Skip to content

build(deps): bump cbor2 from 5.9.0 to 6.1.3#675

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/cbor2-6.1.3
Open

build(deps): bump cbor2 from 5.9.0 to 6.1.3#675
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/cbor2-6.1.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown
Contributor

Bumps cbor2 from 5.9.0 to 6.1.3.

Release notes

Sourced from cbor2's releases.

6.1.3

  • Fixed the decoder registering 6-byte strings in the string reference namespace at indices 65536–4294967295 where the encoder does not, desynchronising the namespace and resolving later string references to the wrong value (#313; PR by @​sahvx655-wq)
  • Fixed the IPv4/IPv6 network decoders (tags 52 and 54) silently truncating an address byte string that is longer than the address size instead of rejecting it as malformed (#309; PR by @​sahvx655-wq)
  • Fixed quadratic decoding time for indefinite-length and large definite-length byte and text strings, caused by concatenating each chunk onto the accumulated result with + instead of building the result once (#316; PR by @​sahvx655-wq)
  • Fixed datetime_as_timestamp encoding whole-second datetimes before 1970 or after 2106 as floats instead of integers, because the timestamp was narrowed through an unsigned 32-bit integer (#317; PR by @​sahvx655-wq)
  • Fixed the encoder measuring text strings by code point count instead of UTF-8 byte length when deciding whether to add them to the string reference namespace, desynchronising it from the decoder (which counts bytes) and corrupting later string references for non-ASCII strings (#314; PR by @​sahvx655-wq)
  • Fixed the decoder rejecting scoped IPv6 addresses (tag 54) with a CBORDecodeError reading invalid types in input array; the encoder emits them as [address, null, zone id] but the decoder only handled the network and interface array forms, so a scoped ~ipaddress.IPv6Address could not be decoded back (#324; PR by @​sahvx655-wq)

6.1.2

  • Fixed incorrect tracking of string references for definite-length text strings of length greater than 65536 (#308; PR by @​sahvx655-wq)
  • Fixed cbor2.load() crash caused by incorrect handling of internal read buffer extension during stream deserialization. (#307; PR by @​noderyos)

6.1.1

  • Fixed cbor2.load() returning corrupted data for payloads exceeding 4096 bytes (#304)

6.1.0

  • Added the allow_duplicate_keys parameter to CBORDecoder, load and loads (default: True). When set to False, a CBORDecodeError is raised upon encountering a duplicate key within the same map. (#283)
  • Added support for decoding from any object supporting the buffer API (e.g. memoryview or bytearray) in addition to bytes (#297)
  • Fixed compatibility issues with 32-bit systems (#300)

6.0.1

  • Fixed an error in the mutability logic during decoding, leading to values being decoded as immutable in unexpected places (#295)

6.0.0

  • No changes since v6.0.0rc1

6.0.0rc1

  • MAJOR REWRITE: The Python and C implementations of the encoder and decoder were replaced with a single, Rust-based implementation in the interest of maintainability.

    Here are some of the highlights:

    • Improved memory safety (100% safe-mode Rust)
    • Complete elimination of reference leaks
    • Support for free-threading and subinterpreters
    • Substantially improved performance
    • Improved decoder error handling where any non-base exception gets wrapped in a CBORDecodeError
    • Iterative, rather than recursive decoding, meaning the container nesting depth is limited only by the available memory, rather than the C stack size
  • BACKWARD INCOMPATIBLE Changed the signature of the tag_hook decoder callables to accept (CBORTag, immutable as arguments instead of CBORDecoder, CBORTag)

  • BACKWARD INCOMPATIBLE Changed the signature of the object_hook decoder callables to accept (Mapping[Any, Any], bool) instead of (CBORDecoder, dict[Any, Any])

  • BACKWARD INCOMPATIBLE Removed the break_marker singleton as no longer necessary

  • BACKWARD INCOMPATIBLE Removed the CBORDecodeValueError exception, instead chaining ValueError or TypeError to a CBORDecodeError

  • BACKWARD INCOMPATIBLE Changed the decoding of semantic tag 261 to yield an IPv4Interface or IPv6Interface if the address contains host bits

  • BACKWARD INCOMPATIBLE Removed the individual decoding functions from the API as they were mistakenly called directly by users. Please open an issue if you need them back.

... (truncated)

Commits
  • 5820bd4 Bumped up the version
  • 8bb0466 Bump the github-actions group with 2 updates (#323)
  • 00e3dea Decode scoped IPv6 addresses instead of rejecting them (#324)
  • aeff00b Measure text strings by byte length in maybe_stringref (#314)
  • 1c827f1 Encode whole-second datetime timestamps as integers across full range (#317)
  • 791172c Worked around coveralls not working with Homebrew 6
  • 32f66ee [pre-commit.ci] pre-commit autoupdate (#322)
  • 1d5054e Switched to quarterly pre-commit updates
  • c348bbf [pre-commit.ci] pre-commit autoupdate (#319)
  • 6625bc1 Optimized bytestring and text string decoding (#316)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [cbor2](https://github.com/agronholm/cbor2) from 5.9.0 to 6.1.3.
- [Release notes](https://github.com/agronholm/cbor2/releases)
- [Commits](agronholm/cbor2@5.9.0...6.1.3)

---
updated-dependencies:
- dependency-name: cbor2
  dependency-version: 6.1.3
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants