Security vulnerability in regex

[cod3licious]

There was a security vulnerability found in the regex library, which marker depends on: https://data.safetycli.com/vulnerabilities/PVE-2025-78558/78558/

Since your pyproject.toml specifies regex = "^2024.4.28", which also implies "<2025.0.0", relying on marker-pdf prevents us from installing the latest version of regex that includes the security fix.

Would be great if you could update your dependencies to allow a more recent version of regex.

[PrivateGER]

Can you link a CVE that isn't behind a login gate?

[cod3licious]

Sorry, couldn't find it anywhere else, this is all I get from safety:

-> Vulnerability found in regex version 2024.11.6
Vulnerability ID: 78558
Affected spec: <2025.2.10
ADVISORY: Affected versions of this package are potentially vulnerable to Regular Expression Denial of Service (ReDoS) due to catastrophic backtracking in the V1
engine when processing patterns that combine full‑casefolding with the [\s\S]* quantifier. The engine’s AnyAll node fails to prevent nested quantifier backtracking,...
PVE-2025-78558
For more information, please visit https://data.safetycli.com/v/78558/f17

But since the regex library does not seem to follow semantic versioning anyways, limiting yourself to versions that start with 2024 seems like an unnecessary restriction, especially considering that the interface of that library should be pretty stable as it's just a replacement for re. Being more lenient with the specified versions of your dependencies would help everyone who installs your library avoid dependency conflicts.

[cod3licious]

Oh, and now there is also another vulnerability in pillow: https://nvd.nist.gov/vuln/detail/CVE-2026-25990
Again a library that has a pretty stable interface. PLEASE, do not constrain your dependency versions unnecessarily, this makes it really hard to rely on your library in an even semi-production environment where you want to stay as up-to-date as possible.