fix(dependencies): update django to 4.2.13

[kojiromike]

• CVE-2024-24680 (patched in 4.2.10)
• CVE-2024-27351 (patched in 4.2.11)

[kojiromike]

Might I suggest enabling dependabot or dependabot security updates, to make this process more automatic? (It isn't something I can simply PR because it isn't my repo.)

[rominf]

Having pinned versions of requirements prevents dependent packages from updating in case of vulnerabilities. So, now all packages that use Mercury have vulnerable Django installed along with other requirements, and it is not possible to fix this without breaking Mercury's requirements.

[kojiromike]

Django 4.2.14 is released with additional vulnerabilities that need to be fixed. https://www.djangoproject.com/weblog/2024/jul/09/security-releases/

[kojiromike]

Django 4.2.15 fixes three security issues with severity “moderate”, one security issue with severity “high”, and a regression in 4.2.14.

https://docs.djangoproject.com/en/5.0/releases/4.2.15/

[henry28zhang]

Go for it