Skip to content

⬆️ Upgrade dependency orjson to v3.11.6 [SECURITY]#47

Open
renovate[bot] wants to merge 2 commits intodevfrom
renovate/pypi-orjson-vulnerability
Open

⬆️ Upgrade dependency orjson to v3.11.6 [SECURITY]#47
renovate[bot] wants to merge 2 commits intodevfrom
renovate/pypi-orjson-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 15, 2026

This PR contains the following updates:

Package Change Age Confidence
orjson (changelog) 3.10.163.11.6 age confidence

GitHub Vulnerability Alerts

CVE-2025-67221

The orjson.dumps function in orjson before 3.11.6 does not limit recursion for deeply nested JSON documents.

Severity
  • CVSS Score: 7.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

Release Notes

ijl/orjson (orjson)

v3.11.6

Compare Source

Changed
  • orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
  • Drop support for Python 3.9.
  • ABI compatibility with CPython 3.15 alpha 5.
  • Build now depends on Rust 1.89 or later instead of 1.85.
Fixed
  • Fix sporadic crash serializing deeply nested list of dict.

v3.11.5

Compare Source

Changed
  • Show simple error message instead of traceback when attempting to
    build on unsupported Python versions.

v3.11.4

Compare Source

Changed
  • ABI compatibility with CPython 3.15 alpha 1.
  • Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7,
    manylinux ppc64le, manylinux s390x.
  • Build now requires a C compiler.

v3.11.3

Compare Source

Fixed
  • Fix PyPI project metadata when using maturin 1.9.2 or later.

v3.11.2

Compare Source

Fixed
  • Fix build using Rust 1.89 on amd64.
Changed
  • Build now depends on Rust 1.85 or later instead of 1.82.

v3.11.1

Compare Source

Changed
  • Publish PyPI wheels for CPython 3.14.
Fixed
  • Fix str on big-endian architectures. This was introduced in 3.11.0.

v3.11.0

Compare Source

Changed
  • Use a deserialization buffer allocated per request instead of a shared
    buffer allocated on import.
  • ABI compatibility with CPython 3.14 beta 4.

v3.10.18

Compare Source

Fixed
  • Fix incorrect escaping of the vertical tabulation character. This was
    introduced in 3.10.17.

v3.10.17

Compare Source

Changed
  • Publish PyPI Windows aarch64/arm64 wheels.
  • ABI compatibility with CPython 3.14 alpha 7.
  • Fix incompatibility running on Python 3.13 using WASM.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Apr 15, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

deps pypi

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants