Pin djangorestframework to 3.15.1

[Odilhao]

Right now djangorestframework to 3.15.2 ships with one dir that was intent to be created only by the documentation example:

├── djangorestframework.egg-info
├── LICENSE.md
├── MANIFEST.in
├── PKG-INFO
├── README.md
├── rest_framework
├── setup.cfg
├── setup.py
├── tests
└── tutorial

 tree tutorial/
tutorial/
├── asgi.py
├── __init__.py
├── quickstart
│   ├── admin.py
│   ├── apps.py
│   ├── __init__.py
│   ├── migrations
│   │   └── __init__.py
│   ├── models.py
│   ├── serializers.py
│   ├── tests.py
│   └── views.py
├── settings.py
├── urls.py
└── wsgi.py

In the RPM side of packaging this is easy to solve, we can just add the macro %exclude , for users installing from pypi this might be a problem. We caught this here theforeman/pulpcore-packaging#1323

[ggainey]

Is there an upstream issue opened for this?

[Odilhao]

It's already reported here https://github.com/encode/django-rest-framework/discussions/9517 and here https://github.com/encode/django-rest-framework/issues/9600

[ggainey]

3.15.2 includes a fix for a XSS attack - see encode/django-rest-framework#9435 . I would hesitate to disallow installing it until there's a version with that fix available.