@renovate renovate bot commented Jan 9, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| pypdf (changelog) | ==6.4.0 -> ==6.6.0 | | |

GitHub Vulnerability Alerts

CVE-2026-22690

Impact

An attacker who exploits this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected.

Patches

This has been fixed in pypdf==6.6.0.

Workarounds

```python
from pypdf import PdfReader, PdfWriter

# Instead of
reader = PdfReader("file.pdf")

# use the strict mode:
reader = PdfReader("file.pdf", strict=True)

# Instead of
writer = PdfWriter(clone_from="file.pdf")

# use an explicit strict reader:
writer = PdfWriter(clone_from=PdfReader("file.pdf", strict=True))
```

Resources

This issue has been fixed in #3594.

CVE-2026-22691

Impact

An attacker who exploits this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected.

Patches

This has been fixed in pypdf==6.6.0.

Workarounds

```python
from pypdf import PdfReader, PdfWriter

# Instead of
reader = PdfReader("file.pdf")

# use the strict mode:
reader = PdfReader("file.pdf", strict=True)

# Instead of
writer = PdfWriter(clone_from="file.pdf")

# use an explicit strict reader:
writer = PdfWriter(clone_from=PdfReader("file.pdf", strict=True))
```

Resources

This issue has been fixed in #3594.


Release Notes

py-pdf/pypdf (pypdf)

v6.6.0

Compare Source

Security (SEC)
  • Improve handling of partially broken PDF files (#3594)
Deprecations (DEP)
  • Block common page content modifications when assigned to reader (#3582)
New Features (ENH)
  • Embellishments to generated text appearance streams (#3571)
Bug Fixes (BUG)
  • Do not consider multi-byte BOM-like sequences as BOMs (#3589)
Robustness (ROB)
  • Avoid empty FlateDecode outputs without warning (#3579)
Documentation (DOC)
  • Add outlines documentation and link it in User Guide (#3511)
Developer Experience (DEV)
  • Add PyPy 3.11 to test matrix and benchmarks (#3574)
Maintenance (MAINT)
  • Fix compatibility with Pillow >= 12.1.0 (#3590)

Full Changelog

v6.5.0

Compare Source

New Features (ENH)
  • Limit jbig2dec memory usage (#3576)
  • FontDescriptor: Initiate from embedded font resource (#3551)
Robustness (ROB)
  • Allow fallback to PBM files for jbig2dec without PNG support (#3567)
  • Use warning instead of error for early EOD for RunLengthDecode (#3548)
Developer Experience (DEV)

Full Changelog

v6.4.2

Compare Source

New Features (ENH)
  • Limit jbig2dec memory usage (#3576)
  • FontDescriptor: Initiate from embedded font resource (#3551)
Robustness (ROB)
  • Allow fallback to PBM files for jbig2dec without PNG support (#3567)
  • Use warning instead of error for early EOD for RunLengthDecode (#3548)
Developer Experience (DEV)

Full Changelog

v6.4.1

Compare Source

Bug Fixes (BUG)
  • Fix KeyError when flattening form field without /Font in resources (#3554)
Robustness (ROB)
  • Allow deleting non-existent annotations (#3559)
Documentation (DOC)
  • Fix level of attachment heading (#3560)

Full Changelog


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
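As an added example (not code from pypdf, from the advisories or from this repository): a small preflight that screens an untrusted PDF for the two trailer conditions the advisories describe, a trailer without a `/Root` reference combined with an oversized `/Size` (CVE-2026-22690) and a `startxref` that does not land on a cross-reference table (CVE-2026-22691), and only then hands the bytes to pypdf with `strict=True`, the workaround the advisories name. The byte limits, the `build_sample` helper, the function names and the in-memory sample files are assumptions made for this illustration; the preflight itself needs no third-party package.

```python
from __future__ import annotations
import re

# Bounds for the preflight. Both are assumptions chosen for this example,
# not limits taken from pypdf or from the advisories.
TAIL_WINDOW = 2048              # bytes from EOF searched for 'trailer' and 'startxref'
MAX_PLAUSIBLE_SIZE = 5_000_000  # a /Size above this is treated as hostile

STARTXREF_RE = re.compile(rb"startxref\s+(\d+)\s*%%EOF\s*$")
TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)
OBJ_HEADER_RE = re.compile(rb"\d+\s+\d+\s+obj")
ROOT_RE = re.compile(rb"/Root\s+\d+\s+\d+\s+R")
SIZE_RE = re.compile(rb"/Size\s+(\d+)")


def _trailer_source(pdf: bytes, tail: bytes, startxref: int) -> bytes | None:
    """Return the dictionary that plays the trailer role.

    Classic files end with 'trailer << ... >>'; files with a cross-reference
    stream keep those keys in the dictionary of the object startxref points at.
    """
    matches = list(TRAILER_RE.finditer(tail))
    if matches:
        return matches[-1].group(1)
    window = pdf[startxref:startxref + 4096]
    if OBJ_HEADER_RE.match(window.lstrip(b" \t\r\n")):
        return window.split(b"stream", 1)[0]
    return None


def preflight(pdf: bytes) -> list[str]:
    """Return the reasons to reject the file; an empty list means it looks sane."""
    problems: list[str] = []
    if not pdf.startswith(b"%PDF-"):
        problems.append("missing %PDF- header")

    tail = pdf[-TAIL_WINDOW:]
    m = STARTXREF_RE.search(tail)
    if m is None:
        problems.append("no well-formed 'startxref <offset> %%EOF' at end of file")
        return problems
    startxref = int(m.group(1))
    if startxref >= len(pdf):
        problems.append(f"startxref {startxref} lies beyond end of file ({len(pdf)} bytes)")
        return problems

    # Inspect only a 32-byte window: a long whitespace run (CVE-2026-22691) then
    # costs a few bytes of work here instead of a full cross-reference rebuild.
    target = pdf[startxref:startxref + 32].lstrip(b" \t\r\n")
    if not (target.startswith(b"xref") or OBJ_HEADER_RE.match(target)):
        problems.append("startxref does not point at an 'xref' table or an object header")

    trailer = _trailer_source(pdf, tail, startxref)
    if trailer is None:
        problems.append("no trailer dictionary found")
        return problems
    if ROOT_RE.search(trailer) is None:
        problems.append("trailer has no /Root reference (CVE-2026-22690 condition)")
    size_match = SIZE_RE.search(trailer)
    if size_match is None:
        problems.append("trailer has no /Size")
    else:
        size = int(size_match.group(1))
        # Every object occupies more than one byte, so /Size cannot exceed the file length.
        if size > MAX_PLAUSIBLE_SIZE or size > len(pdf):
            problems.append(f"/Size {size} is implausible for a {len(pdf)}-byte file")
    return problems


def open_pdf_strictly(data: bytes):
    """Preflight first, then parse with pypdf's strict mode (the advisories' workaround).

    pypdf is imported lazily so the preflight itself has no third-party dependency.
    """
    problems = preflight(data)
    if problems:
        raise ValueError("rejected before parsing: " + "; ".join(problems))
    import io
    from pypdf import PdfReader
    return PdfReader(io.BytesIO(data), strict=True)


def build_sample(include_root=True, size=4, startxref_override=None, whitespace_pad=0) -> bytes:
    """Assemble a tiny PDF in memory. Constructed sample data, not a real document."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    pad_start = len(out)
    out += b" " * whitespace_pad            # the whitespace run of CVE-2026-22691
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    trailer = b"/Size %d" % size
    if include_root:
        trailer += b" /Root 1 0 R"
    out += b"trailer\n<< " + trailer + b" >>\n"
    if startxref_override is not None:
        startxref = startxref_override      # deliberately wrong offset
    elif whitespace_pad:
        startxref = pad_start               # points into the padding, not at 'xref'
    else:
        startxref = xref_pos
    out += b"startxref\n" + str(startxref).encode() + b"\n%%EOF\n"
    return bytes(out)
```

The preflight is a cheap gate, not a parser: it reads a bounded window at the end of the file and at the `startxref` offset, so its own cost does not grow with the amount of padding an attacker adds. Files that pass still go through `strict=True`, which is the workaround the advisories give; the preflight only keeps the obviously malformed cases away from any lenient code path.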

github-actions bot commented Jan 9, 2026

Coverage report

| File | Statements | Missing | Coverage | Coverage (new stmts) | Lines missing |
|---|---|---|---|---|---|
| django/reservation/tests/test_models.py | | | | | |
| Project Total | | | | | |

This report was generated by python-coverage-comment-action
