chore(deps): bump mako 1.3.11 -> 1.3.12 (CVE-2026-44307)#283

Merged
vredchenko merged 1 commit into main from chore/bump-mako-cve-2026-44307 on May 11, 2026

Conversation

@vredchenko
Collaborator

@vredchenko vredchenko commented May 11, 2026

Summary

  • Bumps mako 1.3.11 → 1.3.12 in uv.lock to clear code scanning alert #20 (CVE-2026-44307, GHSA-2h4p-vjrc-8xpq).
  • Mako is a transitive dependency via alembic. The vulnerability is a Windows-only path traversal in TemplateLookup that requires user-controlled template URIs — alembic renders migration scaffolding from package-internal paths, so we are not exploitable. Bump is purely to silence the scanner.
  • Lockfile-only change (3 lines).

Test plan

  • uv lock --upgrade-package mako resolves cleanly
  • uv sync --extra backend succeeds
  • import mako, alembic in the synced env reports mako 1.3.12 / alembic 1.17.2
  • CI passes

Fixes osv-scanner alert. Mako is a transitive dep via alembic;
the vulnerability is a Windows-only path traversal in TemplateLookup
that requires user-controlled template URIs - not exploitable in our
usage (alembic renders migration scaffolding from internal paths)
but bumping clears the alert.
@vredchenko vredchenko merged commit 87ab226 into main May 11, 2026
10 checks passed
@vredchenko vredchenko deleted the chore/bump-mako-cve-2026-44307 branch May 11, 2026 10:18