Safety CI > mzollin/qr-pirate

master

2 days, 1 hour ago

fe2d0614

Merge pull request #333 from mzollin/pyup-update-pillow-12.1.0-to-12.1.1 Update pillow to 12.1.1

No dependencies with known security vulnerabilities.

pyup-update-pillow-12.1.0-to-12.1.1

1 week ago

e74c069b

Update pillow from 12.1.0 to 12.1.1

No dependencies with known security vulnerabilities.

master

1 week, 6 days ago

c61637da

Merge pull request #332 from mzollin/pyup-update-zbarlight-2.3-to-4.0 Update zbarlight to 4.0

No dependencies with known security vulnerabilities.

pyup-update-zbarlight-2.3-to-4.0

2 weeks, 2 days ago

3b3a6179

Update zbarlight from 2.3 to 4.0

No dependencies with known security vulnerabilities.

master

2 weeks, 3 days ago

b11cd869

Merge pull request #331 from mzollin/pyup-update-soupsieve-2.8.1-to-2.8.3 Update soupsieve to 2.8.3

No dependencies with known security vulnerabilities.

pyup-update-soupsieve-2.8.1-to-2.8.3

4 weeks, 1 day ago

2ee8b46a

Update soupsieve from 2.8.1 to 2.8.3

No dependencies with known security vulnerabilities.

pyup-update-soupsieve-2.8.1-to-2.8.2

1 month ago

c93da2e1

Update soupsieve from 2.8.1 to 2.8.2

No dependencies with known security vulnerabilities.

master

1 month, 1 week ago

c8669f65

Merge pull request #328 from mzollin/pyup-update-certifi-2025.11.12-to-2026.1.4 Update certifi to 2

No dependencies with known security vulnerabilities.

master

1 month, 1 week ago

60dfc4a8

Merge pull request #327 from mzollin/pyup-update-pillow-12.0.0-to-12.1.0 Update pillow to 12.1.0

No dependencies with known security vulnerabilities.

pyup-update-soupsieve-2.8-to-2.8.1

1 month, 1 week ago

a278127f

Merge branch 'master' into pyup-update-soupsieve-2.8-to-2.8.1

No dependencies with known security vulnerabilities.

master

1 month, 1 week ago

6fdf9c08

Merge pull request #325 from mzollin/pyup-update-soupsieve-2.8-to-2.8.1 Update soupsieve to 2.8.1

No dependencies with known security vulnerabilities.

master

1 month, 1 week ago

369293d2

Merge pull request #329 from mzollin/pyup-update-urllib3-2.5.0-to-2.6.3 Update urllib3 to 2.6.3

No dependencies with known security vulnerabilities.

pyup-update-urllib3-2.5.0-to-2.6.3

1 month, 1 week ago

05b30330

Update urllib3 from 2.5.0 to 2.6.3

No dependencies with known security vulnerabilities.

pyup-update-certifi-2025.11.12-to-2026.1.4

1 month, 2 weeks ago

9ff9c61b

Update certifi from 2025.11.12 to 2026.1.4

urllib3 2.5.0 has known security vulnerabilities.

Package	Installed	Affected	Info
urllib3	2.5.0	>=1.22,<2.6.3	show Affected versions of the urllib3 package are vulnerable to Denial of Service (DoS) due to redirect handling that drains connections by decompressing redirect response bodies without enforcing streaming read limits. The issue occurs when using urllib3’s streaming mode (for example, preload_content=False) while allowing redirects, because urllib3.response.HTTPResponse.drain_conn() would call HTTPResponse.read() in a way that decoded/decompressed the entire redirect response body even before any streaming reads were performed, effectively bypassing decompression-bomb safeguards.
urllib3	2.5.0	>=1.0,<2.6.0	show Affected versions of the urllib3 package are vulnerable to Denial of Service (DoS) due to improper handling of highly compressed HTTP response bodies during streaming decompression. The urllib3.HTTPResponse methods stream(), read(), read1(), read_chunked(), and readinto() may fully decompress a minimal but highly compressed payload based on the Content-Encoding header into an internal buffer instead of limiting the decompressed output to the requested chunk size, causing excessive CPU usage and massive memory allocation on the client side.
urllib3	2.5.0	>=1.24,<2.6.0	show Affected versions of the urllib3 package are vulnerable to Denial of Service (DoS) due to allowing an unbounded number of content-encoding decompression steps for HTTP responses. The HTTPResponse content decoding pipeline in urllib3 follows the Content-Encoding header and applies each advertised compression algorithm in sequence without enforcing a maximum chain length or effective output size, so a malicious peer can send a response with a very long encoding chain that triggers excessive CPU use and massive memory allocation during decompression.

