
fix(deps): bump Pygments to >=2.20.0 for CVE-2026-4539 #484

Closed
sergioestebance wants to merge 1 commit into main from fix/deps-pygments-2.20.0


Conversation

@sergioestebance

Contributor

Summary

  • Add uv constraint to pin Pygments to >=2.20.0 to fix CVE-2026-4539 (ReDoS via inefficient regex for GUID matching)

Production impact

Very low. Pygments is a transitive dependency via rich, used for syntax highlighting. The ReDoS requires crafted GUID-like input to trigger.

Fixes #251
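The description above adds a uv constraint and bumps the lockfile, but nothing on the page shows how to verify that the resolved lockfile actually honours the constraint. The following is an added example (not code from this PR or from the project) of a CI-style audit: it reads `[tool.uv] constraint-dependencies` from a pyproject.toml, reads the resolved package versions from a uv.lock, and reports any package whose locked version violates a constraint, along with which packages pull it in. The pyproject.toml and uv.lock excerpts are constructed for the example (real uv.lock files carry more fields, which this check ignores), and the assumed constraint is the one the PR describes, `pygments>=2.20.0`.

```python
"""Audit a uv.lock against [tool.uv] constraint-dependencies (added example)."""
import re

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed pyproject.toml excerpt carrying the constraint this PR adds.
PYPROJECT = '''
[project]
name = "example-app"
version = "0.1.0"
dependencies = ["rich>=13"]

[tool.uv]
constraint-dependencies = ["pygments>=2.20.0"]
'''

# Constructed uv.lock excerpt as it would look before the bump: Pygments 2.19.1,
# reached only transitively through rich.
LOCK_BEFORE = '''
version = 1

[[package]]
name = "pygments"
version = "2.19.1"

[[package]]
name = "rich"
version = "13.9.4"
dependencies = [
    { name = "markdown-it-py" },
    { name = "pygments" },
]
'''

# Same graph after the bump to 2.20.0.
LOCK_AFTER = LOCK_BEFORE.replace('version = "2.19.1"', 'version = "2.20.0"')

# Minimal specifier grammar: one comparison operator and a dotted numeric version.
_SPEC = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)\s*$")


def normalize(name):
    """PEP 503-style name normalisation so 'Pygments' and 'pygments' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version):
    """Turn '2.20.0' into (2, 20, 0) for ordered comparison (numeric releases only)."""
    return tuple(int(part) for part in version.split("."))


def satisfies(version, op, bound):
    """True if `version` satisfies `<op><bound>`; shorter tuples are zero-padded."""
    a, b = version_key(version), version_key(bound)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return {">=": a >= b, "<=": a <= b, "==": a == b, "!=": a != b, ">": a > b, "<": a < b}[op]


def parse_constraints(pyproject_text):
    """Map normalised package name -> list of (op, bound) from [tool.uv]."""
    data = tomllib.loads(pyproject_text)
    constraints = {}
    for spec in data.get("tool", {}).get("uv", {}).get("constraint-dependencies", []):
        match = _SPEC.match(spec)
        if not match:
            raise ValueError(f"unsupported constraint syntax: {spec!r}")
        constraints.setdefault(normalize(match.group(1)), []).append((match.group(2), match.group(3)))
    return constraints


def locked_versions(lock_text):
    """Map normalised package name -> resolved version from the lockfile."""
    return {normalize(p["name"]): p["version"] for p in tomllib.loads(lock_text).get("package", [])}


def dependents(lock_text, name):
    """Packages in the lockfile that list `name` as a direct dependency."""
    target = normalize(name)
    packages = tomllib.loads(lock_text).get("package", [])
    return sorted(
        normalize(p["name"])
        for p in packages
        if any(normalize(d["name"]) == target for d in p.get("dependencies", []))
    )


def audit(pyproject_text, lock_text):
    """Return one message per constraint the lockfile violates (empty list = clean)."""
    problems = []
    locked = locked_versions(lock_text)
    for name, specs in parse_constraints(pyproject_text).items():
        if name not in locked:
            continue  # a constraint only binds packages that are actually in the graph
        for op, bound in specs:
            if not satisfies(locked[name], op, bound):
                via = ", ".join(dependents(lock_text, name)) or "direct"
                problems.append(f"{name}=={locked[name]} violates {op}{bound} (pulled in by: {via})")
    return problems


if __name__ == "__main__":
    for label, lock in (("before", LOCK_BEFORE), ("after", LOCK_AFTER)):
        print(label, audit(PYPROJECT, lock) or ["ok"])
```

Run against the real files by replacing the constructed strings with the contents of pyproject.toml and uv.lock; a non-empty result from `audit` is the condition a CI job should fail on, so a re-lock that silently resolves below the constrained floor cannot merge.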

@sergioestebance sergioestebance force-pushed the fix/deps-pygments-2.20.0 branch from 5074b71 to 6776e45 on May 18, 2026 12:21
@github-actions

Contributor

Automated low-risk assessment

This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.

The PR changes runtime dependency constraints and the lockfile to bump the transitive package Pygments from 2.19.1 to 2.20.0. Dependency/version changes affect production behaviour and are not limited to the allowed low-risk categories (docs/UI/test config), so this should not be auto-labeled low-risk without a normal review.

This PR requires a manual review before merging.

@sergioestebance

Contributor Author

Closing as duplicate of #478, which has been rebased and is conflict-free.


1 participant