fix(deps): bump black to ^26.0.0 to resolve CVE-2026-32274 (audit-vuln-docs) #12

Merged: YushaArif99 merged 1 commit into main from feature/audit-vuln-docs on Jun 22, 2026
@YushaArif99 (Member)

Summary

Security vulnerability remediation for the docs repo (Track C of 4-track parallel audit).

  • CVE-2026-32274 (HIGH/OVERDUE) — black: bumped constraint from ^24.3.0 to ^26.0.0; poetry.lock now locks 26.5.1

Pre-existing fixes on main (already present via PR #11)

These were resolved before this branch and are confirmed at safe versions in the lockfile:

| CVE | Package | Old version | New version | Severity |
|---|---|---|---|---|
| CVE-2025-43859 | h11 | 0.14.0 | 0.16.0 | CRITICAL |
| CVE-2026-42311 | pillow | 11.1.0 | 12.2.0 | HIGH/OVERDUE |
| CVE-2025-47273 | setuptools | 76.0.0 | 82.0.1 | HIGH/OVERDUE |
| CVE-2025-69223 | aiohttp | 3.11.14 | 3.14.1 | HIGH |
| urllib3 cluster | urllib3 | 2.3.0 | 2.7.0 | HIGH |

Changes

  • pyproject.toml: black = "^24.3.0" → black = "^26.0.0"
  • poetry.lock: updated black 24.10.0 → 26.5.1 and transitive dependency updates

Test plan

  • Verify poetry install succeeds
  • Verify black --check runs cleanly on existing Python files

Bumps black from 24.10.0 to 26.5.1 to address CVE-2026-32274.

The ^24.3.0 constraint was capped below 25.0.0 and could not
resolve the patched release. Widening to ^26.0.0 allows poetry
to lock 26.5.1 which contains the fix.

Other previously reported vulnerabilities (h11 CVE-2025-43859,
pillow CVE-2026-42311, setuptools CVE-2025-47273, aiohttp
CVE-2025-69223, urllib3 cluster) were already resolved in
the lockfile via PR #11 on main.

mintlify Bot commented Jun 22, 2026

Preview deployment for your docs. Learn more about Mintlify Previews.

| Project | Status | Preview | Updated (UTC) |
|---|---|---|---|
| unify-d270b1a5 | 🟢 Ready | View Preview | Jun 22, 2026, 7:54 AM |

@YushaArif99 merged commit f5a0522 into main on Jun 22, 2026
1 of 3 checks passed
@YushaArif99 deleted the feature/audit-vuln-docs branch on June 22, 2026 08:30