Stirling-PDF

mirror of https://github.com/Frooodle/Stirling-PDF.git synced 2025-11-01 01:21:18 +01:00

History

Ludy 655471ef29 fix(ci): 🛡️ mitigate CVE-2025-8869 by enforcing wheels-only pip installs and upgrading pinned dependencies (#4598 ) # Description of Changes This PR mitigates CVE-2025-8869 (GHSA-4xh5-x5gv-qwph), a high-severity vulnerability in `pip` ≤ 25.2 that allows arbitrary file overwrite via unsafe tar extraction in sdist fallback handling. What was changed: - Added environment variables to all GitHub Actions (`pre_commit.yml`, `sync_files.yml`) to enforce binary-only installs: - `PIP_ONLY_BINARY=":all:"` - `PIP_DISABLE_PIP_VERSION_CHECK="1"` - Updated multiple `.github/scripts/.txt` requirements to use Python 3.12 as the generation base. - Upgraded pinned dependencies to latest secure versions: - `filelock 3.19.1`, `identify 2.6.15`, `platformdirs 4.4.0`, `pyyaml 6.0.3`, `behave 1.3.3`, `pypdf 6.1.1`, `reportlab 4.4.4`, `requests 2.32.5` - Adjusted file path formatting (`\` → `/`) for consistent cross-platform compatibility. Why the change was made:* To prevent exploitation of the tar extraction vulnerability in vulnerable pip versions when installing from source distributions during CI runs. --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details.		2025-10-04 12:50:37 +01:00
..
cucumber	fix(ci): 🛡️ mitigate CVE-2025-8869 by enforcing wheels-only pip installs and upgrading pinned dependencies (#4598 )	2025-10-04 12:50:37 +01:00
testdriver	Test cleanup, JVM GC and api (#2787 )	2025-01-26 13:10:16 +00:00
allEndpointsRemovedSettings.yml	Defaulting JWT settings to `false` (#4416 )	2025-09-30 12:02:11 +01:00
endpoints.txt	Add Attachments Feature (#3781 )	2025-06-24 23:52:17 +01:00
test2.sh	Test cleanup, JVM GC and api (#2787 )	2025-01-26 13:10:16 +00:00
test_disabledEndpoints.sh	Pipeline shows disabled endpoints fix (#2881 ) (#3282 )	2025-04-09 11:03:40 +01:00
test_webpages.sh	Upgrade Gradle to 8.14 in CI Workflows and Gradle Wrapper (#3425 )	2025-04-27 16:17:07 +01:00
test.sh	refactor: move modules under app/ directory and update file paths (#3938 )	2025-07-14 20:53:11 +01:00
webpage_urls_full.txt	Security fixes, enterprise stuff and more (#3241 )	2025-03-25 17:57:17 +00:00
webpage_urls.txt	Add Attachments Feature (#3781 )	2025-06-24 23:52:17 +01:00