chore(deps): update dependency black to v26.3.1 [security]#3369
Merged
JohnVillalovos merged 1 commit intomainfrom Mar 12, 2026
Merged
chore(deps): update dependency black to v26.3.1 [security]#3369JohnVillalovos merged 1 commit intomainfrom
JohnVillalovos merged 1 commit intomainfrom
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==26.3.0→==26.3.1GitHub Vulnerability Alerts
CVE-2026-32274
Impact
Black writes a cache file, the name of which is computed from various formatting options. The value of the
--python-cell-magicsoption was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.Patches
Fixed in Black 26.3.1.
Workarounds
Do not allow untrusted user input into the value of the
--python-cell-magicsoption.Release Notes
psf/black (black)
v26.3.1Compare Source
Stable style
exact-length placeholders for short magics and aborting if a placeholder can no longer
be unmasked safely (#5038)
Configuration
--python-cell-magicsso custommagic names cannot affect cache paths (#5038)
Blackd
and request body limits, and bound executor submissions to improve backpressure
(#5039)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.