build(deps): bump python-dotenv and gitpython to fix vulnerabilities#7

Merged
christopherhuber merged 2 commits into main from bump-vuln-deps-rebased on Apr 29, 2026

Conversation

@christopherhuber
Contributor

Summary

Test plan

  • CI passes
  • uv sync resolves cleanly

…HSA-rpm5-65cw-6hj4

Two high-severity command-injection advisories in <3.1.47 where
multi_options validation runs before shlex.split, allowing --config
core.hooksPath=… to bypass the unsafe-options check in Repo.clone()
and Submodule.update().
Symlink-following in set_key allowed arbitrary file overwrite when the
dotenv path was attacker-controlled; fixed in 1.2.2.
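The ordering issue behind the gitpython bump, as a constructed illustration (not GitPython's code; the unsafe-option list and function names are assumptions): when each entry of `multi_options` is checked as a single string and only then passed through `shlex.split`, an entry that carries several space-separated flags has only its first flag inspected. Splitting first and validating every token closes that gap.

```python
import shlex

# Constructed, simplified model of the check; the option list is an assumption.
UNSAFE_CLONE_OPTIONS = ["--upload-pack", "-u", "--config", "-c"]


class UnsafeOptionError(ValueError):
    pass


def check_unsafe_options(options, unsafe_options=UNSAFE_CLONE_OPTIONS):
    """Reject any token that is, or begins with, an unsafe option."""
    bare = [o.lstrip("-") for o in unsafe_options]
    for opt in options:
        for unsafe, bare_opt in zip(unsafe_options, bare):
            if opt.startswith(unsafe) or opt == bare_opt:
                raise UnsafeOptionError(f"{opt!r} is not allowed")


def argv_validated_before_split(multi_options):
    """Flawed order: each list entry is checked as one string, then split.
    Flags after the first one in an entry never reach the check."""
    check_unsafe_options(multi_options)
    return shlex.split(" ".join(multi_options))


def argv_validated_after_split(multi_options):
    """Hardened order: split first so every token is checked on its own."""
    argv = shlex.split(" ".join(multi_options))
    check_unsafe_options(argv)
    return argv


def is_rejected(validator, multi_options):
    """True if the validator refuses the given multi_options list."""
    try:
        validator(multi_options)
    except UnsafeOptionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input: a benign flag and a hooksPath override in one entry.
    smuggled = ["--depth 1 --config core.hooksPath=CONSTRUCTED_PATH"]
    print("before-split rejects:", is_rejected(argv_validated_before_split, smuggled))  # False
    print("after-split rejects:", is_rejected(argv_validated_after_split, smuggled))    # True
```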
@christopherhuber christopherhuber merged commit da2a706 into main Apr 29, 2026
1 check passed
@christopherhuber christopherhuber deleted the bump-vuln-deps-rebased branch April 29, 2026 05:34