[Snyk] Fix for 3 vulnerabilities

[robertatakenaka]

Snyk has created this PR to fix 3 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

• requirements/local.txt

⚠️ Warning

django-extensions 3.2.3 requires Django, which is not installed.
django-debug-toolbar 3.8.1 requires sqlparse, which is not installed.
django-debug-toolbar 3.8.1 requires django, which is not installed.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.
• Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 SQL Injection
🦉 Allocation of Resources Without Limits or Throttling

[Copilot]

Pull request overview

This Snyk-generated PR attempts to fix 3 security vulnerabilities by updating Django and sqlparse. However, the implementation has critical issues that need to be addressed before merging.

Key Issues:

• The PR adds django>=4.2.27 to local.txt, but Django is already pinned at 5.2.7 in base.txt, creating a dependency conflict
• A duplicate entry for django-test-migrations==1.3.0 exists in the file
• The sqlparse pinning may be redundant since Django 5.2.7 likely already includes a safe version

Recommended Action: Reject this PR and manually verify that the existing Django 5.2.7 in base.txt already addresses these vulnerabilities. If not, update Django in base.txt rather than adding conflicting pins in local.txt.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

While sqlparse is a transitive dependency of Django and django-debug-toolbar, pinning it with >= instead of == could lead to unexpected version updates that may introduce breaking changes or incompatibilities.

Following the pattern used elsewhere in this file (e.g., tornado>=6.3.3 on line 39) and in requirements/base.txt (e.g., certifi>=2025.10.5), the >= operator is acceptable for security pins. However, note that sqlparse is included with Django, so if Django is already at 5.2.7 in base.txt, it likely already includes a safe version of sqlparse. Verify this is necessary to avoid redundant pinning.

Suggested change

	django>=4.2.27 # not directly required, pinned by Snyk to avoid a vulnerability
	sqlparse>=0.5.4 # not directly required, pinned by Snyk to avoid a vulnerability
	django>=4.2.27 # not directly required, pinned by Snyk to avoid a vulnerability

[Copilot]

This line is a duplicate of line 15. The dependency django-test-migrations==1.3.0 is already declared earlier in the file and should not be repeated.

Suggested change

django-test-migrations==1.3.0

[Copilot]

This Django version constraint conflicts with the existing pinned version in requirements/base.txt (line 19: django==5.2.7). Since local.txt includes base.txt via -r base.txt, adding django>=4.2.27 here will create a conflict during installation. Django is already pinned at 5.2.7 in base.txt, which is higher than the 4.2.27 minimum specified here.

If the intent is to fix vulnerabilities in Django, the fix should be applied to requirements/base.txt instead, as that's where Django is directly managed for this project. The current approach will either be ignored (if base.txt takes precedence) or cause installation issues.

Suggested change

django>=4.2.27 # not directly required, pinned by Snyk to avoid a vulnerability