Skip to content

chore(deps): update dependency click to v8.3.3 [security] (release/v5.6)#1256

Merged
williamlin-suse merged 1 commit into
neuvector:release/v5.6from
williamlin-suse:update-pypi-click-vulnerability
Jul 14, 2026
Merged

chore(deps): update dependency click to v8.3.3 [security] (release/v5.6)#1256
williamlin-suse merged 1 commit into
neuvector:release/v5.6from
williamlin-suse:update-pypi-click-vulnerability

Conversation

@williamlin-suse

@williamlin-suse williamlin-suse commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
click (changelog) ==8.1.8==8.3.3 age confidence

CVE-2026-7246 / GHSA-47fr-3ffg-hgmw / PYSEC-2026-2132

More information

Details

Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged account.

Severity

  • CVSS Score: 7.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


Package Change Age Confidence
setuptools (changelog) ==80.10.2==83.0.0 age confidence

BIT-setuptools-2026-59890 / CVE-2026-59890 / GHSA-h35f-9h28-mq5c / PYSEC-2026-3447

More information

Details

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0.

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


@williamlin-suse
williamlin-suse requested a review from a team as a code owner July 14, 2026 22:54
@williamlin-suse
williamlin-suse requested review from kyledong-suse, lsongsuse and pohanhuang and removed request for a team and kyledong-suse July 14, 2026 22:54
@williamlin-suse

Copy link
Copy Markdown
Contributor Author

ref:
#1251
#1252

@williamlin-suse
williamlin-suse merged commit 62545c8 into neuvector:release/v5.6 Jul 14, 2026
@williamlin-suse williamlin-suse changed the title chore(deps): update dependency click to v8.3.3 [security] chore(deps): update dependency click to v8.3.3 [security] (release/v5.6) Jul 14, 2026
@williamlin-suse
williamlin-suse deleted the update-pypi-click-vulnerability branch July 14, 2026 23:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants