
security: bump idna 3.11 -> 3.18 (CVE-2026-45409)#32

Merged: JRemitz merged 2 commits into main from security/fix-idna-cve on Jun 9, 2026

Conversation


@JRemitz JRemitz commented Jun 8, 2026

Contributor

Summary

Closes the open Dependabot alert on idna < 3.15 (GHSA-65pc-fj4g-8rjx / CVE-2026-45409, severity: medium).

idna < 3.15 is vulnerable to a denial-of-service via specially crafted Unicode inputs to idna.encode(). This is a follow-up to #29 — the broader uv lock --upgrade pass in that PR happened to land before idna 3.15 was published, so idna stayed pinned at 3.11.

Bumped via:

uv lock --upgrade-package idna

pyproject.toml unchanged. Bumps idna to 3.18 (latest within the 3.x line).

Fixes GHSA-65pc-fj4g-8rjx

Test plan

  • CI green on this branch (3.11/3.12/3.13)
  • Dependabot auto-dismisses alert Release v0.0.26 #7 on merge

🤖 Generated with Claude Code

idna < 3.15 is vulnerable to a DoS via specially crafted Unicode input
to idna.encode() (GHSA-65pc-fj4g-8rjx). Bump via `uv lock --upgrade-package
idna`; pyproject.toml unchanged.

Co-Authored-By: Claude <noreply@anthropic.com>
@JRemitz JRemitz force-pushed the security/fix-idna-cve branch from a8550ce to 0e2593a on June 9, 2026 01:58
@JRemitz JRemitz merged commit 0929c18 into main Jun 9, 2026
8 checks passed
@JRemitz JRemitz deleted the security/fix-idna-cve branch June 9, 2026 02:09
