Safety CI > Harmon758/Harmonbot

dependabot/pip/uv-0.9.14

1 week, 5 days ago

fdcdc2b8

Bump uv from 0.8.22 to 0.9.14 Bumps [uv](https://github.com/astral-sh/uv) from 0.8.22 to 0.9.14. -

fonttools 4.60.1 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
fonttools	4.60.1	<4.61.0	show Affected versions of this package are vulnerable to path traversal due to improper handling of file paths. The `varLib.main` function does not correctly sanitize input paths, allowing the use of potentially malicious file paths. An attacker can exploit this vulnerability by crafting a path that traverses directories, potentially accessing unauthorized files or directories on the system.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

fonttools

4.60.1

<4.61.0

show

Affected versions of this package are vulnerable to path traversal due to improper handling of file paths. The `varLib.main` function does not correctly sanitize input paths, allowing the use of potentially malicious file paths. An attacker can exploit this vulnerability by crafting a path that traverses directories, potentially accessing unauthorized files or directories on the system.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/hypothesis-6.148.5

1 week, 5 days ago

2bd073b0

Bump hypothesis from 6.147.0 to 6.148.5 Bumps [hypothesis](https://github.com/HypothesisWorks/hypot

uv 0.8.22, fonttools 4.60.1 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
fonttools	4.60.1	<4.61.0	show Affected versions of this package are vulnerable to path traversal due to improper handling of file paths. The `varLib.main` function does not correctly sanitize input paths, allowing the use of potentially malicious file paths. An attacker can exploit this vulnerability by crafting a path that traverses directories, potentially accessing unauthorized files or directories on the system.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/beautifulsoup4-4.14.3

1 week, 6 days ago

6c3809e8

Bump beautifulsoup4 from 4.14.2 to 4.14.3 Bumps [beautifulsoup4](https://www.crummy.com/software/Be

uv 0.8.22, fonttools 4.60.1 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
fonttools	4.60.1	<4.61.0	show Affected versions of this package are vulnerable to path traversal due to improper handling of file paths. The `varLib.main` function does not correctly sanitize input paths, allowing the use of potentially malicious file paths. An attacker can exploit this vulnerability by crafting a path that traverses directories, potentially accessing unauthorized files or directories on the system.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/rpds-py-0.30.0

1 week, 6 days ago

9493ddfa

Bump rpds-py from 0.28.0 to 0.30.0 Bumps [rpds-py](https://github.com/crate-py/rpds) from 0.28.0 to

uv 0.8.22, fonttools 4.60.1 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
fonttools	4.60.1	<4.61.0	show Affected versions of this package are vulnerable to path traversal due to improper handling of file paths. The `varLib.main` function does not correctly sanitize input paths, allowing the use of potentially malicious file paths. An attacker can exploit this vulnerability by crafting a path that traverses directories, potentially accessing unauthorized files or directories on the system.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/pyspellchecker-0.8.4

2 weeks ago

d4104899

Bump pyspellchecker from 0.8.3 to 0.8.4 Bumps [pyspellchecker](https://github.com/barrust/pyspellch

uv 0.8.22, fonttools 4.60.1 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
fonttools	4.60.1	<4.61.0	show Affected versions of this package are vulnerable to path traversal due to improper handling of file paths. The `varLib.main` function does not correctly sanitize input paths, allowing the use of potentially malicious file paths. An attacker can exploit this vulnerability by crafting a path that traverses directories, potentially accessing unauthorized files or directories on the system.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/anyio-4.12.0

2 weeks, 1 day ago

224e9900

Bump anyio from 4.11.0 to 4.12.0 Bumps [anyio](https://github.com/agronholm/anyio) from 4.11.0 to 4

uv 0.8.22, fonttools 4.60.1 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
fonttools	4.60.1	<4.61.0	show Affected versions of this package are vulnerable to path traversal due to improper handling of file paths. The `varLib.main` function does not correctly sanitize input paths, allowing the use of potentially malicious file paths. An attacker can exploit this vulnerability by crafting a path that traverses directories, potentially accessing unauthorized files or directories on the system.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/ty-0.0.1a29

2 weeks, 1 day ago

ad017499

Bump ty from 0.0.1a25 to 0.0.1a29 Bumps [ty](https://github.com/astral-sh/ty) from 0.0.1a25 to 0.0.

uv 0.8.22, fonttools 4.60.1 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
fonttools	4.60.1	<4.61.0	show Affected versions of this package are vulnerable to path traversal due to improper handling of file paths. The `varLib.main` function does not correctly sanitize input paths, allowing the use of potentially malicious file paths. An attacker can exploit this vulnerability by crafting a path that traverses directories, potentially accessing unauthorized files or directories on the system.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/fonttools-4.61.0

2 weeks, 1 day ago

30660650

Bump fonttools from 4.60.1 to 4.61.0 Bumps [fonttools](https://github.com/fonttools/fonttools) from

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/mypy-1.19.0

2 weeks, 1 day ago

ba167609

Bump mypy from 1.18.2 to 1.19.0 Bumps [mypy](https://github.com/python/mypy) from 1.18.2 to 1.19.0.

uv 0.8.22, fonttools 4.60.1 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
fonttools	4.60.1	<4.61.0	show Affected versions of this package are vulnerable to path traversal due to improper handling of file paths. The `varLib.main` function does not correctly sanitize input paths, allowing the use of potentially malicious file paths. An attacker can exploit this vulnerability by crafting a path that traverses directories, potentially accessing unauthorized files or directories on the system.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/ruff-0.14.7

2 weeks, 1 day ago

1169b2da

Bump ruff from 0.14.4 to 0.14.7 Bumps [ruff](https://github.com/astral-sh/ruff) from 0.14.4 to 0.14

uv 0.8.22, fonttools 4.60.1 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
fonttools	4.60.1	<4.61.0	show Affected versions of this package are vulnerable to path traversal due to improper handling of file paths. The `varLib.main` function does not correctly sanitize input paths, allowing the use of potentially malicious file paths. An attacker can exploit this vulnerability by crafting a path that traverses directories, potentially accessing unauthorized files or directories on the system.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/hypothesis-6.148.3

2 weeks, 2 days ago

e358d66a

Bump hypothesis from 6.147.0 to 6.148.3 Bumps [hypothesis](https://github.com/HypothesisWorks/hypot

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/uv-0.9.13

2 weeks, 3 days ago

b28c6e4d

Bump uv from 0.8.22 to 0.9.13 Bumps [uv](https://github.com/astral-sh/uv) from 0.8.22 to 0.9.13. -

gitpython 3.1.40 has known security vulnerabilities.

Package	Installed	Affected	Info
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/pydantic-a996aba0cd

2 weeks, 3 days ago

0a38ce48

Bump pydantic from 2.12.4 to 2.12.5 in the pydantic group Bumps the pydantic group with 1 update: [

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/ty-0.0.1a28

2 weeks, 4 days ago

065ae551

Bump ty from 0.0.1a25 to 0.0.1a28 Bumps [ty](https://github.com/astral-sh/ty) from 0.0.1a25 to 0.0.

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/uv-0.9.12

2 weeks, 4 days ago

b97d1592

Bump uv from 0.8.22 to 0.9.12 Bumps [uv](https://github.com/astral-sh/uv) from 0.8.22 to 0.9.12. -

gitpython 3.1.40 has known security vulnerabilities.

Package	Installed	Affected	Info
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx