Mirror of https://github.com/zulip/zulip.git, synced 2025-11-02 04:53:36 +00:00
Send the `csrftoken` and `sessionid` cookies with `SameSite=Lax`.

This adds a layer of defense against CSRF attacks and matches the new default in Django 2.1: https://docs.djangoproject.com/en/2.1/releases/2.1/#samesite-cookies

This can be reverted when we upgrade to Django ≥ 2.1.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
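What the commit message above buys, as an added example (this is not Zulip's code or the commit's diff): part one appends `SameSite=Lax` to the `csrftoken` and `sessionid` `Set-Cookie` values the way a project on Django < 2.1 has to do it by hand (Django 2.1 added the `SESSION_COOKIE_SAMESITE` and `CSRF_COOKIE_SAMESITE` settings, which is why the commit says it can be reverted after the upgrade); part two is a small model, written for this example, of the rule a browser applies when deciding whether a cookie accompanies a request, so you can see which CSRF delivery vehicles lose the cookie. The `Request` fields and the `csrf_exposure` scenarios are this example's simplification, not a browser spec.

```python
"""Added example, not Zulip's code: what `SameSite=Lax` on `csrftoken` and
`sessionid` means for CSRF.

Part 1 post-processes Set-Cookie header values (Django < 2.1 needs a
middleware for this; Django 2.1 has SESSION_COOKIE_SAMESITE and
CSRF_COOKIE_SAMESITE).  Part 2 models the cross-site attach rule; the
Request fields are a simplification made for this example."""

from dataclasses import dataclass
from typing import Iterable, Optional

PROTECTED_COOKIES = frozenset({"csrftoken", "sessionid"})
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def add_samesite(set_cookie: str, value: str = "Lax",
                 names: Iterable[str] = PROTECTED_COOKIES) -> str:
    """Return `set_cookie` with `; SameSite=<value>` appended when the cookie
    is one of `names` and carries no SameSite attribute yet.  Other cookies
    and already-annotated cookies are returned untouched."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    if name not in names:
        return set_cookie
    if any(p.lower().startswith("samesite=") for p in parts[1:]):
        return set_cookie
    return set_cookie.rstrip() + "; SameSite=" + value


@dataclass(frozen=True)
class Request:
    method: str      # HTTP method the browser is about to use
    same_site: bool  # initiating page is on the same site as the cookie
    top_level: bool  # top-level navigation (link, form submit, address bar)
                     # rather than fetch/XHR/<img>/<iframe>


def browser_sends_cookie(samesite: Optional[str], req: Request) -> bool:
    """Is a cookie carrying `samesite` (None = attribute absent) attached to
    `req`?  Absent is modelled as "no restriction", the browser behaviour at
    the time of this commit; newer Chromium defaults a missing value to Lax."""
    if req.same_site:
        return True                      # SameSite only limits cross-site sends
    mode = (samesite or "none").lower()
    if mode == "none":
        return True
    if mode == "strict":
        return False                     # never on a cross-site request
    if mode == "lax":
        # Only top-level navigations with a safe method carry the cookie, so
        # a cross-site <form method="POST"> or fetch() arrives without it.
        return req.top_level and req.method.upper() in SAFE_METHODS
    raise ValueError(f"unknown SameSite value {samesite!r}")


def csrf_exposure(samesite: Optional[str]) -> dict:
    """Which classic CSRF delivery vehicles still carry the cookie."""
    return {
        "attacker form POST": browser_sends_cookie(samesite, Request("POST", False, True)),
        "attacker fetch POST": browser_sends_cookie(samesite, Request("POST", False, False)),
        "attacker link GET": browser_sends_cookie(samesite, Request("GET", False, True)),
        "own-site form POST": browser_sends_cookie(samesite, Request("POST", True, True)),
    }


if __name__ == "__main__":
    print(add_samesite("sessionid=abc123; HttpOnly; Path=/"))
    for mode in (None, "Lax", "Strict"):
        print(mode, csrf_exposure(mode))
```

The model makes the caveat visible: with `Lax` a cross-site top-level GET still carries the cookie, so any endpoint that changes state on GET is not covered, and a same-site page (a subdomain you do not control, for instance) is not restricted at all. That is why the commit calls this "a layer of defense" rather than a replacement for the CSRF token check.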
The dependency graph of the requirements is as follows:

```
dev          prod
+  +          +
|  +->common<-+
v
mypy,docs
```
Of the files, only dev, prod, and mypy have been used in the install scripts directly. The rest are implicit dependencies.
common and dev are locked.
Steps to update a lock file, e.g. to update ipython from 5.3.0 to 6.0.0 in
common.in and propagate it to dev.txt and prod.txt:

0. Replace `ipython==5.3.0` with `ipython==6.0.0` in common.in.
1. Run `./tools/update-locked-requirements`.
2. Increase `PROVISION_VERSION` in `version.py`.
3. Run `./tools/provision` to install the new deps and test them.
4. Commit your changes.
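A check for the state the steps above should leave you in, as an added example that is not part of this README or of Zulip's tooling: after `update-locked-requirements` has run, every pin in common.in must appear in each lock file at the same version, and every requirement must be pinned there. The requirements-file parser is a minimal model of pip's syntax (names, extras, `==` pins, comments, `-r` includes, environment markers), not pip's own, and the three file contents are constructed for this example, with prod.txt deliberately left stale.

```python
"""Added example (not Zulip's code): verify that a version bump in the
unlocked source file (common.in) has propagated into the locked files.
The requirement-line parser is a deliberate simplification of pip's."""

import re
from typing import Dict, List, Optional

# name, optional [extras], then `== version`; version stops at space, ';' or '#'
PIN_RE = re.compile(
    r"""^\s*([A-Za-z0-9][A-Za-z0-9._-]*)   # distribution name
        (?:\[[^\]]*\])?                    # optional extras
        \s*==\s*([^\s;#]+)""",             # exact pin
    re.X,
)
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of -_. become -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str) -> Dict[str, Optional[str]]:
    """Map normalized name -> pinned version (None when the line is not an
    `==` pin).  Blank lines, comments and `-r`/`-c` option lines are skipped."""
    pins: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
        else:
            n = NAME_RE.match(line)
            if n:
                pins[normalize(n.group(0))] = None
    return pins


def check_propagated(source_text: str, locks: Dict[str, str],
                     source_name: str = "common.in") -> Dict[str, List[str]]:
    """For each lock file, list the requirements from `source_text` that are
    missing, unpinned, or pinned to a different version than the source asks."""
    wanted = parse_pins(source_text)
    report: Dict[str, List[str]] = {}
    for lock_name, lock_text in locks.items():
        have = parse_pins(lock_text)
        issues: List[str] = []
        for name, version in wanted.items():
            if name not in have:
                issues.append(f"{name}: missing from {lock_name}")
            elif have[name] is None:
                issues.append(f"{name}: unpinned in {lock_name}")
            elif version is not None and have[name] != version:
                issues.append(f"{name}: {lock_name} pins {have[name]}, "
                              f"{source_name} wants {version}")
        report[lock_name] = issues
    return report


# Constructed sample files for this example (not Zulip's real requirements).
COMMON_IN = """\
# direct dependencies shared by dev and prod
Django==1.11.13
ipython==6.0.0   # bumped from 5.3.0
pyyaml
"""

DEV_TXT = """\
-r common.txt
django==1.11.13
ipython==6.0.0
PyYAML==3.12
traitlets==4.3.2
typed-ast==1.1.0; python_version < "3.8"
"""

PROD_TXT = """\
django==1.11.13
ipython==5.4.1
PyYAML==3.12
"""

if __name__ == "__main__":
    for lock, issues in check_propagated(COMMON_IN, {"dev.txt": DEV_TXT,
                                                     "prod.txt": PROD_TXT}).items():
        print(lock, "ok" if not issues else issues)
```

Running it on the constructed files reports dev.txt as clean and flags prod.txt for still pinning ipython 5.4.1, which is the failure mode the "propagate it to dev.txt and prod.txt" step is meant to rule out before you bump `PROVISION_VERSION` and commit.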