Merge branch 'main' into ci/merge-pre-commit-main-workflows

2026-02-17 20:50:35 +03:00 · 2026-02-11 20:32:08 +00:00 · 2026-02-11 20:32:08 +00:00 · d9d3f0a2ef
commit d9d3f0a2ef
parent 21acd8eb52 cf38c94ec1
17 changed files with 67 additions and 28 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -13,3 +13,37 @@ updates:
      interval: weekly
    cooldown:
      default-days: 7
+  
+  - package-ecosystem: "pip"
+    directory: "/"
+
+    groups:
+      test:
+        patterns:
+          - "pytest*"
+          - "attrs"
+          - "importlib-metadata"
+          - "pytz"
+
+      docs:
+        patterns:
+          - "mkdocs"
+          - "pylinkvalidator"
+
+      optional:
+        patterns:
+          - "coreapi"
+          - "coreschema"
+          - "django-filter"
+          - "django-guardian"
+          - "inflection"
+          - "legacy-cgi"
+          - "markdown"
+          - "psycopg*"
+          - "pygments"
+          - "pyyaml"
+
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -84,7 +84,6 @@ jobs:
    - run: if [ $WAIT_TIME == 5 ]; then echo cannot start mkdocs server on http://localhost:8000; exit 1; fi
    
    - name: Check links
-      continue-on-error: true
      run: pylinkvalidate.py -P http://localhost:8000/
  
    - run: echo "Done"
--- a/docs/api-guide/authentication.md
+++ b/docs/api-guide/authentication.md
@ -89,7 +89,7 @@ Note that when a request may successfully authenticate, but still be denied perm

 ## Django 5.1+ `LoginRequiredMiddleware`

-If you're running Django 5.1+ and use the [`LoginRequiredMiddleware`][login-required-middleware], please note that all views from DRF are opted-out of this middleware.  This is because the authentication in DRF is based authentication and permissions classes, which may be determined after the middleware has been applied.  Additionally, when the request is not authenticated, the middleware redirects the user to the login page, which is not suitable for API requests, where it's preferable to return a 401 status code.
+If you're running Django 5.1+ and use the [`LoginRequiredMiddleware`][login-required-middleware], please note that all views from DRF are opted-out of this middleware.  This is because the authentication in DRF is based on authentication and permissions classes, which may be determined after the middleware has been applied.  Additionally, when the request is not authenticated, the middleware redirects the user to the login page, which is not suitable for API requests, where it's preferable to return a 401 status code.

 REST framework offers an equivalent mechanism for DRF views via the global settings, `DEFAULT_AUTHENTICATION_CLASSES` and `DEFAULT_PERMISSION_CLASSES`.  They should be changed accordingly if you need to enforce that API requests are logged in.

--- a/docs/api-guide/permissions.md
+++ b/docs/api-guide/permissions.md
@ -138,7 +138,10 @@ Provided they inherit from `rest_framework.permissions.BasePermission`, permissi
            return Response(content)

 !!! note
-    Composition of permissions supports `&` (and), `|` (or) and `~` (not) operators.
+    Composition of permissions supports the `&` (and), `|` (or) and `~` (not) operators, and also allows the use of brackets `(` `)` to group expressions.
+
+    Operators follow the same precedence and associativity rules as standard logical operators (`~` highest, then `&`, then `|`).
+

 # API Reference

--- a/docs/community/3.10-announcement.md
+++ b/docs/community/3.10-announcement.md
@ -145,4 +145,4 @@ continued development by **[signing up for a paid plan][funding]**.

 [legacy-core-api-docs]:https://github.com/encode/django-rest-framework/blob/3.14.0/docs/coreapi/index.md
 [sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
--- a/docs/community/3.11-announcement.md
+++ b/docs/community/3.11-announcement.md
@ -111,4 +111,4 @@ continued development by **[signing up for a paid plan][funding]**.
 *Many thanks to all our [wonderful sponsors][sponsors], and in particular to our premium backers, [Sentry](https://getsentry.com/welcome/), [Stream](https://getstream.io/?utm_source=drf&utm_medium=banner&utm_campaign=drf), [ESG](https://software.esg-usa.com/), [Rollbar](https://rollbar.com/?utm_source=django&utm_medium=sponsorship&utm_campaign=freetrial), [Cadre](https://cadre.com), [Kloudless](https://hubs.ly/H0f30Lf0), [Lights On Software](https://lightsonsoftware.com), and [Retool](https://retool.com/?utm_source=djangorest&utm_medium=sponsorship).*

 [sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
--- a/docs/community/3.12-announcement.md
+++ b/docs/community/3.12-announcement.md
@ -178,4 +178,4 @@ continued development by **[signing up for a paid plan][funding]**.
 *Many thanks to all our [wonderful sponsors][sponsors], and in particular to our premium backers, [Sentry](https://getsentry.com/welcome/), [Stream](https://getstream.io/?utm_source=drf&utm_medium=banner&utm_campaign=drf), [ESG](https://software.esg-usa.com/), [Rollbar](https://rollbar.com/?utm_source=django&utm_medium=sponsorship&utm_campaign=freetrial), [Cadre](https://cadre.com), [Kloudless](https://hubs.ly/H0f30Lf0), [Lights On Software](https://lightsonsoftware.com), and [Retool](https://retool.com/?utm_source=djangorest&utm_medium=sponsorship).*

 [sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
--- a/docs/community/3.4-announcement.md
+++ b/docs/community/3.4-announcement.md
@ -177,7 +177,7 @@ The full set of itemized release notes [are available here][release-notes].

 [sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
 [moss]: mozilla-grant.md
-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
 [core-api]: https://www.coreapi.org/
 [command-line-client]: https://github.com/encode/django-rest-framework/blob/3.4.7/docs/topics/api-clients.md#command-line-client
 [client-library]: https://github.com/encode/django-rest-framework/blob/3.4.7/docs/topics/api-clients.md#python-client-library
--- a/docs/community/3.5-announcement.md
+++ b/docs/community/3.5-announcement.md
@ -251,7 +251,7 @@ in version 3.3 and raised a deprecation warning in 3.4. Its usage is now mandato
 ---

 [sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
 [uploads]: https://core-api.github.io/python-client/api-guide/utils/#file
 [downloads]: https://core-api.github.io/python-client/api-guide/codecs/#downloadcodec
 [schema-generation-api]: ../api-guide/schemas.md#schemagenerator
--- a/docs/community/3.6-announcement.md
+++ b/docs/community/3.6-announcement.md
@ -193,7 +193,7 @@ Once work on those refinements is complete, we'll be starting feature work
 on realtime support, for the 3.7 release.

 [sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
 [api-docs]: ../topics/documenting-your-api.md
 [js-docs]: https://github.com/encode/django-rest-framework/blob/3.14.0/docs/topics/api-clients.md#javascript-client-library
 [py-docs]: https://github.com/encode/django-rest-framework/blob/3.14.0/docs/topics/api-clients.md#python-client-library
--- a/docs/community/3.7-announcement.md
+++ b/docs/community/3.7-announcement.md
@ -125,6 +125,6 @@ We're still planning to work on improving real-time support for REST framework b

 This will likely be timed so that any REST framework development here ties in with similar work on [API Star][api-star].

-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
 [schema-docs]: ../api-guide/schemas.md
 [api-star]: https://github.com/encode/apistar
--- a/docs/community/3.8-announcement.md
+++ b/docs/community/3.8-announcement.md
@ -91,7 +91,7 @@ We're currently working towards moving to using [OpenAPI][openapi] as our defaul

 We're doing some consolidation in order to make this happen. It's planned that 3.9 will drop the `coreapi` and `coreschema` libraries, and instead use `apistar` for the API documentation generation, schema generation, and API client libraries.

-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
 [gh5886]: https://github.com/encode/django-rest-framework/issues/5886
 [gh5705]: https://github.com/encode/django-rest-framework/issues/5705
 [openapi]: https://www.openapis.org/
--- a/docs/community/3.9-announcement.md
+++ b/docs/community/3.9-announcement.md
@ -203,7 +203,7 @@ web framework, which is building a foundational set of tooling for working with
 ASGI.


-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
 [gh5886]: https://github.com/encode/django-rest-framework/issues/5886
 [gh5705]: https://github.com/encode/django-rest-framework/issues/5705
 [openapi]: https://www.openapis.org/
--- a/docs/community/jobs.md
+++ b/docs/community/jobs.md
@ -1,6 +1,6 @@
 # Jobs

-Looking for a new Django REST Framework related role? On this site we provide a list of job resources that may be helpful. It's also worth checking out if any of [our sponsors are hiring][drf-funding].
+Looking for a new Django REST Framework related role? On this site we provide a list of job resources that may be helpful. It's also worth checking out if any of [our sponsors are hiring][sponsors].


 ## Places to look for Django REST Framework Jobs
@ -22,7 +22,7 @@ Looking for a new Django REST Framework related role? On this site we provide a

 Know of any other great resources for Django REST Framework jobs that are missing in our list? Please [submit a pull request][submit-pr] or [email us][anna-email].

