
build(deps): bump pydantic-settings from 2.12.0 to 2.14.2#322

Merged
abrookins merged 1 commit into main from dependabot/uv/pydantic-settings-2.14.2 on Jun 30, 2026

Conversation

@dependabot dependabot Bot (Contributor) commented on behalf of github Jun 23, 2026

Bumps pydantic-settings from 2.12.0 to 2.14.2.

Release notes

Sourced from pydantic-settings's releases.

v2.14.2

What's Changed

This is a security patch release.

Security

Fixes GHSA-4xgf-cpjx-pc3j: NestedSecretsSettingsSource with secrets_nested_subdir=True could follow a symbolic link inside secrets_dir pointing outside it, reading out-of-tree files into settings values and bypassing the secrets_dir_max_size cap. Affected versions: >= 2.12.0, < 2.14.2.

Full Changelog: pydantic/pydantic-settings@v2.14.1...v2.14.2

v2.14.1

What's Changed

Full Changelog: pydantic/pydantic-settings@v2.14.0...v2.14.1

v2.14.0

What's Changed

... (truncated)

Commits
  • d703bd7 Prepare release 2.14.2 (#890)
  • e95c30b Prepare release 2.14.1 (#859)
  • 0c87345 Fix field named cls conflicting with classmethod parameter (#858)
  • 7bd0072 Bump the python-packages group with 2 updates (#856)
  • b03e573 Bump the github-actions group with 3 updates (#853)
  • eaa3b43 Bump the python-packages group with 5 updates (#854)
  • 9f95615 Bump the python-packages group with 4 updates (#850)
  • 8916bee Prepare release 2.14.0 (#848)
  • 39e551c Fix CLI descriptions lost under python -OO by falling back to `json_schema_...
  • 9ed7f48 Bump the python-packages group with 4 updates (#847)
  • Additional commits viewable in compare view


Note

Low Risk
Dependency version pin update with no application code changes; reduces exposure to a known settings/secrets symlink issue on affected versions.

Overview
Updates the locked pydantic-settings dependency from 2.12.0 to 2.14.2 in uv.lock (sdist/wheel URLs and hashes only).

The motivating change in upstream 2.14.2 is a security fix (GHSA-4xgf-cpjx-pc3j): NestedSecretsSettingsSource with secrets_nested_subdir=True no longer follows symlinks inside secrets_dir that point outside it, which could previously load out-of-tree files into settings and bypass secrets_dir_max_size.

Reviewed by Cursor Bugbot for commit 344ba27. Bugbot is set up for automated code reviews on this repo.
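The guards described in the release note above, as an added example that is neither pydantic-settings' own code nor part of this PR: a minimal nested-secrets loader that resolves each file before reading it, refuses any target outside secrets_dir, and charges the resolved target's size against the cap. The names load_nested_secrets, SecretsDirError and demo are assumptions for this example.

```python
# Added example, not pydantic-settings' or this PR's code: a minimal
# nested-secrets loader with the two guards the upstream 2.14.2 fix restores.
# load_nested_secrets, SecretsDirError and demo are names assumed here.
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class SecretsDirError(ValueError):
    """A secret file escapes secrets_dir or the directory exceeds the cap."""


def load_nested_secrets(secrets_dir: str | os.PathLike, max_size: int = 8192) -> dict[str, str]:
    base = Path(secrets_dir).resolve(strict=True)
    total = 0
    settings: dict[str, str] = {}
    for path in sorted(base.rglob("*")):
        if not path.is_file():
            continue
        # Resolve symlinks before reading; the target must stay inside secrets_dir.
        real = path.resolve()
        if not real.is_relative_to(base):
            raise SecretsDirError(f"{path} resolves outside secrets_dir: {real}")
        # Count the resolved target's size so a link cannot dodge the cap.
        total += real.stat().st_size
        if total > max_size:
            raise SecretsDirError(f"secrets_dir exceeds {max_size} bytes")
        # Nested path db/password becomes the setting key db__password.
        settings["__".join(path.relative_to(base).parts)] = real.read_text().strip()
    return settings


def demo() -> tuple[dict[str, str], str]:
    """Constructed fixture: one real secret, then a symlink escaping the dir."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp, "outside.txt")
        outside.write_text("not-a-secret")
        secrets = Path(tmp, "secrets", "db")
        secrets.mkdir(parents=True)
        (secrets / "password").write_text("hunter2\n")
        clean = load_nested_secrets(secrets.parent)
        (secrets.parent / "leak").symlink_to(outside)  # points outside secrets_dir
        try:
            load_nested_secrets(secrets.parent)
            outcome = "accepted"
        except SecretsDirError:
            outcome = "rejected"
    return clean, outcome
```

A directory that has no escaping links loads normally; once the constructed leak symlink is present the loader raises instead of reading the out-of-tree file.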

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 23, 2026
@jit-ci jit-ci Bot commented Jun 23, 2026

🛡️ Jit Security Scan Results

CRITICAL HIGH MEDIUM

✅ No security findings were detected in this PR


Security scan by Jit

@abrookins abrookins (Collaborator) commented:

@dependabot rebase

Bumps [pydantic-settings](https://github.com/pydantic/pydantic-settings) from 2.12.0 to 2.14.2.
- [Release notes](https://github.com/pydantic/pydantic-settings/releases)
- [Commits](pydantic/pydantic-settings@v2.12.0...v2.14.2)

---
updated-dependencies:
- dependency-name: pydantic-settings
  dependency-version: 2.14.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/uv/pydantic-settings-2.14.2 branch from bf7cb1b to 344ba27 on June 30, 2026 01:35

@abrookins abrookins (Collaborator) left a comment

Reviewed the rebased pydantic-settings lockfile update. Diff is uv.lock-only for pydantic-settings 2.14.2. GitHub checks are green after rerunning the transient redis:latest working-memory index assertion. Local uv sync --locked and pytest tests/test_dependencies.py tests/test_aws_config.py tests/test_models.py tests/test_api.py passed: 68 passed, 32 skipped.

@abrookins abrookins merged commit 8404169 into main Jun 30, 2026
26 of 27 checks passed
@abrookins abrookins deleted the dependabot/uv/pydantic-settings-2.14.2 branch June 30, 2026 01:38