chore(deps): [repository-management] Update dependency pygments to v2.20.0 [SECURITY] by renovate-bot · Pull Request #415 · GoogleCloudPlatform/cloud-solutions

renovate-bot · 2026-03-29T14:15:00Z

This PR contains the following updates:

Package	Change	Age	Confidence
pygments (changelog)	`== 2.19.2` → `==2.20.0`
pygments (changelog)	`2.19.2` → `2.20.0`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-4539

A security flaw has been discovered in pygments before 2.20.0. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching

CVE-2026-4539 / GHSA-5239-wwwm-4pmq

More information

Details

A security flaw has been discovered in pygments before 2.20.0. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Severity

CVSS Score: 1.9 / 10 (Low)
Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

pygments/pygments (pygments)

`v2.20.0`

Compare Source

(released March 29th, 2026)

New lexers:
- Rell (#2914)
Updated lexers:
- archetype: Fix catastrophic backtracking in GUID and ID patterns (#3064)
- ASN.1: Recognize minus sign and fix range operator (#3014, #3060)
- C++: Add C++26 keywords (#2955), add integer literal suffixes (#2966)
- ComponentPascal: Fix analyse_text (#3028, #3032)
- Coq renamed to Rocq (#2883, #2908)
- Cython: Various improvements (#2932, #2933)
- Debian control: Improve architecture parsing (#3052)
- Devicetree: Add support for overlay/fragments (#3021), add bytestring support (#3022), fix catastrophic backtracking (#3057)
- Fennel: Various improvements (#2911)
- Haskell: Handle escape sequences in character literals (#3069, #1795)
- Java: Add module keywords (#2955)
- Lean4: Add operators ]', ]?, ]! (#2946)
- LESS: Support single-line comments (#3005)
- LilyPond: Update to 2.25.29 (#2974)
- LLVM: Support C-style comments (#3023, #2978)
- Lua(u): Fix catastrophic backtracking (#3047)
- Macaulay2: Update to 1.25.05 (#2893), 1.25.11 (#2988)
- Mathematica: Various improvements (#2957)
- meson: Add additional operators (#2919)
- MySQL: Update keywords (#2970)
- org-Mode: Support both schedule and deadline (#2899)
- PHP: Add __PROPERTY__ magic constant (#2924), add reserved keywords (#3002)
- PostgreSQL: Add more keywords (#2985)
- protobuf: Fix namespace tokenization (#2929)
- Python: Add t-string support (#2973, #3009, #3010)
- Tablegen: Fix infinite loop (#2972, #2940)
- Tera Term macro: Add commands introduced in v5.3 through v5.6 (#2951)
- TOML: Support TOML 1.1.0 (#3026, #3027)
- Turtle: Allow empty comment lines (#2980)
- XML: Added .xbrl as file ending (#2890, #2891)
Drop Python 3.8, and add Python 3.14 as a supported version (#2987, #3012)
Various improvements to autopygmentize (#2894)
Update onedark style to support more token types (#2977)
Update rtt style to support more token types (#2895)
Cache entry points to improve performance (#2979)
Fix xterm-256 color table (#3043)
Fix kwargs dictionary getting mutated on each call (#3044)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

….20.0 [SECURITY]

forking-renovate bot added dependencies Pull requests that update a dependency file p0 SECURITY labels Mar 29, 2026

renovate-bot requested review from a team, aburhan and ferrarimarco as code owners March 29, 2026 14:15

ferrarimarco self-assigned this Mar 30, 2026

renovate-bot force-pushed the renovate/pypi-pygments-vulnerability branch 12 times, most recently from afc7496 to b22b836 Compare April 3, 2026 13:55

chore(deps): [repository-management] Update dependency pygments to v2…

9153d74

….20.0 [SECURITY]

renovate-bot force-pushed the renovate/pypi-pygments-vulnerability branch from b22b836 to 9153d74 Compare April 4, 2026 07:43

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): [repository-management] Update dependency pygments to v2.20.0 [SECURITY]#415

chore(deps): [repository-management] Update dependency pygments to v2.20.0 [SECURITY]#415
renovate-bot wants to merge 1 commit intoGoogleCloudPlatform:mainfrom
renovate-bot:renovate/pypi-pygments-vulnerability

renovate-bot commented Mar 29, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

renovate-bot commented Mar 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

CVE-2026-4539

Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching

Details

Severity

References

Release Notes

v2.20.0

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

renovate-bot commented Mar 29, 2026 •

edited

Loading

`v2.20.0`