rewrite
1 month, 1 week ago
Update ruff from 0.14.3 to 0.14.4
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
rewrite
1 month, 1 week ago
Update hypothesis from 6.146.0 to 6.147.0
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/ruff-0.14.4
1 month, 1 week ago
![@dependabot[bot]](https://avatars3.githubusercontent.com/u/49699333?v=3&s=32){kind=small}
Bump ruff from 0.14.3 to 0.14.4
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.14.3 to 0.14
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/hypothesis-6.147.0
1 month, 1 week ago
Bump hypothesis from 6.145.1 to 6.147.0
Bumps [hypothesis](https://github.com/HypothesisWorks/hypot
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/googleapis-common-protos-1.72.0
1 month, 1 week ago
Bump googleapis-common-protos from 1.71.0 to 1.72.0
Bumps [googleapis-common-protos](https://github
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/weasel-0.4.2
1 month, 1 week ago
Bump weasel from 0.4.1 to 0.4.2
Bumps [weasel](https://github.com/explosion/weasel) from 0.4.1 to 0
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/brotli-1.2.0
1 month, 1 week ago
Bump brotli from 1.1.0 to 1.2.0
Bumps [brotli](https://github.com/google/brotli) from 1.1.0 to 1.2.
uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/hypothesis-6.146.0
1 month, 1 week ago
Bump hypothesis from 6.145.1 to 6.146.0
Bumps [hypothesis](https://github.com/HypothesisWorks/hypot
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/pydantic-ae90cd1678
1 month, 1 week ago
Bump the pydantic group across 1 directory with 2 updates
Bumps the pydantic group with 2 updates i
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/google-auth-2.43.0
1 month, 1 week ago
Bump google-auth from 2.42.1 to 2.43.0
Bumps [google-auth](https://github.com/googleapis/google-aut
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/clarifai-40be5c471f
1 month, 1 week ago
Bump clarifai-grpc from 11.9.11 to 11.10.0 in the clarifai group
Bumps the clarifai group with 1 up
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
rewrite
1 month, 1 week ago
Update smart-open from 7.4.3 to 7.4.4
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
rewrite
1 month, 1 week ago
Update pyrefly from 0.39.4 to 0.40.0
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
rewrite
1 month, 1 week ago
[Discord] Improve tasks command formatting
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/smart-open-7.4.4
1 month, 1 week ago
Bump smart-open from 7.4.3 to 7.4.4
Bumps [smart-open](https://github.com/piskvorky/smart_open) fro
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
Python 3 badge
URL
https://pyup.io/repos/github/Harmon758/Harmonbot/python-3-shield.svg
Markdown
[](https://pyup.io/repos/github/Harmon758/Harmonbot/)
Restructured Text
.. image:: https://pyup.io/repos/github/Harmon758/Harmonbot/python-3-shield.svg
:target: https://pyup.io/repos/github/Harmon758/Harmonbot/
:alt: Python 3
HTML
<a href="https://pyup.io/repos/github/Harmon758/Harmonbot/"><img src="https://pyup.io/repos/github/Harmon758/Harmonbot/shield.svg" alt="Python 3" /></a>
Textile
!https://pyup.io/repos/github/Harmon758/Harmonbot/python-3-shield.svg(Python 3)!:https://pyup.io/repos/github/Harmon758/Harmonbot/
RDoc
{<img src="https://pyup.io/repos/github/Harmon758/Harmonbot/python-3-shield.svg" alt="Python 3" />}[https://pyup.io/repos/github/Harmon758/Harmonbot/]
pyup.io badge
URL
https://pyup.io/repos/github/Harmon758/Harmonbot/shield.svg
Markdown
[](https://pyup.io/repos/github/Harmon758/Harmonbot/)
Restructured Text
.. image:: https://pyup.io/repos/github/Harmon758/Harmonbot/shield.svg
:target: https://pyup.io/repos/github/Harmon758/Harmonbot/
:alt: Updates
HTML
<a href="https://pyup.io/repos/github/Harmon758/Harmonbot/"><img src="https://pyup.io/repos/github/Harmon758/Harmonbot/shield.svg" alt="Updates" /></a>
Textile
!https://pyup.io/repos/github/Harmon758/Harmonbot/shield.svg(Updates)!:https://pyup.io/repos/github/Harmon758/Harmonbot/
RDoc
{<img src="https://pyup.io/repos/github/Harmon758/Harmonbot/shield.svg" alt="Updates" />}[https://pyup.io/repos/github/Harmon758/Harmonbot/]