Skip to content

⬆️ Updates GitPython to v3.1.41 [SECURITY]#3546

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/pypi-gitpython-vulnerability
Open

⬆️ Updates GitPython to v3.1.41 [SECURITY]#3546
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/pypi-gitpython-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Mar 30, 2026

This PR contains the following updates:

Package Change Age Confidence
GitPython ==3.1.27==3.1.41 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-24439

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

CVE-2023-40267

GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from, making it vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.

CVE-2023-40590

Summary

When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment (see big warning in https://docs.python.org/3/library/subprocess.html#popen-constructor). GitPython defaults to use the git command, if a user runs GitPython from a repo has a git.exe or git executable, that program will be run instead of the one in the user's PATH.

Details

This is more of a problem on how Python interacts with Windows systems, Linux and any other OS aren't affected by this. But probably people using GitPython usually run it from the CWD of a repo.

The execution of the git command happens in

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/cmd.py#L277

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/cmd.py#L983-L996

And there are other commands executed that should probably be aware of this problem.

PoC

On a Windows system, create a git.exe or git executable in any directory, and import or run GitPython from that directory

python -c "import git"

The git executable from the current directory will be run.

Impact

An attacker can trick a user to download a repository with a malicious git executable, if the user runs/imports GitPython from that directory, it allows the attacker to run any arbitrary commands.

Possible solutions

  • Default to an absolute path for the git program on Windows, like C:\\Program Files\\Git\\cmd\\git.EXE (default git path installation).
  • Require users to set the GIT_PYTHON_GIT_EXECUTABLE environment variable on Windows systems.
  • Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the GIT_PYTHON_GIT_EXECUTABLE env var to an absolute path.
  • Resolve the executable manually by only looking into the PATH environment variable (suggested by @​Byron)

Note

This vulnerability was reported via email, and it was decided to publish it here and make it public, so the community is aware of it, and a fix can be provided.

CVE-2024-22190

Summary

This issue exists because of an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run git, as well as when it runs bash.exe to interpret hooks. If either of those features are used on Windows, a malicious git.exe or bash.exe may be run from an untrusted repository.

Details

Although GitPython often avoids executing programs found in an untrusted search path since 3.1.33, two situations remain where this still occurs. Either can allow arbitrary code execution under some circumstances.

When a shell is used

GitPython can be told to run git commands through a shell rather than as direct subprocesses, by passing shell=True to any method that accepts it, or by both setting Git.USE_SHELL = True and not passing shell=False. Then the Windows cmd.exe shell process performs the path search, and GitPython does not prevent that shell from finding and running git in the current directory.

When GitPython runs git directly rather than through a shell, the GitPython process performs the path search, and currently omits the current directory by setting NoDefaultCurrentDirectoryInExePath in its own environment during the Popen call. Although the cmd.exe shell will honor this environment variable when present, GitPython does not currently pass it into the shell subprocess's environment.

Furthermore, because GitPython sets the subprocess CWD to the root of a repository's working tree, using a shell will run a malicious git.exe in an untrusted repository even if GitPython itself is run from a trusted location.

This also applies if Git.execute is called directly with shell=True (or after Git.USE_SHELL = True) to run any command.

When hook scripts are run

On Windows, GitPython uses bash.exe to run hooks that appear to be scripts. However, unlike when running git, no steps are taken to avoid finding and running bash.exe in the current directory.

This allows the author of an untrusted fork or branch to cause a malicious bash.exe to be run in some otherwise safe workflows. An example of such a scenario is if the user installs a trusted hook while on a trusted branch, then switches to an untrusted feature branch (possibly from a fork) to review proposed changes. If the untrusted feature branch contains a malicious bash.exe and the user's current working directory is the working tree, and the user performs an action that runs the hook, then although the hook itself is uncorrupted, it runs with the malicious bash.exe.

Note that, while bash.exe is a shell, this is a separate scenario from when git is run using the unrelated Windows cmd.exe shell.

PoC

On Windows, create a git.exe file in a repository. Then create a Repo object, and call any method through it (directly or indirectly) that supports the shell keyword argument with shell=True:

mkdir testrepo
git init testrepo
cp ... testrepo git.exe # Replace "..." with any executable of choice.
python -c "import git; print(git.Repo('testrepo').git.version(shell=True))"

The git.exe executable in the repository directory will be run.

Or use no Repo object, but do it from the location with the git.exe:

cd testrepo
python -c "import git; print(git.Git().version(shell=True))"

The git.exe executable in the current directory will be run.

