dependabot/pip/imageio-2.37.2
1 month, 1 week ago
![@dependabot[bot]](https://avatars3.githubusercontent.com/u/49699333?v=3&s=32){kind=small}
Bump imageio from 2.37.0 to 2.37.2
Bumps [imageio](https://github.com/imageio/imageio) from 2.37.0
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/unicodedata2-17.0.0
1 month, 1 week ago
Bump unicodedata2 from 15.1.0 to 17.0.0
Bumps [unicodedata2](https://github.com/fonttools/unicodeda
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/pydantic-9fae14ff0f
1 month, 1 week ago
Bump pydantic-core from 2.41.4 to 2.41.5 in the pydantic group
Bumps the pydantic group with 1 upda
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/clarifai-40be5c471f
1 month, 1 week ago
Bump clarifai-grpc from 11.9.11 to 11.10.0 in the clarifai group
Bumps the clarifai group with 1 up
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
rewrite
1 month, 2 weeks ago
[Discord] Improve in response to text display position for about command
Move in response to text d
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
rewrite
1 month, 2 weeks ago
Update smart-open from 7.4.2 to 7.4.3
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/schema-0.7.8
1 month, 2 weeks ago
Bump schema from 0.7.5 to 0.7.8
Bumps [schema](https://github.com/keleshev/schema) from 0.7.5 to 0.
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
rewrite
1 month, 2 weeks ago
Update hypothesis from 6.144.0 to 6.145.1
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/smart-open-7.4.3
1 month, 2 weeks ago
Bump smart-open from 7.4.2 to 7.4.3
Bumps [smart-open](https://github.com/piskvorky/smart_open) fro
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/hypothesis-6.145.1
1 month, 2 weeks ago
Bump hypothesis from 6.143.1 to 6.145.1
Bumps [hypothesis](https://github.com/HypothesisWorks/hypot
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/pyrefly-0.40.0
1 month, 2 weeks ago
Bump pyrefly from 0.39.4 to 0.40.0
Bumps [pyrefly](https://github.com/facebook/pyrefly) from 0.39.4
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
dependabot/pip/libcst-1.8.6
1 month, 2 weeks ago
Bump libcst from 1.8.5 to 1.8.6
Bumps [libcst](https://github.com/Instagram/LibCST) from 1.8.5 to 1
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
rewrite
1 month, 2 weeks ago
[Discord] Change about command to hybrid command
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
rewrite
1 month, 2 weeks ago
[Discord] Improve about command send server invite button name
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
rewrite
1 month, 2 weeks ago
[Discord] Improve about command send server invite button definition
uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| uv | 0.8.22 | <0.9.6 |
show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict. |
| uv | 0.8.22 | <0.9.5 |
show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers. |
| brotli | 1.1.0 | <=1.1.0 |
show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory. |
| gitpython | 3.1.40 | <3.1.41 |
show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx |
Python 3 badge
URL
https://pyup.io/repos/github/Harmon758/Harmonbot/python-3-shield.svg
Markdown
[](https://pyup.io/repos/github/Harmon758/Harmonbot/)
Restructured Text
.. image:: https://pyup.io/repos/github/Harmon758/Harmonbot/python-3-shield.svg
:target: https://pyup.io/repos/github/Harmon758/Harmonbot/
:alt: Python 3
HTML
<a href="https://pyup.io/repos/github/Harmon758/Harmonbot/"><img src="https://pyup.io/repos/github/Harmon758/Harmonbot/shield.svg" alt="Python 3" /></a>
Textile
!https://pyup.io/repos/github/Harmon758/Harmonbot/python-3-shield.svg(Python 3)!:https://pyup.io/repos/github/Harmon758/Harmonbot/
RDoc
{<img src="https://pyup.io/repos/github/Harmon758/Harmonbot/python-3-shield.svg" alt="Python 3" />}[https://pyup.io/repos/github/Harmon758/Harmonbot/]
pyup.io badge
URL
https://pyup.io/repos/github/Harmon758/Harmonbot/shield.svg
Markdown
[](https://pyup.io/repos/github/Harmon758/Harmonbot/)
Restructured Text
.. image:: https://pyup.io/repos/github/Harmon758/Harmonbot/shield.svg
:target: https://pyup.io/repos/github/Harmon758/Harmonbot/
:alt: Updates
HTML
<a href="https://pyup.io/repos/github/Harmon758/Harmonbot/"><img src="https://pyup.io/repos/github/Harmon758/Harmonbot/shield.svg" alt="Updates" /></a>
Textile
!https://pyup.io/repos/github/Harmon758/Harmonbot/shield.svg(Updates)!:https://pyup.io/repos/github/Harmon758/Harmonbot/
RDoc
{<img src="https://pyup.io/repos/github/Harmon758/Harmonbot/shield.svg" alt="Updates" />}[https://pyup.io/repos/github/Harmon758/Harmonbot/]