Alert
Dependabot alert #29
- Severity: medium
- CVE: CVE-2025-69872
- Package: diskcache <= 5.6.3
- Issue: DiskCache uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache.
- Upstream fix: none available (latest release 5.6.3 is still vulnerable).
Our exposure
Zero. diskcache is not imported anywhere in src/ or examples/, and uv tree --invert shows marimo-flow itself as the only consumer:
diskcache v5.6.3
└── marimo-flow v0.2.0
The pin was added in commit 6c01457 as a security floor for a transitive dependency that has since gone away (probably dropped when we slimmed dependencies for 0.2.0).
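To make the "not imported anywhere" half of the exposure check repeatable (for example as a pre-merge guard so the dependency does not creep back in), here is an added example script that is not part of marimo-flow. It walks `src/` and `examples/` (the directories named above) and reports any static import of `diskcache` or its submodules; the sample files it builds are constructed for the demonstration. It does not replace `uv tree --invert`, which covers the resolution-tree half, and it will not see dynamic imports such as `importlib.import_module("diskcache")`.

```python
# Added example (not marimo-flow code): a repeatable version of the
# "is diskcache imported anywhere in src/ or examples/?" check.
# The src/ and examples/ layout comes from the issue; the sample files in
# demo() are constructed.
from __future__ import annotations

import ast
import pathlib
import tempfile


def find_imports(source: str, module: str) -> list[int]:
    """Return the line numbers in `source` that import `module` or one of
    its submodules: `import diskcache`, `import diskcache.core as c`,
    `from diskcache.core import Cache`. Relative imports (level > 0) are
    skipped because they refer to a local module, not the PyPI package."""
    hits: list[int] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0:
            names = [node.module or ""]
        else:
            continue
        if any(n == module or n.startswith(module + ".") for n in names):
            hits.append(node.lineno)
    return hits


def scan_tree(
    base: pathlib.Path, module: str, subdirs: tuple[str, ...] = ("src", "examples")
) -> dict[str, list[int]]:
    """Walk the given subdirectories under `base` and map each .py file
    that imports `module` to its offending line numbers, keyed by the
    path relative to `base`. Files that cannot be read, decoded or parsed
    are skipped here; a stricter CI gate could fail on them instead."""
    findings: dict[str, list[int]] = {}
    for sub in subdirs:
        for path in sorted((base / sub).rglob("*.py")):
            try:
                lines = find_imports(path.read_text(encoding="utf-8"), module)
            except (OSError, UnicodeDecodeError, SyntaxError):
                continue
            if lines:
                findings[path.relative_to(base).as_posix()] = lines
    return findings


def demo() -> dict[str, list[int]]:
    """Build a constructed mini-repository and run the scan over it."""
    samples = {
        "src/pkg/cache.py": "import json\nfrom diskcache.core import Cache\n",
        "src/pkg/clean.py": "import os\nimport diskcache_compat  # different package, must not match\n",
        "src/pkg/rel.py": "from .diskcache import helper  # relative import, not the PyPI package\n",
        "examples/demo.py": "import diskcache as dc\n",
        "docs/notes.py": "import diskcache  # outside the scanned subdirectories\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        base = pathlib.Path(tmp)
        for rel, src in samples.items():
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_text(src, encoding="utf-8")
        return scan_tree(base, "diskcache")


if __name__ == "__main__":
    # Expected: src/pkg/cache.py: lines [2], examples/demo.py: lines [1]
    for path, lines in demo().items():
        print(f"{path}: lines {lines}")
```

Run it against the real checkout with `scan_tree(pathlib.Path("."), "diskcache")`; an empty result is the "Zero" claim above, restated as something CI can assert on. The `diskcache_compat` and relative-import samples are there to show that the match is on the module name, not a substring, so a similarly named local module does not produce a false positive.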
Fix
Remove the line from pyproject.toml:

```toml
- "diskcache>=5.6.3",
```

Then uv lock && uv sync. diskcache drops out of the resolution tree and the Dependabot alert auto-closes.
Alternatives (if we ever need diskcache back)