
Commit 8659b13

fix: bump vulnerable transitive dependencies to patched versions
Address open Dependabot alerts by pinning minimum safe versions:

- gitpython 3.1.47 → 3.1.50 (high: RCE via newline injection in config_writer())
- idna 3.10 → 3.18 (medium: bypass of CVE-2024-3651 fix in idna.encode())
- pymdown-extensions 10.21.2 → 10.21.3 (medium: path traversal in snippets)

Floor constraints added to pyproject.toml to prevent regression on lock regeneration.
1 parent d53117a commit 8659b13

2 files changed

Lines changed: 23 additions & 9 deletions


pyproject.toml

Lines changed: 7 additions & 0 deletions
@@ -50,6 +50,13 @@ mkdocs = [
5050
"mkdocs-material>=9.6.3",
5151
"mike>=2.1.3",
5252
"mkdocs-git-revision-date-localized-plugin>=1.3.0",
53+
"gitpython>=3.1.50", # CVE: RCE via newline injection in config_writer()
54+
"pymdown-extensions>=10.21.3", # CVE: path traversal bypass in snippets
55+
]
56+
57+
[tool.uv]
58+
constraint-dependencies = [
59+
"idna>=3.15", # CVE: bypass of CVE-2024-3651 fix in idna.encode()
5360
]
5461

5562
[tool.pdm.build]
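Review bot: the idna floor in this hunk is `"idna>=3.15"`, but the commit message says idna was bumped 3.10 → 3.18; the floor therefore allows a regenerated lock to resolve to 3.15, 3.16 or 3.17, which the message implies are still affected. Either raise the constraint to `"idna>=3.18"` or correct the message so the two agree. Two smaller points: `[tool.uv] constraint-dependencies` is only honoured when uv performs the resolution, and the `[tool.pdm.build]` table just below suggests other tooling touches this project, so the idna floor should also be expressed in a form that resolver sees, or the reliance on uv noted in the comment; and each `# CVE:` comment names the class of bug but not the advisory, so the CVE or GHSA identifier should be added so the floor can be traced back to the alert it closes.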

uv.lock

Lines changed: 16 additions & 9 deletions
