mirror of
https://github.com/google/brotli.git
synced 2026-07-08 17:56:58 +00:00
v1.2.0 released on GitHub but not published to PyPI #559
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @GeorgeScribehow on GitHub (Nov 4, 2025).
Description
Thank you for releasing v1.2.0 which addresses the DoS vulnerability (CVE-2025-6176)!
However, it appears that while v1.2.0 was tagged and released on GitHub on October 27, 2024, it has not been published to PyPI. The latest version available on PyPI is still 1.1.0:
Impact
This means users cannot easily upgrade to the patched version using standard Python package managers (pip, poetry, etc.). Many users rely on PyPI for security updates, and the current situation requires:
Expected Behavior
Version 1.2.0 should be published to PyPI so users can upgrade via:
Environment
Thank you for maintaining this excellent library! 🙏
@darren-onda commented on GitHub (Nov 4, 2025):
One of the maintainers is trying to get access to pypi.org to carry out the deployment - https://github.com/google/brotli/issues/1327#issuecomment-3479462458
@kelvin-j-li commented on GitHub (Nov 6, 2025):
Version 1.2.0 is now available in pypi.org - https://pypi.org/project/brotli/
pip3 index versions brotli
brotli (1.2.0)
Available versions: 1.2.0, 1.1.0, 1.0.9, 1.0.8, 1.0.7, 1.0.6, 1.0.4, 1.0.1, 0.6.0, 0.5.2
However, Snyk seems to be behind, it still flags on CVE-2025-6176
https://security.snyk.io/vuln/SNYK-PYTHON-BROTLI-13821834
How to fix?
A fix was pushed into the master branch but not yet published.
My guess it will take a few more days for Snyk to recognise the fix. Anyone knows?
@kelvin-j-li commented on GitHub (Nov 6, 2025):
Open a case with Snyk.
A few hours later, Snky confirmed that CVE-2025-6176 is indeed fixed in Brotli-1.2.0
And Snyk database is also updated - https://security.snyk.io/vuln/SNYK-PYTHON-BROTLI-13821834
How to fix?
Upgrade brotli to version 1.2.0 or higher.
@calderwoodra commented on GitHub (Nov 6, 2025):
this is fixed now, thanks