For the scenario with hooks, install a hook in a repository, create a bash.exe file in the current directory, and perform an operation that causes GitPython to attempt to run the hook:

mkdir testrepo
cd testrepo
git init
mv .git/hooks/pre-commit.sample .git/hooks/pre-commit
cp ... bash.exe # Replace "..." with any executable of choice.
echo "Some text" >file.txt
git add file.txt
python -c "import git; git.Repo().index.commit('Some message')"

The bash.exe executable in the current directory will be run.

Impact

The greatest impact is probably in applications that set Git.USE_SHELL = True for historical reasons. (Undesired console windows had, in the past, been created in some kinds of applications, when it was not used.) Such an application may be vulnerable to arbitrary code execution from a malicious repository, even with no other exacerbating conditions. This is to say that, if a shell is used to run git, the full effect of CVE-2023-40590 is still present. Furthermore, as noted above, running the application itself from a trusted directory is not a sufficient mitigation.

An application that does not direct GitPython to use a shell to run git subprocesses thus avoids most of the risk. However, there is no such straightforward way to prevent GitPython from running bash.exe to interpret hooks. So while the conditions needed for that to be exploited are more involved, it may be harder to mitigate decisively prior to patching.

Possible solutions

A straightforward approach would be to address each bug directly:

  • When a shell is used, pass NoDefaultCurrentDirectoryInExePath into the subprocess environment, because in that scenario the subprocess is the cmd.exe shell that itself performs the path search.
  • Set NoDefaultCurrentDirectoryInExePath in the GitPython process environment during the Popen call made to run hooks with a bash.exe subprocess.

These need only be done on Windows.

CVE-2023-41040

Summary

In order to resolve some git references, GitPython reads files from the .git directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the .git directory. This allows an attacker to make GitPython read any file from the system.

Details

This vulnerability is present in

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175

That code joins the base directory with a user given string without checking if the final path is located outside the base directory.

I was able to exploit it from three places, but there may be more code paths that lead to it:

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/repo/base.py#L605

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/repo/base.py#L620

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/index/base.py#L1353

PoC

Running GitPython within any repo should work, here is an example with the GitPython repo.

import git

r = git.Repo(".")

# This will make GitPython read the README.md file from the root of the repo
r.commit("../README.md")
r.tree("../README.md")
r.index.diff("../README.md")

# Reading /etc/random

# WARNING: this will probably halt your system, run with caution
# r.commit("../../../../../../../../../dev/random")

Impact

I wasn't able to show the contents of the files (that's why "blind" local file inclusion), depending on how GitPython is being used, this can be used by an attacker for something inoffensive as checking if a file exits, or cause a DoS by making GitPython read a big/infinite file (like /dev/random on Linux systems).

Possible solutions

A solution would be to check that the final path isn't located outside the repodir path (maybe even after resolving symlinks). Maybe there could be other checks in place to make sure that the reference names are valid.

Release Notes

gitpython-developers/GitPython (GitPython)

v3.1.41: - fix Windows security issue

Compare Source

The details about the Windows security issue can be found in this advisory.

Special thanks go to @​EliahKagan who reported the issue and fixed it in a single stroke, while being responsible for an incredible amount of improvements that he contributed over the last couple of months ❤️.

What's Changed

New Contributors

Full Changelog: gitpython-developers/GitPython@3.1.40...3.1.41

v3.1.40: - fix downstream CI

Compare Source

What's Changed

Full Changelog: gitpython-developers/GitPython@3.1.38...3.1.40

v3.1.38

Compare Source

What's Changed

New Contributors

Full Changelog: gitpython-developers/GitPython@3.1.37...3.1.38

v3.1.37: - a proper fix CVE-2023-41040

Compare Source

What's Changed

Full Changelog: gitpython-developers/GitPython@3.1.36...3.1.37

v3.1.36

Compare Source

v3.1.35: - a fix for CVE-2023-41040

Compare Source

What's Changed

New Contributors

Full Changelog: gitpython-developers/GitPython@3.1.34...3.1.35

v3.1.34: - fix resource leaking

Compare Source

What's Changed

New Contributors

Full Changelog: gitpython-developers/GitPython@3.1.33...3.1.34

v3.1.33: - with security fix

Compare Source

What's Changed

New Contributors

Full Changelog: gitpython-developers/GitPython@3.1.32...3.1.33

v3.1.32: - with another security update

Compare Source

What's Changed

New Contributors

Full Changelog: gitpython-developers/GitPython@3.1.31...3.1.32

v3.1.31

Compare Source

What's Changed

New Contributors

Full Changelog: gitpython-developers/GitPython@3.1.30...3.1.31

v3.1.30: - with important security fixes

Compare Source

See #​1515 for details.

What's Changed

New Contributors

Full Changelog: gitpython-developers/GitPython@3.1.29...3.1.30

v3.1.29

Compare Source

v3.1.28

Compare Source

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Copy Markdown
Contributor Author

renovate bot commented Mar 30, 2026

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

  • Branch has one or more failed status checks

@github-actions github-actions bot added the docs label Mar 30, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 30, 2026
edited
Loading

@check-spelling-bot Report

Unrecognized words, please review:

  • adr
  • akka
  • alexrogalskiy
  • allcontributors
  • api
  • arcver
  • assing
  • badgen
  • BETTERCODE
  • betterjavacode
  • blogspot
  • boopickle
  • bootcamp
  • brightgreen
  • bugfixes
  • buymeacoffee
  • ceb
  • codeready
  • codesandbox
  • codetriage
  • committers
  • configmaps
  • debezium
  • demystified
  • dependabot
  • devcases
  • devfile
  • dirtyreload
  • DOI
  • dreamix
  • dropdown
  • eab
  • eap
  • eisele
  • embeddableinstantiator
  • embeddables
  • facebook
  • fastai
  • fastpages
  • fastparse
  • firsttimersonly
  • flushmode
  • forthebadge
  • frapsoft
  • freemarker
  • FRP
  • fthomas
  • gerrit
  • getquill
  • GIFs
  • gitbook
  • gitflow
  • githubbox
  • gitpod
  • GPLv
  • Gradle
  • grunwald
  • guideslines
  • gunnar
  • Hashids
  • Hasids
  • helloworld
  • hitsofcode
  • hmil
  • infoworld
  • insidejava
  • Instantiator
  • IPhone
  • istio
  • janssen
  • japgolly
  • javacodegeeks
  • javafx
  • javamelody
  • javaone
  • JAVAPROG
  • jboss
  • jcliff
  • jdbc
  • jdk
  • jextract
  • jfr
  • jfrunit
  • johan
  • jpa
  • JRE
  • jsonignore
  • jsp
  • jsparty
  • julienrf
  • Jupyter
  • kubernetes
  • latestdoi
  • LETSTALK
  • letstalkaboutjava
  • LGPL
  • LGPLv
  • lihaoyi
  • liskov
  • logfile
  • mades
  • makeapullrequest
  • markdownguide
  • markus
  • matryoshka
  • mcve
  • mega
  • microservices
  • milessabin
  • mirrorring
  • mkdocs
  • modelviewculture
  • monix
  • mtl
  • mutationquery
  • namespaces
  • nestjs
  • Netflix
  • newreleases
  • nullables
  • nvie
  • objectmappers
  • odl
  • openapi
  • opengraph
  • opentelemetry
  • osslifecycle
  • oyanglul
  • pagespeedresultmobile
  • pasteable
  • patreon
  • paypal
  • PITMP
  • plumbr
  • podcast
  • precog
  • pufler
  • pypa
  • quarkus
  • quicklens
  • RANDOMTHOUGHTS
  • randomthoughtsonjavaprogramming
  • rce
  • reactify
  • readthedocs
  • reddit
  • renovatebot
  • reporoster
  • repostatus
  • resteasy
  • rfm
  • Rogalskiy
  • rogalsky
  • rubyonrails
  • runtimes
  • scalacss
  • scalafiddle
  • scalafmt
  • scalajs
  • scalameta
  • scalanlp
  • scalastyle
  • scalaz
  • scm
  • seeyoufarm
  • selectionquery
  • softwaremill
  • sourcegraph
  • spamming
  • splunk
  • sql
  • squants
  • squbs
  • sscce
  • stakeholders
  • starchart
  • sttp
  • stylegu
  • suggestig
  • suzaku
  • thejavaprogrammer
  • thorben
  • tilda
  • tokei
  • trufoj
  • tsb
  • tsbleo
  • tscojc
  • tscqlg
  • tsd
  • tsdllr
  • typelevel
  • udash
  • upickle
  • urt
  • ussue
  • violoate
  • vos
  • wget
  • wildfly
  • wix
  • workspaces
  • zenodo
  • zgc
  • zio
Previously acknowledged words that are now absent acl activesupport adaoraul addons aeiou AFile afterall Alexey alfredxing algolia allowfullscreen Anatoliy andreyvit Ankit Anning apps appveyor arengu args ariejan arounds asciinema asdf ashmaroli attr Autobuild autocompletion autogenerated Autolink autoload autoreconf autosave awood awscli backport backtick barcamp baseurl bashrc baz bbatsov bdimcheff bellvat benbalter Beney binstubs bip bitbucket Blogger blogging bonafide Bou breadcrumbs briandoll bridgetown bridgetownrb brightbox brighterplanet buddyworks Bugfix Burela byparker cachegrind calavera callgraphs cartera cavalle CDNs cgi changefreq chango charset Chayoung chcp chdir Cheatsheet Checkoway chmod chown Chrononaut chruby cibuild cimg circleci CJK classname cloudcannon Cloudinary cloudsh CLT CODEOWNERS coderay codeslinger coffeescript colorator commandline commonmark compat compatibilize concat configyml contentblocks CORS Cov CRLFs cron crontab cruft css csv Currin CVE CWD cygwin daringfireball Dassonville datafiles datetime DCEU Debian debuggability defunkt delegators deployer deps dest Devkit devops digitalocean dirs disqus ditaa dnf doclist doctype doeorg dommmel dotfile Dousse downcase downcased duckduckgo duritong Dusseau dysinger ecf editorconfig eduardoboucas Elasticsearch elsif Emacs emails endcapture endcomment endfor endhighlight endif endraw endrender endtablerow Enumerables EOL erb errordocument Espinaco eugenebolshakov evaled exe execjs extensionpack extname exts favicon Fengyun ffi figcaption filesystem Finazzo firstimage FIXME flakey flickr fnmatch fontello forloop formcake formcarry formester formingo formkeep formspark formspree formx Forwardable frameborder freenode frontend frontmatter fsnotify ftp fullstory Gaudino gcc gcnovus gemfile gemset gemspec getform getset getsimpleform gettalong gfm ghp ghpages giraffeacademy githubcom gitignore gitlab gjtorikian globbed globbing google gotcha Goulven gridism GSo gsub gsubbing Hakiri hardcode hashbang hashmap helaili henrik heredoc heroku highlighter hilighting Hoizey hostman hostname htaccess htm htmlproofer httpd httpdocs hyperlinks Iaa ial ico icomoon iconset ified iframe Impl Inlining invokables irc ivey ize jalali jameshamann jamstackthemes jan Jax jayferd jcon jdoe jeffreytse jeffrydegrande Jekpack jekyllbot jekyllconf Jekyllers Jekyllin Jekylling jekyllized jekylllayoutconcept jekyllrb jekyllthemes jemoji jmcglone jneen johnreilly jpg jqr jruby jsonify juretta jwarby Kacper Kasberg kbd Kentico Kewin keycdn kickster Kinnula kiwifruit Kolesky konklone kontent Kotvinsky kramdown Kulig Kwokfu Lamprecht laquo lastmod launchctl launchy laurilehmijoki ldquo learnxinyminutes lexer LGTM libcurl libffi lightgray limjh linenos linkify linux liufengyun livereload localheinz localtime Locher loglevel Losslessly lovin lsi lsquo lstrip lyche macos macromates mademistakes Manmeet markdownify Maroli Marsceill maruku mathjax mathml mattr Maximiliano mchung mdash memberspace Memoize memoized memoizing mentoring mergable Mertcan mertkahyaoglu microdata mimetype mingw minibundle minifier minitest Mittal mixin mkasberg mkd mkdir mkdn mkdown mmistakes modernizr mojombo moncefbelyamani moz mreid msdn mswin MSYS mtime multiline munging Mvvm myblog mycontent mydata mydoc myimage mypage myposts myproject myrepo mysite myvalue myvar myvariable Nadjib nakanishi namespace namespaced navbar nbsp nearlyfreespeech nethack netlify netlifycms Neue nginx ngx nielsenramon nior noifniof nokogiri notextile onclick onebox oneclick onschedule openssl Optim orderofinterpretation orgs OSVDB osx packagecontrol pacman paginator pandoc pantulis params parkr parseable paspagon passthrough pathawks Pathutil paywall pdf Pelykh permalink PHP pinboard Piwigo pjhyett pkill pkpass placeholders planetjekyll plantuml plugin podcasts popen Porcel Posterous postfiles postlayout postmodern prefetching preinstalled prepends Prioritise Probot projectlist pubstorm pufuwozu pwa pwd pygments qrush Quaid rackup Rakefile razorops rbenv rdiscount rdoc rdquo realz rebund redcarpet redcloth redgreen refactor Refheap regen regex regexp remi reqs Responsify revertable rfc rfelix RHEL ridk roadmap rowspan rspec rsquo rstrip rsync rtomayko Rubo rubocop rubychan rubygem rubyinstaller rubyprof Ruparelia Rusiczki rvm ryanflorence saas samplelist samrayner sandboxed Sassc sassify schemastore Schroers Schwartzian scp scrollbar scroller scss scssify sdk SDKROOT sectore seo serverless setenv SFTP shingo shopify shortlog shoulda sieversii sigpipe simplecov Singhaniya siteleaf sitemap SITENAME Slicehost slugified slugify smartforms smartify snipcart somedir sonnym Sonomy sourced sourcemaps spam spotify ssg ssh SSL staticfiles staticman statictastic STDERR stdout Stickyposts strftime stringified Stringify stylesheet subdir subdomain subfolder subfolderitems subnav subpages subpath subpiece subsubfolderitems subthing subvalues subwidget sudo superdirectories superdirs SUSE sverrirs svn swfobject swupd symlink symlinking tablerow tada Taillandier talkyard tbody technicalpickles templating templatize Termux textilize textpattern thead therubyracer Theunissen Thornquest thoughtbot throughs Tidelift timeago timezone titleize TLS tmm tmp toc tok tomjoht toml tomo toolset toshimaru triaged triaging truncatewords tsv ttf Tudou Tumblr Tweetsert txtpen Tyborska tzinfo ubuntu uby ujh ultron undumpable unencode Unescape unescaping unicode uniq upcase uppercasing uri urlset username usr utf utils utime vanpelt Vasovi vendored vercel versioned vertycal Veyor vilcans Vishesh visualstudio vnd vohedge vps vscode vwochnik Walkthroughs wdm We'd webfont webhook webhosting webmentions webrick weekdate whitelist whitelisting wikipedia wildcards willcodeforfoo woff wordpress Workaround wsl xcode xcrun xdg Xhmikos xhtml Xiaoiver XMinutes xmlns xmlschema yajl Yarp Yashu Yastreb Youku youtube yunbox zeropadding Zlatan zlib zoneinfo zpinter Zsh zshrc zypper zzot
To accept these unrecognized words as correct (and remove the previously acknowledged and now absent words), run the following commands

