github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-08 21:09:41 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[PR #22027] [CLOSED] chore(deps): bump nltk from 3.9.2 to 3.9.3 #65276

New Issue
Closed
opened 2026-05-06 11:03:57 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-05-06 11:03:57 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/22027
Author: @dependabot[bot]
Created: 3/1/2026
Status: Closed

Base: devHead: dependabot/uv/dev/nltk-3.9.3

📝 Commits (1)

  • 0f636b1 chore(deps): bump nltk from 3.9.2 to 3.9.3

📊 Changes

3 files changed (+1364 additions, -1009 deletions)

View changed files

📝 backend/requirements.txt (+1 -1)
📝 pyproject.toml (+1 -1)
📝 uv.lock (+1362 -1007)

📄 Description

Bumps nltk from 3.9.2 to 3.9.3.

Changelog

Sourced from nltk's changelog.

Version 3.9.3 2026-02-21

  • Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
  • Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
  • Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
  • Validate external StanfordSegmenter JARs using SHA256 (#3477)
  • Add optional sandbox enforcement for filestring() (#3485)
  • Maintenance: downloader/zipped models, CI/tooling updates

Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith

Version 3.9.2 2025-10-01

  • Update download checksums to use SHA256 in built index
  • Fix percentage escape in new-style string formatting
  • replace shortened URLs using goo.gl
  • Make Wordnet interoperable with various taggers and tagged corpora
  • Fix saving PerceptronTagger
  • Document how to reproduce old Wordnet studies
  • properly initialize Portuguese corpus reader
  • support for mixed rules conversion into Chomsky Normal Form
  • only import tkinter if a GUI is needed
  • issue #2112 with Corenlp
  • new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL
  • Lesk defaults to most frequent sense in case of ties

Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion

Version 3.9.1 2024-08-19

  • Fixed bug that prevented wordnet from loading

Version 3.9 2024-08-18

  • Fix security vulnerability CVE-2024-39705 (breaking change)
  • Replace pickled models (punkt, chunker, taggers) by new pickle-free "_tab" packages
  • No longer sort Wordnet synsets and relations (sort in calling function when required)
  • Only strip the last suffix in Wordnet Morphy, thus restricting synsets() results
  • Add Python 3.12 support
  • Many other minor fixes

Thanks to the following contributors to 3.8.2: Tom Aarsen, Cat Lee Ball, Veralara Bernhard, Carlos Brandt, Konstantin Chernyshev, Michael Higgins, Eric Kafe, Vivek Kalyan, David Lukes, Rob Malouf, purificant, Alex Rudnick, Liling Tan, Akihiro Yamazaki.

Version 3.8.1 2023-01-02

  • Resolve RCE vulnerability in localhost WordNet Browser (#3100)

... (truncated)

