Commit d786f70
security: add msgpack as direct dependency for security fix
Add msgpack>=1.2.0 as a direct dependency to ensure the security
fixes for Unpacker reuse vulnerability are properly enforced.
The dependabot PR #67 already updated msgpack from 1.1.2 to 1.2.1 in uv.lock,
but adding it as a direct dependency ensures the security constraint is
explicitly declared and maintained.
Security fixes in msgpack 1.2.1:
- Harden Unpacker.__init__ re-entry cleanup to prevent buffer/context leaks
- Fix use-after-free in get_data_from_buffer
- Avoid memory leak when decoding invalid nested arrays
- Check return codes in unpack callback functions
Also fix ruff formatting issue in doctor.py docstring.
Generated with [Devin](https://devin.ai)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
1 parent 0b5f0cc commit d786f70
3 files changed
Lines changed: 5 additions & 2 deletions
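The commit message above declares a floor of `msgpack>=1.2.0` while attributing the fixes to 1.2.1, which means the lock file, not the declared constraint, is what currently holds the project on a fixed release. The following script is an added example, not code from this repository or from the msgpack project: it reads a constructed `pyproject.toml` dependency list and a constructed `uv.lock` fragment (both shaped after the commit message, not copied from the repository), extracts the declared lower bound and the resolved version, and reports whether each one on its own guarantees the version in which a fix landed. The package name, the fix version and the file snippets are assumptions supplied for the demonstration.

```python
"""Audit a declared dependency floor against a lock file's resolved version.

Added example, not part of the commit. The pyproject / uv.lock snippets are
constructed to mirror the commit message and are not the repository's files.
"""
import re

# Constructed sample: a dependency list of the shape the commit message describes.
PYPROJECT_TEXT = '''
[project]
name = "example-project"
dependencies = [
    "msgpack>=1.2.0",
    "rich>=13.0",
]
'''

# Constructed sample: uv.lock-style package entries after a dependency bump.
UV_LOCK_TEXT = '''
[[package]]
name = "msgpack"
version = "1.2.1"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "rich"
version = "13.7.1"
source = { registry = "https://pypi.org/simple" }
'''


def parse_version(text):
    """'1.2.1' -> (1, 2, 1); stops at the first non-numeric segment."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def declared_specifier(pyproject_text, package):
    """Specifier string declared for `package` (e.g. '>=1.2.0'), or None."""
    for m in re.finditer(r'"([A-Za-z0-9_.\-]+)\s*([^"]*)"', pyproject_text):
        if m.group(1).lower() == package.lower():
            return m.group(2).strip()
    return None


def lower_bound(specifier):
    """Lowest version the specifier admits, from its >= / == / ~= clauses.

    Returns None when no clause establishes a floor (only '<', '!=' or unpinned).
    """
    floors = []
    for clause in specifier.split(","):
        m = re.search(r"(>=|==|~=)\s*([0-9][0-9A-Za-z.]*)", clause.strip())
        if m:
            floors.append(parse_version(m.group(2)))
    return max(floors) if floors else None


def locked_version(lock_text, package):
    """Resolved version of `package` in a uv.lock-style file, or None."""
    pat = re.compile(r'\[\[package\]\]\s+name = "([^"]+)"\s+version = "([^"]+)"')
    for m in pat.finditer(lock_text):
        if m.group(1).lower() == package.lower():
            return parse_version(m.group(2))
    return None


def audit(pyproject_text, lock_text, package, fixed_in):
    """Report whether the declared floor and the locked version each cover the fix."""
    fix = parse_version(fixed_in)
    spec = declared_specifier(pyproject_text, package)
    floor = lower_bound(spec) if spec else None
    locked = locked_version(lock_text, package)
    return {
        "declared": spec,
        # True only if the constraint alone excludes every version before the fix.
        "floor_guarantees_fix": floor is not None and floor >= fix,
        "locked": locked,
        # True if the currently resolved version already carries the fix.
        "locked_has_fix": locked is not None and locked >= fix,
    }


if __name__ == "__main__":
    # Assumed fix version taken from the commit message; package name assumed.
    print(audit(PYPROJECT_TEXT, UV_LOCK_TEXT, "msgpack", "1.2.1"))
```

With the constructed inputs the report shows `locked_has_fix` true but `floor_guarantees_fix` false: the lock pins 1.2.1, while `>=1.2.0` would still let a fresh resolution without the lock pick 1.2.0. Raising the floor to the fixed release makes both checks pass and removes the dependence on the lock file for the security guarantee.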
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
25 | 25 | | |
26 | 26 | | |
27 | 27 | | |
| 28 | + | |
28 | 29 | | |
29 | 30 | | |
30 | 31 | | |
| |||
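Review bot: the one-line addition at line 28 is, per the message, the new direct dependency, but the message declares it as `msgpack>=1.2.0` while attributing the listed fixes to 1.2.1; that floor still admits 1.2.0, so only the lock file currently holds the project on a fixed release. Suggest declaring `msgpack>=1.2.1` so the constraint enforces the fix on its own. The added line's text is not rendered in this view, so its exact content cannot be confirmed here.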
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1005 | 1005 | | |
1006 | 1006 | | |
1007 | 1007 | | |
1008 | | - | |
| 1008 | + | |
1009 | 1009 | | |
1010 | 1010 | | |
1011 | 1011 | | |
| |||
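Review bot: the one-line replacement at line 1008 is the unrelated ruff docstring fix in doctor.py named in the message; bundling a cosmetic change into a security dependency bump makes the security change harder to audit and to cherry-pick onto release branches, so it belongs in its own commit. The replaced text is not rendered in this view, so the message is the only record of what changed.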
Some generated files are not rendered by default.