Skip to content

Comments

[CU-86b4umhm1] Update dependency pip to v26 [SECURITY]#126

Open
dnastack-renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-pip-vulnerability
Open

[CU-86b4umhm1] Update dependency pip to v26 [SECURITY]#126
dnastack-renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-pip-vulnerability

Conversation

@dnastack-renovate
Copy link
Contributor

@dnastack-renovate dnastack-renovate bot commented Oct 25, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
pip (changelog) 25.2 -> 26.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-8869

When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice.

CVE-2026-1703

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

pip's fallback tar extraction doesn't check symbolic links point to extraction directory

BIT-pip-2025-8869 / CVE-2025-8869 / GHSA-4xh5-x5gv-qwph

More information

Details

When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

pip Path Traversal vulnerability

BIT-pip-2026-1703 / CVE-2026-1703 / GHSA-6vgw-5pg2-w6jp

More information

Details

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

Severity

  • CVSS Score: 2.0 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

pypa/pip (pip)

v26.0

Compare Source

v25.3

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@platform-automation-dnastack
Copy link

platform-automation-dnastack commented Oct 25, 2025

Task linked: CU-86b4umhm1 Setup Renovate server and introduce it to wallet

@github-actions
Copy link

github-actions bot commented Oct 25, 2025
edited
Loading

☂️ Python Coverage

current status: ✅

Overall Coverage

Lines Covered Coverage Threshold Status
10675 5949 56% 30% 🟢

New Files

No new covered files...

Modified Files

No covered modified files...

updated for commit: c49bf70 by action🐍

@dnastack-renovate dnastack-renovate bot force-pushed the renovate/pypi-pip-vulnerability branch from 61af616 to 82360fc Compare October 28, 2025 20:45
@dnastack-renovate dnastack-renovate bot force-pushed the renovate/pypi-pip-vulnerability branch from 82360fc to 86033c4 Compare November 4, 2025 21:33
@dnastack-renovate dnastack-renovate bot force-pushed the renovate/pypi-pip-vulnerability branch from 86033c4 to 3cdf3be Compare November 12, 2025 00:39
@dnastack-renovate dnastack-renovate bot force-pushed the renovate/pypi-pip-vulnerability branch from 3cdf3be to 50ce82d Compare December 8, 2025 20:27
@dnastack-renovate dnastack-renovate bot force-pushed the renovate/pypi-pip-vulnerability branch from 50ce82d to ce21119 Compare January 27, 2026 20:39
@codecov-commenter
Copy link

codecov-commenter commented Jan 27, 2026

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@dc43f13). Learn more about missing BASE report.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #126   +/-   ##
=======================================
  Coverage        ?   55.02%           
=======================================
  Files           ?      170           
  Lines           ?    10451           
  Branches        ?        0           
=======================================
  Hits            ?     5751           
  Misses          ?     4700           
  Partials        ?        0
Flag Coverage Δ
unittests 55.02% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@dnastack-renovate dnastack-renovate bot force-pushed the renovate/pypi-pip-vulnerability branch 5 times, most recently from d672043 to 4c82353 Compare January 31, 2026 02:31
@dnastack-renovate dnastack-renovate bot changed the title [CU-86b4umhm1] Update dependency pip to v25.3 [SECURITY] [CU-86b4umhm1] Update dependency pip to v26 [SECURITY] Feb 2, 2026
@dnastack-renovate dnastack-renovate bot force-pushed the renovate/pypi-pip-vulnerability branch 4 times, most recently from 7d5f1a0 to 4fbeac0 Compare February 10, 2026 19:30
@dnastack-renovate dnastack-renovate bot force-pushed the renovate/pypi-pip-vulnerability branch from 4fbeac0 to c49bf70 Compare February 23, 2026 23:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

renovate-security

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@platform-automation-dnastack @codecov-commenter