Skip to content

Bump pymdown-extensions from 10.14 to 10.16.1#785

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/uv/pymdown-extensions-10.16.1
Closed

Bump pymdown-extensions from 10.14 to 10.16.1#785
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/uv/pymdown-extensions-10.16.1

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Feb 3, 2026
edited
Loading

Bumps pymdown-extensions from 10.14 to 10.16.1.

Release notes

Sourced from pymdown-extensions's releases.

10.6.1

10.16.1

  • FIX: Inefficient regular expression pattern for figure caption numbers.

10.16

  • NEW: Add early support for Python 3.14.
  • NEW: Drop support for Python 3.8.
  • NEW: Snippets: Added max_retries and backoff_retries options to configure new retry logic for HTTP 429 errors (Too Many Requests client error).
  • NEW: Caption: Prefix templates are now preserved exactly as specified allowing the insertion of HTML tags if desired.
  • FIX: Caption: Fix issue where manual numbers in auto were not respected appropriately.

10.15.0

  • NEW: SuperFences: Add relaxed_headers option which can tolerate bad content in the fenced code header. When enabled, code blocks with bad content in the header will likely still convert into code blocks, often respecting the specified language.
  • NEW: Add type hints to the Blocks interface and a few additional files.
  • FIX: Blocks: Fix some corner cases of nested blocks with lists.
  • FIX: Tab and Tabbed: Fix a case where tabs could fail if combine_header_slug was enabled and there was no header.

10.14.3

  • FIX: Blocks: An empty, raw block type should not cause an error.

10.14.2

  • FIX: Blocks: Fix some corner cases with md_in_html.

10.14.1

  • FIX: MagicLink: Ensure that repo names that start with . are handled correctly.
  • FIX: FancyLists: Fix case were lists could be falsely created when a line started with . or ).
Commits

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot
Bump pymdown-extensions from 10.14 to 10.16.1
a956b24 
Bumps [pymdown-extensions](https://github.com/facelessuser/pymdown-extensions) from 10.14 to 10.16.1.
- [Release notes](https://github.com/facelessuser/pymdown-extensions/releases)
- [Commits](facelessuser/pymdown-extensions@10.14...10.16.1)

---
updated-dependencies:
- dependency-name: pymdown-extensions
  dependency-version: 10.16.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Feb 3, 2026
@dependabot dependabot Bot requested a review from a team as a code owner February 3, 2026 14:44
ayeshurun pushed a commit to ayeshurun/fabric-cicd that referenced this pull request Mar 12, 2026
Consolidate all Dependabot security updates into single lock file update
d38ed36 
Resolves all 13 open Dependabot security alerts by upgrading locked
dependencies via uv lock --upgrade:

- cryptography 44.0.0 → 46.0.5 (HIGH: subgroup attack on SECT curves)
- azure-core 1.32.0 → 1.38.2 (HIGH: untrusted data deserialization)
- urllib3 2.3.0 → 2.6.3 (HIGH: decompression bomb, unbounded chain, redirect issues)
- requests 2.32.3 → 2.32.5 (MEDIUM: .netrc credential leak)
- Jinja2 3.1.5 → 3.1.6 (MEDIUM: sandbox breakout via attr filter)
- Markdown 3.7 → 3.9+ (MEDIUM: uncaught exception)
- mkdocs-include-markdown-plugin 7.1.2 → 7.2.1 (MEDIUM: placeholder collision)
- pymdown-extensions 10.14 → 10.21 (LOW: ReDoS in Figure Capture)

All 795 tests pass. This consolidates PRs microsoft#782, microsoft#783, microsoft#784, microsoft#785, microsoft#786, microsoft#787, microsoft#817, microsoft#856.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@ayeshurun ayeshurun mentioned this pull request Mar 12, 2026
Merged
ayeshurun added a commit that referenced this pull request Mar 12, 2026
@ayeshurun
Fixes #875 - Consolidate Dependabot security updates for vulnerable d…
7095dbc 
…ependencies (#876)

## Summary

Targeted upgrade of 8 vulnerable locked dependencies to resolve all 13
open Dependabot security alerts in a single PR, rather than merging 8
separate Dependabot PRs (#782, #783, #784, #785, #786, #787, #817, #856)
that each independently modify `uv.lock`.

## Changes

Only `uv.lock` is modified — `pyproject.toml` is unchanged since all
constraints already use `>=` and allow the patched versions.

### Upgraded packages (targeted via `uv lock --upgrade-package`):

| Package | From | To | Severity |
|---------|------|----|----------|
| cryptography | 44.0.0 | 46.0.5 | HIGH |
| azure-core | 1.32.0 | 1.38.2 | HIGH |
| urllib3 | 2.3.0 | 2.6.3 | HIGH |
| requests | 2.32.3 | 2.32.5 | MEDIUM |
| Jinja2 | 3.1.5 | 3.1.6 | MEDIUM |
| Markdown | 3.7 | 3.9+ | MEDIUM |
| mkdocs-include-markdown-plugin | 7.1.2 | 7.2.1 | MEDIUM |
| pymdown-extensions | 10.14 | 10.21 | LOW |

### Transitive dependency updates:
- cffi 1.17.1 → 2.0.0
- msal 1.31.1 → 1.35.1
- typing-extensions 4.12.2 → 4.15.0

## Validation

- ✅ All 795 tests pass
- ✅ `ruff format --check` clean
- ✅ `ruff check` clean
- ✅ Import test passes

Co-authored-by: Alon Yeshurun <alonyeshurun+microsoft@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@ayeshurun ayeshurun closed this Mar 12, 2026
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Mar 12, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/uv/pymdown-extensions-10.16.1 branch March 12, 2026 13:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ayeshurun