
[pull] main from modelcontextprotocol:main#129

Merged: pull[bot] merged 8 commits into threatcode:main from modelcontextprotocol:main on Jun 6, 2025

@pull pull Bot commented Jun 5, 2025

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.1)

Can you help keep this open source service alive? 💖 Please sponsor : )

@pull pull Bot added the ⤵️ pull label Jun 5, 2025
@pull pull Bot merged commit 7652ae0 into threatcode:main Jun 6, 2025
11 checks passed
pull Bot pushed a commit that referenced this pull request Jun 5, 2026
…modelcontextprotocol#4283)

- git: gitpython >=3.1.45 -> >=3.1.50 (lock 3.1.49 -> 3.1.50)
  Fixes GHSA-mv93-w799-cj2w: newline injection in config_writer()
  bypasses the CVE-2026-42215 patch, enabling RCE via core.hooksPath.
- fetch: urllib3 2.6.3 -> 2.7.0 (transitive via requests)
  Fixes GHSA-qccp-gfcp-xxvc (sensitive headers forwarded across origins
  on proxied redirects) and GHSA-mf9v-mfxr-j63j (decompression-bomb
  safeguards bypassed in the streaming API).

Resolves Dependabot alerts #129, #131, #132.
Tests pass (fetch: 20 passed; git: all test bodies pass, only
pre-existing Windows tmpdir-teardown errors remain).

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>