Django News Newsletter

June 5, 2026

Issue 340: Django security releases 6.0.6 and 5.2.15

News

Django security releases issued: 6.0.6 and 5.2.15

Five CVEs are fixed in this latest release. As ever, perhaps the best security step you can take is to always update to the latest version of Django.


Updates to Django

Today, "Updates to Django" is presented by Hwayoung from Djangonaut Space! 🚀

Last week we had 13 pull requests merged into Django by 8 different contributors - including 4 first-time contributors! Congratulations to Vishwa, Tim Harris, Codequiver, and Joe Babbitt for having their first commits merged into Django - welcome on board!

This week's Django highlights: 🦄

  • Deprecated the safe parameter of JsonResponse, as the browser vulnerability it protected against was fixed in ECMAScript 5. #36905

Releases

Python Release Python 3.15.0b2

Python 3.15.0b2, the second beta of four, is out with an explicit push for third-party maintainers to test now and file issues as early as possible. The release targets feature-complete beta with no ABI changes after beta 4, and recommends delaying production releases until 3.15.0rc1.


Python Software Foundation

PSF Strategic Plan 2026 Draft: Open for Community Feedback

PSF is publishing the full Strategic Plan 2026 draft and opening a three-week feedback window ending June 25. The board asks reviewers to focus on whether the goals and objectives are right, while implementation details will be shaped later by staff.


Sponsored Link

Middleware, but for AI agents

Django middleware composes request handlers. Harnesses do the same for AI agents - Claude Code, Codex, Gemini in one coordinated system. Learn what a harness actually is, why it's a new primitive, and how to engineer one that holds in production. Apache 2.0, open source.


Articles

Showcasing allauth IdP: build an MCP server | allauth

Learn how to use Django and django-allauth to secure MCP endpoints with OIDC, including token validation, client registration, and host authorization flows.

Django: introducing django-integrity-policy

From Adam Johnson, a new security header and detailed article laying out the "why."

Dependency Pruning

Tips on how to treat every lockfile entry as an attack surface and maintenance burden you do not want, then start by deleting dependencies you never import.

Loopwerk: uv is fantastic, but its package management UX is a mess

uv shines for Python toolchains, but its package maintenance UX is rough: there is no straightforward uv outdated, and the upgrade workflow (uv lock --upgrade) can aggressively pull in breaking major releases.

Python 3.15: features that didn't make the headlines

Python 3.15 beta highlights worth a look: TaskGroup.cancel for graceful cancellation, ContextDecorator fixing decorator lifecycles for async and generators, new threading iterator helpers to avoid broken state, and immutable JSON support via frozendict and an array_hook.

Please add an RSS Feed to Your Site

RSS is still the cleanest way to keep up with the people you actually want to hear from. If you host a personal site with Django, add an RSS feed quickly with a simple, up-to-date tutorial and ship it.

Using Read the Docs to benefit Django

Read the Docs can integrate with EthicalAds, letting maintainers earn a little from their documentation.

The Pursuit Of Purity (The Right Way To Do AI)

A thoughtful look at competing takes on AI ethics, from safety-first big-lab work to open, locally run, consensually sourced models.


Django Forum

django-allauth 65.18.0 released: IdP demo time

django-allauth 65.18.0 was just shipped with a bunch of Identity Provider (IdP) improvements!

Daphne v4.2.2 release

Daphne v4.2.2 is now available on PyPI. It fixes a couple of moderate/low security issues and is a recommended update for all users.


Django Fellow Reports

Natalia Bidart

My primary focus this week was polishing the upcoming security release. I spent time going deeper into areas I am less familiar with to ensure everything was in good shape for release. As release manager, this included reviewing and completing release notes, preparing backports for all three supported stable branches, and crafting the corresponding CVE metadata so records are ready ahead of disclosure (this is part of our CNA responsibilities).

Sarah Boyce

I was at PyCon Italia this week, which was fantastic, highly recommend going if you get the chance.

Jacob Walls

After a Monday holiday in the US, I spent a week focusing on contributions from the prior week’s PyCon sprint.


Events

PyBay 2026

October 3rd in San Francisco this year. The Call for Proposals (CP) is open until July 8th.


Django Job Board

Founding Engineer at MyDataValue


Projects

feincms/feincms3-cookiecontrol

Cookie banner with support for embedded media.

adamghill/dj-lite-tenant

Multi-tenant SQLite databases for Django.


Django News is not associated with the Django Software Foundation.

Django is a registered trademark of the Django Software Foundation.
