
chore(deps): bump py7zr from 1.1.0 to 1.1.3 #290

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/uv/py7zr-1.1.3


Conversation

@dependabot dependabot Bot (Contributor) commented on behalf of github, Jun 20, 2026

Bumps py7zr from 1.1.0 to 1.1.3.

Release notes

Sourced from py7zr's releases.

Release version 1.1.3: Fix multiple vulnerabilities

  • CVE-2026-23879: Arbitrary File Write Vulnerability in py7zr (high severity)
    • Hardened the path traversal check and added test cases reproducing many attack scenarios.
  • CVE-2026-55206: O(n^2) algorithmic complexity DoS in PackInfo._read() in py7zr
    • Enforced a limit on the parameter's variation and optimized the calculation algorithm to prevent excessive CPU consumption.
  • CVE-2026-55195: py7zr <= 1.1.2: Decompression bomb (zip bomb) denial of service via unchecked extraction size
    • Added a check of the extraction size and introduced max_extract_size as a constructor parameter to guard against excessive decompression.

Update path sanitize

No release notes provided.

Changelog

Sourced from py7zr's changelog.

v1.1.3

Security

  • CVE-2026-23879: Arbitrary File Write Vulnerability in py7zr (high severity)
    • Hardened the path traversal check and added test cases reproducing many attack scenarios.
  • CVE-2026-55206: O(n^2) algorithmic complexity DoS in PackInfo._read() in py7zr
    • Enforced a limit on the parameter's variation and optimized the calculation algorithm to prevent excessive CPU consumption.
  • CVE-2026-55195: py7zr <= 1.1.2: Decompression bomb (zip bomb) denial of service via unchecked extraction size
    • Added a check of the extraction size and introduced max_extract_size as a constructor parameter to guard against excessive decompression.

Notes:

  • Fixed three security vulnerabilities in the py7zr library.
  • Improvements made include path traversal hardening, optimization of CPU-intensive algorithms, and protection against zip bombs.

Fixed

  • BufferError when calling Py7zBytesIO.size() (#736, #737)
  • fix: extractall() raises TypeError: int() argument must be a string, a bytes-like object or a real number, not 'NoneType' (#734, #735)

Changed

  • feat(io): add Py7zIO.close() lifecycle hook called once per extracted file (#699, #732)
  • test: Bump dependency libarchive@3.8.7
  • ci: bump numerous actions with SHA256 hash and newer versions (#729, #730)

v1.1.2

Security

  • security: fix Zip-Slip vulnerability by symlink

Removed

  • Remove Code of Conduct from repository.

Changed

  • remove unused _lzma imports

v1.1.1

Fixed

  • fix: default unix file attributes with proper permissions (#705)

... (truncated)

Commits
  • e278bc0 Release v1.1.3: Multiple security fixes
  • e4a225b docs: update authors and changelog with recent contributions and security fixes
  • 94db766 Merge commit from fork
  • d9ee25c Merge commit from fork
  • c1c8001 Merge commit from fork
  • 7e03185 Merge pull request #732 from SAY-5/feat/issue-699-py7zio-close
  • 2de71fb Merge pull request #735 from gaoflow/fix-734-missing-lastwritetime
  • f429952 Merge branch 'master' into fork/SAY-5/feat/issue-699-py7zio-close
  • b181a4b Merge branch 'master' into fork/gaoflow/fix-734-missing-lastwritetime
  • 1534b3f Merge pull request #737 from miurahr/topic/miurahr/fix-pypy-getbuffer
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 20, 2026
@dependabot dependabot Bot force-pushed the dependabot/uv/py7zr-1.1.3 branch 13 times, most recently from 31f4a2e to 23c5c60 Compare June 22, 2026 10:49
Bumps [py7zr](https://github.com/miurahr/py7zr) from 1.1.0 to 1.1.3.
- [Release notes](https://github.com/miurahr/py7zr/releases)
- [Changelog](https://github.com/miurahr/py7zr/blob/master/docs/Changelog.rst)
- [Commits](miurahr/py7zr@v1.1.0...v1.1.3)

---
updated-dependencies:
- dependency-name: py7zr
  dependency-version: 1.1.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/uv/py7zr-1.1.3 branch from 23c5c60 to 0adfab7 Compare June 22, 2026 12:22