fix(deps): update dependency wagtail to v6 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
wagtail (changelog)	==5.2.8 → ==6.3.8

GitHub Vulnerability Alerts

CVE-2026-25517

Impact

Due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Patches

Patched versions have been released as Wagtail 6.3.6, 7.0.4, 7.1.3 and 7.2.2. The new 7.3 feature release also incorporates this fix.

Workarounds

No workaround is available.

Acknowledgements

Many thanks to @​thxtech for reporting this issue.

For more information

If there are any questions or comments about this advisory:

• Visit Wagtail's support channels
• Send an email to security@wagtail.org (view our security policy for more information).

CVE-2026-28222

Impact

A stored Cross-site Scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock.

Patches

Patched versions have been released as Wagtail 6.3.8, 7.0.6, 7.2.3 and 7.3.1.

Workarounds

Site owners who are unable to upgrade to the new versions can remediate the vulnerability by setting a template attribute on all TableBlock definitions, referencing a template that does not output class attributes. For example:

<!-- For use with TableBlock(template="path/to/table_block.html") -->
<table>
    {% if table_caption %}
        <caption></caption>
    {% endif %}
    {% if table_header %}
        <thead>
            <tr>
                {% for cell in table_header %}
                    <th scope="col"></th>
                {% endfor %}
            </tr>
        </thead>
    {% endif %}
    <tbody>
        {% for row in data %}
            <tr>
                {% for cell in row %}
                    {% if first_col_is_header and forloop.first %}
                        <th scope="row"></th>
                    {% else %}
                        <td></td>
                    {% endif %}
                {% endfor %}
            </tr>
        {% endfor %}
    </tbody>
</table>

Acknowledgements

Many thanks to Guan Chenxian (@​GCXWLP) for reporting this issue.

For more information

If there are any questions or comments about this advisory:

• Visit Wagtail's support channels
• Email Wagtail at security@wagtail.org (view the security policy for more information).

CVE-2026-28223

Impact

A stored Cross-site Scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Patches

Patched versions have been released as Wagtail 6.3.8, 7.0.6, 7.2.3 and 7.3.1.

Workarounds

None

Acknowledgements

Many thanks to Guan Chenxian (@​GCXWLP) for reporting this issue.

For more information

If there are any questions or comments about this advisory:

• Visit Wagtail's support channels
• Email Wagtail at security@wagtail.org (view the security policy for more information).

---

Release Notes

wagtail/wagtail (wagtail)

v6.3.8: 6.3.8

Compare Source

• Fix: CVE-2026-28222: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes (Guan Chenxian, Matt Westcott)
• Fix: CVE-2026-28223: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface (Guan Chenxian, Matt Westcott)

v6.3.7: 6.3.7

Compare Source

• Remove upper bound on Pillow dependency

v6.3.6: 6.3.6

Compare Source

• Fix: Remove ngram parser on MySQL that prevented autocomplete search from returning results (Vince Salvino)
• Fix: CVE-2026-25517: Improper permission handling on admin preview endpoints (thxtech, Matt Westcott, Jake Howard)

v6.3.5: 6.3.5

Compare Source

• Fix: Use correct URL when redirecting back to the listing after filtering and deleting form submissions (Sage Abdullah)
• Fix: Fix broken migration when ListBlock is defined with a child_block kwarg (Matt Westcott)
• Maintenance: Use utf8mb4 charset and collation for MySQL test database (Sage Abdullah)

v6.3.4: 6.3.4

Compare Source

• Added support for Django 5.2
• Fix: Add missing “Close” label to the upgrade notification dismiss button (Sage Abdullah)
• Fix: Fix white text on white background in previews for sites that use color-scheme without a background-color (Sage Abdullah)
• Maintenance: Remove upper version boundary for django-filter (Dan Braghis)

v6.3.3

Compare Source

• Fix: Correctly place comment buttons next to date / datetime / time fields. (Srishti Jaiswal)
• Fix: Reduce confusing spacing below StreamField blocks help text (Rishabh Sharma)
• Fix: Make sure alt text quality check is on by default as documented (Thibaud Colas)
• Fix: Prevent StreamChildrenToListBlockOperation from duplicating data across multiple StreamField instances (Joshua Munn)
• Fix: Prevent database error when calling permission_order.register on app ready (Daniel Kirkham, Matt Westcott)
• Fix: Prevent error on lazily loading StreamField blocks after the stream has been modified (Stefan Hammer)
• Fix: Prevent syntax error on MySQL search when query includes symbols (Matt Westcott)
• Docs: Update example for customizing "p-as-heading" accessibility check without overriding built-in checks (Cynthia Kiser)
• Docs: Update accessibility considerations on alt text in light of contextual alt text improvements (Cynthia Kiser)
• Docs: Revert incorrect example of appending a RichTextBlock to a StreamField (Matt Westcott)

v6.3.2: 6.3.2

Compare Source

• Fix: Ensure Cloudfront cache invalidation is called with a list, for compatibility with current botocore versions (Jake Howard)
• Fix: Ensure Draftail features wrap when a large amount of features are added (Bart Cieliński)
• Fix: Implement get_block_by_content_path on ImageBlock to prevent errors on commenting (Matt Westcott)
• Docs: Update tutorial to reflect the move of the "Add child page" action to a top-level button in the header as a '+' icon (Clifford Gama)

v6.3.1: 6.3.1

Compare Source

• Fix: Restore ability to upload profile picture through account settings (Sage Abdullah)
• Fix: Correctly handle ImageChooserBlock to ImageBlock data conversions where all inputs to bulk_to_python are null (Storm Heg, Matt Westcott)
• Fix: Improve spacing of page / collection permissions table in Group settings (Sage Abdullah)
• Fix: Remove forced capitalization of site name on admin dashboard (Thibaud Colas)
• Docs: Reword BlogTagIndexPage example for clarity (Clifford Gama)
• Docs: Change title of blog index page in tutorial to avoid slug issues (Thibaud Colas)
• Docs: Fix wagtailcache and wagtailpagecache examples to not use quotes for the fragment_name (Shiv)
• Docs: Lower search result ranking for release notes on readthedocs search (Sage Abdullah)

v6.3: 6.3 (LTS)

Compare Source

• Add support for Python 3.13 (Matt Westcott)
• Add formal support for Django 5.1 (Matt Westcott)
• Add ImageBlock with alt text support (Chiemezuo Akujobi for Google Summer of Code, mentored by Storm Heg, Saptak Sengupta, Thibaud Colas and Matt Westcott)
• Implement incremental dashboard design enhancements (Albina Starykova, Ben Enright)
• Add a new enhanced contrast admin theming option for the admin interface (Albina Starykova, Victoria Ottah)
• Migrate workflow history views to universal listings (Sage Abdullah)
• Refactor documents views to use universal designs (Sage Abdullah)
• Refactor images views to use universal designs (Sage Abdullah)
• Implement universal listings for workflow usage and page type usage views (Sage Abdullah)
• Add search and filters to form pages listing (Sage Abdullah)
• Add support for uploading HEIC / HEIF images (Matt Westcott)
• Allow customization of preview device sizes in the live preview panel (Bart Cieliński, alexkiro, Sage Abdullah)
• Formalize support for MariaDB (Sage Abdullah, Daniel Black)
• Redirect to the last viewed listing page after deleting form submissions (Matthias Brück)
• Provide getTextLabel method on date / time StreamField blocks (Vaughn Dickson)
• Purge frontend cache when modifying redirects (Jake Howard)
• Deprecate the WAGTAIL_AUTO_UPDATE_PREVIEW setting, use WAGTAIL_AUTO_UPDATE_PREVIEW_INTERVAL = 0 instead (Sage Abdullah)
• Consistently use capfirst for title-casing model verbose names (Sébastien Corbin)
• Fire copy_for_translation_done signal when copying translatable models as well as pages (Coen van der Kamp)
• Add support for an image description field across all images, to better support accessible image descriptions (Chiemezuo Akujobi)
• Prompt the user about unsaved changes when editing snippets (Sage Abdullah)
• Make dashboard upgrade banners dismissible (Sage Abdullah)
• Add support for specifying different preview modes to the "View draft" URL for pages (Robin Varghese)
• Implement new designs for the footer actions dropdown with more contrast and larger text (Sage Abdullah)
• All create/edit admin forms now use a sticky submit button, for consistency and to speed up edits (Sage Abdullah)
• Secondary form actions such as "Delete" are now in the header actions menu (Sage Abdullah)
• Allow setting page privacy rules when a restriction already exists on an ancestor page (Bojan Mihelac)
• Automatically create links when pasting content that contain URLs into a rich text input (Thibaud Colas)
• Add Uyghur language support
• Fix: Prevent page type business rules from blocking reordering of pages (Andy Babic, Sage Abdullah)
• Fix: Improve layout of object permissions table (Sage Abdullah)
• Fix: Fix typo in aria-label attribute of page explorer navigation link (Sébastien Corbin)
• Fix: Reinstate transparency indicator on image chooser widgets (Sébastien Corbin)
• Fix: Remove table headers that have no text (Matt Westcott)
• Fix: Fix broken link to user search (Shlomo Markowitz)
• Fix: Ensure that JS slugify function strips Unicode characters disallowed by Django slug validation (Atif Khan)
• Fix: Do not show notices about root / unroutable pages when searching or filtering in the page explorer (Matt Westcott)
• Fix: Resolve contrast issue for page deletion warning (Sanjeev Holla S)
• Fix: Make sure content metrics falls back to body element only when intended (Sage Abdullah)
• Fix: Remove wrongly-added filters from redirects index (Matt Westcott)
• Fix: Prevent popular tags filter from generating overly complex queries when not filtering (Matt Westcott)
• Fix: Fix content path links in usage view to scroll to the correct element (Sage Abdullah)
• Fix: Always show the minimap toggle button (Albina Starykova)
• Fix: Ensure that dropdown button toggles show with a border in high contrast mode (Ishwari8104, LB (Ben) Johnston)
• Fix: Update email notification header to the new logo design (rahulsamant37)
• Fix: Change file_size field on document model to avoid artificial 2Gb limit (Gabriel Getzie)
• Fix: Ensure that TypedTableBlock uses the correct API representations of child blocks (Matt Westcott)
• Fix: Footer action buttons now include their media definitions (Sage Abdullah)
• Fix: Improve the text contrast of the bulk actions "Select all" button (Sage Abdullah)
• Fix: Fix error on workflow settings view with multiple snippet types assigned to the same workflow on Postgres (Sage Abdullah)
• Fix: Fix datetime fields overflowing its parent wrapper in listing filters (Rohit Singh)
• Fix: Prevent multiple URLs from being combined into one when pasting links into a rich text input (Thibaud Colas)
• Fix: Improve layout of report listing tables (Sage Abdullah)
• Fix: Fix regression from creation of AbstractGroupApprovalTask to ensure can_handle checks for the abstract class correctly (Sumana Sree Angajala)
• Docs: Upgrade Sphinx to 7.3 (Matt Westcott)
• Docs: Upgrade sphinx-wagtail-theme to v6.4.0, with a new search integration and Read the Docs Addons bug fixes (Thibaud Colas)
• Docs: Document how to customize date/time format settings (Vince Salvino)
• Docs: Create a new documentation section for deployment and move fly.io deployment from the tutorial to this section (Vince Salvino)
• Docs: Clarify process for UserViewSet customization (Sage Abdullah)
• Docs: Correct WAGTAIL_WORKFLOW_REQUIRE_REAPPROVAL_ON_EDIT documentation to state that it defaults to False (Matt Westcott)
• Docs: Add an example of customizing a default accessibility check (Cynthia Kiser)
• Docs: Demonstrate access protection with TokenAuthentication in the Wagtail API v2 Configuration Guide (Krzysztof Jeziorny)
• Docs: Replace X links with Mastodon in the README (Alex Morega)
• Docs: Re-enable building offline formats in online documentation (Read the docs) for EPUB/PDF/HTML downloads (Joel William, Sage Abdullah)
• Docs: Resolve multiple output errors in the documentation ePub format (Sage Abdullah)
• Docs: Update social media examples to use LinkedIn, Reddit, Facebook (Ayaan Qadri)
• Maintenance: Removed support for Python 3.8 (Matt Westcott)
• Maintenance: Drop pytz dependency in favour of zoneinfo.available_timezones (Sage Abdullah)
• Maintenance: Relax django-taggit dependency to allow 6.0 (Matt Westcott)
• Maintenance: Improve page listing performance (Sage Abdullah)
• Maintenance: Phase out usage of SECRET_KEY in version and icon hashes (Jake Howard)
• Maintenance: Audit all use of localized and non-localized numbers in templates (Matt Westcott)
• Maintenance: Refactor StreamField get_prep_value for closer alignment with JSONField (Sage Abdullah)
• Maintenance: Move search implementation logic from generic IndexView to BaseListingView (Sage Abdullah)
• Maintenance: Upgrade Puppeteer integration tests for reliability (Matt Westcott)
• Maintenance: Restore ability to use .in_bulk() on specific querysets under Django 5.2a0 (Sage Abdullah)
• Maintenance: Add generated test-media to .gitignore (Shlomo Markowitz)
• Maintenance: Improve debounce util's return type for better TypeScript usage (Sage Abdullah)
• Maintenance: Ensure the side panel's show event is dispatched after any hide events (Sage Abdullah)
• Maintenance: Migrate preview-panel JavaScript to Stimulus & TypeScript, add full unit testing (Sage Abdullah)
• Maintenance: Move wagtailConfig values from inline scripts to the wagtail_config template tag (LB (Ben) Johnston, Sage Abdullah)
• Maintenance: Deprecate the {% locales %} and {% js_translation_strings %} template tags (LB (Ben) Johnston, Sage Abdullah)
• Maintenance: Ensure multi-line comments are cleaned from custom icons in addition to just single line comments (Jake Howard)
• Maintenance: Deprecate window.wagtailConfig.BULK_ACTION_ITEM_TYPE usage in JavaScript to reduce reliance on inline scripts (LB (Ben) Johnston)
• Maintenance: Remove window.fileupload_opts usage in JavaScript, use data attributes on fields instead to reduce reliance on inline scripts (LB (Ben) Johnston)
• Maintenance: Remove image_format_name_to_content_type helper function that duplicates Willow functionality (Matt Westcott)
• Maintenance: Improve code reuse for footer actions markup across generic views (Sage Abdullah)
• Maintenance: Deprecate internal DeleteMenuItem API for footer actions (Sage Abdullah)
• Maintenance: Update Pillow dependency to allow 11.x (Storm Heg)

v6.2.4: 6.2.4

Compare Source

• Fix: Fix broken migration when ListBlock is defined with a child_block kwarg (Matt Westcott)

v6.2.3: 6.2.3

Compare Source

• Fix: Prevent multiple URLs from being combined into one when pasting links into a rich text input (Thibaud Colas)
• Fix: Fix error on workflow settings view with multiple snippet types assigned to the same workflow on Postgres (Sage Abdullah)
• Fix: Prevent history view from breaking if a log entry's revision is missing (Matt Westcott)
• Docs: Upgrade sphinx-wagtail-theme to v6.4.0, with a new search integration and Read the Docs Addons bug fixes (Thibaud Colas)

v6.2.2: 6.2.2

Compare Source

• Fix: Fix various instances of USE_THOUSAND_SEPARATOR formatting numbers where formatting is invalid (Sébastien Corbin, Matt Westcott)
• Fix: Fix broken link to user search (Shlomo Markowitz)
• Fix: Make sure content metrics falls back to body element only when intended (Sage Abdullah)
• Fix: Remove wrongly-added filters from redirects index (Matt Westcott)
• Fix: Prevent popular tags filter from generating overly complex queries when not filtering (Matt Westcott)
• Docs: Clarify process for UserViewSet customization (Sage Abdullah)

v6.2.1: 6.2.1

Compare Source

• Fix: Handle child_block being passed as a kwarg in ListBlock migrations (Matt Westcott)
• Fix: Fix broken task type filter in workflow task chooser modal (Sage Abdullah)
• Fix: Prevent circular imports between wagtail.admin.models and custom user models (Matt Westcott)
• Fix: Ensure that concurrent editing check works for users who only have edit access via workflows (Matt Westcott)

v6.2: 6.2

Compare Source

• Optimize and consolidate redirects report view into the index view (Jake Howard, Dan Braghis)
• Support a HOSTNAMES parameter on WAGTAILFRONTENDCACHE to define which hostnames a backend should respond to (Jake Howard, sponsored by Oxfam America)
• Refactor redirects edit view to use the generic EditView and breadcrumbs (Rohit Sharma)
• Allow custom permission policies on snippets to prevent superusers from creating or editing them (Sage Abdullah)
• Do not link to edit view from listing views if user has no permission to edit (Sage Abdullah)
• Allow access to snippets and other model viewsets to users with "View" permission (Sage Abdullah)
• Skip ChooseParentView if only one possible valid parent page is available (Matthias Brück)
• Add copy_for_translation_done signal when a page is copied for translation (Arnar Tumi Þorsteinsson)
• Remove reduced opacity for draft page title in listings (Inju Michorius)
• Adopt more compact representation for StreamField definitions in migrations (Matt Westcott)
• Implement a new design for locale labels in listings (Albina Starykova)
• Add alt text validation rule in the accessibility checker (Albina Starykova)
• Add a deactivate() method to ProgressController (Alex Morega)
• Allow manually specifying credentials for CloudFront frontend cache backend (Jake Howard)
• Automatically register permissions for models registered with a ModelViewSet (Sage Abdullah)
• Implement universal listings UI for report views (Sage Abdullah)
• Make routable_resolver_match attribute available on RoutablePageMixin responses (Andy Chosak)
• Support customizations to UserViewSet via the app config (Sage Abdullah)
• Add word count and reading time metrics within the page editor (Albina Starykova. Sponsored by The Motley Fool)
• Implement a new design for accessibility checks (Albina Starykova)
• Allow changing available privacy options per page model (Shlomo Markowitz)
• Add concurrent editing notifications for pages and snippets (Matt Westcott, Sage Abdullah)
• Add "soft" client-side validation for StreamBlock / ListBlock min_num / max_num (Matt Westcott)
• Log accessibility checker results in the console to help developers with troubleshooting (Thibaud Colas)
• Disable pointer events on checker highlights to simplify DevTools inspections (Thibaud Colas)
• Fix: Make WAGTAILIMAGES_CHOOSER_PAGE_SIZE setting functional again (Rohit Sharma)
• Fix: Enable richtext template tag to convert lazy translation values (Benjamin Bach)
• Fix: Ensure permission labels on group permissions page are translated where available (Matt Westcott)
• Fix: Preserve whitespace in comment replies (Elhussein Almasri)
• Fix: Address layout issues in the title cell of universal listings (Sage Abdullah)
• Fix: Support SVG icon id attributes with single quotes in the styleguide (Sage Abdullah)
• Fix: Do not show delete button on model edit views if per-instance permissions prevent deletion (Matt Westcott)
• Fix: Remove duplicate header in privacy dialog when a privacy setting is set on a parent page or collection (Matthias Brück)
• Fix: Allow renditions of .ico images (Julie Rymer)
• Fix: Handle choice groups as dictionaries in active filters (Sébastien Corbin)
• Fix: Add separators when displaying multiple error messages on a StructBlock (Kyle Bayliss)
• Fix: Specify verbose_name on TranslatableMixin.locale so that it is translated when used as a label (Romein van Buren)
• Fix: Disallow null characters in API filter values (Jochen Wersdörfer)
• Fix: Fix image preview when Willow optimizers are enabled (Alex Tomkins)
• Fix: Ensure external-to-internal link conversion works when the wagtail_serve view is on a non-root path (Sage Abdullah)
• Fix: Add missing for_instance method to PageLogEntryManager (Matt Westcott)
• Fix: Ensure that "User" column on history view is translatable (Romein van Buren)
• Fix: Handle StreamField migrations where the field value is null (Joshua Munn)
• Fix: Prevent incorrect menu ordering when order value is 0 (Ben Dickinson)
• Fix: Fix dynamic image serve view with certain backends (Sébastien Corbin)
• Fix: Show not allowed extension in error message (Sahil Jangra)
• Fix: Fix focal point chooser when localization enabled (Sébastien Corbin)
• Fix: Ensure that system checks for WAGTAIL_DATE_FORMAT, WAGTAIL_DATETIME_FORMAT and WAGTAIL_TIME_FORMAT take FORMAT_MODULE_PATH into account (Sébastien Corbin)
• Fix: Prevent rich text fields inside choosers from being duplicated when opened repeatedly (Sage Abdullah)
• Docs: Remove duplicate section on frontend caching proxies from performance page (Jake Howard)
• Docs: Document restriction_type field on PageViewRestriction (Shlomo Markowitz)
• Docs: Document Wagtail's bug bounty policy (Jake Howard)
• Docs: Fix incorrect Sphinx-style code references to use MyST style (Byron Peebles)
• Docs: Document the fact that Orderable is not required for inline panels (Bojan Mihelac)
• Docs: Add note about prefers-reduced-motion to the accessibility documentation (Roel Koper)
• Docs: Update deployment instructions for Fly.io (Jeroen de Vries)
• Docs: Add better docs for generating URLs on creating admin views (Shlomo Markowitz)
• Docs: Document the vary_fields property for custom image filters (Daniel Kirkham)
• Docs: Fix documentation build errors (Himanshu Garg, Chris Shenton)
• Docs: Fix PDF export (Nathanaël Jourdane)
• Maintenance: Use DjangoJSONEncoder instead of custom LazyStringEncoder to serialize Draftail config (Sage Abdullah)
• Maintenance: Refactor image chooser pagination to check WAGTAILIMAGES_CHOOSER_PAGE_SIZE at runtime (Matt Westcott)
• Maintenance: Exclude the client/scss directory in Tailwind content config to speed up CSS compilation (Sage Abdullah)
• Maintenance: Split contrib.frontend_cache.backends into dedicated sub-modules (Andy Babic)
• Maintenance: Remove unused docs/autobuild.sh script (Sævar Öfjörð Magnússon)
• Maintenance: Replace urlparse with urlsplit to improve performance (Jake Howard)
• Maintenance: Optimise embed finder lookups (Jake Howard)
• Maintenance: Improve performance of initial admin loading by moving sprite hashing out of module import time (Jake Howard)
• Maintenance: Remove workaround and inline scripts for activating workflow actions (Sage Abdullah)
• Maintenance: Prevent 'BlockWidget' object has no attribute '_block_json' from masking errors during StreamField serialization (Matt Westcott)

