fix: update filelock to resolve CVE-2026-22701#3

Open

dannyneira wants to merge 1 commit into

mainfrom

independabot/filelock-CVE-2026-22701

Member

dannyneira commented May 17, 2026

Summary

Updates filelock from 3.18.0 to 3.20.3 in candle-examples/examples/marian-mt/python/requirements.txt.
Resolves direct runtime Dependabot alerts for:
- CVE-2025-68146 / GHSA-w853-jp5j-5j7f: GHSA-w853-jp5j-5j7f
- CVE-2026-22701 / GHSA-qmgc-5h2g-mvrw: GHSA-qmgc-5h2g-mvrw
Dependabot alert links:
- https://github.com/warpdotdev/candle/security/dependabot/17
- https://github.com/warpdotdev/candle/security/dependabot/19

Details

Dependency relationship: direct runtime dependency.
Workarounds: none; this is a direct patch-version pin update.
Dependabot error: none reported for these alerts.

Verification

pip install --dry-run -r candle-examples/examples/marian-mt/python/requirements.txt
pip-audit -r candle-examples/examples/marian-mt/python/requirements.txt --format json confirmed filelock 3.20.3 has zero reported vulnerabilities.
cargo check --manifest-path /workspace/candle/Cargo.toml -p candle-examples --no-default-features
cargo test --manifest-path /workspace/candle/Cargo.toml -p candle-examples --no-default-features

Conversation: https://staging.warp.dev/conversation/bcb069f6-a9ae-4963-94db-87247c6146d6
Run: https://oz.staging.warp.dev/runs/019e36aa-74a8-7c43-b2ab-0da36cc0ce26
This PR was generated with Oz.


          fix: update filelock to resolve CVE-2026-22701

ee57984

Co-Authored-By: Oz <oz-agent@warp.dev>

dannyneira marked this pull request as ready for review

May 21, 2026 15:41

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet