Bump gdown from 5.2.0 to 5.2.2

[dependabot]

Bumps gdown from 5.2.0 to 5.2.2.

Release notes

Sourced from gdown's releases.

v5.2.2

Security

• Fix path traversal vulnerability in extractall() that allowed zip/tar archives with ../ entries to write files outside the target directory (GHSA-76hw-p97h-883f)
• Reject symlinks, hardlinks, and special files in tar archives
• Use Python 3.12+ filter="data" for safe tar extraction when available
• Sanitize filenames from HTTP responses and URLs to prevent path traversal via /, , .., and null bytes
• Sanitize root folder name in download_folder() before building directory paths

v5.2.1

Fixes

• cached_download: Verify file hash before moving to final location instead of after (wkentaro/gdown#417)
  • Previously, the hash was verified after moving to the final path, which could leave corrupted files in place if hash verification failed
• download: Fix speed limit throttling logic to use independent byte counter instead of pbar.n (wkentaro/gdown#407)
  • The speed limiter now correctly tracks downloaded bytes independently from the progress bar
  • Also fixes unnecessary sleep when resuming downloads with speed limit (since pbar.n includes start_size from resumed downloads)

Chores

• Fix missing space in --output help text (wkentaro/gdown#398)
• Fix concatenated string literal in extractall.py error message

Commits

• af569fc fix: prevent path traversal in archive extraction and filename handling
• 7f4cb68 Merge pull request #417 from wkentaro/fix_cached_download_verify_file_hash_be...
• 9697a53 fix(cached_download): verify file hash before moving to final location
• c7c1b9d Merge pull request #407 from wkentaro/fix_speed_limit
• 940bd40 Fix throttling logic to use independent byte counter instead of pbar.n
• a55ce67 Fix unnecessary sleep when resuming downloads with speed limit
• c3c8102 Merge pull request #398 from hmaarrfk/lint
• a095aaa chore: add missing space for help of --output
• 10e8c85 lint other files
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Greptile Summary

This PR bumps gdown from 5.2.0 to 5.2.2 in the example extras group. The upgrade carries security fixes for a path traversal vulnerability in extractall() (GHSA-76hw-p97h-883f) and filename sanitization improvements. The uv.lock also gains a revision = 3 marker and upload-time metadata on all package entries, reflecting a uv lock-format update alongside the dependency change.

Confidence Score: 5/5

Safe to merge — this is a security patch update with no breaking changes.

The only functional change is a two-patch-version bump of gdown that addresses a known path traversal CVE (GHSA-76hw-p97h-883f). The lock file hashes are consistent, and the update is scoped to the optional example extras group, so it has no impact on the core library or test dependencies.

No files require special attention.

Important Files Changed

Filename	Overview
pyproject.toml	Single-line change: bumps gdown==5.2.0 to gdown==5.2.2 in the example extras group — straightforward and correct.
uv.lock	Lock file regenerated: gdown entry updated to 5.2.2 with correct hashes; revision = 3 added and upload-time metadata appended to all package entries as part of a uv lock-format update.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[pyproject.toml\nexample extras] -->|gdown==5.2.0 → 5.2.2| B[uv.lock updated\nrevision 3 + upload-time metadata]
    B --> C{Security fixes in 5.2.2}
    C --> D[Path traversal fix\nGHSA-76hw-p97h-883f]
    C --> E[Symlink/hardlink rejection\nin tar archives]
    C --> F[Filename sanitization\nfrom HTTP responses]
    C --> G[Hash verified before\nfile move - 5.2.1 fix]

Loading

_{Reviews (1): Last reviewed commit: "Bump gdown from 5.2.0 to 5.2.2" | Re-trigger Greptile}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.40%. Comparing base (ba553eb) to head (90df444).

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #710   +/-   ##
=======================================
  Coverage   74.40%   74.40%           
=======================================
  Files          56       56           
  Lines        8026     8026           
  Branches     1570     1570           
=======================================
  Hits         5972     5972           
  Misses       1437     1437           
  Partials      617      617           

Flag	Coverage Δ
3.10	74.40% <ø> (ø)
3.11	74.40% <ø> (ø)
3.12	74.40% <ø> (ø)
3.13	74.40% <ø> (ø)
macos-latest	74.38% <ø> (ø)
ubuntu-latest	74.38% <ø> (ø)
windows-latest	74.39% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.