Skip to content

Update dependency sqlparse to v0.5.4 [SECURITY]#200

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/pypi-sqlparse-vulnerability
Open

Update dependency sqlparse to v0.5.4 [SECURITY]#200
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/pypi-sqlparse-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Feb 13, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
sqlparse (changelog) ==0.5.1==0.5.4 age confidence

sqlparse: formatting list of tuples leads to denial of service

GHSA-27jp-wm6q-gp25

More information

Details

Summary

The below gist hangs while attempting to format a long list of tuples.

This was found while drafting a regression test for Dja
ngo 5.2's composite primary key feature
, which allows querying composite fields with tuples.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

andialbrecht/sqlparse (sqlparse)

v0.5.4

Compare Source

Enhancements

  • Add support for Python 3.14.
  • Add type annotations to top-level API functions and include py.typed marker
    for PEP 561 compliance, enabling type checking with mypy and other tools
    (issue756).
  • Add pre-commit hook support. sqlparse can now be used as a pre-commit hook
    to automatically format SQL files. The CLI now supports multiple files and
    an --in-place flag for in-place editing (issue537).
  • Add ATTACH and DETACH to PostgreSQL keywords (pr808).
  • Add INTERSECT to close keywords in WHERE clause (pr820).
  • Support REGEXP BINARY comparison operator (pr817).

Bug Fixes

  • Add additional protection against denial of service attacks when parsing
    very large lists of tuples. This enhances the existing recursion protections
    with configurable limits for token processing to prevent DoS through
    algorithmic complexity attacks. The new limits (MAX_GROUPING_DEPTH=100,
    MAX_GROUPING_TOKENS=10000) can be adjusted or disabled (by setting to None)
    if needed for legitimate large SQL statements.
  • Remove shebang from cli.py and remove executable flag (pr818).
  • Fix strip_comments not removing all comments when input contains only
    comments (issue801, pr803 by stropysh).
  • Fix splitting statements with IF EXISTS/IF NOT EXISTS inside BEGIN...END
    blocks (issue812).
  • Fix splitting on semicolons inside BEGIN...END blocks (issue809).

v0.5.3

Compare Source

Bug Fixes

  • This version introduces a more generalized handling of potential denial of
    service attack (DOS) due to recursion errors for deeply nested statements.
    Brought up and fixed by @​living180. Thanks a lot!

v0.5.2

Compare Source

Bug Fixes

  • EXTENSION is now recognized as a keyword (issue785).
  • SQL hints are not removed when removing comments (issue262, by skryzh).

Configuration

📅 Schedule: (in timezone Europe/London)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Feb 13, 2026
@renovate renovate Bot requested a review from a team as a code owner February 13, 2026 19:27
@renovate renovate Bot requested review from Asaleem-hmcts, cpareek and madjava and removed request for a team February 13, 2026 19:27
@renovate renovate Bot changed the title Update dependency sqlparse to v0.5.4 [SECURITY] Update dependency sqlparse to v0.5.4 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/pypi-sqlparse-vulnerability branch March 27, 2026 03:03
@renovate renovate Bot changed the title Update dependency sqlparse to v0.5.4 [SECURITY] - autoclosed Update dependency sqlparse to v0.5.4 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/pypi-sqlparse-vulnerability branch 2 times, most recently from 0e36ca6 to 3caf155 Compare March 30, 2026 20:02
@renovate renovate Bot changed the title Update dependency sqlparse to v0.5.4 [SECURITY] Update dependency sqlparse to v0.5.4 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency sqlparse to v0.5.4 [SECURITY] - autoclosed Update dependency sqlparse to v0.5.4 [SECURITY] Apr 28, 2026
@renovate renovate Bot reopened this Apr 28, 2026
@renovate renovate Bot force-pushed the renovate/pypi-sqlparse-vulnerability branch 2 times, most recently from 3caf155 to fb656df Compare April 28, 2026 01:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants