v1.2.1 — Security: bump black to address GHSA-3936-cmfr-pm3m

@Mandark-droid Mandark-droid released this 28 Apr 20:20
· 12 commits to main since this release

Patch release covering one dev-dependency security advisory. No runtime API changes — end users installing genai-otel-instrument==1.2.1 from PyPI get exactly the same library surface as 1.2.0.

Security

  • Bump black to >=26.3.1 on Python 3.10+ to address GHSA-3936-cmfr-pm3m (high severity: arbitrary file writes from unsanitized user input in the cache file name). Black is dev-only and not shipped in the wheel, so this only affects contributor / CI environments.
  • Python 3.9 dev environments stay on the latest 3.9-compatible black release (<26), because the patched version dropped 3.9 support. The residual exposure on 3.9 dev machines is acceptable since black is not in the runtime path.

Fixed

  • Restore CI matrix install on Python 3.9. The interim unconditional black>=26.3.1 pin failed pip install -e ".[dev]" on 3.9 because the fixed version requires 3.10+. The pin is now conditional on python_version.
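The conditional pin described above, written out as an added illustration of PEP 508 environment markers (this is not the project's actual pyproject.toml, which the release notes do not reproduce):

```toml
[project.optional-dependencies]
dev = [
    # Patched black where the interpreter can run it:
    # the GHSA-3936-cmfr-pm3m fix landed in 26.3.1, which requires Python 3.10+.
    'black>=26.3.1; python_version >= "3.10"',
    # Python 3.9 cannot install the patched release, so it stays on the
    # last 3.9-compatible line (dev-only tooling, not in the runtime path).
    'black<26; python_version < "3.10"',
]
```

requirements.txt accepts the same one-requirement-per-line marker syntax, and pip then resolves only the line whose marker matches, so `pip install -e ".[dev]"` on 3.9 no longer fails on the 3.10-only release.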

Test matrix

All 17 jobs green: test × {ubuntu, windows, macos} × {3.9, 3.10, 3.11, 3.12} (12 jobs), build-and-install-test × {ubuntu, windows} × {3.9, 3.12} (4 jobs), security (1 job).

Diff vs v1.2.0

  • pyproject.toml, requirements.txt: conditional black pin
  • CHANGELOG.md: 1.2.1 entry