chore(deps): update dependency idna to v3 [security]

[manifest-self-hosted-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
idna (changelog)	==2.8 → ==3.15

---

Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode

CVE-2024-3651 / GHSA-jjg7-2v4v-x38h

More information

Details

Impact

A specially crafted argument to the idna.encode() function could consume significant resources. This may lead to a denial-of-service.

Patches

The function has been refined to reject such strings without the associated resource consumption in version 3.7.

Workarounds

Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the idna.encode() function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.

References

• https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h
• https://nvd.nist.gov/vuln/detail/CVE-2024-3651
• https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d
• https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb
• https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml
• https://lists.debian.org/debian-lts-announce/2024/05/msg00006.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2S5E23N6E52S46KGNYTDFB75LOC4N4D
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S5IDLLD2IKSIVRBSLB34WTSYGLMWUFWF
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULSC7HBJKXB3BZV367WM5BR6DFEC4Z43
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4YQUPYH3SVZ5GFF2CDQ55FCM575AZTF2
• https://github.com/advisories/GHSA-jjg7-2v4v-x38h

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix

CVE-2026-45409 / GHSA-65pc-fj4g-8rjx

More information

Details

This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. Payloads such as "\u0660" * N or "\u30fb" * N + "\u6f22" utilize the valid_contexto function prior to length rejection, and for high values of N will take a long time to process.

Impact

A specially crafted argument to the idna.encode() function could consume significant resources. This may lead to a denial-of-service.

Patches

Starting in version 3.14, the function rejects long inputs as soon as practicable prior to any further processing to minimize resource consumption. In version 3.15, this approach was extended to lesser used alternate functions (i.e. per-label conversions and codec support).

Workarounds

Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the idna.encode() function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

• https://github.com/kjd/idna/security/advisories/GHSA-65pc-fj4g-8rjx
• https://nvd.nist.gov/vuln/detail/CVE-2026-45409
• https://github.com/advisories/GHSA-65pc-fj4g-8rjx

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

kjd/idna (idna)

v3.15

Compare Source

• Enforce DNS-length cap on individual labels early in check_label,
  short-circuiting contextual-rule processing for oversized input
  while staying compatible with UTS 46 usage.
• Tidy core helpers: hoist bidi category sets to module-level
  frozensets (avoiding per-codepoint list construction), simplify
  length checks, and reuse the shared _unicode_dots_re from
  idna.core in the codec module.
• Use raise ... from err for proper exception chaining and
  switch internal string formatting to f-strings.
• Allow flit_core 4.x in the build backend.
• Expand the ruff lint set (flake8-bugbear, flake8-simplify,
  pyupgrade, perflint) and apply the surfaced fixes; pin lint CI
  to Python 3.14.
• Add Dependabot configuration for GitHub Actions.
• Convert README and HISTORY from reStructuredText to Markdown.
• Reference CVE-2026-45409 for the 3.14 advisory in place of the
  initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for
contributions to this release.

v3.14

Compare Source

• Removed opportunity to process long inputs into quadratic
  time by rejecting oversize inputs up-front. Closes a bypass
  of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

v3.13

Compare Source

• Correct classification error for codepoint U+A7F1

v3.12

Compare Source

• Update to Unicode 17.0.0.
• Issue a deprecation warning for the transitional argument.
• Added lazy-loading to provide some performance improvements.
• Removed vestiges of code related to Python 2 support, including
  segmentation of data structures specific to Jython.

Thanks to Rodrigo Nogueira for contributions to this release.

v3.11

Compare Source

• Update to Unicode 16.0.0, including significant changes to UTS46
  processing. As a result of Unicode ending support for it, transitional
  processing no longer has an effect and returns the same result.
• Add support for Python 3.14, lowest supported version is Python 3.8.
• Various updates to packaging, including PEP 740 support.

v3.10

Compare Source

• Reverted to Unicode 15.1.0 data. Unicode 16 has some significant changes
  to UTS46 processing that will require more work to properly implement.

v3.9

Compare Source

• Update to Unicode 16.0.0
• Deprecate setup.cfg in favour of pyproject.toml
• Use ruff for code formatting

Thanks to Waket Zheng for contributions to this release.

v3.8

Compare Source

• Fix regression where IDNAError exception was not being produced for
  certain inputs.
• Add support for Python 3.13, drop support for Python 3.5 as it is no
  longer testable.
• Documentation improvements
• Updates to package testing using Github actions

Thanks to Hugo van Kemenade for contributions to this release.

v3.7

Compare Source

• Fix issue where specially crafted inputs to encode() could
  take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

v3.6

Compare Source

• Fix regression to include tests in source distribution.

v3.5

Compare Source

• Update to Unicode 15.1.0
• String codec name is now "idna2008" as overriding the system codec
  "idna" was not working.
• Fix typing error for codec encoding
• "setup.cfg" has been added for this release due to some downstream
  lack of adherence to PEP 517. Should be removed in a future release
  so please prepare accordingly.
• Removed reliance on a symlink for the "idna-data" tool to comport
  with PEP 517 and the Python Packaging User Guide for sdist archives.
• Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions
to this release.

v3.4

Compare Source

• Update to Unicode 15.0.0
• Migrate to pyproject.toml for build information (PEP 621)
• Correct another instance where generic exception was raised instead of
  IDNAError for malformed input
• Source distribution uses zeroized file ownership for improved
  reproducibility

Thanks to Seth Michael Larson for contributions to this release.

v3.3

Compare Source

• Update to Unicode 14.0.0
• Update to in-line type annotations
• Throw IDNAError exception correctly for some malformed input
• Advertise support for Python 3.10
• Improve testing regime on Github
• Fix Russian typo in documentation

Thanks to Jon Defresne, Hugo van Kemenade, Seth Michael Larson,
Patrick Ventuzelo and Boris Verhovsky for contributions to this
release.

v3.2

Compare Source

• Add type hints (Thanks, Seth Michael Larson!)
• Remove support for Python 3.4

v3.1

Compare Source

• When decoding a domain, add a display argument that will pass
  through invalid labels rather than raising an exception.

v3.0

Compare Source

• Python 2 is no longer supported (the 2.x branch supports Python 2,
  use "idna<3" in your requirements file if you need Python 2 support)
• Support for V2 UTS 46 test vectors.

v2.10

Compare Source

• Update to Unicode 13.0.0.
• Throws a more specific exception if "xn--" is provided as a label.
• This is expected to be the last version that supports Python 2.

v2.9

Compare Source

• Update to Unicode 12.1.0.
• Prohibit A-labels ending with a hyphen (Thanks, Julien Bernard!)
• Future-proofing: Test on Python 3.7 and 3.8, don't immediately
  fail should Python 4 come along.
• Made BSD 3-clause license clearer

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.