... in a clone of the git@github.com:AlexRogalskiy/java-patterns.git repository
on the renovate/pypi-gitpython-vulnerability branch:

update_files() {
perl -e '
my @expect_files=qw('".github/actions/spelling/expect.txt"');
@ARGV=@expect_files;
my @stale=qw('"$patch_remove"');
my $re=join "|", @stale;
my $suffix=".".time();
my $previous="";
sub maybe_unlink { unlink($_[0]) if $_[0]; }
while (<>) {
if ($ARGV ne $old_argv) { maybe_unlink($previous); $previous="$ARGV$suffix"; rename($ARGV, $previous); open(ARGV_OUT, ">$ARGV"); select(ARGV_OUT); $old_argv = $ARGV; }
next if /^(?:$re)(?:(?:\r|\n)*$| .*)/; print;
}; maybe_unlink($previous);'
perl -e '
my $new_expect_file=".github/actions/spelling/expect.txt";
use File::Path qw(make_path);
use File::Basename qw(dirname);
make_path (dirname($new_expect_file));
open FILE, q{<}, $new_expect_file; chomp(my @words = <FILE>); close FILE;
my @add=qw('"$patch_add"');
my %items; @items{@words} = @words x (1); @items{@add} = @add x (1);
@words = sort {lc($a)."-".$a cmp lc($b)."-".$b} keys %items;
open FILE, q{>}, $new_expect_file; for my $word (@words) { print FILE "$word\n" if $word =~ /\w/; };
close FILE;
system("git", "add", $new_expect_file);
'
}

comment_json=$(mktemp)
curl -L -s -S \
  --header "Content-Type: application/json" \
  "https://api.github.com/repos/AlexRogalskiy/java-patterns/issues/comments/4158568949" > "$comment_json"
comment_body=$(mktemp)
jq -r .body < "$comment_json" > $comment_body
rm $comment_json

patch_remove=$(perl -ne 'next unless s{^</summary>(.*)</details>$}{$1}; print' < "$comment_body")
  

patch_add=$(perl -e '$/=undef;
$_=<>;
s{<details>.*}{}s;
s{^#.*}{};
s{\n##.*}{};
s{(?:^|\n)\s*\*}{}g;
s{\s+}{ }g;
print' < "$comment_body")
  
update_files
rm $comment_body
git add -u
If you see a bunch of garbage

If it relates to a ...

well-formed pattern

See if there's a pattern that would match it.

If not, try writing one and adding it to the patterns.txt file.

Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.

Note that patterns can't match multiline strings.

binary-ish string

Please add a file path to the excludes.txt file instead of just accepting the garbage.

File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.

^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).

