fix: apply upstream security patch to remove activation_key exposure from account API

CHANGELOG.md

@@ -20,6 +20,11 @@ instructions, because git commits are used to generate release notes:
 
 <!-- scriv-insert-here -->
 
+<a id='changelog-21.0.3'></a>
+## v21.0.3 (2026-04-09)
+
+- [Security] Backport fix to remove `activation_key` exposure from `/api/user/v1/accounts/{username}`, preventing email verification bypass via OAuth2 password grant flow (source: upstream edx-platform commit 21cead238466ca398ba368518f1d3288431d68f4).
+
 <a id='changelog-21.0.2'></a>
 ## v21.0.2 (2026-03-13)
 

changelog.d/20251111_011520_kshitij_env_saved_action.md

@@ -0,0 +1,2 @@
+- [Feature] Add ENV_SAVED Action that allows hooks to run after a save
+  operation. (by @xitij2000)

changelog.d/20260121_123520_feanil_patch_2.md

@@ -0,0 +1,13 @@
+<!--
+Create a changelog entry for every new user-facing change. Please respect the following instructions:
+- Indicate breaking changes by prepending an explosion 💥 character.
+- Prefix your changes with either [Bugfix], [Improvement], [Feature], [Security], [Deprecation].
+- You may optionally append "(by @<author>)" at the end of the line, where "<author>" is either one (just one)
+  of your GitHub username, real name or affiliated organization. These affiliations will be displayed in
+  the release notes for every release.
+-->
+
+<!-- - 💥[Feature] Foobarize the blorginator. This breaks plugins by renaming the `FOO_DO` filter to `BAR_DO`. (by @regisb) -->
+<!-- - [Improvement] This is a non-breaking change. Life is good. (by @billgates) -->
+
+[Improvement] Update to use Python 3.12 for edx-platform

requirements/plugins.txt

@@ -1,14 +1,14 @@
-# change version ranges when upgrading from ulmo
-tutor-android>=21.0.0,<22.0.0
-tutor-cairn>=21.0.0,<22.0.0
-tutor-credentials>=21.0.0,<22.0.0
-tutor-discovery>=21.0.0,<22.0.0
-tutor-deck>=21.0.0,<22.0.0
-tutor-forum>=21.0.0,<22.0.0
-tutor-indigo>=21.0.0,<22.0.0
-tutor-jupyter>=21.0.0,<22.0.0
-tutor-livedeps>=21.0.0,<22.0.0
-tutor-mfe>=21.0.0,<22.0.0
-tutor-minio>=21.0.0,<22.0.0
-tutor-notes>=21.0.0,<22.0.0
-tutor-xqueue>=21.0.0,<22.0.0
+# For Tutor Main, we install plugins from their main branches instead of from PyPI
+tutor-android@git+https://github.com/overhangio/tutor-android@main
+tutor-cairn@git+https://github.com/overhangio/tutor-cairn@main
+tutor-credentials@git+https://github.com/overhangio/tutor-credentials@main
+tutor-deck@git+https://github.com/overhangio/tutor-deck@main
+tutor-discovery@git+https://github.com/overhangio/tutor-discovery@main
+tutor-forum@git+https://github.com/overhangio/tutor-forum@main
+tutor-indigo@git+https://github.com/overhangio/tutor-indigo@main
+tutor-jupyter@git+https://github.com/overhangio/tutor-jupyter@main
+tutor-livedeps@git+https://github.com/overhangio/tutor-livedeps@main
+tutor-mfe@git+https://github.com/overhangio/tutor-mfe@main
+tutor-minio@git+https://github.com/overhangio/tutor-minio@main
+tutor-notes@git+https://github.com/overhangio/tutor-notes@main
+tutor-xqueue@git+https://github.com/overhangio/tutor-xqueue@main

tutor/__about__.py

@@ -2,15 +2,15 @@
 
 # Increment this version number to trigger a new release. See
 # docs/tutor.html#versioning for information on the versioning scheme.
-__version__ = "21.0.2"
+__version__ = "21.0.3"
 
 # The version suffix will be appended to the actual version, separated by a
 # dash. Use this suffix to differentiate between the actual released version and
 # the versions from other branches. For instance: set the suffix to "main" in
 # the main branch.
 # The suffix is cleanly separated from the __version__ in this module to avoid
 # conflicts when merging branches.
-__version_suffix__ = ""
+__version_suffix__ = "main"
 
 # The app name will be used to define the name of the default tutor root and
 # plugin directory. To avoid conflicts between multiple locally-installed

tutor/env.py

@@ -342,6 +342,15 @@ def save(root: str, config: Config) -> None:
         save_all_from(src, os.path.join(root_env, dst), config)
 
     upgrade_obsolete(root)
+
+    config_copy = deepcopy(config)
+    hooks.Actions.ENV_SAVED.do(root_env, config_copy)
+    if config_copy != config:
+        fmt.echo_alert(
+            "A plugin just modified the config during the ENV_SAVED hook. "
+            "This could have unintended consequences."
+        )
+
     fmt.echo_info(f"Environment generated in {base_dir(root)}")
 
 

tutor/hooks/catalog.py

@@ -94,6 +94,16 @@ def run_this_on_start(root, config, name):
     #: :parameter kwargs: job named arguments.
     DO_JOB: Action[[str, Any]] = Action()
 
+    #: This action is called at the end of the tutor.env.save function after all
+    #: the changes to the environment have been applied, all obsolete config has
+    #: been upgraded.
+    #: Modifying the config object will not trigger changes in the configuration.
+    #: For all purposes, it should be considered read-only.
+    #:
+    #: :parameter str root: project root.
+    #: :parameter dict config: project configuration.
+    ENV_SAVED: Action[[str, Config]] = Action()
+
     #: Triggered when a single plugin needs to be loaded. Only plugins that have previously been
     #: discovered can be loaded (see :py:data:`CORE_READY`).
     #:

tutor/templates/build/openedx/Dockerfile

@@ -29,9 +29,9 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 # Install pyenv
 # https://www.python.org/downloads/
 # https://github.com/pyenv/pyenv/releases
-ARG PYTHON_VERSION=3.11.8
+ARG PYTHON_VERSION=3.12.12
 ENV PYENV_ROOT=/opt/pyenv
-RUN git clone https://github.com/pyenv/pyenv $PYENV_ROOT --branch v2.3.36 --depth 1
+RUN git clone https://github.com/pyenv/pyenv $PYENV_ROOT --branch v2.6.18 --depth 1
 
 # Install Python
 RUN $PYENV_ROOT/bin/pyenv install $PYTHON_VERSION
@@ -64,6 +64,9 @@ RUN git config --global user.email "tutor@overhang.io" \
 {# RUN curl -fsSL https://github.com/openedx/edx-platform/commit/<GITSHA1>.patch | git am #}
 {# Include a comment on why the patch is neccessary. #}
 
+# SECURITY FIX: remove activation_key exposure from account API
+RUN curl -fsSL https://github.com/openedx/openedx-platform/commit/21cead238466ca398ba368518f1d3288431d68f4.patch | git am
+
 {{ patch("openedx-dockerfile-post-git-checkout") }}
 
 ##### Empty layer with just the repo at the root.