Skip to content

chore(deps-dev): bump py7zr from 0.22.0 to 1.1.3 in /python#866

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/python/py7zr-1.1.3
Closed

chore(deps-dev): bump py7zr from 0.22.0 to 1.1.3 in /python#866
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/python/py7zr-1.1.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor

Bumps py7zr from 0.22.0 to 1.1.3.

Release notes

Sourced from py7zr's releases.

Release version 1.1.3: Fix multiple vulnerabilities

  • CVE-2026-23879: Arbitrary File Write Vulnerability in py7zr (high severity)
    • Harden check of path traversal and enhance test cases to reproduce many attack scenarios.
  • CVE-2026-55206: O(n^2) algorithmic complexity DoS in PackInfo._read() in py7zr
    • Enforced variation of the parameter with a limit and optimized calculation algorithm to prevent excessive CPU consumption.
  • CVE-2026-55195: py7zr <= 1.1.2: Decompression bomb (zip bomb) denial of service via unchecked extraction size
    • Added check of extraction size and introduced max_extract_size as constructor parameter to guard against excessive decompression.

Update path sanitize

No release notes provided.

Release version 1.1.0

Requirements

  • Minimum required Python 3.10
  • Add support for Python 3.14

Security

Fixed

  • The is_78zfile accept any path-like
  • The SevenZipFile accept IO[bytes]
  • Make FileInfo and ArchiveInfo dataclasses
  • The getInfo() returns FileInfo object

What's Changed in details

... (truncated)

Changelog

Sourced from py7zr's changelog.

v1.1.3_

Security

  • CVE-2026-23879: Arbitrary File Write Vulnerability in py7zr (high severity)
    • Harden check of path traversal and enhance test cases to reproduce many attack scenarios.
  • CVE-2026-55206: O(n^2) algorithmic complexity DoS in PackInfo._read() in py7zr
    • Enforced variation of the parameter with a limit and optimized calculation algorithm to prevent excessive CPU consumption.
  • CVE-2026-55195: py7zr <= 1.1.2: Decompression bomb (zip bomb) denial of service via unchecked extraction size
    • Added check of extraction size and introduced max_extract_size as constructor parameter to guard against excessive decompression.

Notes:

  • Fixed three security vulnerabilities in the py7zr library.
  • Improvements made include path traversal hardening, optimization of CPU-intensive algorithms, and protection against zip bombs.

Fixed

  • BufferError when calling Py7zBytesIO.size() (#736,#737)
  • fix: extractall() raises TypeError: int() argument must be a string, a bytes-like object or a real number, not 'NoneType' (#734,#735)

Changed

  • feat(io): add Py7zIO.close() lifecycle hook called once per extracted file (#699,#732)
  • test: Bump dependency libarchive@3.8.7
  • ci: bump numerous actions with SHA256 hash and newer versions (#729,#730)

v1.1.2_

Security

  • security: fix Zip-Slip vulnerability by symlink

Removed

  • Remove Code of Conduct from repository.

Changed

  • remove unused _lzma imports

v1.1.1_

Fixed

  • fix: default unix file attributes with proper permissions (#705)

... (truncated)

Commits
  • e278bc0 Release v1.1.3: Multiple security fixes
  • e4a225b docs: update authors and changelog with recent contributions and security fixes
  • 94db766 Merge commit from fork
  • d9ee25c Merge commit from fork
  • c1c8001 Merge commit from fork
  • 7e03185 Merge pull request #732 from SAY-5/feat/issue-699-py7zio-close
  • 2de71fb Merge pull request #735 from gaoflow/fix-734-missing-lastwritetime
  • f429952 Merge branch 'master' into fork/SAY-5/feat/issue-699-py7zio-close
  • b181a4b Merge branch 'master' into fork/gaoflow/fix-734-missing-lastwritetime
  • 1534b3f Merge pull request #737 from miurahr/topic/miurahr/fix-pypy-getbuffer
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps-dev): bump py7zr from 0.22.0 to 1.1.3 in /python
eb4b028 
Bumps [py7zr](https://github.com/miurahr/py7zr) from 0.22.0 to 1.1.3.
- [Release notes](https://github.com/miurahr/py7zr/releases)
- [Changelog](https://github.com/miurahr/py7zr/blob/master/docs/Changelog.rst)
- [Commits](miurahr/py7zr@v0.22.0...v1.1.3)

---
updated-dependencies:
- dependency-name: py7zr
  dependency-version: 1.1.3
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python labels Jun 23, 2026
@codecov-commenter

codecov-commenter commented Jun 23, 2026

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.63%. Comparing base (28d181c) to head (eb4b028).
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #866      +/-   ##
==========================================
+ Coverage   79.26%   81.63%   +2.36%     
==========================================
  Files          81       81              
  Lines        4712     4682      -30     
  Branches      554      574      +20     
==========================================
+ Hits         3735     3822      +87     
+ Misses        977      860     -117

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@SemyonSinchenko

SemyonSinchenko commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator

Will be done as part of the #849

@dependabot @github

dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/pip/python/py7zr-1.1.3 branch June 23, 2026 11:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@codecov-commenter @SemyonSinchenko