fix: loosen pygments dependency to >=2.16 to allow CVE-2026-4539 fix #338
Open
einarwar wants to merge 1 commit into backstage:main from
Conversation
Move pygments from an exact pin to a range constraint in the peer dependencies section. This allows downstream projects to upgrade to pygments 2.20.0+ which fixes CVE-2026-4539. The lower bound of >=2.16 matches mkdocs-material's own requirement. Fixes backstage#334
Summary

Moves pygments from an exact pin (==2.19.2) to a range constraint (>=2.16) in the peer dependencies section of requirements.txt.

Motivation

pygments 2.20.0 was released to fix CVE-2026-4539. The previous exact pin prevented downstream projects from upgrading to the patched release, causing pip-audit to flag the vulnerability with no available workaround.

Changes

- Moved pygments from the "direct dependencies" section (exact pin) to the "peer dependencies" section (range), consistent with how mkdocs and Markdown are already handled.
- >=2.16 matches mkdocs-material's own requirement for pygments.
- pygments is not directly imported by techdocs-core — it's a transitive dependency of mkdocs-material (hard dep) and pymdown-extensions (optional extra). A range constraint is more appropriate than an exact pin.

Fixes #334
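As an added example (not code from the techdocs-core project and not part of this PR), the following small checker models the change discussed above: the exact pin `pygments==2.19.2` beside the range constraint `pygments>=2.16`, each evaluated against the release the PR names as carrying the CVE fix (2.20.0). The two requirements texts are constructed for the example, and the `mkdocs>=1.5` line in them is a placeholder rather than the project's real constraint. The checker implements only the simple comparison operators and needs no third-party library.

```python
"""Check whether a requirements constraint can admit a patched release.

Added example, not the techdocs-core project's own code. It contrasts an
exact pin with a range constraint and reports whether each one lets a
downstream project install the release that carries a security fix.
Only the operators ==, !=, <, <=, >, >= are handled.
"""
import re
from typing import List, Tuple

# Constructed sample: the "before" form, with pygments pinned exactly.
REQUIREMENTS_BEFORE = """\
# direct dependencies
pygments==2.19.2
# peer dependencies
mkdocs>=1.5
"""

# Constructed sample: the "after" form, with pygments as a peer range.
REQUIREMENTS_AFTER = """\
# direct dependencies
# peer dependencies
mkdocs>=1.5
pygments>=2.16
"""

# Release named in the PR description as fixing CVE-2026-4539.
PATCHED_PYGMENTS = "2.20.0"

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*?)\s*$")
_SPEC_RE = re.compile(r"(==|!=|<=|>=|<|>)\s*([0-9][0-9A-Za-z.]*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.20.0' into (2, 20, 0); a non-numeric tail ends the parse."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare two version tuples, padding the shorter one with zeros."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def satisfies(version: str, specifier: str) -> bool:
    """True if `version` meets every clause of a comma-separated specifier."""
    v = parse_version(version)
    for op, target in _SPEC_RE.findall(specifier):
        c = _cmp(v, parse_version(target))
        ok = {"==": c == 0, "!=": c != 0, "<": c < 0,
              "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]
        if not ok:
            return False
    return True


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (package, specifier) pairs, skipping comments and blank lines."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if m:
            out.append((m.group(1).lower(), m.group(2)))
    return out


def blocked_fixes(text: str, package: str, patched: str) -> bool:
    """True if the constraint on `package` in `text` cannot admit `patched`."""
    for name, spec in parse_requirements(text):
        if name == package.lower() and not satisfies(patched, spec):
            return True
    return False


if __name__ == "__main__":
    for label, text in (("before", REQUIREMENTS_BEFORE), ("after", REQUIREMENTS_AFTER)):
        blocked = blocked_fixes(text, "pygments", PATCHED_PYGMENTS)
        print(f"{label}: patched pygments {PATCHED_PYGMENTS} "
              f"{'blocked' if blocked else 'allowed'}")
```

The same check is useful beyond this one package: run it over any requirements file with the patched version reported by a scanner such as pip-audit, and every exact pin that returns `True` is a place where downstream projects cannot take the fix without a change to the file.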