fix(deps): Bump fonttools to address cve #4125
Conversation
CHANGELOG.md (outdated)
## 0.18.22

### Fixes
- Bump fonttools to 4.60.2 to address CVE-2025-66034
Same here, should we say 4.61.0?
Updated to "Constrain fonttools to >=4.60.2 to address CVE-2025-66034".
# (yao) issues with pdfminer-six above 20250416
pdfminer.six<20250416
# nickf: CVE-2025-66034 fix for fonttools
fonttools>=4.60.2
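Review bot: the comment on the pdfminer.six line says the problems appear "above 20250416", but the constraint pdfminer.six<20250416 also excludes 20250416 itself; if that release is known good, <=20250416 matches the comment, otherwise reword the comment to "at or above 20250416" so the two agree. On the fonttools line, the comment would serve future readers better by naming the fixed release alongside the CVE (the NVD entry linked later in the thread records the patch in 4.60.2) instead of a reviewer handle, so the rationale for the lower bound survives without the PR.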
Bug: Fonttools constraint version may allow vulnerable versions
The constraint fonttools>=4.60.2 is inconsistent with the pinned version 4.61.0 in the resolved requirements files. According to Snyk, 4.61.0 is listed as the "latest non vulnerable version" for CVE-2025-66034. The PR discussion also questions whether the constraint should specify 4.61.0 instead. If the CVE fix is actually in version 4.61.0 rather than 4.60.2, the current constraint would allow installation of still-vulnerable versions (4.60.2, 4.60.3, etc.).
The link here shows it is patched in 4.60.2. Same with https://nvd.nist.gov/vuln/detail/CVE-2025-66034
4.60.2 is fine and so is 4.61.0.
Note
Constrain fonttools to >=4.60.2 (CVE-2025-66034), bump extras to 4.61.0, switch setup_ingest to ubuntu-latest-m, and release 0.18.22.
- Constrain fonttools>=4.60.2 in requirements/deps/constraints.txt to address CVE-2025-66034.
- Bump fonttools to 4.61.0 in requirements/extra-*.txt; refresh files via uv and align constraint references.
- Run the setup_ingest job in .github/workflows/ci.yml on ubuntu-latest-m.
- Release 0.18.22 and update CHANGELOG.md.
Written by Cursor Bugbot for commit 6ec072e.
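The version reasoning in the thread (does >=4.60.2 exclude every affected fonttools release, and do the 4.61.0 pins in the extras files stay inside the constraint?) made mechanical as an added example; this is not code from the PR or the project. The pin file contents, the probe release list and the 4.60.3 release are constructed; the fixed version 4.60.2 is the one the NVD link in the thread records.

```python
import re

# Added example, stdlib only: does a constraints file exclude the releases a
# CVE affects, and do resolved pins stay inside it? Inputs are constructed
# from the lines shown in the review thread.
CONSTRAINTS_TXT = """
# (yao) issues with pdfminer-six above 20250416
pdfminer.six<20250416
# nickf: CVE-2025-66034 fix for fonttools
fonttools>=4.60.2
"""
EXTRAS_PINS_TXT = "fonttools==4.61.0\npdfminer.six==20250327\n"  # constructed pins
# Probe releases (4.60.3 is hypothetical); NVD records the CVE-2025-66034 fix in 4.60.2.
FONTTOOLS_CANDIDATES = ["4.59.0", "4.60.0", "4.60.1", "4.60.2", "4.60.3", "4.61.0"]
FIXED_IN = "4.60.2"

_OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
        ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b}
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|!=|<|>)\s*([0-9][0-9.]*)$")

def _v(s):  # dotted-integer version -> comparable tuple (no PEP 440 suffixes)
    return tuple(int(p) for p in s.split("."))

def parse_requirements(text):
    """{normalised name: [(op, version), ...]}; comments and blank lines skipped."""
    reqs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        name, op, ver = m.groups()
        reqs.setdefault(name.lower().replace("_", "-"), []).append((op, ver))
    return reqs

def satisfies(version, specs):
    """True when version meets every (op, bound) clause of a constraint."""
    return all(_OPS[op](_v(version), _v(bound)) for op, bound in specs)

def admitted_vulnerable(specs, candidates, fixed_in):
    """Releases older than the fix that the constraint would still let pip pick."""
    return [c for c in candidates if _v(c) < _v(fixed_in) and satisfies(c, specs)]

def pins_outside_constraints(constraints_text, pins_text):
    """(name, version) pins in a resolved file that violate the constraints file."""
    cons = parse_requirements(constraints_text)
    return [(n, v) for n, specs in parse_requirements(pins_text).items()
            for op, v in specs if op == "==" and n in cons and not satisfies(v, cons[n])]
```

Running admitted_vulnerable with fixed_in set to 4.61.0 instead reproduces the Bugbot scenario: the same >=4.60.2 constraint would then admit 4.60.2 and 4.60.3.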