Skip to content

Fix: bump vulnerable dependencies (14.07.2026)#41

Merged
renatgalimov merged 1 commit into
masterfrom
fix/security-dependency-updates-14.07.2026
Jul 14, 2026
Merged

Fix: bump vulnerable dependencies (14.07.2026)#41
renatgalimov merged 1 commit into
masterfrom
fix/security-dependency-updates-14.07.2026

Conversation

@renatgalimov

Copy link
Copy Markdown
Collaborator

Summary

Resolves 4 open Dependabot alerts by bumping pinned dependencies in requirements.txt to their patched releases: idna 3.7→3.15 (regex DoS), urllib3 2.6.3→2.7.0 (cross-origin header leak on low-level redirects, decompression-bomb bypass), and requests 2.32.4→2.33.1 (insecure temp file reuse in extract_zipped_paths). None of these are used in ways that trigger the vulnerable code paths directly, but staying patched avoids exposure through transitive usage.

Test plan

  • Verified pip install -r requirements.txt resolves cleanly with the new pins
  • Confirmed the existing test suite behaves identically before and after the bump (one pre-existing, unrelated fixture error in test_disk_image_downloads.py)

Resolves 4 open Dependabot alerts (idna DoS, urllib3 header leak and
decompression bomb, requests insecure temp file reuse).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@renatgalimov renatgalimov force-pushed the fix/security-dependency-updates-14.07.2026 branch from 44a72b1 to 4b02630 Compare July 14, 2026 13:50
@renatgalimov renatgalimov merged commit ae770a5 into master Jul 14, 2026
7 checks passed
@renatgalimov renatgalimov deleted the fix/security-dependency-updates-14.07.2026 branch July 14, 2026 13:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants