v1.2.0 released on GitHub but not published to PyPI #559

Closed
opened 2026-01-29 20:45:49 +00:00 by claunia · 4 comments
Owner

Originally created by @GeorgeScribehow on GitHub (Nov 4, 2025).

Description

Thank you for releasing v1.2.0 which addresses the DoS vulnerability (CVE-2025-6176)!

However, it appears that while v1.2.0 was tagged and released on GitHub on October 27, 2024, it has not been published to PyPI. The latest version available on PyPI is still 1.1.0:

$ pip index versions brotli
Available versions: 1.1.0, 1.0.9, 1.0.8, 1.0.7, ...

Impact

This means users cannot easily upgrade to the patched version using standard Python package managers (pip, poetry, etc.). Many users rely on PyPI for security updates, and the current situation requires:

  • Installing from GitHub source (not ideal for production environments)
  • Or remaining on the vulnerable 1.1.0 version

Expected Behavior

Version 1.2.0 should be published to PyPI so users can upgrade via:

pip install --upgrade brotli

Environment

  • GitHub Release: v1.2.0 (October 27, 2024)
  • PyPI Latest: 1.1.0
  • Security Advisory: CVE-2025-6176

Thank you for maintaining this excellent library! 🙏

Originally created by @GeorgeScribehow on GitHub (Nov 4, 2025). ### Description Thank you for releasing v1.2.0 which addresses the DoS vulnerability (CVE-2025-6176)! However, it appears that while v1.2.0 was tagged and released on GitHub on October 27, 2024, it has not been published to PyPI. The latest version available on PyPI is still 1.1.0: ```bash $ pip index versions brotli Available versions: 1.1.0, 1.0.9, 1.0.8, 1.0.7, ... ``` ### Impact This means users cannot easily upgrade to the patched version using standard Python package managers (pip, poetry, etc.). Many users rely on PyPI for security updates, and the current situation requires: - Installing from GitHub source (not ideal for production environments) - Or remaining on the vulnerable 1.1.0 version ### Expected Behavior Version 1.2.0 should be published to PyPI so users can upgrade via: ```bash pip install --upgrade brotli ``` ### Environment - **GitHub Release**: v1.2.0 (October 27, 2024) - **PyPI Latest**: 1.1.0 - **Security Advisory**: CVE-2025-6176 Thank you for maintaining this excellent library! 🙏
Author
Owner

@darren-onda commented on GitHub (Nov 4, 2025):

One of the maintainers is trying to get access to pypi.org to carry out the deployment - https://github.com/google/brotli/issues/1327#issuecomment-3479462458

@darren-onda commented on GitHub (Nov 4, 2025): One of the maintainers is trying to get access to pypi.org to carry out the deployment - https://github.com/google/brotli/issues/1327#issuecomment-3479462458
Author
Owner

@kelvin-j-li commented on GitHub (Nov 6, 2025):

Version 1.2.0 is now available in pypi.org - https://pypi.org/project/brotli/

pip3 index versions brotli
brotli (1.2.0)
Available versions: 1.2.0, 1.1.0, 1.0.9, 1.0.8, 1.0.7, 1.0.6, 1.0.4, 1.0.1, 0.6.0, 0.5.2

However, Snyk seems to be behind, it still flags on CVE-2025-6176

https://security.snyk.io/vuln/SNYK-PYTHON-BROTLI-13821834

How to fix?
A fix was pushed into the master branch but not yet published.

My guess it will take a few more days for Snyk to recognise the fix. Anyone knows?

@kelvin-j-li commented on GitHub (Nov 6, 2025): Version 1.2.0 is now available in pypi.org - https://pypi.org/project/brotli/ pip3 index versions brotli brotli (1.2.0) Available versions: **1.2.0**, 1.1.0, 1.0.9, 1.0.8, 1.0.7, 1.0.6, 1.0.4, 1.0.1, 0.6.0, 0.5.2 However, Snyk seems to be behind, it still flags on [CVE-2025-6176](https://www.cve.org/CVERecord?id=CVE-2025-6176) https://security.snyk.io/vuln/SNYK-PYTHON-BROTLI-13821834 How to fix? A fix was pushed into the master branch but not yet published. My guess it will take a few more days for Snyk to recognise the fix. Anyone knows?
Author
Owner

@kelvin-j-li commented on GitHub (Nov 6, 2025):

Open a case with Snyk.

A few hours later, Snky confirmed that CVE-2025-6176 is indeed fixed in Brotli-1.2.0

And Snyk database is also updated - https://security.snyk.io/vuln/SNYK-PYTHON-BROTLI-13821834

How to fix?
Upgrade brotli to version 1.2.0 or higher.

@kelvin-j-li commented on GitHub (Nov 6, 2025): Open a case with Snyk. A few hours later, Snky confirmed that CVE-2025-6176 is indeed fixed in Brotli-1.2.0 And Snyk database is also updated - https://security.snyk.io/vuln/SNYK-PYTHON-BROTLI-13821834 How to fix? **Upgrade brotli to version 1.2.0 or higher.**
Author
Owner

@calderwoodra commented on GitHub (Nov 6, 2025):

this is fixed now, thanks

@calderwoodra commented on GitHub (Nov 6, 2025): this is fixed now, thanks
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/brotli#559