deps: bump pygments to 2.20.0 (fix ReDoS GHSA-5239-wwwm-4pmq)#6

Merged

jackchuka merged 1 commit into main from fix/pygments-redos-ghsa-5239 on Jun 9, 2026

Conversation

@jackchuka

Owner

What

Bumps pygments 2.19.2 → 2.20.0 in uv.lock.

Why

Resolves Dependabot alert #2 — Pygments < 2.20.0 has a Regular Expression Denial of Service (ReDoS) via an inefficient GUID-matching regex (GHSA-5239-wwwm-4pmq, low severity).

pygments is a dev-only transitive dependency (pulled in by pytest), so Dependabot could not auto-open a fix PR: it isn't a direct dependency to bump, and the parent (pytest 9.0.3) doesn't force the upgrade. Pinned directly via uv lock --upgrade-package pygments.

Verification

  • Only uv.lock changed (pygments entry only)
  • uv sync + uv run pytest → 63 passed

Real-world risk is low (ReDoS only matters on attacker-controlled input to the GUID lexer, which doesn't occur in a test runner), but this clears the open alert.

Resolves Dependabot alert #2. Pygments <2.20.0 has a ReDoS vulnerability
in its GUID-matching regex. It is a dev-only transitive dependency (via
pytest), so Dependabot could not auto-open a fix PR; pinned directly in
the lockfile via 'uv lock --upgrade-package pygments'.
@jackchuka jackchuka marked this pull request as ready for review June 9, 2026 15:47
@jackchuka jackchuka merged commit fb9cafe into main Jun 9, 2026
6 checks passed
@jackchuka jackchuka deleted the fix/pygments-redos-ghsa-5239 branch June 9, 2026 15:47