Build(deps): [Security] Bump zipp from 3.17.0 to 3.19.1
Bumps zipp from 3.17.0 to 3.19.1. This update includes a security fix.
Vulnerabilities fixed
zipp Denial of Service vulnerability A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the
Pathmodule in both zipp and zipfile, such asjoinpath, the overloaded division operator, anditerdir. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.Patched versions: 3.19.1 Affected versions: < 3.19.1
Changelog
Sourced from zipp's changelog.
v3.19.1
Bugfixes
- Improved handling of malformed zip files. (#119)
v3.19.0
Features
- Implement is_symlink. (#117)
v3.18.2
No significant changes.
v3.18.1
No significant changes.
v3.18.0
Features
- Bypass ZipFile.namelist in glob for better performance. (#106)
- Refactored glob functionality to support a more generalized solution with support for platform-specific path separators. (#108)
Bugfixes
- Add special accounting for pypy when computing the stack level for text encoding warnings. (#114)
Commits
-
6d1cb72Finalize -
fd604bdMerge pull request #120 from jaraco/bugfix/119-malformed-paths -
c18417eAdd news fragment. -
58115d2Employ SanitizedNames in CompleteDirs. Fixes broken test. -
564fcc1Add SanitizedNames mixin. -
79a309fAdd some assertions about malformed paths. -
2d015c2Merge https://github.com/jaraco/skeleton -
a595a0fRename extras to align with core metadata spec. -
608f90aFinalize -
3a22d72Merge pull request #118 from jaraco/feature/is-symlink - Additional commits viewable in compare view