chore: release v10.36.7 — security: bump pygments to 2.20.0 (CVE-2026-4539)#699
Fixes a ReDoS via inefficient regex for GUID matching in Pygments' highlighting. Transitive dependency (pulled in via rich); targeted uv.lock update only. GHSA-5239-wwwm-4pmq Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bump pygments to 2.20.0 to fix CVE-2026-4539 (GHSA-5239-wwwm-4pmq, ReDoS via inefficient regex for GUID matching, transitive via rich). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Code Review
This pull request increments the project version to 10.36.7 and updates the pygments dependency to 2.20.0 in the lock file to resolve a ReDoS vulnerability (CVE-2026-4539). Feedback suggests explicitly adding pygments>=2.20.0 to the project dependencies in pyproject.toml to ensure protection for users who do not utilize the lock file.
| [project] | ||
| name = "mcp-memory-service" | ||
| version = "10.36.6" | ||
| version = "10.36.7" |
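Review bot: this hunk changes only the version line under [project]; the dependencies list is untouched, so the package metadata itself still declares no floor for pygments and an install that skips uv.lock (plain pip from pyproject.toml) gets whatever pygments version rich resolves to. Consider adding an explicit entry such as `"pygments>=2.20.0",` to the [project] dependencies in this same hunk so the CVE-2026-4539 fix is enforced for every install path, not only lock-file users.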
While updating the lock file addresses the security vulnerability for environments using it, pygments is a transitive dependency (via rich). To ensure that all users—including those installing via pip without the lock file—are protected from CVE-2026-4539, consider adding an explicit version constraint for pygments (e.g., pygments>=2.20.0) to the dependencies section of pyproject.toml.
Summary
- Bump pygments to 2.20.0 to fix CVE-2026-4539 (GHSA-5239-wwwm-4pmq): ReDoS via inefficient regex for GUID matching, transitive dependency via rich
- 10.36.6 → 10.36.7 in _version.py, pyproject.toml, uv.lock

Test plan
Ref: CVE-2026-4539, GHSA-5239-wwwm-4pmq, PR #698
🤖 Generated with Claude Code