
fix(deps): bump python-liquid to >=2.2.0 for high severity CVE #459

Merged
sergioestebance merged 3 commits into main from fix/deps-bump-python-liquid-to-2.2.0 on May 12, 2026

Conversation

@sergioestebance

Contributor

Summary

  • Bumps python-liquid from 2.1.0 to 2.2.0 to fix a high severity CVE
  • GHSA-8p4x-wr7x-3788: Absolute paths escape filesystem loader search path
  • python-liquid is a transitive dependency (via langwatch), so a [tool.uv] constraint-dependencies entry was added to pyproject.toml to enforce >=2.2.0
  • The lockfile (uv.lock) was updated with the new version and hashes from PyPI

Closes Dependabot alert #354
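The bug class named in GHSA-8p4x-wr7x-3788 (an absolute template name escaping a filesystem loader's search path), shown as an added example. This is not python-liquid's own FileSystemLoader code and not part of this PR; the loader functions, the temporary search root and the template names are hypothetical and constructed for the demonstration. The naive resolver relies on os.path.join, which discards the search path as soon as the name is absolute; the hardened resolver resolves the candidate and rejects anything that does not stay under the root, which also covers `..` segments and symlinks pointing outside.

```python
"""Illustrative template-loader path handling: the escape via an absolute
name, and a containment check that closes it. Added example; not the
python-liquid implementation. All names here are hypothetical."""
import os
import tempfile
from pathlib import Path


class TemplateNotFound(Exception):
    pass


def naive_resolve(search_path: str, name: str) -> str:
    # os.path.join drops every earlier component once it meets an absolute
    # one, so name="/etc/passwd" returns "/etc/passwd" regardless of root.
    return os.path.join(search_path, name)


def safe_resolve(search_path: str, name: str) -> Path:
    """Resolve `name` under `search_path`; refuse anything that lands
    outside the resolved root (absolute names, '..', outbound symlinks)."""
    root = Path(search_path).resolve()
    # pathlib's '/' has the same absolute-name behaviour as os.path.join,
    # so the containment check after resolve() is what actually protects us.
    candidate = (root / name).resolve()
    if not candidate.is_relative_to(root):
        raise TemplateNotFound(f"{name!r} resolves outside {root}")
    if not candidate.is_file():
        raise TemplateNotFound(name)
    return candidate


def demo() -> dict:
    """Build a throwaway search root (constructed data) and compare both
    resolvers on a normal, an absolute and a '..' template name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "templates")
        root.mkdir()
        (root / "index.liquid").write_text("Hello {{ name }}")
        outside = Path(tmp, "secret.txt")          # file the loader must never reach
        outside.write_text("not a template")

        cases = {
            "normal": "index.liquid",
            "absolute": str(outside),
            "dotdot": "../secret.txt",
        }
        out = {}
        for label, name in cases.items():
            naive = Path(naive_resolve(str(root), name)).resolve()
            try:
                safe_resolve(str(root), name)
                safe_accepts = True
            except TemplateNotFound:
                safe_accepts = False
            out[label] = {
                "naive_escapes": not naive.is_relative_to(root.resolve()),
                "safe_accepts": safe_accepts,
            }
        return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Running the block prints one line per case; only the normal name is accepted by the hardened resolver, while the naive join escapes the root for both the absolute and the `..` name. Path.is_relative_to needs Python 3.9 or newer.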

rogeriochaves
rogeriochaves previously approved these changes May 12, 2026
@sergioestebance

Contributor Author

Review Assessment

Risk: Very Low — Safe to merge (after #457, with rebase)

Diff Analysis

  • Adds [tool.uv] constraint-dependencies = ["python-liquid>=2.2.0"] — correct uv mechanism for constraining transitive deps
  • Lockfile bump: version 2.1.0 → 2.2.0, sdist URL, wheel URL, and hashes all updated
  • PyPI hash verification: hashes match PyPI (both whl and sdist confirmed)
  • Dependencies unchanged (babel, markupsafe, python-dateutil, pytz)
  • No other packages changed in the lockfile

Usage

python-liquid is a transitive dependency — not imported directly anywhere in python/. It's pulled in by langwatch. No API surface is consumed directly, so a minor bump (2.1→2.2) is transparent. The fix is security-only (path traversal in FileSystemLoader).

Merge Conflict

This PR conflicts with #457 (urllib3) — both add a new [tool.uv] section at the same location in pyproject.toml. Merge #457 first, then rebase this PR to combine both constraints into a single constraint-dependencies list:

[tool.uv]
constraint-dependencies = [
    "urllib3>=2.7.0",
    "python-liquid>=2.2.0",
]

Verdict

Safe to merge after #457 lands and this PR is rebased. No production code changes, hashes verified, minor security-only bump on a transitive dep.

@github-actions

Contributor

Automated low-risk assessment

This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.

This PR's diff exceeds the size limit for automated low-risk evaluation. Manual review required.

This PR requires a manual review before merging.

@sergioestebance sergioestebance merged commit 60bad76 into main May 12, 2026
8 checks passed
@sergioestebance sergioestebance deleted the fix/deps-bump-python-liquid-to-2.2.0 branch May 12, 2026 17:27