fix(deps): relax idna pin to >=3.7,<4 for CVE-2026-45409 #500
Open
davidnichols-ops wants to merge 1 commit into
Conversation
idna 3.7 is pinned exactly in requirements.txt, blocking consumers from picking up the CVE-2026-45409 DoS fix that shipped in idna 3.15. Relax to a bounded range; requirements-slim.txt already ships an unpinned idna.
This was referenced Jun 30, 2026
99e8215 to 27ab88e
Summary
Relax the `idna==3.7` pin in `requirements.txt` to `idna>=3.7,<4`, unblocking consumers from receiving the CVE-2026-45409 fix (shipped in idna 3.15). `requirements-slim.txt` already ships an unpinned `idna`; this brings the full SDK in line. `setup.py` reads `install_requires` from `requirements.txt`, so no other files need changes. Closes #481.
Test plan
- `git diff` shows only the one-line requirements change
- `python -m unittest` passes: 729 tests, OK (skipped=1) on Python 3.14.6 with idna 3.18
- `pip install -e .` resolves idna to 3.18 (>= 3.15, the CVE fix version)
- `pip-audit` reports "No known vulnerabilities found": CVE-2026-45409 cleared
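The description and test plan above rest on one point: an exact `idna==3.7` pin can never resolve to the 3.15 fix release, while the bounded range `>=3.7,<4` admits 3.15 and 3.18 but stays below 4.0. The following is an added example, not code from this PR or the project, that makes that check mechanical: it parses constructed before/after `requirements.txt` contents, lists the exact pins, and evaluates whether a given fix version is admissible under each specifier. The file contents and function names are assumptions for illustration; in a real pipeline `packaging.specifiers.SpecifierSet` does the comparison, this stdlib-only version just keeps the logic visible.

```python
# Added example, not part of this PR or the project: a minimal checker for
# whether a requirements.txt pin lets a resolver pick up a security-fix
# release.  In a real pipeline use packaging.specifiers.SpecifierSet; this
# stdlib-only version keeps the comparison logic visible.
import re

# Constructed sample files modelling the 'before' and 'after' of this PR.
REQUIREMENTS_BEFORE = """\
requests==2.32.3
idna==3.7          # exact pin: the resolver can never choose 3.15
certifi>=2024.2.2
"""
REQUIREMENTS_AFTER = """\
requests==2.32.3
idna>=3.7,<4       # bounded range: 3.15 and 3.18 admissible, 4.0 is not
certifi>=2024.2.2
"""

_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_CLAUSE = re.compile(r"^(==|!=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")

# PEP 440 comparison reduced to the dotted-integer release segments used here.
_OPS = {
    "==": lambda c: c == 0,
    "!=": lambda c: c != 0,
    ">=": lambda c: c >= 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    "<": lambda c: c < 0,
}


def parse_version(text):
    """'3.7' -> (3, 7). Only plain release segments are supported."""
    return tuple(int(p) for p in text.strip().split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1, zero-padding so that 4 == 4.0 as in PEP 440."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_requirements(text):
    """Return {name: [(op, version_tuple), ...]} for each requirement line."""
    reqs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, spec = _NAME.match(line).groups()
        clauses = []
        for part in filter(None, (p.strip() for p in spec.split(","))):
            m = _CLAUSE.match(part)
            if m is None:
                raise ValueError(f"unsupported specifier {part!r} in {raw!r}")
            clauses.append((m.group(1), parse_version(m.group(2))))
        reqs[name.lower()] = clauses
    return reqs


def satisfies(version, clauses):
    """True if `version` lies inside every clause of the specifier set."""
    v = parse_version(version)
    return all(_OPS[op](compare_versions(v, bound)) for op, bound in clauses)


def exact_pins(reqs):
    """Names pinned with '==': these can never pick up a later fix release."""
    return sorted(n for n, cl in reqs.items() if any(op == "==" for op, _ in cl))


def admits_fix(reqs, name, fix_version):
    """Can the resolver select `fix_version` for `name` under its specifier?"""
    return satisfies(fix_version, reqs[name.lower()])


if __name__ == "__main__":
    before = parse_requirements(REQUIREMENTS_BEFORE)
    after = parse_requirements(REQUIREMENTS_AFTER)
    print("exact pins before:", exact_pins(before))
    print("exact pins after: ", exact_pins(after))
    for ver in ("3.7", "3.15", "3.18", "4.0"):
        print(f"idna {ver}: before={admits_fix(before, 'idna', ver)}"
              f" after={admits_fix(after, 'idna', ver)}")
```

Note that a relaxed range only permits the fix; it does not require it. A consumer that already has 3.7 installed, or a lock file generated from the old pin, stays on 3.7 until it re-resolves, and raising the floor to `>=3.15` is what would make the fixed release mandatory.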