Bump version: 8.6.0 → 8.6.1 and add security vulnerability notes

- Update version to 8.6.1 across all files
- Add security vulnerability notes to CHANGELOG and README
- Update AUTHORS.md to credit security reporter
- Update documentation with security fix information

Author: seperman

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 8.6.0
+current_version = 8.6.1
 commit = True
 tag = True
 tag_name = {new_version}

AUTHORS.md

@@ -75,3 +75,4 @@ Authors in order of the timeline of their contributions:
 - [dtorres-sf](https://github.com/dtorres-sf) for the fix for moving nested tables when using iterable_compare_func.
 - [Jim Cipar](https://github.com/jcipar) for the fix recursion depth limit when hashing numpy.datetime64
 - [Enji Cooper](https://github.com/ngie-eign) for converting legacy setuptools use to pyproject.toml
+- [Diogo Correia](https://github.com/diogotcorreia) for reporting security vulnerability in Delta and DeepDiff that could allow remote code execution.

CHANGELOG.md

@@ -1,5 +1,9 @@
 # DeepDiff Change log
 
+- v8-6-1
+    - Patched security vulnerability in the Delta class which was vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it could lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization).
+
+
 - v8-6-0
     - Added Colored View thanks to @mauvilsa 
     - Added support for applying deltas to NamedTuple thanks to @paulsc 

CITATION.cff

@@ -5,6 +5,6 @@ authors:
   given-names: "Sep"
   orcid: "https://orcid.org/0009-0009-5828-4345"
 title: "DeepDiff"
-version: 8.6.0
+version: 8.6.1
 date-released: 2024
 url: "https://github.com/seperman/deepdiff"

README.md

@@ -1,4 +1,4 @@
-# DeepDiff v 8.6.0
+# DeepDiff v 8.6.1
 
 ![Downloads](https://img.shields.io/pypi/dm/deepdiff.svg?style=flat)
 ![Python Versions](https://img.shields.io/pypi/pyversions/deepdiff.svg?style=flat)
@@ -17,12 +17,15 @@
 
 Tested on Python 3.9+ and PyPy3.
 
-- **[Documentation](https://zepworks.com/deepdiff/8.6.0/)**
+- **[Documentation](https://zepworks.com/deepdiff/8.6.1/)**
 
 ## What is new?
 
 Please check the [ChangeLog](CHANGELOG.md) file for the detailed information.
 
+DeepDiff 8-6-1
+- Patched security vulnerability in the Delta class which was vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it could lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization).
+
 DeepDiff 8-6-0
 
 - Added Colored View thanks to @mauvilsa 

deepdiff/__init__.py

@@ -1,6 +1,6 @@
 """This module offers the DeepDiff, DeepSearch, grep, Delta and DeepHash classes."""
 # flake8: noqa
-__version__ = '8.6.0'
+__version__ = '8.6.1'
 import logging
 
 if __name__ == '__main__':

docs/authors.rst

@@ -117,6 +117,7 @@ and polars support.
   limit when hashing numpy.datetime64
 - `Enji Cooper <https://github.com/ngie-eign>`__ for converting legacy
   setuptools use to pyproject.toml
+- `Diogo Correia <https://github.com/diogotcorreia>`__ for reporting security vulnerability in Delta and DeepDiff that could allow remote code execution.
 
 
 .. _Sep Dehpour (Seperman): http://www.zepworks.com

docs/changelog.rst

@@ -5,6 +5,9 @@ Changelog
 
 DeepDiff Changelog
 
+- v8-6-1
+   - Patched security vulnerability in the Delta class which was vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it could lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization).
+
 - v8-6-0
    - Added Colored View thanks to @mauvilsa
    - Added support for applying deltas to NamedTuple thanks to @paulsc

docs/conf.py

@@ -64,9 +64,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '8.6.0'
+version = '8.6.1'
 # The full version, including alpha/beta/rc tags.
-release = '8.6.0'
+release = '8.6.1'
 
 load_dotenv(override=True)
 DOC_VERSION = os.environ.get('DOC_VERSION', version)

docs/index.rst

@@ -4,7 +4,7 @@
    contain the root `toctree` directive.
 
 
-DeepDiff 8.6.0 documentation!
+DeepDiff 8.6.1 documentation!
 =============================
 
 *******
@@ -31,6 +31,12 @@ The DeepDiff library includes the following modules:
 What Is New
 ***********
 
+DeepDiff 8-6-1
+--------------
+
+    - Patched security vulnerability in the Delta class which was vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it could lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization).
+
+
 DeepDiff 8-6-0
 --------------