Skip to content

fix: update black to fix ReDoS vulnerability#582

Merged
vdusek merged 2 commits intomasterfrom
fix/security-update-black
Jan 26, 2026
Merged

fix: update black to fix ReDoS vulnerability#582
vdusek merged 2 commits intomasterfrom
fix/security-update-black

Conversation

@B4nan
Copy link
Member

@B4nan B4nan commented Jan 21, 2026
edited by vdusek
Loading

Summary

Test plan

  • uv lock completes successfully
  • black version updated to 26.1.0
  • CI tests pass

🤖 Generated with Claude Code

@B4nan @claude
fix: update black to ≥24.3.0 to fix ReDoS vulnerability
2c4017d 
Addresses Dependabot alert #65:
- CVE-2024-21503: Regular Expression Denial of Service (ReDoS) vulnerability

Added explicit black>=24.3.0 constraint to dev dependencies and updated uv.lock.

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@github-actions github-actions bot added this to the 132nd sprint - Tooling team milestone Jan 21, 2026
@github-actions github-actions bot added the t-tooling Issues with this label are in the ownership of the tooling team. label Jan 21, 2026
@codecov
Copy link

codecov bot commented Jan 21, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.01%. Comparing base (ff61ea0) to head (b8904f3).
⚠️ Report is 9 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master     #582   +/-   ##
=======================================
  Coverage   76.01%   76.01%           
=======================================
  Files          42       42           
  Lines        2468     2468           
=======================================
  Hits         1876     1876           
  Misses        592      592
Flag Coverage Δ
integration 68.96% <ø> (ø)
unit 64.58% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@B4nan
Copy link
Member Author

B4nan commented Jan 21, 2026

No idea if this is correct, feel free to resolve the security issue otherwise.

@B4nan B4nan requested a review from vdusek January 21, 2026 14:01
@B4nan B4nan added the adhoc Ad-hoc unplanned task added during the sprint. label Jan 21, 2026
@vdusek
Copy link
Contributor

vdusek commented Jan 21, 2026

No idea if this is correct, feel free to resolve the security issue otherwise.

Isn't this just a false positive, taking into account that this is a transitive dependency of pydoc, and we use pydoc as a dev dependency? Meaning the black is not part of our production package.

Of course, it is completely wrong for pydoc (and its dependencies) to use black (linter & formatter) as a production dependency. But it is what it is...

@B4nan
Copy link
Member Author

B4nan commented Jan 21, 2026

Security issues in dev dependencies are also valid, because we use them in our CI where we have various secrets that could leak. But you are right that those issues are less important and often invalid for us. Still, if we can resolve them with a dependency bump, we should do so.

What's the alternative here? I guess waiting for pydoc to update their dependencies? We can surely wait a bit with this, I was mostly testing how claude handles this kind of task, since it will get worse once we include more repositories in those checks.

@vdusek
Copy link
Contributor

vdusek commented Jan 22, 2026

Security issues in dev dependencies are also valid, because we use them in our CI where we have various secrets that could leak. But you are right that those issues are less important and often invalid for us. Still, if we can resolve them with a dependency bump, we should do so.

That makes sense, thanks.

What's the alternative here? I guess waiting for pydoc to update their dependencies? We can surely wait a bit with this, I was mostly testing how claude handles this kind of task, since it will get worse once we include more repositories in those checks.

The issue is that pydoc-markdown, which we use for documentation generation, uses docspec-python to parse Python source code, and docspec-python depends on black for parsing. While docspec-python has already updated to a newer version of black, pydoc-markdown is not very actively maintained and still uses an older docspec-python version, which results in the outdated black.

We can try to resolve this as proposed in the PR by explicitly constraining the black version on our side. Hopefully, this won't break anything in the docs generation.

vdusek
vdusek reviewed Jan 26, 2026
View reviewed changes
Copy link
Contributor

@vdusek vdusek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll add a more explanatory comment with a note to revisit this in the future and merge it

vdusek
vdusek reviewed Jan 26, 2026
View reviewed changes
vdusek
vdusek approved these changes Jan 26, 2026
View reviewed changes
Copy link
Contributor

@vdusek vdusek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's see how this will work with the API reference doc generation.

@vdusek vdusek merged commit aae2eb9 into master Jan 26, 2026
28 checks passed
@vdusek vdusek deleted the fix/security-update-black branch January 26, 2026 15:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vdusek vdusek vdusek approved these changes

Assignees

@B4nan B4nan

Labels

adhoc Ad-hoc unplanned task added during the sprint. t-tooling Issues with this label are in the ownership of the tooling team.

Projects

None yet

Milestone

132nd sprint - Tooling team

Development

Successfully merging this pull request may close these issues.

2 participants

@B4nan @vdusek