Safety CI > Harmon758/Harmonbot

dependabot/pip/uv-0.9.5

2 months ago

91c9cc93

Bump uv from 0.8.22 to 0.9.5 Bumps [uv](https://github.com/astral-sh/uv) from 0.8.22 to 0.9.5. - [R

gitpython 3.1.40 has known security vulnerabilities.

Package	Installed	Affected	Info
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/uv-0.9.4

2 months ago

96d0d89b

Bump uv from 0.8.22 to 0.9.4 Bumps [uv](https://github.com/astral-sh/uv) from 0.8.22 to 0.9.4. - [R

gitpython 3.1.40 has known security vulnerabilities.

Package	Installed	Affected	Info
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

2 months ago

6f17f5c4

Update discord.py to commit a0b0a97 https://github.com/Rapptz/discord.py/commit/a0b0a97e5256721e8b9

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/google-api-core-2.27.0

2 months ago

1b56a707

Bump google-api-core from 2.25.1 to 2.27.0 Bumps [google-api-core](https://github.com/googleapis/py

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/pyrefly-0.38.2

2 months ago

e78e256f

Bump pyrefly from 0.38.1 to 0.38.2 Bumps [pyrefly](https://github.com/facebook/pyrefly) from 0.38.1

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/hypothesis-6.142.3

2 months ago

b5e2bc37

Bump hypothesis from 6.142.2 to 6.142.3 Bumps [hypothesis](https://github.com/HypothesisWorks/hypot

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/yt-dlp-2025.10.22

2 months ago

0b7b4243

Bump yt-dlp from 2025.10.14 to 2025.10.22 Bumps [yt-dlp](https://github.com/yt-dlp/yt-dlp) from 202

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/rpds-py-0.28.0

2 months ago

ea116005

Bump rpds-py from 0.27.1 to 0.28.0 Bumps [rpds-py](https://github.com/crate-py/rpds) from 0.27.1 to

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/grpcio-635157d31d

2 months ago

6fbda6a9

Bump the grpcio group with 2 updates Bumps the grpcio group with 2 updates: [grpcio](https://github

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/clarifai-ed3b11d669

2 months ago

b2b8a695

Bump the clarifai group with 2 updates Bumps the clarifai group with 2 updates: [clarifai](https://

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/psycopg-064864f8f9

2 months ago

dd2eb00e

Bump the psycopg group with 2 updates Bumps the psycopg group with 2 updates: [psycopg](https://git

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/uv-0.9.5

2 months ago

73552be2

Bump uv from 0.8.22 to 0.9.5 Bumps [uv](https://github.com/astral-sh/uv) from 0.8.22 to 0.9.5. - [R

gitpython 3.1.40 has known security vulnerabilities.

Package	Installed	Affected	Info
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/uv-0.9.4

2 months ago

1411896b

Bump uv from 0.8.22 to 0.9.4 Bumps [uv](https://github.com/astral-sh/uv) from 0.8.22 to 0.9.4. - [R

gitpython 3.1.40 has known security vulnerabilities.

Package	Installed	Affected	Info
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

rewrite

2 months ago

3dd7b5e3

Update discord.py to commit e94fb45 https://github.com/Rapptz/discord.py/commit/e94fb455274d7896992

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/uv-0.9.5

2 months ago

89711baf

Bump uv from 0.8.22 to 0.9.5 Bumps [uv](https://github.com/astral-sh/uv) from 0.8.22 to 0.9.5. - [R

gitpython 3.1.40 has known security vulnerabilities.

Package	Installed	Affected	Info
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx