chore(deps): bump pygments 2.19.2 → 2.20.0 (GHSA-5239-wwwm-4pmq, ReDoS)#82
Closes Dependabot alert #3 on cmeans/mcp-synology. Pygments < 2.20.0 has an inefficient regex for GUID matching that can be triggered into ReDoS by crafted input; severity Low. Pygments is a transitive dev-dep via pytest 9.0.3 (test suite uses it for syntax-highlighting traceback output). Runtime is unaffected. Bumped via `uv lock --upgrade-package pygments`. Only uv.lock changed; no pyproject.toml constraint adjustment needed because pytest doesn't pin Pygments to an upper bound.

Verification on the bumped lockfile:
- uv run pytest: 554 passed, 100 deselected, 96.13% coverage
- uv run ruff check src/ tests/ scripts/: clean
- uv run mypy src/ scripts/: clean

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
cmeans left a comment
QA Round 1 — PASS
Tight, well-scoped Pygments security bump. Closes Dependabot alert #3 / GHSA-5239-wwwm-4pmq.
Independent advisory verification
| Field | Claim | Verified via `gh api /advisories/GHSA-5239-wwwm-4pmq` |
|---|---|---|
| Summary | "Inefficient regex for GUID matching → ReDoS" | Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching ✓ |
| Severity | Low | low ✓ |
| Vulnerable range | < 2.20.0 | < 2.20.0 ✓ |
| First patched | 2.20.0 | 2.20.0 ✓ |
| Ecosystem | pip / Python | pip ✓ |
Scope check
`grep -rn pygments src/ scripts/ pyproject.toml` returned zero hits — confirms Pygments is NOT used by any production or release-tooling code. The PR's "runtime is unaffected — production never imports Pygments" claim is accurate. `uv.lock` shows the package landing as a transitive dep under pytest (the `{ name = "pygments" }` line appears in pytest's dependency block). PR's "transitive dev-dep via pytest 9.0.3" claim verified. `pyproject.toml` doesn't reference Pygments — no constraint adjustment needed, matching the PR's claim.
Diff sanity
| File | Change |
|---|---|
| `uv.lock` | Pygments 2.19.2 → 2.20.0; sdist + wheel hashes updated; upload-time on new wheel 2026-03-29T13:29:30Z (published before this scan window). No collateral entries touched. |
| `CHANGELOG.md` | One new line under `## Unreleased` → `### Fixed`. References the advisory, the dependabot alert, the dev-only scope. |
Verification
| Check | Result |
|---|---|
| `uv run pytest` | 554 passed, 100 deselected, 96.13% coverage on the bumped lockfile |
| `uv run ruff check src/ tests/ scripts/` | clean |
| `uv run ruff format --check src/ tests/ scripts/` | 72 files already formatted |
| `uv run mypy src/ scripts/` | clean (30 files, strict-mode) |
| Required CI on 84402b59 | 13/13 green (vdsm completed SUCCESS) |
PR-body manual tests 1–6 all checked. (#6 is post-merge — Dependabot alert auto-close monitors uv.lock and matches < 2.20.0, so it should close on merge.)
Verdict
Ready for QA Signoff. Final maintainer call.
Applying Ready for QA Signoff as the final act of round 1. Pygments 2.19.2 → 2.20.0 to clear GHSA-5239-wwwm-4pmq (Low-severity ReDoS); advisory verified via
## Summary

Cuts v0.5.2, shipping six PRs that landed since v0.5.1 (2026-05-01):

- **#79** mcp-publisher v1.5.0 → v1.7.6 (registry OIDC audience fix)
- **#80** keyring exception handler narrowing (closes #38)
- **#81** bg update-check executor timeout + log (closes #39)
- **#82** pygments 2.19.2 → 2.20.0 (GHSA-5239-wwwm-4pmq, ReDoS)
- **#83** `--revert` version-string validation (closes #40)
- **#85** per-path serial for `move_files` + `copy_files` (closes #84)

## Why now

Two recent bug fixes (#83, #85) are user-visible enough to warrant shipping, and #84 in particular is a confusing silent-no-op regression on multi-file moves — getting that to PyPI promptly matters. The four post-0.5.1 quality fixes (#79–#82) are stacked behind it.

