chore(deps): bump mako from 1.3.0 to 1.3.12#312
Conversation
There was a problem hiding this comment.
LGTM, straightforward Dependabot patch bump of a transitive dev dependency (mako) in uv.lock only.
Extended reasoning...
Overview
This PR is a Dependabot-generated patch-version bump of mako from 1.3.0 to 1.3.12 in uv.lock. Only the lockfile is modified — pyproject.toml is untouched, and the change updates the version string, sdist/wheel URLs, and hashes for mako.
Security risks
None introduced by this PR. On the contrary, the upstream release notes show 1.3.11 and 1.3.12 contain fixes for path-traversal issues in TemplateLookup, so the bump moves to a more secure version. Mako is a transitive dependency (not a direct runtime dep of eyecite, which is a citation-extraction library) and isn't used to render untrusted templates here.
Level of scrutiny
Very low — this is a lockfile-only patch bump of a transitive dependency that doesn't touch any application code, configuration, or critical paths. No CODEOWNER-protected files are affected.
Other factors
The bug hunting system found no issues. There are no outstanding reviewer comments. The PR follows the standard Dependabot pattern used elsewhere in the repo.
Bumps [mako](https://github.com/sqlalchemy/mako) from 1.3.0 to 1.3.12. - [Release notes](https://github.com/sqlalchemy/mako/releases) - [Changelog](https://github.com/sqlalchemy/mako/blob/main/CHANGES) - [Commits](https://github.com/sqlalchemy/mako/commits) --- updated-dependencies: - dependency-name: mako dependency-version: 1.3.12 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
2387874 to
aa2b8b1
Compare
Bumps mako from 1.3.0 to 1.3.12.
Release notes
Sourced from mako's releases.
... (truncated)
Commits