fix: upgrade Pygments to 2.20.0#216

Merged
williajm merged 1 commit into
mainfrom
fix/pygments-security-update
Mar 31, 2026

Conversation

@williajm (Owner)

Summary

  • Upgrades Pygments from 2.19.2 to 2.20.0 in .github/requirements/bandit.txt
  • Resolves CVE-2026-4539 (Low)
  • Addresses Dependabot security alert

Test plan

  • Verified Pygments 2.20.0 with correct hash in bandit.txt
  • CI tests pass

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
codecov Bot commented Mar 31, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@github-actions

🧪 Test Results for 9f015d0

Summary

All tests passed!

| Test Suite | Status | Passed | Failed | Skipped | Duration |
|---|---|---|---|---|---|
| Unit Tests - Python 3.11 | ✅ | 966 | 0 | 0 | 14s |
| Unit Tests - Python 3.14 | ✅ | 966 | 0 | 0 | 15s |
| Unit Tests - Python 3.13 | ✅ | 966 | 0 | 0 | 14s |
| Unit Tests - Python 3.12 | ✅ | 966 | 0 | 0 | 14s |
| Integration | ✅ | 5 | 0 | 0 | 0s |
| E2E | ✅ | 29 | 0 | 0 | 40s |
| Total | ✅ | 3898 | 0 | 0 | - |

📊 Coverage

Coverage reports are available in the workflow artifacts.

@williajm williajm merged commit f0bf518 into main Mar 31, 2026
28 checks passed
@williajm williajm deleted the fix/pygments-security-update branch March 31, 2026 15:18
williajm added a commit that referenced this pull request May 20, 2026
…ow-unneeded ignore

The prior fix (commit f0bf518, PR #216) only upgraded pygments in
.github/requirements/bandit.txt — the project's own uv.lock was left
at 2.19.2, meaning the runtime dependency was still vulnerable and
the --ignore-vuln CVE-2026-4539 in pip-audit was masking it.

Bumps pygments in uv.lock to 2.20.0 (the published fix) and removes
the now-superfluous ignore and its TODO from the pip-audit step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
williajm added a commit that referenced this pull request May 20, 2026
…026-45409) (#222)

* security: Bump authlib 1.7.0 → 1.7.2 and idna 3.11 → 3.15 for Dependabot alerts

- authlib: CVE-2026-44681 (moderate)
- idna: CVE-2026-45409 (moderate)

Updates uv.lock (resolved versions) and .clusterfuzzlite/requirements.txt
(hash-pinned). Lock regenerated with --exclude-newer 2026-05-17 per the
3-day supply-chain buffer documented in CLAUDE.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: tighten authlib floor to >=1.7.1 and remove exclude-newer marker

CI failed on the prior commit because `uv lock` (with UV_EXCLUDE_NEWER=7d
in my local env) stamped `exclude-newer` into uv.lock's manifest. CI runs
`uv sync --locked` without that env var and refused the lockfile
("Resolving despite existing lockfile due to removal of global exclude
newer"). The 3-day buffer is incompatible with --locked installs (per
mcp_kafka/CLAUDE.md guidance, applies equally here) — it is only useful
during lock generation, not in CI.

Regenerated uv.lock with UV_EXCLUDE_NEWER unset so the resulting lockfile
matches what CI will produce. Result is byte-identical to the previous
commit minus the exclude-newer manifest line.

Also bumps the authlib floor in pyproject.toml from >=1.6.11 to >=1.7.1
to prevent regression on CVE-2026-44681.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: ignore disputed pyjwt PYSEC-2025-183 in pip-audit

Adds --ignore-vuln PYSEC-2025-183 to the pip-audit step, matching the
existing pattern for pygments CVE-2026-4539. The advisory is disputed
by the supplier (key length is the consumer's responsibility, not the
library's), and pyjwt 2.12.1 is the latest published version — no fix
is available to upgrade to.

This is a pre-existing issue surfaced by the OSV database; it affects
main too and was blocking the authlib/idna PR from going green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* security: Upgrade pygments 2.19.2 → 2.20.0 (CVE-2026-4539) and drop now-unneeded ignore

The prior fix (commit f0bf518, PR #216) only upgraded pygments in
.github/requirements/bandit.txt — the project's own uv.lock was left
at 2.19.2, meaning the runtime dependency was still vulnerable and
the --ignore-vuln CVE-2026-4539 in pip-audit was masking it.

Bumps pygments in uv.lock to 2.20.0 (the published fix) and removes
the now-superfluous ignore and its TODO from the pip-audit step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>