
fix: resolve Dependabot security vulnerabilities (v1.3.2)#370

Merged
mxcoppell merged 1 commit into main from feature/security-fix-dependabot-20260318 on Mar 18, 2026

Conversation

@mxcoppell (Owner)

Summary

  • black 24.10.0 → 26.3.1 — fixes HIGH severity arbitrary file writes from unsanitized user input in cache file name
  • filelock 3.20.2 → 3.25.2 — fixes MEDIUM severity TOCTOU symlink vulnerability in SoftFileLock (patched in 3.20.3)
  • virtualenv 20.36.0 → 21.2.0 — fixes MEDIUM severity TOCTOU vulnerabilities in directory creation (patched in 20.36.1)

Resolves Dependabot alerts #11, #12, #13.

Test plan

  • poetry show black → 26.3.1
  • poetry show filelock → 3.25.2
  • poetry show virtualenv → 21.2.0
  • poetry run black --check src/ tests/ → 78 files unchanged
  • poetry run pytest → 350 tests passed
  • Confirm Dependabot alerts #11, #12, #13 auto-close after merge

- Update black 24.10.0 → 26.3.1 (HIGH: arbitrary file writes in cache file name)
- Update filelock 3.20.2 → 3.25.2 (MEDIUM: TOCTOU symlink vulnerability)
- Update virtualenv 20.36.0 → 21.2.0 (MEDIUM: TOCTOU directory creation vulnerabilities)

Resolves Dependabot alerts #11, #12, #13.
mxcoppell merged commit eeb3073 into main on Mar 18, 2026
6 checks passed
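The test plan above verifies each upgraded package by hand with `poetry show <pkg>`. The following is an added example, not code from the PR or the project: it parses `poetry show`-style output and flags any package still below the minimum patched version, so the three version checks run as a single gate. The sample output is constructed. The floors for filelock (3.20.3) and virtualenv (20.36.1) are the "patched in" releases the PR names; the page does not state the first patched release of black, so the version the PR upgrades to (26.3.1) is assumed as its floor.

```python
"""Dependency version gate for a security-fix PR.

Added example, not part of the PR or the project. It parses `poetry show`-style
output and flags any package still below the minimum patched version, so the
"poetry show <pkg> -> <version>" steps of the test plan run as one check.
"""
import re
from typing import Dict, Tuple

# Minimum fixed versions taken from the PR text. filelock and virtualenv use
# the "patched in" releases the PR names; black's first patched release is not
# stated on the page, so the version the PR upgrades to is used as the floor
# (assumption).
MIN_FIXED: Dict[str, str] = {
    "black": "26.3.1",
    "filelock": "3.20.3",
    "virtualenv": "20.36.1",
}

_RELEASE_RE = re.compile(r"^\d+(?:\.\d+)*")


def normalize_name(name: str) -> str:
    """PEP 503 normalization so 'File_Lock' and 'filelock' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Return the numeric release segment as a tuple for ordering.

    Pre-release and local suffixes ('26.3.1a1', '3.20.2+local') are dropped;
    comparing only the release segment is sufficient for these packages.
    """
    m = _RELEASE_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def version_at_least(installed: str, minimum: str) -> bool:
    """True when installed >= minimum, treating 3.20 and 3.20.0 as equal."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def parse_poetry_show(text: str) -> Dict[str, str]:
    """Map package name -> version from `poetry show` output.

    Each line is 'name version description...'; poetry inserts a '(!)' marker
    after the name for packages that are locked but not installed.
    """
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        name, rest = parts[0], parts[1:]
        if rest[0] == "(!)":
            rest = rest[1:]
        if rest:
            installed[normalize_name(name)] = rest[0]
    return installed


def find_unpatched(installed: Dict[str, str],
                   minimums: Dict[str, str] = MIN_FIXED) -> Dict[str, Tuple[str, str]]:
    """Return {package: (installed, minimum)} for every package below its
    floor, or missing from the environment entirely."""
    problems: Dict[str, Tuple[str, str]] = {}
    for pkg, floor in minimums.items():
        have = installed.get(normalize_name(pkg))
        if have is None or not version_at_least(have, floor):
            problems[pkg] = (have or "missing", floor)
    return problems


# Constructed `poetry show` output, before and after the PR's upgrades.
BEFORE = """\
black         24.10.0  The uncompromising code formatter.
filelock      3.20.2   A platform independent file lock.
pytest        8.3.4    pytest: simple powerful testing with Python
virtualenv    20.36.0  Virtual Python Environment builder
"""
AFTER = (BEFORE.replace("24.10.0", "26.3.1")
               .replace("3.20.2", "3.25.2")
               .replace("20.36.0", "21.2.0"))

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        bad = find_unpatched(parse_poetry_show(text))
        print(f"{label}: {'FAIL' if bad else 'OK'} {bad}")
```

To gate a real environment, feed the output of `poetry show` to `parse_poetry_show` and fail the build when `find_unpatched` returns anything; a package that is locked but not installed is reported as "missing" rather than silently passing.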