
chore: bump pygments >=2.20.0, <3.0.0#59

Merged
ekassos merged 1 commit into main from ekassos/chore/bump-pygments
Apr 6, 2026

Conversation

@ekassos
Member

@ekassos ekassos commented Apr 6, 2026

No description provided.

@ekassos ekassos self-assigned this Apr 6, 2026
@ekassos ekassos added the labels dependencies (Pull requests that update a dependency file) and python:uv (Pull requests that update python:uv code) Apr 6, 2026
@coderabbitai

coderabbitai bot commented Apr 6, 2026

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (3)
  • skip-ai-review
  • dependencies
  • chore

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3c473eb1-1692-4643-885a-510ce88eb630

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@ekassos ekassos merged commit 1be1103 into main Apr 6, 2026
14 checks passed
@ekassos ekassos deleted the ekassos/chore/bump-pygments branch April 6, 2026 18:12
@greptile-apps

greptile-apps bot commented Apr 6, 2026

Greptile Summary

This PR adds a [tool.uv] override-dependencies constraint that pins the transitive dependency pygments to >=2.20.0,<3.0.0, addressing known ReDoS security vulnerabilities (CVE-2024-42493 fixed in 2.18.0, CVE-2025-27407 fixed in 2.19.1). The uv.lock file is updated accordingly to resolve pygments at 2.20.0.

  • pygments is not a direct project dependency; it is pulled in transitively by rich (which is itself a transitive dep via fastapi[standard]). Using override-dependencies in [tool.uv] is the correct uv mechanism for forcing a minimum version on such transitive packages.
  • The lock file correctly reflects the pinned 2.20.0 wheel/sdist hashes.
  • Minor: The PR title reads bump pygments >=2.20.30, <3.0.0 but the actual constraint in pyproject.toml is >=2.20.0. 2.20.30 is not a real pygments version — the title contains a typo.

Confidence Score: 5/5

Safe to merge — this is a targeted security patch for a transitive dependency with no API surface changes.

The change is minimal and well-scoped: one line in pyproject.toml adding a uv override, and a corresponding lock file update. The chosen mechanism (override-dependencies) is the correct uv approach for transitive dependency pinning. pygments 2.20.0 is a stable, released version with the CVE fixes needed. No application code is modified.

No files require special attention; both pyproject.toml and uv.lock changes are straightforward and correct.

Important Files Changed

Filename Overview
pyproject.toml Adds override-dependencies for pygments >=2.20.0,<3.0.0 in [tool.uv] to enforce minimum version on the transitive dependency
uv.lock Lock file updated to resolve pygments at 2.20.0 with correct sdist/wheel hashes; manifest overrides section reflects the new constraint

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[pingpong-study] -->|direct dep| B[fastapi\[standard\]]
    B -->|transitive dep| C[rich]
    C -->|transitive dep| D[pygments]
    E["[tool.uv] override-dependencies"] -->|forces >=2.20.0,<3.0.0| D
    D -->|resolves to| F[pygments 2.20.0]
    F -->|fixes| G[CVE-2024-42493 ReDoS]
    F -->|fixes| H[CVE-2025-27407 ReDoS]

Reviews (1): Last reviewed commit: "chore: bump pygments >=2.20.30, <3.0.0"

pyproject.toml (lines shown with the inline comment):

```toml
known_first_party = ["pingpong"]

[tool.uv]
override-dependencies = ["pygments >= 2.20.0, < 3.0.0"]
```

P2 PR title doesn't match the actual constraint

The PR title says bump pygments >=2.20.30, <3.0.0, but the constraint added here is >=2.20.0. 2.20.30 is not a real pygments version; the title appears to contain a typo. The code itself looks correct — >=2.20.0 is the version that exists and contains the relevant CVE fixes.

@ekassos ekassos changed the title chore: bump pygments >=2.20.30, <3.0.0 chore: bump pygments >=2.20.00, <3.0.0 Apr 6, 2026
@ekassos ekassos changed the title chore: bump pygments >=2.20.00, <3.0.0 chore: bump pygments >=2.20.0, <3.0.0 Apr 6, 2026