Package

Installed

Affected

Info

urllib3

2.5.0

>=1.22,<2.6.3

show

Affected versions of the urllib3 package are vulnerable to Denial of Service (DoS) due to redirect handling that drains connections by decompressing redirect response bodies without enforcing streaming read limits. The issue occurs when using urllib3’s streaming mode (for example, preload_content=False) while allowing redirects, because urllib3.response.HTTPResponse.drain_conn() would call HTTPResponse.read() in a way that decoded/decompressed the entire redirect response body even before any streaming reads were performed, effectively bypassing decompression-bomb safeguards.

urllib3

2.5.0

>=1.0,<2.6.0

show

Affected versions of the urllib3 package are vulnerable to Denial of Service (DoS) due to improper handling of highly compressed HTTP response bodies during streaming decompression. The urllib3.HTTPResponse methods stream(), read(), read1(), read_chunked(), and readinto() may fully decompress a minimal but highly compressed payload based on the Content-Encoding header into an internal buffer instead of limiting the decompressed output to the requested chunk size, causing excessive CPU usage and massive memory allocation on the client side.

urllib3

2.5.0

>=1.24,<2.6.0

show

Affected versions of the urllib3 package are vulnerable to Denial of Service (DoS) due to allowing an unbounded number of content-encoding decompression steps for HTTP responses. The HTTPResponse content decoding pipeline in urllib3 follows the Content-Encoding header and applies each advertised compression algorithm in sequence without enforcing a maximum chain length or effective output size, so a malicious peer can send a response with a very long encoding chain that triggers excessive CPU use and massive memory allocation during decompression.

pyup-update-pillow-12.0.0-to-12.1.0

1 month, 2 weeks ago

bfc19446

Update pillow from 12.0.0 to 12.1.0

urllib3 2.5.0 has known security vulnerabilities.

Package	Installed	Affected	Info
urllib3	2.5.0	>=1.22,<2.6.3	show Affected versions of the urllib3 package are vulnerable to Denial of Service (DoS) due to redirect handling that drains connections by decompressing redirect response bodies without enforcing streaming read limits. The issue occurs when using urllib3’s streaming mode (for example, preload_content=False) while allowing redirects, because urllib3.response.HTTPResponse.drain_conn() would call HTTPResponse.read() in a way that decoded/decompressed the entire redirect response body even before any streaming reads were performed, effectively bypassing decompression-bomb safeguards.
urllib3	2.5.0	>=1.0,<2.6.0	show Affected versions of the urllib3 package are vulnerable to Denial of Service (DoS) due to improper handling of highly compressed HTTP response bodies during streaming decompression. The urllib3.HTTPResponse methods stream(), read(), read1(), read_chunked(), and readinto() may fully decompress a minimal but highly compressed payload based on the Content-Encoding header into an internal buffer instead of limiting the decompressed output to the requested chunk size, causing excessive CPU usage and massive memory allocation on the client side.
urllib3	2.5.0	>=1.24,<2.6.0	show Affected versions of the urllib3 package are vulnerable to Denial of Service (DoS) due to allowing an unbounded number of content-encoding decompression steps for HTTP responses. The HTTPResponse content decoding pipeline in urllib3 follows the Content-Encoding header and applies each advertised compression algorithm in sequence without enforcing a maximum chain length or effective output size, so a malicious peer can send a response with a very long encoding chain that triggers excessive CPU use and massive memory allocation during decompression.

Package

Installed

Affected

Info

urllib3

2.5.0

>=1.22,<2.6.3

show

Affected versions of the urllib3 package are vulnerable to Denial of Service (DoS) due to redirect handling that drains connections by decompressing redirect response bodies without enforcing streaming read limits. The issue occurs when using urllib3’s streaming mode (for example, preload_content=False) while allowing redirects, because urllib3.response.HTTPResponse.drain_conn() would call HTTPResponse.read() in a way that decoded/decompressed the entire redirect response body even before any streaming reads were performed, effectively bypassing decompression-bomb safeguards.

urllib3

2.5.0

>=1.0,<2.6.0

show

Affected versions of the urllib3 package are vulnerable to Denial of Service (DoS) due to improper handling of highly compressed HTTP response bodies during streaming decompression. The urllib3.HTTPResponse methods stream(), read(), read1(), read_chunked(), and readinto() may fully decompress a minimal but highly compressed payload based on the Content-Encoding header into an internal buffer instead of limiting the decompressed output to the requested chunk size, causing excessive CPU usage and massive memory allocation on the client side.

urllib3

2.5.0

>=1.24,<2.6.0

show

Affected versions of the urllib3 package are vulnerable to Denial of Service (DoS) due to allowing an unbounded number of content-encoding decompression steps for HTTP responses. The HTTPResponse content decoding pipeline in urllib3 follows the Content-Encoding header and applies each advertised compression algorithm in sequence without enforcing a maximum chain length or effective output size, so a malicious peer can send a response with a very long encoding chain that triggers excessive CPU use and massive memory allocation during decompression.