Skip to content

Bump idna and pymdown-extensions for advisories#124

Merged
chris-colinsky merged 1 commit into
mainfrom
chore/bump-vulnerable-deps
Jun 3, 2026
Merged

Bump idna and pymdown-extensions for advisories#124
chris-colinsky merged 1 commit into
mainfrom
chore/bump-vulnerable-deps

Conversation

@chris-colinsky

Copy link
Copy Markdown
Member

Summary

Closes the two Dependabot vulnerability alerts on main. Both transitive, both medium-severity, both fixable by a single uv lock --upgrade-package invocation that respects parent-package constraints.

Package Before After Advisory Used by Surface
idna 3.13 3.18 Specially-crafted inputs to idna.encode() can bypass the CVE-2024-3651 fix (first patched 3.15) httpx + anyio runtime (LLM provider HTTP path)
pymdown-extensions 10.21.2 10.21.3 Regression in pymdownx.snippets reintroduces sibling-prefix path traversal bypass despite restrict_base_path (first patched 10.21.3) mkdocs-material + mkdocstrings dev-only (docs build)

Lower risk on the pymdown-extensions one in practice since this project doesn't configure pymdownx.snippets, but taking it for hygiene.

No code changes needed — both are transitive, no direct pin gets added.

Test plan

  • uv sync resolves cleanly
  • uv run pytest tests/unit/ — 531 pass
  • uv run pytest tests/test_examples_smoke.py — 13 pass
  • uv run mkdocs build --strict — clean
  • uv run ruff check + pyright — clean

Both flagged by Dependabot on main, both transitive, both
medium-severity. Bumping via ``uv lock --upgrade-package`` so
parent-package constraints stay respected and no direct pin gets
added to pyproject.toml.

- ``idna`` 3.13 -> 3.18 (advisory: specially-crafted inputs to
  ``idna.encode()`` can bypass the CVE-2024-3651 fix; first
  patched in 3.15). Pulled in transitively via httpx + anyio —
  runtime path for LLM provider HTTP calls.

- ``pymdown-extensions`` 10.21.2 -> 10.21.3 (advisory: regression
  in ``pymdownx.snippets`` reintroduces sibling-prefix path
  traversal bypass despite ``restrict_base_path``; first patched
  in 10.21.3). Pulled in via mkdocs-material + mkdocstrings —
  dev-only (docs build). Lower risk in practice since we don't
  configure ``pymdownx.snippets``, but worth taking for hygiene.

Verified:
- ``uv sync`` resolves cleanly
- 531/531 unit tests pass
- 13/13 examples smoke tests pass
- ``mkdocs build --strict`` clean
- ruff + pyright clean
Copilot AI review requested due to automatic review settings June 3, 2026 05:36

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@chris-colinsky chris-colinsky merged commit f7aafbc into main Jun 3, 2026
5 checks passed
@chris-colinsky chris-colinsky deleted the chore/bump-vulnerable-deps branch June 3, 2026 05:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants