From 23d6b884f7cc2b7e2bb4a541f38ee689fd53a28a Mon Sep 17 00:00:00 2001 From: Oliver Meyer Date: Thu, 8 Jan 2026 09:37:47 +0100 Subject: [PATCH 1/2] security: update urllib3 --- pyproject.toml | 2 +- uv.lock | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index cc603b8d1..cd572713f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -123,7 +123,7 @@ dependencies = [ "tenacity>=9.1.2,<10", "tqdm>=4.67.1,<5", "truststore>=0.10.4,<1", - "urllib3>=2.6.1,<3", + "urllib3>=2.6.3,<3", # CVE-2026-21441 requires >= 2.6.3 "wsidicom>=0.28.1,<1", # Transitive overrides # WARNING: one cannot negate or downgrade a dependency required here. use override-dependencies for that. diff --git a/uv.lock b/uv.lock index e288c4f4c..3de2f8019 100644 --- a/uv.lock +++ b/uv.lock @@ -222,7 +222,7 @@ requires-dist = [ { name = "typer", specifier = ">=0.20.0,<1" }, { name = "uptime", specifier = ">=3.0.1,<4" }, { name = "urllib3", specifier = ">=2.5.0" }, - { name = "urllib3", specifier = ">=2.6.1,<3" }, + { name = "urllib3", specifier = ">=2.6.3,<3" }, { name = "wsidicom", specifier = ">=0.28.1,<1" }, ] provides-extras = ["pyinstaller", "jupyter", "marimo", "qupath"] @@ -1965,6 +1965,7 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/90/c2/ca76afca0c2debef368a42a701d501e696490e0a7138f0337709a724b189/fastparquet-2025.12.0-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:d8d70d90614f19752919037c4a88aaaeda3cd7667aeb54857c48054e2a9e3588", size = 1819692, upload-time = "2025-12-18T21:58:43.095Z" }, { url = "https://files.pythonhosted.org/packages/ab/41/f235c0d8171f6676b9d4fb8468c781fbe7bf90fed2c4383f2d8d82e574db/fastparquet-2025.12.0-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:8e2ccf387f629cb11b72fec6f15a55e0f40759b47713124764a9867097bcd377", size = 1784357, upload-time = "2025-12-18T21:58:13.258Z" }, { url = "https://files.pythonhosted.org/packages/29/7e/c86bf33b363cf5a1ad71d3ebd4a352131ba99566c78aa58d9e56c98526ba/fastparquet-2025.12.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:1978e7f3c32044f2f7a0b35784240dfc3eaeb8065a879fa3011c832fea4e7037", size = 1815777, upload-time = "2025-12-18T21:58:44.432Z" }, + { url = "https://files.pythonhosted.org/packages/d7/0b/769333ab6e6ed401755b550b3338cee96b8f6502db5da55312d86a97db62/fastparquet-2025.12.0-cp312-cp312-win_amd64.whl", hash = "sha256:25e87fff63c011fe658a7547ba83355e02568db1ee26a65e6b75c2287701d5dc", size = 667555, upload-time = "2026-01-06T21:24:36.381Z" }, { url = "https://files.pythonhosted.org/packages/13/cf/1801afbc1e84ad0413ec66bf93590472152462c454593e3be3265861aa0f/fastparquet-2025.12.0-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:1bd79ca75977aaeaae8d2a6cb1958e806991f0ff23207b938522a59a724491b2", size = 893835, upload-time = "2025-12-18T21:53:53.87Z" }, { url = "https://files.pythonhosted.org/packages/79/f9/5539b19ae7e1e0ad77f5b8a1e8d480fdf0193639cf97239734173b8730ab/fastparquet-2025.12.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:b6db801b72433d8227fcb92009a631f14d6d49a43b3c599911b58a8a6ffde9e3", size = 686010, upload-time = "2025-12-18T21:54:15.234Z" }, { url = "https://files.pythonhosted.org/packages/ff/d9/0f39782c500bbf6b2e40a67cac3c9ec2eae70bdaa8b283106c2b3d532a95/fastparquet-2025.12.0-cp313-cp313-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:23cce7202de91b64abb251cec07125d94e8108eb99aab6ffa42570a89a5c869d", size = 1755599, upload-time = "2025-12-18T21:58:15.016Z" }, @@ -7522,11 +7523,11 @@ wheels = [ [[package]] name = "urllib3" -version = "2.6.1" +version = "2.6.3" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/5e/1d/0f3a93cca1ac5e8287842ed4eebbd0f7a991315089b1a0b01c7788aa7b63/urllib3-2.6.1.tar.gz", hash = "sha256:5379eb6e1aba4088bae84f8242960017ec8d8e3decf30480b3a1abdaa9671a3f", size = 432678, upload-time = "2025-12-08T15:25:26.773Z" } +sdist = { url = "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556, upload-time = "2026-01-07T16:24:43.925Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/bc/56/190ceb8cb10511b730b564fb1e0293fa468363dbad26145c34928a60cb0c/urllib3-2.6.1-py3-none-any.whl", hash = "sha256:e67d06fe947c36a7ca39f4994b08d73922d40e6cca949907be05efa6fd75110b", size = 131138, upload-time = "2025-12-08T15:25:25.51Z" }, + { url = "https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584, upload-time = "2026-01-07T16:24:42.685Z" }, ] [package.optional-dependencies] From c5811afcb4caeaa1fcd85ccd30acab3f130f60dd Mon Sep 17 00:00:00 2001 From: Oliver Meyer Date: Thu, 8 Jan 2026 09:38:00 +0100 Subject: [PATCH 2/2] security: update pip-audit ignore --- noxfile.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/noxfile.py b/noxfile.py index 1b6e8ee34..16d084a18 100644 --- a/noxfile.py +++ b/noxfile.py @@ -157,7 +157,7 @@ def audit(session: nox.Session) -> None: "--ignore-vuln", "GHSA-4xh5-x5gv-qwph", # https://pyinstaller.org/en/stable/license.html "--ignore-vuln", - "GHSA-xm59-rqc7-hhvf", # nbconvert CVE-2025-53000: no fix available + "CVE-2025-53000", # no fix available ) except CommandFailed: _format_json_with_jq(session, "reports/vulnerabilities.json")