Source: GitHub Dependabot alert #3 — `Pygments < 2.20.0` in `uv.lock`.
Advisory: GHSA-5239-wwwm-4pmq / CVE-2026-4539 — ReDoS via inefficient regex in `AdlLexer` (pygments/lexers/archetype.py).
Severity: LOW (CVSS 3.1 = 3.3, `AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L`). Fixed in: Pygments 2.20.0.
Exposure assessment. Pygments in Untether is a transitive dependency via the mkdocs/docs pipeline (and is used by structlog for ConsoleRenderer). The `AdlLexer` (archetype language) is never invoked by Untether code. Attack vector is local (`AV:L`) and requires local user access. Risk in practice: low, but a clean fix is cheap.
Fix.
- `uv lock --upgrade-package pygments` → verify lockfile bumps Pygments to ≥2.20.0.
- If pinned elsewhere, bump `pyproject.toml` constraint.
- CI `pip-audit` should go clean after.
Cross-ref: also tracked under v0.35.7 broader dep-audit sweep (#398).