v3.0.0 - CVE-2025-69872 fix, diskcache → cachetools

@IntegerAlex IntegerAlex released this 23 Feb 16:14
83ad6c4

IndiaPincodeFinder v3.0.0

Security: CVE-2025-69872 addressed

This release replaces diskcache with cachetools.LRUCache to mitigate CVE-2025-69872 (CVSS 9.8). The previous diskcache dependency had its last commit over 2 years ago and used pickle-based persistence, which posed a security risk. We now use the actively maintained cachetools library with a simple in-memory cache.

What's changed

  • Removed diskcache dependency
  • Added cachetools>=7.0.1 as the in-memory cache backend
  • Updated docstrings to reflect that the cache is in-memory (no persistence across restarts)
  • Added version & stress test script (python/scripts/test_version_stress.py) for production validation

Breaking changes

  • Python 3.9 is no longer supported. requires-python is now >=3.10 (required by cachetools>=7.0.1)

Performance

All public APIs remain unchanged. Benchmarks on ~18.8k pincodes:

| Metric | Result |
|---|---|
| Import + cache load | ~0.02–0.03 s |
| Stress test (200k lookups, random pincodes) | ~1.6M–2.45M lookups/s |
| Tight loop (800k lookups, single pincode) | ~0.17–0.29 µs per lookup |

The in-memory cache eliminates disk and pickle overhead from the previous diskcache implementation.

Upgrade

pip install --upgrade indiapincodefinder

No code changes required—the public API (pin_to_address, pin_to_state, pin_to_district, pin_to_taluka, load_pincode_data) is unchanged.
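
After upgrading, it is worth confirming that nothing else in the environment still pulls in diskcache. The script below is an added example, not code from IndiaPincodeFinder; the sample package list (including the hypothetical Example_App) is constructed, and the check matches requirement names only, without evaluating version specifiers or environment markers.

```python
"""Added example: list installed packages that still declare a diskcache dependency."""
import re
from importlib import metadata

TARGET = "diskcache"

def normalize(name):
    # PEP 503 normalization: runs of '-', '_' and '.' collapse to one hyphen.
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(req):
    # Leading project name of a PEP 508 requirement, e.g. "cachetools>=7.0.1".
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", req)
    return normalize(m.group(1)) if m else None

def find_dependents(packages, target=TARGET):
    """packages: iterable of (name, version, [requirement strings] or None).
    Returns a sorted list of (name, version, requirement) naming the target."""
    target = normalize(target)
    hits = []
    for name, version, requires in packages:
        for req in requires or []:
            if requirement_name(req) == target:
                hits.append((normalize(name), version, req))
    return sorted(hits)

def installed_packages():
    # Live view of the current environment via the standard library.
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name:
            yield name, dist.version, dist.requires

def is_installed(target=TARGET):
    try:
        metadata.version(target)
        return True
    except metadata.PackageNotFoundError:
        return False

# Constructed sample input; Example_App and other-tool are hypothetical packages.
SAMPLE = [
    ("indiapincodefinder", "3.0.0", ["cachetools>=7.0.1"]),
    ("Example_App", "1.2.0", ["DiskCache>=5.0 ; python_version >= '3.8'", "requests"]),
    ("other-tool", "0.4.1", None),
]

if __name__ == "__main__":
    for name, version, req in find_dependents(installed_packages()):
        print(f"{name} {version} still requires: {req}")
    print("diskcache installed:", is_installed())
```

An empty result together with `diskcache installed: True` means the package is left over from an earlier install and can be removed with pip uninstall.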