deps(py-dev): bump the uv-dev-minor-patch group across 1 directory with 2 updates #88
dependabot[bot] wants to merge 1 commit into
…th 2 updates

Bumps the uv-dev-minor-patch group with 2 updates in the / directory: [pre-commit](https://github.com/pre-commit/pre-commit) and [selenium](https://github.com/SeleniumHQ/Selenium).

Updates `pre-commit` from 4.5.1 to 4.6.0
- [Release notes](https://github.com/pre-commit/pre-commit/releases)
- [Changelog](https://github.com/pre-commit/pre-commit/blob/main/CHANGELOG.md)
- [Commits](pre-commit/pre-commit@v4.5.1...v4.6.0)

Updates `selenium` from 4.41.0 to 4.43.0
- [Release notes](https://github.com/SeleniumHQ/Selenium/releases)
- [Commits](SeleniumHQ/selenium@selenium-4.41.0...selenium-4.43.0)

---
updated-dependencies:
- dependency-name: pre-commit
  dependency-version: 4.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: uv-dev-minor-patch
- dependency-name: selenium
  dependency-version: 4.43.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: uv-dev-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
PR author is in the excluded authors list. |
Codacy's Analysis Summary: 0 new issues (≤ 0 issue)
Pull Request Overview
This PR successfully updates the development dependencies pre-commit to version 4.6.0 and selenium to 4.43.0. Codacy analysis reports that the changes are up to standards. However, a security vulnerability (CVE-2026-28684) was detected in the python-dotenv package (v1.2.1) within the uv.lock file. This vulnerability permits arbitrary file overwrites via symbolic link following. While not introduced by the specific bumps requested, it is present in the modified file and should be resolved by upgrading python-dotenv to version 1.2.2 or higher.
About this PR
- The uv.lock file specifies python-dotenv version 1.2.1, which is associated with CVE-2026-28684. This is a medium-severity vulnerability allowing arbitrary file overwrites. It is recommended to update this dependency to version 1.2.2 as part of this or a subsequent PR.
1 comment outside of the diff
uv.lock, line 417: 🟡 MEDIUM RISK
Dependency 'python-dotenv@1.2.1' is vulnerable to CVE-2026-28684, which permits arbitrary file overwrite via symbolic link following. You should upgrade to version 1.2.2 or higher.
Try running the following prompt in your IDE agent:
Update the python-dotenv dependency in this project to version 1.2.2 to address CVE-2026-28684 and regenerate the uv.lock file.
Test suggestions
- Verify pre-commit package version and specifier are bumped to 4.6.0 in uv.lock
- Verify selenium package version and specifier are bumped to 4.43.0 in uv.lock
Bumps the uv-dev-minor-patch group with 2 updates in the / directory: pre-commit and selenium.
Updates pre-commit from 4.5.1 to 4.6.0
Release notes
Sourced from pre-commit's releases.
Changelog
Sourced from pre-commit's changelog.
Commits
- f35134b v4.6.0
- 2a51ffc Merge pull request #3662 from pre-commit/hook-impl-optional-hook-dir
- d7dee32 make --hook-dir optional for hook-impl
- 965aeb1 Merge pull request #3661 from pre-commit/hook-impl-required
- 2eacc06 --hook-type is required for hook-impl
- f5678bf Merge pull request #3657 from pre-commit/pre-commit-ci-update-config
- 054cc5b [pre-commit.ci] pre-commit autoupdate
- 5c0f302 Merge pull request #3652 from pre-commit/pre-commit-ci-update-config
- a5d9114 [pre-commit.ci] pre-commit autoupdate
- 129a1f5 Merge pull request #3641 from pre-commit/mxr-patch-1

Updates selenium from 4.41.0 to 4.43.0
Release notes
Sourced from selenium's releases.
... (truncated)
Commits
- dd0f534 [build] Prepare for release of selenium-4.43.0 (#17329)
- 52a38c6 fix(release): add rust:update command to version reset workflow
- 7cee048 fix(pypirc): remove setup_pypirc method and update nightly credentials handling
- 8382015 fix(credentials): add support for nightly PyPI credentials
- 63e8662 Update mirror info (Thu Apr 9 18:16:15 UTC 2026)
- 5615f64 fix(version): update selenium-manager to 0.4.43-nightly
- 9887116 fix(release): specify path for downloading release packages
- e2d089c fix(dependencies): update selenium-webdriver to 4.43.0.nightly
- c68d3de Reverting changes done for 4.42.0 release
- cb536ad Bumping versions to nightly

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions