Commit f5054df
fix(deps): bump gitpython and urllib3 to resolve HIGH security alerts (#4283)
- git: gitpython >=3.1.45 -> >=3.1.50 (lock 3.1.49 -> 3.1.50)
Fixes GHSA-mv93-w799-cj2w: newline injection in config_writer()
bypasses the CVE-2026-42215 patch, enabling RCE via core.hooksPath.
- fetch: urllib3 2.6.3 -> 2.7.0 (transitive via requests)
Fixes GHSA-qccp-gfcp-xxvc (sensitive headers forwarded across origins
on proxied redirects) and GHSA-mf9v-mfxr-j63j (decompression-bomb
safeguards bypassed in the streaming API).
Resolves Dependabot alerts #129, #131, #132.
Tests pass (fetch: 20 passed; git: all test bodies pass, only
pre-existing Windows tmpdir-teardown errors remain).
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 3a32d10 commit f5054df
3 files changed
Lines changed: 8 additions & 8 deletions
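A check one could run after a bump like this one, as an added example that is not part of the commit or the project: it reads an exact-pin listing (`name==version`, the format `pip freeze` prints) and reports which of the advisories named in the commit message are still open. The function names and the sample listings are assumptions made for the illustration.

```python
import re

# Fixed-version floors and advisory IDs as stated in the commit message.
FLOORS = {
    "gitpython": ("3.1.50", ["GHSA-mv93-w799-cj2w"]),
    "urllib3": ("2.7.0", ["GHSA-qccp-gfcp-xxvc", "GHSA-mf9v-mfxr-j63j"]),
}
# Matches exact pins such as "GitPython==3.1.49" (optional marker or comment after).
PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(\d+(?:\.\d+)*)\s*(?:[;#].*)?$")

def normalize(name):
    """PEP 503 normalization, so 'GitPython' and 'gitpython' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def as_tuple(version):
    """'2.7' -> (2, 7, 0): pad so that 2.7 and 2.7.0 compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_pins(text):
    """Map normalized package name -> pinned version string."""
    pins = {}
    for line in text.splitlines():
        m = PIN.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins

def open_advisories(text):
    """Return (package, pinned version or None, advisory) for each unresolved alert.

    A missing pin is reported with None: for a transitive dependency such as
    urllib3, no pin means the resolved version is unknown, not that it is fixed.
    """
    pins = parse_pins(text)
    findings = []
    for name, (floor, advisories) in FLOORS.items():
        found = pins.get(name)
        if found is None or as_tuple(found) < as_tuple(floor):
            findings.extend((name, found, adv) for adv in advisories)
    return findings

# Constructed listings; the requests version is a made-up placeholder.
BEFORE = "GitPython==3.1.49\nrequests==0.0.0  # placeholder\nurllib3==2.6.3\n"
AFTER = "gitpython==3.1.50\nurllib3==2.7.0\n"

if __name__ == "__main__":
    for label, listing in (("before", BEFORE), ("after", AFTER)):
        print(label, open_advisories(listing))
```

Run against the resolved environment rather than the declared requirements, since urllib3 arrives transitively via requests and a range such as `>=3.1.50` says nothing about what was actually installed.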
Some generated files are not rendered by default.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
17 | 17 | | |
18 | 18 | | |
19 | 19 | | |
20 | | - | |
| 20 | + | |
21 | 21 | | |
22 | 22 | | |
23 | 23 | | |
| |||