Safety CI > Harmon758/Harmonbot

dependabot/github_actions/actions/setup-python-6.1.0

2 weeks, 4 days ago

751008c7

Bump actions/setup-python from 6.0.0 to 6.1.0 Bumps [actions/setup-python](https://github.com/actio

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/pyrefly-0.43.1

2 weeks, 5 days ago

cc928243

Bump pyrefly from 0.40.0 to 0.43.1 Bumps [pyrefly](https://github.com/facebook/pyrefly) from 0.40.0

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/networkx-3.6

2 weeks, 5 days ago

f6583c6b

Bump networkx from 3.5 to 3.6 Bumps [networkx](https://github.com/networkx/networkx) from 3.5 to 3.

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/msgspec-0.20.0

2 weeks, 5 days ago

4c3f5c2e

Bump msgspec from 0.19.0 to 0.20.0 Bumps [msgspec](https://github.com/jcrist/msgspec) from 0.19.0 t

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/asyncpg-0.31.0

2 weeks, 5 days ago

3473316e

Bump asyncpg from 0.30.0 to 0.31.0 Bumps [asyncpg](https://github.com/MagicStack/asyncpg) from 0.30

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/sentry-sdk-2.46.0

2 weeks, 5 days ago

d0212515

Bump sentry-sdk from 2.43.0 to 2.46.0 Bumps [sentry-sdk](https://github.com/getsentry/sentry-python

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/github_actions/github/codeql-action-4.31.5

2 weeks, 5 days ago

013a1ebf

Bump github/codeql-action from 4.31.2 to 4.31.5 Bumps [github/codeql-action](https://github.com/git

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/backports-zstd-1.1.0

2 weeks, 6 days ago

af2cb267

Bump backports-zstd from 1.0.0 to 1.1.0 Bumps [backports-zstd](https://github.com/rogdham/backports

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/ruff-0.14.6

3 weeks, 1 day ago

0c2dbf78

Bump ruff from 0.14.4 to 0.14.6 Bumps [ruff](https://github.com/astral-sh/ruff) from 0.14.4 to 0.14

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/pyrefly-0.42.3

3 weeks, 1 day ago

df5c6a66

Bump pyrefly from 0.40.0 to 0.42.3 Bumps [pyrefly](https://github.com/facebook/pyrefly) from 0.40.0

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/psycopg-ff886ca68e

3 weeks, 1 day ago

101a1f79

Bump the psycopg group with 2 updates Bumps the psycopg group with 2 updates: [psycopg](https://git

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/github_actions/astral-sh/setup-uv-7.1.4

3 weeks, 1 day ago

006f6b1e

Bump astral-sh/setup-uv from 6.8.0 to 7.1.4 Bumps [astral-sh/setup-uv](https://github.com/astral-sh

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/pip/uv-0.9.11

3 weeks, 2 days ago

bd402143

Bump uv from 0.8.22 to 0.9.11 Bumps [uv](https://github.com/astral-sh/uv) from 0.8.22 to 0.9.11. -

gitpython 3.1.40 has known security vulnerabilities.

Package	Installed	Affected	Info
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/github_actions/actions/checkout-6.0.0

3 weeks, 2 days ago

0a76831b

Bump actions/checkout from 5.0.0 to 6.0.0 Bumps [actions/checkout](https://github.com/actions/check

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

dependabot/go_modules/retired/Discord-Listener/golang.org/x/crypto-0.45.0

3 weeks, 3 days ago

b7d9942c

Bump golang.org/x/crypto in /retired/Discord Listener Bumps [golang.org/x/crypto](https://github.co

uv 0.8.22 and gitpython 3.1.40 have known security vulnerabilities.

Package	Installed	Affected	Info
uv	0.8.22	<0.9.5	show Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.
uv	0.8.22	<0.9.6	show Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.
gitpython	3.1.40	<3.1.41	show GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. #It only affects Windows users https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Package

Installed

Affected

Info

uv

0.8.22

<0.9.5

show

Affected versions of the uv package are vulnerable to Type Confusion due to inconsistent parsing of PAX header size overrides in TAR archives. The source-distribution unpacking path in uv, implemented via the astral-tokio-tar module, may ignore a PAX “size” override when the ustar header reports size 0, causing file data to be misinterpreted as additional TAR headers and producing a different extracted file set than other Python installers.

uv

0.8.22

<0.9.6

show

Affected versions of the uv package (<= 0.9.5) are vulnerable to Improper Input Validation due to inconsistent parsing of ZIP central directory comment fields and ambiguous filename handling. The ZIP archive parser in uv assumes central directory comments are absent and does not properly validate the filename fields in local headers and central directory entries (including names containing NUL bytes), which can lead uv to misinterpret comment bytes as control structures and to skip files that other Python installers extract, creating an interpretation conflict.

gitpython

3.1.40

<3.1.41

show

GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590. 
#It only affects Windows users
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx