[pull] main from modelcontextprotocol:main#324

Merged: pull[bot] merged 1 commit into threatcode:main from modelcontextprotocol:main on Jun 5, 2026



@pull pull Bot commented Jun 5, 2026

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

…#4283)

- git: gitpython >=3.1.45 -> >=3.1.50 (lock 3.1.49 -> 3.1.50)
  Fixes GHSA-mv93-w799-cj2w: newline injection in config_writer()
  bypasses the CVE-2026-42215 patch, enabling RCE via core.hooksPath.
- fetch: urllib3 2.6.3 -> 2.7.0 (transitive via requests)
  Fixes GHSA-qccp-gfcp-xxvc (sensitive headers forwarded across origins
  on proxied redirects) and GHSA-mf9v-mfxr-j63j (decompression-bomb
  safeguards bypassed in the streaming API).

Resolves Dependabot alerts #129, #131, #132.
Tests pass (fetch: 20 passed; git: all test bodies pass, only
pre-existing Windows tmpdir-teardown errors remain).

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@pull pull Bot locked and limited conversation to collaborators Jun 5, 2026
@pull pull Bot added the ⤵️ pull label Jun 5, 2026
@pull pull Bot merged commit f5054df into threatcode:main Jun 5, 2026
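
A lock-file check for the version floors named in the commit message, added here as an example (not code from this PR or the upstream project). It assumes a uv.lock-style TOML layout with `[[package]]` tables; `FLOORS`, `locked_versions` and `audit` are illustrative names, and the sample lock text is constructed.

```python
import re
# Fixed-version floors and advisory IDs, as stated in the commit message.
FLOORS = {
    "gitpython": ((3, 1, 50), ["GHSA-mv93-w799-cj2w"]),
    "urllib3": ((2, 7, 0), ["GHSA-qccp-gfcp-xxvc", "GHSA-mf9v-mfxr-j63j"]),
}
FIELD = re.compile(r'^(name|version)\s*=\s*"([^"]+)"$')
# Constructed sample (not the repository's real lock file): pre-bump pins.
SAMPLE_LOCK = """
[[package]]
name = "GitPython"
version = "3.1.49"
dependencies = [
    { name = "gitdb" },
]

[[package]]
name = "urllib3"
version = "2.6.3"
"""

def locked_versions(lock_text):
    """Map normalized package name -> version for each [[package]] table."""
    packages, current = {}, None
    for line in (raw.strip() for raw in lock_text.splitlines()):
        if line.startswith("["):
            # A new [[package]] table starts a record; any other table ends it.
            current = {} if line == "[[package]]" else None
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
            if len(current) == 2:
                name = re.sub(r"[-_.]+", "-", current["name"]).lower()  # PEP 503
                packages[name] = current["version"]
    return packages

def audit(lock_text):
    """Return sorted (name, locked, floor, advisories) for pins below the floor."""
    findings = []
    for name, locked in locked_versions(lock_text).items():
        if name in FLOORS:
            floor, advisories = FLOORS[name]
            # Numeric release segment only; pre-release tags ignored (assumption).
            have = tuple(int(p) for p in re.match(r"\d+(\.\d+)*", locked).group(0).split("."))
            have += (0,) * (len(floor) - len(have))
            if have < floor:
                findings.append((name, locked, ".".join(map(str, floor)), advisories))
    return sorted(findings)
```

Because urllib3 is pulled in transitively via requests, auditing the resolved lock file rather than the declared dependencies is what catches a stale pin.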