From 9e973bd91e957f9af6c2e63b00198c2e9d705717 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 8 Jun 2026 19:43:24 +0000
Subject: [PATCH 1/2] [pre-commit.ci] pre-commit autoupdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
updates:
- [github.com/astral-sh/ruff-pre-commit: v0.15.15 → v0.15.16](https://github.com/astral-sh/ruff-pre-commit/compare/v0.15.15...v0.15.16)
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7913e71..c0d1121 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -17,7 +17,7 @@ repos: - id: check-toml - repo: https://github.com/astral-sh/ruff-pre-commit - rev: 'v0.15.15' + rev: 'v0.15.16' hooks: - id: ruff args: [--fix, --exit-non-zero-on-fix]
From 5ec809baebdae0cd237fdd50df133634a3aa30df Mon Sep 17 00:00:00 2001
From: "aieng-bot[bot]"
Date: Tue, 9 Jun 2026 01:03:57 +0000
Subject: [PATCH 2/2] chore: bump pip to 26.1.2 to fix PYSEC-2026-196
Upgrades pip from 26.1 to 26.1.2 to address PYSEC-2026-196, where pip treated console_scripts/gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.
Co-authored-by: aieng-bot
---
 pyproject.toml | 2 +-
 uv.lock | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index 085d920..4ba37cc 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -36,7 +36,7 @@ test = [
 "pygments>=2.20.0", # Pinning version to address vulnerability CVE-2026-4539
 "aiohttp>=3.14.0",
 "virtualenv>=20.36.1",
- "pip>=26.1", # Pinning version to address vulnerability CVE-2026-3219
+ "pip>=26.1.2", # Pinning version to address vulnerability CVE-2026-3219 and PYSEC-2026-196
 ]
 docs = [
 "jinja2>=3.1.6", # Pinning version to address vulnerability GHSA-cpwx-vrp4-4pq7
diff --git a/uv.lock b/uv.lock
index b069a76..5fede06 100644
--- a/uv.lock
+++ b/uv.lock
@@ -338,7 +338,7 @@ test = [ { name = "codecov", specifier = ">=2.1.13" }, { name = "mypy", specifier = ">=1.7.0" }, { name = "nbqa", extras = ["toolchain"], specifier = ">=1.7.0" }, - { name = "pip", specifier = ">=26.1" }, + { name = "pip", specifier = ">=26.1.2" }, { name = "pip-audit", specifier = ">=2.7.1" }, { name = "pre-commit", specifier = ">=4.0.0" }, { name = "pygments", specifier = ">=2.20.0" },
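Review bot: The trailing comment on the new `"pip>=26.1.2"` line in the pyproject.toml hunk still says "Pinning version", but `>=` only sets a floor and the exact version is fixed by uv.lock; I would word it as `# Minimum version: fixes CVE-2026-3219 and PYSEC-2026-196`. The floor also covers only the `test` group, whose array opens above the hunk. `virtualenv>=20.36.1` sits two lines up, and virtualenv seeds the environments it creates with the pip wheel it bundles, so if the tests build environments that way (not visible here) that pip is not governed by this constraint and should be checked separately.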
@@ -2804,11 +2804,11 @@ wheels = [ [[package]] name = "pip" -version = "26.1" +version = "26.1.2" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/73/7e/d2b04004e1068ad4fdfa2f227b839b5d03e602e47cdbbf49de71137c9546/pip-26.1.tar.gz", hash = "sha256:81e13ebcca3ffa8cc85e4deff5c27e1ee26dea0aa7fc2f294a073ac208806ff3", size = 1840316, upload-time = "2026-04-26T21:00:05.406Z" } +sdist = { url = "https://files.pythonhosted.org/packages/01/91/47e7d486260f618783899587af63ccf7980fb60245c3e63dd4571c6b57ad/pip-26.1.2.tar.gz", hash = "sha256:f49cd134c61cf2fd75e0ce2676db03e4054504a5a4986d00f8299ae632dc4605", size = 1840799, upload-time = "2026-05-31T17:33:58.56Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/70/7a/be4bd8bcbb24ea475856dd68159d78b03b2bb53dae369f69c9606b8888f5/pip-26.1-py3-none-any.whl", hash = "sha256:4e8486d821d814b77319acb7b9e8bf5a4ee7590a643e7cb21029f209be8573c1", size = 1812804, upload-time = "2026-04-26T21:00:03.194Z" }, + { url = "https://files.pythonhosted.org/packages/5d/95/6b5cb3461ea5673ba0995989746db58eb18b91b54dbf331e72f569540946/pip-26.1.2-py3-none-any.whl", hash = "sha256:382ff9f685ee3bc25864f820aa50505825f10f5458ffff07e30a6d96e5715cab", size = 1813144, upload-time = "2026-05-31T17:33:56.772Z" }, ] [[package]]