Skip to content

chore(deps): bump mako from 1.3.0 to 1.3.12#312

Merged
mlissner merged 1 commit into
mainfrom
dependabot/uv/mako-1.3.12
Jun 22, 2026
Merged

chore(deps): bump mako from 1.3.0 to 1.3.12#312
mlissner merged 1 commit into
mainfrom
dependabot/uv/mako-1.3.12

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps mako from 1.3.0 to 1.3.12.

Release notes

Sourced from mako's releases.

1.3.12

Released: Tue Apr 28 2026

bug

  • [bug] [template] Fixed issue in TemplateLookup where a URI with backslash path separators (e.g. \..\secret.txt) could bypass the directory traversal check on Windows, allowing reads of arbitrary files outside of the template directory. Backslash characters in URIs are now normalized to forward slashes before path resolution.

    References: #435

1.3.11

Released: Tue Apr 14 2026

bug

  • [bug] [template] Fixed issue in TemplateLookup where a URI with a double-slash prefix (e.g. //../../) could bypass the directory traversal check in Template, allowing reads of arbitrary files outside of the template directory. The issue was caused by an inconsistency in how leading slashes were stripped between TemplateLookup.get_template() and Template initialization.

    References: #434

1.3.10

Released: Thu Apr 10 2025

bug

  • [bug] [lexer] Fix undefined variable errors when strict_undefined=True when using a nested list comprehension. Pull request courtesy Sébastien Granjoux.

    References: #418

1.3.9

Released: Tue Feb 4 2025

bug

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 22, 2026

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, straightforward Dependabot patch bump of a transitive dev dependency (mako) in uv.lock only.

Extended reasoning...

Overview

This PR is a Dependabot-generated patch-version bump of mako from 1.3.0 to 1.3.12 in uv.lock. Only the lockfile is modified — pyproject.toml is untouched, and the change updates the version string, sdist/wheel URLs, and hashes for mako.

Security risks

None introduced by this PR. On the contrary, the upstream release notes show 1.3.11 and 1.3.12 contain fixes for path-traversal issues in TemplateLookup, so the bump moves to a more secure version. Mako is a transitive dependency (not a direct runtime dep of eyecite, which is a citation-extraction library) and isn't used to render untrusted templates here.

Level of scrutiny

Very low — this is a lockfile-only patch bump of a transitive dependency that doesn't touch any application code, configuration, or critical paths. No CODEOWNER-protected files are affected.

Other factors

The bug hunting system found no issues. There are no outstanding reviewer comments. The PR follows the standard Dependabot pattern used elsewhere in the repo.

Bumps [mako](https://github.com/sqlalchemy/mako) from 1.3.0 to 1.3.12.
- [Release notes](https://github.com/sqlalchemy/mako/releases)
- [Changelog](https://github.com/sqlalchemy/mako/blob/main/CHANGES)
- [Commits](https://github.com/sqlalchemy/mako/commits)

---
updated-dependencies:
- dependency-name: mako
  dependency-version: 1.3.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/uv/mako-1.3.12 branch from 2387874 to aa2b8b1 Compare June 22, 2026 18:55
@mlissner
mlissner merged commit 599ce2c into main Jun 22, 2026
6 of 8 checks passed
@mlissner
mlissner deleted the dependabot/uv/mako-1.3.12 branch June 22, 2026 18:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant