Skip to content

build(deps): update dulwich requirement from <0.23,>=0.21.7 to >=1.2.6,<1.3 in /requirements#396

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/requirements/dulwich-gte-1.2.6-and-lt-1.3
Open

build(deps): update dulwich requirement from <0.23,>=0.21.7 to >=1.2.6,<1.3 in /requirements#396
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/requirements/dulwich-gte-1.2.6-and-lt-1.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 1, 2026

Copy link
Copy Markdown
Contributor

Updates the requirements on dulwich to permit the latest version.

Changelog

Sourced from dulwich's changelog.

1.2.6 2026-05-31

  • SECURITY: Honor core.protectNTFS/core.protectHFS on all work-tree updates. The 1.2.5 path hardening (CVE-2026-42305) only reached checkout and reset; update_working_tree (used by merge, pull and others) fell back to the default validator, so a crafted branch could still check out an NTFS-unsafe name such as git~2 even with core.protectNTFS=true. (Jelmer Vernooij; reported by donovan-jasper)

  • SECURITY: Reject patch target paths that escape the work tree in apply_patches. Patch headers are untrusted (e.g. git am of a mailbox), so a +++/rename path such as ../../etc/cron.d/x or an absolute path was joined onto the repo path and written outside the working tree. Such paths are now refused. (netliomax25-code)

  • porcelain: Validate caller-supplied paths in checkout, restore and reset_file before writing, as defense in depth, so a .git or .. component (including NTFS/HFS .git aliases) cannot escape the work tree or write into the control directory. (Jelmer Vernooij)

  • Remove the force_remove_untracked argument from index.update_working_tree. It had been a no-op since the function was rewritten to apply changes from a diff iterator, and removing untracked files is not part of reset --hard semantics. (Jelmer Vernooij)

1.2.5 2026-05-28

  • SECURITY(GHSA-gfhv-vqv2-4544): Validate submodule paths in porcelain.submodule_update (and thus porcelain.clone(recurse_submodules=True)). A crafted upstream repository could carry a submodule whose path was .git/hooks (or any other path inside .git or above the work tree), causing the submodule's tree contents to be written there with their executable bits intact -- dropping a hook that later commands would run. Submodule paths are now rejected if they are absolute or carry a component that the configured path validator refuses, and the submodule's own tree is materialized with the same validator. This is the dulwich analogue of git's CVE-2024-32002 / CVE-2024-32004. (Jelmer Vernooij; reported by tonghuaroot)

  • SECURITY(CVE-2026-42305): Harden tree path validation against entry names that are harmless on POSIX but dangerous when checked out on Windows. A crafted tree could previously carry such names through to the work tree. validate_path_element_ntfs now also rejects:

    • Windows path separators, so an entry named

... (truncated)

Commits
  • bf903a4 Release 1.2.6
  • 8856523 porcelain: Validate paths in checkout, restore and reset_file (#2204)
  • 5ebfa95 porcelain: Validate paths in checkout, restore and reset_file
  • dc3298b Update NEWS
  • b463a91 index: Honor core.protectNTFS on all work-tree updates (#2203)
  • af29aae index: Drop dead force_remove_untracked argument
  • 6c2d385 reject patch paths that escape the work tree in apply_patches (#2200)
  • 78b09f8 reject patch paths that escape the work tree in apply_patches
  • 3305b85 index: Honor core.protectNTFS on all work-tree updates
  • 44b284f http: scope basic-auth credentials to the configured origin (#2202)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [dulwich](https://github.com/dulwich/dulwich) to permit the latest version.
- [Release notes](https://github.com/dulwich/dulwich/releases)
- [Changelog](https://github.com/jelmer/dulwich/blob/main/NEWS)
- [Commits](jelmer/dulwich@dulwich-0.21.7...dulwich-1.2.6)

---
updated-dependencies:
- dependency-name: dulwich
  dependency-version: 1.2.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies UI User interface: forms, widgets...

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants