
Update python-statemachine[diagrams] requirement from >=3.1.2 to >=3.2.0#346

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/python-statemachine-diagrams--gte-3.2.0

Conversation

dependabot[bot] commented on behalf of GitHub, Jun 22, 2026

Updates the requirements on python-statemachine[diagrams] to permit the latest version.

Release notes

Sourced from python-statemachine[diagrams]'s releases.

v3.2.0

Highlights

  • Load statecharts from documents. A single, secure statemachine.io.load reads SCXML, JSON and YAML into a running StateChart. From an inline definition:

    from statemachine.io import load

    Light = load(
        """
        states:
          green: {initial: true, on: {next: [{target: red}]}}
          red: {on: {next: [{target: green}]}}
        """,
        format="yaml",
    )
    sm = Light()
    sm.send("next")

  Or from a file, with the format detected from the extension:

    Machine = load("traffic_light.scxml")
  • Safe by default. Expressions in loaded documents are evaluated by a restricted allowlist, never eval — this also closes a code-execution vulnerability in the old SCXML loader (CVE-2026-47103); see Security below.

  • Python 3.10+ now required. Support for the end-of-life Python 3.9 was dropped.

Security: arbitrary code execution when loading SCXML (CVE-2026-47103)

In short: before 3.2.0, loading an SCXML document with SCXMLProcessor evaluated the expressions inside it with Python's eval/exec, so a .scxml file from an untrusted source could run arbitrary code on your machine. 3.2.0 makes loading safe by default: expressions are evaluated by a restricted allowlist and <script> is rejected.

[!NOTE] Am I affected?

  • Yes — only if you loaded .scxml documents you did not author, through SCXMLProcessor (e.g. SCXMLProcessor().parse_scxml(...) or parse_scxml_file(...)) on input you don't control. That class was the only SCXML loader in the affected releases (io.load() did not exist yet).
  • No — if you define your machines in Python (StateMachine / StateChart), or only load .scxml files you wrote yourself. Defining a machine in code never evaluates a document; there is no document to evaluate.

... (truncated)

Commits
  • 4fa6b28 Merge branch 'release/3.2.0'
  • 8baa5a0 chore: prepare release 3.2.0
  • af3db7d docs: document the IO optional extras in install instructions
  • b808f76 chore(deps): update dev tooling and patch vulnerable transitive deps
  • b60be26 docs: note validators dict/JSON fix in 3.2.0 release notes
  • 7e8d886 test(io): use configuration_values instead of deprecated current_state
  • 3c6cb7b fix(io): materialize transition validators from dict definitions
  • ab38143 chore: ignore .env and document 3.1.x fixes in the 3.2.0 notes
  • 6755433 fix(io): harden invoke task lifetime, ParseTime regex, and type checks
  • 9492f3f Merge commit from fork
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
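Added example illustrating the "restricted allowlist, never eval" approach the Security section above describes for expressions in loaded documents. This is not python-statemachine's own evaluator; the node allowlist, `safe_eval`, `UnsafeExpression` and `select_transition` are assumptions made for illustration.

```python
import ast
import operator

# Constructed allowlist (not the library's): literals, context names, boolean
# logic and comparisons. Calls, attributes, subscripts and imports have no node
# type here, so they are rejected before anything is evaluated.
_ALLOWED_NODES = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp,
                  ast.Not, ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE,
                  ast.Gt, ast.GtE, ast.Name, ast.Load, ast.Constant)
_CMPOPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
           ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}

class UnsafeExpression(ValueError):
    """A document expression used a construct outside the allowlist."""

def safe_eval(expr: str, context: dict) -> object:
    """Evaluate a guard expression without eval(): validate the whole AST first."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise UnsafeExpression(f"{type(node).__name__} not allowed in {expr!r}")
        if isinstance(node, ast.Name) and node.id not in context:
            raise UnsafeExpression(f"unknown name {node.id!r} in {expr!r}")
    return _evaluate(tree.body, context)

def _evaluate(node, ctx):
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return ctx[node.id]
    if isinstance(node, ast.UnaryOp):  # only ast.Not survives the allowlist
        return not _evaluate(node.operand, ctx)
    if isinstance(node, ast.BoolOp):
        values = [_evaluate(v, ctx) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    left = _evaluate(node.left, ctx)  # ast.Compare, possibly chained: a < b < c
    for op, comparator in zip(node.ops, node.comparators):
        right = _evaluate(comparator, ctx)
        if not _CMPOPS[type(op)](left, right):
            return False
        left = right
    return True

def select_transition(transitions, context):
    """Target of the first transition whose 'cond' guard holds (SCXML-style)."""
    for t in transitions:
        if safe_eval(t.get("cond", "True"), context):
            return t["target"]
    return None
```

The validation pass runs over every node of the parsed expression, so a disallowed construct is refused by node type rather than by matching a blocklist of names.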

Updates the requirements on [python-statemachine[diagrams]](https://github.com/fgmacedo/python-statemachine) to permit the latest version.
- [Release notes](https://github.com/fgmacedo/python-statemachine/releases)
- [Commits](fgmacedo/python-statemachine@v3.1.2...v3.2.0)

---
updated-dependencies:
- dependency-name: python-statemachine[diagrams]
  dependency-version: 3.2.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 22, 2026