Safety CI > Harmon758/Harmonbot

rewrite

1 month, 2 weeks ago

[Discord] Change about command to hybrid command

uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
brotli	1.1.0	<=1.1.0	show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

1 month, 2 weeks ago

332fc7cd

[Discord] Improve about command send server invite button name

uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
brotli	1.1.0	<=1.1.0	show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

1 month, 2 weeks ago

4ac6e6f1

[Discord] Improve about command send server invite button definition

uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
brotli	1.1.0	<=1.1.0	show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

1 month, 2 weeks ago

3ffbce70

[Discord] Appropriately disable about command send server invite button Disable about command send

uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
brotli	1.1.0	<=1.1.0	show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

1 month, 2 weeks ago

d0856399

[Discord] Disable about command server invite send button on timeout Disable about command server i

uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
brotli	1.1.0	<=1.1.0	show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

1 month, 2 weeks ago

c4707ae8

[Discord] Disable about command server invite button on timeout and stop

uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
brotli	1.1.0	<=1.1.0	show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

1 month, 2 weeks ago

63381259

[Discord] Improve AboutContainer formatting

uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
brotli	1.1.0	<=1.1.0	show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

1 month, 2 weeks ago

153c25f7

[Discord] Use Components V2 ui.LayoutView in about command

uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
brotli	1.1.0	<=1.1.0	show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

1 month, 2 weeks ago

2ede5637

[Discord] Simplify about command discord.ui usage discord.ui -> ui

uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
brotli	1.1.0	<=1.1.0	show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/hypothesis-6.144.0

1 month, 2 weeks ago

a1716852

Bump hypothesis from 6.143.1 to 6.144.0 Bumps [hypothesis](https://github.com/HypothesisWorks/hypot

uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
brotli	1.1.0	<=1.1.0	show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/uv-0.9.7

1 month, 2 weeks ago

efd37ddf

Bump uv from 0.8.22 to 0.9.7 Bumps [uv](https://github.com/astral-sh/uv) from 0.8.22 to 0.9.7. - [R

brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
brotli	1.1.0	<=1.1.0	show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

brotli

1.1.0

<=1.1.0

show

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/uv-0.9.6

1 month, 2 weeks ago

05012360

Bump uv from 0.8.22 to 0.9.6 Bumps [uv](https://github.com/astral-sh/uv) from 0.8.22 to 0.9.6. - [R

brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
brotli	1.1.0	<=1.1.0	show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

brotli

1.1.0

<=1.1.0

show

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

1 month, 2 weeks ago

5edbaf44

Update discord.py to commit 38c6407 https://github.com/Rapptz/discord.py/commit/38c6407ffd642234118

uv 0.8.22, brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
brotli	1.1.0	<=1.1.0	show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/uv-0.9.6

1 month, 2 weeks ago

064a54d3

Bump uv from 0.8.22 to 0.9.6 Bumps [uv](https://github.com/astral-sh/uv) from 0.8.22 to 0.9.6. - [R

brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
brotli	1.1.0	<=1.1.0	show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

brotli

1.1.0

<=1.1.0

show

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/uv-0.9.7

1 month, 2 weeks ago

da76f2f6

Bump uv from 0.8.22 to 0.9.7 Bumps [uv](https://github.com/astral-sh/uv) from 0.8.22 to 0.9.7. - [R

brotli 1.1.0 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
brotli	1.1.0	<=1.1.0	show Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

brotli

1.1.0

<=1.1.0

show

Affected versions of the brotli package are vulnerable to Denial of Service (DoS) due to unbounded memory allocation during decompression of highly compressible inputs. The Python streaming API method Decompressor.process expands its output buffer without an enforceable limit, so a crafted Brotli stream (for example, zero-filled data with an extreme compression ratio) can inflate to a massive size and exhaust memory.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx