From a0dbadc00f06699b249a5eae7716d667097a7726 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jun 2026 09:54:04 +0000 Subject: [PATCH 1/2] Bump actions/checkout from 6.0.2 to 6.0.3 Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v6.0.2...v6.0.3) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/code_checks.yml | 2 +- .github/workflows/publish.yml | 2 +- .github/workflows/unit_tests.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/code_checks.yml b/.github/workflows/code_checks.yml index 687f169..31e3c50 100644 --- a/.github/workflows/code_checks.yml +++ b/.github/workflows/code_checks.yml @@ -29,7 +29,7 @@ jobs: run-code-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@v6.0.3 - name: Install uv uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 768bd32..4eef0a8 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -19,7 +19,7 @@ jobs: run: | sudo apt-get update sudo apt-get install libcurl4-openssl-dev libssl-dev - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@v6.0.3 - name: Install uv uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml index ebca370..c63185e 100644 --- a/.github/workflows/unit_tests.yml +++ b/.github/workflows/unit_tests.yml @@ -37,7 +37,7 @@ jobs: unit-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@v6.0.3 - name: Install uv uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 From 14db3dd44985e4538b5f63cd9e770ab8492b1720 Mon Sep 17 00:00:00 2001 From: "aieng-bot[bot]" Date: Tue, 9 Jun 2026 01:04:23 +0000 Subject: [PATCH 2/2] chore: bump pip to 26.1.2 to fix PYSEC-2026-196 pip 26.1.1 is vulnerable to PYSEC-2026-196 (entry point path traversal). Bumping minimum version constraint from >=26.1 to >=26.1.2 which contains the fix. Co-authored-by: aieng-bot --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 2aa2b0b..481bce0 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -53,7 +53,7 @@ dev = [ "jupyter>=1.1.1", "jupyterlab>=4.5.7", # CVE-2026-42266/42557: extension allow-list bypass and command linker XSS fixed in 4.5.7 "nbqa>=1.9.1", - "pip>=26.1.2", # Pinning version to address vulnerability GHSA-6vgw-5pg2-w6jp, CVE-2026-3219, PYSEC-2026-196 + "pip>=26.1.2", # Pinning version to address vulnerability GHSA-6vgw-5pg2-w6jp, CVE-2026-3219; PYSEC-2026-196: entry point path traversal fixed in 26.1.2 "pip-audit>=2.9.0", "pre-commit>=4.2.0", "pytest>=9.0.3", # CVE-2025-71176: tmp dir privilege escalation fixed in 9.0.3