Conversation

@davidkonigsberg
Collaborator

Description

Updates dev dependencies in the Python generator to address security vulnerabilities.

Requested by @davidkonigsberg

Link to Devin run

Changes Made

  • Updated filelock from 3.20.1 to 3.20.3 to address CVE-2026-22701 (TOCTOU race condition in SoftFileLock)
  • Updated virtualenv from 20.30.0 to 20.36.1 to address CVE-2026-22702 (TOCTOU symlink attack vulnerability)

The lock file was regenerated using Poetry 2.2.1 (matching the version that created the original file).

Human Review Checklist

  • Verify the patched versions match the CVE advisories
  • Note: virtualenv's upstream changes added a conditional typing-extensions dependency for Python < 3.11

Testing

  • Lint checks passed (pnpm run check)
  • CI will validate the lock file and build process

- Update filelock from 3.20.1 to 3.20.3 to address CVE-2026-22701
- Update virtualenv from 20.30.0 to 20.36.1 to address CVE-2026-22702

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>
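For the "verify the patched versions" item on the review checklist, an added example (not part of this PR or the project's code) that audits a poetry.lock for packages still pinned below the minimum versions this PR moves to. The lock content below is a constructed sample, not the project's real lock file, and the parser assumes Poetry's layout of `name` directly followed by `version` in each `[[package]]` block.

```python
"""Flag poetry.lock packages pinned below a minimum safe version."""
import re

# Minimum versions taken from the PR description (the CVE-fixed releases).
MIN_SAFE = {
    "filelock": "3.20.3",
    "virtualenv": "20.36.1",
}

# Constructed sample: a lock file where filelock still carries the old pin.
SAMPLE_LOCK = """
[[package]]
name = "filelock"
version = "3.20.1"
description = "A platform independent file lock."

[[package]]
name = "virtualenv"
version = "20.36.1"
description = "Virtual Python Environment builder"
"""

# Poetry writes `name` then `version` at the top of every [[package]] block.
_PACKAGE_RE = re.compile(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"')


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric version -> comparable tuple; non-digits in a segment are dropped."""
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_outdated(lock_text: str, minimums: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Return {name: (pinned, required)} for every package below its minimum."""
    pinned = {name.lower(): ver for name, ver in _PACKAGE_RE.findall(lock_text)}
    outdated = {}
    for name, required in minimums.items():
        current = pinned.get(name.lower())
        if current is None:
            continue  # not in this lock file; nothing to compare
        if parse_version(current) < parse_version(required):
            outdated[name] = (current, required)
    return outdated


if __name__ == "__main__":
    for name, (have, need) in find_outdated(SAMPLE_LOCK, MIN_SAFE).items():
        print(f"{name}: pinned {have}, needs >= {need}")
```

Point it at the real lock file by reading it into `find_outdated` instead of `SAMPLE_LOCK`; an empty result means every listed package is at or above its minimum.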
@devin-ai-integration
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

@davidkonigsberg changed the title from "chore(deps-dev): update filelock and virtualenv for CVE fixes" to "chore(deps): update filelock and virtualenv for CVE fixes" on Jan 15, 2026
@davidkonigsberg merged commit 37c0739 into main on Jan 15, 2026
125 checks passed
@davidkonigsberg deleted the devin/1768406905-update-filelock-virtualenv-cves branch on January 15, 2026 at 15:11