
@renovate-bot
Contributor

This PR contains the following updates:

Package: orjson (changelog)
Change: 3.10.11 -> 3.11.5

orjson does not limit recursion for deeply nested JSON documents

CVE-2025-67221 / GHSA-hx9q-6w63-j58v

More information

Details

The orjson.dumps function in orjson through 3.11.4 does not limit recursion for deeply nested JSON documents.

Severity

  • CVSS Score: 5.5 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

ijl/orjson (orjson)

v3.11.5

Compare Source

Changed
  • Show simple error message instead of traceback when attempting to
    build on unsupported Python versions.

v3.11.4

Compare Source

Changed
  • ABI compatibility with CPython 3.15 alpha 1.
  • Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7,
    manylinux ppc64le, manylinux s390x.
  • Build now requires a C compiler.

v3.11.3

Compare Source

Fixed
  • Fix PyPI project metadata when using maturin 1.9.2 or later.

v3.11.2

Compare Source

Fixed
  • Fix build using Rust 1.89 on amd64.
Changed
  • Build now depends on Rust 1.85 or later instead of 1.82.

v3.11.1

Compare Source

Changed
  • Publish PyPI wheels for CPython 3.14.
Fixed
  • Fix str on big-endian architectures. This was introduced in 3.11.0.

v3.11.0

Compare Source

Changed
  • Use a deserialization buffer allocated per request instead of a shared
    buffer allocated on import.
  • ABI compatibility with CPython 3.14 beta 4.

v3.10.18

Compare Source

Fixed
  • Fix incorrect escaping of the vertical tabulation character. This was
    introduced in 3.10.17.

v3.10.17

Compare Source

Changed
  • Publish PyPI Windows aarch64/arm64 wheels.
  • ABI compatibility with CPython 3.14 alpha 7.
  • Fix incompatibility running on Python 3.13 using WASM.

v3.10.16

Compare Source

Changed
  • Improve performance of serialization on amd64 machines with AVX-512.
  • ABI compatibility with CPython 3.14 alpha 6.
  • Drop support for Python 3.8.
  • Publish additional PyPI wheels for macOS that target only aarch64, macOS 15,
    and recent Python.

v3.10.15

Compare Source

Changed
  • Publish PyPI manylinux aarch64 wheels built and tested on aarch64.
  • Publish PyPI musllinux aarch64 and arm7l wheels built and tested on aarch64.
  • Publish PyPI manylinux Python 3.13 wheels for i686, arm7l, ppc64le, and s390x.

v3.10.14

Compare Source

Changed
  • Specify build system dependency on maturin>=1,<2 again.
  • Allocate memory using PyMem_Malloc() and similar APIs for integration
    with pymalloc, mimalloc, and tracemalloc.
  • Source distribution does not ship compressed test documents and relevant
    tests skip if fixtures are not present.
  • Build now depends on Rust 1.82 or later instead of 1.72.

v3.10.13

Compare Source

Changed
  • Fix compatibility with maturin introducing a breaking change in 1.8.0 and
    specify a fixed version of maturin. Projects relying on any previous version
    being buildable from source by end users (via PEP 517) must upgrade to at
    least this version.

v3.10.12

Compare Source

Changed
  • Publish PyPI manylinux i686 wheels.
  • Publish PyPI musllinux i686 and arm7l wheels.
  • Publish PyPI macOS wheels for Python 3.10 or later built on macOS 15.
  • Publish PyPI Windows wheels using trusted publishing.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
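The advisory above describes orjson.dumps, through 3.11.4, placing no bound on recursion for deeply nested documents. The following is an added example (not orjson's code and not part of this PR) showing a caller-side guard that measures nesting depth iteratively and refuses to serialize anything beyond a limit, independent of which orjson version is installed. The names nesting_depth, safe_dumps, NestingTooDeep and the MAX_DEPTH value of 64 are choices made for this example; orjson is imported only if present and the standard library json module is used otherwise.

```python
"""Caller-side nesting-depth guard for JSON serialization (added example).

Assumptions: the limit MAX_DEPTH and all helper names below are constructed
for this illustration; they are not orjson APIs.
"""
import json
from typing import Any, Callable, Optional

try:
    import orjson  # optional; the example runs without it

    def _default_dumps(obj: Any) -> bytes:
        return orjson.dumps(obj)
except ImportError:

    def _default_dumps(obj: Any) -> bytes:
        # Compact separators so the output matches orjson's byte-for-byte
        # for simple documents.
        return json.dumps(obj, separators=(",", ":")).encode()

# Constructed limit; set it to the deepest document the application
# legitimately produces, not to the deepest one the parser would survive.
MAX_DEPTH = 64


class NestingTooDeep(ValueError):
    """Raised when a document exceeds the configured nesting limit."""


def nesting_depth(obj: Any, limit: Optional[int] = None) -> int:
    """Return the container nesting depth of obj (dict/list/tuple).

    Scalars have depth 0; an empty container has depth 1. The walk is
    iterative so that measuring a hostile input cannot itself trip Python's
    recursion limit. When `limit` is given, the walk stops as soon as the
    depth exceeds it, which also bounds the work done on huge inputs and
    guarantees termination on self-referential structures.
    """
    deepest = 0
    stack = [(obj, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            children = node.values()
        elif isinstance(node, (list, tuple)):
            children = node
        else:
            continue  # scalar: contributes no depth of its own
        if depth > deepest:
            deepest = depth
            if limit is not None and deepest > limit:
                return deepest  # early exit: already over the limit
        stack.extend((child, depth + 1) for child in children)
    return deepest


def safe_dumps(
    obj: Any,
    dumps: Callable[[Any], bytes] = _default_dumps,
    max_depth: int = MAX_DEPTH,
) -> bytes:
    """Serialize obj with `dumps` only if its nesting depth is within bounds."""
    depth = nesting_depth(obj, limit=max_depth)
    if depth > max_depth:
        raise NestingTooDeep(f"nesting depth exceeds limit of {max_depth}")
    return dumps(obj)


def build_nested(depth: int) -> list:
    """Construct a list nested `depth` levels deep (test input, constructed)."""
    obj: list = []
    for _ in range(depth - 1):
        obj = [obj]
    return obj


if __name__ == "__main__":
    print(safe_dumps({"a": [1, 2]}))            # b'{"a":[1,2]}'
    try:
        safe_dumps(build_nested(MAX_DEPTH + 1))
    except NestingTooDeep as exc:
        print("rejected:", exc)
```

The guard is deliberately placed on the caller's side of the boundary: it costs one linear walk over the object graph, stops early once the limit is crossed, and works the same whether the serializer underneath is orjson or the standard library, so an application keeps a defined limit even when the dependency's own behaviour changes between releases.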


2 participants