Merged
8 changes: 4 additions & 4 deletions .clusterfuzzlite/requirements.txt
Expand Up @@ -27,8 +27,8 @@ cryptography==46.0.7 \
--hash=sha256:5ad9ef796328c5e3c4ceed237a183f5d41d21150f972455a9d926593a1dcb308

# OAuth/OIDC authentication dependencies (added in v1.1.0)
authlib==1.6.11 \
--hash=sha256:c8687a9a26451c51a34a06fa17bb97cb15bba46a6a626755e2d7f50da8bff3e3
authlib==1.7.2 \
--hash=sha256:3e1faedc9d87e7d56a164eca3ccb6ace0d61b94abe83e92242f8dc8bba9b4a9f

httpx==0.28.1 \
--hash=sha256:d909fcccc110f8c7faf814ca82a9a4d816bc5a6dbfea25d6591d6985b8ba59ad
Expand Down Expand Up @@ -91,8 +91,8 @@ sniffio==1.3.1 \
certifi==2025.11.12 \
--hash=sha256:97de8790030bbd5c2d96b7ec782fc2f7820ef8dba6db909ccf95449f2d062d4b

idna==3.11 \
--hash=sha256:771a87f49d9defaf64091e6e6fe9c18d4833f140bd19464795bc32d966ca37ea
idna==3.15 \
--hash=sha256:048adeaf8c2d788c40fee287673ccaa74c24ffd8dcf09ffa555a2fbb59f10ac8

exceptiongroup==1.3.0 \
--hash=sha256:4d111e6e0c13d0644cad6ddaa7ed0261a0b36971f6d23e7ec9b4b9097da78a10
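--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -291,10 +291,11 @@ jobs:
 - name: Run pip-audit (CVE scanning)
 run: |
 uv export --no-emit-project > /tmp/requirements.txt
-# TODO: Remove --ignore-vuln once pygments releases a fix for CVE-2026-4539
-# (ReDoS in AdlLexer, local access only, no fix available as of 2026-03-26)
+# TODO: Remove --ignore-vuln PYSEC-2025-183 once pyjwt addresses it or
+# the advisory is withdrawn. Disputed by supplier — key strength is the
+# consumer's responsibility; no fix version available as of 2026-05-20.
 uvx pip-audit --strict --desc --require-hashes -r /tmp/requirements.txt \
---ignore-vuln CVE-2026-4539
+--ignore-vuln PYSEC-2025-183
 
 build:
 name: Build Package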
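Review bot: The added `--ignore-vuln PYSEC-2025-183` line is justified in the comment by "key strength is the consumer's responsibility", yet this project is that consumer and the comment does not say where it enforces a minimum signing-key length. I would add a line such as `# Mitigation: minimum key length enforced in <PATH-TO-KEY-VALIDATION> (placeholder); tracked in <ISSUE-URL>` so the suppression carries its own evidence and a re-review trigger instead of an open-ended TODO. The same edit drops the CVE-2026-4539 ignore; the uv.lock diff is not rendered on this page, so it is worth confirming the locked pygments version is a fixed one, since `--strict` would otherwise fail the job. The step belongs to a job that begins outside the hunk.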
2 changes: 1 addition & 1 deletion pyproject.toml
Expand Up @@ -46,7 +46,7 @@ dependencies = [
"limits>=5.8.0",
"cachetools>=7.0.5",
"secure>=1.0.1",
"authlib>=1.6.11", # GHSA-jj8c-mmj3-mmgv
"authlib>=1.7.1", # GHSA-jj8c-mmj3-mmgv + GHSA-r95x-qfjj-fjj2 (CVE-2026-44681)
"httpx>=0.28.1",
"typer>=0.24.1",
"python-multipart>=0.0.27", # CVE-2026-24486 / CVE-2026-40347 / GHSA-pp6c-gr5w-3c5g: Path traversal + unbounded part-header DoS
20 changes: 10 additions & 10 deletions uv.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
