Skip to content

chore(deps): upgrade Pygments 2.19.2 → 2.20.0 (security)#42

Merged
jmf-pobox merged 1 commit intomainfrom
chore/security-deps
Apr 14, 2026
Merged

chore(deps): upgrade Pygments 2.19.2 → 2.20.0 (security)#42
jmf-pobox merged 1 commit intomainfrom
chore/security-deps

Conversation

@jmf-pobox
Copy link
Copy Markdown
Owner

@jmf-pobox jmf-pobox commented Apr 14, 2026
edited by cursor Bot
Loading

Resolves Dependabot alert #2 (Pygments ReDoS). Transitive via pytest.

Also regens the one e2e fixture with the v1.2.0 version string.

  • make check (3505 tests)
  • make test-e2e (141 passed)

Note

Low Risk
Low risk: this is a lockfile-only dependency bump (transitive via test tooling) plus a regenerated example fixture string, with no production logic changes.

Overview
Resolves a Pygments security update by bumping the locked pygments version from 2.19.2 to 2.20.0 in uv.lock (including updated artifact URLs/hashes) and adjusting the lockfile revision.

Regenerates the examples/11_text_blocks/bibliography_example.tex fixture to reflect txt2tex v1.2.0 in the PDF metadata (\hypersetup{...pdfcreator=...}).

Reviewed by Cursor Bugbot for commit ee42671. Bugbot is set up for automated code reviews on this repo. Configure here.

@jmf-pobox
chore(deps): upgrade Pygments 2.19.2 → 2.20.0 (GHSA ReDoS fix)
ee42671 
Resolves Dependabot alert #2 (Pygments ReDoS via inefficient GUID
regex). Transitive dependency via pytest.

Also regenerates the one e2e fixture affected by the v1.1.0 → v1.2.0
version bump (bibliography_example.tex pdfcreator hypersetup line).

All gates green: 3505 unit + 141 e2e.
Copilot AI review requested due to automatic review settings April 14, 2026 17:03
Copilot AI reviewed Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the project’s pinned dependencies to address a Dependabot security alert (Pygments ReDoS), and refreshes a generated LaTeX example to reflect the current txt2tex version string.

Changes:

  • Bump transitive pygments pin in uv.lock from 2.19.2 to 2.20.0.
  • Regenerate examples/11_text_blocks/bibliography_example.tex metadata (pdfcreator) to txt2tex v1.2.0.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
uv.lock Updates the resolved Pygments version (and lockfile header metadata).
examples/11_text_blocks/bibliography_example.tex Updates generated pdfcreator version string to match v1.2.0.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 14, 2026

✅ Quality Gates Status

Commit: ee42671
Status: All quality checks passed

  • ✅ Linting (Ruff)
  • ✅ Type checking (MyPy strict)
  • ✅ Formatting
  • ✅ Tests with coverage

View workflow run

@jmf-pobox jmf-pobox merged commit 31c7498 into main Apr 14, 2026
7 checks passed
@jmf-pobox jmf-pobox deleted the chore/security-deps branch April 14, 2026 17:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jmf-pobox