v6.1.3: 6.1.3

Compare Source

• Fix: CVE-2024-39317: Regular expression denial-of-service via search query parsing (Jake Howard)
• Fix: Allow renditions of .ico images (Julie Rymer)
• Fix: Handle choice groups as dictionaries in active filters (Sébastien Corbin)
• Fix: Fix image preview when Willow optimizers are enabled (Alex Tomkins)
• Fix: Fix dynamic image serve view with certain backends (Sébastien Corbin)

v6.1.2: 6.1.2

Compare Source

• Fix: Fix client-side handling of select inputs within ChoiceBlock (Matt Westcott)
• Fix: Support SVG icon id attributes with single quotes in the styleguide (Sage Abdullah)
• Fix: CVE-2024-35228: Improper handling of insufficient permissions in wagtail.contrib.settings (Victor Miti, Matt Westcott, Jake Howard)

v6.1.1: 6.1.1

Compare Source

• Fix: Fix form action URL in user edit and delete views for custom user models (Sage Abdullah)
• Fix: Fix snippet copy view not prefilling form data (Sage Abdullah)
• Fix: Address layout issues in the title cell of universal listings (Sage Abdullah)
• Fix: Fix incorrect rich text to HTML conversion when multiple link / embed types are present (Andy Chosak, Matt Westcott)
• Fix: Restore ability for custom widgets in StreamField blocks to have multiple top-level nodes (Sage Abdullah, Matt Westcott)

v6.1: 6.1

Compare Source

• Refine wording of page & collection privacy using password is a shared password and should not be used for secure content (Rohit Sharma, Jake Howard)
• Add RelatedObjectsColumn to the table UI framework (Matt Westcott)
• Reduce memory usage when rebuilding search indexes (Jake Howard)
• Support creating images in .ico format (Jake Howard)
• Add the ability to disable the usage of a shared password for enhanced security for the private pages and collections (documents) feature (Salvo Polizzi, Jake Howard)
• Add system checks to ensure that WAGTAIL_DATE_FORMAT, WAGTAIL_DATETIME_FORMAT, WAGTAIL_TIME_FORMAT are correctly configured (Rohit Sharma, Coen van der Kamp)
• Allow custom permissions with the same prefix as built-in permissions (Sage Abdullah)
• Allow displaying permissions linked to the Admin model's content type (Sage Abdullah)
• Add support for Draftail's JavaScript to use chooserUrls provided by entity options & for the Draftail widget to encode lazy URLs/ translations (Elhussein Almasri)
• Reimplement search promotions IndexView using the generic.IndexView (Rohit Sharma, Sage Abdullah, Storm Heg)
• Reimplement redirects IndexView using the generic.IndexView (Rohit Sharma, Sage Abdullah, Temidayo Azeez)
• Add PageListingViewSet for custom per-page-type page listings (Matt Westcott)
• Add ChooseParentView to PageListingViewSet to allow creating pages from custom page listings (Abdelrahman Hamada, Sage Abdullah)
• Implement new universal listings design for image listing view (Sage Abdullah)
• Implement new universal listings design for document listing view (Sage Abdullah)
• Implement new universal listings design for site and locale listing views (Sage Abdullah)
• Implement new universal listings design for page and snippet history view (Sage Abdullah)
• Implement new universal listings design for form builder submissions view (Sage Abdullah)
• Implement new universal listings design for collections listing view (Sage Abdullah)
• Implement new universal listings design for groups views (Sage Abdullah)
• Implement new universal listings design for users views (Sage Abdullah)
• Implement new universal listings design for workflow and task views (Sage Abdullah)
• Refine slim header button style to match designs (Sage Abdullah)
• Add simple admin keyboard shortcuts overview dialog, available in the help sub-menu (Karthik Ayangar, Rohit Sharma)
• Add ability to bulk toggle permissions in the user group editing view, including shift+click for multiple selections (LB (Ben) Johnston, Kalob Taulien)
• Update the minimum version of djangorestframework to 3.15.1 (Sage Abdullah)
• Add support for related fields in generic IndexView.list_display (Abdelrahman Hamada)
• Improve page fetching logic and cache route results per request (Gordon Pendleton)
• Optimise rewriting of links / embeds in rich text using bulk database lookups (Andy Chosak)
• Add normalization mechanism to StreamField so that assignments and defaults can be passed in a wider range of data types (Joshua Munn, Matt Westcott)
• Allow specifying a STORAGES alias name for WAGTAILIMAGES_RENDITION_STORAGE (Alec Baron)
• Update PASSWORD_REQUIRED_TEMPLATE setting to WAGTAIL_PASSWORD_REQUIRED_TEMPLATE with deprecation of previous naming (Saksham Misra, LB (Ben) Johnston)
• Update DOCUMENT_PASSWORD_REQUIRED_TEMPLATE setting to WAGTAILDOCS_PASSWORD_REQUIRED_TEMPLATE with deprecation of previous naming (Saksham Misra, LB (Ben) Johnston)
• When editing settings (contrib) use the same icon in the editing view that was declared when registering the setting (Vince Salvino, Rohit Sharma)
• Populate django-treebeard cache during page routing to improve performance of get_parent (Nigel van Keulen)
• Add a new user profile preference to configure user interface information density (Thibaud Colas)
• Add additional field types to Elasticsearch mapping (scott-8)
• Fix: CVE-2024-32882: Permission check bypass when editing a model with per-field restrictions through wagtail.contrib.settings or ModelViewSet (Ben Morse, Joshua Munn, Jake Howard, Sage Abdullah)
• Fix: Fix typo in __str__ for MySQL search index (Jake Howard)
• Fix: Ensure that unit tests correctly check for migrations in all core Wagtail apps (Matt Westcott)
• Fix: Correctly handle date objects on human_readable_date template tag (Jhonatan Lopes)
• Fix: Ensure re-ordering buttons work correctly when using a nested InlinePanel (Adrien Hamraoui)
• Fix: Consistently remove model's verbose_name in group edit view when listing custom permissions (Sage Abdullah, Neeraj Yetheendran, Omkar Jadhav)
• Fix: Resolve issue local development of docs when running make livehtml (Sage Abdullah)
• Fix: Resolve issue with unwanted padding in chooser modal listings (Sage Abdullah)
• Fix: Ensure form builder emails that have date or datetime fields correctly localize dates based on the configured LANGUAGE_CODE (Mark Niehues)
• Fix: Ensure the Stimulus UnsavedController checks for nested removal/additions of inputs so that the unsaved warning shows in more valid cases when editing a page (Karthik Ayangar)
• Fix: Ensure get_add_url() is always used to re-render the add button when the listing is refreshed in viewsets (Sage Abdullah)
• Fix: Ensure dropdown content cannot get higher than the viewport and add scrolling within content if needed (Chiemezuo Akujobi)
• Fix: Prevent snippets model index view from crashing when a model does not have an objects manager (Jhonatan Lopes)
• Fix: Fix get_dummy_request's resulting host name when running tests with ALLOWED_HOSTS = ["*"] (David Buxton)
• Fix: Fix timezone handling in the timesince_last_update template tag (Matt Westcott)
• Fix: Fix Postgres phrase search to respect the language set in settings (Ihar Marhitych)
• Fix: Retain query parameters when switching between locales in the page chooser (Abdelrahman Hamada, Sage Abdullah)
• Fix: Add w-kbd-scope-value with support for global so that specific keyboard shortcuts (e.g. ctrl+s/cmd+s) trigger consistently even when focused on fields (Neeraj Yetheendran)
• Fix: Improve exception handling when generating image renditions concurrently (Andy Babic)
• Fix: Respect WAGTAIL_ALLOW_UNICODE_SLUGS setting when auto-generating slugs (LB (Ben) Johnston)
• Fix: Use correct URL when redirecting back to page search results after an AJAX search (Sage Abdullah)
• Fix: Reinstate missing static files in style guide (Sage Abdullah)
• Fix: Provide convert_mariadb_uuids management command to assist with upgrading to Django 5.0+ on MariaDB (Matt Westcott)
• Docs: Add contributing development documentation on how to work with a fork of Wagtail (Nix Asteri, Dan Braghis)
• Docs: Make sure the settings panel is listed in tabbed interface examples (Tibor Leupold)
• Docs: Update content and page names to their US spelling instead of UK spelling (Victoria Poromon)
• Docs: Update broken and incorrect links throughout the documentation (EK303)
• Docs: Fix formatting of --purge-only in wagtail_update_image_renditions management command section (Pranith Beeram)
• Docs: Update template components documentation to better explain the usage of the Laces library (Tibor Leupold)
• Docs: Update Sphinx theme to 6.3.0 with a fix for the missing favicon (Sage Abdullah)
• Docs: Document risk of XSS attacks on document upload (Matt Westcott, with thanks to Georgios Roumeliotis of TwelveSec for the original report)
• Docs: Add clarity to how custom StreamField validation works (Tibor Leupold)
• Docs: Add additional reference to the wagtail_update_image_renditions management command on the using images page (LB (Ben) Johnston)
• Docs: Correct information about line endings in Window development docs (Sage Abdullah)
• Docs: Improve code snippets for "Create a footer for all pages" tutorial section (Drikus Roor)
• Docs: Update list of third-party tutorials (LB (Ben) Johnston)
• Docs: Update "Integrating into Django" documentation to emphasise creating page models (Matt Westcott)
• Maintenance: Move RichText HTML whitelist parser to use the faster, built in html.parser (Jake Howard)
• Maintenance: Remove duplicate 'path' in default_exclude_fields_in_copy (Ramchandra Shahi Thakuri)
• Maintenance: Update unit tests to always use the faster, built in html.parser & remove html5lib dependency (Jake Howard)
• Maintenance: Adjust Eslint rules for TypeScript files (Karthik Ayangar)
• Maintenance: Rename the React Button that only renders links (a element) to Link and remove unused prop & behavior that was non-compliant for aria role usage (Advik Kabra)
• Maintenance: Set up an wagtail.models.AbstractWorkflow model to support future customizations around workflows (Hossein)
• Maintenance: Improve classnames template tag to handle nested lists of strings, use template tag for admin body element (LB (Ben) Johnston)
• Maintenance: Merge UploadedDocument and UploadedImage into new UploadedFile model for easier shared code usage (Advik Kabra, Karl Hobley)
• Maintenance: Optimize queries in dashboard panels (Sage Abdullah)
• Maintenance: Optimize queries in group create/edit view (Sage Abdullah)
• Maintenance: Move modal-workflow.js script usage to base admin template instead of ad-hoc imports (Elhussein Almasri)
• Maintenance: Update all Draftail chooserUrls to be passed in via the Entity options instead of using window.chooserUrls globals, removing the need for inline scripts (Elhussein Almasri)
• Maintenance: Enhance w-init (InitController) to support a detail value to be dispatched on events (Chiemezuo Akujobi)
• Maintenance: Remove usage of inline scripts and instead use event dispatching to instantiate standalone Draftail editor instances (Chiemezuo Akujobi)
• Maintenance: Refactor page_breadcrumbs tag to use shared breadcrumbs.html template (Sage Abdullah)
• Maintenance: Add keyboard icon to admin icon set (Rohit Sharma)
• Maintenance: Remove dead code in the minimap when elements are not found (LB (Ben) Johnston)
• Maintenance: Ensure untrusted data sources are logged correctly in the Stimulus SwapController (LB (Ben) Johnston)
• Maintenance: Update Wagtail logo in admin sidebar & favicon plus documentation to the latest version (Osaf AliSayed, Albina Starykova, LB (Ben) Johnston)
• Maintenance: Remove usage of inline scripts and instead use a new Stimulus controller (w-block/BlockController) to instantiate StreamField blocks (Karthik Ayangar)
• Maintenance: Update NPM Babel, TypeScript and Webpack packages (Neeraj Yetheendran)
• Maintenance: Replace ad-hoc JavaScript and vendor Mousetrap usage to a new Stimulus controller (w-kbd/KeyboardController) (Neeraj Yetheendran)
• Maintenance: Update django-filter to 24.x (Sebastian Muthwill)
• Maintenance: Remove jQuery usage in telepath widget classes (Matt Westcott)
• Maintenance: Remove xregexp (IE11 polyfill) along with window.XRegExp global util (LB (Ben) Johnston)
• Maintenance: Refactor the Django port of urlify to use TypeScript, officially deprecate window.URLify global util (LB (Ben) Johnston)

