deps: update dependency zipp to v3.19.1 [security] - abandoned #689

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate-bot wants to merge 2 commits into googleapis:main from renovate-bot:renovate/pypi-zipp-vulnerability

Contributor

renovate-bot commented Jul 9, 2024

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
zipp	`==3.6.0` -> `==3.19.1`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-5569

A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the Path module in both zipp and zipfile, such as joinpath, the overloaded division operator, and iterdir. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.

Release Notes

jaraco/zipp (zipp)

`v3.19.1`

`v3.19.0`

`v3.18.2`

`v3.18.1`

`v3.18.0`

`v3.17.0`

`v3.16.2`

`v3.16.1`

`v3.16.0`

`v3.15.0`

`v3.14.0`

`v3.13.0`

`v3.12.1`

`v3.12.0`

`v3.11.0`

`v3.10.0`

`v3.9.1`

`v3.9.0`

`v3.8.1`

`v3.8.0`

`v3.7.0`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          deps: update dependency zipp to v3.19.1 [security]

f2b80c3

renovate-bot requested review from a team as code owners

July 9, 2024 19:44

product-auto-label bot added the size: xs label

trusted-contributions-gcf bot added kokoro:force-run owlbot:run labels

product-auto-label bot added the api: pubsublite label

gcf-owl-bot bot removed the owlbot:run label


          🦉 Updates from OwlBot post-processor

4d26354

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

product-auto-label bot added size: u and removed size: xs labels

trusted-contributions-gcf bot added the owlbot:run label

gcf-owl-bot bot removed the owlbot:run label

yoshi-kokoro removed the kokoro:force-run label

forking-renovate bot commented Jul 9, 2024

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

renovate-bot changed the title ~~deps: update dependency zipp to v3.19.1 [security]~~ deps: update dependency zipp to v3.19.1 [security] - abandoned

forking-renovate bot commented Jun 6, 2025

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

api: pubsublite size: u