
fix: Bump ujson minimum version to 5.10.0#787

Merged
joeyzhao2018 merged 2 commits into main from ujson-update on Apr 9, 2026

Conversation

joeyzhao2018 (Contributor) commented Apr 9, 2026

Fixes #786

Changes

pyproject.toml — Split the ujson constraint by Python version:

  • Python 3.8-3.9: >=5.10.0,<5.12.0 (best available; ujson 5.12.0 dropped Python <3.10 support)
  • Python >=3.10: >=5.12.0 (the version that fixes both CVEs)

poetry.lock — Updated the ujson entry to include:

  • ujson 5.12.0 with markers = "python_version >= \"3.10\""
  • ujson 5.10.0 with markers = "python_version < \"3.10\"" (only cp38/cp39 wheels)

This fixes CVE-2026-32874 (memory leak parsing large integers, CVSS 7.5) and CVE-2026-32875 (integer
overflow in indent handling, CVSS 7.5).
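To make the split constraint above checkable, here is an added example (not code from datadog-lambda-python or from ujson) that evaluates the two Python markers and ujson specifiers quoted in the description against a (python_version, ujson_version) pair and reports two separate answers: whether the pair is allowed by the constraint, and whether the ujson version actually contains the fix release. On 3.8/3.9 those answers differ, which is the point the thread is about. It implements only the comparison-operator subset of PEP 440 specifiers that these constraints use; the `CONSTRAINTS` table, the function names and the constructed fallback value in `__main__` are this example's own, and `FIXED_VERSION` is 5.12.0 as stated in the PR text.

```python
"""Evaluate the per-interpreter ujson constraint described in this PR.

Added example; not code from datadog-lambda-python or from ujson.
It implements only the comparison-operator subset of PEP 440
specifiers (==, !=, <, <=, >, >=) that these constraints need.
"""
import operator
import re
import sys
from typing import Dict, Tuple

# The two branches exactly as the PR description states them:
# (Python marker, ujson specifier). The table name is this example's own.
CONSTRAINTS: Tuple[Tuple[str, str], ...] = (
    (">=3.8,<3.10", ">=5.10.0,<5.12.0"),
    (">=3.10", ">=5.12.0"),
)

# First ujson release the PR says fixes CVE-2026-32874 and CVE-2026-32875.
FIXED_VERSION = "5.12.0"

_OPS = {
    "==": operator.eq, "!=": operator.ne, "<": operator.lt,
    "<=": operator.le, ">": operator.gt, ">=": operator.ge,
}
_CLAUSE = re.compile(r"(==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted numeric version -> tuple, zero-padded to 3 parts so that
    '3.10' equals '3.10.0' and '3.10.4' is not considered < '3.10'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def satisfies(version: str, specifier: str) -> bool:
    """True if every comma-separated clause of `specifier` holds for `version`."""
    v = parse_version(version)
    for clause in specifier.split(","):
        m = _CLAUSE.fullmatch(clause.strip())
        if m is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, rhs = m.groups()
        if not _OPS[op](v, parse_version(rhs)):
            return False
    return True


def required_specifier(python_version: str) -> str:
    """Select the ujson specifier whose Python marker matches.

    Exactly one marker must match: overlapping markers would let the
    resolver pick either branch, and a gap would leave ujson unpinned."""
    hits = [spec for marker, spec in CONSTRAINTS if satisfies(python_version, marker)]
    if len(hits) != 1:
        raise ValueError(f"{len(hits)} markers match Python {python_version}")
    return hits[0]


def assess(python_version: str, ujson_version: str) -> Dict[str, object]:
    """Is this ujson version allowed for this interpreter, and does it
    carry the CVE fix? On 3.8/3.9 the answers differ: 5.10.x and 5.11.x
    satisfy the capped range but still predate the fix release."""
    spec = required_specifier(python_version)
    return {
        "specifier": spec,
        "allowed": satisfies(ujson_version, spec),
        "cves_fixed": satisfies(ujson_version, ">=" + FIXED_VERSION),
    }


if __name__ == "__main__":
    py = "%d.%d.%d" % sys.version_info[:3]
    try:
        from importlib.metadata import version  # Python 3.8+
        installed = version("ujson")
    except Exception:  # ujson not installed here: constructed sample value
        installed = "5.10.0"
    print(py, installed, assess(py, installed))
```

Run it inside the Lambda layer's interpreter to see both verdicts for the installed ujson; `allowed` answers "does the lockfile permit this", `cves_fixed` answers "is the advisory actually closed", and only the second one is the security question.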

@joeyzhao2018 joeyzhao2018 requested review from a team as code owners April 9, 2026 13:51
@joeyzhao2018 joeyzhao2018 requested a review from duncanista April 9, 2026 13:51
rithikanarayan (Contributor) left a comment:

lgtm

rithikanarayan (Contributor) left a comment:

approved too quickly, I think we should use 5.12.0 or greater per GHSA-wgvc-ghv9-3pmm

rithikanarayan (Contributor) left a comment:

makes sense

]
ujson = ">=5.9.0"
ujson = [
{version = ">=5.10.0,<5.12.0", python = ">=3.8,<3.10"},
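Review bot: only the `python = ">=3.8,<3.10"` branch of the new `ujson = [` list is in view here; the list must also carry the `>=3.10` entry pinned to `>=5.12.0` that the PR description promises, and the two Python markers must be disjoint and together cover every interpreter the project supports, otherwise one interpreter range ends up with no ujson constraint at all (the old single line `ujson = ">=5.9.0"` at least applied everywhere). Worth stating explicitly, in a comment next to the `<3.10` entry, that `>=5.10.0,<5.12.0` cannot contain the 5.12.0 fix release named in GHSA-wgvc-ghv9-3pmm and in the PR text, so CVE-2026-32874 and CVE-2026-32875 remain open on 3.8/3.9 until that cap is removed together with those interpreters.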
Contributor left a comment on the diff:

Seems like this is the best we can do for Python 3.8 and 3.9 given that v5.12.0 of the ujson library removed support for Python 3.9 ☹️ https://github.com/ultrajson/ultrajson/releases/tag/5.12.0

Contributor left a comment on the diff:

Left this comment to remind us why this is structured this way. Shouldn't be a big deal, especially since we are removing support for 3.8 and 3.9 in two months.

joeyzhao2018 (Contributor, Author) left a comment on the diff:

This is the best we can do because security fixes cannot always guarantee coverage for the older versions.

@joeyzhao2018 joeyzhao2018 merged commit 81d57ac into main Apr 9, 2026
90 of 91 checks passed
@joeyzhao2018 joeyzhao2018 deleted the ujson-update branch April 9, 2026 15:19

Development

Successfully merging this pull request may close these issues.

[URGENT] ujson vulnerable to CVE-2026-32874 and CVE-2026-32875 in Datadog-Python313 Lambda layer

2 participants