Skip to content

Commit d786f70

Browse files
security: add msgpack as direct dependency for security fix
Add msgpack>=1.2.0 as a direct dependency to ensure the security fixes for Unpacker reuse vulnerability are properly enforced. The dependabot PR #67 already updated msgpack from 1.1.2 to 1.2.1 in uv.lock, but adding it as a direct dependency ensures the security constraint is explicitly declared and maintained. Security fixes in msgpack 1.2.1: - Harden Unpacker.__init__ re-entry cleanup to prevent buffer/context leaks - Fix use-after-free in get_data_from_buffer - Avoid memory leak when decoding invalid nested arrays - Check return codes in unpack callback functions Also fix ruff formatting issue in doctor.py docstring. Generated with [Devin](https://devin.ai) Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
1 parent 0b5f0cc commit d786f70

3 files changed

Lines changed: 5 additions & 2 deletions

File tree

pyproject.toml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,7 @@ classifiers = [
2525
dependencies = [
2626
"bandit>=1.9.4",
2727
"cryptography>=48.0.1",
28+
"msgpack>=1.2.0",
2829
"python-multipart>=0.0.31",
2930
"starlette>=1.3.1",
3031
]

teaagent/cli/_handlers/_doctor.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1005,7 +1005,7 @@ def doctor_config_lint_command(args: argparse.Namespace) -> int:
10051005

10061006
def print_json(value: Any) -> None:
10071007
"""Doctor-specific JSON output with additional sanitization layers.
1008-
1008+
10091009
This function applies doctor-specific redaction before delegating to the
10101010
centralized print_json function for final serialization and output.
10111011
"""

uv.lock

Lines changed: 3 additions & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)