Bump pygments to 2.20.0 in lockfile (ReDoS fix)#628

Merged
jhamon merged 1 commit into main from jhamon/bump-pygments-2.20.0
Apr 1, 2026

Conversation

Collaborator

@jhamon jhamon commented Apr 1, 2026

Summary

  • Bumps transitive pygments from 2.19.2 to 2.20.0 in uv.lock
  • Fixes ReDoS vulnerability due to inefficient regex for GUID matching
  • Dev-only dependency (via sphinx), lockfile-only change
  • Resolves Dependabot alert #63

Test plan

  • Lockfile-only change, no code or dependency spec changes

Note

Low Risk
Lockfile-only change updating the resolved pygments artifact URLs/hashes; minimal runtime risk unless downstream tooling relies on the previous transitive version.

Overview
Updates the uv.lock resolution for transitive dependency pygments from 2.19.2 to 2.20.0, including the associated sdist/wheel URLs, hashes, and metadata (security patch release).

No application code or dependency specifications are changed—this PR only alters the lockfile resolution.

Written by Cursor Bugbot for commit d1fb488.

pygments < 2.20.0 has a ReDoS vulnerability in GUID matching regex.
It's a transitive dev-only dependency via sphinx. Lockfile-only change.
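A post-merge check for a change like this one: parse the lockfile and confirm that the transitive package is actually resolved at or above the patched version. This is an added example, not code from the PR or the project, and the embedded uv.lock text is a constructed sample in uv.lock's TOML layout (the real lockfile carries more fields per package).

```python
# Added example (not the PR's or project's code): confirm a uv.lock resolves
# a transitive package at or above a patched version. SAMPLE_UV_LOCK is a
# constructed sample in uv.lock's TOML layout, not the repository's lockfile.
import re

SAMPLE_UV_LOCK = """
version = 1

[[package]]
name = "pygments"
version = "2.20.0"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "sphinx"
version = "7.2.6"
dependencies = [
    { name = "pygments" },
]
"""

PACKAGE_HEADER = re.compile(r"^\[\[package\]\]$")
KEY_VALUE = re.compile(r'^(name|version)\s*=\s*"([^"]*)"$')


def parse_uv_lock(text):
    """Return {package name: version} from the [[package]] tables of a uv.lock."""
    packages, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if PACKAGE_HEADER.match(line):
            current = {}  # start collecting keys for a new package table
        elif current is not None and (m := KEY_VALUE.match(line)):
            current[m.group(1)] = m.group(2)
            if "name" in current and "version" in current:
                packages[current["name"].lower()] = current["version"]
    return packages


def version_tuple(v):
    """Numeric release segments only; a pre-release suffix such as rc1 is ignored."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", v).group(0).split("."))


def meets_minimum(packages, name, minimum):
    """True if `name` is locked at `minimum` or newer, None if it is not locked."""
    locked = packages.get(name.lower())
    return None if locked is None else version_tuple(locked) >= version_tuple(minimum)
```

Run `meets_minimum(parse_uv_lock(open("uv.lock").read()), "pygments", "2.20.0")` against the real lockfile; a `None` result means the package is no longer resolved at all, which is worth confirming separately rather than treating as a pass.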
@jhamon jhamon merged commit f9ab85c into main Apr 1, 2026
75 checks passed
@jhamon jhamon deleted the jhamon/bump-pygments-2.20.0 branch April 1, 2026 20:20
