
chore(deps): bump pygments to 2.20.0 for ReDoS fix #23

Merged
davidchris merged 1 commit into main from fix/bump-pygments-security
Apr 16, 2026

Conversation

@davidchris
Owner

Summary

  • Bumps pygments 2.19.1 → 2.20.0 in uv.lock to resolve Dependabot alert #15 (ReDoS via inefficient GUID regex).
  • Transitive dep via ipython / jupyterlab-pygments; no pyproject.toml changes needed.
  • Dependabot alert #19 (python-multipart 0.0.24 → 0.0.26, medium DoS) deferred: fixed version released 2026-04-10 falls inside the [tool.uv] exclude-newer = "7 days" quarantine window. Will be bumped in a follow-up once eligible.

Test plan

  • ruff check — clean
  • uv run pytest — 191 passed
  • uv sync — venv refreshed, pygments==2.20.0 installed
  • Alert #15 auto-dismissed after merge

🤖 Generated with Claude Code

Fixes Dependabot alert #15 (CVE: ReDoS in Pygments GUID matching regex).
Pygments is a transitive dep via ipython / jupyterlab-pygments.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@davidchris davidchris merged commit 57e7999 into main Apr 16, 2026
1 check passed