Safety CI > Harmon758/Harmonbot

rewrite

1 month, 3 weeks ago

7b143ef2

Update hypothesis from 6.142.3 to 6.142.4

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/hypothesis-6.142.4

1 month, 3 weeks ago

123705a0

Bump hypothesis from 6.142.3 to 6.142.4 Bumps [hypothesis](https://github.com/HypothesisWorks/hypot

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/psutil-7.1.2

1 month, 3 weeks ago

185c9d04

Bump psutil from 7.1.1 to 7.1.2 Bumps [psutil](https://github.com/giampaolo/psutil) from 7.1.1 to 7

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/psycopg-064864f8f9

1 month, 3 weeks ago

771d3f19

Bump the psycopg group with 2 updates Bumps the psycopg group with 2 updates: [psycopg](https://git

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/tweepy-4.16.0

1 month, 3 weeks ago

3cfcc3b6

Bump tweepy from 4.14.0 to 4.16.0 Dependabot couldn't find the original pull request head commit, 6

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

1 month, 3 weeks ago

7392ae3b

Update orjson from 3.11.3 to 3.11.4

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

1 month, 3 weeks ago

af675022

Bump github/codeql-action from 4.30.9 to 4.31.0 Bumps [github/codeql-action](https://github.com/git

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

1 month, 3 weeks ago

2ddf27b9

Update FFmpeg to 8.0

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/orjson-3.11.4

1 month, 3 weeks ago

76fa1a20

Bump orjson from 3.11.3 to 3.11.4 Bumps [orjson](https://github.com/ijl/orjson) from 3.11.3 to 3.11

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/psycopg-064864f8f9

1 month, 3 weeks ago

003708db

Bump the psycopg group with 2 updates Bumps the psycopg group with 2 updates: [psycopg](https://git

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/github_actions/github/codeql-action-4.31.0

1 month, 3 weeks ago

a8a0cf66

Bump github/codeql-action from 4.30.9 to 4.31.0 Bumps [github/codeql-action](https://github.com/git

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

1 month, 3 weeks ago

a6de0715

[Discord] Ensure yt-dlp uses FFmpeg in bin folder

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

1 month, 3 weeks ago

6cbea097

[Discord] Add and use Bot.bin_path attribute

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

1 month, 3 weeks ago

570bf757

Update FFmpeg to 7.0

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

1 month, 3 weeks ago

996fca69

[Discord] Update yt-dlp from 2025.10.14 to 2025.10.22

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx