mirror of https://github.com/zulip/zulip.git
70f72a3ae8
Send the `csrftoken` and `sessionid` cookies with `SameSite=Lax`. This adds a layer of defense against CSRF attacks and matches the new default in Django 2.1: https://docs.djangoproject.com/en/2.1/releases/2.1/#samesite-cookies This can be reverted when we upgrade to Django ≥ 2.1. Signed-off-by: Anders Kaseorg <anders@zulipchat.com> |
||
|---|---|---|
| .. | ||
| README.md | ||
| common.in | ||
| dev.in | ||
| dev.txt | ||
| docs.in | ||
| docs.txt | ||
| mypy.in | ||
| mypy.txt | ||
| pip.in | ||
| pip.txt | ||
| prod.in | ||
| prod.txt | ||
| thumbor-dev.in | ||
| thumbor-dev.txt | ||
| thumbor.in | ||
| thumbor.txt | ||
README.md
The dependency graph of the requirements is as follows:
dev prod
+ + +
| +->common<-+
v
mypy,docs
Of the files, only dev, prod, and mypy have been used in the install scripts directly. The rest are implicit dependencies.
common and dev are locked.
Steps to update a lock file, e.g. to update ipython from 5.3.0 to 6.0.0 in
common.in and propagate it to dev.txt and prod.txt:
0. Replace ipython==5.4.1 with ipython==6.0.0 in common.in.
- Run
./tools/update-locked-requirements. - Increase
PROVISION_VERSIONinversion.py. - Run
./tools/provisionto install the new deps and test them. - Commit your changes.