
build(deps): bump py7zr from 0.22.0 to 1.1.3 in /scrapers/py_importers#287

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/pip/scrapers/py_importers/py7zr-1.1.3

Conversation

dependabot[bot] (Contributor) commented on behalf of github on Jun 23, 2026

Bumps py7zr from 0.22.0 to 1.1.3.

Release notes

Sourced from py7zr's releases.

Release version 1.1.3: Fix multiple vulnerabilities

  • CVE-2026-23879: Arbitrary File Write Vulnerability in py7zr (high severity)
    • Harden check of path traversal and enhance test cases to reproduce many attack scenarios.
  • CVE-2026-55206: O(n^2) algorithmic complexity DoS in PackInfo._read() in py7zr
    • Enforced variation of the parameter with a limit and optimized calculation algorithm to prevent excessive CPU consumption.
  • CVE-2026-55195: py7zr <= 1.1.2: Decompression bomb (zip bomb) denial of service via unchecked extraction size
    • Added check of extraction size and introduced max_extract_size as constructor parameter to guard against excessive decompression.

Update path sanitize

No release notes provided.

Release version 1.1.0

Requirements

  • Minimum required Python 3.10
  • Add support for Python 3.14

Security

Fixed

  • The is_7zfile accepts any path-like object
  • The SevenZipFile accepts IO[bytes]
  • Make FileInfo and ArchiveInfo dataclasses
  • The getInfo() returns a FileInfo object

What's Changed in details

... (truncated)

Changelog

Sourced from py7zr's changelog.

v1.1.3

Security

  • CVE-2026-23879: Arbitrary File Write Vulnerability in py7zr (high severity)
    • Harden check of path traversal and enhance test cases to reproduce many attack scenarios.
  • CVE-2026-55206: O(n^2) algorithmic complexity DoS in PackInfo._read() in py7zr
    • Enforced variation of the parameter with a limit and optimized calculation algorithm to prevent excessive CPU consumption.
  • CVE-2026-55195: py7zr <= 1.1.2: Decompression bomb (zip bomb) denial of service via unchecked extraction size
    • Added check of extraction size and introduced max_extract_size as constructor parameter to guard against excessive decompression.

Notes:

  • Fixed three security vulnerabilities in the py7zr library.
  • Improvements made include path traversal hardening, optimization of CPU-intensive algorithms, and protection against zip bombs.

Fixed

  • BufferError when calling Py7zBytesIO.size() (#736,#737)
  • fix: extractall() raises TypeError: int() argument must be a string, a bytes-like object or a real number, not 'NoneType' (#734,#735)

Changed

  • feat(io): add Py7zIO.close() lifecycle hook called once per extracted file (#699,#732)
  • test: Bump dependency libarchive@3.8.7
  • ci: bump numerous actions with SHA256 hash and newer versions (#729,#730)

v1.1.2

Security

  • security: fix Zip-Slip vulnerability by symlink

Removed

  • Remove Code of Conduct from repository.

Changed

  • remove unused _lzma imports

v1.1.1

Fixed

  • fix: default unix file attributes with proper permissions (#705)

... (truncated)

Commits
  • e278bc0 Release v1.1.3: Multiple security fixes
  • e4a225b docs: update authors and changelog with recent contributions and security fixes
  • 94db766 Merge commit from fork
  • d9ee25c Merge commit from fork
  • c1c8001 Merge commit from fork
  • 7e03185 Merge pull request #732 from SAY-5/feat/issue-699-py7zio-close
  • 2de71fb Merge pull request #735 from gaoflow/fix-734-missing-lastwritetime
  • f429952 Merge branch 'master' into fork/SAY-5/feat/issue-699-py7zio-close
  • b181a4b Merge branch 'master' into fork/gaoflow/fix-734-missing-lastwritetime
  • 1534b3f Merge pull request #737 from miurahr/topic/miurahr/fix-pypy-getbuffer
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
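For a consumer of py7zr, the three advisories above share one lesson: validate what an archive declares before writing anything to disk. The following is an added example, not py7zr's own code or the code of this repository: a lexical pre-extraction gate that rejects path traversal, symlinks escaping the destination (the Zip-Slip class), and listings whose declared size exceeds a budget, the same idea as the new max_extract_size constructor parameter. The Member record, SAMPLE listing and max_total_size name are constructed for illustration and are not py7zr's FileInfo API.

```python
"""Pre-extraction safety gate over an archive listing (added example, not py7zr code).
Models the three defect classes in the py7zr 1.1.3 notes: path traversal, Zip-Slip via
symlink, and decompression bombs. Member and SAMPLE are constructed, not py7zr's FileInfo
API; max_total_size mirrors the idea of the new max_extract_size constructor parameter.
"""
import posixpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Member:
    name: str                          # path as stored in the archive (POSIX separators)
    uncompressed: int                  # declared size after extraction, in bytes
    link_target: Optional[str] = None  # set when the member is a symbolic link

def safe_relative(rel: str) -> bool:
    """Lexical check: the normalised path must stay relative and never climb above '.'."""
    if not rel or posixpath.isabs(rel) or "\\" in rel or ":" in rel:
        return False                   # absolute, backslash, drive-letter and ADS forms rejected
    norm = posixpath.normpath(rel)
    return norm not in (".", "..") and not norm.startswith("../")

def check_members(members: List[Member], max_total_size: int) -> Tuple[bool, List[str]]:
    """Return (ok, reasons); an empty reasons list means the listing passed every check."""
    reasons: List[str] = []
    for m in members:
        if not safe_relative(m.name):
            reasons.append(f"path traversal: {m.name!r}")
        if m.link_target is not None:
            # A symlink target is resolved relative to the link's own directory.
            combined = posixpath.join(posixpath.dirname(m.name), m.link_target)
            if not safe_relative(combined):
                reasons.append(f"symlink escapes destination: {m.name!r} -> {m.link_target!r}")
    total = sum(m.uncompressed for m in members)   # declared, so cheap to check up front
    if total > max_total_size:
        reasons.append(f"declared extraction size {total} exceeds cap {max_total_size}")
    return (not reasons, reasons)

# Constructed listing: two benign members, one traversal, one escaping symlink, one bomb.
SAMPLE = [
    Member("docs/readme.txt", 1_200),
    Member("data/../config.ini", 300),                       # normalises to config.ini
    Member("../../outside.txt", 40),
    Member("bin/tool", 0, link_target="/opt/elsewhere/tool"),
    Member("big.bin", 2_000_000_000),
]
```

Running `check_members(SAMPLE, max_total_size=10_000_000)` rejects the listing with three reasons; only the first two members and the normalised `config.ini` would be safe to extract.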

Bumps [py7zr](https://github.com/miurahr/py7zr) from 0.22.0 to 1.1.3.
- [Release notes](https://github.com/miurahr/py7zr/releases)
- [Changelog](https://github.com/miurahr/py7zr/blob/master/docs/Changelog.rst)
- [Commits](miurahr/py7zr@v0.22.0...v1.1.3)

---
updated-dependencies:
- dependency-name: py7zr
  dependency-version: 1.1.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and python (Pull requests that update Python code) on Jun 23, 2026