This release also exercises **#79's mcp-publisher v1.7.6 pin end-to-end** so the registry can catch up to current. v0.5.1's registry entry is missing because #79 landed AFTER the v0.5.1 tag-push, and `actions/checkout@v6` resolved to the tag's commit on re-runs of the failed `publish-registry` job — the fix wasn't picked up. The v0.5.2 tag will pull the correct pin from main.

## State after merge

Bug-labeled issue queue is empty. The structural multi-path-serial fix family (delete + getinfo + move + copy + restore) is now complete on real DSM 7.x — every File Station write tool that takes a `paths: list[str]` issues one DSM task per path, sidestepping the comma-joined-multipath quirk that #68 and #84 each surfaced.

## Files changed

- `pyproject.toml` — version 0.5.1 → 0.5.2
- `server.json` — auto-synced via `python scripts/sync-server-json.py`
- `uv.lock` — refreshed via `uv lock`
- `CHANGELOG.md` — `## Unreleased` (with the six entries above) renamed to `## 0.5.2 (2026-05-01)`, fresh empty `## Unreleased` inserted above it for the next cycle

## Test plan

- [x] CI green on this branch (lint, typecheck, test 3.11/3.12/3.13, vdsm integration tests, version-sync, validate-server-json)
- [ ] After merge: tag `v0.5.2` push fires `publish.yml`; PyPI publish succeeds
- [ ] After merge: `publish-registry` job succeeds end-to-end (this is the validation point for #79's fix — the failure mode in v0.5.1 was `invalid audience: expected https://registry.modelcontextprotocol.io, got [mcp-registry]`)
- [ ] After tag: `mcp-synology --check-update` from a v0.5.1 install reports v0.5.2 available; `uv tool install mcp-synology@latest` upgrades cleanly
- [ ] Smoke (post-install): two-file `move_files` actually moves both files (the #84 regression scenario)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: cmeans-claude-dev[bot] <272174644+cmeans-claude-dev[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Closes Dependabot alert #3. Pygments < 2.20.0 has an inefficient regex for GUID matching that can be triggered into ReDoS by crafted input — GHSA-5239-wwwm-4pmq (severity Low, patched in 2.20.0).
Scope
Pygments is a transitive dev-dep via `pytest` 9.0.3 (the test suite uses Pygments for syntax-highlighting traceback output). Runtime is unaffected — production never imports Pygments. Bumped via `uv lock --upgrade-package pygments`. Only `uv.lock` changed; `pyproject.toml` did not need an adjustment because `pytest` doesn't pin Pygments to an upper bound.

Diff at a glance
```diff
[[package]]
name = "pygments"
-version = "2.19.2"
+version = "2.20.0"
```
Plus the corresponding sdist + wheel hash updates in `uv.lock` and a one-line CHANGELOG entry.

QA
Manual tests

- `uv run pytest` — 554 passed at 96.13% coverage.
- `uv run ruff check src/ tests/ scripts/` — clean.
- `uv run ruff format --check src/ tests/ scripts/` — clean.
- `uv run mypy src/ scripts/` — clean (30 files, strict-mode).
- `grep -A 2 "name = \"pygments\"" uv.lock` — version is now `2.20.0`.
- `uv.lock` per the repo's Dependabot config and matches the patched range).

Verification I already ran

- `uv run pytest`
- `uv run ruff check src/ tests/ scripts/`
- `uv run mypy src/ scripts/`
- `< 2.20.0`, first_patched_version = `2.20.0` (matches the bump)

🤖 Generated with Claude Code