruff from 0.15.6 to 0.15.7 in /requirements by @dependabot[bot] in #24667
• Bump stylelint from 17.4.0 to 17.5.0 by @dependabot[bot] in #24666
• Bump the google group across 1 directory with 4 updates by @dependabot[bot] in #24650
• Bump django-model-info from 2024.11.5 to 2026.3.1 in /requirements by @dependabot[bot] in #24637
• Bump protobuf from 6.33.5 to 6.33.6 in /requirements by @dependabot[bot] in #24658
• Bump googleapis-common-protos from 1.72.0 to 1.73.0 in /requirements by @dependabot[bot] in #24611
• Bump actions/checkout from 5 to 6 by @dependabot[bot] in #24179
• Bump brace-expansion by @dependabot[bot] in #24671
• Bump cryptography from 46.0.5 to 46.0.6 in /requirements by @dependabot[bot] in #24672
• Bump @vitest/eslint-plugin from 1.6.12 to 1.6.13 by @dependabot[bot] in #24675
• Bump eslint from 10.0.3 to 10.1.0 by @dependabot[bot] in #24674
• Bump less from 4.6.3 to 4.6.4 by @dependabot[bot] in #24635
• Bump djangorestframework from 3.16.1 to 3.17.0 in /requirements by @dependabot[bot] in #24661
• Bump pygments from 2.19.2 to 2.20.0 in /requirements by @dependabot[bot] in #24680
• Bump addons-linter from 10.2.0 to 10.3.0 by @dependabot[bot] in #24686
• Bump sentry-sdk from 2.55.0 to 2.56.0 in /requirements by @dependabot[bot] in #24685
• Bump stylelint-config-standard-less from 4.0.1 to 4.1.0 by @dependabot[bot] in #24684
• Bump vitest from 4.1.0 to 4.1.1 by @dependabot[bot] in #24683
• Bump google-cloud-storage from 3.10.0 to 3.10.1 in /requirements in the google group across 1 directory by @dependabot[bot] in #24673

Full Changelog: 2026.03.19...2026.04.02

2026.03.19-1

Cherry-pick for df47da3 on top of 2026.03.19

2026.03.19

This week's push hero is @diox

Previous Release: 2026.03.05-2

Before publishing this release:

• Switch addons-customs-scanner deploy job for stage & prod to use Node 22
• Make a new version of addons-customs-scanner, let it be deployed to stage

Blockers:

Cherry-picks:

Before we push:

Before we start:

Before we promote:

After we're done:

• Deploy addons-customs-scanner to prod. Verify that it's running Node 22.

Addons-Frontend Changelog:

mozilla/addons-frontend@2026.03.05...2025.03.19

Addons Server Changelog:

What's Changed

Notable things shipping

• Fix intermittent test failure by @willdurand in #24556
• Add a migration to remove the ScannerResult.state field entirely by @willdurand in #24555
• docs: remove scanner API docs in v4 by @willdurand in #24557
• Make ScannerResult.result field nullable by @willdurand in #24553
• Remove the ScannerResult.model_version field by @willdurand in #24564
• Handle 204 responses when calling webhooks by @willdurand in #24554
• Add a migration to remove the ScannerResult.model_version colum by @willdurand in #24562
• add allow_reasons for reject_listing_content action by @eviljeff in #24563
• Fix file permissions by @willdurand in #24561
• Update scanner pipeline docs by @willdurand in #24566
• Fix mass-block of add-ons with at least one version already blocked by @diox in #24569
• Add a new AutoApprovalSummary check to wait on scanners by @willdurand in #24533
• Add git, make, and jq to setup_and_configuration docs by @eviljeff in #24573
• Bump Node.js to 22.x by @diox in #24577
• docs: mark during_validation as deprecated by @willdurand in #24578
• Add explicit support for scanner annotations by @willdurand in #24572
• docs: move annotations section under webhook scanners by @willdurand in #24582
• Remove old IE CSS directives by @willdurand in #24590
• Add a new permission to download files by @willdurand in #24587
• Record which blocks were performed on ban for each user, revert them on unban by @diox in #24570
• rm unneeded django-dbbackup setting by @eviljeff in #24594
• Bump MySQL client (and server for local environments) to 8.4 by @diox in #24586
• django52 fixes by @eviljeff in #24588
• Additional confusables characters + deduping existing by @diox in #24612
• docs: update scanner example by @willdurand in #24615
• Get rid of pattern and span meta fields in narc scanner results by @willdurand in #24613
• List the permissions of a user in the scanner webhook and user admin pages by @willdurand in #24600
• correct email for cases when add-on will not be public despite approval by @eviljeff in #24606
• replace datetime.utcnow by @eviljeff in #24618

Dependendabots

• Bump @eslint/js from 9.39.2 to 10.0.1 by @dependabot[bot] in #24464
• Bump django from 4.2.28 to 4.2.29 in /requirements by @dependabot[bot] in #24565
• Bump stylelint from 17.3.0 to 17.4.0 by @dependabot[bot] in #24568
• Bump addons-linter from 9.9.1 to 10.0.0 by @dependabot[bot] in #24584
• Bump yara-x from 1.13.0 to 1.14.0 in /requirements by @dependabot[bot] in #24598
• Bump undici from 7.22.0 to 7.24.1 by @dependabot[bot] in #24603
• Bump yauzl and addons-linter by @dependabot[bot] in #24602
• Bump pyjwt from 2.11.0 to 2.12.0 in /requirements by @dependabot[bot] in #24604
• Bump flatted from 3.3.3 to 3.4.1 by @dependabot[bot] in #24605
• Bump knip from 5.85.0 to 5.86.0 by @dependabot[bot] in #24610
• Bump ruff from 0.15.2 to 0.15.5 in /requirements by @dependabot[bot] in #24595
• Bump drf-spectacular-sidecar from 2026.1.1 to 2026.3.1 in /requirements by @dependabot[bot] in #24574
• Bump @eslint/compat from 2.0.2 to 2.0.3 by @dependabot[bot] in #24608
• Bump wrapt from 2.1.1 to 2.1.2 in /requirements by @dependabot[bot] in #24596
• Bump globals from 17.3.0 to 17.4.0 by @dependabot[bot] in #24575
• Bump eslint from 10.0.2 to 10.0.3 by @dependabot[bot] in #24607
• Bump regex from 2026.2.19 to 2026.2.28 in /requirements by @dependabot[bot] in #24576
• Bump sentry-sdk from 2.53.0 to 2.54.0 in /requirements by @dependabot[bot] in #24579
• Bump drf-yasg from 1.21.14 to 1.21.15 in /requirements by @dependabot[bot] in #24558
• Bump certifi from 2026.1.4 to 2026.2.25 in /requirements by @dependabot[bot] in #24560
• Bump charset-normalizer from 3.4.4 to 3.4.5 in /requirements by @dependabot[bot] in #24597
• Bump mmh3 from 5.2.0 to 5.2.1 in /requirements by @dependabot[bot] in #24599
• Bump @vitest/eslint-plugin from 1.6.9 to 1.6.10 by @dependabot[bot] in #24616
• Bump wcwidth from 0.5.3 to 0.6.0 in /requirements by @dependabot[bot] in #24467
• Bump ipython from 9.10.0 to 9.11.0 in /requirements by @dependabot[bot] in #24593

Full Changelog: 2026.03.05...2026.03.19

2026.03.05-2

Cherry-pick of 5f4a0f2 on top of 2026.03.05-1

2026.03.05-1

Cherry-picked the following commits on top of https://github.com/mozilla/addons-server/releases/tag/2026.03.05:

• 12dd190