From bc1bfe12b613334bd625aeb36fd44af96d186c10 Mon Sep 17 00:00:00 2001
From: Jake Howard <6527489+RealOrangeOne@users.noreply.github.com>
Date: Wed, 18 Jun 2025 15:04:34 +0100
Subject: [PATCH] Clarified that only latest dependency versions are valid for
security reports.
---
docs/faq/install.txt | 5 ++++-
docs/internals/security.txt | 11 +++++++++++
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/docs/faq/install.txt b/docs/faq/install.txt
index b483d30f5e..8b2aceab74 100644
--- a/docs/faq/install.txt
+++ b/docs/faq/install.txt
@@ -58,7 +58,10 @@ Django version Python versions
============== ===============
For each version of Python, only the latest micro release (A.B.C) is officially
-supported. You can find the latest micro version for each series on the `Python
+supported. Python versions that have reached end-of-life are no longer
+maintained by the Python project and therefore should not be used with Django.
+
+You can find the latest supported micro version for each series on the `Python
download page `_.
We will support a Python version up to and including the first Django LTS
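Review bot: the added FAQ paragraph says end-of-life Python "should not be used with Django" but never states the consequence this patch is actually introducing, namely that a security report which only reproduces on such a version will not be accepted; a short cross-reference to the new "Use supported versions of dependencies" section in docs/internals/security.txt would let FAQ readers find that policy. The unchanged context line `download page `_.` also shows an empty link target between the backticks as rendered here; worth confirming the URL is intact in the file so the reST link still resolves.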
diff --git a/docs/internals/security.txt b/docs/internals/security.txt
index b0798d052e..567446c30e 100644
--- a/docs/internals/security.txt
+++ b/docs/internals/security.txt
@@ -55,6 +55,17 @@ set up, run, and reproduce the issue.
Please do not attach screenshots of code.
+Use supported versions of dependencies
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Django only :ref:`officially supports ` the latest
+micro release (A.B.C) of Python. Vulnerabilities must be reproducible when all
+relevant dependencies (not limited to Python) are at supported versions.
+
+For example, vulnerabilities that only occur when Django is run on a version of
+Python that is no longer receiving security updates ("end-of-life") are **not
+considered valid**, even if that version is listed as supported by Django.
+
User input must be sanitized
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
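Review bot: "are at supported versions" in "Vulnerabilities must be reproducible when all relevant dependencies (not limited to Python) are at supported versions" is ambiguous about who does the supporting, and the example paragraph that follows shows the intended meaning is upstream support (still receiving security updates) rather than "listed as supported by Django"; suggest stating that directly, e.g. "are at versions that are still receiving security updates from their respective projects", so the rule and the example agree without the reader having to infer it. Also, `:ref:`officially supports `` on the "Django only" line shows no target label after the link text as rendered here; confirm the label is present, otherwise Sphinx will report an unresolved reference.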