
Upgrade black to 26.3.1 and relock dependencies#39

Merged: druzsan merged 7 commits into master from copilot/fix-dependabot-alerts-manually on Apr 1, 2026

Conversation


Copilot AI commented Mar 13, 2026

Fixes arbitrary file writes vulnerability in black <26.3.1 via unsanitized cache file names.

  • pyproject.toml: Bump black from >=25.9.0,<26.0.0 to >=26.3.1,<27.0.0
  • poetry.lock: Regenerated with Poetry 2.2.1 (matching CI) — previous lock was generated with 2.3.2, causing "pyproject.toml changed significantly" failures across all CI jobs
  • Makefile: Remove stale --ignore-vuln GHSA-xm59-rqc7-hhvf from pip-audit (already fixed in nbconvert 7.17.0)
  • Code reformatting: 6 files reformatted to satisfy black 26.3.1 (removed extra blank line between imports and # %% cell markers)
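The description above makes the point that bumping the constraint in pyproject.toml only matters if poetry.lock is actually regenerated to pin the fixed release. The following is an added example (not code from this PR or the project) of a small CI gate that reads the `[[package]]` tables of a poetry.lock and fails if any package named in this PR is locked below the fixed version the PR cites (black 26.3.1, tornado 6.5.5, nbconvert 7.17.0). The lock excerpt is constructed for the example; the parser is a deliberately minimal regex over the lock format and the version comparison handles plain dotted versions only, not the full PEP 440 grammar.

```python
import re

# Constructed excerpt of a poetry.lock file; not the project's real lock.
SAMPLE_LOCK = """\
[[package]]
name = "black"
version = "26.3.1"
description = "The uncompromising code formatter."

[[package]]
name = "tornado"
version = "6.5.5"
description = "Tornado is a Python web framework."

[[package]]
name = "nbconvert"
version = "7.17.0"
description = "Converting Jupyter Notebooks"
"""

# Minimum fixed versions as stated in the PR description and commit messages.
MINIMUM_FIXED = {
    "black": "26.3.1",
    "tornado": "6.5.5",
    "nbconvert": "7.17.0",
}


def parse_lock_versions(lock_text):
    """Return {package_name: version} from the [[package]] tables of a poetry.lock.

    Minimal parser: each [[package]] table is expected to carry one-line
    `name = "..."` and `version = "..."` keys, which is how Poetry writes them.
    """
    versions = {}
    for block in re.split(r"^\[\[package\]\]\s*$", lock_text, flags=re.MULTILINE):
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.MULTILINE)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.MULTILINE)
        if name and version:
            versions[name.group(1).lower()] = version.group(1)
    return versions


def version_key(version):
    """Sort key for plain dotted versions (26.3.1 -> (26, 3, 1)).

    Non-numeric suffixes such as 'rc1' are treated as 0; this is a simplification,
    not a PEP 440 implementation.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def check_lock(lock_text, minimums=MINIMUM_FIXED):
    """Return a list of (name, locked_version, minimum) for every package that is
    missing from the lock or locked below its minimum fixed version.

    An empty list means the lock satisfies every minimum.
    """
    locked = parse_lock_versions(lock_text)
    findings = []
    for name, minimum in minimums.items():
        got = locked.get(name)
        if got is None or version_key(got) < version_key(minimum):
            findings.append((name, got, minimum))
    return findings


if __name__ == "__main__":
    problems = check_lock(SAMPLE_LOCK)
    for name, got, minimum in problems:
        print(f"{name}: locked {got!r}, need >= {minimum}")
    raise SystemExit(1 if problems else 0)
```

In a real pipeline the lock text would be read from the repository's poetry.lock, and the gate would sit next to the existing pip-audit step so that a lock file regenerated with a different Poetry version (the failure mode the description reports) is caught on the version it pins rather than only on the constraint in pyproject.toml.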


Copilot AI and others added 3 commits March 13, 2026 10:11
…rt 7.17.0 fixes CVE-2025-53000

Co-authored-by: markus-stoll <6725742+markus-stoll@users.noreply.github.com>
Bumps the pip group with 1 update in the / directory: [tornado](https://github.com/tornadoweb/tornado).


Updates `tornado` from 6.5.2 to 6.5.5
- [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst)
- [Commits](tornadoweb/tornado@v6.5.2...v6.5.5)

---
updated-dependencies:
- dependency-name: tornado
  dependency-version: 6.5.5
  dependency-type: indirect
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
Copilot AI changed the title from "[WIP] Fix dependabot alerts that could not be fixed automatically" to "Remove obsolete pip-audit ignore for fixed nbconvert vulnerability" on Mar 13, 2026
Copilot AI requested a review from markus-stoll March 13, 2026 10:15
…and remove obsolete pip-audit ignore in Makefile

Co-authored-by: markus-stoll <6725742+markus-stoll@users.noreply.github.com>
Copilot AI changed the title from "Remove obsolete pip-audit ignore for fixed nbconvert vulnerability" to "Fix Black cache file write vulnerability and remove stale pip-audit ignores" on Mar 13, 2026
Co-authored-by: markus-stoll <6725742+markus-stoll@users.noreply.github.com>
Copilot AI changed the title from "Fix Black cache file write vulnerability and remove stale pip-audit ignores" to "Upgrade Black to 26.3.1 to fix arbitrary file writes vulnerability" on Mar 13, 2026
Co-authored-by: markus-stoll <6725742+markus-stoll@users.noreply.github.com>
Copilot AI changed the title from "Upgrade Black to 26.3.1 to fix arbitrary file writes vulnerability" to "Upgrade black to 26.3.1 and relock dependencies" on Mar 13, 2026
@markus-stoll markus-stoll marked this pull request as ready for review March 23, 2026 20:27
@druzsan druzsan merged commit 01f717e into master Apr 1, 2026
43 checks passed