chore(deps): update dependency django to v6.0.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
django (changelog)	==6.0 → ==6.0.2

GitHub Vulnerability Alerts

CVE-2025-13473

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

The django.contrib.auth.handlers.modwsgi.check_password() function for authentication via mod_wsgi allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Stackered for reporting this issue.

CVE-2025-14550

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

ASGIRequest allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Jiyong Yang for reporting this issue.

CVE-2026-1285

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

django.utils.text.Truncator.chars() and Truncator.words() methods (with html=True) and the truncatechars_html and truncatewords_html template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Seokchan Yoon for reporting this issue.

CVE-2026-1207

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

Raster lookups on RasterField (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Tarek Nakkouch for reporting this issue.

CVE-2026-1287

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

FilteredRelation is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet methods annotate(), aggregate(), extra(), values(), values_list(), and alias(). Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Solomon Kebede for reporting this issue.

CVE-2026-1312

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

.QuerySet.order_by() is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in FilteredRelation. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Solomon Kebede for reporting this issue.

---

Release Notes

django/django (django)

v6.0.2

Compare Source

v6.0.1

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Test results for commit 6472d9e

Test coverage for 6472d9e

Name           Stmts   Miss Branch BrPart  Cover   Missing
----------------------------------------------------------
src/charm.py      54      9      2      1    82%   72-78, 99-101, 114-116
src/state.py      85      1     16      1    98%   204
----------------------------------------------------------
TOTAL            139     10     18      2    92%

Static code analysis report

Run started:2026-02-10 07:31:25.546234+00:00

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 975
  Total lines skipped (#nosec): 0
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):

[github-actions]

Test results for commit 6472d9e

Test coverage for 6472d9e

Name            Stmts   Miss Branch BrPart  Cover   Missing
-----------------------------------------------------------
src/charm.py      140     31     36     14    73%   103-106, 111-112, 116, 123-125, 130->136, 135, 138, 149-150, 152, 154->160, 159, 165-166, 173-176, 209-210, 231, 237, 240, 255-278
src/policy.py      98     68     20      0    25%   24-26, 31, 40-44, 55, 72-76, 89-103, 133-134, 142, 175-196, 219-238, 249-257, 265-271, 279-284, 295-298
src/relay.py      142      8     46      2    95%   155->178, 252-268, 398-401
src/timer.py       11      4      0      0    64%   48-61
-----------------------------------------------------------
TOTAL             391    111    102     16    70%

Static code analysis report

Run started:2026-02-10 07:31:34.737226+00:00

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 1810
  Total lines skipped (#nosec): 6
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 1

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):

[github-actions]

Test results for commit 6472d9e

Test coverage for 6472d9e

Name           Stmts   Miss Branch BrPart  Cover   Missing
----------------------------------------------------------
src/charm.py     176     36     38      8    78%   67-69, 76-77, 81, 94, 97-98, 128, 170-200, 213->228, 221-227, 353-367
src/squid.py     110      6     34      5    92%   65, 75, 175, 264, 313, 322, 344->351, 346->348
----------------------------------------------------------
TOTAL            286     42     72     13    84%

Static code analysis report

Run started:2026-02-10 07:31:52.544489+00:00

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 2243
  Total lines skipped (#nosec): 1
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 1

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):