Add Django 5.2.11, protobuf 5.29.6, h2 4.3.0, werkzeug 3.1.5 for security fixes #1896
+4
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
BYK
added a commit
to getsentry/sentry
that referenced
this pull request
Feb 10, 2026
Python: - Bump Django minimum to >=5.2.11 (3 HIGH SQL injection, 2 MEDIUM, 3 LOW) - Bump protobuf minimum to >=5.29.6 (HIGH: JSON recursion depth bypass) - Upgrade Werkzeug 3.0.6 -> 3.1.3 (MEDIUM: safe_join device name bypass) - Upgrade filelock 3.13.1 -> 3.20.3 (MEDIUM: TOCTOU race condition) Note: uv.lock will need re-locking once getsentry/pypi#1896 merges to make Django 5.2.11, protobuf 5.29.6, h2 4.3.0, and werkzeug 3.1.5 available on the Sentry PyPI mirror. Until then, werkzeug 3.1.3 and filelock 3.20.3 are the latest available versions on the mirror. npm: - Bump diff 8.0.2 -> 8.0.3 (LOW: DoS in parsePatch/applyPatch) - Add pnpm override for @isaacs/brace-expansion 5.0.1 (HIGH: ReDoS) - Add pnpm overrides for transitive diff@4.x -> 4.0.4, diff@5.x -> 5.2.2 - Add pnpm override for lodash >=4.17.23 in api-docs/ (MEDIUM: prototype pollution)
kddubey
approved these changes
Feb 10, 2026
BYK
added a commit
to getsentry/sentry
that referenced
this pull request
Feb 10, 2026
Python: - Bump Django minimum to >=5.2.11 (3 HIGH SQL injection, 2 MEDIUM, 3 LOW) - Bump protobuf minimum to >=5.29.6 (HIGH: JSON recursion depth bypass) - Upgrade Werkzeug 3.0.6 -> 3.1.3 (MEDIUM: safe_join device name bypass) - Upgrade filelock 3.13.1 -> 3.20.3 (MEDIUM: TOCTOU race condition) Note: uv.lock will need re-locking once getsentry/pypi#1896 merges to make Django 5.2.11, protobuf 5.29.6, h2 4.3.0, and werkzeug 3.1.5 available on the Sentry PyPI mirror. Until then, werkzeug 3.1.3 and filelock 3.20.3 are the latest available versions on the mirror. npm: - Bump diff 8.0.2 -> 8.0.3 (LOW: DoS in parsePatch/applyPatch) - Add pnpm override for @isaacs/brace-expansion 5.0.1 (HIGH: ReDoS) - Add pnpm overrides for transitive diff@4.x -> 4.0.4, diff@5.x -> 5.2.2 - Add pnpm override for lodash >=4.17.23 in api-docs/ (MEDIUM: prototype pollution)
BYK
added a commit
to getsentry/sentry
that referenced
this pull request
Feb 10, 2026
Python: - Bump Django minimum to >=5.2.11 (3 HIGH SQL injection, 2 MEDIUM, 3 LOW) - Bump protobuf minimum to >=5.29.6 (HIGH: JSON recursion depth bypass) - Upgrade Werkzeug 3.0.6 -> 3.1.3 (MEDIUM: safe_join device name bypass) - Upgrade filelock 3.13.1 -> 3.20.3 (MEDIUM: TOCTOU race condition) Note: uv.lock will need re-locking once getsentry/pypi#1896 merges to make Django 5.2.11, protobuf 5.29.6, h2 4.3.0, and werkzeug 3.1.5 available on the Sentry PyPI mirror. Until then, werkzeug 3.1.3 and filelock 3.20.3 are the latest available versions on the mirror. npm: - Bump diff 8.0.2 -> 8.0.3 (LOW: DoS in parsePatch/applyPatch) - Add pnpm override for @isaacs/brace-expansion 5.0.1 (HIGH: ReDoS) - Add pnpm overrides for transitive diff@4.x -> 4.0.4, diff@5.x -> 5.2.2 - Add pnpm override for lodash >=4.17.23 in api-docs/ (MEDIUM: prototype pollution)
BYK
added a commit
to getsentry/sentry
that referenced
this pull request
Feb 10, 2026
Python: - Bump Django minimum to >=5.2.11 (3 HIGH SQL injection, 2 MEDIUM, 3 LOW) - Bump protobuf minimum to >=5.29.6 (HIGH: JSON recursion depth bypass) - Upgrade Werkzeug 3.0.6 -> 3.1.3 (MEDIUM: safe_join device name bypass) - Upgrade filelock 3.13.1 -> 3.20.3 (MEDIUM: TOCTOU race condition) Note: uv.lock will need re-locking once getsentry/pypi#1896 merges to make Django 5.2.11, protobuf 5.29.6, h2 4.3.0, and werkzeug 3.1.5 available on the Sentry PyPI mirror. Until then, werkzeug 3.1.3 and filelock 3.20.3 are the latest available versions on the mirror. npm: - Bump diff 8.0.2 -> 8.0.3 (LOW: DoS in parsePatch/applyPatch) - Add pnpm override for @isaacs/brace-expansion 5.0.1 (HIGH: ReDoS) - Add pnpm overrides for transitive diff@4.x -> 4.0.4, diff@5.x -> 5.2.2 - Add pnpm override for lodash >=4.17.23 in api-docs/ (MEDIUM: prototype pollution)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Adds patched versions of 4 packages to the Sentry PyPI mirror to address Dependabot security alerts on
getsentry/sentry:This unblocks upgrading these dependencies in sentry's
pyproject.tomlanduv.lockto resolve 13 open Dependabot alerts (4 HIGH, 4 MEDIUM, 5 LOW).