deps(deps): Bump the python-patch group across 1 directory with 3 updates #9

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/python-patch-ab35549065

Conversation

dependabot Bot commented on behalf of github Jul 1, 2026

Bumps the python-patch group with 3 updates in the / directory: striprtf, rapidfuzz and py7zr.

Updates striprtf from 0.0.29 to 0.0.32

Release notes

Sourced from striprtf's releases.

new release v0.0.32

No release notes provided.

new release

Fixes #66

new release

Fixed joshy/striprtf#63

Changelog

Sourced from striprtf's changelog.

v0.0.32 - 27.04.206

  • Wrong _version file

v0.0.31 - 23.04.206

  • Accidentally added twine as runtime dependency

v0.0.30 - 23.04.206

Commits

Updates rapidfuzz from 3.14.3 to 3.14.5

Release notes

Sourced from rapidfuzz's releases.

Release 3.14.5

Fixed

  • fix release ci attempting to upload a pyodide wheel

Release 3.14.4

Added

  • add risc64 wheels
  • add support for taskflow 4.0.0

Changed

  • upgrade to Cython==3.2.4.

Fixed

  • fix type hints for extractOne when no score_cutoff is provided

Changelog

Sourced from rapidfuzz's changelog.

Changelog

[3.14.5] - 2026-08-07
^^^^^^^^^^^^^^^^^^^^^
Fixed

* fix release ci attempting to upload a pyodide wheel

[3.14.4] - 2026-04-06
^^^^^^^^^^^^^^^^^^^^^
Added

* add risc64 wheels
* add support for taskflow 4.0.0

Changed

* upgrade to ``Cython==3.2.4``.

Fixed

* fix type hints for extractOne when no score_cutoff is provided

[3.14.3] - 2025-11-01
^^^^^^^^^^^^^^^^^^^^^
Fixed

* add missing pypy and freethreaded linux wheels

Removed

* drop s390x and ppc64le wheels since they are virtually unused and require extremely long to build under emulation

[3.14.2] - 2025-10-30
^^^^^^^^^^^^^^^^^^^^^
Changed

* upgrade to ``Cython==3.1.6``
* enable free threading

[3.14.1] - 2025-09-08
^^^^^^^^^^^^^^^^^^^^^
Fixed

* Fully disable line tracing in release builds

[3.14.0] - 2025-08-27
^^^^^^^^^^^^^^^^^^^^^
Changed

... (truncated)

Commits
  • edf9f3c fix release ci
  • 3d8470b enable verbose publish
  • 7fd4ee2 Bump the github-actions group across 1 directory with 3 updates
  • 9691cf1 tag release
  • fd16748 ci: switch riscv64 from QEMU to native RISE runner
  • 7f7d58b ci: add riscv64 wheel builds via QEMU
  • f4b5694 Bump pypa/cibuildwheel from 3.3.1 to 3.4.0 in the github-actions group
  • f2873ce Bump the github-actions group across 1 directory with 3 updates
  • 4e48509 support Taskflow 4.0.0
  • 7048039 Bump the github-actions group across 1 directory with 4 updates
  • Additional commits viewable in compare view

Updates py7zr from 1.1.0 to 1.1.3

Release notes

Sourced from py7zr's releases.

Release version 1.1.3: Fix multiple vulnerabilities

  • CVE-2026-23879: Arbitrary File Write Vulnerability in py7zr (high severity)
    • Harden check of path traversal and enhance test cases to reproduce many attack scenarios.
  • CVE-2026-55206: O(n^2) algorithmic complexity DoS in PackInfo._read() in py7zr
    • Enforced variation of the parameter with a limit and optimized calculation algorithm to prevent excessive CPU consumption.
  • CVE-2026-55195: py7zr <= 1.1.2: Decompression bomb (zip bomb) denial of service via unchecked extraction size
    • Added check of extraction size and introduced max_extract_size as constructor parameter to guard against excessive decompression.

Update path sanitize

No release notes provided.

