Update pypdf requirement from <7,>=6.13.1 to >=6.13.2,<7

[dependabot]

Updates the requirements on pypdf to permit the latest version.

Release notes

Sourced from pypdf's releases.

Version 6.13.2, 2026-06-10

What's new

Security (SEC)

• Detect multi-hop cyclic /Pages trees in _flatten to prevent SIGSEGV (#3847) by @​fredericoschardong

Robustness (ROB)

• Fix UnboundLocalError in _read_standard_xref_table on a malformed entry (#3841) by @​joszamama
• Raise PdfStreamError on non-hexadecimal bytes in hex readers (#3832) by @​metsw24-max

Full Changelog

Changelog

Sourced from pypdf's changelog.

Version 6.13.2, 2026-06-10

Security (SEC)

• Detect multi-hop cyclic /Pages trees in _flatten to prevent SIGSEGV (#3847)

Robustness (ROB)

• Fix UnboundLocalError in _read_standard_xref_table on a malformed entry (#3841)
• Raise PdfStreamError on non-hexadecimal bytes in hex readers (#3832)

Full Changelog

Version 6.13.1, 2026-06-08

Security (SEC)

• Prevent infinite loops when processing threads/articles (#3839)

Full Changelog

Version 6.13.0, 2026-06-05

Security (SEC)

• Avoid infinite loops for outlines and text extraction (#3830)

New Features (ENH)

• Add Japanese predefined CMaps (#3800)
• Font: Collect all character widths, not only those that can be unicode mapped (#3798)

Robustness (ROB)

• Recover a corrupt trailing startxref pointer (closes #3238) (#3826)
• Handle /Pages node without /Kids during flattening (#3825)
• Accept inline image EI marker at the end of a content stream (#3827)

Maintenance (MAINT)

• Type the always-raising deprecation helpers as NoReturn (#3819)

Full Changelog

Version 6.12.2, 2026-05-26

Security (SEC)

• Optimize _decode_png_prediction regarding memory and speed (#3806)
• Improve loop control in text extraction (#3805)

Full Changelog

Version 6.12.1, 2026-05-22

Security (SEC)

• Limit input size and element count for XMP metadata (#3796)

... (truncated)

Commits

• 6490dff REL: 6.13.2
• d209c2c SEC: Detect multi-hop cyclic /Pages trees in _flatten to prevent SIGSEGV (#3847)
• 06d4106 ROB: Fix UnboundLocalError in _read_standard_xref_table on a malformed entry ...
• c64016a ROB: Raise PdfStreamError on non-hexadecimal bytes in hex readers (#3832)
• 6207d77 ROB: Guard truncated Type1 font program in _type1_alternative (#3835)
• e31de26 DEV: Bump actions/checkout from 6.0.2 to 6.0.3 (#3843)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[claude]

PR Review: Update pypdf >=6.13.1,<7 to >=6.13.2,<7

Overview

Automated Dependabot bump of the minimum required version of pypdf from 6.13.1 to 6.13.2 (1-line change in requirements/base.txt).

---

What's in pypdf 6.13.2

• Security: Detect multi-hop cyclic /Pages trees in _flatten to prevent SIGSEGV (SEC: Detect multi-hop cyclic /Pages trees in _flatten to prevent SIGSEGV py-pdf/pypdf#3847)
• Robustness: Fix UnboundLocalError in _read_standard_xref_table on malformed XRef entry (ROB: Fix UnboundLocalError in _read_standard_xref_table py-pdf/pypdf#3841)
• Robustness: Raise PdfStreamError on non-hexadecimal bytes in hex readers (ROB: Raise PdfStreamError on non-hexadecimal bytes in hex readers py-pdf/pypdf#3832)

---

Analysis

Security - The SIGSEGV fix is the most important item here. A crafted PDF with a cyclic /Pages reference tree could previously crash the Python process outright (signal delivery, no exception, no stack trace). That is a straightforward DoS vector for any user-facing document upload endpoint. Pulling in 6.13.2 closes it.

Correctness / Robustness - The two robustness fixes prevent UnboundLocalError and silent misbehaviour on malformed PDFs. This is directly relevant to OpenContracts, which accepts arbitrary user-uploaded PDFs through its pipeline parsers.

Change scope - Single line, lower bound only. The upper bound <7 is unchanged, so there is no risk of pulling in a breaking major-version bump. No API surface in pypdf changed between 6.13.1 and 6.13.2.

No tests required - Pure dependency floor bump with no logic changes.

Changelog fragment - Per project conventions, a changelog.d/ fragment should accompany security-relevant dependency updates. Since this is a Dependabot PR, maintainers may wish to add one at merge time. Suggested changelog.d/1984.security.md:

- Bump pypdf minimum to 6.13.2 to fix a SIGSEGV DoS via cyclic /Pages trees in crafted PDFs (py-pdf/pypdf#3847).

---

Verdict

Approve and merge. Low-risk, security-positive update with no breaking changes. The SIGSEGV DoS fix alone makes it worth taking immediately.