fix(security): update dependencies [SECURITY]#578
Open
renovate[bot] wants to merge 1 commit intomainfrom
Open
Conversation
|
Label error. Requires at least 1 of: breaking, chore, feat, fix. Found: . Follow https://www.conventionalcommits.org to get auto-labeling to work correctly. |
renovate
Bot
force-pushed
the
renovate/security
branch
from
63b1370 to
83df386
Compare
renovate
Bot
force-pushed
the
renovate/security
branch
from
83df386 to
fb5a795
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
26.0.1→26.19.0.2→9.0.30.11.3→0.11.6pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files
CVE-2026-3219 / GHSA-58qw-9mgm-455v
More information
Details
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
pytest has vulnerable tmpdir handling
CVE-2025-71176 / GHSA-6w46-j5rx-g56g
More information
Details
pytest through 9.0.2 on UNIX relies on directories with the
/tmp/pytest-of-{user}name pattern, which allows local users to cause a denial of service or possibly gain privileges.Severity
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
pytest has vulnerable tmpdir handling
CVE-2025-71176 / GHSA-6w46-j5rx-g56g
More information
Details
pytest through 9.0.2 on UNIX relies on directories with the
/tmp/pytest-of-{user}name pattern, which allows local users to cause a denial of service or possibly gain privileges.Severity
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
uv vulnerable to arbitrary file deletion through RECORD entries
GHSA-pjjw-68hj-v9mw
More information
Details
Impact
Wheel RECORD entries can contain relative paths that traverse outside of the wheel’s installation prefix. In versions 0.11.5 and earlier of uv, these wheels were not rejected on installation and the RECORD was respected without validation on uninstall.
uv uses the RECORD to determine files to remove on uninstall. Consequently, a malicious or malformed wheel could induce deletion of arbitrary files outside of the wheel’s installation prefix on uninstall.
uv does not use the RECORD file to determine wheel file paths. Invalid RECORD entries cannot be used to create or modify files in arbitrary locations.
Standards-compliant Python packaging tooling does not produce RECORD files that exhibit this behavior; an attacker must manually manipulate the RECORD. A user must install and uninstall the malformed wheel to be affected. An attack must guess the depth of the installation prefix path in order to target system files.
Absolute paths in RECORD files are not allowed by the specification and, when present, uv always treats them as rooted in the wheel’s installation prefix. Absolute paths cannot be used to delete arbitrary files.
Only files can be deleted, attempts to delete a directory via an invalid RECORD entry will fail.
Patches
Versions 0.11.6 and newer of uv address the validation gap above, by removing invalid entries from RECORD files on wheel installation and ignoring RECORD paths that would escape the installation prefix on uninstall.
Workarounds
Users are advised to upgrade to 0.11.6 or newer to address this advisory.
Users should experience no breaking changes as a result of the patch above.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
uv vulnerable to arbitrary file deletion through RECORD entries
GHSA-pjjw-68hj-v9mw
More information
Details
Impact
Wheel RECORD entries can contain relative paths that traverse outside of the wheel’s installation prefix. In versions 0.11.5 and earlier of uv, these wheels were not rejected on installation and the RECORD was respected without validation on uninstall.
uv uses the RECORD to determine files to remove on uninstall. Consequently, a malicious or malformed wheel could induce deletion of arbitrary files outside of the wheel’s installation prefix on uninstall.
uv does not use the RECORD file to determine wheel file paths. Invalid RECORD entries cannot be used to create or modify files in arbitrary locations.
Standards-compliant Python packaging tooling does not produce RECORD files that exhibit this behavior; an attacker must manually manipulate the RECORD. A user must install and uninstall the malformed wheel to be affected. An attack must guess the depth of the installation prefix path in order to target system files.
Absolute paths in RECORD files are not allowed by the specification and, when present, uv always treats them as rooted in the wheel’s installation prefix. Absolute paths cannot be used to delete arbitrary files.
Only files can be deleted, attempts to delete a directory via an invalid RECORD entry will fail.
Patches
Versions 0.11.6 and newer of uv address the validation gap above, by removing invalid entries from RECORD files on wheel installation and ignoring RECORD paths that would escape the installation prefix on uninstall.
Workarounds
Users are advised to upgrade to 0.11.6 or newer to address this advisory.
Users should experience no breaking changes as a result of the patch above.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
pypa/pip (pip)
v26.1Compare Source
pytest-dev/pytest (pytest)
v9.0.3Compare Source
pytest 9.0.3 (2026-04-07)
Bug fixes
#12444: Fixed
pytest.approxwhich now correctly takes into account~collections.abc.Mappingkeys order to compare them.#13634: Blocking a
conftest.pyfile using the-p no:option is now explicitly disallowed.Previously this resulted in an internal assertion failure during plugin loading.
Pytest now raises a clear
UsageErrorexplaining that conftest files are not plugins and cannot be disabled via-p.#13734: Fixed crash when a test raises an exceptiongroup with
__tracebackhide__ = True.#14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.
#14343: Fixed use of insecure temporary directory (CVE-2025-71176).
Improved documentation
-pvsPYTEST_PLUGINSplugin loading and fixed an incorrect-pexample.capsysandcapfd) take precedence over the-s/--capture=nocommand-line options inAccessing captured output from a test function <accessing-captured-output>.pytest_collectionhook setssession.itemsbefore it callspytest_collection_finish, not after.Contributor-facing changes
#12689: The test reports are now published to Codecov from GitHub Actions.
The test statistics is visible on the web interface.
-- by
aleguy02astral-sh/uv (uv)
v0.11.6Compare Source
Released on 2026-04-09.
Bug fixes
RECORDduring installation (#18943)uv cache cleanerrors due to Win32 path normalization (#18856)v0.11.5Compare Source
Released on 2026-04-08.
Python
Enhancements
build_system.requireserror message (#18911)Preview features
exclude-newerto[[tool.uv.index]](#18839)uv audit: add context/warnings for ignored vulnerabilities (#18905)Bug fixes
Documentation
PIP_COMPATIBILITY.mdredirect file (#18928)uv init example-bare --bareexamples (#18822, #18925)v0.11.4Compare Source
Released on 2026-04-07.
Python
Enhancements
--upgrade-group(#18266)Bug fixes
pyproject.tomldependencies (#18786)--lockedand--frozenwhen script lockfile is missing (#18832)uv exportextra resolution for workspace member and conflicting extras (#18888)exclude-newervalues duringuv tree --outdated(#18899)--exclude-newerinuv tool list --outdated(#18861)Cargo.lockinuv-buildsource distributions (#18831)Documentation
--exclude-newercompares artifact upload times (#18830)Configuration
📅 Schedule: (in timezone UTC)
* 0-3 * * 1)🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.