mirror of
https://github.com/Frooodle/Stirling-PDF.git
synced 2025-12-18 20:04:17 +01:00
6281db58c9
3 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Ludy
|
2a91d73871
|
fix(ci): 🛡️mitigate CVE-2025-6176 by pinning brotli to patched commit and upgrading dev dependency pins (#4802)
# Description of Changes This pull request updates the development requirements to address security vulnerabilities and improve dependency management. The most important changes include switching the `brotli` dependency to a specific commit for CVE mitigation, and upgrading the `filelock` package. **Security and Dependency Management Updates:** * Pinned the `brotli` package to a specific commit from the official GitHub repository in both `requirements_dev.in` and `requirements_dev.txt` to mitigate CVE-2025-6176. This replaces the previous PyPI version and removes hash checks, ensuring a secure and up-to-date version is used. [[1]](diffhunk://#diff-8ea1287e3b069fa12ef70955fbeffacf656f7b409d13c8f52d7506ac7eb383abL1-R9) [[2]](diffhunk://#diff-5d7664bae1e6bf71ccbc8e524e6777e3a05e5899ae64cbdccabe36eccd15520dL7-R13) * Upgraded the `filelock` package from version 3.19.1 to 3.20.0 in `requirements_dev.txt`, updating hashes accordingly. --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details. |
||
|
Ludy
|
9ed0283f15
|
fix(ci): 🛡️mitigate CVE-2025-8869 by pinning pip to patched commit and upgrading dev dependency pins (#4630)
# Description of Changes **Summary** - Enforce wheels-only installs for CI/dev workflows where feasible and pin `pip` to a specific, patched VCS commit as an interim mitigation. - Replace the explicit `pip==25.2` entry with a VCS-pinned `pip` reference in `.github/scripts/requirements_dev.in` and the regenerated `.github/scripts/requirements_dev.txt`. - Refresh and re-hash multiple development dependency pins in the locked `requirements_dev.txt` to ensure reproducible installs and reduce exposure to vulnerable transitive packages. - Add notes and guidance for maintainers on reverting the VCS pin once an official pip release contains the fix. **Why the change was made** - CVE-2025-8869 allows malicious sdists to include links that escape the intended extraction directory, enabling arbitrary file overwrite during `pip install`. CI and developer automation that installs dev dependencies are at risk if they process attacker-controlled sdists. - This PR reduces immediate attack surface by preferring wheel installations where possible and pinning pip to a known patched commit until an official fixed pip release is available. --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details. |
||
|
Ludy
|
f5f011f1e0
|
deps: Pin Python dev dependencies and lock hashes to remediate security alert 302 (#4173)
## Description of Changes - **What was changed** - Added `.github/scripts/requirements_dev.in` and an autogenerated, hash-locked `.github/scripts/requirements_dev.txt` to control Python dev dependencies via `pip-compile`. - **Why the change was made** - To remediate a GitHub code scanning alert by removing vulnerable transitive ranges and ensuring reproducible installs with vetted versions and hashes. - **Any challenges encountered** - Reconciling version constraints among image/PDF tooling (e.g., Pillow, pdf2image, OpenCV, WeasyPrint) while keeping wheels available across CI platforms. - Ensuring the generated lockfile remains maintainable and can be refreshed with `pip-compile` when needed. Closes #https://github.com/Stirling-Tools/Stirling-PDF/security/code-scanning/302 --- ## Checklist ### General - [x] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [x] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details. |