Skip to content

chore(deps): Bump the minor-and-patch group in /a2a/a2a_contact_extractor with 3 updates#688

Merged
esnible merged 1 commit into
mainfrom
dependabot/uv/a2a/a2a_contact_extractor/minor-and-patch-94c281bc4e
Jul 14, 2026
Merged

chore(deps): Bump the minor-and-patch group in /a2a/a2a_contact_extractor with 3 updates#688
esnible merged 1 commit into
mainfrom
dependabot/uv/a2a/a2a_contact_extractor/minor-and-patch-94c281bc4e

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown
Contributor

Bumps the minor-and-patch group in /a2a/a2a_contact_extractor with 3 updates: pyasn1, filelock and fastmcp.

Updates pyasn1 from 0.6.3 to 0.6.4

Release notes

Sourced from pyasn1's releases.

Release 0.6.4

This is a security release.

  • CVE-2026-59885 (GHSA-8ppf-4f7h-5ppj): Fixed quadratic time complexity in the OBJECT IDENTIFIER and RELATIVE-OID decoders. A small crafted substrate encoding many arcs could consume excessive CPU.
  • CVE-2026-59884 (GHSA-m4p7-r5rc-7g4j): Limited BER long-form tag IDs to 20 octets (140 bits). Unbounded tag IDs allowed a crafted substrate to consume excessive CPU and memory.
  • CVE-2026-59886 (GHSA-hm4w-wwcw-mr6r): Fixed excessive memory and CPU consumption in Real.__float__() for values with large base-10 exponents.
  • Pinned PyPI publish GitHub Action to an immutable commit.

All changes are noted in the CHANGELOG.

Changelog

Sourced from pyasn1's changelog.

Revision 0.6.4, released 08-07-2026

  • CVE-2026-59885 (GHSA-8ppf-4f7h-5ppj): Fixed quadratic time complexity in the OBJECT IDENTIFIER and RELATIVE-OID decoders. A small crafted substrate encoding many arcs could consume excessive CPU. Arcs are now accumulated in linear time; decoded values are unchanged (thanks for reporting, tynus2)
  • CVE-2026-59884 (GHSA-m4p7-r5rc-7g4j): Limited BER long-form tag IDs to 20 octets (140 bits), matching the OID arc limit introduced in 0.6.2. Unbounded tag IDs allowed a crafted substrate to consume excessive CPU and memory; longer tag IDs are now rejected with PyAsn1Error. Also fixed Tag and TagSet repr() failing on huge tag (thanks for reporting, mikeappsec) IDs due to the integer-to-string conversion limit (Python 3.11+)
  • CVE-2026-59886 (GHSA-hm4w-wwcw-mr6r): Fixed excessive memory and CPU consumption in Real.float() for values with large base-10 exponents. Conversion no longer materializes huge intermediate integers; values too large to represent as a Python float raise OverflowError promptly, and prettyPrint() renders them as '' as before. Also fixed base-10 mantissa normalization to use exact integer arithmetic; mantissas larger than 2**53 could previously lose precision through float division (thanks for reporting, gvozdila)
  • Pinned PyPI publish GitHub Action to an immutable commit [pr #113](pyasn1/pyasn1#113)
Commits

Updates filelock from 3.29.5 to 3.29.7

Release notes

Sourced from filelock's releases.

3.29.7

What's Changed

Full Changelog: tox-dev/filelock@3.29.6...3.29.7

3.29.6

What's Changed

Full Changelog: tox-dev/filelock@3.29.5...3.29.6

Commits
  • 1efb893 _util: drop the dead st_mtime=0 short-circuit in raise_on_not_writable_file (...
  • 3547d58 soft_rw: evict a non-regular write marker without reading it (#588)
  • 616400e asyncio: detect cross-instance reentrant deadlocks before the poll loop (#586)
  • f8b0e93 test: silence fork DeprecationWarning on 3.15 (#585)
  • b68be65 _util: drop the dead st_mtime=0 short-circuit in raise_on_not_writable_file (...
  • a833dd9 serialise singleton construction in FileLockMeta (#581)
  • bb2f884 [pre-commit.ci] pre-commit autoupdate (#583)
  • da9c3ed 💰 Surface GitHub Sponsors + thanks.dev
  • See full diff in compare view

Updates fastmcp from 3.4.2 to 3.4.4

Release notes

Sourced from fastmcp's releases.

v3.4.4: Host in Translation

FastMCP 3.4.4 restores HTTP deployment compatibility after the 3.4.3 Host/Origin guard changed default behavior for existing ASGI, serverless, and reverse-proxy deployments. The guard implementation remains available for deployments that opt in with explicit trusted hosts and origins, while 3.x returns to accepting traffic that worked before the patch. This release also adds Hugging Face OAuth provider support, with docs and examples for public and private apps, PKCE, Dynamic Client Registration, and CIMD.

What's Changed

Enhancements ✨

Fixes 🐞

Docs 📚

New Contributors

Full Changelog: PrefectHQ/fastmcp@v3.4.3...v3.4.4

v3.4.3: The Fast and the Secure-ious

FastMCP 3.4.3 closes out a month of SSRF and OAuth hardening: NAT64, 6to4, Teredo, and ISATAP transition addresses can no longer smuggle private IPv4 targets past the SSRF allow-list, Streamable HTTP now validates Host and Origin before session handling to block DNS rebinding against localhost-bound servers, and OAuth redirect validation rejects unsafe schemes and unregistered DCR redirect URIs. Alongside the security work, this release also fixes proxy session teardown races, discriminator-tag handling in JSON schema conversion, and several smaller reliability issues.

What's Changed

Enhancements ✨

Security 🔒

Fixes 🐞

... (truncated)

Changelog

Sourced from fastmcp's changelog.


title: "Changelog" icon: "list-check" rss: true tag: NEW

v3.4.4: Host in Translation

FastMCP 3.4.4 restores HTTP deployment compatibility after the 3.4.3 Host/Origin guard changed default behavior for existing ASGI, serverless, and reverse-proxy deployments. The guard implementation remains available for deployments that opt in with explicit trusted hosts and origins, while 3.x returns to accepting traffic that worked before the patch. This release also adds Hugging Face OAuth provider support, with docs and examples for public and private apps, PKCE, Dynamic Client Registration, and CIMD.

Enhancements ✨

Fixes 🐞

New Contributors

Full Changelog: v3.4.3...v3.4.4

v3.4.3: The Fast and the Secure-ious

FastMCP 3.4.3 closes out a month of SSRF and OAuth hardening: NAT64, 6to4, Teredo, and ISATAP transition addresses can no longer smuggle private IPv4 targets past the SSRF allow-list, Streamable HTTP now validates Host and Origin before session handling to block DNS rebinding against localhost-bound servers, and OAuth redirect validation rejects unsafe schemes and unregistered DCR redirect URIs. Alongside the security work, this release also fixes proxy session teardown races, discriminator-tag handling in JSON schema conversion, and several smaller reliability issues.

Enhancements ✨

  • Dedupe discriminator-required helper across schema converters by @​jlowin in #4362
  • Add real Monty sandbox e2e coverage for CodeMode call_tool by @​AlexlaGuardia in #4274
  • Switch prettier hook to rbubley/mirrors-prettier by @​jlowin in #4366
  • feat(remote): add --verify flag for TLS certificate verification by @​jlowin in #4369

Security 🔒

Fixes 🐞

  • fix: caching middleware TypeError on cache miss due to mismatched call_next parameter by @​gmenziesint in #4301
  • Fix: async rate limiting middleware get_client_id callbacks by @​Chotom in #4319

... (truncated)

Commits
  • 9138d40 Docs: add v3.4.4 changelog entries (#4473)
  • d929882 Hugging Face Auth Integration (#4385)
  • 5fe4fae Restore HTTP host guard compatibility (#4472)
  • 400db61 Relax host origin guard defaults (#4439)
  • 1eedd1f Docs: add v3.4.2 and v3.4.3 changelog entries (#4430)
  • 3b1afe6 chore(deps): bump joserfc from 1.6.7 to 1.6.8 in the uv group across 1 direct...
  • 874425a chore: Update SDK documentation (#4427)
  • 691766b [codex] Fix OpenAPI resource template requests (#4407)
  • 47907e0 Fix ty 0.0.55 diagnostics and prefab-ui protocol version drift (#4428)
  • c1b0396 Block IPv6 transition SSRF bypasses (#4426)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the minor-and-patch group in /a2a/a2a_contact_extractor with 3 updates: [pyasn1](https://github.com/pyasn1/pyasn1), [filelock](https://github.com/tox-dev/py-filelock) and [fastmcp](https://github.com/PrefectHQ/fastmcp).


Updates `pyasn1` from 0.6.3 to 0.6.4
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](pyasn1/pyasn1@v0.6.3...v0.6.4)

Updates `filelock` from 3.29.5 to 3.29.7
- [Release notes](https://github.com/tox-dev/py-filelock/releases)
- [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst)
- [Commits](tox-dev/filelock@3.29.5...3.29.7)

Updates `fastmcp` from 3.4.2 to 3.4.4
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](PrefectHQ/fastmcp@v3.4.2...v3.4.4)

---
updated-dependencies:
- dependency-name: pyasn1
  dependency-version: 0.6.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: filelock
  dependency-version: 3.29.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: fastmcp
  dependency-version: 3.4.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jul 10, 2026
@esnible esnible merged commit 4919615 into main Jul 14, 2026
11 checks passed
@github-project-automation github-project-automation Bot moved this from New/ToDo to Done in Kagenti Issue Prioritization Jul 14, 2026
@esnible esnible deleted the dependabot/uv/a2a/a2a_contact_extractor/minor-and-patch-94c281bc4e branch July 14, 2026 18:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

2 participants