fix(deps): bump python-liquid to >=2.2.0 for high severity CVE#459
Review Assessment

Risk: Very Low — Safe to merge (after #457, with rebase)

Diff Analysis

Usage: `python-liquid` is a transitive dependency — not imported directly anywhere in

Merge Conflict: This PR conflicts with #457 (urllib3) — both add a new `[tool.uv]` section:

```toml
[tool.uv]
constraint-dependencies = [
    "urllib3>=2.7.0",
    "python-liquid>=2.2.0",
]
```

Verdict: Safe to merge after #457 lands and this PR is rebased. No production code changes, hashes verified, minor security-only bump on a transitive dep.
1dd5f3b to 5b4968e
Automated low-risk assessment: This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.
This PR requires a manual review before merging.
Summary

- Bumps `python-liquid` from 2.1.0 to 2.2.0 to fix a high severity CVE
- `python-liquid` is a transitive dependency (via `langwatch`), so a `[tool.uv] constraint-dependencies` entry was added to `pyproject.toml` to enforce `>=2.2.0`
- The lockfile (`uv.lock`) was updated with the new version and hashes from PyPI
- Closes Dependabot alert #354