base repository: Unstructured-IO/unstructured
base: 0.22.4
head repository: Unstructured-IO/unstructured
compare: 0.22.6
  • 2 commits
  • 4 files changed
  • 2 contributors

Commits on Mar 26, 2026

  1. fix(deps): Update security updates [SECURITY] (#4303)

    This PR contains the following updates:
    
    | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
    |---|---|---|---|
    | [pypdf](https://redirect.github.com/py-pdf/pypdf) ([changelog](https://pypdf.readthedocs.io/en/latest/meta/CHANGELOG.html)) | `6.9.1` → `6.9.2` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/pypdf/6.9.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/pypdf/6.9.1/6.9.2?slim=true) |
    | [requests](https://redirect.github.com/psf/requests) ([changelog](https://redirect.github.com/psf/requests/blob/master/HISTORY.md)) | `2.32.5` → `2.33.0` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.33.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.32.5/2.33.0?slim=true) |
    
    ### GitHub Vulnerability Alerts
    
    #### [CVE-2026-33699](https://redirect.github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3)
    
    ### Impact
    
    An attacker who uses this vulnerability can craft a PDF which leads to
    an infinite loop. This requires reading a file in non-strict mode.
    
    ### Patches
    
    This has been fixed in
    [pypdf==6.9.2](https://redirect.github.com/py-pdf/pypdf/releases/tag/6.9.2).
    
    ### Workarounds
    
    If users cannot upgrade yet, consider applying the changes from PR
    [#3693](https://redirect.github.com/py-pdf/pypdf/pull/3693).
    
    #### [CVE-2026-25645](https://redirect.github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2)
    
    ### Impact
    The `requests.utils.extract_zipped_paths()` utility function uses a
    predictable filename when extracting files from zip archives into the
    system temporary directory. If the target file already exists, it is
    reused without validation. A local attacker with write access to the
    temp directory could pre-create a malicious file that would be loaded in
    place of the legitimate one.
    
    ### Affected usages
    **Standard usage of the Requests library is not affected by this
    vulnerability.** Only applications that call `extract_zipped_paths()`
    directly are impacted.
    
    ### Remediation
    Upgrade to at least Requests 2.33.0, where the library now extracts
    files to a non-deterministic location.
    
    If developers are unable to upgrade, they can set `TMPDIR` in their
    environment to a directory with restricted write access.
    
    ---
    
    ### Release Notes
    
    <details>
    <summary>py-pdf/pypdf (pypdf)</summary>
    
    ### [`v6.9.2`](https://redirect.github.com/py-pdf/pypdf/blob/HEAD/CHANGELOG.md#Version-692-2026-03-23)
    
    [Compare Source](https://redirect.github.com/py-pdf/pypdf/compare/6.9.1...6.9.2)
    
    ##### Security (SEC)
    
    - Avoid infinite loop in read\_from\_stream for broken files
      ([#3693](https://redirect.github.com/py-pdf/pypdf/issues/3693))
    
    ##### Robustness (ROB)
    
    - Resolve UnboundLocalError for xobjs in \_get\_image
      ([#3684](https://redirect.github.com/py-pdf/pypdf/issues/3684))
    
    [Full Changelog](https://redirect.github.com/py-pdf/pypdf/compare/6.9.1...6.9.2)
    
    </details>
    
    <details>
    <summary>psf/requests (requests)</summary>
    
    ### [`v2.33.0`](https://redirect.github.com/psf/requests/blob/HEAD/HISTORY.md#2330-2026-03-25)
    
    [Compare Source](https://redirect.github.com/psf/requests/compare/v2.32.5...v2.33.0)
    
    **Announcements**
    
    - 📣 Requests is adding inline types. If you have a typed code base that
      uses Requests, please take a look at
      [#7271](https://redirect.github.com/psf/requests/issues/7271).
      Give it a try, and report any gaps or feedback you may have in the
      issue. 📣
    
    **Security**
    
    - CVE-2026-25645 `requests.utils.extract_zipped_paths` now extracts
      contents to a non-deterministic location to prevent malicious file
      replacement. This does not affect default usage of Requests, only
      applications calling the utility function directly.
    
    **Improvements**
    
    - Migrated to a PEP 517 build system using setuptools.
      ([#7012](https://redirect.github.com/psf/requests/issues/7012))
    
    **Bugfixes**
    
    - Fixed an issue where an empty netrc entry could cause
      malformed authentication to be applied to Requests on
      Python 3.11+.
      ([#7205](https://redirect.github.com/psf/requests/issues/7205))
    
    **Deprecations**
    
    - Dropped support for Python 3.9 following its end of support.
      ([#7196](https://redirect.github.com/psf/requests/issues/7196))
    
    **Documentation**
    
    - Various typo fixes and doc improvements.
    
    </details>
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: Branch creation - At any time (no schedule defined),
    Automerge - At any time (no schedule defined).
    
    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.
    
    ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
    rebase/retry checkbox.
    
    👻 **Immortal**: This PR will be recreated if closed unmerged. Get
    [config
    help](https://redirect.github.com/renovatebot/renovate/discussions) if
    that's undesired.
    
    ---
    
    - [ ] If you want to rebase/retry this PR, check this box
    
    ---
    
    This PR has been generated by [Renovate
    Bot](https://redirect.github.com/renovatebot/renovate).
    
    
    Co-authored-by: utic-renovate[bot] <235200891+utic-renovate[bot]@users.noreply.github.com>
    utic-renovate[bot] authored Mar 26, 2026
    6447dab View commit details
  2. b0e86a4 View commit details
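
The CVE-2026-25645 advisory quoted in the first commit message describes a predictable file name in the shared temp directory that is reused if it already exists, and a fix that extracts to a non-deterministic location. The sketch below is an added example, not code from Requests or from this repository: `extract_predictable`, `extract_private`, `demo` and the sample archive are hypothetical names and constructed data that model the two patterns side by side.

```python
import os
import tempfile
import zipfile


def extract_predictable(archive, member, tmpdir):
    """Pattern the advisory describes: fixed name in a shared temp dir, reused if present."""
    target = os.path.join(tmpdir, os.path.basename(member))
    if not os.path.exists(target):  # an existing file is trusted without validation
        with zipfile.ZipFile(archive) as zf, open(target, "wb") as out:
            out.write(zf.read(member))
    return target


def extract_private(archive, member):
    """Hardened pattern: a fresh, randomly named directory (mode 0700) per extraction."""
    workdir = tempfile.mkdtemp(prefix="extract-")
    target = os.path.join(workdir, os.path.basename(member))
    with zipfile.ZipFile(archive) as zf:
        data = zf.read(member)
    # O_EXCL fails instead of reusing or following anything already at the path.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    return target


def demo():
    """Build a constructed archive, pre-create a conflicting file, compare both patterns."""
    shared_tmp = tempfile.mkdtemp(prefix="shared-tmp-")  # stands in for a world-writable temp dir
    archive = os.path.join(shared_tmp, "bundle.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("data/cacert.pem", b"LEGITIMATE BUNDLE\n")  # constructed sample
    # A file with the predictable name already exists before extraction runs.
    with open(os.path.join(shared_tmp, "cacert.pem"), "wb") as f:
        f.write(b"PRE-EXISTING CONTENT\n")

    paths = {
        "predictable": extract_predictable(archive, "data/cacert.pem", shared_tmp),
        "private": extract_private(archive, "data/cacert.pem"),
    }
    results = {}
    for name, path in paths.items():
        with open(path, "rb") as f:
            results[name] = f.read()
    return results


if __name__ == "__main__":
    print(demo())
```

The advisory's `TMPDIR` workaround addresses the same condition from the other side: it removes other users' write access to the directory the predictable name lives in.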