Bump whitenoise from 6.11.0 to 6.12.0

[dependabot]

Bumps whitenoise from 6.11.0 to 6.12.0.

Changelog

Sourced from whitenoise's changelog.

6.12.0 (2026-02-27)

• Drop Python 3.9 support.
• Fix potential unauthorised file access vulnerability in "autorefesh" mode. See PR [#684](https://github.com/evansd/whitenoise/issues/684) <https://github.com/evansd/whitenoise/pull/684>__ for details, and a reminder that autorefresh mode has always been documented as unsuitable for production use. Thanks Seth Larson for reporting.

Commits

• 1e3a30b Version 6.12.0
• bc4c738 Merge pull request #684 from evansd/use-commonpath
• 505ed8d Use os.path.commonpath() to identify child paths
• b6d8ed4 Upgrade dependencies (#683)
• edc79de [pre-commit.ci] pre-commit autoupdate (#682)
• 79fb2f1 Bump the github-actions group with 2 updates (#680)
• 2b245df [pre-commit.ci] pre-commit autoupdate (#681)
• dcb50f3 Upgrade dependencies (#678)
• 1c4a746 [pre-commit.ci] pre-commit autoupdate (#677)
• e7f970a Bump actions/checkout from 5 to 6 in the github-actions group (#676)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[claude]

Dependency Update Review: whitenoise 6.11.0 → 6.12.0

Summary: This is a routine Dependabot dependency bump. The change is minimal (one line in requirements/base.txt) and low risk.

What changed in whitenoise 6.12.0

1. Security fix: Patched a potential unauthorised file access vulnerability in "autorefresh" mode (via os.path.commonpath() instead of string prefix checking). See whitenoise PR #684.
2. Dropped Python 3.9 support: No longer tested/supported on Python 3.9.

Assessment

Security fix: The autorefresh vulnerability does not affect this project in production. Inspecting config/settings/base.py, the project uses:

• whitenoise.middleware.WhiteNoiseMiddleware (standard middleware)
• whitenoise.storage.CompressedManifestStaticFilesStorage (production storage backend)

Neither WHITENOISE_AUTOREFRESH nor any autorefresh configuration is present in the codebase, and the whitenoise docs have always documented autorefresh as unsuitable for production use. That said, patching is still the right call.

Python 3.9 drop: Not a concern — the project's base Docker image is pytorch/pytorch:2.7.1-cuda12.6-cudnn9-runtime, which ships Python 3.11+. The project is well above the dropped floor.

Verdict

Approve and merge. This is a clean patch-level security fix with no functional changes to the APIs used by this project. No test changes needed.