
fix: github vulnerabilities (urllib, idna, pytest, black, requests, filelock, pytest) #223

Merged: krowvin merged 2 commits into main from patch_github_vuln on Jun 12, 2026

Conversation

@msweier msweier (Collaborator) commented Jun 10, 2026

The following are patched (only idna is patched for Python 3.9):

  • idna: Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix (medium) — fixed for all Python versions
  • urllib3: Sensitive headers forwarded across origins in proxied low-level redirects (high) — fixed for Python 3.10+
  • urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API (high) — fixed for Python 3.10+
  • pytest: Vulnerable tmpdir handling (medium) — fixed for Python 3.10+
  • requests: Insecure Temp File Reuse in extract_zipped_paths() utility function (medium) — fixed for Python 3.10+
  • black: Arbitrary file writes from unsanitized user input in cache file name (high) — fixed for Python 3.10+
  • filelock: TOCTOU Symlink Vulnerability in SoftFileLock (medium) — fixed for Python 3.10+
  • filelock: TOCTOU race condition which allows symlink attacks during lock file creation (medium) — fixed for Python 3.10+

Black formatting updated on

  • cwmscli/commands/commands_cwms.py
  • cwmscli/commands/users.py
  • tests/usgs/test_rating_ini_file_import.py

@msweier msweier requested review from Enovotny and krowvin as code owners June 10, 2026 14:36

@krowvin krowvin (Collaborator) left a comment

Looks to have some formatting changes in addition to version bumps.

Assuming you tested on your end, I'm approving the version bump!

Comment thread cwmscli/commands/commands_cwms.py
@krowvin krowvin merged commit 0935234 into main Jun 12, 2026
9 checks passed
@krowvin krowvin deleted the patch_github_vuln branch June 12, 2026 18:24
Enovotny pushed a commit that referenced this pull request Jun 25, 2026
🤖 I have created a release *beep* *boop*
---

## [0.7.4](v0.7.3...v0.7.4) (2026-06-25)

### Bug Fixes

* add failback for shef infile import when tsid doesn't exist ([#218](#218)) ([77172d2](77172d2))
* github vulnerabilities (urllib, idna, pytest, black, requests, filelock, pytest) ([#223](#223)) ([0935234](0935234))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2 participants