chore(deps): bump pypdf from 6.13.0 to 6.13.3 in /agent-governance-python/agent-os/modules/caas#3112
Conversation
Bumps [pypdf](https://github.com/py-pdf/pypdf) from 6.13.0 to 6.13.3.
- [Release notes](https://github.com/py-pdf/pypdf/releases)
- [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md)
- [Commits](py-pdf/pypdf@6.13.0...6.13.3)

---
updated-dependencies:
- dependency-name: pypdf
  dependency-version: 6.13.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
PR Review Summary
Verdict: AI review comments are untrusted advisory output. The summary reports workflow-generated completion status only, not model-authored pass/fail claims.

Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: none.

📦 Dependency diff (SBOM): comparing main → dependabot/pip/agent-governance-python/agent-os/modules/caas/pypdf-6.13.3. Summary: ➕ 0 added · ➖ 0 removed · 🔄 1 bumped

🔄 Bumped

| Package | From | To |
|---|---|---|
| pypdf | 6.13.0 | 6.13.3 |
The failures on this PR are a false positive -- they are caused by three regex bugs in (shipped in #3107) that break the K-12 policy tests for all PRs. Fix is in #3115. Once that merges, please retrigger this PR's CI with a rebase or empty push and it should go green. Cooling-off still expires 2026-06-22.

Two blockers:
imran-siddique
left a comment
pypdf 6.13.0 → 6.13.3 includes two security fixes (MAX_DECLARED_STREAM_LENGTH enforcement for streams without declared length, and multi-hop cyclic /Pages tree detection to prevent SIGSEGV). Both are relevant to the PDF-parsing surface in agent-os/caas. The "Policy: Awaiting maintainer review" gate blocked this; approving now.
Note: CI failure on this PR is the same pre-existing edu-k12 regex bug that will be fixed by #3127 and is unrelated to this dependency bump.
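As an added illustration of the two failure modes the comment above describes (this is example code written for this page, not pypdf's own implementation): a toy `/Pages` tree walk that reports a multi-hop cycle instead of recursing into it, and a bounded read for a stream whose dictionary omits `/Length`. The constant name `MAX_DECLARED_STREAM_LENGTH` is taken from the changelog entry; its value here, the `objects` dictionary layout and all sample inputs are constructed for the example and are assumptions, not pypdf internals.

```python
# Added example (not pypdf's own code): a toy model of the two defensive
# checks named in the 6.13.3 notes, run on constructed PDF-like input.
from typing import Dict, List, Optional

# The constant name comes from the pypdf changelog entry; its value here is an
# assumption chosen for this example, not pypdf's setting.
MAX_DECLARED_STREAM_LENGTH = 1 << 20


class MalformedPdfError(ValueError):
    """Raised instead of recursing or scanning without bound."""


def collect_pages(objects: Dict[str, dict], root_ref: str, max_depth: int = 1000) -> List[str]:
    """Return the leaf /Page refs of a /Pages tree in document order.

    `objects` is a constructed map of "num gen" refs to parsed dictionaries.
    A well-formed tree visits each node exactly once, so any repeat (including a
    multi-hop loop such as 1 -> 2 -> 3 -> 1) is reported as a cycle rather than
    followed until the interpreter's stack is exhausted.
    """
    pages: List[str] = []
    visited = set()
    stack = [(root_ref, 0)]  # explicit stack: no recursion limit to hit
    while stack:
        ref, depth = stack.pop()
        if ref in visited:
            raise MalformedPdfError(f"cycle in /Pages tree at {ref}")
        if depth > max_depth:
            raise MalformedPdfError(f"/Pages tree deeper than {max_depth}")
        visited.add(ref)
        node = objects.get(ref)
        if node is None:
            raise MalformedPdfError(f"dangling reference {ref}")
        if node.get("/Type") == "/Page":
            pages.append(ref)
            continue
        # Push kids reversed so the first kid is popped first (document order).
        for kid in reversed(node.get("/Kids", [])):
            stack.append((kid, depth + 1))
    return pages


def page_tree_is_wellformed(objects: Dict[str, dict], root_ref: str) -> bool:
    """True when the tree can be walked to completion without a cycle or gap."""
    try:
        collect_pages(objects, root_ref)
        return True
    except MalformedPdfError:
        return False


def read_unsized_stream(data: bytes, start: int, limit: int = MAX_DECLARED_STREAM_LENGTH) -> Optional[bytes]:
    """Body of a stream whose dictionary omits /Length.

    Scans for the `endstream` keyword but never past `limit` body bytes from
    `start`; returns None when the keyword is not found within the cap, so a
    hostile file cannot make the reader chew through arbitrary amounts of data.
    """
    window_end = start + limit + len(b"endstream")
    end = data.find(b"endstream", start, window_end)
    if end == -1:
        return None
    return data[start:end].rstrip(b"\r\n")


# Constructed sample objects used for demonstration.
GOOD_TREE = {
    "1 0": {"/Type": "/Pages", "/Kids": ["2 0", "4 0"]},
    "2 0": {"/Type": "/Pages", "/Kids": ["3 0"]},
    "3 0": {"/Type": "/Page"},
    "4 0": {"/Type": "/Page"},
}
# Three-node loop: no node points at itself, so a one-hop parent check misses it.
CYCLIC_TREE = {
    "1 0": {"/Type": "/Pages", "/Kids": ["2 0"]},
    "2 0": {"/Type": "/Pages", "/Kids": ["3 0"]},
    "3 0": {"/Type": "/Pages", "/Kids": ["1 0"]},
}
SMALL_STREAM = b"stream\n" + b"x" * 10 + b"\nendstream"

if __name__ == "__main__":
    print(collect_pages(GOOD_TREE, "1 0"))
    print(page_tree_is_wellformed(CYCLIC_TREE, "1 0"))
    print(read_unsized_stream(SMALL_STREAM, len(b"stream\n")))
    print(read_unsized_stream(b"stream\n" + b"y" * 50, len(b"stream\n"), limit=16))
```

The explicit stack plus `visited` set is what turns a crash (unbounded recursion on a looped tree) into a clean parse error; the bounded `find` window is the same idea applied to stream bodies, where "no `/Length`" must not mean "read until the file ends".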
imran-siddique
left a comment
The 7-day cooling-off gate is still active (opened June 18 -- passes June 25). Additionally, the test suite has failures that need investigation:
- test (agent-os, 3.11): failing
- test (agent-os, 3.12): failing
- test (agent-os, 3.13): failing
- docker-compose-test: failing
These test failures need to be resolved (or confirmed pre-existing in main) before this can merge. Once the cooling-off passes and CI is clean, I can approve.
🤖 AI Agent: security-scanner
No security issues found.

🤖 AI Agent: test-generator
Test coverage looks good. No gaps identified.

🤖 AI Agent: docs-sync-checker — Docs Sync
Documentation is in sync.

🤖 AI Agent: code-reviewer
TL;DR: 0 blockers, 1 warning. Safe update with a minor follow-up suggestion.
Action items:
Warnings:

🤖 AI Agent: breaking-change-detector — API Compatibility
No breaking changes detected.
MohammadHaroonAbuomar
left a comment
Routine dependency bump — reviewed in batch.
Warning: Dependabot will stop supporting python v3.9! Please upgrade to one of the following versions: v3.9, v3.10, v3.11, v3.12, v3.13, or v3.14.

Bumps pypdf from 6.13.0 to 6.13.3.
Release notes
Sourced from pypdf's releases.
Changelog
Sourced from pypdf's changelog.
Commits
- 9aa05e7 REL: 6.13.3
- bbd083d SEC: Apply MAX_DECLARED_STREAM_LENGTH to streams without length as well (#3871)
- d5cd266 ROB: Guard text operators against missing operands in extract_text (#3861)
- 82f1f90 ROB: Tolerate malformed /Limits in index2label (#3858)
- 0276a6f PI: Avoid per-pixel getpixel loop for 1-bit indexed images (#3854)
- 41a9c3c MAINT: Make mypy assert messages consistent (#3849)
- d1bba60 MAINT: Increase readability of PdfDocCommon (#3834)
- 53b6fbc DEV: Bump codecov/codecov-action from 6.0.1 to 7.0.0 (#3859)
- e07c223 MAINT: Enforce G004 (no f-strings in logging) (#3845)
- 5270f76 ROB: Guard zero unitsPerEm in from_truetype_font_file (#3846)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.