core: bump cbor2 from 5.8.0 to 5.9.0 by dependabot[bot] · Pull Request #21094 · goauthentik/authentik

dependabot · 2026-03-23T20:27:10Z

Bumps cbor2 from 5.8.0 to 5.9.0.

Release notes

5.9.0

Added the max_depth decoder parameter to limit the maximum allowed nesting level of containers, with a default value of 400 levels (CVE-2026-26209)

Changed the default read_size from 4096 to 1 for backwards compatibility. The buffered reads introduced in 5.8.0 could cause issues when code needs to access the stream position after decoding. Users can opt-in to faster decoding by passing read_size=4096 when they don't need to access the stream directly after decoding. Added a direct read path for read_size=1 to avoid buffer management overhead. (#275; PR by @andreer)

Fixed C encoder not respecting string referencing when encoding string-type datetimes (tag 0) (#254)

Fixed a missed check for an exception in the C implementation of CBOREncoder.encode_shared() (#287)

Fixed two reference/memory leaks in the C extension's long string decoder (#290 PR by @killiancowan82)

Fixed C decoder ignoring the str_errors setting when decoding strings, and improved string decoding performance by using stack allocation for small strings and eliminating unnecessary conditionals. Benchmarks show 9-17% faster deserialization. (#255; PR by @andreer)

Commits

93c5988 Bumped up the version
d903d62 Updated the max_depth default value in the C function signature
2b53b28 Stack allocate small strings (#270)
a7ac10d Upped the max_depth value to 400
54c8ed5 Fixed reference/memory leaks in decode_definite_long_string (#290)
a8d92dc [pre-commit.ci] pre-commit autoupdate (#289)
c91aa00 [pre-commit.ci] pre-commit autoupdate (#288)
53521e7 Fixed ssize_t to Py_ssize_t
94e0d21 Added missing Python counterpart for max_depth
bcb6cea Added the max_depth decoder parameter
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [cbor2](https://github.com/agronholm/cbor2) from 5.8.0 to 5.9.0. - [Release notes](https://github.com/agronholm/cbor2/releases) - [Commits](agronholm/cbor2@5.8.0...5.9.0) --- updated-dependencies: - dependency-name: cbor2 dependency-version: 5.9.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

netlify · 2026-03-23T20:28:43Z

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	`a3f73d6`
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/69c1a220a98cf00007667d3e
😎 Deploy Preview	https://deploy-preview-21094--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

codecov · 2026-03-23T20:37:28Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.76%. Comparing base (fb9e1e6) to head (a3f73d6).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #21094      +/-   ##
==========================================
- Coverage   92.82%   92.76%   -0.06%     
==========================================
  Files        1000     1000              
  Lines       56560    56560              
  Branches      425      425              
==========================================
- Hits        52499    52469      -30     
- Misses       4061     4091      +30

Flag	Coverage Δ
conformance	`37.40% <ø> (+<0.01%)`	⬆️
e2e	`42.90% <ø> (-0.01%)`	⬇️
integration	`22.18% <ø> (-0.05%)`	⬇️
rust	`0.23% <ø> (ø)`
unit	`91.71% <ø> (ø)`
unit-migrate	`91.80% <ø> (ø)`

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

This cherry-pick has conflicts that need manual resolution. Original PR: #21094 Original commit: 6aaebf6

authentik-automation · 2026-03-23T21:13:00Z

⚠️ Cherry-pick to version-2025.12 has conflicts: #21095

Bumps [cbor2](https://github.com/agronholm/cbor2) from 5.8.0 to 5.9.0. - [Release notes](https://github.com/agronholm/cbor2/releases) - [Commits](agronholm/cbor2@5.8.0...5.9.0) --- updated-dependencies: - dependency-name: cbor2 dependency-version: 5.9.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

authentik-automation · 2026-03-23T21:13:13Z

🍒 Cherry-pick to version-2026.2 created: #21096

…025.12) (#21095) * Cherry-pick #21094 to version-2025.12 (with conflicts) This cherry-pick has conflicts that need manual resolution. Original PR: #21094 Original commit: 6aaebf6 * fix conflict Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io>

…026.2) (#21096) core: bump cbor2 from 5.8.0 to 5.9.0 (#21094) Bumps [cbor2](https://github.com/agronholm/cbor2) from 5.8.0 to 5.9.0. - [Release notes](https://github.com/agronholm/cbor2/releases) - [Commits](agronholm/cbor2@5.8.0...5.9.0) --- updated-dependencies: - dependency-name: cbor2 dependency-version: 5.9.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* main: core: remove filter_not_expired for QS (#18274) tenants: fix default schema in initial migration (#21114) core: bump django-stubs[compatible-mypy] from 5.2.9 to 6.0.1 (#21099) core, web: update translations (#21097) lifecycle/aws: bump aws-cdk from 2.1112.0 to 2.1113.0 in /lifecycle/aws (#21098) core: bump types-requests from 2.32.4.20260107 to 2.32.4.20260324 (#21100) core: bump constructs from 10.5.1 to 10.6.0 (#21101) core: bump astral-sh/uv from 0.10.12 to 0.11.0 in /lifecycle/container (#21103) ci: bump taiki-e/install-action from 2.69.6 to 2.69.7 in /.github/actions/setup (#21104) web: bump flatted from 3.4.1 to 3.4.2 (#21076) core: bump goauthentik.io/api/v3 to 3.2026.5.0-rc1-1774286095 (#21089) core: bump cbor2 from 5.8.0 to 5.9.0 (#21094) ci: fix cherry-pick action generating empty title (#21091) web: bump the swc group across 1 directory with 11 updates (#21070) web: bump yaml from 2.8.2 to 2.8.3 in /web (#21071) core: add flag for future default behaviour of requiring a binding to access an application (#16247)

dependabot bot added the dependencies Pull requests that update a dependency file label Mar 23, 2026

dependabot bot requested a review from a team as a code owner March 23, 2026 20:27

BeryJu added backport/version-2025.12 Add this label to PRs to backport changes to version-2025.12 backport/version-2026.2 Add this label to PRs to backport changes to version-2026.2 labels Mar 23, 2026

BeryJu approved these changes Mar 23, 2026

View reviewed changes

BeryJu merged commit 6aaebf6 into main Mar 23, 2026
109 checks passed

BeryJu deleted the dependabot/uv/cbor2-5.9.0 branch March 23, 2026 21:12

authentik-automation bot pushed a commit that referenced this pull request Mar 23, 2026

Cherry-pick #21094 to version-2025.12 (with conflicts)

c70bd28

This cherry-pick has conflicts that need manual resolution. Original PR: #21094 Original commit: 6aaebf6

authentik-automation bot mentioned this pull request Mar 23, 2026

core: bump cbor2 from 5.8.0 to 5.9.0 (cherry-pick #21094 to version-2025.12) #21095

Merged

authentik-automation bot mentioned this pull request Mar 23, 2026

core: bump cbor2 from 5.8.0 to 5.9.0 (cherry-pick #21094 to version-2026.2) #21096

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

core: bump cbor2 from 5.8.0 to 5.9.0#21094

core: bump cbor2 from 5.8.0 to 5.9.0#21094
BeryJu merged 1 commit intomainfrom
dependabot/uv/cbor2-5.9.0

dependabot bot commented on behalf of github Mar 23, 2026

Uh oh!

netlify bot commented Mar 23, 2026

Uh oh!

codecov bot commented Mar 23, 2026 •

edited

Loading

Uh oh!

Uh oh!

authentik-automation bot commented Mar 23, 2026

Uh oh!

authentik-automation bot commented Mar 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

dependabot bot commented on behalf of github Mar 23, 2026

5.9.0

Uh oh!

netlify bot commented Mar 23, 2026

✅ Deploy Preview for authentik-docs ready!

Uh oh!

codecov bot commented Mar 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Uh oh!

authentik-automation bot commented Mar 23, 2026

Uh oh!

authentik-automation bot commented Mar 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

codecov bot commented Mar 23, 2026 •

edited

Loading