chore: bump pygments and cryptography for security fixes #75

Merged: lipikaramaswamy merged 1 commit into main from lipikaramaswamy/chore/bump-security-deps on Mar 30, 2026

Conversation

@lipikaramaswamy (Collaborator)

Summary

Upgrades two transitive dependencies in uv.lock to remediate known security vulnerabilities:

  • pygments 2.19.2 -> 2.20.0 -- fixes CVE-2026-4539 (ReDoS in AdlLexer GUID regex, CVSS 4.8 Medium)
  • cryptography 46.0.5 -> 46.0.6 -- fixes CVE-2026-34073 (X.509 wildcard SAN name constraint bypass)

No changes to pyproject.toml -- both are transitive deps and the existing constraints already allow the newer versions.

Test plan

  • CI passes (lock-file-only change, no code changes)
  • uv sync --all-extras installs cleanly

Upgrade transitive deps to remediate:
- CVE-2026-4539: pygments 2.19.2 -> 2.20.0 (ReDoS in AdlLexer)
- CVE-2026-34073: cryptography 46.0.5 -> 46.0.6 (X.509 wildcard name constraint bypass)

Made-with: Cursor
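As an added check that is not part of this PR or the project's code: a small script that reads a uv.lock (each `[[package]]` table carries `name` and `version` keys) and reports any package still below the fixed versions named above. The lock excerpt below is constructed for the example; the parser is line-based so it needs no TOML library.

```python
import re

# Minimum fixed versions taken from the PR description
# (CVE-2026-4539 -> pygments 2.20.0, CVE-2026-34073 -> cryptography 46.0.6).
MIN_FIXED = {"pygments": (2, 20, 0), "cryptography": (46, 0, 6)}

# Constructed uv.lock excerpt (not the project's real lock file):
# cryptography already bumped, pygments still at the vulnerable version.
SAMPLE_LOCK = """\
version = 1
revision = 2

[[package]]
name = "cryptography"
version = "46.0.6"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "pygments"
version = "2.19.2"
source = { registry = "https://pypi.org/simple" }
"""


def parse_version(s):
    """Turn '2.19.2' into (2, 19, 2); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in s.split("."))


def lock_versions(lock_text):
    """Map package name -> version tuple from the [[package]] tables.
    The top-level 'version = 1' line is unquoted, so it is skipped."""
    versions, name = {}, None
    for line in lock_text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            name = None
        elif m := re.fullmatch(r'name = "([^"]+)"', line):
            name = m.group(1).lower()
        elif (m := re.fullmatch(r'version = "([^"]+)"', line)) and name:
            versions[name] = parse_version(m.group(1))
    return versions


def below_minimum(lock_text, minimums=MIN_FIXED):
    """Return the packages whose locked version is older than the fix."""
    found = lock_versions(lock_text)
    return {n: found[n] for n, floor in minimums.items()
            if n in found and found[n] < floor}


if __name__ == "__main__":
    for name, ver in below_minimum(SAMPLE_LOCK).items():
        print(f"{name} {'.'.join(map(str, ver))} is below the fixed version")
```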
@lipikaramaswamy lipikaramaswamy requested a review from a team as a code owner March 30, 2026 20:08
Comment thread uv.lock
@@ -1,5 +1,5 @@
version = 1
revision = 3
revision = 2
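Review bot: the lock-file header `revision` value changes in this hunk (both `revision = 3` and `revision = 2` appear), which is unrelated to the two dependency bumps the description lists; as the thread below attributes it to the uv version used (uv 0.7.22), regenerating the lock with the uv version CI uses would keep this lock-file-only change to the intended pygments and cryptography entries, and noting the uv version in the PR description would let reviewers tell the header change apart from the security fix.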
Contributor

hmm wonder if this is just a uv version thing, this diff in particular

Collaborator (Author)

yea i think just a version thing

❯ uv --version
uv 0.7.22 (78d6d1134 2025-07-17)

@lipikaramaswamy lipikaramaswamy merged commit 3772f0a into main Mar 30, 2026
6 checks passed
@lipikaramaswamy lipikaramaswamy deleted the lipikaramaswamy/chore/bump-security-deps branch March 30, 2026 20:11