PyPI - marshmallow - Versions diffs - 4.1.1__tar.gz → 4.1.2__tar.gz - Mend

marshmallow 4.1.1tar.gz → 4.1.2tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (92) hide show

{marshmallow-4.1.1 → marshmallow-4.1.2}/CHANGELOG.rst RENAMED Viewed

@@ -1,6 +1,14 @@
 Changelog
 ---------
+4.1.2 (2025-12-19)
+++++++++++++++++++
+Bug fixes:
+- :cve:`CVE-2025-68480`: Merge error store messages without rebuilding collections.
+  Thanks 카푸치노 for reporting and :user:`deckar01` for the fix.
 4.1.1 (2025-11-05)
 ++++++++++++++++++

{marshmallow-4.1.1 → marshmallow-4.1.2}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: marshmallow
-Version: 4.1.1
+Version: 4.1.2
 Summary: A lightweight library for converting complex datatypes to and from native Python datatypes.
 Author-email: Steven Loria <oss@stevenloria.com>
 Maintainer-email: Steven Loria <oss@stevenloria.com>, Jérôme Lafréchoux <jerome@jolimont.fr>, Jared Deckard <jared@shademaps.com>

{marshmallow-4.1.1 → marshmallow-4.1.2}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "marshmallow"
-version = "4.1.1"
+version = "4.1.2"
 description = "A lightweight library for converting complex datatypes to and from native Python datatypes."
 readme = "README.rst"
 license = { file = "LICENSE" }

{marshmallow-4.1.1 → marshmallow-4.1.2}/src/marshmallow/error_store.py RENAMED Viewed

@@ -18,6 +18,7 @@ class ErrorStore:
         # field error  -> store/merge error messages under field name key
         # schema error -> if string or list, store/merge under _schema key
         #              -> if dict, store/merge with other top-level keys
+        messages = copy_containers(messages)
         if field_name != SCHEMA or not isinstance(messages, dict):
             messages = {field_name: messages}
         if index is not None:
@@ -25,6 +26,14 @@ class ErrorStore:
         self.errors = merge_errors(self.errors, messages)
+def copy_containers(errors):
+    if isinstance(errors, list):
+        return [copy_containers(val) for val in errors]
+    if isinstance(errors, dict):
+        return {key: copy_containers(val) for key, val in errors.items()}
+    return errors
 def merge_errors(errors1, errors2):  # noqa: PLR0911
     """Deeply merge two error messages.
@@ -37,24 +46,26 @@ def merge_errors(errors1, errors2):  # noqa: PLR0911
         return errors1
     if isinstance(errors1, list):
         if isinstance(errors2, list):
-            return errors1 + errors2
+            errors1.extend(errors2)
+            return errors1
         if isinstance(errors2, dict):
-            return dict(errors2, **{SCHEMA: merge_errors(errors1, errors2.get(SCHEMA))})
-        return [*errors1, errors2]
+            errors2[SCHEMA] = merge_errors(errors1, errors2.get(SCHEMA))
+            return errors2
+        errors1.append(errors2)
+        return errors1
     if isinstance(errors1, dict):
-        if isinstance(errors2, list):
-            return dict(errors1, **{SCHEMA: merge_errors(errors1.get(SCHEMA), errors2)})
         if isinstance(errors2, dict):
-            errors = dict(errors1)
             for key, val in errors2.items():
-                if key in errors:
-                    errors[key] = merge_errors(errors[key], val)
+                if key in errors1:
+                    errors1[key] = merge_errors(errors1[key], val)
                 else:
-                    errors[key] = val
-            return errors
-        return dict(errors1, **{SCHEMA: merge_errors(errors1.get(SCHEMA), errors2)})
+                    errors1[key] = val
+            return errors1
+        errors1[SCHEMA] = merge_errors(errors1.get(SCHEMA), errors2)
+        return errors1
     if isinstance(errors2, list):
         return [errors1, *errors2]
     if isinstance(errors2, dict):
-        return dict(errors2, **{SCHEMA: merge_errors(errors1, errors2.get(SCHEMA))})
+        errors2[SCHEMA] = merge_errors(errors1, errors2.get(SCHEMA))
+        return errors2
     return [errors1, errors2]

{marshmallow-4.1.1 → marshmallow-4.1.2}/tests/test_error_store.py RENAMED Viewed

@@ -1,7 +1,7 @@
 from typing import NamedTuple
 from marshmallow import missing
-from marshmallow.error_store import merge_errors
+from marshmallow.error_store import ErrorStore, merge_errors
 def test_missing_is_falsy():
@@ -149,3 +149,19 @@ class TestMergeErrors:
         assert merge_errors(
             {"field1": {"field2": "error1"}}, {"field1": {"field2": "error2"}}
         ) == {"field1": {"field2": ["error1", "error2"]}}
+    def test_list_not_changed(self):
+        store = ErrorStore()
+        message = ["foo"]
+        store.store_error(message)
+        store.store_error(message)
+        assert message == ["foo"]
+        assert store.errors == {"_schema": ["foo", "foo"]}
+    def test_dict_not_changed(self):
+        store = ErrorStore()
+        message = {"foo": ["bar"]}
+        store.store_error(message)
+        store.store_error(message)
+        assert message == {"foo": ["bar"]}
+        assert store.errors == {"foo": ["bar", "bar"]}