Commits
  • 4154eb8 Merge pull request #3503 from ekaf/hotfix-3501
  • 7a710cb Prepare release 3.9.3
  • 1056b32 Merge pull request #3468 from HyperPS/fix/secure-unzip-rce
  • 7dc5baa Resolve merge conflict in tag mapping using normalized nltk resource URL
  • 7ef38b8 Merge pull request #3467 from HyperPS/develop
  • b2e1164 Merge pull request #3485 from HyperPS/fix-filestring-sandbox-update
  • ac0ce55 Merge pull request #3480 from HyperPS/fix/filesystem-sandbox-security
  • 603e34d Merge pull request #3479 from HyperPS/fix/corpusreader-path-traversal
  • b63a501 Merge pull request #3477 from HyperPS/fix/stanford-segmenter-rce-sha256
  • df38955 Merge pull request #3494 from ekaf/ewnv
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/22027 **Author:** [@dependabot[bot]](https://github.com/apps/dependabot) **Created:** 3/1/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `dependabot/uv/dev/nltk-3.9.3` --- ### 📝 Commits (1) - [`0f636b1`](https://github.com/open-webui/open-webui/commit/0f636b1ce2c7b59f3fdfa02694c43110b216e02c) chore(deps): bump nltk from 3.9.2 to 3.9.3 ### 📊 Changes **3 files changed** (+1364 additions, -1009 deletions) <details> <summary>View changed files</summary> 📝 `backend/requirements.txt` (+1 -1) 📝 `pyproject.toml` (+1 -1) 📝 `uv.lock` (+1362 -1007) </details> ### 📄 Description Bumps [nltk](https://github.com/nltk/nltk) from 3.9.2 to 3.9.3. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/nltk/nltk/blob/develop/ChangeLog">nltk's changelog</a>.</em></p> <blockquote> <p>Version 3.9.3 2026-02-21</p> <ul> <li>Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (<a href="https://redirect.github.com/nltk/nltk/issues/3468">#3468</a>)</li> <li>Block path traversal/arbitrary reads in nltk.data for protocol-less refs (<a href="https://redirect.github.com/nltk/nltk/issues/3467">#3467</a>)</li> <li>Block path traversal/abs paths in corpus readers and FS pointers (<a href="https://redirect.github.com/nltk/nltk/issues/3479">#3479</a>, <a href="https://redirect.github.com/nltk/nltk/issues/3480">#3480</a>)</li> <li>Validate external StanfordSegmenter JARs using SHA256 (<a href="https://redirect.github.com/nltk/nltk/issues/3477">#3477</a>)</li> <li>Add optional sandbox enforcement for filestring() (<a href="https://redirect.github.com/nltk/nltk/issues/3485">#3485</a>)</li> <li>Maintenance: downloader/zipped models, CI/tooling updates</li> </ul> <p>Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith</p> <p>Version 3.9.2 2025-10-01</p> <ul> <li>Update download checksums to use SHA256 in built index</li> <li>Fix percentage escape in new-style string formatting</li> <li>replace shortened URLs using goo.gl</li> <li>Make Wordnet interoperable with various taggers and tagged corpora</li> <li>Fix saving PerceptronTagger</li> <li>Document how to reproduce old Wordnet studies</li> <li>properly initialize Portuguese corpus reader</li> <li>support for mixed rules conversion into Chomsky Normal Form</li> <li>only import tkinter if a GUI is needed</li> <li>issue <a href="https://redirect.github.com/nltk/nltk/issues/2112">#2112</a> with Corenlp</li> <li>new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL</li> <li>Lesk defaults to most frequent sense in case of ties</li> </ul> <p>Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion</p> <p>Version 3.9.1 2024-08-19</p> <ul> <li>Fixed bug that prevented wordnet from loading</li> </ul> <p>Version 3.9 2024-08-18</p> <ul> <li>Fix security vulnerability CVE-2024-39705 (breaking change)</li> <li>Replace pickled models (punkt, chunker, taggers) by new pickle-free &quot;_tab&quot; packages</li> <li>No longer sort Wordnet synsets and relations (sort in calling function when required)</li> <li>Only strip the last suffix in Wordnet Morphy, thus restricting synsets() results</li> <li>Add Python 3.12 support</li> <li>Many other minor fixes</li> </ul> <p>Thanks to the following contributors to 3.8.2: Tom Aarsen, Cat Lee Ball, Veralara Bernhard, Carlos Brandt, Konstantin Chernyshev, Michael Higgins, Eric Kafe, Vivek Kalyan, David Lukes, Rob Malouf, purificant, Alex Rudnick, Liling Tan, Akihiro Yamazaki.</p> <p>Version 3.8.1 2023-01-02</p> <ul> <li>Resolve RCE vulnerability in localhost WordNet Browser (<a href="https://redirect.github.com/nltk/nltk/issues/3100">#3100</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nltk/nltk/commit/4154eb85e832f266660a09286c7e37e308292284"><code>4154eb8</code></a> Merge pull request <a href="https://redirect.github.com/nltk/nltk/issues/3503">#3503</a> from ekaf/hotfix-3501</li> <li><a href="https://github.com/nltk/nltk/commit/7a710cbc8b914628252e9cf2518afe9ba9b13c80"><code>7a710cb</code></a> Prepare release 3.9.3</li> <li><a href="https://github.com/nltk/nltk/commit/1056b323af6462455571302e766b67cf300aea18"><code>1056b32</code></a> Merge pull request <a href="https://redirect.github.com/nltk/nltk/issues/3468">#3468</a> from HyperPS/fix/secure-unzip-rce</li> <li><a href="https://github.com/nltk/nltk/commit/7dc5baa98f03b4c36300c408a7a66ffc8ea3934f"><code>7dc5baa</code></a> Resolve merge conflict in tag mapping using normalized nltk resource URL</li> <li><a href="https://github.com/nltk/nltk/commit/7ef38b8aa6055ef3f82c7f8da490297cc12032b1"><code>7ef38b8</code></a> Merge pull request <a href="https://redirect.github.com/nltk/nltk/issues/3467">#3467</a> from HyperPS/develop</li> <li><a href="https://github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974"><code>b2e1164</code></a> Merge pull request <a href="https://redirect.github.com/nltk/nltk/issues/3485">#3485</a> from HyperPS/fix-filestring-sandbox-update</li> <li><a href="https://github.com/nltk/nltk/commit/ac0ce55daa487401f8215a409cef50eae6a4ac98"><code>ac0ce55</code></a> Merge pull request <a href="https://redirect.github.com/nltk/nltk/issues/3480">#3480</a> from HyperPS/fix/filesystem-sandbox-security</li> <li><a href="https://github.com/nltk/nltk/commit/603e34d25a2cad4612185ebfa6bc1c0dcfcfb2ab"><code>603e34d</code></a> Merge pull request <a href="https://redirect.github.com/nltk/nltk/issues/3479">#3479</a> from HyperPS/fix/corpusreader-path-traversal</li> <li><a href="https://github.com/nltk/nltk/commit/b63a5014aace4d22fe9a713473d2598d409eece4"><code>b63a501</code></a> Merge pull request <a href="https://redirect.github.com/nltk/nltk/issues/3477">#3477</a> from HyperPS/fix/stanford-segmenter-rce-sha256</li> <li><a href="https://github.com/nltk/nltk/commit/df38955e506a9fcaa8aba006984a11babd87cec0"><code>df38955</code></a> Merge pull request <a href="https://redirect.github.com/nltk/nltk/issues/3494">#3494</a> from ekaf/ewnv</li> <li>Additional commits viewable in <a href="https://github.com/nltk/nltk/compare/3.9.2...3.9.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=nltk&package-manager=uv&previous-version=3.9.2&new-version=3.9.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-06 11:03:57 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#65276
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?