
fix(deps): relax idna pin to >=3.7,<4 for CVE-2026-45409 #500

Open

davidnichols-ops wants to merge 1 commit into roboflow:main from davidnichols-ops:fix/idna-cve-2026-45409

Conversation


@davidnichols-ops davidnichols-ops commented Jun 30, 2026


Summary

  • Relaxes the exact idna==3.7 pin in requirements.txt to idna>=3.7,<4, unblocking consumers from receiving the CVE-2026-45409 fix (shipped in idna 3.15).
  • requirements-slim.txt already ships an unpinned idna; this brings the full SDK in line.
  • setup.py reads install_requires from requirements.txt, so no other files need changes.

Closes #481.

Test plan

  • git diff shows only the one-line requirements change
  • python -m unittest passes — 729 tests, OK (skipped=1) on Python 3.14.6 with idna 3.18
  • pip install -e . resolves idna to 3.18 (>= 3.15, the CVE fix version)
  • pip-audit reports "No known vulnerabilities found" (CVE-2026-45409 cleared)

idna 3.7 is pinned exactly in requirements.txt, blocking consumers from
picking up the CVE-2026-45409 DoS fix that shipped in idna 3.15. Relax
to a bounded range; requirements-slim.txt already ships an unpinned idna.
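The argument in the description and commit message above is that an exact pin can never resolve to the fixed release, while a bounded range can. The following is an added example, not code from the roboflow PR or project, that makes that check mechanical for any package: it parses simple requirements lines and reports pins that exclude a given fixed-in version. The sample requirements text is constructed to mirror the PR's before/after state, and only plain dotted numeric versions with the ==, !=, >=, >, <=, < operators are handled (no ~=, wildcards or pre-release tags).

```python
import re

# Added example (not part of the roboflow PR): make the pin argument
# checkable. "idna==3.7" can never resolve to idna 3.15, where the
# CVE-2026-45409 fix shipped, while "idna>=3.7,<4" can. Only plain
# dotted numeric versions and ==, !=, >=, >, <=, < are supported.
OPS = {"==": lambda v, w: v == w, "!=": lambda v, w: v != w,
       ">=": lambda v, w: v >= w, ">": lambda v, w: v > w,
       "<=": lambda v, w: v <= w, "<": lambda v, w: v < w}
_REQ = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(.*?)\s*(?:#.*)?$")
_SPEC = re.compile(r"^(==|!=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    """'4.0' and '4' both become (4,): trailing zeros are dropped so they compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def admits(specifier, version):
    """True if every comma-separated clause of e.g. '>=3.7,<4' accepts `version`."""
    v = parse_version(version)
    for clause in (c.strip() for c in specifier.split(",") if c.strip()):
        m = _SPEC.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](v, parse_version(bound)):
            return False
    return True


def pins_blocking_fix(requirements_text, package, fixed_in):
    """Requirement lines for `package` whose specifier excludes `fixed_in` (unpinned entries admit everything)."""
    blocking = []
    for line in requirements_text.splitlines():
        m = _REQ.match(line)
        if not m or m.group(1).lower() != package.lower():
            continue
        spec = m.group(2)
        if spec and not admits(spec, fixed_in):
            blocking.append(line.strip())
    return blocking


# Constructed sample mirroring the PR's before/after (not the real file).
BEFORE = "requests>=2.0\nidna==3.7\n"
AFTER = "requests>=2.0\nidna>=3.7,<4  # CVE-2026-45409 fixed in 3.15\n"
FIXED_IN = "3.15"  # fix version stated in the PR description
```

Running `pins_blocking_fix(BEFORE, "idna", FIXED_IN)` reports the exact pin, while the relaxed range reports nothing; the same call works against a real requirements.txt read from disk.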

socket-security Bot commented Jun 30, 2026


Review the following changes in direct dependencies.

Diff   Package               Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  pypi/certifi@1.0.1    100                    100            100      100          70
