Commit ea9b8d9
fix(deps): bump pygments lower bound to >=2.20.0 for CVE-2026-4539 [PYSDK-106]
Re-adds the `pygments>=2.20.0` lower bound to `[project].dependencies`
transitive overrides in pyproject.toml. The bound was deliberately
removed in PYSDK-104 (PR #592) to give the daily audit-vulnerabilities
routine a real gap to remediate; this PR closes that gap.
The locked version in uv.lock (pygments 2.20.0) already protects our
dev/CI env from CVE-2026-4539 (Pygments AdlLexer ReDoS, CVSS 4.8 Medium).
This PR closes the remaining downstream-consumer gap so a fresh
`pip install aignostics` / `uv add aignostics` / `uvx aignostics` cannot
resolve `pygments<2.20.0` transitively via rich.
The new lower bound (>=2.20.0) is <= the currently-locked version
(2.20.0), so no dependency is upgraded — uv.lock diff is metadata-only
(adds the new specifier and the dependency edge); no [[package]]
version block changed.
Resolves PYSDK-106.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>1 parent eefed58 commit ea9b8d9
2 files changed
Lines changed: 3 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
138 | 138 | | |
139 | 139 | | |
140 | 140 | | |
| 141 | + | |
141 | 142 | | |
142 | 143 | | |
143 | 144 | | |
| |||
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
0 commit comments