v6.0.6: 6.0.6

Compare Source

• Fix: CVE-2024-39317: Regular expression denial-of-service via search query parsing (Jake Howard)

v6.0.5: 6.0.5

Compare Source

• Fix: CVE-2024-35228: Improper handling of insufficient permissions in wagtail.contrib.settings (Victor Miti, Matt Westcott, Jake Howard)

v6.0.4: 6.0.4

Compare Source

• Fix: Fix snippet copy view not prefilling form data (Sage Abdullah)

v6.0.3: 6.0.3

Compare Source

• Fix: CVE-2024-32882: Permission check bypass when editing a model with per-field restrictions through wagtail.contrib.settings or ModelViewSet (Ben Morse, Joshua Munn, Jake Howard, Sage Abdullah)
• Fix: Respect WAGTAIL_ALLOW_UNICODE_SLUGS setting when auto-generating slugs (LB (Ben) Johnston)
• Fix: Use correct URL when redirecting back to page search results after an AJAX search (Sage Abdullah)
• Fix: Reinstate missing static files in style guide (Sage Abdullah)
• Fix: Provide convert_mariadb_uuids management command to assist with upgrading to Django 5.0+ on MariaDB (Matt Westcott)
• Fix: Fix generic CopyView for models with primary keys that need to be quoted (Sage Abdullah)

v6.0.2: 6.0.2

Compare Source

• Fix: Ensure that modal tabs width are not impacted by side panel opening (LB (Ben) Johnston)
• Fix: Resolve issue local development of docs when running make livehtml (Sage Abdullah)
• Fix: Resolve issue with unwanted padding in chooser modal listings (Sage Abdullah)
• Fix: Ensure get_add_url() is always used to re-render the add button when the listing is refreshed in viewsets (Sage Abdullah)
• Fix: Move modal-workflow.js script usage to base admin template instead of ad-hoc imports so that choosers work in ModelViewSets (Elhussein Almasri)
• Fix: Ensure JavaScript for common widgets such as InlinePanel is included by default in ModelViewSet's create and edit views (Sage Abdullah)
• Fix: Reinstate styles for customizations of extra_footer_actions block in page create/edit templates (LB (Ben) Johnston, Sage Abdullah)
• Fix: Prevent crash when loading an empty table block in the editor (Sage Abdullah)
• Docs: Update Sphinx theme to 6.3.0 with a fix for the missing favicon (Sage Abdullah)

v6.0.1: 6.0.1

Compare Source

• Fix: Ensure BooleanRadioSelect uses the same styles as RadioSelect (Thibaud Colas)
• Fix: Prevent failure on collectstatic when ManifestStaticFilesStorage is in use (Matt Westcott)
• Fix: Prevent error on submitting an empty search in the admin under Elasticsearch (Maikel Martens)

