From 9b6db047a7d310bf7da15fbb6b4b78d53ec8f48e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jun 2026 13:18:04 +0000 Subject: [PATCH 1/2] Bump astral-sh/setup-uv from 8.1.0 to 8.2.0 Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 8.1.0 to 8.2.0. - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](https://github.com/astral-sh/setup-uv/compare/v8.1.0...v8.2.0) --- updated-dependencies: - dependency-name: astral-sh/setup-uv dependency-version: 8.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/code_checks.yml | 2 +- .github/workflows/docs.yml | 2 +- .github/workflows/publish.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/code_checks.yml b/.github/workflows/code_checks.yml index 8aa73e3..e94fff5 100644 --- a/.github/workflows/code_checks.yml +++ b/.github/workflows/code_checks.yml @@ -32,7 +32,7 @@ jobs: - uses: actions/checkout@v6.0.3 - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 with: enable-cache: true diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 1149b55..06da973 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -45,7 +45,7 @@ jobs: uses: actions/checkout@v6.0.3 - name: Install uv - uses: astral-sh/setup-uv@v8.1.0 + uses: astral-sh/setup-uv@v8.2.0 with: version: "0.5.21" enable-cache: true diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 30197fe..efd144a 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -19,7 +19,7 @@ jobs: - uses: actions/checkout@v6.0.3 - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 with: enable-cache: true From 512c38c05e27fdfe943373f294a9b4916f3ebff8 Mon Sep 17 00:00:00 2001 From: "aieng-bot[bot]" Date: Tue, 9 Jun 2026 01:02:52 +0000 Subject: [PATCH 2/2] chore: bump pip to 26.1.2 to fix PYSEC-2026-196 Bumps pip minimum version from 26.1 to 26.1.2 to address security vulnerability PYSEC-2026-196, where pip treated console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory. Co-authored-by: aieng-bot --- pyproject.toml | 2 +- uv.lock | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 085d920..4ba37cc 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -36,7 +36,7 @@ test = [ "pygments>=2.20.0", # Pinning version to address vulnerability CVE-2026-4539 "aiohttp>=3.14.0", "virtualenv>=20.36.1", - "pip>=26.1", # Pinning version to address vulnerability CVE-2026-3219 + "pip>=26.1.2", # Pinning version to address vulnerability CVE-2026-3219 and PYSEC-2026-196 ] docs = [ "jinja2>=3.1.6", # Pinning version to address vulnerability GHSA-cpwx-vrp4-4pq7 diff --git a/uv.lock b/uv.lock index b069a76..5fede06 100644 --- a/uv.lock +++ b/uv.lock @@ -338,7 +338,7 @@ test = [ { name = "codecov", specifier = ">=2.1.13" }, { name = "mypy", specifier = ">=1.7.0" }, { name = "nbqa", extras = ["toolchain"], specifier = ">=1.7.0" }, - { name = "pip", specifier = ">=26.1" }, + { name = "pip", specifier = ">=26.1.2" }, { name = "pip-audit", specifier = ">=2.7.1" }, { name = "pre-commit", specifier = ">=4.0.0" }, { name = "pygments", specifier = ">=2.20.0" }, @@ -2804,11 +2804,11 @@ wheels = [ [[package]] name = "pip" -version = "26.1" +version = "26.1.2" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/73/7e/d2b04004e1068ad4fdfa2f227b839b5d03e602e47cdbbf49de71137c9546/pip-26.1.tar.gz", hash = "sha256:81e13ebcca3ffa8cc85e4deff5c27e1ee26dea0aa7fc2f294a073ac208806ff3", size = 1840316, upload-time = "2026-04-26T21:00:05.406Z" } +sdist = { url = "https://files.pythonhosted.org/packages/01/91/47e7d486260f618783899587af63ccf7980fb60245c3e63dd4571c6b57ad/pip-26.1.2.tar.gz", hash = "sha256:f49cd134c61cf2fd75e0ce2676db03e4054504a5a4986d00f8299ae632dc4605", size = 1840799, upload-time = "2026-05-31T17:33:58.56Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/70/7a/be4bd8bcbb24ea475856dd68159d78b03b2bb53dae369f69c9606b8888f5/pip-26.1-py3-none-any.whl", hash = "sha256:4e8486d821d814b77319acb7b9e8bf5a4ee7590a643e7cb21029f209be8573c1", size = 1812804, upload-time = "2026-04-26T21:00:03.194Z" }, + { url = "https://files.pythonhosted.org/packages/5d/95/6b5cb3461ea5673ba0995989746db58eb18b91b54dbf331e72f569540946/pip-26.1.2-py3-none-any.whl", hash = "sha256:382ff9f685ee3bc25864f820aa50505825f10f5458ffff07e30a6d96e5715cab", size = 1813144, upload-time = "2026-05-31T17:33:56.772Z" }, ] [[package]]