All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- `CLAUDE.md` documenting project overview, software stack, security practices, publishing workflow, and mandatory commit rules including changelog updates
- Automate GitHub Release creation as a third workflow job (`release`) that runs after a successful PyPI publish; release notes are extracted from the matching `CHANGELOG.md` section
- Update DEVNOTES to document the full three-job release sequence
0.9.0 - 2026-04-29
- Harden PNG data URL validation: enforce strict base64 decoding, anchor the format regex with `\Z` to reject trailing newlines, and limit padding to at most two `=` characters
- Expose `validate_png_data_url` as a standalone Django validator that can be imported directly from `signature_pad`
- Run PNG validation at the form level (not only at the model level) by attaching validators in `formfield()`, so plain `forms.Form` usage is now protected as well
- Add Subresource Integrity (SRI) hashes to the CDN-hosted JS and CSS in the example project
- Add `SECURITY.md` describing the private vulnerability reporting process
- Switch dependency and environment management to uv; remove `requirements.txt` in favour of `[dependency-groups]` in `pyproject.toml` and a committed `uv.lock`
- Replace manual `hatch publish` workflow with a tag-triggered GitHub Actions release pipeline using PyPI Trusted Publishers (OIDC), a manual-approval `release` environment, and SHA-pinned third-party actions
- Pin the `hatchling` build backend to `>=1.29.0,<2`
- Update DEVNOTES and README to reflect the uv-based workflow
- Reduce pre-commit autoupdate cadence from weekly to quarterly
- GitHub Actions CI workflow running the test matrix (Python 3.10–3.13 × Django 5.0–6.0) on push and pull request
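
The three measures named in the 0.9.0 PNG data URL entry, shown side by side with a looser check. This is an added example, not the project's `validate_png_data_url` code; the regexes, the function names `weak_check` and `strict_check`, and the sample value `GOOD` are assumptions constructed for illustration.

```python
import base64
import binascii
import re

PREFIX = "data:image/png;base64,"

# Weak: "$" also matches just before a trailing "\n", and "=*" allows any padding.
WEAK_RE = re.compile(r"^data:image/png;base64,[A-Za-z0-9+/]+=*$")
# Strict: "\Z" matches only at the true end of the string; at most two "=".
STRICT_RE = re.compile(r"^data:image/png;base64,([A-Za-z0-9+/]+={0,2})\Z")

# Constructed sample: PNG signature plus filler bytes, not a real image.
GOOD = PREFIX + base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8).decode("ascii")


def weak_check(value: str) -> bool:
    """Loose validation: '$' anchor and lenient base64 decoding."""
    if not WEAK_RE.match(value):
        return False
    try:
        # Default b64decode silently discards characters outside the alphabet,
        # so the trailing newline that slipped past "$" is dropped here.
        base64.b64decode(value[len(PREFIX):])
    except binascii.Error:
        return False
    return True


def strict_check(value: str) -> bool:
    """Hardened validation: '\\Z' anchor, bounded padding, strict decoding."""
    match = STRICT_RE.match(value)
    if match is None:
        return False
    try:
        # validate=True raises on any non-alphabet character or bad padding.
        base64.b64decode(match.group(1), validate=True)
    except binascii.Error:
        return False
    return True


if __name__ == "__main__":
    for label, value in [("clean", GOOD), ("trailing newline", GOOD + "\n"),
                         ("three '='", GOOD + "="), ("bad length", PREFIX + "AAAAA")]:
        print(f"{label:17} weak={weak_check(value)} strict={strict_check(value)}")
```
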
0.8.0 - 2026-02-21
- Django 6.0 support
0.7.0 - 2025-07-20
Initial tracked release.