From 488ce86ebee4306c9c1212f0c1e6c34d0688335d Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 8 Jun 2026 19:43:30 +0000
Subject: [PATCH 1/2] [pre-commit.ci] pre-commit autoupdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

updates:
- [github.com/astral-sh/uv-pre-commit: 0.11.17 → 0.11.19](https://github.com/astral-sh/uv-pre-commit/compare/0.11.17...0.11.19)
- [github.com/astral-sh/ruff-pre-commit: v0.15.15 → v0.15.16](https://github.com/astral-sh/ruff-pre-commit/compare/v0.15.15...v0.15.16)
---
 .pre-commit-config.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 377e6ab..376c9d9 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -20,12 +20,12 @@ repos:
 - id: check-toml
 - repo: https://github.com/astral-sh/uv-pre-commit
- rev: 0.11.17
+ rev: 0.11.19
 hooks:
 - id: uv-lock
 - repo: https://github.com/astral-sh/ruff-pre-commit
- rev: v0.15.15
+ rev: v0.15.16
 hooks:
 - id: ruff-check
 args: [--fix, --exit-non-zero-on-fix]

From 1cb9f95f39a14d93df9b7b79e48798de4fa354b8 Mon Sep 17 00:00:00 2001
From: "aieng-bot[bot]"
Date: Tue, 9 Jun 2026 01:02:32 +0000
Subject: [PATCH 2/2] chore: bump pip to 26.1.2 to fix PYSEC-2026-196

pip 26.1.1 has a path traversal vulnerability (PYSEC-2026-196) where console_scripts and gui_scripts entry points could be installed outside the installation directory. Fix version 26.1.2 is available on PyPI.

Co-authored-by: aieng-bot
---
 pyproject.toml | 2 +-
 uv.lock | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index f3232f6..2aa2b0b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -53,7 +53,7 @@ dev = [
 "jupyter>=1.1.1",
 "jupyterlab>=4.5.7", # CVE-2026-42266/42557: extension allow-list bypass and command linker XSS fixed in 4.5.7
 "nbqa>=1.9.1",
- "pip>=26.1", # Pinning version to address vulnerability GHSA-6vgw-5pg2-w6jp, CVE-2026-3219
+ "pip>=26.1.2", # Pinning version to address vulnerability GHSA-6vgw-5pg2-w6jp, CVE-2026-3219, PYSEC-2026-196
 "pip-audit>=2.9.0",
 "pre-commit>=4.2.0",
 "pytest>=9.0.3", # CVE-2025-71176: tmp dir privilege escalation fixed in 9.0.3
diff --git a/uv.lock b/uv.lock
index 050650c..67178d8 100644
--- a/uv.lock
+++ b/uv.lock
@@ -151,7 +151,7 @@ dev = [
 { name = "mypy", specifier = ">=1.19.0" },
 { name = "nbqa", specifier = ">=1.9.1" },
 { name = "pandas-stubs", specifier = ">=2.3.3.260113" },
- { name = "pip", specifier = ">=26.1" },
+ { name = "pip", specifier = ">=26.1.2" },
 { name = "pip-audit", specifier = ">=2.9.0" },
 { name = "pre-commit", specifier = ">=4.2.0" },
 { name = "pytest", specifier = ">=9.0.3" },
@@ -4508,11 +4508,11 @@ wheels = [
 
 [[package]]
 name = "pip"
-version = "26.1.1"
+version = "26.1.2"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/b6/48/cb9b7a682f6fe01a4221e1728941dd4ac3cd9090a17db3779d6ff490b602/pip-26.1.1.tar.gz", hash = "sha256:d36762751d156a4ee895de8af39aa0abeeeb577f93a2eca6ab62467bbf0f8a78", size = 1840400, upload-time = "2026-05-04T19:02:21.248Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/01/91/47e7d486260f618783899587af63ccf7980fb60245c3e63dd4571c6b57ad/pip-26.1.2.tar.gz", hash = "sha256:f49cd134c61cf2fd75e0ce2676db03e4054504a5a4986d00f8299ae632dc4605", size = 1840799, upload-time = "2026-05-31T17:33:58.56Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/3a/eb/fea4d1d51c49832120f7f285d07306db3960f423a2612c6057caf3e8196f/pip-26.1.1-py3-none-any.whl", hash = "sha256:99cb1c2899893b075ff56e4ed0af55669a955b49ad7fb8d8603ecdaf4ed653fb", size = 1812777, upload-time = "2026-05-04T19:02:18.9Z" },
+ { url = "https://files.pythonhosted.org/packages/5d/95/6b5cb3461ea5673ba0995989746db58eb18b91b54dbf331e72f569540946/pip-26.1.2-py3-none-any.whl", hash = "sha256:382ff9f685ee3bc25864f820aa50505825f10f5458ffff07e30a6d96e5715cab", size = 1813144, upload-time = "2026-05-31T17:33:56.772Z" },
 ]
 
 [[package]]