v6.0: 6.0

Compare Source

🎉 Special 10th anniversary release! 🎉

• Added support for Django 5.0
• Implemented universal listings – a unified listing and filtering interface for Pages, Snippets, Forms (Ben Enright, Matt Westcott, Thibaud Colas, Sage Abdullah)
• Add the accessibility checker within the page and snippets editor (Thibaud Colas)
• Added search_index option to StreamField blocks to control whether the block is indexed for searching (Vedant Pandey)
• Remember previous location on returning from page add/edit actions (Robert Rollins)
• Update settings file in project settings to address Django 4.2 deprecations (Sage Abdullah)
• Improve layout and accessibility of the image URL generator page, reduce reliance on JavaScript (Temidayo Azeez)
• Allow UniqueConstraint in place of unique_together for TranslatableMixin's system check (Temidayo Azeez, Sage Abdullah)
• Make use of IndexView.get_add_url() in snippets index view template (Christer Jensen, Sage Abdullah)
• Allow Page.permissions_for_user() to be overridden by specific page types (Sébastien Corbin)
• Improve visual alignment of explore icon in Page listings for longer content (Krzysztof Jeziorny)
• Add extra_actions blocks to Snippets and generic index templates (Bhuvnesh Sharma)
• Added page types usage report (Jhonatan Lopes)
• Add support for defining panels / edit_handler on ModelViewSet (Sage Abdullah)
• Use a single instance of PagePermissionPolicy in wagtail.permissions module (Sage Abdullah)
• Add max tag length validation for multiple uploads (documents/images) (Temidayo Azeez)
• Ensure expanded side panel does not overlap form content for most viewports (Chiemezuo Akujobi)
• Add ability to modify the default ordering for the page explorer view (Shlomo Markowitz)
• Remove overly verbose image captions in image listings for screen readers (Sage Abdullah)
• Ensure screen readers and dictation tools can more easily navigate bulk actions in images, documents and page listings by streamlining labels and descriptions (Sage Abdullah)
• Remove support for Safari 14 (Thibaud Colas)
• Add ability to click to copy the URL in the image URL generator page (Sai Srikar Dumpeti)
• Add ability to filter by page type and date updated in the page listing view (Matt Westcott)
• Add ability to filter by owner and site in the page listing view (Matt Westcott)
• Improve right-to-left support by using flow-relative float styles (Thibaud Colas)
• Improve right-to-left support by mirroring Wagtail icons as needed (Sage Abdullah)
• Add support for mirroring third-party icons added in Wagtail (Sage Abdullah)
• Show edit as a main action in generic history and usage views (Sage Abdullah)
• Make styles for header buttons consistent (Sage Abdullah)
• Improve styles of slim header's search and filters (Sage Abdullah)
• Change page listing's add button to icon-only (Sage Abdullah)
• Add sublabel to breadcrumbs, including history, usage, and inspect views (Sage Abdullah)
• Standardise search form placeholder to 'Search…' (Sage Abdullah)
• Use SlugInput on all SlugFields by default (LB (Ben) Johnston)
• Show character counts on RichTextBlock with max_length (Elhussein Almasri)
• Move locale selector in generic IndexView to a filter (Sage Abdullah)
• Add ability to customise a page's copy form (Neeraj Yetheendran)
• Add optional caption field to TypedTableBlock (Tommaso Amici, Cynthia Kiser)
• Switch the TableBlock header controls to a field that requires user input (Bhuvnesh Sharma, Aman Pandey, Cynthia Kiser)
• Add WAGTAILADMIN_LOGIN_URL setting to allow customising the login URL (Neeraj Yetheendran)
• Replace legacy dropdown component with new Tippy dropdown-button (Thibaud Colas)
• Add ability to filter by existence of child pages in the page listing view (Matt Westcott)
• Polish dark theme styles and update color tokens (Thibaud Colas, Rohit Sharma)
• Keep database state of pages and snippets updated while in draft state (Stefan Hammer)
• Add DrilldownController and w-drilldown component to support drilldown menus (Thibaud Colas)
• Add support for caption on admin UI Table component (Aman Pandey)
• Add API support for a redirects (contrib) endpoint (Rohit Sharma, Jaap Roes, Andreas Donig)
• Add the default ability for all SnippetViewSet & ModelViewSet to support being copied (Shlomo Markowitz)
• Support dynamic Wagtail guide links in the admin that are based on the running version of Wagtail (Tidiane Dia)
• Fix: Update system check for overwriting storage backends to recognise the STORAGES setting introduced in Django 4.2 (phijma-leukeleu)
• Fix: Prevent password change form from raising a validation error when browser autocomplete fills in the "Old password" field (Chiemezuo Akujobi)
• Fix: Ensure that the legacy dropdown options, when closed, do not get accidentally clicked by other interactions on wide viewports (CheesyPhoenix, Christer Jensen)
• Fix: Add a fallback background for the editing preview iframe for sites without a background (Ian Price)
• Fix: Preserve whitespace in rendered comments (Elhussein Almasri)
• Fix: Remove search logging from project template so that new projects without the search promotions module will not error (Matt Westcott)
• Fix: Ensure text only email notifications for updated comments do not escape HTML characters (Rohit Sharma)
• Fix: Use the latest draft when copying an unpublished page for translation (Andrey Nehaychik)
• Fix: Make Workflow and Aging Pages reports only available to users with page-related permissions (Rohit Sharma)
• Fix: Make searching on specific fields work correctly on Elasticsearch when boost is in use (Matt Westcott)
• Fix: Use a visible border and background color to highlight active formatting in the rich text toolbar (Cassidy Pittman)
• Fix: Ensure image focal point box can be removed (Gunnar Scherf)
• Fix: Ensure that Snippets search results correctly use the index_results.html or index_results_template_name override on initial load (Stefan Hammer)
• Fix: Avoid error when attempting to moderate a page drafted by a now deleted user (Dan Braghis)
• Fix: Do not show multiple error messages when editing a Site to use existing hostname and port (Rohit Sharma)
• Fix: Avoid error when exporting Aging Pages report where a page has an empty last_published_by_user (Chiemezuo Akujobi)
• Fix: Ensure Page querysets support using alias and specific (Tomasz Knapik)
• Fix: Ensure workflow dashboard panels work when the page/snippet is missing (Sage Abdullah)
• Fix: Ensure ActionController explicitly checks for elements that allow select functionality (Nandini Arora)
• Fix: Prevent a ValueError with FormSubmissionsPanel on Django 5.0 when creating a new form page (Matt Westcott)
• Fix: Avoid duplicate entries in "Recent edits" panel when copying pages (Matt Westcott)
• Fix: Prevent TitleFieldPanel from raising an error when the slug field is missing or read-only (Rohit Sharma)
• Fix: Ensure that the close button on the new dialog designs is visible in the non-message variant (Nandini Arora)
• Fix: Ensure the sidebar account toggle has no duplicate accessible labels (Nandini Arora)
• Fix: Avoid text overflow issues in comment replies and scroll position issues for long comments (Rohit Sharma)
• Fix: Ensure that page listing re-ordering messages and accessible labels can be translated (Aman Pandey, LB (Ben) Johnston)
• Fix: Resolve multiple issues with page listing re-ordering using keyboard and screen readers (Aman Pandey)
• Fix: Remove 'Page' from page types filter on aging pages report (Matt Westcott)
• Fix: Prevent page types filter from showing other non-Page models that match by name (Matt Westcott)
• Fix: Ensure MultipleChooserPanel modal works correctly when USE_THOUSAND_SEPARATOR is True for pages with ids over 1,000 (Sankalp, Rohit Sharma)
• Fix: When using an empty table header (th) for visual spacing, ensure this is ignored by accessibility tooling (V Rohitansh)
• Fix: Ensure the panel anchor button sizes meet accessibility guidelines for minimum dimensions (Nandini Arora)
• Fix: Raise a 404 for bulk actions for models which don't exist instead of throwing a 500 error (Alex Tomkins)
• Fix: Raise a SiteSetting.DoesNotExist error when retrieving settings for an unrecognised site (Nick Smith)
• Fix: Ensure that defaulted or unique values declared in exclude_fields_in_copy are correctly excluded in new copies, resolving to the default value (Elhussein Almasri)
• Fix: Ensure that default_ordering set on IndexView is preserved if ModelViewSet does not specify an explicit ordering (Cynthia Kiser)
• Fix: Ensure that TableBlock cells are accessible when using keyboard control only (Elhussein Almasri)
• Fix: Resolve issue where clicking Publish for a Page that was in workflow in Safari would block publishing and not trigger the workflow confirmation modal (Alex Morega)
• Fix: Fix pagination links on model history and usage views (Matt Westcott)
• Fix: Fix crash when accessing workflow reports with a deleted snippet (Sage Abdullah)
• Docs: New developer tutorial (Damilola Oladele, Meagen Voss, Thibaud Colas)
• Docs: Document, for contributors, the use of translate string literals passed as arguments to tags and filters using _() within templates (Chiemezuo Akujobi)
• Docs: Document all features for the Documents app in one location (Neeraj Yetheendran)
• Docs: Add section to testing docs about creating pages and working with page content (Mariana Bedran Lesche)
• Docs: Add more nuance to the database recommendations in performance page (Jadesola Kareem)
• Docs: Add clarity that MultipleChooserPanel may require a chooser viewset and how the functionality is expected to work (Andy Chosak)
• Docs: Clarify where documentation build commands should be run (Nikhil S Kalburgi)
• Docs: Add missing import to tutorial BlogPage example (Salvo Polizzi)
• Docs: Update contributing guide documentation and GitHub templates to better support new contributors (Thibaud Colas)
• Docs: Add more CSS authoring guidelines (Thibaud Colas)
• Docs: Update MyST documentation parser library to 2.0.0 (Neeraj Yetheendran)
• Docs: Add documentation writing guidelines for intersphinx / external links (LB (Ben) Johnston)
• Docs: Add Page model reference get_children documentation (Salvo Polizzi)
• Docs: Enforce CI build checks for documentation so that malformed links or missing images will not be allowed (Neeraj Yetheendran)
• Docs: Update spelling on customizing admin template and page model section from British to American English (Victoria Poromon)
• Docs: Add documentation for how to override the file locations for custom image models via get_upload_to methods (Osaf AliSayed, Dharmik Gangani)
• Docs: Update documentation theme (Sphinx Wagtail Theme) to 6.2.0, fixing the incorrect favicon (LB (Ben) Johnston, Sahil Jangra)
• Docs: Refactor promotion banner without jQuery and use sameSite cookies when storing if cleared (LB (Ben) Johnston)
• Docs: Use cross-reference for compatible Python versions in tutorial instead of the out of date listing (mirusu400)
• Maintenance: Update BeautifulSoup upper bound to 4.12.x (scott-8)
• Maintenance: Migrate initialization of classes (such as body.ready) from multiple JavaScript implementations to one Stimulus controller w-init (Chiemezuo Akujobi)
• Maintenance: Adopt the usage of translate string literals using arg=_('...') in all wagtailadmin module templates (Chiemezuo Akujobi)
• Maintenance: Migrate the contrib styleguide index view to a class-based view (Chiemezuo Akujobi)
• Maintenance: Update djhtml to 3.0.6 (Matt Westcott)
• Maintenance: Migrate the contrib settings edit view to a class-based view (Chiemezuo Akujobi, Sage Abdullah)
• Maintenance: Remove django-pattern-library upper bound in testing dependencies (Sage Abdullah)
• Maintenance: Split up functions in Elasticsearch backend for easier extensibility (Marcel Kornblum, Cameron Lamb, Sam Dudley)
• Maintenance: Relax draftjs_exporter dependency to allow using version 5.x (Sylvain Fankhauser)
• Maintenance: Refine styling of listings, account settings panels and the block chooser (Meli Imelda)
• Maintenance: Remove icon font support (Matt Westcott)
• Maintenance: Remove deprecated SVG icons (Matt Westcott)
• Maintenance: Remove icon font styles (Thibaud Colas)
• Maintenance: Migrate account editing view to a class-based view (Kehinde Bobade)
• Maintenance: Upgrade frontend tooling to use Node 20 (LB (Ben) Johnston)
• Maintenance: Upgrade ruff and replace black with ruff format (John-Scott Atlakson)
• Maintenance: Update Willow upper bound to 2.x (Dan Braghis)
• Maintenance: Removed support for Django < 4.2 (Dan Braghis)
• Maintenance: Refactor page explorer in

