Update dependency orjson to v3.9.15 [SECURITY]#36

Closed
renovate[bot] wants to merge 1 commit into main from renovate/pypi-orjson-vulnerability

Conversation


@renovate renovate Bot commented Feb 27, 2024

This PR contains the following updates:

Package: orjson (changelog)
Change: ==3.8.14 -> ==3.9.15

GitHub Vulnerability Alerts

CVE-2024-27454

orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.


Release Notes

ijl/orjson (orjson)

v3.9.15

Compare Source

Fixed
  • Implement recursion limit of 1024 on orjson.loads().
  • Use byte-exact read on str formatting SIMD path to avoid crash.

v3.9.14

Compare Source

Fixed
  • Fix crash serializing str introduced in 3.9.11.
Changed
  • Build now depends on Rust 1.72 or later.

v3.9.13

Compare Source

Fixed
  • Serialization str escape uses only 128-bit SIMD.
  • Fix compatibility with CPython 3.13 alpha 3.
Changed
  • Publish musllinux_1_2 instead of musllinux_1_1 wheels.
  • Serialization uses small integer optimization in CPython 3.12 or later.

v3.9.12

Compare Source

Changed
  • Update benchmarks in README.
Fixed
  • Minimal musllinux_1_1 build due to sporadic CI failure.

v3.9.11

Compare Source

Changed
  • Improve performance of serializing. str is significantly faster. Documents
    using dict, list, and tuple are somewhat faster.

v3.9.10

Compare Source

Fixed
  • Fix debug assert failure on 3.12 --profile=dev build.

v3.9.9

Compare Source

Changed
  • orjson module metadata explicitly marks subinterpreters as not supported.

v3.9.8

Compare Source

Changed
  • Improve performance.
  • Drop support for Python 3.7.

v3.9.7

Compare Source

Fixed
  • Fix crash in orjson.loads() due to non-reentrant handling of persistent
    buffer. This was introduced in 3.9.3.
  • Handle some FFI removals in CPython 3.13.

v3.9.6

Compare Source

Fixed
  • Fix numpy reference leak on unsupported array dtype.
  • Fix numpy.datetime64 reference handling.
Changed
  • Minor performance improvements.

v3.9.5

Compare Source

Fixed
  • Remove futex from module import and initialization path.

v3.9.4

Compare Source

Fixed
  • Fix hash builder using default values.
  • Fix non-release builds of orjson copying large deserialization buffer
    from stack to heap. This was introduced in 3.9.3.

v3.9.3

Compare Source

Fixed
  • Fix compatibility with CPython 3.12.
Changed
  • Support i686/x86 32-bit Python installs on Windows.

v3.9.2

Compare Source

Fixed
  • Fix the __cause__ exception on orjson.JSONEncodeError possibly being
    denormalized, i.e., of type str instead of Exception.

v3.9.1

Compare Source

Fixed
  • Implement recursion limit of 1024 on orjson.loads().
  • Use byte-exact read on str formatting SIMD path to avoid crash.

v3.9.0

Compare Source

Added
  • orjson.Fragment includes already-serialized JSON in a document.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
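The advisory above (CVE-2024-27454) describes the problem as orjson.loads lacking a recursion limit for deeply nested documents, and the 3.9.15 release notes state the fix as a limit of 1024. The following is an added example, not code from this PR or from the orjson project, showing the defensive pattern behind that fix: measure a document's nesting depth with a flat byte scan before any recursive parser touches it, and reject anything past a limit. The names `max_nesting_depth`, `loads_bounded`, `MAX_DEPTH` and the two sample documents are this example's own; `json.loads` from the standard library stands in for `orjson.loads`, since the guard does not depend on which parser sits behind it.

```python
import json

# Mirrors the limit orjson 3.9.15 applies inside orjson.loads(); the value
# comes from the release notes above, the pre-check around it is this
# example's own and is not orjson code.
MAX_DEPTH = 1024


def max_nesting_depth(data: bytes) -> int:
    """Return the deepest array/object nesting level in a JSON document.

    Scans the raw bytes without building a tree, so it costs O(n) time and
    O(1) memory no matter how deep the input is. Brackets inside string
    literals are skipped so they do not count toward depth.
    """
    depth = deepest = 0
    in_string = escaped = False
    for b in data:
        if in_string:
            if escaped:
                escaped = False
            elif b == 0x5C:      # backslash starts an escape sequence
                escaped = True
            elif b == 0x22:      # unescaped quote closes the string
                in_string = False
            continue
        if b == 0x22:            # quote opens a string
            in_string = True
        elif b in (0x5B, 0x7B):  # '[' or '{' opens a container
            depth += 1
            if depth > deepest:
                deepest = depth
        elif b in (0x5D, 0x7D):  # ']' or '}' closes one
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
    return deepest


def loads_bounded(data: bytes, limit: int = MAX_DEPTH):
    """Parse JSON only if its nesting depth is within `limit`.

    The depth check runs before the recursive parser sees the input, so a
    hostile document is rejected with a clean ValueError instead of
    exhausting the stack. json.loads stands in for orjson.loads here.
    """
    depth = max_nesting_depth(data)
    if depth > limit:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit {limit}")
    return json.loads(data)


# Constructed samples: a benign document and one nested past the limit.
BENIGN = b'{"user": "alice", "roles": ["admin", {"scope": ["read"]}]}'
TOO_DEEP = b"[" * (MAX_DEPTH + 1) + b"]" * (MAX_DEPTH + 1)

if __name__ == "__main__":
    print(loads_bounded(BENIGN))
    try:
        loads_bounded(TOO_DEEP)
    except ValueError as exc:
        print("rejected:", exc)
```

The same scan is useful even on a patched orjson: an application that never expects more than a handful of nesting levels can pass a much lower `limit` and reject oversized input at the edge, before it reaches any parser.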

@KaKi87 KaKi87 closed this Jun 4, 2025
@KaKi87 KaKi87 deleted the renovate/pypi-orjson-vulnerability branch June 4, 2025 20:14