Chore(deps-dev): [security] bump zipp from 3.18.1 to 3.19.1
Bumps zipp from 3.18.1 to 3.19.1. This update includes a security fix.
Vulnerabilities fixed
zipp Denial of Service vulnerability
A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting thePath
module in both zipp and zipfile, such asjoinpath
, the overloaded division operator, anditerdir
. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.Patched versions: 3.19.1
Affected versions: < 3.19.1
Changelog
Sourced from zipp's changelog.
v3.19.1
Bugfixes
- Improved handling of malformed zip files. (#119)
v3.19.0
Features
- Implement is_symlink. (#117)
v3.18.2
No significant changes.
Commits
-
6d1cb72
Finalize -
fd604bd
Merge pull request #120 from jaraco/bugfix/119-malformed-paths -
c18417e
Add news fragment. -
58115d2
Employ SanitizedNames in CompleteDirs. Fixes broken test. -
564fcc1
Add SanitizedNames mixin. -
79a309f
Add some assertions about malformed paths. -
2d015c2
Merge https://github.com/jaraco/skeleton -
a595a0f
Rename extras to align with core metadata spec. -
608f90a
Finalize -
3a22d72
Merge pull request #118 from jaraco/feature/is-symlink - Additional commits viewable in compare view