@renovate
⬆️ Updates GitPython to v3.1.41 [SECURITY]
67bd36e 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/pypi-gitpython-vulnerability branch from 136c72b to 67bd36e Compare April 6, 2026 01:14
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 6, 2026
edited
Loading

@check-spelling-bot Report

Unrecognized words, please review:

  • adr
  • akka
  • alexrogalskiy
  • allcontributors
  • api
  • arcver
  • assing
  • badgen
  • BETTERCODE
  • betterjavacode
  • blogspot
  • boopickle
  • bootcamp
  • brightgreen
  • bugfixes
  • buymeacoffee
  • ceb
  • codeready
  • codesandbox
  • codetriage
  • committers
  • configmaps
  • debezium
  • demystified
  • dependabot
  • devcases
  • devfile
  • dirtyreload
  • DOI
  • dreamix
  • dropdown
  • eab
  • eap
  • eisele
  • embeddableinstantiator
  • embeddables
  • facebook
  • fastai
  • fastpages
  • fastparse
  • firsttimersonly
  • flushmode
  • forthebadge
  • frapsoft
  • freemarker
  • FRP
  • fthomas
  • gerrit
  • getquill
  • GIFs
  • gitbook
  • gitflow
  • githubbox
  • gitpod
  • GPLv
  • Gradle
  • grunwald
  • guideslines
  • gunnar
  • Hashids
  • Hasids
  • helloworld
  • hitsofcode
  • hmil
  • infoworld
  • insidejava
  • Instantiator
  • IPhone
  • istio
  • janssen
  • japgolly
  • javacodegeeks
  • javafx
  • javamelody
  • javaone
  • JAVAPROG
  • jboss
  • jcliff
  • jdbc
  • jdk
  • jextract
  • jfr
  • jfrunit
  • johan
  • jpa
  • JRE
  • jsonignore
  • jsp
  • jsparty
  • julienrf
  • Jupyter
  • kubernetes
  • latestdoi
  • LETSTALK
  • letstalkaboutjava
  • LGPL
  • LGPLv
  • lihaoyi
  • liskov
  • logfile
  • mades
  • makeapullrequest
  • markdownguide
  • markus
  • matryoshka
  • mcve
  • mega
  • microservices
  • milessabin
  • mirrorring
  • mkdocs
  • modelviewculture
  • monix
  • mtl
  • mutationquery
  • namespaces
  • nestjs
  • Netflix
  • newreleases
  • nullables
  • nvie
  • objectmappers
  • odl
  • openapi
  • opengraph
  • opentelemetry
  • osslifecycle
  • oyanglul
  • pagespeedresultmobile
  • pasteable
  • patreon
  • paypal
  • PITMP
  • plumbr
  • podcast
  • precog
  • pufler
  • pypa
  • quarkus
  • quicklens
  • RANDOMTHOUGHTS
  • randomthoughtsonjavaprogramming
  • rce
  • reactify
  • readthedocs
  • reddit
  • renovatebot
  • reporoster
  • repostatus
  • resteasy
  • rfm
  • Rogalskiy
  • rogalsky
  • rubyonrails
  • runtimes
  • scalacss
  • scalafiddle
  • scalafmt
  • scalajs
  • scalameta
  • scalanlp
  • scalastyle
  • scalaz
  • scm
  • seeyoufarm
  • selectionquery
  • softwaremill
  • sourcegraph
  • spamming
  • splunk
  • sql
  • squants
  • squbs
  • sscce
  • stakeholders
  • starchart
  • sttp
  • stylegu
  • suggestig
  • suzaku
  • thejavaprogrammer
  • thorben
  • tilda
  • tokei
  • trufoj
  • tsb
  • tsbleo
  • tscojc
  • tscqlg
  • tsd
  • tsdllr
  • typelevel
  • udash
  • upickle
  • urt
  • ussue
  • violoate
  • vos
  • wget
  • wildfly
  • wix
  • workspaces
  • zenodo
  • zgc
  • zio
Previously acknowledged words that are now absent acl activesupport adaoraul addons aeiou AFile afterall Alexey alfredxing algolia allowfullscreen Anatoliy andreyvit Ankit Anning apps appveyor arengu args ariejan arounds asciinema asdf ashmaroli attr Autobuild autocompletion autogenerated Autolink autoload autoreconf autosave awood awscli backport backtick barcamp baseurl bashrc baz bbatsov bdimcheff bellvat benbalter Beney binstubs bip bitbucket Blogger blogging bonafide Bou breadcrumbs briandoll bridgetown bridgetownrb brightbox brighterplanet buddyworks Bugfix Burela byparker cachegrind calavera callgraphs cartera cavalle CDNs cgi changefreq chango charset Chayoung chcp chdir Cheatsheet Checkoway chmod chown Chrononaut chruby cibuild cimg circleci CJK classname cloudcannon Cloudinary cloudsh CLT CODEOWNERS coderay codeslinger coffeescript colorator commandline commonmark compat compatibilize concat configyml contentblocks CORS Cov CRLFs cron crontab cruft css csv Currin CVE CWD cygwin daringfireball Dassonville datafiles datetime DCEU Debian debuggability defunkt delegators deployer deps dest Devkit devops digitalocean dirs disqus ditaa dnf doclist doctype doeorg dommmel dotfile Dousse downcase downcased duckduckgo duritong Dusseau dysinger ecf editorconfig eduardoboucas Elasticsearch elsif Emacs emails endcapture endcomment endfor endhighlight endif endraw endrender endtablerow Enumerables EOL erb errordocument Espinaco eugenebolshakov evaled exe execjs extensionpack extname exts favicon Fengyun ffi figcaption filesystem