From a275957c7c5b42a71ce444f2cf16516b76c466e0 Mon Sep 17 00:00:00 2001
From: Christopher
Date: Wed, 29 Apr 2026 10:29:20 +0900
Subject: [PATCH 1/2] build(deps): bump gitpython to >=3.1.47 to fix GHSA-x2qx-6953-8485, GHSA-rpm5-65cw-6hj4
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two high-severity command-injection advisories in <3.1.47 where multi_options validation runs before shlex.split, allowing --config core.hooksPath=… to bypass the unsafe-options check in Repo.clone() and Submodule.update().
---
 pyproject.toml | 2 +-
 uv.lock        | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 50c4a41..aeb280c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -14,7 +14,7 @@ readme = "README.md"
 requires-python = ">=3.12"
 dependencies = [
     "django>=6.0.4",
-    "gitpython>=3.1.42",
+    "gitpython>=3.1.47",
     "psycopg[binary]>=3.0",
     "python-dotenv>=1.0.1",
 ]
diff --git a/uv.lock b/uv.lock
index a070d55..6cedcbf 100644
--- a/uv.lock
+++ b/uv.lock
@@ -312,7 +312,7 @@ test = [
 [package.metadata]
 requires-dist = [
     { name = "django", specifier = ">=6.0.4" },
-    { name = "gitpython", specifier = ">=3.1.42" },
+    { name = "gitpython", specifier = ">=3.1.47" },
     { name = "psycopg", extras = ["binary"], specifier = ">=3.0" },
     { name = "python-dotenv", specifier = ">=1.0.1" },
 ]
@@ -398,14 +398,14 @@ wheels = [

 [[package]]
 name = "gitpython"
-version = "3.1.46"
+version = "3.1.49"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "gitdb" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/df/b5/59d16470a1f0dfe8c793f9ef56fd3826093fc52b3bd96d6b9d6c26c7e27b/gitpython-3.1.46.tar.gz", hash = "sha256:400124c7d0ef4ea03f7310ac2fbf7151e09ff97f2a3288d64a440c584a29c37f", size = 215371, upload-time = "2026-01-01T15:37:32.073Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/e1/63/210aaa302d6a0a78daa67c5c15bbac2cad361722841278b0209b6da20855/gitpython-3.1.49.tar.gz", hash = "sha256:42f9399c9eb33fc581014bedd76049dfbaf6375aa2a5754575966387280315e1", size = 219367, upload-time = "2026-04-29T00:31:20.478Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/6a/09/e21df6aef1e1ffc0c816f0522ddc3f6dcded766c3261813131c78a704470/gitpython-3.1.46-py3-none-any.whl", hash = "sha256:79812ed143d9d25b6d176a10bb511de0f9c67b1fa641d82097b0ab90398a2058", size = 208620, upload-time = "2026-01-01T15:37:30.574Z" },
+    { url = "https://files.pythonhosted.org/packages/fd/6f/b842bfa6f21d6f87c57f9abf7194225e55279d96d869775e19e9f7236fc5/gitpython-3.1.49-py3-none-any.whl", hash = "sha256:024b0422d7f84d15cd794844e029ffebd4c5d42a7eb9b936b458697ef550a02c", size = 212190, upload-time = "2026-04-29T00:31:18.412Z" },
 ]

 [[package]]

From abf484e0b2e0daab6aff8307f4bc049f62c57f3a Mon Sep 17 00:00:00 2001
From: Christopher
Date: Wed, 29 Apr 2026 10:29:29 +0900
Subject: [PATCH 2/2] build(deps): bump python-dotenv to >=1.2.2 to fix GHSA-mf9w-mj56-hr94

Symlink-following in set_key allowed arbitrary file overwrite when the dotenv path was attacker-controlled; fixed in 1.2.2.
---
 pyproject.toml | 2 +-
 uv.lock        | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index aeb280c..6492ae9 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -16,7 +16,7 @@ dependencies = [
     "django>=6.0.4",
     "gitpython>=3.1.47",
     "psycopg[binary]>=3.0",
-    "python-dotenv>=1.0.1",
+    "python-dotenv>=1.2.2",
 ]

 [dependency-groups]
diff --git a/uv.lock b/uv.lock
index 6cedcbf..402606d 100644
--- a/uv.lock
+++ b/uv.lock
@@ -314,7 +314,7 @@ requires-dist = [
     { name = "django", specifier = ">=6.0.4" },
     { name = "gitpython", specifier = ">=3.1.47" },
     { name = "psycopg", extras = ["binary"], specifier = ">=3.0" },
-    { name = "python-dotenv", specifier = ">=1.0.1" },
+    { name = "python-dotenv", specifier = ">=1.2.2" },
 ]

 [package.metadata.requires-dev]
@@ -921,11 +921,11 @@ wheels = [

 [[package]]
 name = "python-dotenv"
-version = "1.2.1"
+version = "1.2.2"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/f0/26/19cadc79a718c5edbec86fd4919a6b6d3f681039a2f6d66d14be94e75fb9/python_dotenv-1.2.1.tar.gz", hash = "sha256:42667e897e16ab0d66954af0e60a9caa94f0fd4ecf3aaf6d2d260eec1aa36ad6", size = 44221, upload-time = "2025-10-26T15:12:10.434Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/82/ed/0301aeeac3e5353ef3d94b6ec08bbcabd04a72018415dcb29e588514bba8/python_dotenv-1.2.2.tar.gz", hash = "sha256:2c371a91fbd7ba082c2c1dc1f8bf89ca22564a087c2c287cd9b662adde799cf3", size = 50135, upload-time = "2026-03-01T16:00:26.196Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/14/1b/a298b06749107c305e1fe0f814c6c74aea7b2f1e10989cb30f544a1b3253/python_dotenv-1.2.1-py3-none-any.whl", hash = "sha256:b81ee9561e9ca4004139c6cbba3a238c32b03e4894671e181b671e8cb8425d61", size = 21230, upload-time = "2025-10-26T15:12:09.109Z" },
+    { url = "https://files.pythonhosted.org/packages/0b/d7/1959b9648791274998a9c3526f6d0ec8fd2233e4d4acce81bbae76b44b2a/python_dotenv-1.2.2-py3-none-any.whl", hash = "sha256:1d8214789a24de455a8b8bd8ae6fe3c6b69a5e3d64aa8a8e5d68e694bbcb285a", size = 22101, upload-time = "2026-03-01T16:00:25.09Z" },
 ]

 [[package]]