
fix(deps): update dependency python to v3.14.6#81

Open
renovate[bot] wants to merge 1 commit into main from renovate/python-3.x

Conversation

@renovate

@renovate renovate Bot commented Jun 30, 2026


This PR contains the following updates:

Package | Update | Change
python (source) | patch | 3.14.5 → 3.14.6

Release Notes

python/cpython (python): v3.14.6


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions


Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Python 3.14.6 is a patch release (3.14.5 → 3.14.6) released on June 10, 2026, containing approximately 179 bugfixes, build improvements, and documentation changes. This is the sixth maintenance release in the 3.14 series.

Security Fixes (8 major CVEs):

  • CVE-2026-4224: Fixed unbounded C recursion crash in xml.parsers.expat with deeply nested XML
  • CVE-2026-3644: Reject control characters in http.cookies.Morsel to prevent injection attacks
  • CVE-2026-2297: Fixed SourcelessFileLoader to use secure io.open_code() for .pyc files
  • CVE-2026-3219: Upgraded bundled pip to 26.1 to patch vulnerability
  • CVE-2026-45186: Updated bundled libexpat to 2.8.1
  • OpenSSL Update: Updated to OpenSSL 3.5.7 across all platforms (macOS/iOS/Android/Windows)
  • bz2 Module: Fixed potential stack buffer overflow in bz2.BZ2Decompressor (gh-150599)
  • shutil.move(): Fixed symlink-based directory containment bypass (gh-149835)
  • ftplib: Improved CVE-2021-4189 fix by default-denying IPv4 from PASV (gh-87451)
  • tarfile: Enhanced path traversal protection in tarfile.data_filter() (gh-149486, gh-151987)
  • unicodedata.normalize(): Fixed DoS via quadratic-time algorithm, now uses linear-time counting sort (gh-149079)
  • XML hash-flooding: Improved protection requiring libExpat ≥2.8.0 (gh-149018)
  • wsgiref: Disallow control characters in HTTP status to prevent header injection
  • webbrowser: Reject URLs with leading dashes to prevent command injection
  • http.server: Fixed memory DoS vulnerability on Windows CGI server

Core Bug Fixes:

  • Fixed compiler crashes under OOM conditions (gh-151112)
  • Fixed SystemError in class-scope comprehensions with lambda referencing __class__ (gh-150700)
  • Fixed data race in gc.set_threshold() (gh-148613)
  • Fixed multiple datetime module issues (strftime, fromisoformat, validation)
  • Fixed multiple tkinter crashes and memory leaks
  • Fixed io.TextIOWrapper unbounded memory growth (gh-151814)

No Breaking Changes: As a patch release, Python 3.14.6 maintains full backward compatibility with 3.14.x series. All changes are bugfixes and security improvements.

🎯 Impact Scope Investigation

Python Usage in Codebase:
This codebase uses Python as one of seven supported sandbox runtimes (Node.js, TypeScript, Ruby, Go, Python, Rust, Bash).

Implementation Details:

  • Python runtime executes user-submitted code via /mise/installs/python/current/bin/python3 in an nsjail-isolated sandbox
  • Runtime configuration: internal/sandbox/runtime.go:296-343
    • Command: /mise/installs/python/current/bin/python3 <entryFile>
    • Bind mount: /mise/installs/python/current (read-only)
    • Resource limits: 1024 MiB VAS, 256 MiB physical memory, 32 processes, 900ms CPU/sec
    • No restricted files (users can submit any Python files)
  • Python installation managed via mise in Dockerfile (base stage) and mise.toml

Test Coverage:

  • E2E tests: e2e/tests/runtime/python.yml (14 test cases) and e2e/tests/runtime/python_stdin.yml (stdin test)
  • Tests cover: basic I/O, error handling, multi-file imports, JSON, classes, regex, exceptions

Version Change Impact:

  • Update locations: Dockerfile:69 (ARG PYTHON_VERSION) and mise.toml:10 (python = "3.14.6")
  • Zero code changes required: Python interpreter is invoked via hardcoded path; no API changes affect the sandbox integration
  • Docker rebuild required: New Python binary installed during Docker image build (mise use -g python@${PYTHON_VERSION})

Dependency Impact:

  • Python is a standalone runtime with no Go module dependencies
  • No changes to other language runtimes (Node, Ruby, Go, Rust, Bash)
  • No changes to nsjail configuration or security policies

💡 Recommended Actions

Merge Strategy:

  1. Merge immediately - This is a routine patch update with important security fixes
  2. After merge: Rebuild Docker image via docker compose down && docker compose up --build -d
  3. Run E2E test suite to verify: go test -tags e2e ./e2e/...
  4. No code changes or manual migration required

Why This Is Safe:

  • Patch version update (3.14.5 → 3.14.6) guarantees backward compatibility
  • Interpreter binary is containerized and version-pinned; no host system impact
  • Python runtime interface in codebase (pythonRuntime struct) uses only basic python3 invocation—no dependency on version-specific features
  • Existing E2E tests validate all Python functionality without modification
  • Security fixes reduce attack surface of the sandbox service

Post-Merge Validation:

# Rebuild container
docker compose down && docker compose up --build -d

# Verify Python version
docker compose exec sandbox /mise/installs/python/current/bin/python3 --version
# Expected: Python 3.14.6

# Run E2E tests
go test -tags e2e ./e2e/...


Generated by koki-develop/claude-renovate-review
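The review above names two places the pin lives (a Dockerfile `ARG PYTHON_VERSION` and a `python = "..."` entry in mise.toml) and a post-merge check that the rebuilt image reports the new version. The following POSIX shell script is an added example, not code from the PR, from Renovate, or from the review bot: it extracts the pin from both files, fails if they drift apart, and parses `python3 --version` output so the same check can be pointed at the interpreter inside the container. The file contents, the exact `ARG PYTHON_VERSION=` and `python = "..."` line formats, and the temporary paths are constructed assumptions for the example.

```shell
#!/usr/bin/env sh
# Added example (not part of the PR or the repository it targets).
# Checks that the Python pin agrees between the two update locations the
# review names and that an interpreter reports the pinned version.
# The sample Dockerfile / mise.toml contents below are constructed.

# Extract the pin from a Dockerfile "ARG PYTHON_VERSION=X.Y.Z" line (assumed format).
dockerfile_python_version() {
  sed -n 's/^ARG PYTHON_VERSION=\(.*\)$/\1/p' "$1" | head -n 1
}

# Extract the pin from a mise.toml 'python = "X.Y.Z"' line (assumed format).
mise_python_version() {
  sed -n 's/^python[[:space:]]*=[[:space:]]*"\([^"]*\)"/\1/p' "$1" | head -n 1
}

# Succeed only when both files carry the same, non-empty version.
pins_agree() {  # $1 = Dockerfile, $2 = mise.toml
  d=$(dockerfile_python_version "$1")
  m=$(mise_python_version "$2")
  [ -n "$d" ] && [ "$d" = "$m" ]
}

# Reduce "Python 3.14.6" (as printed by `python3 --version`) to "3.14.6".
parse_python_version_output() {
  printf '%s\n' "$1" | sed -n 's/^Python \([0-9][0-9.]*\).*/\1/p'
}

# Compare an interpreter's reported version against the expected pin.
# Inside the rebuilt image this would be called as, for example:
#   interpreter_matches /mise/installs/python/current/bin/python3 3.14.6
interpreter_matches() {  # $1 = interpreter path, $2 = expected version
  out=$("$1" --version 2>&1)
  [ "$(parse_python_version_output "$out")" = "$2" ]
}

# Constructed sample files mirroring the two update locations.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/Dockerfile" <<'EOF'
FROM debian:bookworm-slim AS base
ARG PYTHON_VERSION=3.14.6
RUN mise use -g python@${PYTHON_VERSION}
EOF
cat > "$tmp/mise.toml" <<'EOF'
[tools]
python = "3.14.6"
EOF
# A stale copy that was not bumped, to show the drift check firing.
cat > "$tmp/mise-stale.toml" <<'EOF'
[tools]
python = "3.14.5"
EOF

if pins_agree "$tmp/Dockerfile" "$tmp/mise.toml"; then
  echo "pins agree: $(dockerfile_python_version "$tmp/Dockerfile")"
fi
if ! pins_agree "$tmp/Dockerfile" "$tmp/mise-stale.toml"; then
  echo "pin drift: Dockerfile $(dockerfile_python_version "$tmp/Dockerfile") vs mise.toml $(mise_python_version "$tmp/mise-stale.toml")"
fi
```

Running the drift check in CI before the image build catches the case where Renovate (or a hand edit) updates only one of the two files; `interpreter_matches` is the scripted form of the `--version` step in the review's post-merge validation and only confirms what the binary reports, so it does not replace rebuilding the image and running the E2E suite.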
