From 27ab88e75840e9be129a75af095eb0be0d745ccc Mon Sep 17 00:00:00 2001 From: davidnichols-ops Date: Mon, 29 Jun 2026 22:37:02 -0500 Subject: [PATCH] fix(deps): relax idna pin to >=3.7,<4 for CVE-2026-45409 (#481) idna 3.7 is pinned exactly in requirements.txt, blocking consumers from picking up the CVE-2026-45409 DoS fix that shipped in idna 3.15. Relax to a bounded range; requirements-slim.txt already ships an unpinned idna. --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 3984d070..659d3c02 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,5 @@ certifi -idna==3.7 +idna>=3.7,<4 # CVE-2026-45409 fix ships in 3.15; allow security patches (#481) cycler kiwisolver>=1.3.1 matplotlib
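Review bot: The new floor on the `idna>=3.7,<4` line in requirements.txt still admits every release from 3.7 up to, but not including, 3.15. The commit message says the CVE-2026-45409 fix shipped in 3.15, so these are the releases without it. A resolver that already has one of them cached or locked will treat the requirement as satisfied and stay on it. The relaxed range therefore allows the fix but does not require it. If the aim is to guarantee the patched code, raise the lower bound to `idna>=3.15,<4`. If 3.7 is kept on purpose for consumers who cannot move yet, say so in the trailing comment, so the range is not mistaken for a statement that 3.7 is safe. The commit message also notes that requirements-slim.txt ships an unpinned idna. That file is not touched here and has no floor at all, so it may merit the same lower bound in a follow-up.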