fix: update idna lockfile dependency #38

Merged: cesarenaldi merged 1 commit into main from fix/idna-vulnerability on May 22, 2026

@cesarenaldi cesarenaldi commented May 22, 2026

Summary

Dependency path

  • idna is transitive through httpx and anyio
  • no direct dependency constraint change was needed

Verification

  • uv tree --package idna --invert
  • make lint
  • make format-check
  • make typecheck
  • make test

Note

Low Risk
Low risk because this is a lockfile-only transitive dependency bump, with no application code changes. Runtime behavior could change slightly for URL/IDNA handling in httpx-related paths.

Overview
Bumps the resolved idna package in uv.lock from 3.13 to 3.16 (updating the recorded sdist/wheel URLs and hashes) to address the associated vulnerability advisory.

No direct dependency constraints or application code are modified; only the lockfile resolution changes for this transitive dependency (used via httpx/anyio).

Reviewed by Cursor Bugbot for commit 24ca1db. Bugbot is set up for automated code reviews on this repo.

@cesarenaldi cesarenaldi merged commit 60a1139 into main May 22, 2026
7 checks passed
@cesarenaldi cesarenaldi deleted the fix/idna-vulnerability branch May 22, 2026 15:32