
fix(security): bump black to 26.3.1 (ENG-12907)#143

Merged
andriy-sudo merged 1 commit into main from andriy/ENG-12907-fix-black-cve on Mar 18, 2026

Conversation

@andriy-sudo (Contributor)

Summary

Fixes CVE-2026-32274 (GHSA-3936-cmfr-pm3m) in examples/python.

Package   Old                    New        Advisory             CVSS   Status
black     * (resolved 25.11.0)   ~=26.3.1   GHSA-3936-cmfr-pm3m  HIGH   ✅ Fixed

Note: Added python = ">=3.10" marker to the black dependency — black 26.3.1 dropped Python 3.9 support. The project's python = "^3.9" is unchanged as CI already runs Python 3.11.

Closes ENG-12907.

- black * → ~=26.3.1 (GHSA-3936-cmfr-pm3m, CVE-2026-32274, CVSS HIGH)
  Added python = ">=3.10" marker since black 26.3.1 dropped Python 3.9 support
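The bump above only helps if the lock file actually resolved to a version inside the new constraint, so a reviewer wants a check on `poetry.lock` rather than on `pyproject.toml` alone. The following is an added example, not code from this PR or the project: it implements the PEP 440 compatible-release rule (`~=26.3.1` means `>=26.3.1` and `==26.3.*`) and scans poetry.lock text for the resolved version of a package. The two lock fragments are constructed to mirror the old (25.11.0) and new (26.3.1) resolutions named in the table; the function names are this example's own.

```python
"""Verify that a poetry.lock resolves a package to a version inside a
PEP 440 compatible-release (~=) constraint, as used for a security bump."""
import re
from typing import Optional, Tuple

# Constructed poetry.lock fragments (not the project's real lock file).
LOCK_BEFORE = '''
[[package]]
name = "black"
version = "25.11.0"
description = "The uncompromising code formatter."
'''

LOCK_AFTER = '''
[[package]]
name = "black"
version = "26.3.1"
description = "The uncompromising code formatter."
'''


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a release string such as "26.3.1" into a comparable int tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def satisfies_compatible_release(resolved: str, spec: str) -> bool:
    """PEP 440 compatible release: "~=26.3.1" accepts >=26.3.1 and ==26.3.*.

    The last segment of the spec may grow; every earlier segment must match.
    """
    if not spec.startswith("~="):
        raise ValueError(f"expected a ~= specifier, got {spec!r}")
    minimum = parse_version(spec[2:])
    if len(minimum) < 2:
        raise ValueError("~= needs at least two release segments")
    actual = parse_version(resolved)
    prefix = minimum[:-1]  # all segments except the last are fixed
    return actual >= minimum and actual[: len(prefix)] == prefix


def locked_version(lock_text: str, package: str) -> Optional[str]:
    """Return the version recorded for `package` in poetry.lock text, or None.

    Each [[package]] table carries `name = "..."` and `version = "..."` lines;
    a plain text scan is enough here and needs no TOML library.
    """
    for block in lock_text.split("[[package]]"):
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        version = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and version and name.group(1).lower() == package.lower():
            return version.group(1)
    return None


def lock_is_fixed(lock_text: str, package: str, spec: str) -> bool:
    """True only if the package is present and its locked version meets `spec`."""
    resolved = locked_version(lock_text, package)
    return resolved is not None and satisfies_compatible_release(resolved, spec)


if __name__ == "__main__":
    for label, lock in (("before", LOCK_BEFORE), ("after", LOCK_AFTER)):
        print(label, locked_version(lock, "black"),
              "fixed" if lock_is_fixed(lock, "black", "~=26.3.1") else "NOT fixed")
```

Run against a real `poetry.lock` by reading the file into `lock_text`; a missing package returns `None` and is treated as not fixed, so a dependency that silently disappeared from the lock does not pass.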
@andriy-sudo andriy-sudo requested a review from KateZhang98 March 18, 2026 15:21
@coderabbitai

coderabbitai bot commented Mar 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 64b20e7e-a877-47f6-b30a-3af2ec512a98

📥 Commits

Reviewing files that changed from the base of the PR and between cacd86b and b2c436d.

⛔ Files ignored due to path filters (1)
  • examples/python/poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • examples/python/pyproject.toml

📝 Walkthrough

Walkthrough

The examples/python/pyproject.toml file was updated to pin the black code formatter dependency to a specific version constraint. The dev dependency for black was changed from an unspecified wildcard version ("*") to version = "~=26.3.1" with a Python version requirement of ">=3.10". This modification provides more explicit control over which black version is used in the Python examples project.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name         Status     Explanation
Title check        ✅ Passed  The title accurately reflects the main change: a security bump of the black package to version 26.3.1 to address a CVE, which aligns with the file changes and PR objectives.
Description check  ✅ Passed  The description is directly related to the changeset, providing context about the security fix (CVE-2026-32274), the version bump, and the Python compatibility marker added to the black dependency.


@andriy-sudo andriy-sudo merged commit 77f121f into main Mar 18, 2026
3 checks passed
@andriy-sudo andriy-sudo deleted the andriy/ENG-12907-fix-black-cve branch March 18, 2026 21:10