chore(deps): bump pydantic-settings to 2.14.2 (security) and cut 1.4.0#49
Merged
Conversation
Locked transitive dependency (pulled in by mcp) was 2.14.1, vulnerable to a symlink escape in NestedSecretsSettingsSource that could read files outside secrets_dir and bypass secrets_dir_max_size (GHSA, medium). Fixed in 2.14.2. Lockfile only, no API change.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes Dependabot alert #9. The locked transitive
pydantic-settings(pulled in bymcp) was 2.14.1, which is vulnerable to a symlink escape inNestedSecretsSettingsSource: it could follow symlinks outsidesecrets_dirand bypasssecrets_dir_max_size(medium severity). Bumped to 2.14.2 in the lockfile. No source or API change.Also cuts the changelog for 1.4.0: promotes the
[Unreleased]entries (Streamable HTTP MCP endpoint, auto mode operator-answer rule, tag-driven versioning) under a dated[1.4.0]heading and records the security bump. Thev1.4.0tag will be pushed right after this merges.Test plan
uv lockresolves cleanly, onlypydantic-settingsmoves 2.14.1 to 2.14.2.Notes
No version bump in source: the version is derived from git tags via hatch-vcs. The changelog heading is renamed as part of cutting the release, per the project's documented flow.