Decode IDNA labels in non-leading host positions #1018
Refs pydantic#979, kjd/idna#248. Co-Authored-By: Abdulmumin Yaqeen <abdulmuminyqn@gmail.com>
Merging this PR will not alter performance
1 issue found across 5 files
| default-groups = ["dev", "docs", "bench"] | ||
| required-version = ">=0.8.6" | ||
| exclude-newer = "7 days" | ||
| exclude-newer-package = { idna = "2026-06-03T00:00:00Z" } |
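Review bot: the added `exclude-newer-package = { idna = "2026-06-03T00:00:00Z" }` line carries no comment saying why idna is exempted from the `exclude-newer = "7 days"` window set directly above it, or when the exemption should be removed. A fixed timestamp keeps applying after the rolling window would have admitted the intended release on its own, so later idna releases, security fixes included, stay excluded until someone deletes the line. Suggest a TOML comment on that line naming the idna release it is meant to admit and the date after which the override can be dropped, plus a tracking issue for the removal.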
P2: exclude-newer-package uses a hardcoded timestamp that will permanently cap idna versions after the temporary workaround period expires
<file context>
@@ -3,6 +3,7 @@ package = false
default-groups = ["dev", "docs", "bench"]
required-version = ">=0.8.6"
exclude-newer = "7 days"
+exclude-newer-package = { idna = "2026-06-03T00:00:00Z" }
[tool.uv.workspace]
</file context>
Kludex
left a comment
Given that idna was vulnerable in versions <3.15, per GHSA-65pc-fj4g-8rjx, I'll assume that bumping is fine for everybody.
I don't think anyone sets upper-bound constraints on idna.
Supersedes #979 — uses the new `idna.decode(..., display=True)` added in idna 3.18 (kjd/idna#248, kjd/idna@1a5bf80, released 2026-06-02), so the per-label recovery lives in idna where Kludex preferred it.

AI-assisted: change drafted by Claude under my review.