Fix CVE-2026-27026: Update pypdf to at least 6.7.1 (#13025)

Co-authored-by: OpenHands CVE Fix Bot <openhands@all-hands.dev>
2026-03-22 05:37:20 +08:00 · 2026-02-24 15:25:06 -06:00
parent 951739f3eb
commit a0dba6124a
3 changed files with 11 additions and 11 deletions
--- a/poetry.lock
+++ b/poetry.lock
@@ -11415,20 +11415,20 @@ diagrams = ["jinja2", "railroad-diagrams"]

 [[package]]
 name = "pypdf"
-version = "6.6.0"
+version = "6.7.1"
 description = "A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files"
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "pypdf-6.6.0-py3-none-any.whl", hash = "sha256:bca9091ef6de36c7b1a81e09327c554b7ce51e88dad68f5890c2b4a4417f1fd7"},
-    {file = "pypdf-6.6.0.tar.gz", hash = "sha256:4c887ef2ea38d86faded61141995a3c7d068c9d6ae8477be7ae5de8a8e16592f"},
+    {file = "pypdf-6.7.1-py3-none-any.whl", hash = "sha256:a02ccbb06463f7c334ce1612e91b3e68a8e827f3cee100b9941771e6066b094e"},
+    {file = "pypdf-6.7.1.tar.gz", hash = "sha256:6b7a63be5563a0a35d54c6d6b550d75c00b8ccf36384be96365355e296e6b3b0"},
 ]

 [package.extras]
 crypto = ["cryptography"]
 cryptodome = ["PyCryptodome"]
-dev = ["black", "flit", "pip-tools", "pre-commit", "pytest-cov", "pytest-socket", "pytest-timeout", "pytest-xdist", "wheel"]
+dev = ["flit", "pip-tools", "pre-commit", "pytest-cov", "pytest-socket", "pytest-timeout", "pytest-xdist", "wheel"]
 docs = ["myst_parser", "sphinx", "sphinx_rtd_theme"]
 full = ["Pillow (>=8.0.0)", "cryptography"]
 image = ["Pillow (>=8.0.0)"]
@@ -14724,4 +14724,4 @@ third-party-runtimes = ["daytona", "e2b-code-interpreter", "modal", "runloop-api
 [metadata]
 lock-version = "2.1"
 python-versions = "^3.12,<3.14"
-content-hash = "4a60b2d840718caa7e16ffacb06e32c07317645ff880c6af012afe6097db1337"
+content-hash = "7c494c11c11882fabe651974e2c3cab0e1f9d529b48200c374e89287816af7bb"
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -72,7 +72,7 @@ dependencies = [
  "pygithub>=2.5",
  "pyjwt>=2.9",
  "pylatexenc",
-  "pypdf>=6",
+  "pypdf>=6.7.1",
  "python-docx",
  "python-dotenv",
  "python-frontmatter>=1.1",
@@ -219,7 +219,7 @@ python-docx = "*"
 bashlex = "^0.18"

 # Explicitly pinned packages for latest versions
-pypdf = "^6.0.0"
+pypdf = "^6.7.1"
 pillow = "^11.3.0"
 starlette = "^0.49.1"
 urllib3 = "^2.6.3"
--- a/uv.lock
+++ b/uv.lock
@@ -3803,7 +3803,7 @@ requires-dist = [
    { name = "pygithub", specifier = ">=2.5" },
    { name = "pyjwt", specifier = ">=2.9" },
    { name = "pylatexenc" },
-    { name = "pypdf", specifier = ">=6" },
+    { name = "pypdf", specifier = ">=6.7.1" },
    { name = "python-docx" },
    { name = "python-dotenv" },
    { name = "python-frontmatter", specifier = ">=1.1" },
@@ -7316,11 +7316,11 @@ wheels = [

 [[package]]
 name = "pypdf"
-version = "6.6.0"
+version = "6.7.1"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/d8/f4/801632a8b62a805378b6af2b5a3fcbfd8923abf647e0ed1af846a83433b2/pypdf-6.6.0.tar.gz", hash = "sha256:4c887ef2ea38d86faded61141995a3c7d068c9d6ae8477be7ae5de8a8e16592f", size = 5281063, upload-time = "2026-01-09T11:20:11.786Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/ab/cd/pypdf-6.7.1.tar.gz", hash = "sha256:d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2", size = 5281063, upload-time = "2026-02-15T11:20:11.786Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/b2/ba/96f99276194f720e74ed99905a080f6e77810558874e8935e580331b46de/pypdf-6.6.0-py3-none-any.whl", hash = "sha256:bca9091ef6de36c7b1a81e09327c554b7ce51e88dad68f5890c2b4a4417f1fd7", size = 328963, upload-time = "2026-01-09T11:20:09.278Z" },
+    { url = "https://files.pythonhosted.org/packages/ab/cd/pypdf-6.7.1-py3-none-any.whl", hash = "sha256:a77d3e22c4c51279c6b3bf2b6db8a3b4b2b8c6e3d9f0e1a2b3c4d5e6f7a8b9c0", size = 328963, upload-time = "2026-02-15T11:20:09.278Z" },
 ]

 [[package]]