chore(deps): update dependency marshmallow to v4.1.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
marshmallow (changelog)	==4.0.0 → ==4.1.2

---

Marshmallow has DoS in Schema.load(many)

CVE-2025-68480 / GHSA-428g-f7cq-pgp5

More information

Details

Impact

Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time.

Patches

4.1.2, 3.26.2

Workarounds

##### Fail fast
def load_many(schema, data, **kwargs):
    if not isinstance(data, list):
        raise ValidationError(['Invalid input type.'])
    return [schema.load(item, **kwargs) for item in data]

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/marshmallow-code/marshmallow/security/advisories/GHSA-428g-f7cq-pgp5
• https://github.com/marshmallow-code/marshmallow/commit/d24a0c9df061c4daa92f71cf85aca25b83eee508
• https://nvd.nist.gov/vuln/detail/CVE-2025-68480
• https://github.com/advisories/GHSA-428g-f7cq-pgp5

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

marshmallow-code/marshmallow (marshmallow)

v4.1.2

Compare Source

Bug fixes:

• :cve:2025-68480: Merge error store messages without rebuilding collections.
  Thanks 카푸치노 for reporting and :user:deckar01 for the fix.

v4.1.1

Compare Source

Bug fixes:

• Ensure URL validator is case-insensitive when using custom schemes (:pr:2874).
  Thanks :user:T90REAL for the PR.

v4.1.0

Compare Source

Other changes:

• Add __len__ implementation to missing so that it can be used with
  validate.Length <marshmallow.validate.Length> (:pr:2861).
  Thanks :user:agentgodzilla for the PR.
• Drop support for Python 3.9 (:pr:2363).
• Test against Python 3.14 (:pr:2864).

v4.0.1

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
heimdallr	Error		Apr 27, 2026 11:02pm

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud