Pin pygments>=2.20.0 to fix CVE-2026-4539 (ReDoS) by tylerlam-warp · Pull Request #37 · warpdotdev/oz-sdk-python

tylerlam-warp · 2026-06-24T17:38:39Z

Summary

Pins pygments>=2.20.0 to resolve CVE-2026-4539 (GHSA-5239-wwwm-4pmq), a ReDoS (catastrophic backtracking) in the archetype AdlLexer GUID regex affecting all versions < 2.20.0. The lockfile previously resolved 2.19.2.

pygments is a dev/test-only transitive dependency (via pytest + rich); it is not a runtime dependency of the published oz-agent-sdk, so end users are unaffected. This clears the scanner alert for local/CI environments.

Changes

Add pygments>=2.20.0 to [tool.uv] constraint-dependencies (alongside the existing idna pin), consolidated into a concise comment.
Re-lock: uv.lock now resolves pygments to 2.20.0.
Regenerate requirements-dev.lock via uv export -o requirements-dev.lock --no-hashes.

Notes

Severity is Low (CVSS v4 1.9, local attack vector). Patched upstream in pygments 2.20.0 (released 2026-03-29).

Conversation: https://staging.warp.dev/conversation/410ce270-787a-4290-81f8-376499efc97b

Co-Authored-By: Oz oz-agent@warp.dev

pygments is a dev/test-only transitive dependency (via pytest + rich). Versions <2.20.0 have a ReDoS in the archetype AdlLexer GUID regex (CVE-2026-4539 / GHSA-5239-wwwm-4pmq). Add a uv constraint pin alongside the existing idna pin and re-lock. Co-Authored-By: Oz <oz-agent@warp.dev>

tylerlam-warp requested a review from liliwilson June 24, 2026 17:40

tylerlam-warp marked this pull request as ready for review June 24, 2026 17:40

tylerlam-warp closed this Jun 24, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Pin pygments>=2.20.0 to fix CVE-2026-4539 (ReDoS)#37

Pin pygments>=2.20.0 to fix CVE-2026-4539 (ReDoS)#37
tylerlam-warp wants to merge 1 commit into
mainfrom
tyler/pygments-cve-2026-4539

tylerlam-warp commented Jun 24, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant