Skip to content

Fix for GHSA-4xgf-cpjx-pc3j#186

Closed
keycard-gh-workflows-access[bot] wants to merge 1 commit into
mainfrom
socket/fix/GHSA-4xgf-cpjx-pc3j
Closed

Fix for GHSA-4xgf-cpjx-pc3j#186
keycard-gh-workflows-access[bot] wants to merge 1 commit into
mainfrom
socket/fix/GHSA-4xgf-cpjx-pc3j

Conversation

@keycard-gh-workflows-access

Copy link
Copy Markdown
Contributor

Socket fix for GHSA-4xgf-cpjx-pc3j.

Vulnerability Summary: pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size

Severity: MODERATE

Affected Packages: pydantic-settings (PIP)

…urce follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedpypi/​pydantic-settings@​2.14.0 ⏵ 2.14.2100 +1100 +2100100100

View full report

@Larry-Osakwe

Copy link
Copy Markdown
Contributor

Obsolete: #187 merged (Jul 8) and bumps this package to or past the fixed version this PR targets. Main's uv.lock now resolves aiohttp 3.14.1, authlib 1.7.1, idna 3.15, langchain-core 1.4.8, langsmith 0.8.18, pydantic-ai 2.0.0, pydantic-settings 2.14.2, among others.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant