
fix(deps): Update dependency black to v26.3.1 [SECURITY] #22229

Closed
cq-bot wants to merge 1 commit into main from renovate/pypi-black-vulnerability

Conversation


@cq-bot cq-bot commented Mar 12, 2026

This PR contains the following updates:

Package: black (changelog)
Change: ==26.1.0 -> ==26.3.1

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-32274

Impact

Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.

Patches

Fixed in Black 26.3.1.

Workarounds

Do not allow untrusted user input into the value of the --python-cell-magics option.


Release Notes

psf/black (black)

v26.3.1


Stable style
  • Prevent Jupyter notebook magic masking collisions from corrupting cells by using
    exact-length placeholders for short magics and aborting if a placeholder can no longer
    be unmasked safely (#5038)
Configuration
  • Always hash cache filename components derived from --python-cell-magics so custom
    magic names cannot affect cache paths (#5038)
Blackd
  • Disable browser-originated requests by default, add configurable origin allowlisting
    and request body limits, and bound executor submissions to improve backpressure
    (#5039)

v26.3.0


Stable style
  • Don't double-decode input, causing non-UTF-8 files to be corrupted (#4964)
  • Fix crash on standalone comment in lambda default arguments (#4993)
  • Preserve parentheses when # type: ignore comments would be merged with other
    comments on the same line, preventing AST equivalence failures (#4888)
Preview style
  • Fix bug where if guards in case blocks were incorrectly split when the pattern had
    a trailing comma (#4884)
  • Fix string_processing crashing on unassigned long string literals with trailing
    commas (one-item tuples) (#4929)
  • Simplify implementation of the power operator "hugging" logic (#4918)
Packaging
  • Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in
    frozen environments (#4930)
Performance
  • Introduce winloop for Windows as an alternative to uvloop (#4996)
  • Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop()
    (#4996)
  • Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop
    installation and creation of either a uvloop/winloop event loop or default event loop
    (#4996)
Output
  • Emit a clear warning when the target Python version is newer than the running Python
    version, since AST safety checks cannot parse newer syntax. Also replace the
    misleading "INTERNAL ERROR" message with an actionable error explaining the version
    mismatch (#4983)
Blackd
  • Introduce winloop, used on Windows, which enables blackd to run faster on Windows
    when winloop is installed. (#4996)
Integrations
  • Remove unused gallery script (#5030)
  • Harden parsing of black requirements in the GitHub Action when use_pyproject is
    enabled so that only version specifiers are accepted and direct references such as
    black @ https://... are rejected. Users should upgrade to the latest version of the
    action as soon as possible. This update is received automatically when using
    psf/black@stable, and is independent of the version of Black installed by the
    action. (#5031)
Documentation
  • Expand preview style documentation with detailed examples for wrap_comprehension_in,
    simplify_power_operator_hugging, and wrap_long_dict_values_in_parens features
    (#4987)
  • Add detailed documentation for formatting Jupyter Notebooks (#5009)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
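The cache-filename issue behind CVE-2026-32274 and the 26.3.1 fix ("always hash cache filename components derived from --python-cell-magics"), as an added Python example that is not Black's own code: an assumed reconstruction of the unsanitised filename shape beside the hashed form, plus a containment check a reviewer can use to confirm a derived path cannot leave the cache directory. The cache directory, magic names and the exact filename layout are constructed for the demo.

```python
import hashlib
import os
from pathlib import Path

# Constructed sample: a cache directory and two sets of custom cell magics. The second
# set contains a name with path separators, the kind of value the advisory says must
# not be taken from untrusted input.
CACHE_DIR = Path("/var/cache/black-demo")
BENIGN_MAGICS = ["custom", "timeit2"]
HOSTILE_MAGICS = ["custom", "x/../../../tmp/evil"]


def unsafe_cache_path(cache_dir: Path, magics: list[str]) -> Path:
    # "Before" shape (assumed reconstruction, not Black's code): the option value is
    # written into the filename verbatim, so separators in it become path components.
    return cache_dir / f"cache.{','.join(sorted(magics))}.pickle"


def hashed_cache_path(cache_dir: Path, magics: list[str]) -> Path:
    # Hardened shape, matching the 26.3.1 changelog entry: hash the user-controlled
    # component so the filename can only ever contain hex digits.
    digest = hashlib.sha256(",".join(sorted(magics)).encode("utf-8")).hexdigest()
    return cache_dir / f"cache.{digest[:16]}.pickle"


def stays_in_cache_dir(cache_dir: Path, candidate: Path) -> bool:
    # Lexical containment check (no filesystem access): after normalising "..",
    # the file must be a direct child of the cache directory.
    normalised = Path(os.path.normpath(candidate))
    return normalised.parent == Path(os.path.normpath(cache_dir))


def main() -> None:
    for label, magics in (("benign", BENIGN_MAGICS), ("hostile", HOSTILE_MAGICS)):
        before = unsafe_cache_path(CACHE_DIR, magics)
        after = hashed_cache_path(CACHE_DIR, magics)
        print(f"{label}: unsafe -> {before} contained={stays_in_cache_dir(CACHE_DIR, before)}")
        print(f"{label}: hashed -> {after} contained={stays_in_cache_dir(CACHE_DIR, after)}")


if __name__ == "__main__":
    main()
```

The hashed form is also order-independent (magics are sorted before hashing), so the same option set always maps to the same cache file.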

@cq-bot cq-bot requested a review from a team as a code owner March 12, 2026 22:16
@cq-bot cq-bot added the automerge label (Automatically merge once required checks pass) Mar 12, 2026
@cq-bot cq-bot requested a review from stoovon March 12, 2026 22:16
@erezrokah (Member)

Will be done in the SDK update cloudquery/plugin-sdk-python#371

@erezrokah erezrokah closed this Mar 13, 2026

cq-bot commented Mar 13, 2026

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (==26.3.1). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@cq-bot cq-bot deleted the renovate/pypi-black-vulnerability branch March 13, 2026 10:23

Labels: area/plugin/source/square, automerge (Automatically merge once required checks pass), security
