In many pipelines, the dependency-update.yml did not properly run due to a parsing issue. This should be resolved.
Run set -o pipefail
Using version ^1.10.0 for poetry-plugin-export
Updating dependencies
Resolving dependencies...
No dependencies to install or update
Writing lock file
nox > Running session dependency:audit
[
{
"name": "msgpack",
"version": "1.2.0",
"refs": [
"GHSA-6v7p-g79w-8964"
],
"description": "### Impact If the Unpacker is used repeatedly after an error occurs, the process may crash with a SEGV. If the Unpacker is used repeatedly to unpack untrusted input from external sources, it may be vulnerable to a DoS attack. ### Patches v1.2.1 ### Workarounds Users should create a new Unpacker instead of reusing the same Unpacker after an error occurs. Applying the above patch can prevent SEGV, but reusing the Streaming Unpacker after it has encountered an error will not yield correct data. If an error occurs during Streaming Unpacking, the Stream and Streaming Unpacker should be discarded. Therefore, this is not just a workaround but the correct solution. The above patch only prevents crashes from incorrect usage.",
"coordinates": "msgpack:1.2.0",
"references": [
"https://github.com/advisories/GHSA-6v7p-g79w-8964"
]
},
{
"name": "pydantic-settings",
"version": "2.14.1",
"refs": [
"GHSA-4xgf-cpjx-pc3j"
],
"description": "### Summary `NestedSecretsSettingsSource` reads secret values from files in a configured `secrets_dir`. When `secrets_nested_subdir=True`, a directory entry inside `secrets_dir` that is a symbolic link pointing **outside** `secrets_dir` is followed, so files outside the configured directory are read into settings values. The same code path bypasses the documented `secrets_dir_max_size` protection. An attacker or lower-privileged component able to influence entries in the configured secrets directory (for example, a writable or shared secrets mount) can turn this into an unintended local file read into settings and can defeat the advertised loading-size cap. This report does not claim network reachability by itself. ### Details `NestedSecretsSettingsSource` performed two passes over `secrets_dir` using two different, inconsistent directory-traversal implementations: * The size check in `validate_secrets_path()` used `Path.glob('**/*')`, which does **not** descend into a symbolically-linked directory. * The loader in `load_secrets()` used `glob.iglob(f'{path}/**/*', recursive=True)` followed by `read_text()`, which **does** follow symlinked directories and reads through the link target. Because the two passes disagreed on symlinks, a symlinked directory inside `secrets_dir` whose target lives elsewhere was invisible to the size accounting (counted as 0 bytes) while still being fully read by the loader. This produces two distinct problems: 1. **Out-of-tree read (CWE-22 / CWE-59).** A symlinked directory (or file) inside `secrets_dir` that resolves outside it is followed, and the external file's contents are loaded into the corresponding settings field. 2. **`secrets_dir_max_size` bypass (CWE-400).** The size check never sees the out-of-tree content, so the documented size cap is neither respected nor able to reject the oversized external file. A related amplification exists for cyclic in-tree symlinks, which `glob.iglob(recursive=True)` re-traverses, inflating the size accounting and the number of loaded secrets. #### Reproduction In a clean Linux container, with a `secrets_dir` containing a symlink `secrets/db -> /path/outside` and an `outside/passwd` file of 512 bytes, while `secrets_dir_max_size=100`: ```python from pydantic import BaseModel from pydantic_settings import ( BaseSettings, SettingsConfigDict, NestedSecretsSettingsSource, ) class Db(BaseModel): passwd: str | None = None class Settings(BaseSettings): model_config = SettingsConfigDict( secrets_dir='secrets', secrets_nested_subdir=True, secrets_dir_max_size=100, # outside/passwd is 512 bytes ) db: Db = Db() @classmethod def settings_customise_sources( cls, settings_cls, init_settings, env_settings, dotenv_settings, file_secret_settings ): return (NestedSecretsSettingsSource(file_secret_settings),) ``` On affected versions, `Settings().db.passwd` is populated with the 512-byte out-of-tree file and **no** `SettingsError` is raised, even though the file exceeds `secrets_dir_max_size`. ### Impact Applications that opt into `NestedSecretsSettingsSource` with `secrets_nested_subdir=True` and load secrets from a directory whose entries can be influenced by an attacker or a lower-privileged component (for example, a writable or shared secrets mount, or a secrets directory partially populated from untrusted input) are affected. The impact is: * **Confidentiality:** files outside the configured `secrets_dir` can be read into settings values (local file read). * **Integrity / availability of the safeguard:** the advertised `secrets_dir_max_size` cap can be bypassed, and cyclic symlinks can inflate resource usage during loading. The vulnerability requires the ability to place a symbolic link inside the configured secrets directory; it is not remotely reachable on its own. Applications that do not use `NestedSecretsSettingsSource`, or that point `secrets_dir` at a directory fully under the application's control, are not affected. ### Mitigation Upgrade to **pydantic-settings 2.14.2**, which: * walks the secrets directory explicitly and only descends into directories whose resolved path stays within `secrets_dir`, so symlinked directories pointing outside are never followed; * uses a single, cycle-safe iterator for both the size check and the loader, so the size accounting and the loaded set are always consistent and each real directory is visited at most once; * skips any file whose resolved path escapes `secrets_dir`, as defense in depth. If upgrading is not immediately possible, ensure the configured `secrets_dir` is fully owned and controlled by the application (no writable or attacker-influenced entries), or avoid `secrets_nested_subdir=True`.",
"coordinates": "pydantic-settings:2.14.1",
"references": [
"https://github.com/advisories/GHSA-4xgf-cpjx-pc3j"
]
},
{
"name": "starlette",
"version": "1.3.0",
"refs": [
"CVE-2026-54283",
"GHSA-82w8-qh3p-5jfq"
],
"description": "### Summary `request.form()` accepts `max_fields` and `max_part_size` to bound resource consumption while parsing form data. These limits are enforced for `multipart/form-data`, but silently ignored for `application/x-www-form-urlencoded`. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. ### Details `request.form()` dispatches to a different parser depending on the `Content-Type`. For `multipart/form-data` the `max_files`, `max_fields`, and `max_part_size` limits are forwarded to the parser, but for `application/x-www-form-urlencoded` the parser is constructed without them. It has no `max_fields` or `max_part_size` parameter to receive them, and it appends every field with no count check and accumulates each field's name and value with no size check. The configured limits are therefore both unreachable and unenforced for url-encoded bodies. Because the url-encoded parser does its work synchronously between stream reads, the two attack shapes have different effects: - **Field count** drives CPU and event-loop blocking. A body of ~1,000,000 fields (a sub-10MB payload such as `f0=v&f1=v&...`) blocks the worker's event loop for several seconds while parsing, during which the worker serves no other request. - **Field size** drives memory. A single large field value (e.g. a 50MB value) is buffered in full to build the `FormData`, forcing memory allocation proportional to the request body. The equivalent `multipart/form-data` request is correctly rejected with `400 Too many fields` / `400 Field exceeded maximum size`. ### Impact This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) that call `request.form()` on `application/x-www-form-urlencoded` requests. A single request with a very large number of fields blocks the event loop for several seconds, and a single request with a very large field forces unbounded memory allocation; in either case, parallel requests can render the service unusable. A reverse proxy that enforces a request body size limit reduces but does not eliminate the exposure, since a sub-10MB body is already enough to block the event loop. ### Mitigation Upgrade to a patched version, which forwards `max_fields` and `max_part_size` to the url-encoded parser and enforces them while parsing, raising before the oversized field or excess fields are accumulated. The defaults match `multipart/form-data` (`max_fields=1000`, `max_part_size=1MB`) and can be customized via `request.form(max_fields=..., max_part_size=...)`.",
"coordinates": "starlette:1.3.0",
"references": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-54283",
"https://github.com/advisories/GHSA-82w8-qh3p-5jfq"
]
}
]nox > Session dependency:audit was successful in 5 seconds.
jq: parse error: Invalid numeric literal at line 40, column 5
Checklist
In many pipelines, the dependency-update.yml did not properly run due to a parsing issue. This should be resolved.