Skip to content

fix(security): bump pygments 2.19.2 -> 2.20.0 (ENG-13557)#55

Merged
andriy-sudo merged 2 commits into
mainfrom
andriy/eng-13557-fix-pygments-cve-2026-4539
May 7, 2026
Merged

fix(security): bump pygments 2.19.2 -> 2.20.0 (ENG-13557)#55
andriy-sudo merged 2 commits into
mainfrom
andriy/eng-13557-fix-pygments-cve-2026-4539

Conversation

@andriy-sudo

Copy link
Copy Markdown
Contributor

Vulnerability Fix

Package Old New Advisory CVSS Status
pygments 2.19.2 2.20.0 GHSA-5239-wwwm-4pmq 3.3 ✅ Fixed

CVE: CVE-2026-4539 — ReDoS in AdlLexer (pygments/lexers/archetype.py) via inefficient GUID regex. Fix at pygments 2.20.0.

Linear: https://linear.app/tinyfish/issue/ENG-13557

Changes

  • pyproject.toml: added pygments = ">=2.20.0" floor pin (transitive dep via agentql → rich)
  • poetry.lock: regenerated — pygments 2.19.2 → 2.20.0
  • osv-scanner.toml: removed now-resolved pygments suppress
Changelog impact summary
Package Old New Classification Key changes
pygments 2.19.2 2.20.0 Patch/security ReDoS fix in AdlLexer — no API changes

- pygments 2.19.2 -> 2.20.0 (GHSA-5239-wwwm-4pmq, CVE-2026-4539, CVSS 3.3)
- Remove now-resolved osv-scanner.toml suppress

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented May 1, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6f861aae-64f4-47b7-8f8e-00449db1b2c4

📥 Commits

Reviewing files that changed from the base of the PR and between 3bc405e and 9172377.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • osv-scanner.toml
  • pyproject.toml
💤 Files with no reviewable changes (1)
  • osv-scanner.toml

📝 Walkthrough

Walkthrough

This pull request makes two configuration updates: it removes a suppression entry (GHSA-5239-wwwm-4pmq) from osv-scanner.toml that was previously ignored until June 23, 2026, and it adds a new runtime dependency (pygments >=2.20.0) to the pyproject.toml Poetry configuration. Both changes are confined to configuration files with no modifications to the codebase logic or public interfaces.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: bumping the pygments package from 2.19.2 to 2.20.0 to fix a security vulnerability.
Description check ✅ Passed The description is directly related to the changeset, providing comprehensive vulnerability details, package update rationale, and enumeration of all changes made.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch andriy/eng-13557-fix-pygments-cve-2026-4539

Review rate limit: 2/5 reviews remaining, refill in 31 minutes and 42 seconds.

Comment @coderabbitai help to get the list of available commands and usage tips.

@andriy-sudo andriy-sudo requested a review from paveldudka May 1, 2026 09:18
@andriy-sudo

Copy link
Copy Markdown
Contributor Author

@paveldudka — security review needed. Bumps pygments 2.19.2 → 2.20.0 (GHSA-5239-wwwm-4pmq, CVE-2026-4539, LOW). Lock-file only change. All CI green.

@andriy-sudo andriy-sudo merged commit f534f28 into main May 7, 2026
6 checks passed
@andriy-sudo andriy-sudo deleted the andriy/eng-13557-fix-pygments-cve-2026-4539 branch May 7, 2026 16:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants