CVE-2026-28684, CVE-2026-25645: bump python-dotenv and requests floors#268
Closed
saileshwar-skyflow wants to merge 11 commits into
requests >= 2.33.0 (CVE-2026-25645 fix) requires Python >= 3.10. SDK currently supports Python >= 3.9 so 2.33.0 cannot be installed. Pinning to >= 2.32.2 (highest available on 3.9, avoids yanked 2.32.0 and 2.32.1). Full remediation of CVE-2026-25645 requires dropping Python 3.9 support — tracked separately. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
python-dotenv 1.2.2 requires Python >= 3.10; highest available on Python 3.9 is 1.2.1. Partially mitigates CVE-2026-28684 — full remediation (1.2.2+) blocked until Python 3.9 support is dropped. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2.32.2 was the CVE-patched minimum but still constrained consumers on older stable releases. 2.28.0 is the minimum that works with the SDK and is widely available on Python 3.9. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Bumps dependency floors to patch two CVEs reported against the SDK's transitive dependencies.

Why

CVE-2026-28684 — python-dotenv < 1.2.2

`set_key()` and `unset_key()` follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink. Fixed in python-dotenv 1.2.2.

CVE-2026-25645 — requests < 2.33.0

`requests.utils.extract_zipped_paths()` uses a predictable filename in the system temp directory, allowing a local attacker to pre-create a malicious file. Fixed in requests 2.33.0.

Goal

- `python-dotenv >= 1.2.2`
- `requests >= 2.32.2`; full fix blocked by Python 3.9 support
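The python-dotenv entry above describes a write that follows a symlink. As an added illustration (not python-dotenv's code and not the fix shipped in 1.2.2), the following shows the defensive pattern that closes this class of bug: refuse a path that is a symbolic link, open the existing file with `O_NOFOLLOW`, and replace it atomically through a temp file created in the same directory. `safe_set_key`, `SymlinkRefused` and `demo` are names chosen here; the victim file and planted link that `demo` sets up are constructed inside a scratch directory.

```python
import os
import tempfile


class SymlinkRefused(Exception):
    """Raised when the path to rewrite is a symbolic link."""


# getattr keeps the example importable on platforms without O_NOFOLLOW
# (Windows); there the islink() check alone is the guard.
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def _render(lines, key, value):
    """Return `lines` with `key` set to `value`, appending if absent."""
    out, found = [], False
    for line in lines:
        if line.split("=", 1)[0].strip() == key:
            out.append(f"{key}={value}\n")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}\n")
    return out


def safe_set_key(path, key, value):
    """Write key=value into `path` without following symlinks.

    Returns the new file contents as a string.
    """
    # islink() inspects the link itself (lstat), not its target.
    if os.path.islink(path):
        raise SymlinkRefused(f"refusing to rewrite through symlink: {path}")
    lines = []
    if os.path.exists(path):
        # O_NOFOLLOW closes the window between islink() and open().
        fd = os.open(path, os.O_RDONLY | O_NOFOLLOW)
        with os.fdopen(fd) as f:
            lines = f.readlines()
    new_lines = _render(lines, key, value)
    directory = os.path.dirname(os.path.abspath(path))
    # Write a fresh temp file in the same directory, then rename it over
    # the target. rename() swaps the directory entry, so even a symlink
    # planted after the check is replaced rather than written through.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".env.")
    try:
        with os.fdopen(fd, "w") as f:
            f.writelines(new_lines)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return "".join(new_lines)


def demo():
    """Exercise the happy path and a planted symlink in a scratch dir.

    Returns the observed results as a dict so they can be checked.
    """
    with tempfile.TemporaryDirectory() as d:
        env = os.path.join(d, ".env")
        first = safe_set_key(env, "DB_HOST", "localhost")
        second = safe_set_key(env, "DB_PORT", "5432")
        third = safe_set_key(env, "DB_HOST", "db.internal")
        # Constructed scenario: a link named like an .env file that points
        # at a file which must survive untouched.
        victim = os.path.join(d, "victim.txt")
        with open(victim, "w") as f:
            f.write("do not overwrite\n")
        link = os.path.join(d, "planted.env")
        os.symlink(victim, link)
        try:
            safe_set_key(link, "X", "y")
            refused = False
        except SymlinkRefused:
            refused = True
        with open(victim) as f:
            intact = f.read() == "do not overwrite\n"
    return {"first": first, "second": second, "third": third,
            "refused": refused, "victim_intact": intact}
```

The two guards are complementary: `islink()` gives a clear error for the obvious case, while `O_NOFOLLOW` plus rename-over-target means a link swapped in between check and write is still never followed.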
Changes

| Package | Old floor | New floor |
|---|---|---|
| python-dotenv | >= 1.1.0, < 2 | >= 1.2.2, < 2 |
| requests | >= 2.28.0 | >= 2.32.2 |

Python 3.10 migration note

To fully remediate CVE-2026-25645, the SDK needs to:

- `python_requires` from `>=3.9` to `>=3.10` in `setup.py`
- `requests >= 2.33.0`

This should be tracked and decided before the next release.
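The migration note reasons about which floor is reachable on each Python version. As an added example (not the SDK's own code), the following audits an environment against the floors this PR states, encoding its rule that the full requests fix needs Python >= 3.10 and flagging the yanked 2.32.0 and 2.32.1 releases named in its commit message. `FLOORS`, `classify`, `audit` and `audit_current_environment` are names chosen here; the version dictionaries passed to `audit` in the test are constructed.

```python
import sys
from importlib import metadata

# Floors and CVE ids exactly as stated in the PR; the yanked releases are
# the ones its commit message names.
FLOORS = {
    "python-dotenv": {
        "cve": "CVE-2026-28684",
        "full": "1.2.2",
    },
    "requests": {
        "cve": "CVE-2026-25645",
        "partial": "2.32.2",           # highest reachable on Python 3.9
        "full": "2.33.0",              # needs Python >= 3.10
        "full_needs_python": (3, 10),
        "yanked": {"2.32.0", "2.32.1"},
    },
}


def parse_version(text):
    """'2.32.2' -> (2, 32, 2); a non-numeric suffix such as 'rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def at_least(installed, floor):
    """True when `installed` satisfies '>= floor' (tuple comparison)."""
    return parse_version(installed) >= parse_version(floor)


def classify(package, installed, python_version):
    """Return (status, note) for one package.

    status is one of: not installed, yanked, vulnerable, mitigated, fixed.
    """
    spec = FLOORS[package]
    if installed is None:
        return "not installed", ""
    if installed in spec.get("yanked", ()):
        floor = spec.get("partial", spec["full"])
        return "yanked", f"{installed} was yanked; use >= {floor}"
    if at_least(installed, spec["full"]):
        return "fixed", ""
    partial = spec.get("partial")
    if partial and at_least(installed, partial):
        needs = spec.get("full_needs_python")
        if needs and tuple(python_version[:2]) < needs:
            return "mitigated", f"full fix {spec['full']} needs Python >= {needs[0]}.{needs[1]}"
        return "mitigated", f"upgrade to >= {spec['full']}"
    return "vulnerable", f"below {partial or spec['full']}"


def audit(installed, python_version):
    """installed: {distribution name: version string or None}.

    Returns {package: (cve, status, note)} for every package in FLOORS.
    """
    return {
        pkg: (spec["cve"],) + classify(pkg, installed.get(pkg), python_version)
        for pkg, spec in FLOORS.items()
    }


def audit_current_environment():
    """Read the versions actually installed here and audit them."""
    installed = {}
    for pkg in FLOORS:
        try:
            installed[pkg] = metadata.version(pkg)
        except metadata.PackageNotFoundError:
            installed[pkg] = None
    return audit(installed, sys.version_info[:2])


if __name__ == "__main__":
    for pkg, (cve, status, note) in audit_current_environment().items():
        print(f"{pkg:14} {cve}  {status:14} {note}")
```

Run as a script it reports the interpreter it runs under, so on a 3.9 box a `requests` 2.32.2 install shows as `mitigated` with the 3.10 note, which is the state this PR leaves consumers in.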
Testing

- `requests >= 2.32.2`
- `requests 2.33.0` is excluded as it requires Python >= 3.10

Tech debt