[SECURITY] Update dependency black to v26.3.1 [SECURITY] #25

Merged
renovate-bot merged 1 commits from renovate/pypi-black-vulnerability into main 2026-03-14 05:00:50 +00:00

This PR contains the following updates:

| Package | Change |
|---|---|
| black (changelog) | 26.3.0 → 26.3.1 |

Black: Arbitrary file writes from unsanitized user input in cache file name

CVE-2026-32274 / GHSA-3936-cmfr-pm3m

More information

Details

Impact

Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.

Patches

Fixed in Black 26.3.1.

Workarounds

Do not allow untrusted user input into the value of the --python-cell-magics option.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

  • https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m
  • https://nvd.nist.gov/vuln/detail/CVE-2026-32274
  • https://github.com/psf/black/pull/5038
  • https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d
  • https://github.com/psf/black
  • https://github.com/psf/black/releases/tag/26.3.1

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

psf/black (black)

v26.3.1

Compare Source

Stable style
  • Prevent Jupyter notebook magic masking collisions from corrupting cells by using
    exact-length placeholders for short magics and aborting if a placeholder can no longer
    be unmasked safely (#5038)
Configuration
  • Always hash cache filename components derived from --python-cell-magics so custom
    magic names cannot affect cache paths (#5038)
Blackd
  • Disable browser-originated requests by default, add configurable origin allowlisting
    and request body limits, and bound executor submissions to improve backpressure
    (#5039)
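As an added illustration of the Impact paragraph above and of the 26.3.1 change that hashes the cache-key components derived from --python-cell-magics (this is a simplified model written for this note, not Black's own code and not part of this PR): the cache-key builder in its vulnerable and hardened forms, plus a containment check a defender can run before any write. The cache directory, line length and magic names are constructed values.

```python
import hashlib
import posixpath

# Simplified model (constructed for this note, not Black's own code) of a formatter
# cache whose file name is derived from formatting options, one of which is a
# user-supplied list of cell-magic names (cf. --python-cell-magics).

CACHE_DIR = "/tmp/fmt-cache"  # constructed example cache directory


def cache_key_unsanitized(line_length: int, magics: list[str]) -> str:
    """Vulnerable pattern: option values are concatenated verbatim into the key."""
    return f"{line_length}.{','.join(sorted(magics))}"


def cache_key_hashed(line_length: int, magics: list[str]) -> str:
    """Hardened pattern: the free-form component is hashed, so only hex digits
    derived from it ever reach the path, whatever the caller supplied."""
    joined = ",".join(sorted(magics)).encode("utf-8")
    return f"{line_length}.{hashlib.sha256(joined).hexdigest()[:16]}"


def cache_file(key: str, cache_dir: str = CACHE_DIR) -> str:
    return posixpath.join(cache_dir, f"cache.{key}.pickle")


def stays_inside(path: str, cache_dir: str = CACHE_DIR) -> bool:
    """Containment check to apply before any write: normalise lexically and require
    the target to sit under the cache directory (lexical only; symlinks not followed)."""
    base = posixpath.normpath(cache_dir)
    target = posixpath.normpath(path)
    return target == base or target.startswith(base + "/")


def compare(magics: list[str], line_length: int = 88) -> dict[str, object]:
    """Build both cache paths for one magics list and report where each lands."""
    naive = cache_file(cache_key_unsanitized(line_length, magics))
    hashed = cache_file(cache_key_hashed(line_length, magics))
    return {
        "naive_path": naive,
        "naive_inside": stays_inside(naive),
        "hashed_path": hashed,
        "hashed_inside": stays_inside(hashed),
    }


if __name__ == "__main__":
    # Constructed inputs: ordinary magic names, then a value carrying path traversal.
    for magics in (["custom_magic", "time"], ["../../../escaped"]):
        print(compare(magics))
```

The naive key lets a magic name containing path separators steer the file outside the cache directory; the hashed key yields a fixed-length hex component regardless of input, which is what the 26.3.1 release note describes.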

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

renovate-bot added 1 commit 2026-03-14 05:00:47 +00:00
[SECURITY] Update dependency black to v26.3.1 [SECURITY]
Some checks failed
Validate PR Title / validate (pull_request) Failing after 4s
CI / ci (pull_request) Successful in 32s
f12d139f85
renovate-bot requested review from luke 2026-03-14 05:00:47 +00:00
renovate-bot scheduled this pull request to auto merge when all checks succeed 2026-03-14 05:00:48 +00:00
renovate-bot merged commit 591cdceea7 into main 2026-03-14 05:00:50 +00:00
renovate-bot deleted branch renovate/pypi-black-vulnerability 2026-03-14 05:00:50 +00:00
Reference: repos/6to4_converter#25