
[Backline] Update gitpython to remove vulnerabilities in requirements.txt #8

Open
backline-ai[bot] wants to merge 1 commit into main from backline/9f3b4e57

Conversation


@backline-ai backline-ai Bot commented May 10, 2026

🔐 Security Vulnerability Fixes

This pull request was created and verified by Backline to fix security vulnerabilities in your dependencies.


📋 Remediation Overview

Verification

  • Local build: Passed (pip install --dry-run)
  • Tests: Not executed — no code changes were required beyond the package version upgrade

📄 A detailed report is available in a comment below.

📦 Package Updates & Vulnerability Fixes

gitpython

v3.1.31 → v3.1.50 (Recommended: >= 3.1.50)

Legend: 🟥 Critical | 🟧 High | 🟨 Medium | 🟦 Low

@backline-ai backline-ai Bot added the dependencies Pull requests that update a dependency file label May 10, 2026

backline-ai Bot commented May 10, 2026

Reasoning for the change

This remediation was triggered by a critical remote code execution (RCE) vulnerability in GitPython that allows attackers to bypass the previous CVE-2026-42215 patch by injecting newlines into the section parameter of the config_writer() method. This incomplete patch validation enables attackers to write arbitrary section headers into the .git/config file, including a forged [core] section with a malicious hooksPath that points to attacker-controlled code, leading to RCE when any git hook is triggered.

Package: gitpython

Vulnerabilities addressed
GHSA-mv93-w799-cj2w

Analyze upgrade options

  • Current version: 3.1.31 (direct dependency)
  • Fixed version range: >= 3.1.50
  • Selected target version: 3.1.50 — This is the lowest version that fully patches the newline injection vulnerability in the config_writer() section parameter, completing the incomplete CVE-2026-42215 patch from version 3.1.49.
  • Reason for target version:
    • Version 3.1.50 introduces proper input validation for the section and option parameters in addition to the value parameter, closing the bypass vector that existed in 3.1.49.
    • This is a patch-level upgrade (3.1.31 → 3.1.50) that avoids unnecessary major or minor version changes while delivering the critical security fix.
    • No dependency conflicts were detected during analysis.
  • Dependency path:
    • requirements.txt → gitpython

Breaking changes

No breaking changes detected. Our analysis did not identify any that affect the existing codebase.


What Backline did

Upgrade packages

  • Updated dependencies:
    • gitpython: 3.1.31 → 3.1.50
  • Updated lockfile to ensure resolved versions match the secure targets.

Apply code fixes

  • No code modifications were required. All vulnerabilities were resolved through dependency version updates alone.

Planned vs applied differences

  • The remediation proceeded as planned.

How Backline verified the fix

Local build

  • Result: Passed
  • Build command: pip install --dry-run completed successfully, confirming the upgraded version resolves cleanly without dependency conflicts.

Tests

  • Existing tests were not executed — no code changes were required beyond the package version upgrade itself.
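The newline injection the bot's comment describes, as an added example that is not GitPython's code and is not part of this PR: a toy config writer that interpolates its `section` argument unchecked, a minimal reader for the git-config format to show how git would see the result, and the same writer with the line-break check that the comment says 3.1.50 adds for `section` and `option`. All function names (`naive_write_entry`, `safe_write_entry`, `parse_git_config`), the payload and the hooks path are constructed for illustration.

```python
"""Added example (not GitPython's code): why an unvalidated section name in a
git-config writer lets an attacker forge a [core] hooksPath entry, and the
input check that closes it. All names here are hypothetical; the writer only
imitates the "[section]\\n\\tkey = value" layout of a git config file."""
import re

# Section header: "[name]" or "[name \"subsection\"]" (git config syntax, simplified).
SECTION_RE = re.compile(r'^\[([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]$')
# Option line: "key = value" (git keys are case-insensitive, so they are lower-cased below).
OPTION_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$")


def parse_git_config(text):
    """Minimal reader for the git-config format: {'section' or 'section.sub': {key: value}}."""
    config, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1).lower()
            current = f"{name}.{m.group(2)}" if m.group(2) is not None else name
            config.setdefault(current, {})
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            # Drop a trailing comment and surrounding quotes (simplified value handling).
            value = re.split(r"\s+[#;]", m.group(2), maxsplit=1)[0].strip().strip('"')
            config[current][m.group(1).lower()] = value
    return config


def naive_write_entry(section, option, value):
    """Toy writer that interpolates its arguments unchecked (the pre-fix behaviour the comment describes)."""
    return f"[{section}]\n\t{option} = {value}\n"


def check_config_token(kind, token):
    """Reject line breaks in a section, option or value: a CR or LF would start a new config line."""
    if "\n" in token or "\r" in token:
        raise ValueError(f"line break in config {kind}: {token!r}")
    return token


def safe_write_entry(section, option, value):
    """Same writer, but every token is checked; this is the shape of the fix, not GitPython's implementation."""
    for kind, token in (("section", section), ("option", option), ("value", value)):
        check_config_token(kind, token)
    return naive_write_entry(section, option, value)


# Constructed payload: closes the intended header, adds a forged [core] section with an
# attacker-controlled hooksPath, then opens a throw-away section to absorb the real option.
PAYLOAD_SECTION = 'remote "origin"]\n[core]\n\thooksPath = /tmp/attacker-hooks\n[leftover'


def forged_config():
    """Config text the unchecked writer produces for the payload."""
    return naive_write_entry(PAYLOAD_SECTION, "url", "https://example.invalid/repo.git")


def hardened_rejects_payload():
    """True if the checked writer refuses the same call."""
    try:
        safe_write_entry(PAYLOAD_SECTION, "url", "https://example.invalid/repo.git")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(forged_config())
    parsed = parse_git_config(forged_config())
    print("core.hooksPath as git would read it:", parsed["core"].get("hookspath"))
    print("hardened writer rejects payload:", hardened_rejects_payload())
```

Running the block prints the forged file: the `[remote "origin"]` header the caller asked for, then the injected `[core]` section carrying `hooksPath`, then the caller's `url` stranded under `[leftover]`. Rejecting CR and LF in every token is the minimum that stops the header forgery; a tighter check is to whitelist git's own section-name grammar (alphanumerics, `-` and `.`, with the subsection quoted), which also blocks a stray `]`.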
