chore(deps): update dependency wagtail to v5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
wagtail (changelog)	==2.12.5 -> ==5.2.6

GitHub Vulnerability Alerts

CVE-2023-28836

Impact

A stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft pages and documents that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites with ModelAdmin enabled.

• For page, the vulnerability is in the "Choose a parent page" ModelAdmin view (ChooseParentView), available when managing pages via ModelAdmin.
• For documents, the vulnerability is in the ModelAdmin Inspect view (InspectView) when displaying document fields.

Patches

Patched versions have been released as Wagtail 4.1.4 (for the LTS 4.1 branch) and Wagtail 4.2.2 (for the current 4.2 branch).

Workarounds

Site owners who are unable to upgrade to the new versions can disable or override the corresponding functionality.

ChooseParentView

For ChooseParentView:

• Disable ModelAdmin for all page models.
• Or provide a custom view via choose_parent_view_class, with the custom view overriding the get_form method.

One of those steps need to be applied for every ModelAdmin class hooked into Wagtail where the model is a Wagtail Page or sub-class. Here is an example of implementing the custom ChooseParentView with patched HTML escaping:

from django import forms
from django.utils.translation import gettext as _
from wagtail.contrib.modeladmin.views import ChooseParentView
from wagtail.contrib.modeladmin.forms import ParentChooserForm

class PatchedPageChoiceField(forms.ModelChoiceField):
    """PageChoiceField with plain-text breadcrumbs to patch stored XSS."""
    def label_from_instance(self, obj):
        bits = []
        for ancestor in (
            obj.get_ancestors(inclusive=True).exclude(depth=1).specific(defer=True)
        ):
            bits.append(ancestor.get_admin_display_title())
        return ' | '.join(bits)

class PatchedParentChooserForm(ParentChooserForm):
    """ParentChooserForm with custom parent_page to patch stored XSS."""
    parent_page = PatchedPageChoiceField(
        label=_("Parent page"),
        required=True,
        empty_label=None,
        queryset=Page.objects.none(),
        widget=forms.RadioSelect(),
    )

class PatchedChooseParentView(ChooseParentView):
    """ChooseParentView with custom get_form patch stored XSS."""
    def get_form(self, request):
        parents = self.permission_helper.get_valid_parent_pages(request.user)
        return PatchedParentChooserForm(parents, request.POST or None)

InspectView

For InspectView:

• Remove inspect_view_enabled=True or set it to False to disable the view.
• Or use inspect_view_fields or inspect_view_fields_exclude to prevent displaying document fields in the views.
• Or provide a custom view via inspect_view_class, with the custom view overriding the get_document_field_display method.

One of those steps need to be applied for every ModelAdmin class hooked into Wagtail where inspect_view_enabled=True. Here is an example of implementing the custom InspectView with patched HTML escaping:

from django.template.defaultfilters import filesizeformat
from django.utils.html import format_html
from wagtail.contrib.modeladmin.views import InspectView

class PatchedInspectView(InspectView):
    """InspectView with override to patch stored XSS vulnerability."""
    def get_document_field_display(self, field_name, field):
        """Render a link to a document"""
        document = getattr(self.instance, field_name)
        if document:
            return format_html(
                '<a href="{}">{} <span class="meta">({}, {})</span></a>',
                document.url,
                document.title,
                document.file_extension.upper(),
                filesizeformat(document.file.size),
            )
        return self.model_admin.get_empty_value_display(field_name)

CVE-2023-28837

Impact

A memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash or denial of service.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents.

Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code.

Patches

Patched versions have been released as Wagtail 4.1.4 (for the LTS 4.1 branch) and Wagtail 4.2.2 (for the current 4.2 branch).

Workarounds

Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files. Exactly how this is done will vary based on your hosting environment, but here are a few references for common setups:

• Nginx: client_max_body_size
• Apache: LimitRequestBody
• Cloudflare: Already imposes a limit of 100MB - 500MB depending on plan
• CloudFront: SizeConstraint
• Traefik: traefik.http.middlewares.limit.buffering.maxRequestBodyBytes

The changes themselves are deep inside Wagtail, making patching incredibly difficult.

CVE-2023-45809

Impact

A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Patches

Patched versions have been released as Wagtail 4.1.9 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release.

Workarounds

None.

Acknowledgements

Many thanks to @​quyenheu for reporting this issue.

For more information

If you have any questions or comments about this advisory:

• Visit Wagtail's support channels
• Email us at [email protected] (view our security policy for more information).

CVE-2024-39317

Impact

A bug in Wagtail's parse_query_string would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, parse_query_string would take an unexpectedly large amount of time to process, resulting in a denial of service.

In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses parse_query_string, it may be exploitable by other users (e.g. unauthenticated users).

Patches

Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.

This vulnerability affects all unpatched versions from Wagtail 2.0 onwards.

Workarounds

Site owners who are unable to upgrade to a patched version can limit the length of search terms passed to parse_query_string. Whilst the performance characteristics will depend on your hosting environment, 1000 characters has been shown to still be fairly fast, without triggering this vulnerability.

No workaround is available for the Wagtail admin usage.

Acknowledgements

Many thanks to Jake Howard for reporting this issue.

For more information

If you have any questions or comments about this advisory:

• Visit Wagtail's support channels
• Email us at [email protected] (view our security policy for more information).

---

Release Notes

wagtail/wagtail (wagtail)

v5.2.6: 5.2.6

Compare Source

• Fix: CVE-2024-39317: Regular expression denial-of-service via search query parsing (Jake Howard)
• Fix: Fix image preview when Willow optimizers are enabled (Alex Tomkins)
• Maintenance: Remove django-pattern-library upper bound in testing dependencies (Sage Abdullah)

v5.2.5: 5.2.5

Compare Source

• Fix: Respect WAGTAIL_ALLOW_UNICODE_SLUGS setting when auto-generating slugs (LB (Ben) Johnston)
• Fix: Use correct URL when redirecting back to page search results after an AJAX search (Sage Abdullah)
• Fix: Provide convert_mariadb_uuids management command to assist with upgrading to Django 5.0+ on MariaDB (Matt Westcott)

v5.2.4: 5.2.4

Compare Source

• Fix: Prevent TitleFieldPanel from raising an error when the slug field is missing or read-only (Rohit Sharma)
• Fix: Fix pagination links on model history and usage views (Matt Westcott)
• Fix: Fix crash when accessing workflow reports with a deleted snippet (Sage Abdullah)
• Fix: Prevent error on submitting an empty search in the admin under Elasticsearch (Maikel Martens)

v5.2.3: 5.2.3

Compare Source

• Fix: Prevent a ValueError with FormSubmissionsPanel on Django 5.0 when creating a new form page (Matt Westcott)
• Fix: Specify telepath 0.3.1 as the minimum supported version, for Django 5.0 compatibility (Matt Westcott)

v5.2.2: 5.2.2

Compare Source

• Added support for Django 5.0
• Fix: Use a visible border and background color to highlight active formatting in the rich text toolbar (Cassidy Pittman)
• Fix: Ensure image focal point box can be removed (Gunnar Scherf)
• Fix: Ensure that Snippets search results correctly use the index_results.html or index_results_template_name override on initial load (Stefan Hammer)
• Fix: Avoid error when attempting to moderate a page drafted by a now deleted user (Dan Braghis)
• Fix: Ensure workflow dashboard panels work when the page/snippet is missing (Sage Abdullah)
• Fix: Prevent custom controls from stacking on top of the comment button in Draftail toolbar (Ben Morse)
• Fix: Avoid error when exporting Aging Pages report where a page has an empty last_published_by_user (Chiemezuo Akujobi)

v5.2.1: 5.2.1

Compare Source

• Fix: Add a fallback background for the editing preview iframe for sites without a background (Ian Price)
• Fix: Remove search logging from project template so that new projects without the search promotions module will not error (Matt Westcott)
• Fix: Ensure text only email notifications for updated comments do not escape HTML characters (Rohit Sharma)
• Fix: Use logical OR operator to combine search fields for Django ORM in generic IndexView (Varun Kumar)
• Fix: Ensure that explorer_results views fill in the correct next_url parameter on action URLs (Matt Westcott)
• Fix: Fix crash when accessing the history view for a translatable snippet (Sage Abdullah)
• Fix: Prevent upload of SVG images from failing when image feature detection is enabled (Joshua Munn)
• Fix: Fix crash when using the locale switcher on the snippets create view (Sage Abdullah)
• Fix: Fix performance regression on reports from calling decorate_paginated_queryset before pagination / filtering (Alex Tomkins)
• Fix: Make searching on specific fields work correctly on Elasticsearch when boost is in use (Matt Westcott)
• Fix: Prevent snippet permission post-migrate hook from failing on multiple database configurations (Joe Tsoi)
• Fix: Reinstate ability to filter on page type when searching on an empty query (Sage Abdullah)
• Fix: Prevent error on locked pages report when a user has locked multiple pages (Matt Westcott)
• Docs: Fix code example for {% picture ... as ... %} template tag (Rezyapkin)

v5.2: 5.2 (LTS)

Compare Source

• Redesigned page listing view (Ben Enright, Matt Westcott, Thibaud Colas, Sage Abdullah)
• Support OpenSearch as an alternative to Elasticsearch (Matt Westcott)
• Add support for Python 3.12 (Matt Westcott)
• Add preview-aware and page-aware fragment caching template tags, wagtailcache & wagtailpagecache (Jake Howard)
• Always set help text element ID for form fields with help text in field.html template (Sage Abdullah)
• Move SnippetViewSet menu registration mechanism to base ViewSet class (Sage Abdullah)
• Enable reference index tracking for models registered with ModelViewSet (Sage Abdullah)
• When copying a page or creating an alias, copy its view restrictions to the destination (Sandeep Choudhary, Suyash Singh)
• Support pickling of StreamField values (pySilver)
• Move SnippetViewSet template override mechanism to ModelViewSet (Sage Abdullah)
• Move SnippetViewSet.list_display to ModelViewSet (Sage Abdullah)
• Remove wagtail.publish log action on aliases when they are created from live source pages or the source page is published (Dan Braghis)
• Remove wagtail.unpublish log action on aliases when source page is unpublished (Dan Braghis)
• Add compare buttons to workflow dashboard panel (Matt Westcott)
• Add the ability to use filters and to export listings in generic IndexView (Sage Abdullah)
• Move list_filter, filterset_class, search_fields, search_backend_name, list_export, export_filename, list_per_page, and ordering from SnippetViewSet to ModelViewSet (Sage Abdullah, Cynthia Kiser)
• Add default header titles to generic IndexView and CreateView (Sage Abdullah)
• Allow overriding IndexView.export_headings via ModelViewSet (Christer Jensen, Sage Abdullah)
• Support specifying a get_object_list method on ChooserViewSet (Matt Westcott)
• Add linked_fields mechanism on chooser widgets to allow choices to be limited by fields on the calling page (Matt Westcott)
• Add support for merging cells within TableBlock with the mergedCells option (Gareth Palmer)
• When adding a panel within InlinePanel, focus will now shift to that content similar to StreamField (Faishal Manzar)
• Show the full first published at date within a tooltip on the Page status sidebar on the relative date (Rohit Sharma)
• Extract generic breadcrumbs functionality from page breadcrumbs (Sage Abdullah)
• Add support for placement in the human_readable_date tooltip template tag (Rohit Sharma)
• Add breadcrumbs support to custom ModelViewSet views (Sage Abdullah)
• Support passing extra context variables via the {% component %} tag (Matt Westcott)
• Allow subclasses of PagesAPIViewSet override default Page model via the model attribute (Neeraj Yetheendran, Herbert Poul)
• Allow ModelViewSet to be used with models that have non-integer primary keys (Sage Abdullah)
• Add the ability to set an external link/text for promoted search result entries (TopDevPros, Brad Busenius)
• Add support for subject and body in the Email link chooser form (TopDevPros, Alexandre Joly)
• Extract generic HistoryView from snippets and add it to ModelViewSet (Sage Abdullah)
• Add generic UsageView to ModelViewSet (Sage Abdullah)
• Add the ability to define listing buttons on generic IndexView (Sage Abdullah)
• Add a visual progress bar to the output of the wagtail_update_image_renditions management command (Faishal Manzar)
• Increase the read buffer size to improve efficiency and performance when generating file hashes for document or image uploads, use hashlib.file_digest if available (Python 3.11+) (Jake Howard)
• API ordering now supports multiple fields (Rohit Sharma, Jake Howard)
• Pass block value to Block.get_template to allow varying template based on value (Florian Delizy)
• Add InlinePanel DOM events for when ready and when items added or removed (Faishal Manzar)
• Add a new picture template tag for Django Templates and Jinja (Thibaud Colas)
• Add a new srcset_image template tag for Django Templates and Jinja (Thibaud Colas)
• Support Filter instances as input for AbstractImage.get_renditions() (Thibaud Colas)
• Improve error messages for image template tags (Thibaud Colas)
• Do not render minimap if there are no panel anchors (Sage Abdullah)
• Use dropdown buttons on listings in dashboard panels (Sage Abdullah)
• Implement breadcrumbs design refinements (Thibaud Colas)
• Support extending Wagtail client-side with Stimulus (LB (Ben) Johnston)
• Update all FieldPanel('title') examples to use the recommended TitleFieldPanel('title') panel (Chinedu Ihedioha)
• The purge_revisions management command now respects revisions that have a on_delete=PROTECT foreign key relation and won't delete them (Neeraj P Yetheendran, Meghana Reddy, Sage Abdullah, Storm Heg)
• Add support for Shift + Click behaviour in form submissions and simple translations submissions (LB (Ben) Johnston)
• Improve filtering of audit logging based on the user's permissions (Stefan Hammer)
• Fix: Ensure that StreamField's FieldBlocks correctly set the required and aria-describedby attributes (Storm Heg)
• Fix: Avoid an error when the moderation panel (admin dashboard) contains both snippets and private pages (Matt Westcott)
• Fix: When deleting collections, ensure the collection name is correctly shown in the success message (LB (Ben) Johnston)
• Fix: Filter out comments on Page editing counts that do not correspond to a valid field / block path on the page such as when a field has been removed (Matt Westcott)
• Fix: Allow PublishMenuItem to more easily support overriding its label via construct_page_action_menu (Sébastien Corbin)
• Fix: Allow locale selection when creating a page at the root level (Sage Abdullah)
• Fix: Ensure the admin login template correctly displays all non_fields_errors for any custom form validation (Sébastien Corbin)
• Fix: Ensure 'mark as active' label in workflow bulk action set active form can be translated (Rohit Sharma)
• Fix: Ensure the panel title for a user's settings correctly reflects the WAGTAIL_EMAIL_MANAGEMENT_ENABLED setting by not showing 'email' if disabled (Omkar Jadhav)
• Fix: Update Spotify oEmbed provider URL parsing to resolve correctly (Dhrűv)
• Fix: Update link colours within help blocks to meet accessible contrast requirements (Rohit Sharma)
• Fix: Ensure the search promotions popular search terms picker correctly refers to the correct model (LB (Ben) Johnston)
• Fix: Correctly quote non-numeric primary keys on snippet inspect view (Sage Abdullah)
• Fix: Prevent crash on snippet inspect view when displaying a null foreign key to an image (Sage Abdullah)
• Fix: Ensure that pages in moderation show as "Live + In Moderation" in the page explorer rather than "Live + Draft" (Sage Abdullah)
• Fix: Prevent error when updating reference index for objects with a lazy ParentalKey-related object (Chris Shaw)
• Fix: Ignore conflicts when inserting reference index entries to prevent race conditions causing uniqueness errors (Chris Shaw)
• Fix: Populate the correct return value when creating a new snippet within the snippet chooser (claudobahn)
• Fix: Reinstate missing filter by page type on page search (Matt Westcott)
• Fix: Ensure very long words can wrap when viewing saved comments (Chiemezuo Akujobi)
• Fix: Avoid forgotten password link text conflicting with the supplied aria-label (Thibaud Colas)
• Fix: Fix log message to record the correct restriction type when removing a page view restriction (Rohit Sharma, Hazh. M. Adam)
• Fix: Avoid potential race condition with new Page subscriptions on the edit view (Alex Tomkins)
• Fix: Use the correct action log when creating a redirect (Thibaud Colas)
• Fix: Ensure that all password fields consistently allow leading & trailing whitespace (Neeraj P Yetheendran)
• Docs: Expand documentation on using ViewSet and ModelViewSet (Sage Abdullah)
• Docs: Document WAGTAILADMIN_BASE_URL on "Integrating Wagtail into a Django project" page (Shreshth Srivastava)
• Docs: Replace incorrect screenshot for authors listing on tutorial (Shreshth Srivastava)
• Docs: Add documentation for building non-model-based choosers using the queryish library (Matt Westcott)
• Docs: Fix incorrect tag library import on focal points example (Hatim Makki Hoho)
• Docs: Add reminder about including your custom Draftail feature in any overridden WAGTAILADMIN_RICH_TEXT_EDITORS setting (Charlie Sue)
• Docs: Mention the need to install python3-venv on Ubuntu (Brian Mugo)
• Docs: Document the use of the Google developer documentation style guide in documentation (Damilola Oladele)
• Docs: Fix Inconsistent URL Format in Getting Started tutorial (Olumide Micheal)
• Maintenance: Fix snippet search test to work on non-fallback database backends (Matt Westcott)
• Maintenance: Update Eslint, Prettier, Jest, a11y-dialog, axe-core and js-cookie npm packages (LB (Ben) Johnston)
• Maintenance: Add npm scripts for TypeScript checks and formatting SCSS files (LB (Ben) Johnston)
• Maintenance: Run tests in parallel in some of the CI setup (Sage Abdullah)
• Maintenance: Remove unused WorkflowStatus view, urlpattern, and workflow-status.js (Storm Heg)
• Maintenance: Add support for options/attrs in Telepath widgets so that attrs render on the created DOM (Storm Heg)
• Maintenance: Update pre-commit hooks to be in sync with latest changes to Eslint & Prettier for client-side changes (Storm Heg)
• Maintenance: Add WagtailTestUtils.get_soup() method for testing HTML content (Storm Heg, Sage Abdullah)
• Maintenance: Allow ViewSet subclasses to customise url_prefix and url_namespace logic (Matt Westcott)
• Maintenance: Simplify SnippetViewSet registration code (Sage Abdullah)
• Maintenance: Rename groups IndexView.results_template_name to results.html (Sage Abdullah)
• Maintenance: Migrate form submission listing checkbox toggling to the shared w-bulk Stimulus implementation (LB (Ben) Johnston)
• Maintenance: Allow viewsets to define a common set of view kwargs (Matt Westcott)
• Maintenance: Migrate the editor unsaved messages popup to be driven by Stimulus using the shared w-message controller (LB (Ben) Johnston, Hussain Saherwala)
• Maintenance: Do not use jest inside stubs.js to prevent Storybook from crashing (LB (Ben) Johnston)
• Maintenance: Refactor snippets templates to reuse the shared slim_header.html template (Sage Abdullah)
• Maintenance: Refactor slim_header.html template to reduce code duplication (Sage Abdullah)
• Maintenance: Upgrade Willow to v1.6.2 to support MIME type data without reliance on imghdr (Jake Howard)
• Maintenance: Replace imghdr with Willow's built-in MIME type detection (Jake Howard)
• Maintenance: Migrate all other data-tippy HTML attribute usage to the Stimulus data-*-value attributes for w-tooltip & w-dropdown (Subhajit Ghosh, LB (Ben) Johnston)
• Maintenance: Replace @total_ordering usage with comparison functions implementation (Virag Jain)
• Maintenance: Replace <script type="text/django-form-template"><-/script> template approach with HTML template elements in InlinePanel and expanding formset (Mansi Gundre, Subhajit Ghosh, LB (Ben) Johnston)
• Maintenance: Refactor side panels code for better reuse in pages and snippets (Sage Abdullah)
• Maintenance: Deprecate legacy URL redirects in ModelViewSet and SnippetViewSet (Sage Abdullah)
• Maintenance: Simplify code for registering page listing action buttons (Matt Westcott)
• Maintenance: Removed the unused, legacy, Wagtail userbar views set up for an old iframe approach (Sage Abdullah)
• Maintenance: Optimise lru_cache usage (Jake Howard)
• Maintenance: Implement date_since in get_most_popular inside search_promotions.models.Query (TopDevPros)
• Maintenance: Refactor generic view subclasses to better reuse the generic templates and breadcrumbs (Sage Abdullah)
• Maintenance: Adopt consistent classname (not classnames) attributes for all MenuItem usage, including deprecation warnings (LB (Ben) Johnston)
• Maintenance: Adopt consistent classname (not classnames) attribute within the wagtail.images.formats.Format instance, including deprecation warnings (LB (Ben) Johnston)
• Maintenance: Deprecate context argument of construct_snippet_listing_buttons hook (Sage Abdullah)
• Maintenance: Deprecate legacy moderation system (Sage Abdullah)
• Maintenance: Update CI database versions (Jake Howard)
• Maintenance: Add changelog and issue tracker links to the PyPI project page (Panagiotis H.M. Issaris)
• Maintenance: Add better deprecation warnings to the search.Query & search.QueryDailyHits model, move final set of templates from the admin search module to the search promotions contrib module (LB (Ben) Johnston)
• Maintenance: Add generic InspectView to ModelViewSet (Sage Abdullah)
• Maintenance: Migrate select all on focus/click behavior to Stimulus, used on the image URL generator (Chiemezuo Akujobi)
• Maintenance: Add support for a reset method to support Stimulus driven dynamic field resets via the w-action controller (Chiemezuo Akujobi)
• Maintenance: Add support for a notify target on the Stimulus dialog for dispatching events internally (Chiemezuo Akujobi)
• Maintenance: Migrate publishing schedule dialog field resets to Stimulus (Chiemezuo Akujobi)

v5.1.3: 5.1.3

Compare Source

• Fix: CVE-2023-45809: Disclosure of user names via admin bulk action views (Matt Westcott)
• Fix: Fix SnippetBulkAction not respecting models definition (Sandro Rodrigues)
• Fix: Correctly quote non-numeric primary keys on snippet inspect view (Sage Abdullah)
• Fix: Prevent crash on snippet inspect view when displaying a null foreign key to an image (Sage Abdullah)
• Fix: Populate the correct return value when creating a new snippet within the snippet chooser (claudobahn)
• Fix: Reinstate missing filter by page type on page search (Matt Westcott)
• Fix: Use the correct action log when creating a redirect (Thibaud Colas)

v5.1.2: 5.1.2

Compare Source

• Fix: Avoid use of ignore_conflicts when creating extra permissions for snippets, for SQL Server compatibility (Sage Abdullah)
• Fix: Ensure sequence on wagtailsearchpromotions_query table is correctly set after migrating data (Jake Howard)
• Fix: Change spreadsheet export headings to match listing view column headings (Christer Jensen, Sage Abdullah)
• Fix: Fix numbers, booleans, and None from being exported as strings (Christer Jensen)
• Fix: Restore fallback on full-word search for snippet choosers and generic index views (Matt Westcott)
• Fix: Restore compatibility with pre-7.15 versions of the Elasticsearch Python library, allowing use of Opensearch (Matt Westcott)
• Fix: Fix error when pickling BaseSiteSetting instances (Matt Westcott)
• Maintenance: For Python 3.13 support - upgrade Willow to v1.6.2, replace imghdr with Willow's built-in MIME type detection (Jake Howard)

v5.1.1: 5.1.1

Compare Source

• Introduce wagtail.admin.ui.tables.BooleanColumn to display boolean values as icons (Sage Abdullah)
• Fix: Show not-None falsy values instead of blank in generic table cell template (Sage Abdullah)
• Fix: Fix read_only panels for fields with translatable choice labels (Florent Lebreton)

v5.1: 5.1

Compare Source

• Add support for read-only FieldPanels (Andy Babic)
• Add support for query-time boosting to Elasticsearch 6 and above (Shohan Dutta Roy)
• Add support for Elasticsearch 8 (Matt Westcott, Wesley van Lee)
• Mark calls to md5 as not being used for secure purposes, to avoid flagging on FIPS-mode systems (Sean Kelly)
• Return filters from parse_query_string as a QueryDict to support multiple values (Aman Pandey)
• Explicitly specify MenuItem.name for all admin menu and submenu items (Justin Koestinger)
• Add oEmbed provider patterns for YouTube Shorts and YouTube Live URLs (valnuro, Fabien Le Frapper)
• Add initial implementation of PagePermissionPolicy (Sage Abdullah)
• Refactor UserPagePermissionsProxy and PagePermissionTester to use PagePermissionPolicy (Sage Abdullah, Tidiane Dia)
• Add a predictable default ordering of the "Object/Other permissions" in the Group Editing view, allow this ordering to be customised (Daniel Kirkham)
• Add AbstractImage.get_renditions() for efficient generation of multiple renditions (Andy Babic)
• Optimise queries in collection permission policies using cache on the user object (Sage Abdullah)
• Phone numbers entered via a link chooser will now have any spaces stripped out, ensuring a valid href="tel:..." attribute (Sahil Jangra)
• Auto-select the StreamField block when only one block type is declared (Sébastien Corbin)
• Add support for more advanced Draftail customisation APIs (Thibaud Colas)
• Add the ability to export snippets listing via SnippetViewSet.list_export (Sage Abdullah)
• Add support for adding HTML attrs on FieldPanel, FieldRowPanel, MultiFieldPanel, and others (Aman Pandey, Antoni Martyniuk, LB (Ben) Johnston)
• Add support for --template option to wagtail start (Thibaud Colas)
• Change to always cache renditions (Jake Howard)
• Update link/document rich text tooltips for consistency with the inline toolbar (Albina Starykova)
• Increase the contrast between the rich text / StreamField block picker and the page in dark mode (Albina Starykova)
• Purge revisions of non-page models in purge_revisions command (Sage Abdullah)
• Add support for AVIF images (Aman Pandey)
• Change the default WebP quality to 80 to match AVIF (Aman Pandey)
• Adopt optimised Wagtail logo in the admin interface (Albina Starykova)
• Add support for presenting the userbar (Wagtail button) in dark mode (Albina Starykova)
• Add Inspect view to snippets (Sage Abdullah)
• Fix: Prevent choosers from failing when initial value is an unrecognised ID, e.g. when moving a page from a location where parent_page_types would disallow it (Dan Braghis)
• Fix: Move comment notifications toggle to the comments side panel (Sage Abdullah)
• Fix: Remove comment button on InlinePanel fields (Sage Abdullah)
• Fix: Fix missing link to UsageView from EditView for snippets (Christer Jensen)
• Fix: Prevent lowercase conversions of IndexView column headers (Virag Jain)
• Fix: Ensure that RichText objects with the same values compare as equal (NikilTn)
• Fix: Use gettext_lazy on generic model views so that language settings are correctly used (Matt Westcott)
• Fix: Prevent JS error when reverting the spinner on a submit button after a validation error (LB (Ben) Johnston)
• Fix: Prevent crash when comparing page revisions that include MultipleChooserPanel (Matt Westcott)
• Fix: Ensure that title and slug continue syncing after entering non-URL-safe characters (LB (Ben) Johnston)
• Fix: Ensure that title and slug are synced on keypress, not just on blur (LB (Ben) Johnston)
• Fix: Add a more visible active state for side panel toggle buttons (Thibaud Colas)
• Fix: Debounce and optimise live preview panel to prevent excessive requests (Sage Abdullah)
• Fix: Use constant-time comparison for image serve URL signatures (Jake Howard)
• Fix: Ensure taggit field type-ahead options show correctly in the dark mode theme (Sage Abdullah)
• Fix: Fix the lock description message missing the model_name variable when locked only by system (Sébastien Corbin)
• Fix: Fix empty blocks created in migration operations (Sandil Ranasinghe)
• Fix: Ensure that gettext_lazy works correctly when using verbose_name on a generic Settings models (Sébastien Corbin)
• Fix: Remove unnecessary usage of innerHTML when modifying DOM content (LB (Ben) Johnston)
• Fix: Avoid ValueError when extending PagesAPIViewSet and setting meta_fields to an empty list (Henry Harutyunyan, Alex Morega)
• Fix: Improve accessibility for header search, remove autofocus on page load, advise screen readers that content has changed when results update (LB (Ben) Johnston)
• Fix: Fix incorrect override of PagePermissionHelper.user_can_unpublish_obj() in ModelAdmin (Sébastien Corbin)
• Fix: Prevent memory exhaustion when updating a large number of image renditions (Jake Howard)
• Fix: Add missing Time Zone conversions and date formatting throughout the admin (Stefan Hammer)
• Fix: Ensure that audit logs and revisions consistently use UTC and add migration for existing entries (Stefan Hammer)
• Fix: Make sure "critical" buttons have enough colour contrast in dark mode (Albina Starykova)
• Fix: Improve visibility of scheduled publishing errors in status side panel (Sage Abdullah)
• Fix: Prevent 'choose' permission from being ignored when looking up 'choose', 'edit' and 'delete' permissions in combination (Sage Abdullah)
• Fix: Take user's permissions into account for image / document counts on the admin dashboard (Sage Abdullah)
• Fix: Avoid N+1 queries in users index view (Tidiane Dia)
• Fix: Use a theme-agnostic color token for read-only panels support in dark mode (Thibaud Colas)
• Fix: Ensure collapsible StreamBlocks expand as necessary to show validation errors (Storm Heg)
• Fix: Ensure userbar dialog can sit above other website content (LB (Ben) Johnston)
• Fix: Fix preview panel loading issues (Sage Abdullah)
• Fix: Fix search_promotions 0004_copy_queries migration for long-lived Wagtail instances (Sage Abdullah)
• Fix: Guard against TypeError in 0088_fix_log_entry_json_timestamps migration (Sage Abdullah)
• Fix: Add migration to replace JSON null values with empty objects in log entries' data (Sage Abdullah)
• Fix: Typo in the page_header_buttons template tag when accessing the context's request object (Robert Rollins)
• Docs: Document how to add non-ModelAdmin views to a ModelAdminGroup (Onno Timmerman)
• Docs: Document how to add StructBlock data to a StreamField (Ramon Wenger)
• Docs: Update ReadTheDocs settings to v2 to resolve urllib3 issue in linkcheck extension (Thibaud Colas)
• Docs: Update documentation for log_action parameter on RevisionMixin.save_revision (Christer Jensen)
• Docs: Reorganise snippets documentation to cover customisations and optional features (Sage Abdullah)
• Docs: Update color customisations guidance to include theme-agnostic options (Thibaud Colas)
• Docs: Mark LTS releases in release note page titles (Thiago C. S. Tioma)
• Docs: Revise main Getting started tutorial for clarity (Kevin Chung (kev-odin))
• Docs: Revamp the start of the getting started section, with separate quick install page (Damilola Oladele)
• Docs: Move the tutorial’s snippets section to come before tags (Damilola Oladele)
• Docs: Rewrite the getting started tutorial to address identified friction points (Damilola Oladele)
• Docs: Switch the Getting started tutorial’s snippets example to be more understandable (Damilola Oladele)
• Docs: Update the deployment documentation page and remove outdated information (Jake Howard)
• Docs: Add more items to performance page regarding pre-fetching images and frontend caching (Jake Howard)
• Docs: Add docs for managing stored queries in searchpromotions (Scott Foster)
• Docs: Add docs for migrating from ModelAdmin to Snippets (Sage Abdullah)
• Maintenance: Removed support for Python 3.7 (Dan Braghis)
• Maintenance: Switch to ruff for flake8 / isort code checking (Oliver Parker)
• Maintenance: Deprecate insert_editor_css in favour of insert_global_admin_css (Ester Beltrami)
• Maintenance: Optimise use of specific on Task and TaskState (Matt Westcott)
• Maintenance: Use table UI component for workflow task index view (Matt Westcott)
• Maintenance: Make header search available on generic index view (Matt Westcott)
• Maintenance: Update pagination behaviour to reject out-of-range / invalid page numbers (Matt Westcott)
• Maintenance: Remove color tokens which are duplicates / unused (Thibaud Colas)
• Maintenance: Add tests to help with maintenance of theme color tokens (Thibaud Colas)
• Maintenance: Split out a base listing view from generic index view (Matt Westcott)
• Maintenance: Update type hints in admin/ui/components.py so that parent_context is mutable (Andreas Nüßlein)
• Maintenance: Deprecate UserPagePermissionsProxy (Sage Abdullah)
• Maintenance: Optimise the Settings context processor to avoid redundantly finding a Site to improve cache ratios (Jake Howard)
• Maintenance: Convert page listing to a class-based view (Matt Westcott)
• Maintenance: Clean up page reports and type usage views to be independent of page listing views (Matt Westcott)
• Maintenance: Migrate Tagit initialisation to a Stimulus Controller (LB (Ben) Johnston)
• Maintenance: Refactor GroupPagePermission to use Django's Permission model (Sage Abdullah)
• Maintenance: Convert the CONTRIBUTORS file to Markdown (Dan Braghis)
• Maintenance: Move django-filter version upper bound to v24 (Yuekui)
• Maintenance: Update Pillow dependency to allow 10.x, only include support for >= 9.1.0 (Yuekui)
• Maintenance: Migrate async header search and search within the Task chooser modal to w-swap, a Stimulus controller (LB (Ben) Johnston)
• Maintenance: Replace Bootstrap tooltips with a new w-tooltip Stimulus controller (LB (Ben) Johnston)
• Maintenance: Replace ModelAdmin history header human readable date template tag (LB (Ben) Johnston)
• Maintenance: Update uuid to v9 and Jest to v29, with jest-environment-jsdom and new snapshot format (LB (Ben) Johnston)
• Maintenance: Update test cases producing undesirable console output due to missing mocks, uncaught errors, warnings (LB (Ben) Johnston)
• Maintenance: Remove unused snippets _header_with_history.html template (Thibaud Colas)
• Maintenance: Migrate dialog instantiation to a new w-dialog Stimulus controller (Loveth Omokaro, LB (Ben) Johnston)
• Maintenance: Support dialog template cloning using a new w-teleport Stimulus controller (Loveth Omokaro, LB (Ben) Johnston)
• Maintenance: Migrate away from using the "wagtailadmin/shared/field_as_li.html" template include (Storm Heg)
• Maintenance: Deprecate wagtail.contrib.modeladmin (Sage Abdullah)
• Maintenance: Upgrade documentation theme sphinx_wagtail_theme to v6.1.1 which includes multiple styling fixes and always visible code copy buttons (LB (Ben) Johnston)
• Maintenance: Don't update the reference index while deleting it (Andy Chosak)

v5.0.5: 5.0.5

Compare Source

• Fix: CVE-2023-45809: Disclosure of user names via admin bulk action views (Matt Westcott)

v5.0.4: 5.0.4

Compare Source

• Maintenance: Relax Willow / Pillow dependency to allow use of current Pillow versions with security fixes (Dan Braghis)

v5.0.3: 5.0.3

Compare Source

• Fix: Avoid use of ignore_conflicts when creating extra permissions for snippets, for SQL Server compatibility (Sage Abdullah)
• Fix: Ensure sequence on wagtailsearchpromotions_query table is correctly set after migrating data (Jake Howard)
• Fix: Update Pillow dependency to 9.1.0 (Daniel Kirkham)

v5.0.2: 5.0.2

Compare Source

• Added TitleFieldPanel to support title / slug field synchronisation (LB (Ben) Johnston)
• Fix: Prevent JS error when reverting the spinner on a submit button after a validation error (LB (Ben) Johnston)
• Fix: Prevent crash when comparing page revisions that include MultipleChooserPanel (Matt Westcott)
• Fix: Ensure that title and slug continue syncing after entering non-URL-safe characters (LB (Ben) Johnston)
• Fix: Ensure that title and slug are synced on keypress, not just on blur (LB (Ben) Johnston)
• Fix: Add a more visible active state for side panel toggle buttons (Thibaud Colas)
• Fix: Use custom dark theme colors for revision comparisons (Thibaud Colas)

v5.0.1: 5.0.1

Compare Source

• Fix: Rectify previous fix for TableBlock becoming uneditable after save (Sage Abdullah)
• Fix: Ensure that copying page correctly picks up the latest revision (Matt Westcott)
• Fix: Ensure comment buttons always respect WAGTAILADMIN_COMMENTS_ENABLED (Thibaud Colas)
• Fix: Fix error when deleting a single snippet through the bulk actions interface (Sage Abdullah)
• Fix: Pass the correct for_update value for get_form_class in SnippetViewSet edit views (Sage Abdullah)
• Fix: Move comment notifications toggle to the comments side panel (Sage Abdullah)
• Fix: Remove comment button on InlinePanel fields (Sage Abdullah)
• Fix: Fix missing link to UsageView from EditView for snippets (Christer Jensen)
• Fix: Prevent lowercase conversions of IndexView column headers (Virag Jain)
• Fix: Fix various colour issues in dark mode (Thibaud Colas)
• Docs: Update documentation for log_action parameter on RevisionMixin.save_revision (Christer Jensen)

v5.0: 5.0

Compare Source

• Added support for Django 4.2
• Object usage information on deleting objects (Sage Abdullah)
• Support for SVG images (Joshua Munn, with sponsorship from YouGov)
• Custom validation support for StreamField (Matt Westcott)
• Add WAGTAILIMAGES_EXTENSIONS setting to restrict image uploads to specific file types (Aman Pandey, Ananjan-R)
• Update user list column level to Access level to be easier to understand (Vallabh Tiwari)
• Migrate .button-longrunning behaviour to a Stimulus controller with support for custom label element & duration (Loveth Omokaro)
• Implement new simplified userbar designs (Albina Starykova)
• Add more Axe rules to the accessibility checker (Albina Starykova)
• Sort accessibility checker results by position on the page (Albina Starykova)
• Highlight elements with errors in accessibility checker (Albina Starykova)
• Add usage view for pages (Sage Abdullah)
• Copy page form now updates the slug field dynamically with a slugified value on blur (Loveth Omokaro)
• Ensure selected collection is kept when navigating from documents or images listings to add multiple views & upon upload (Aman Pandey, Bojan Mihelac)
• Keep applied filters when downloading form submissions (Suyash Srivastava)
• Messages added dynamically via JavaScript now have an icon to be consistent with those supplied in the page's HTML (Aman Pandey)
• Switch lock/unlock side panel toggle to a switch, with more appropriate confirmation message status (Sage Abdullah)
• Ensure that changed or cleared selection from choosers will dispatch a DOM change event (George Sakkis)
• Add the ability to disable model indexing by setting search_fields = [] (Daniel Kirkham)
• Enhance wagtail.search.utils.parse_query_string to allow inner single quotes for key/value parsing (Aman Pandey)
• Add helpful properties to Locale for more convenient usage within templates (Andy Babic)
• Allow customising icons for snippets via SnippetViewSet.icon (Daniel Kirkham, Sage Abdullah)
• Allow customising the base URL and URL namespace for snippet views (Sage Abdullah)
• Allow customising the default ordering and number of items per page for snippet listing views (Sage Abdullah)
• Re-label "StreamField blocks" option in block picker to "Blocks" (Thibaud Colas)
• Re-implement styleguide icons list as an auto-generated sequence of tables (Thibaud Colas)
• Switch styleguide navigation to use panel components and minimap (Thibaud Colas)
• Explicitly specify MenuItem.name for Snippets, Reports, and Settings menu items (Sage Abdullah)
• Move the help text of fields and blocks directly below their label for easier reading (Thibaud Colas)
• Allow filters on snippet and generic index views to be customised through the list_filter attribute (Sage Abdullah)
• The select all checkbox in simple translation's submit translation page will now be in sync with other checkbox changes (Hanoon)
• Update Wagtail’s default icon set to Font Awesome 6 (Thibaud Colas)
• Allow admin templates for snippets to be overridden on a per-model or per-app basis (Sage Abdullah)
• Allow overriding the base queryset to be used in snippet IndexView (Sage Abdullah)
• Revise alignment and spacing of form fields and sections (Thibaud Colas)
• Update Wagtail’s type scale so StreamField block labels and field labels are the same size (Thibaud Colas)
• Allow customising the search_fields and search backend via SnippetViewSet (Sage Abdullah)
• Style comments as per page editor design, in side panel (Karl Hobley, Thibaud Colas)
• Add support for custom panel icons, with defaults, displayed for top-level editor panels (Sage Abdullah)
• Add new icons for StreamField blocks (Sage Abdullah)
• Reveal the minimap on click rather than hover, keeping it expanded until dismissed, with state saved between page loads (Thibaud Colas)
• Expand a collapsed form section when navigating to it with the minimap (Thibaud Colas)
• The minimap and "Collapse all" button now appear next to side panels rather than underneath, so they can be used at any time (Thibaud Colas)
• Allow panels / edit_handler to be specified via SnippetViewSet (Sage Abdullah)
• Introduce dark mode support for the Wagtail admin interface, with a toggle in account preferences (Thibaud Colas)
• Allow snippets to be registered into arbitrary admin menu items (Sage Abdullah)
• Add configuration APIs in user bar accessibility checker for simpler customisation of the checks performed
• ReferenceIndex modified to only index Wagtail-related models, and allow other models to be explicitly registered (Daniel Kirkham)
• Fix: Ensure label_format on StructBlock gracefully handles missing variables (Aadi jindal)
• Fix: Adopt a no-JavaScript and more accessible solution for the 'Reset to default' switch to Gravatar when editing user profile (Loveth Omokaro)
• Fix: Ensure Site.get_site_root_paths works on cache backends that do not preserve Python objects (Jaap Roes)
• Fix: Ignore right clicks on side panel resizer (Sage Abdullah)
• Fix: Resize in the correct direction for RTL languages with the side panel resizer (Sage Abdullah)
• Fix: Support creating StructValue copies (Tidiane Dia)
• Fix: Fix image uploads on storage backends that require file pointer to be at the start of the file (Matt Westcott)
• Fix: Fix "Edit this page" missing from userbar (Satvik Vashisht)
• Fix: No longer allow invalid duplicate site hostname creation as hostnames and domain names are a case insensitive (Coen van der Kamp)
• Fix: Image and Document multiple upload update forms now correctly use the progress button (longrunning) behaviour when clicked (Loveth Omokaro)
• Fix: Prevent audit log report from failing on missing models (Andy Chosak)
• Fix: Ensure that the privacy collection privacy edit button is styled as a button (Jatin Kumar)
• Fix: Fix page/snippet cannot proceed a GroupApprovalTask if it's locked by someone outside of the group (Sage Abdullah)
• Fix: Allow manual lock even if WorkflowLock is currently applied (Sage Abdullah)
• Fix: Add missing log information for wagtail.schedule.cancel (Stefan Hammer)
• Fix: Fix timezone activation leaking into subsequent requests in require_admin_access() (Stefan Hammer)
• Fix: Fix dialog component's message to have rounded corners at the top side (Sam)
• Fix: When multiple documents are uploaded and then subsequently updated, ensure that existing success messages are cleared correctly (Aman Pandey)
• Fix: Prevent matches from unrelated models from leaking into SQLite FTS searches (Matt Westcott)
• Fix: Prevent duplicate addition of StreamField blocks with the new block picker (Deepam Priyadarshi)
• Fix: Enable partial search on images and documents index view where available (Mng)
• Fix: Adopt a no-JavaScript and more accessible solution for option selection in reporting, using HTML only radio input fields (Mehul Aggarwal)
• Fix: Ensure that document search results count shows the correct all matches, not the paginate total (Andy Chosak)
• Fix: Fix radio and checkbox elements shrinking when using a long label (Sage Abdullah)
• Fix: Fix select elements expanding beyond their container when using a long option label (Sage Abdullah)
• Fix: Fix timezone handling of TemplateResponses for users with a custom timezone (Stefan Hammer, Sage Abdullah)
• Fix: Ensure TableBlock initialisation correctly runs after load and its width is aligned with the parent panel (Dan Braghis)
• Fix: Ensure that the JavaScript media files are loaded by default in Snippet index listings for date fields (Sage Abdullah)
• Fix: Fix server-side caching of the icons sprite (Thibaud Colas)
• Fix: Avoid showing scrollbars in the block picker unless necessary (Babitha Kumari)
• Fix: Always show Add buttons, guide lines, Move up/down, Duplicate, Delete; in StreamField and Inline Panel (Thibaud Colas)
• Fix: Make admin JS i18n endpoint accessible to non-authenticated users (Matt Westcott)
• Fix: Fix incorrect API serialisation for document download_url when WAGTAILDOCS_SERVE_METHOD is direct (Swojak-A)
• Fix: Fix template configuration of snippets index results view (fidoriel, Sage Abdullah)
• Fix: Prevent long preview mode names from making the select element overflow the side panel (Sage Abdullah)
• Fix: Autosize text area field will now correctly resize when switching between comments toggle states (Suyash Srivastava)
• Fix: When i18n is not enabled, avoid making a Locale query on every page view (Dan Braghis)
• Fix: Fix initialisation of commenting widgets within StreamField (Thibaud Colas)
• Fix: Fix various regressions in the commenting UI (Thibaud Colas)
• Fix: Prevent TableBlock from becoming uneditable after save (Sage Abdullah)
• Fix: Correctly show the "new item" badge within menu sections previously dismissed (Sage Abdullah)
• Fix: Fix side panel stuck in resize state when pointer is released outside the grip (Sage Abdullah)
• Docs: Add code block to make it easier to understand contribution docs (Suyash Singh)
• Docs: Add new "Icons" page for icons customisation and reuse across the admin interface (Coen van der Kamp, Thibaud Colas)
• Docs: Fix broken formatting for MultiFieldPanel / FieldRowPanel permission kwarg docs (Matt Westcott)
• Docs: Add helpful troubleshooting links and refine wording for getting started with development (Loveth Omokaro)
• Docs: Ensure search autocomplete overlay on mobile does not overflow the viewport (Ayman Makroo)
• Docs: Improve documentation for InlinePanel (Vallabh Tiwari)
• Docs: Add contributor guidelines for building Stimulus Controllers (Thibaud Colas, Loveth Omokaro, LB (Ben) Johnston)
• Docs: Fix typo in "Extending Draftail" documentation (Hans Kelson)
• Docs: Clarify ClusterableModel requirements for using relations with RevisionMixin-enabled models (Sage Abdullah)
• Docs: Add guide to making your first contribution (LB (Ben) Johnston)
• Maintenance: Removed features deprecated in Wagtail 3.0 and 4.0 (Matt Westcott)
• Maintenance: Update djhtml (html formatting) library to v 1.5.2 (Loveth Omokaro)
• Maintenance: Re-enable strictPropertyInitialization in tsconfig (Thibaud Colas)
• Maintenance: Refactor accessibility checker userbar item (Albina Starykova)
• Maintenance: Removed unused Page.get_static_site_paths method (Yosr Karoui)
• Maintenance: Provisional Django 5.0 compatibility fixes (Sage Abdullah)
• Maintenance: Add unit tests for CollapseAll and MinimapItem components (Albina Starykova)
• Maintenance: Code quality fixes (GLEF1X)
• Maintenance: Refactor image / document / snippet usage views into a shared generic view (Sage Abdullah)
• Maintenance: Rename the Stimulus AutoFieldController to the less confusing SubmitController (Loveth Omokaro)
• Maintenance: Replace script tags with template tag for image/document bulk uploads (Rishabh Kumar Bahukhandi)
• Maintenance: Remove unneeded float styles on 404 page (Fabien Le Frapper)
• Maintenance: Convert userbar implementation to TypeScript (Albina Starykova)
• Maintenance: Migrate slug field behaviour to a Stimulus controller and create new SlugInput widget (Loveth Omokaro)
• Maintenance: Refactor status HTML usage to shared template tag (Aman Pandey, LB (Ben) Johnston, Himanshu Garg)
• Maintenance: Add curlylint and update djhtml, semgrep versions in pre-commit config (Himanshu Garg)
• Maintenance: Use shared header template for ModelAdmin and Snippets type index header (Aman Pandey)
• Maintenance: Move models and forms for wagtailsearch.Query to `wagtail.contrib.search_promotion

---

Configuration

📅 Schedule: Branch creation - "" in timezone US/Eastern, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.