Finazzo firstimage FIXME flakey flickr fnmatch fontello forloop formcake formcarry formester formingo formkeep formspark formspree formx Forwardable frameborder freenode frontend frontmatter fsnotify ftp fullstory Gaudino gcc gcnovus gemfile gemset gemspec getform getset getsimpleform gettalong gfm ghp ghpages giraffeacademy githubcom gitignore gitlab gjtorikian globbed globbing google gotcha Goulven gridism GSo gsub gsubbing Hakiri hardcode hashbang hashmap helaili henrik heredoc heroku highlighter hilighting Hoizey hostman hostname htaccess htm htmlproofer httpd httpdocs hyperlinks Iaa ial ico icomoon iconset ified iframe Impl Inlining invokables irc ivey ize jalali jameshamann jamstackthemes jan Jax jayferd jcon jdoe jeffreytse jeffrydegrande Jekpack jekyllbot jekyllconf Jekyllers Jekyllin Jekylling jekyllized jekylllayoutconcept jekyllrb jekyllthemes jemoji jmcglone jneen johnreilly jpg jqr jruby jsonify juretta jwarby Kacper Kasberg kbd Kentico Kewin keycdn kickster Kinnula kiwifruit Kolesky konklone kontent Kotvinsky kramdown Kulig Kwokfu Lamprecht laquo lastmod launchctl launchy laurilehmijoki ldquo learnxinyminutes lexer LGTM libcurl libffi lightgray limjh linenos linkify linux liufengyun livereload localheinz localtime Locher loglevel Losslessly lovin lsi lsquo lstrip lyche macos macromates mademistakes Manmeet markdownify Maroli Marsceill maruku mathjax mathml mattr Maximiliano mchung mdash memberspace Memoize memoized memoizing mentoring mergable Mertcan mertkahyaoglu microdata mimetype mingw minibundle minifier minitest Mittal mixin mkasberg mkd mkdir mkdn mkdown mmistakes modernizr mojombo moncefbelyamani moz mreid msdn mswin MSYS mtime multiline munging Mvvm myblog mycontent mydata mydoc myimage mypage myposts myproject myrepo mysite myvalue myvar myvariable Nadjib nakanishi namespace namespaced navbar nbsp nearlyfreespeech nethack netlify netlifycms Neue nginx ngx nielsenramon nior noifniof nokogiri notextile onclick onebox oneclick onschedule openssl Optim orderofinterpretation orgs OSVDB osx packagecontrol pacman paginator pandoc pantulis params parkr parseable paspagon passthrough pathawks Pathutil paywall pdf Pelykh permalink PHP pinboard Piwigo pjhyett pkill pkpass placeholders planetjekyll plantuml plugin podcasts popen Porcel Posterous postfiles postlayout postmodern prefetching preinstalled prepends Prioritise Probot projectlist pubstorm pufuwozu pwa pwd pygments qrush Quaid rackup Rakefile razorops rbenv rdiscount rdoc rdquo realz rebund redcarpet redcloth redgreen refactor Refheap regen regex regexp remi reqs Responsify revertable rfc rfelix RHEL ridk roadmap rowspan rspec rsquo rstrip rsync rtomayko Rubo rubocop rubychan rubygem rubyinstaller rubyprof Ruparelia Rusiczki rvm ryanflorence saas samplelist samrayner sandboxed Sassc sassify schemastore Schroers Schwartzian scp scrollbar scroller scss scssify sdk SDKROOT sectore seo serverless setenv SFTP shingo shopify shortlog shoulda sieversii sigpipe simplecov Singhaniya siteleaf sitemap SITENAME Slicehost slugified slugify smartforms smartify snipcart somedir sonnym Sonomy sourced sourcemaps spam spotify ssg ssh SSL staticfiles staticman statictastic STDERR stdout Stickyposts strftime stringified Stringify stylesheet subdir subdomain subfolder subfolderitems subnav subpages subpath subpiece subsubfolderitems subthing subvalues subwidget sudo superdirectories superdirs SUSE sverrirs svn swfobject swupd symlink symlinking tablerow tada Taillandier talkyard tbody technicalpickles templating templatize Termux textilize textpattern thead therubyracer Theunissen Thornquest thoughtbot throughs Tidelift timeago timezone titleize TLS tmm tmp toc tok tomjoht toml tomo toolset toshimaru triaged triaging truncatewords tsv ttf Tudou Tumblr Tweetsert txtpen Tyborska tzinfo ubuntu uby ujh ultron undumpable unencode Unescape unescaping unicode uniq upcase uppercasing uri urlset username usr utf utils utime vanpelt Vasovi vendored vercel versioned vertycal Veyor vilcans Vishesh visualstudio vnd vohedge vps vscode vwochnik Walkthroughs wdm We'd webfont webhook webhosting webmentions webrick weekdate whitelist whitelisting wikipedia wildcards willcodeforfoo woff wordpress Workaround wsl xcode xcrun xdg Xhmikos xhtml Xiaoiver XMinutes xmlns xmlschema yajl Yarp Yashu Yastreb Youku youtube yunbox zeropadding Zlatan zlib zoneinfo zpinter Zsh zshrc zypper zzot
To accept these unrecognized words as correct (and remove the previously acknowledged and now absent words), run the following commands

... in a clone of the git@github.com:AlexRogalskiy/java-patterns.git repository
on the renovate/pypi-gitpython-vulnerability branch:

update_files() {
perl -e '
my @expect_files=qw('".github/actions/spelling/expect.txt"');
@ARGV=@expect_files;
my @stale=qw('"$patch_remove"');
my $re=join "|", @stale;
my $suffix=".".time();
my $previous="";
sub maybe_unlink { unlink($_[0]) if $_[0]; }
while (<>) {
if ($ARGV ne $old_argv) { maybe_unlink($previous); $previous="$ARGV$suffix"; rename($ARGV, $previous); open(ARGV_OUT, ">$ARGV"); select(ARGV_OUT); $old_argv = $ARGV; }
next if /^(?:$re)(?:(?:\r|\n)*$| .*)/; print;
}; maybe_unlink($previous);'
perl -e '
my $new_expect_file=".github/actions/spelling/expect.txt";
use File::Path qw(make_path);
use File::Basename qw(dirname);
make_path (dirname($new_expect_file));
open FILE, q{<}, $new_expect_file; chomp(my @words = <FILE>); close FILE;
my @add=qw('"$patch_add"');
my %items; @items{@words} = @words x (1); @items{@add} = @add x (1);
@words = sort {lc($a)."-".$a cmp lc($b)."-".$b} keys %items;
open FILE, q{>}, $new_expect_file; for my $word (@words) { print FILE "$word\n" if $word =~ /\w/; };
close FILE;
system("git", "add", $new_expect_file);
'
}

comment_json=$(mktemp)
curl -L -s -S \
  --header "Content-Type: application/json" \
  "https://api.github.com/repos/AlexRogalskiy/java-patterns/issues/comments/4189893523" > "$comment_json"
comment_body=$(mktemp)
jq -r .body < "$comment_json" > $comment_body
rm $comment_json

patch_remove=$(perl -ne 'next unless s{^</summary>(.*)</details>$}{$1}; print' < "$comment_body")
  

patch_add=$(perl -e '$/=undef;
$_=<>;
s{<details>.*}{}s;
s{^#.*}{};
s{\n##.*}{};
s{(?:^|\n)\s*\*}{}g;
s{\s+}{ }g;
print' < "$comment_body")
  
update_files
rm $comment_body
git add -u
If you see a bunch of garbage

If it relates to a ...

well-formed pattern

See if there's a pattern that would match it.

If not, try writing one and adding it to the patterns.txt file.

Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.

Note that patterns can't match multiline strings.

binary-ish string

Please add a file path to the excludes.txt file instead of just accepting the garbage.

File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.

^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).

github-actions[bot]
github-actions bot reviewed Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Scan Summary

Tool Critical High Medium Low Status
Dependency Scan (universal) 2 12 14 0
Security Audit for Infrastructure 14 92 8 32
Kotlin Security Audit 0 0 0 0
Kotlin Static Analysis 0 0 0 0
Python Source Analyzer 0 0 0 0
Secrets Audit 0 4 0 0
Shell Script Analysis 0 0 0 195

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Assignees

No one assigned

Labels

docs javascript dependencies security findings

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants