Hi, a number of security issues have been fixed for django 1.11.x which is still used by horizon for python 2.x and also optionally for python 3.x. The horizon gate jobs are already using that version: http://logs.openstack.org/46/651546/1/check/horizon-openstack-tox-python3-django111/7f0a6e0/job-output.txt.gz#_2019-04-10_14_22_10_604693 as they install django without using constraints.txt . Any objections to updating the global requirements constraints to match that? Reviewing the django fixes on the 1.11.x closely only shows security and data corruption bugfixes, so it should be pretty good on the risk/benefit trade-off. Thanks, Dirk