Skip to content

fix(deps): Update dependency black to v26.3.1 [SECURITY]#213

Merged
kodiakhq[bot] merged 1 commit intomainfrom
renovate/pypi-black-vulnerability
Mar 12, 2026
Merged

fix(deps): Update dependency black to v26.3.1 [SECURITY]#213
kodiakhq[bot] merged 1 commit intomainfrom
renovate/pypi-black-vulnerability

Conversation

@cq-bot
Copy link
Contributor

@cq-bot cq-bot commented Mar 12, 2026

This PR contains the following updates:

Package Change Age Confidence
black (changelog) ==26.1.0==26.3.1 age confidence

GitHub Vulnerability Alerts

CVE-2026-32274

Impact

Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.

Patches

Fixed in Black 26.3.1.

Workarounds

Do not allow untrusted user input into the value of the --python-cell-magics option.

Release Notes

psf/black (black)

v26.3.1

Compare Source

Stable style
  • Prevent Jupyter notebook magic masking collisions from corrupting cells by using
    exact-length placeholders for short magics and aborting if a placeholder can no longer
    be unmasked safely (#​5038)
Configuration
  • Always hash cache filename components derived from --python-cell-magics so custom
    magic names cannot affect cache paths (#​5038)
Blackd
  • Disable browser-originated requests by default, add configurable origin allowlisting
    and request body limits, and bound executor submissions to improve backpressure
    (#​5039)

v26.3.0

Compare Source

Stable style
  • Don't double-decode input, causing non-UTF-8 files to be corrupted (#​4964)
  • Fix crash on standalone comment in lambda default arguments (#​4993)
  • Preserve parentheses when # type: ignore comments would be merged with other
    comments on the same line, preventing AST equivalence failures (#​4888)
Preview style
  • Fix bug where if guards in case blocks were incorrectly split when the pattern had
    a trailing comma (#​4884)
  • Fix string_processing crashing on unassigned long string literals with trailing
    commas (one-item tuples) (#​4929)
  • Simplify implementation of the power operator "hugging" logic (#​4918)
Packaging
  • Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in
    frozen environments (#​4930)
Performance
  • Introduce winloop for windows as an alternative to uvloop (#​4996)
  • Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop()
    (#​4996)
  • Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop
    installation and creation of either a uvloop/winloop evenloop or default eventloop
    (#​4996)
Output
  • Emit a clear warning when the target Python version is newer than the running Python
    version, since AST safety checks cannot parse newer syntax. Also replace the
    misleading "INTERNAL ERROR" message with an actionable error explaining the version
    mismatch (#​4983)
Blackd
  • Introduce winloop to be used when windows in use which enables blackd to run faster on
    windows when winloop is installed. (#​4996)
Integrations
  • Remove unused gallery script (#​5030)
  • Harden parsing of black requirements in the GitHub Action when use_pyproject is
    enabled so that only version specifiers are accepted and direct references such as
    black @​ https://... are rejected. Users should upgrade to the latest version of the
    action as soon as possible. This update is received automatically when using
    psf/black@stable, and is independent of the version of Black installed by the
    action. (#​5031)
Documentation
  • Expand preview style documentation with detailed examples for wrap_comprehension_in,
    simplify_power_operator_hugging, and wrap_long_dict_values_in_parens features
    (#​4987)
  • Add detailed documentation for formatting Jupyter Notebooks (#​5009)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@cq-bot cq-bot added automerge Add to automerge PRs once requirements are met security labels Mar 12, 2026
@kodiakhq kodiakhq bot merged commit 9480fe7 into main Mar 12, 2026
6 checks passed
@kodiakhq kodiakhq bot deleted the renovate/pypi-black-vulnerability branch March 12, 2026 22:53
@cq-bot cq-bot mentioned this pull request Mar 12, 2026
Merged
kodiakhq bot pushed a commit that referenced this pull request Mar 13, 2026
@cq-bot
chore(main): Release v0.0.54 (#214)
d3a43bd 
🤖 I have created a release *beep* *boop*
---


## [0.0.54](v0.0.53...v0.0.54) (2026-03-12)


### Bug Fixes

* **deps:** Update dependency black to v26.3.1 [SECURITY] ([#213](#213)) ([9480fe7](9480fe7))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kodiakhq kodiakhq[bot] kodiakhq[bot] approved these changes

Assignees

No one assigned

Labels

automerge Add to automerge PRs once requirements are met security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cq-bot