Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: grantjenks/python-diskcache
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: master
Choose a base ref
...
head repository: mapped/python-diskcache
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: master
Choose a head ref
Checking mergeability… Don’t worry, you can still create the pull request.
  • 18 commits
  • 10 files changed
  • 3 contributors

Commits on Jul 6, 2026

  1. Restrict pickle deserialization to safe types (CVE-2025-69872)

    BREAKING CHANGE: Pickle deserialization now only permits safe built-in
    types (builtins, collections, datetime, decimal, fractions, uuid).
    Arbitrary objects can no longer be deserialized from cache, preventing
    code execution via crafted pickle payloads.
    
    Users caching custom types should migrate to JSONDisk or a custom Disk
    subclass. There is no opt-out mechanism by design.
    
    - Add SafeUnpickler with allowlist-based find_class override
    - Add UnpicklingError (inherits pickle.UnpicklingError) for downstream
      compatibility with libraries catching pickle.PickleError
    - Support pickle protocols 0-5 via __builtin__, copy_reg, and _codecs
      allowlist entries
    - Use frozenset values in SAFE_PICKLE_CLASSES to prevent runtime bypass
    - Bump version to 6.0.0 (breaking change per semver)
    
    This takes a different approach to PR #361 (HMAC envelope). The HMAC
    approach still allows arbitrary deserialization once the signature is
    verified, meaning an attacker with read+write access to the cache
    directory can read the auto-generated key file and forge valid
    payloads. The allowlist approach blocks dangerous types regardless of
    filesystem access.
    
    Fixes: CVE-2025-69872
    Closes: #357, #360, #362
    a2811057970 authored and vavsab committed Jul 6, 2026
    Configuration menu
    Copy the full SHA
    da93160 View commit details
    Browse the repository at this point in the history
  2. chore: rename to mapped-diskcache, add PyPI publish CI

    Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
    vavsab and claude committed Jul 6, 2026
    Configuration menu
    Copy the full SHA
    7efeb41 View commit details
    Browse the repository at this point in the history
  3. fix(#868k5bbdr): Fix CI, rename to diskcache3, consolidate workflows

    Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
    vavsab and claude committed Jul 6, 2026
    Configuration menu
    Copy the full SHA
    6bbef0a View commit details
    Browse the repository at this point in the history
  4. fix(#868k5bbdr): Use action-vtl, consolidate to single ci.yml

    Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
    vavsab and claude committed Jul 6, 2026
    Configuration menu
    Copy the full SHA
    ab91014 View commit details
    Browse the repository at this point in the history
  5. fix(#868k5bbdr): Use OIDC for PyPI publish, rename to mapped-diskcache

    Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
    vavsab and claude committed Jul 6, 2026
    Configuration menu
    Copy the full SHA
    b8fe5ee View commit details
    Browse the repository at this point in the history
  6. fix(#868k5bbdr): Update djangocache tests to reflect SafeUnpickler re…

    …strictions
    
    Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
    vavsab and claude committed Jul 6, 2026
    Configuration menu
    Copy the full SHA
    5ed55bf View commit details
    Browse the repository at this point in the history
  7. fix(#868k5bbdr): Add blank lines after inline imports (blue formatter)

    Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
    vavsab and claude committed Jul 6, 2026
    Configuration menu
    Copy the full SHA
    1ff09f5 View commit details
    Browse the repository at this point in the history
  8. Merge pull request #1 from mapped/fix-cve-2025-69872

    Fix CVE-2025-69872: restrict pickle deserialization to safe types
    vavsab authored Jul 6, 2026
    Configuration menu
    Copy the full SHA
    3d9b52c View commit details
    Browse the repository at this point in the history
  9. fix(#868k5bbdr): Publish on push to master

    Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
    vavsab and claude committed Jul 6, 2026
    Configuration menu
    Copy the full SHA
    5eabad2 View commit details
    Browse the repository at this point in the history
  10. Merge pull request #2 from mapped/fix-cve-2025-69872-v2

    fix(#868k5bbdr): Publish on push to master
    vavsab authored Jul 6, 2026
    Configuration menu
    Copy the full SHA
    59116a0 View commit details
    Browse the repository at this point in the history
  11. fix(#868k5bbdr): Set releasesBranch=master, use PEP 440 version output

    Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
    vavsab and claude committed Jul 6, 2026
    Configuration menu
    Copy the full SHA
    01280fc View commit details
    Browse the repository at this point in the history
  12. Merge pull request #3 from mapped/fix-ci-vtl-master

    fix(#868k5bbdr): Set releasesBranch=master, use PEP 440 version output
    vavsab authored Jul 6, 2026
    Configuration menu
    Copy the full SHA
    f93fbc3 View commit details
    Browse the repository at this point in the history
  13. fix(#868k5bbdr): Grant contents:write for action-vtl to create tags

    Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
    vavsab and claude committed Jul 6, 2026
    Configuration menu
    Copy the full SHA
    0dab6fb View commit details
    Browse the repository at this point in the history
  14. Merge pull request #4 from mapped/fix-ci-vtl-permissions

    fix(#868k5bbdr): Grant contents:write for action-vtl to create tags
    vavsab authored Jul 6, 2026
    Configuration menu
    Copy the full SHA
    d07c6d0 View commit details
    Browse the repository at this point in the history
  15. docs(#868k5bbdr): Add fork notice — temporary CVE fix until upstream …

    …merges
    
    Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
    vavsab and claude committed Jul 6, 2026
    Configuration menu
    Copy the full SHA
    4aee2a4 View commit details
    Browse the repository at this point in the history
  16. Merge pull request #5 from mapped/update-readme-fork-notice

    docs(#868k5bbdr): Add fork notice — temporary CVE fix until upstream merges
    vavsab authored Jul 6, 2026
    Configuration menu
    Copy the full SHA
    4225a43 View commit details
    Browse the repository at this point in the history

Commits on Jul 7, 2026

  1. fix(#868k5bbdr): Rename package back to diskcache for git source over…

    …ride
    
    Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
    vavsab and claude committed Jul 7, 2026
    Configuration menu
    Copy the full SHA
    d80fd0c View commit details
    Browse the repository at this point in the history
  2. Merge pull request #6 from mapped/rename-to-diskcache

    fix(#868k5bbdr): Rename package back to diskcache for git source override
    vavsab authored Jul 7, 2026
    Configuration menu
    Copy the full SHA
    4f9a202 View commit details
    Browse the repository at this point in the history
Loading