Changelog

Sourced from py7zr's changelog.

v1.1.3

Security

  • CVE-2026-23879: Arbitrary File Write Vulnerability in py7zr (high severity)
    • Harden check of path traversal and enhance test cases to reproduce many attack scenarios.
  • CVE-2026-55206: O(n^2) algorithmic complexity DoS in PackInfo._read() in py7zr
    • Enforced variation of the parameter with a limit and optimized calculation algorithm to prevent excessive CPU consumption.
  • CVE-2026-55195: py7zr <= 1.1.2: Decompression bomb (zip bomb) denial of service via unchecked extraction size
    • Added check of extraction size and introduced max_extract_size as constructor parameter to guard against excessive decompression.

Notes:

  • Fixed three security vulnerabilities in the py7zr library.
  • Improvements made include path traversal hardening, optimization of CPU-intensive algorithms, and protection against zip bombs.

Fixed

  • BufferError when calling Py7zBytesIO.size() (#736,#737)
  • fix: extractall() raises TypeError: int() argument must be a string, a bytes-like object or a real number, not 'NoneType' (#734,#735)

Changed

  • feat(io): add Py7zIO.close() lifecycle hook called once per extracted file (#699,#732)
  • test: Bump dependency libarchive@3.8.7
  • ci: bump numerous actions with SHA256 hash and newer versions (#729,#730)

v1.1.2

Security

  • security: fix Zip-Slip vulnerability by symlink

Removed

  • Remove Code of Conduct from repository.

Changed

  • remove unused _lzma imports

v1.1.1

Fixed

  • fix: default unix file attributes with proper permissions (#705)

... (truncated)

Commits
  • e278bc0 Release v1.1.3: Multiple security fixes
  • e4a225b docs: update authors and changelog with recent contributions and security fixes
  • 94db766 Merge commit from fork
  • d9ee25c Merge commit from fork
  • c1c8001 Merge commit from fork
  • 7e03185 Merge pull request #732 from SAY-5/feat/issue-699-py7zio-close
  • 2de71fb Merge pull request #735 from gaoflow/fix-734-missing-lastwritetime
  • f429952 Merge branch 'master' into fork/SAY-5/feat/issue-699-py7zio-close
  • b181a4b Merge branch 'master' into fork/gaoflow/fix-734-missing-lastwritetime
  • 1534b3f Merge pull request #737 from miurahr/topic/miurahr/fix-pypy-getbuffer
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


…ates

Bumps the python-patch group with 3 updates in the / directory: [striprtf](https://github.com/joshy/striprtf), [rapidfuzz](https://github.com/rapidfuzz/RapidFuzz) and [py7zr](https://github.com/miurahr/py7zr).


Updates `striprtf` from 0.0.29 to 0.0.32
- [Release notes](https://github.com/joshy/striprtf/releases)
- [Changelog](https://github.com/joshy/striprtf/blob/master/CHANGELOG.md)
- [Commits](joshy/striprtf@v0.0.29...v0.0.32)

Updates `rapidfuzz` from 3.14.3 to 3.14.5
- [Release notes](https://github.com/rapidfuzz/RapidFuzz/releases)
- [Changelog](https://github.com/rapidfuzz/RapidFuzz/blob/main/CHANGELOG.rst)
- [Commits](rapidfuzz/RapidFuzz@v3.14.3...v3.14.5)

Updates `py7zr` from 1.1.0 to 1.1.3
- [Release notes](https://github.com/miurahr/py7zr/releases)
- [Changelog](https://github.com/miurahr/py7zr/blob/master/docs/Changelog.rst)
- [Commits](miurahr/py7zr@v1.1.0...v1.1.3)

---
updated-dependencies:
- dependency-name: striprtf
  dependency-version: 0.0.32
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-patch
- dependency-name: rapidfuzz
  dependency-version: 3.14.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-patch
- dependency-name: py7zr
  dependency-version: 1.1.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github Jul 1, 2026


Labels

The following labels could not be found: dependencies, python. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.
