[FIX] Re-bump djangorestframework 3.14.0 → 3.17.1#2105
[FIX] Re-bump djangorestframework 3.14.0 → 3.17.1#2105chandrasekharan-zipstack wants to merge 1 commit into
Conversation
Re-attempts the DRF upgrade reverted in #2098. 3.17.1 is chosen because it: - carries PR encode/django-rest-framework#9766 (3.17.0), so the auto UniqueTogetherValidator honors a UniqueConstraint's violation_error_message for friendly duplicate messages (used by cloud-side create-only serializers), - includes the CVE-2024-21520 (XSS) fix first shipped in 3.15.2. Safe to layer on top of the Meta.validators=[] changes in the parent commit, which neutralize the 3.15+ auto-validator for every upsert / IntegrityError-catch serializer. Django 4.2.30 + Python 3.12 satisfy DRF 3.17's floors. MUST be build + test + staging validated before merge (this bump caused the rc.343 regression). drf-yasg 1.21.7 / drf-standardized-errors compatibility with DRF 3.17 to be verified in CI. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01G8hAHc4HUo42zY1g9LAjKu
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
|
| Filename | Overview |
|---|---|
| pyproject.toml | Bumps DRF to 3.17.1 in the hook-check-django-migrations group, but leaves drf-yasg pinned at ==1.21.7 — an older version that was only ever tested against DRF 3.14, creating a mis-matched combination in the root lock. |
| backend/pyproject.toml | Bumps djangorestframework from 3.14.0 to 3.17.1; drf-yasg floor is already >=1.21.8 (resolves to 1.21.15), but 1.21.15 officially supports only up to DRF 3.15. |
| backend/uv.lock | Lock updated: djangorestframework 3.14.0→3.17.1; pytz removed as a DRF transitive dep (expected); drf-yasg resolves to 1.21.15. |
| uv.lock | Root lock updated: djangorestframework 3.14.0→3.17.1; drf-yasg stays at 1.21.7 — this version predates DRF 3.15 support and is now paired with DRF 3.17.1 in the migration hook group. |
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[DRF 3.14.0 → 3.17.1 bump] --> B[backend/pyproject.toml]
A --> C[pyproject.toml hook-check group]
B --> D["drf-yasg >= 1.21.8\n→ resolves to 1.21.15\n(DRF 3.13–3.15 supported officially)"]
B --> E["djangorestframework 3.17.1\n+ pytz dep removed"]
D --> F{Compatible?}
E --> F
F -->|Officially DRF 3.15 max| G[⚠️ Untested — checklist item open]
F -->|Likely works in practice| H[Staging smoke test needed]
C --> I["drf-yasg == 1.21.7 (unchanged)\nreleased Jul 2023 — DRF 3.14 era"]
C --> J["djangorestframework 3.17.1 (bumped)"]
I --> K{Compatible?}
J --> K
K -->|Version predates DRF 3.15 support| L[❌ Migration hook env mismatch]
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
A[DRF 3.14.0 → 3.17.1 bump] --> B[backend/pyproject.toml]
A --> C[pyproject.toml hook-check group]
B --> D["drf-yasg >= 1.21.8\n→ resolves to 1.21.15\n(DRF 3.13–3.15 supported officially)"]
B --> E["djangorestframework 3.17.1\n+ pytz dep removed"]
D --> F{Compatible?}
E --> F
F -->|Officially DRF 3.15 max| G[⚠️ Untested — checklist item open]
F -->|Likely works in practice| H[Staging smoke test needed]
C --> I["drf-yasg == 1.21.7 (unchanged)\nreleased Jul 2023 — DRF 3.14 era"]
C --> J["djangorestframework 3.17.1 (bumped)"]
I --> K{Compatible?}
J --> K
K -->|Version predates DRF 3.15 support| L[❌ Migration hook env mismatch]
Comments Outside Diff (1)
-
pyproject.toml, line 54 (link)drf-yasg==1.21.7in root hook group is now coupled with DRF 3.17.1The
hook-check-django-migrationsdependency group pinsdrf-yasg==1.21.7(released July 2023, only tested against DRF up to 3.14). After this bump, the rootuv.lockresolves that group todrf-yasg 1.21.7 + djangorestframework 3.17.1. If the hook environment runsmanage.pywithdrf_yasginINSTALLED_APPS, its startup introspection of DRF internals could raise anAttributeErrororImportError, causing the migration check to fail or silently skip.The backend's own
pyproject.tomlalready requires>=1.21.8(resolves to 1.21.15) — bringing the root hook group in line with that floor would remove the discrepancy and match what the real backend runs.Prompt To Fix With AI
This is a comment left during a code review. Path: pyproject.toml Line: 54 Comment: **`drf-yasg==1.21.7` in root hook group is now coupled with DRF 3.17.1** The `hook-check-django-migrations` dependency group pins `drf-yasg==1.21.7` (released July 2023, only tested against DRF up to 3.14). After this bump, the root `uv.lock` resolves that group to `drf-yasg 1.21.7 + djangorestframework 3.17.1`. If the hook environment runs `manage.py` with `drf_yasg` in `INSTALLED_APPS`, its startup introspection of DRF internals could raise an `AttributeError` or `ImportError`, causing the migration check to fail or silently skip. The backend's own `pyproject.toml` already requires `>=1.21.8` (resolves to 1.21.15) — bringing the root hook group in line with that floor would remove the discrepancy and match what the real backend runs. How can I resolve this? If you propose a fix, please make it concise.
Prompt To Fix All With AI
Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.
---
### Issue 1 of 2
pyproject.toml:54
**`drf-yasg==1.21.7` in root hook group is now coupled with DRF 3.17.1**
The `hook-check-django-migrations` dependency group pins `drf-yasg==1.21.7` (released July 2023, only tested against DRF up to 3.14). After this bump, the root `uv.lock` resolves that group to `drf-yasg 1.21.7 + djangorestframework 3.17.1`. If the hook environment runs `manage.py` with `drf_yasg` in `INSTALLED_APPS`, its startup introspection of DRF internals could raise an `AttributeError` or `ImportError`, causing the migration check to fail or silently skip.
The backend's own `pyproject.toml` already requires `>=1.21.8` (resolves to 1.21.15) — bringing the root hook group in line with that floor would remove the discrepancy and match what the real backend runs.
### Issue 2 of 2
backend/pyproject.toml:22
**drf-yasg officially supports only up to DRF 3.15**
The drf-yasg PyPI page lists its compatibility matrix as DRF 3.13, 3.14, and 3.15 — even for the latest release (1.21.15, resolved in `backend/uv.lock`). Bumping to DRF 3.17.1 falls outside that matrix. The PR checklist already marks schema generation as unvalidated; flagging here as a reminder that runtime failures (e.g., broken `AutoSchema` introspection used by `drf_yasg` to generate Swagger docs) won't be caught by unit tests and may only surface under full server startup or API docs endpoint hits in staging.
Reviews (1): Last reviewed commit: "[FIX] Re-bump djangorestframework 3.14.0..." | Re-trigger Greptile
| "cryptography>=48.0.1", | ||
| "django==4.2.30", | ||
| "djangorestframework==3.14.0", | ||
| "djangorestframework==3.17.1", |
There was a problem hiding this comment.
The drf-yasg PyPI page lists its compatibility matrix as DRF 3.13, 3.14, and 3.15 — even for the latest release (1.21.15, resolved in backend/uv.lock). Bumping to DRF 3.17.1 falls outside that matrix. The PR checklist already marks schema generation as unvalidated; flagging here as a reminder that runtime failures (e.g., broken AutoSchema introspection used by drf_yasg to generate Swagger docs) won't be caught by unit tests and may only surface under full server startup or API docs endpoint hits in staging.
Prompt To Fix With AI
This is a comment left during a code review.
Path: backend/pyproject.toml
Line: 22
Comment:
**drf-yasg officially supports only up to DRF 3.15**
The drf-yasg PyPI page lists its compatibility matrix as DRF 3.13, 3.14, and 3.15 — even for the latest release (1.21.15, resolved in `backend/uv.lock`). Bumping to DRF 3.17.1 falls outside that matrix. The PR checklist already marks schema generation as unvalidated; flagging here as a reminder that runtime failures (e.g., broken `AutoSchema` introspection used by `drf_yasg` to generate Swagger docs) won't be caught by unit tests and may only surface under full server startup or API docs endpoint hits in staging.
How can I resolve this? If you propose a fix, please make it concise.Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
What
Re-attempts the DRF upgrade, targeting 3.17.1 (not 3.15.2) because it:
UniqueTogetherValidatornow honors aUniqueConstraint'sviolation_error_message, giving friendly duplicate messages for create-only serializers (used by the cloud-side stacked PR).Why it's safe to re-bump now
The parent PR (#2104) sets
Meta.validators = []on every serializer whose view already owns uniqueness (upsert /IntegrityErrorcatch), so the 3.15+ auto-validator can't short-circuit those views anymore. The remaining create-only serializers that keep the validator are all cloud-side (pluggable_apps) and getviolation_error_messagein theunstract-cloudPR.Django 4.2.30 + Python 3.12 satisfy DRF 3.17's minimum floors.
Validation checklist (before un-drafting)
drf-yasg==1.21.7compatible with DRF 3.17 (schema generation doesn't break)drf-standardized-errorserror shape unchangedFiles
pyproject.toml,backend/pyproject.toml,uv.lock,backend/uv.lock— pin + lock3.14.0 → 3.17.1.🤖 Generated with Claude Code