---

Configuration

📅 Schedule: Branch creation - "" in timezone US/Eastern, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sentry]

Bug: The wagtail upgrade removes the transitive dependency on html5lib, but the code still explicitly uses the "html5lib" parser, which will cause a runtime error.
_{Severity: HIGH}

Suggested Fix

Explicitly add html5lib as a direct dependency to the pyproject.toml file to ensure it is installed, as it is no longer included transitively by wagtail version 6.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: poetry.lock#L1851

Potential issue: The upgrade of `wagtail` from version 5.2.8 to 6.3.6 removes the
transitive dependency on `html5lib`. The code in `mail/api.py` explicitly uses the
`"html5lib"` parser when calling `BeautifulSoup`. Since `html5lib` is not listed as a
direct dependency in `pyproject.toml`, it will no longer be installed after the upgrade.
This will result in a `bs4.FeatureNotFound` runtime error whenever email-related
functionality, specifically the `render_email_templates` function, is executed.

_{Did we get this right? 👍 / 👎 to inform future reviews.}

[sentry]

Bug: The after_publish_page hook uses get_edit_handler(), a method removed in Wagtail 6.0, which will cause an AttributeError when publishing pages.
_{Severity: CRITICAL}

Suggested Fix

Refactor the hook in cms/wagtail_hooks.py to stop using the deprecated get_edit_handler(). Instead, use the modern Wagtail API to get the form class. The relevant page models already define a base_form_class, which can likely be used directly, for example: form_class = page.specific_class.base_form_class.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: pyproject.toml#L57

Potential issue: The upgrade to Wagtail 6.3.6 likely removes the `get_edit_handler()`
method, which was deprecated and scheduled for removal. This method is still used in the
`create_product_and_versions_for_courseware_pages` hook, which runs after a course or
program page is published. When this hook is triggered, the call to
`page.specific_class.get_edit_handler()` will raise an `AttributeError`, causing the
page publishing process to fail. While tests exist for this functionality, they may not
be running or may be passing for other reasons, masking this critical runtime error.