-Wonder how else you can help? One of the best ways you can help Django REST Framework is to ask interviewers if their company is signed up for [REST Framework sponsorship][drf-funding] yet.
+Wonder how else you can help? One of the best ways you can help Django REST Framework is to ask interviewers if their company is signed up for [REST Framework sponsorship][sponsors] yet.


 [djangoproject-website]: https://www.djangoproject.com/community/jobs/
@ -38,6 +38,6 @@ Wonder how else you can help? One of the best ways you can help Django REST Fram
 [remoteok-com]: https://remoteok.com/remote-django-jobs
 [remotepython-com]: https://www.remotepython.com/jobs/
 [pyjobs-com]: https://www.pyjobs.com/
-[drf-funding]: https://fund.django-rest-framework.org/topics/funding/
+[sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
 [submit-pr]: https://github.com/encode/django-rest-framework
 [anna-email]: mailto:anna@django-rest-framework.org
--- a/docs/community/mozilla-grant.md
+++ b/docs/community/mozilla-grant.md
@ -37,7 +37,7 @@ at the end of May 2016.
 I have formed a UK limited company, [Encode](https://www.encode.io/), which will
 act as the business entity behind REST framework. I will be issuing monthly reports
 from Encode on progress both towards the Mozilla grant, and for development time
-funded via the [REST framework paid plans](funding.md).
+funded via the REST framework paid plans.

 <!-- Begin MailChimp Signup Form -->
 <link href="//cdn-images.mailchimp.com/embedcode/classic-10_7.css" rel="stylesheet" type="text/css">
--- a/pyproject.toml
+++ b/pyproject.toml
@ -44,13 +44,11 @@ dev = [
  { include-group = "test" },
 ]
 test = [
-  # temporary pin of attrs
-  "attrs==22.1.0",
-  "importlib-metadata<5.0",
+  "importlib-metadata<9.0",

  # Pytest for running the tests.
-  "pytest>=7.0.1,<8",
-  "pytest-cov>=4.0.0,<5.0",
+  "pytest==9.*",
+  "pytest-cov==7.*",
  "pytest-django>=4.5.2,<5",

  # Remove when dropping support for Django<5.0
@ -58,22 +56,24 @@ test = [
 ]
 docs = [
  # MkDocs to build our documentation.
-  "mkdocs==1.6.0",
+  "mkdocs==1.6.1",
  # pylinkvalidator to check for broken links in documentation.
  "pylinkvalidator==0.3",
 ]
 optional = [
  # Optional packages which may be used with REST framework.
-  "coreapi==2.3.1",
+  "coreapi==2.3.3",
  "coreschema==0.0.4",
  "django-filter",
-  "django-guardian>=2.4.0,<2.5",
+  "django-guardian>=2.4.0,<3.3",
  "inflection==0.5.1",
  "legacy-cgi; python_version>='3.13'",
  "markdown>=3.3.7",
  "psycopg[binary]>=3.1.8",
-  "pygments~=2.17.0",
-  "pyyaml>=5.3.1,<5.4",
+  "pygments>=2.17,<2.20",
+  "pyyaml>=5.3.1,<6.1",
+  # setuptools is needed for coreapi (imports pkg_resources)
+  "setuptools<82",
 ]
 django42 = [ "django>=4.2,<5.0" ]
 django50 = [ "django>=5.0,<5.1" ]
@ -118,7 +118,10 @@ keep_full_version = true
 [tool.pytest.ini_options]
 addopts = "--tb=short --strict-markers -ra"
 testpaths = [ "tests" ]
-filterwarnings = [ "ignore:CoreAPI compatibility is deprecated*:rest_framework.RemovedInDRF318Warning" ]
+filterwarnings = [
+  "ignore:CoreAPI compatibility is deprecated*:rest_framework.RemovedInDRF318Warning",
+  "ignore:'cgi' is deprecated:DeprecationWarning",
+]

 [tool.coverage.run]
 # NOTE: source is ignored with pytest-cov (but uses the same).
--- a/tox.ini
+++ b/tox.ini
@ -10,7 +10,7 @@ envlist =
       docs

 [testenv]
-commands = python -W error::DeprecationWarning -W error::PendingDeprecationWarning runtests.py --coverage {posargs}
+commands = pytest --cov --cov-report xml {posargs}
 envdir = {toxworkdir}/venvs/{envname}
 setenv =
       PYTHONDONTWRITEBYTECODE=1