fix(security): update dependencies [SECURITY] #5014
Open
renovate[bot] wants to merge 1 commit into main from
Conversation
3e6a9a4 → 2301e7e (Compare)
ansibuddy approved these changes, Apr 10, 2026
2301e7e → 647988d (Compare)
ansibuddy approved these changes, Apr 13, 2026
647988d → f076132 (Compare)
ansibuddy approved these changes, Apr 18, 2026
f076132 → 3d39da9 (Compare)
ansibuddy approved these changes, Apr 26, 2026
This PR contains the following updates:
- cryptography: ==46.0.6 → ==46.0.7
- cryptography: 46.0.6 → 46.0.7
- pip: 26.0.1 → 26.1
- pytest: 9.0.2 → 9.0.3
- uv: 0.10.10 → 0.11.6

Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed to APIs
CVE-2026-39892 / GHSA-p423-j2cm-9vmq
Details
If a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. For example:
would read past the end of the buffer on Python >3.11.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files
CVE-2026-3219 / GHSA-58qw-9mgm-455v
Details
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
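The ambiguity this advisory describes can be checked before an archive is unpacked. Added example, not pip's own code: it classifies a file with the standard library's zipfile and tarfile sniffers and, like the fixed pip behaviour, accepts only a file that identifies uniquely as one format; build_zip and build_tar construct sample archives in memory so it runs offline.

```python
# Added example, not pip's own code. A tar archive with a ZIP appended
# satisfies both sniffers: zipfile locates the central directory from the
# END of the file (and tolerates prepended data), while tarfile reads headers
# from the START, so an installer that only asks "is this a ZIP?" would
# unpack content that does not match what the archive's name suggests.
import io
import tarfile
import zipfile


def classify_archive(data: bytes) -> str:
    """Return 'zip', 'tar', 'both' or 'neither' for the given file bytes."""
    is_zip = zipfile.is_zipfile(io.BytesIO(data))
    is_tar = tarfile.is_tarfile(io.BytesIO(data))
    if is_zip and is_tar:
        return "both"
    return "zip" if is_zip else "tar" if is_tar else "neither"


def accept_for_install(data: bytes, claimed: str) -> bool:
    """Accept only an unambiguous archive whose format ('zip' or 'tar')
    matches what the filename claims; 'both' and 'neither' are refused."""
    return classify_archive(data) == claimed


def build_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample: a single-member ZIP archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_tar(name: str, payload: bytes) -> bytes:
    """Constructed sample: a single-member uncompressed tar archive in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_tar("setup.py", b"# tar side") + build_zip("hello.py", b"# zip side")
    print(classify_archive(sample))            # both
    print(accept_for_install(sample, "tar"))   # False: ambiguous, refuse
```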
pytest has vulnerable tmpdir handling
CVE-2025-71176 / GHSA-6w46-j5rx-g56g
Details
pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{username} pattern, which allows local users to cause a denial of service or possibly gain privileges.
Severity
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
uv vulnerable to arbitrary file deletion through RECORD entries
GHSA-pjjw-68hj-v9mw
Details
Impact
Wheel RECORD entries can contain relative paths that traverse outside of the wheel’s installation prefix. In versions 0.11.5 and earlier of uv, these wheels were not rejected on installation and the RECORD was respected without validation on uninstall.
uv uses the RECORD to determine files to remove on uninstall. Consequently, a malicious or malformed wheel could induce deletion of arbitrary files outside of the wheel’s installation prefix on uninstall.
uv does not use the RECORD file to determine wheel file paths. Invalid RECORD entries cannot be used to create or modify files in arbitrary locations.
Standards-compliant Python packaging tooling does not produce RECORD files that exhibit this behavior; an attacker must manually manipulate the RECORD. A user must install and uninstall the malformed wheel to be affected. An attack must guess the depth of the installation prefix path in order to target system files.
Absolute paths in RECORD files are not allowed by the specification and, when present, uv always treats them as rooted in the wheel’s installation prefix. Absolute paths cannot be used to delete arbitrary files.
Only files can be deleted; attempts to delete a directory via an invalid RECORD entry will fail.
Patches
Versions 0.11.6 and newer of uv address the validation gap above by removing invalid entries from RECORD files on wheel installation and ignoring RECORD paths that would escape the installation prefix on uninstall.
Workarounds
Users are advised to upgrade to 0.11.6 or newer to address this advisory.
Users should experience no breaking changes as a result of the patch above.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
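The validation rule from the Patches section, written out as an added example (this is not uv's code): each RECORD path is normalised against an assumed installation prefix, entries that would escape it are rejected rather than passed to the uninstaller, and absolute entries are re-rooted in the prefix as the advisory says uv does. SAMPLE_RECORD is a constructed input, not a real wheel's file.

```python
# Added example, not uv's own code. Applies the rule described in
# GHSA-pjjw-68hj-v9mw: a RECORD entry may only name a file under the
# installation prefix. Relative entries that traverse outside it are
# dropped; absolute entries (disallowed by the spec) are treated as
# prefix-relative instead of being honoured as filesystem paths.
import csv
import io
import posixpath
from typing import List, Optional, Tuple

# Constructed sample RECORD (CSV rows of path,hash,size), not from a real wheel.
SAMPLE_RECORD = """\
pkg/__init__.py,sha256=abc,12
pkg/../../../etc/passwd,,
/etc/shadow,,
pkg/sub/./mod.py,sha256=def,40
pkg-1.0.dist-info/RECORD,,
"""


def resolve_record_path(prefix: str, entry: str) -> Optional[str]:
    """Return the absolute path an entry resolves to inside prefix, or None
    when the normalised path lands outside the prefix (traversal).
    The check is purely lexical; prefix is assumed absolute and not '/'."""
    base = prefix.rstrip("/")
    rel = entry.lstrip("/")  # absolute entries become prefix-relative
    joined = posixpath.normpath(posixpath.join(base, rel))
    # '..' components are now folded in; result must be strictly under base.
    if not joined.startswith(base + "/"):
        return None
    return joined


def partition_record(record_text: str, prefix: str) -> Tuple[List[str], List[str]]:
    """Split RECORD rows into (paths safe to remove on uninstall, rejected entries)."""
    safe, rejected = [], []
    for row in csv.reader(io.StringIO(record_text)):
        if not row or not row[0]:
            continue
        resolved = resolve_record_path(prefix, row[0])
        if resolved is None:
            rejected.append(row[0])
        else:
            safe.append(resolved)
    return safe, rejected


if __name__ == "__main__":
    ok, bad = partition_record(SAMPLE_RECORD, "/venv/lib/python3.12/site-packages")
    print("would remove:", ok)
    print("rejected:", bad)  # ['pkg/../../../etc/passwd']
```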
Release Notes
pyca/cryptography (cryptography)
v46.0.7 (Compare Source)
pypa/pip (pip)
v26.1 (Compare Source)
pytest-dev/pytest (pytest)
v9.0.3 (Compare Source)
pytest 9.0.3 (2026-04-07)
Bug fixes
- #12444: Fixed pytest.approx, which now correctly takes into account collections.abc.Mapping keys order to compare them.
- #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed. Previously this resulted in an internal assertion failure during plugin loading. Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.
- #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.
- #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.
- #14343: Fixed use of insecure temporary directory (CVE-2025-71176).
Improved documentation
- -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
- (capsys and capfd) take precedence over the -s/--capture=no command-line options in "Accessing captured output from a test function" <accessing-captured-output>.
- pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
Contributor-facing changes
- #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics are visible on the web interface. -- by aleguy02

astral-sh/uv (uv)
v0.11.6 (Compare Source)
Released on 2026-04-09.
Bug fixes
- RECORD during installation (#18943)
- uv cache clean errors due to Win32 path normalization (#18856)

v0.11.5 (Compare Source)
Released on 2026-04-08.
Python
Enhancements
- build_system.requires error message (#18911)
Preview features
- exclude-newer to [[tool.uv.index]] (#18839)
- uv audit: add context/warnings for ignored vulnerabilities (#18905)
Bug fixes
Documentation
- PIP_COMPATIBILITY.md redirect file (#18928)
- uv init example-bare --bare examples (#18822, #18925)

v0.11.4 (Compare Source)
Released on 2026-04-07.
Python
Enhancements
- --upgrade-group (#18266)
Bug fixes
- pyproject.toml dependencies (#18786)
- --locked and --frozen when script lockfile is missing (#18832)
- uv export extra resolution for workspace member and conflicting extras (#18888)
- exclude-newer values during uv tree --outdated (#18899)
- --exclude-newer in uv tool list --outdated (#18861)
- Cargo.lock in uv-build source distributions (#18831)
Documentation
- --exclude-newer compares artifact upload times (#18830)

v0.11.3 (Compare Source)
Released on 2026-04-01.
Enhancements
- uv workspace metadata with dependency information from the lock (#18356)
- /installers/uv/latest on the mirror (#18725)
Preview features
- --ignore and --ignore-until-fixed to uv audit (#18737)
Bug fixes
- blake2b hashes (#18794)
- powerpc64-unknown-linux-gnu from release build targets (#18800)
- uv pip check (#18742)
Documentation
- false opt-out for exclude-newer-package (#18768, #18803)

v0.11.2 (Compare Source)
Released on 2026-03-26.
Enhancements
- uv self update fetch the manifest from the mirror first (#18679)
- uv self update success and failure messages with --quiet (#18645)
Preview features
Bug fixes
- uv run (#17890)

v0.11.1 (Compare Source)
Released on 2026-03-24.
Bug fixes
- riscv64gc-unknown-linux-musl (#18686)
- == Python version request ranges (#9697)
Documentation
- --python <dir> in "Using arbitrary Python environments" (#6457)
- PS_MODULE_PATH and UV_WORKING_DIR (#18691)

v0.11.0 (Compare Source)
Released on 2026-03-23.
Breaking changes
This release includes changes to the networking stack used by uv. While we think that breakage will be rare, it is possible that these changes will result in the rejection of certificates previously trusted by uv, so we have marked the change as breaking out of an abundance of caution.
The changes are largely driven by the upgrade of reqwest, which powers uv's HTTP clients, to v0.13, which included some breaking changes to TLS certificate verification.
The following changes are included:
- rustls-platform-verifier is used instead of rustls-native-certs and webpki for certificate verification
  This change should have no effect unless you are using the native-tls option to enable reading system certificates. rustls-platform-verifier delegates to the system for certificate validation (e.g., Security.framework on macOS) instead of eagerly loading certificates from the system and verifying them via webpki. The effects of this change will vary based on the operating system. In general, uv's certificate validation should now be more consistent with browsers and other native applications. However, this is the most likely cause of breaking changes in this release. Some previously failing certificate chains may succeed, and some previously accepted certificate chains may fail. In either case, we expect the validation to be more correct and welcome reports of regressions. In particular, because more responsibility for validating the certificate is transferred to your system's security library, some features like CA constraints or revocation of certificates via OCSP and CRLs may now be used.
  This change should improve performance when using system certificates on macOS, as uv no longer needs to load all certificates from the keychain at startup.
- aws-lc is used instead of ring for a cryptography backend
  There should not be breaking changes from this change. We expect this to expand support for certificate signature algorithms.
- --native-tls is deprecated in favor of a new --system-certs flag
  The --native-tls flag is still usable and has identical behavior to --system-certs. This change was made to reduce confusion about the TLS implementation uv uses. uv always uses rustls, not native-tls.
- Building uv on x86-64 and i686 Windows requires NASM
  NASM is required by aws-lc. If not found on the system, a prebuilt blob provided by aws-lc-sys will be used. If you are not building uv from source, this change has no effect. See the CONTRIBUTING guide for details.
- Empty SSL_CERT_FILE values are ignored (for consistency with SSL_CERT_DIR)
  See #18550 for details.
Python
See the python-build-standalone release notes for details.
Enhancements
Preview features
- --service-format and --service-url to uv audit (#18571)
Performance
Bug fixes
- uv tool list --outdated (#18586)
- uv export for workspace member packages with conflicts (#18635)
Documentation
- FLASH_ATTENTION_SKIP_CUDA_BUILD guidance for flash-attn installs (#18473)

v0.10.12 (Compare Source)
Released on 2026-03-19.
Python
Enhancements
- --no-emit-package (#18565)
Preview features
- uv audit in the CLI help (#18540)
Bug fixes
- uv python list (#18459)
Documentation
- uv-docker-example (#18558)

v0.10.11 (Compare Source)
Released on 2026-03-16.
Enhancements
Performance
Bug fixes
- --project to refer to a pyproject.toml directly and reduce to a warning on other files (#18513)
- SYSTEM_VERSION_COMPAT when querying interpreters on macOS (#18452)
- uv sync --active recreating active environments when UV_PYTHON_INSTALL_DIR is relative (#18398)
Documentation
- -o requirements.txt in uv pip compile example (#12308)

Configuration
📅 Schedule: "* 0-3 * * 1" (in timezone UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.