Skip to content

fix(deps): upgrade click to 8.4.2 to resolve PYSEC-2026-2132#20

Merged
joeysbase merged 1 commit into
mainfrom
fix/click-pysec-2026-2132
Jul 13, 2026
Merged

fix(deps): upgrade click to 8.4.2 to resolve PYSEC-2026-2132#20
joeysbase merged 1 commit into
mainfrom
fix/click-pysec-2026-2132

Conversation

@joeysbase

Copy link
Copy Markdown
Contributor

Summary

  • click 8.3.1 has a command injection vulnerability in click.edit() (PYSEC-2026-2132, fixed in 8.3.3)
  • The CVE appeared in the vulnerability database today, breaking the pip-audit step in the Quality Gate for all open PRs
  • Pins click>=8.3.3 as an explicit dependency so uv resolves to 8.4.2

Notes

click is a transitive dep via typer — this adds a direct lower-bound to force the upgrade. Unblocks PR #19 and any other PRs open against main.

🤖 Generated with Claude Code

click 8.3.1 has a command injection vulnerability in click.edit()
(PYSEC-2026-2132, fixed in 8.3.3). Pin click>=8.3.3 explicitly so uv
resolves to 8.4.2.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown

Claude finished @joeysbase's task in 1m 27s —— View job


Code Review for PR #20: fix(deps): upgrade click to 8.4.2

Todo List:

  • Read .github/code_review.md for review guidelines
  • Read CLAUDE.md for project conventions
  • Examine the full diff (git diff origin/main...HEAD)
  • Read complete files for context (pyproject.toml and uv.lock)
  • Perform cross-file consistency checks
  • Conduct "what's missing" analysis
  • Provide comprehensive review following the specified format

@joeysbase joeysbase merged commit bba8645 into main Jul 13, 2026
14 checks passed
@joeysbase joeysbase deleted the fix/click-pysec-2026-2132 branch July 13, 2026 21:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants