Skip to content

Bump distlib from 0.4.1 to 0.4.3#132

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/distlib-0.4.3
Open

Bump distlib from 0.4.1 to 0.4.3#132
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/distlib-0.4.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 14, 2026

Copy link
Copy Markdown
Contributor

Bumps distlib from 0.4.1 to 0.4.3.

Changelog

Sourced from distlib's changelog.

0.4.3


Released: 2026-06-12
  • resources

    • Removed too-restrictive check for escaping resources.

0.4.2

Released: 2026-06-08

  • locators

    • Fix URL percent-encoding using space-padding instead of zero-padding. Thanks to Kadir Can Ozden for the patch.

    • Harden decompression against malicious input. Thanks to tonghuaroot for the patch, which was adapted slightly.

  • manifest

    • Use os.lstat in findall to correctly detect symlinked directories. Thanks to Kadir Can Ozden for the patch.
  • metadata

    • Improve logic to incorporate newer metadata versions.
  • resources

    • Ensure that constructed resource paths don't escape the package. Thanks to tonghuaroot for the patch.
  • util

    • Fix #255: Update cache_from_source() for Python 3.15. Thanks to Victor Stinner for the patch.

    • Check during unarchiving that the destination directory isn't escaped via symlinks. Thanks to tonghuaroot for the patch.

    • Improved performance of normalize_name using dual replace. Thanks to Hugo van Kemenade for the patch.

  • wheel

... (truncated)

Commits
  • 3f4a377 Changes for 0.4.3.
  • 5ee19e6 Relax too-strict escaping check for resources.
  • f0e3d1a Bump version.
  • 06e010d Add upper version limit for setuptools for build, to keep metadata version to...
  • 8b5aa55 Added tag 0.4.2 for changeset 5295c0ceb419
  • 8183ea6 Update change log.
  • 55ca016 Changes for 0.4.2.
  • 7e282ab Update metadata logic to incorporate newer versions.
  • fa4ea50 Remove non-portable portion of test.
  • e06a1d5 Further refine tests.
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jun 14, 2026
@dependabot dependabot Bot changed the title Bump distlib from 0.4.0 to 0.4.3 Bump distlib from 0.4.1 to 0.4.3 Jul 6, 2026
@dependabot
dependabot Bot force-pushed the dependabot/pip/distlib-0.4.3 branch from 7fb844f to 045f758 Compare July 6, 2026 07:01
Bumps [distlib](https://github.com/pypa/distlib) from 0.4.1 to 0.4.3.
- [Release notes](https://github.com/pypa/distlib/releases)
- [Changelog](https://github.com/pypa/distlib/blob/master/CHANGES.rst)
- [Commits](pypa/distlib@0.4.1...0.4.3)

---
updated-dependencies:
- dependency-name: distlib
  dependency-version: 0.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/pip/distlib-0.4.3 branch from 045f758 to 3b4bc5c Compare July 7, 2026 00:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants