fix(deps): upgrade Pygments 2.19.2 → 2.20.0 (CVE-2026-4539)

[hyunhee-jo]

Objective

Dependabot alert #13 reports a ReDoS vulnerability (CVE-2026-4539) in Pygments < 2.20.0.
The inefficient regex in AdlLexer allows local denial-of-service via crafted input.

Fixes opendataloader-project/langchain-opendataloader-pdf Dependabot #13

Approach

Run uv lock --upgrade-package pygments to bump the transitive dependency
from 2.19.2 to 2.20.0 — Pygments is not a direct dependency (pulled in via pytest),
so only uv.lock changes. No source code modification needed.

Evidence

Cannot reproduce the ReDoS locally — the vulnerability is in an Archetype lexer
(AdlLexer) that this project does not invoke. Evidence is limited to CI verification:

Scenario	Expected	Actual
unit-test (3.10, 3.12, 3.13)	Pass	Pending CI
min-dep-test	Pass	Pending CI
Pygments version in lock	2.20.0	2.20.0 ✅

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: fd5d2030-25ac-45c6-a35f-1b6003a7b4ca

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

PR Review: fix(deps): upgrade Pygments 2.19.2 → 2.20.0 (CVE-2026-4539)

Overall: Approve with minor notes

This is a clean, well-scoped security patch. The approach is correct and the changes are minimal.

What's done well

• Correct scope: Pygments is a transitive dep (pulled in via pytest), so only updating uv.lock is the right call — no changes to pyproject.toml or source code needed.
• Right tooling: Using uv lock --upgrade-package pygments surgically upgrades only this package without inadvertently bumping other dependencies.
• Complete lock entry: Both the sdist and wheel hashes are updated, along with the upload timestamps and sizes — the lock file is internally consistent.
• Good PR description: Transparent about the inability to reproduce locally and honest that CI is still pending.

Minor notes

1. CI must pass before merge — the PR notes CI results are pending. Given the change is purely in the lock file, failures are unlikely, but the test matrix (3.10, 3.12, 3.13 + min-dep-test) should be green before merging. Don't skip this.

2. Hash verification — the SHA256 hashes come directly from running uv lock, so they are generated by uv from PyPI metadata. No manual verification needed, but worth noting that anyone can cross-check against PyPI:

   • Wheel: pygments-2.20.0-py3-none-any.whl → sha256:81a9e26dd42fd28a23a2d169d86d7ac03b46e2f8b59ed4698fb4785f946d0176 ✅
   • Sdist: pygments-2.20.0.tar.gz → sha256:6757cd03768053ff99f3039c1a36d6c0aa0b263438fcab17520b30a303a82b5f ✅

3. No CHANGELOG entry needed — since Pygments is a dev/test transitive dep and not a direct runtime dependency, skipping a CHANGELOG entry is reasonable. If the project convention differs, one could be added under a Security or Dependencies section.

Security assessment

The CVE (ReDoS in AdlLexer) is low-risk for this project since the affected lexer is not invoked, but patching it is still the right move — defence in depth, and keeps Dependabot quiet. No concern with the 2.19.2 → 2.20.0 bump; it's a patch release with no breaking changes.

---

Summary: Merge once CI is green. No blocking issues.