chore(deps): consolidate Python security dependency upgrades #12558
Merged
mekarpeles merged 9 commits into master on May 4, 2026
Conversation
Patch-only bump; no API changes.
Minor version bump; no breaking changes expected.
#11741) Fixes CVE-2026-24486 (arbitrary file write via path traversal, CVSS 8.6) and CVE-2026-40347 (DoS via large multipart preamble/epilogue, CVSS 5.3).
Major version; no direct API usage in codebase — consumed indirectly via FastAPI/web.py middleware.
Fixes CVE-2026-25990 (out-of-bounds write loading PSD images, CVSS 8.6). Code uses stable APIs: Image.open, Image.LANCZOS, ImageOps.exif_transpose, ImageDraw, ImageFont — all unchanged in 12.x.
Fixes CVE-2026-41066 (XXE via iterparse/ETCompatXMLParser, CVSS 7.5). lxml 6.x changes the default resolve_entities from True to 'internal' for iterparse() and ETCompatXMLParser(). Impact analysis:
- marc_xml.py uses iterparse() without explicit resolve_entities: behavior change is safe since LoC MARC21 slim XML has no external entities, and the stricter default is a security improvement.
- All other callers (importapi, get_ia, scripts, tests) already pass resolve_entities=False explicitly — no change in behavior.
Minor version bump. OL uses internal sentry APIs (tracing_utils.add_query_source, tracing_utils.record_sql_queries, utils.capture_internal_exceptions) — verified all still present and importable at 2.58.0.
Patch bump; no API changes.
Tested locally, uv pip installed and run with Docker. (Assigning myself as the reviewer for the Renovate PRs)
Summary
Consolidates 8 open Renovate PRs into a single tested and verified upgrade. All packages were installed and tested in Docker before opening this PR.
Packages upgraded
🔴 Security upgrades
python-multipart 0.0.21 → 0.0.26 — Fixes CVE-2026-24486 (arbitrary file write via path traversal, CVSS 8.6) and CVE-2026-40347 (DoS via large multipart preamble/epilogue, CVSS 5.3). v0.0.23 removed `trust_x_headers` and the `X-File-Name` fallback, but OL does not set those. Risk: low.
multipart 0.2.4 → 1.2.2 — Major version, but no direct imports in the codebase; consumed indirectly via FastAPI middleware. Risk: medium. What could go wrong: file upload endpoints (batch import `/api/import`, cover uploads) could be affected if v1 changed how multipart data is exposed to FastAPI route handlers.
Pillow 10.4.0 → 12.2.0 — Fixes CVE-2026-25990 (out-of-bounds write loading PSD images, CVSS 8.6). APIs used by OL — `Image.open`, `Image.LANCZOS`, `ImageOps.exif_transpose(in_place=True)`, `ImageDraw`, `ImageFont.truetype` — are stable and unchanged in 12.x. Risk: medium.
lxml 4.9.4 → 6.1.0 — Fixes CVE-2026-41066 (XXE via `iterparse`/`ETCompatXMLParser`, CVSS 7.5). lxml 6.x changes the `iterparse()` default from `resolve_entities=True` to `resolve_entities='internal'`. Impact analysis: `marc_xml.py` is the only caller using `iterparse()` without an explicit `resolve_entities` argument. It parses LoC MARC21 slim XML, which has no external entities — the stricter default is a security improvement with no functional change. All other callers (`importapi/code.py`, `catalog/get_ia.py`, `scripts/lc_marc_update.py`, tests) already pass `resolve_entities=False` explicitly.
🔧 Maintenance upgrades
psycopg2 2.9.6 → 2.9.12 — Patch-only bump, bugfixes only. Risk: negligible.
beautifulsoup4 4.12.2 → 4.14.3 — Minor version; stable public API, no removals. Risk: low.
feedparser 6.0.11 → 6.0.12 — Patch bump; no API changes. Risk: negligible.
sentry-sdk 2.49.0 → 2.58.0 — Minor version bump. OL uses internal APIs (`tracing_utils.add_query_source`, `record_sql_queries`, `utils.capture_internal_exceptions`) — all verified present and importable at 2.58.0. Risk: low.
Testing
All packages installed cleanly in the running Docker container with no conflicts. Import verification passed for all packages including internal sentry APIs.
HTTP check: static assets return 200; no 500 errors in container logs.
Test results (run inside Docker):
openlibrary/catalog/marc/tests/ — 124 passed (lxml iterparse)
openlibrary/coverstore/tests/ — 21 passed, 7 skipped (Pillow)
openlibrary/plugins/importapi/ — 61 passed (lxml XMLParser)
Total: 3524 tests, 0 failures.
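One guard that follows from the upgrade above, added here as an illustration and not part of this PR or the Open Library code base: a check that a requirements file pins each security-relevant package at or above the version carrying the CVE fix, so a later Renovate or manual edit cannot silently drop back below it. The version floors and CVE ids are the ones listed in this PR; the sample requirements text is constructed.

```python
import re

# Minimum fixed versions and the CVEs they close, as listed in this PR description.
SECURITY_FLOORS = {
    "python-multipart": ("0.0.26", ["CVE-2026-24486", "CVE-2026-40347"]),
    "pillow": ("12.2.0", ["CVE-2026-25990"]),
    "lxml": ("6.1.0", ["CVE-2026-41066"]),
}

# Constructed sample resembling the pre-upgrade pins; not the project's real file.
SAMPLE_REQUIREMENTS = """\
python-multipart==0.0.21
Pillow==10.4.0
lxml>=4.9.4
psycopg2==2.9.6
feedparser==6.0.12
"""

# Matches "name<op>version" pins; extras and environment markers are ignored here.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|~=)\s*([0-9][0-9A-Za-z.]*)")


def parse_version(s):
    """'12.2.0' -> (12, 2, 0); a non-numeric component such as 'rc1' sorts below 0."""
    return tuple(int(p) if p.isdigit() else -1 for p in s.split("."))


def parse_requirements(text):
    """Return {normalized name: (operator, version)} for every pinned line."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            # PyPI names are case-insensitive and treat '_' and '-' alike.
            pins[m.group(1).lower().replace("_", "-")] = (m.group(2), m.group(3))
    return pins


def audit(text, floors=SECURITY_FLOORS):
    """Return {package: (pin, minimum, cves)} for pins below the security floor.
    A '>=' or '~=' whose base version is below the fix is flagged as well, since
    such a range still permits the vulnerable release to be installed."""
    pins = parse_requirements(text)
    findings = {}
    for name, (minimum, cves) in floors.items():
        if name in pins:
            op, version = pins[name]
            if parse_version(version) < parse_version(minimum):
                findings[name] = (op + version, minimum, cves)
    return findings
```

Running `audit(SAMPLE_REQUIREMENTS)` flags python-multipart, Pillow and lxml; after the pins in this PR are applied it returns an empty dict, which is the condition a CI step would assert on.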
Checklist
References
Closes #10807, #10892, #11741, #11848, #12084, #12424, #11839, #12564