Skip to content

Bump wagtail from 4.2.4 to 7.4.2#1996

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/wagtail-7.4.2
Open

Bump wagtail from 4.2.4 to 7.4.2#1996
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/wagtail-7.4.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 16, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps wagtail from 4.2.4 to 7.4.2.

Release notes

Sourced from wagtail's releases.

7.4.2

  • CVE-2026-54259: Improper restriction handling on Documents and Images chosen endpoints
  • CVE-2026-54260: Denial of service via unbounded filter specs in the image preview
  • CVE-2026-54261: Improper permission handling in image preview
  • CVE-2026-54262: Pages translations can be created without page permissions when using simple_translation
  • CVE-2026-54263: Reflected XSS in dynamic image URL generator view
  • Fix: Prevent spurious migrations when there are missing child blocks in StructBlock.Meta.form_layout (Matthias Brück, Sage Abdullah)
  • Fix: Prevent error in usage views when using gettext_lazy for a model's verbose_name (James Biggs)
  • Fix: Prevent development markdown files from being added to virtual environment root upon installation (Dan Braghis)
  • Fix: Prevent StreamField blocks referenced multiple times from losing their required state after deferred validation (Sage Abdullah)
  • Docs: Add missing return in example views for template components (Tibor Leupold)

7.4.1

  • Fix: Reinstate missing file jquery.fileupload-validate.js (Rob Brackett)

7.4 LTS

  • Add is_deferred_validation flag to support skipping custom validation when saving drafts (Daniel Kirkham)
  • Update project template Dockerfile to build dependencies in a separate stage (Brylie Oxley, Akshat Gupta)
  • Add include_root parameter to admin pages API endpoint (Divyansh Mishra)
  • Add support for Flourish oEmbeds (Garrett Coakley)
  • Add support for Heyzine oEmbeds (Baptiste Darthenay)
  • Allow specifying creation_form_class on ChooserViewSet as a dotted path string (K Adithya)
  • Various user experience improvements to autosave and concurrent editing notifications (Sage Abdullah)
  • Allow validation of required StreamField blocks to be deferred on saving drafts (Sage Abdullah)
  • Add WAGTAILDOCS_MAX_UPLOAD_SIZE setting for specifying maximum document file size (Om Harsh)
  • Set the project template WAGTAILDOCS_MAX_UPLOAD_SIZE to 10MB (Thibaud Colas)
  • Optimize combining of querysets in site history report (Alex Bridge)
  • Add more informative error for format-* operations on SVG images (Ankit Kumar)
  • Store preview data in new FormState model to improve compatibility with cookie-based sessions (Sage Abdullah)
  • Change StreamBlock options so groups are shown in declaration order of their blocks (Darshan Kerkar)
  • Add WAGTAILADMIN_PAGE_SEARCH_FILTER_BY_PERMISSIONS setting to disable permission filtering on page searches (Matt Westcott)
  • Use choice label when displaying choice fields in SnippetViewSet/ModelViewSet's list_display (Srishti Jaiswal)
  • Add new content check empty-meta-description to validate meta description tags are not empty (Thibaud Colas)
  • Add extractMetrics method to PreviewController to retrieve content metrics from the preview panel (Thibaud Colas)
  • Refine hover / focus styles for title field’s comment button (Srishti Jaiswal)
  • Preserve "Collapse all" button state when switching between editor tabs (Raghad Dahi)
  • Upgrade modelsearch to 1.3 (Matt Westcott)
  • Implement checker error highlights within the preview panel (Thibaud Colas)
  • Add routablefullpageurl template tag (Pravin Kamble)
  • Add support for customizing page explorer views per page type using PageViewSet (Sage Abdullah)
  • Enhance page content type usage view with custom listings and ability to create new pages (Sage Abdullah)
  • Fix: CVE-2026-44197: Improper permission handling when comparing revisions (Seoyoung Kang, Jake Howard)
  • Fix: CVE-2026-44198: Improper permission handling when viewing page history (Seoyoung Kang, Jake Howard, Dan Braghis)
  • Fix: CVE-2026-44199: Improper permission handling when deleting form submissions (Vishal Shukla, Jake Howard)
  • Fix: CVE-2026-44200: Improper permission handling when copying pages (Sanjok Karki, Matt Westcott)
  • Fix: CVE-2026-44201: Improper restriction handling on Documents and Images API (Sanjok Karki, Jake Howard)
  • Fix: Handle nested inline models when displaying object usage information (Sage Abdullah, Kacper Walęga, Tian Jie Wong)
  • Fix: Avoid duplicate get_object() DB query in API detail view (Siddheshwar Kadam)
  • Fix: Ensure ImageBlock alt text populates on choosing a new image after unchecking decorative state (Pratham Jaiswal)
  • Fix: Set verbose_name_plural for Query model in search promotions app (Saptami)

... (truncated)

Changelog

Sourced from wagtail's changelog.

7.4.2 (15.06.2026)


 * CVE-2026-54259: Improper restriction handling on Documents and Images chosen endpoints
 * CVE-2026-54260: Denial of service via unbounded filter specs in the image preview
 * CVE-2026-54261: Improper permission handling in image preview
 * CVE-2026-54262: Pages translations can be created without page permissions when using simple_translation
 * CVE-2026-54263: Reflected XSS in dynamic image URL generator view
 * Fix: Prevent spurious migrations when there are missing child blocks in `StructBlock.Meta.form_layout` (Matthias Brück, Sage Abdullah)
 * Fix: Prevent error in usage views when using `gettext_lazy` for a model's `verbose_name` (James Biggs)
 * Fix: Prevent development markdown files from being added to virtual environment root upon installation (Dan Braghis)
 * Fix: Prevent StreamField blocks referenced multiple times from losing their required state after deferred validation (Sage Abdullah)
 * Docs: Add missing `return` in example views for template components (Tibor Leupold)

7.4.1 (19.05.2026)

  • Fix: Reinstate missing file jquery.fileupload-validate.js (Rob Brackett)

7.4 LTS (05.05.2026)


 * Add `is_deferred_validation` flag to support skipping custom validation when saving drafts (Daniel Kirkham)
 * Update project template Dockerfile to build dependencies in a separate stage (Brylie Oxley, Akshat Gupta)
 * Add `include_root` parameter to admin pages API endpoint (Divyansh Mishra)
 * Add support for Flourish oEmbeds (Garrett Coakley)
 * Add support for Heyzine oEmbeds (Baptiste Darthenay)
 * Allow specifying `creation_form_class` on `ChooserViewSet` as a dotted path string (K Adithya)
 * Various user experience improvements to autosave and concurrent editing notifications (Sage Abdullah)
 * Allow validation of required StreamField blocks to be deferred on saving drafts (Sage Abdullah)
 * Add `WAGTAILDOCS_MAX_UPLOAD_SIZE` setting for specifying maximum document file size (Om Harsh)
 * Set the project template `WAGTAILDOCS_MAX_UPLOAD_SIZE` to 10MB (Thibaud Colas)
 * Optimize combining of querysets in site history report (Alex Bridge)
 * Add more informative error for `format-*` operations on SVG images (Ankit Kumar)
 * Store preview data in new `FormState` model to improve compatibility with cookie-based sessions (Sage Abdullah)
 * Change StreamBlock options so groups are shown in declaration order of their blocks (Darshan Kerkar)
 * Add `WAGTAILADMIN_PAGE_SEARCH_FILTER_BY_PERMISSIONS` setting to disable permission filtering on page searches (Matt Westcott)
 * Use choice label when displaying choice fields in `SnippetViewSet`/`ModelViewSet`'s `list_display` (Srishti Jaiswal)
 * Add new content check `empty-meta-description` to validate meta description tags are not empty (Thibaud Colas)
 * Add `extractMetrics` method to `PreviewController` to retrieve content metrics from the preview panel (Thibaud Colas)
 * Refine hover / focus styles for title field’s comment button (Srishti Jaiswal)
 * Preserve "Collapse all" button state when switching between editor tabs (Raghad Dahi)
 * Upgrade modelsearch to 1.3 (Matt Westcott)
 * Implement checker error highlights within the preview panel (Thibaud Colas)
 * Add `routablefullpageurl` template tag (Pravin Kamble)
 * Add support for customizing page explorer views per page type using `PageViewSet` (Sage Abdullah)
 * Enhance page content type usage view with custom listings and ability to create new pages (Sage Abdullah)
 * Add CI job for testing with latest versions of all dependencies (Sage Abdullah)
</tr></table>

... (truncated)

Commits
  • 213059f Update codecov CircleCI Orb to v6.0.0
  • 8307b34 Version bump to 7.4.2
  • 7f4e492 Release notes for security fixes in 7.4.2
  • 74f07e5 Add credits for 7.0.8 changelog
  • ce36e59 Release notes for 7.3.3
  • b3fbc91 Release notes for 7.0.8
  • 6091cb7 Bail early from the URL generator view if frontend serve view is absent
  • 314468f Fix reflected XSS by switching URLGeneratorView error handling response to te...
  • cbaf6f6 Add tests
  • b3eb634 Use the "change" / "can edit" permissions
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jun 16, 2026
@dependabot dependabot Bot mentioned this pull request Jun 16, 2026
Closed
@dependabot
Bump wagtail from 4.2.4 to 7.4.2
ad44819 
Bumps [wagtail](https://github.com/wagtail/wagtail) from 4.2.4 to 7.4.2.
- [Release notes](https://github.com/wagtail/wagtail/releases)
- [Changelog](https://github.com/wagtail/wagtail/blob/main/CHANGELOG.txt)
- [Commits](wagtail/wagtail@v4.2.4...v7.4.2)

---
updated-dependencies:
- dependency-name: wagtail
  dependency-version: 7.4.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/wagtail-7.4.2 branch from 3cdb154 to ad44819 Compare June 17, 2026 14:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants