Update dependency pygments to >=2.20.0 [SECURITY] (3.28) - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pygments (changelog)	>=2.15.0 → >=2.20.0

---

CVE-2022-40896 / GHSA-mrwq-x4v8-fh7p / PYSEC-2023-117

More information

Details

A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.

Severity

Unknown

References

• https://pypi.org/project/Pygments/
• https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/
• https://github.com/pygments/pygments/blob/master/pygments/lexers/smithy.py#L61

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).

---

Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching

CVE-2026-4539 / GHSA-5239-wwwm-4pmq

More information

Details

A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Severity

• CVSS Score: 1.9 / 10 (Low)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-4539
• https://github.com/pygments/pygments/issues/3058
• https://github.com/pygments/pygments
• https://vuldb.com/?ctiid.352327
• https://vuldb.com/?id.352327
• https://vuldb.com/?submit.774685

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

pygments/pygments (pygments)

v2.20.0

Compare Source

(released March 29th, 2026)

• New lexers:

  • Rell (#​2914)

• Updated lexers:

  • archetype: Fix catastrophic backtracking in GUID and ID patterns (#​3064)
  • ASN.1: Recognize minus sign and fix range operator (#​3014, #​3060)
  • C++: Add C++26 keywords (#​2955), add integer literal suffixes (#​2966)
  • ComponentPascal: Fix analyse_text (#​3028, #​3032)
  • Coq renamed to Rocq (#​2883, #​2908)
  • Cython: Various improvements (#​2932, #​2933)
  • Debian control: Improve architecture parsing (#​3052)
  • Devicetree: Add support for overlay/fragments (#​3021), add bytestring support (#​3022), fix catastrophic backtracking (#​3057)
  • Fennel: Various improvements (#​2911)
  • Haskell: Handle escape sequences in character literals (#​3069, #​1795)
  • Java: Add module keywords (#​2955)
  • Lean4: Add operators ]', ]?, ]! (#​2946)
  • LESS: Support single-line comments (#​3005)
  • LilyPond: Update to 2.25.29 (#​2974)
  • LLVM: Support C-style comments (#​3023, #​2978)
  • Lua(u): Fix catastrophic backtracking (#​3047)
  • Macaulay2: Update to 1.25.05 (#​2893), 1.25.11 (#​2988)
  • Mathematica: Various improvements (#​2957)
  • meson: Add additional operators (#​2919)
  • MySQL: Update keywords (#​2970)
  • org-Mode: Support both schedule and deadline (#​2899)
  • PHP: Add __PROPERTY__ magic constant (#​2924), add reserved keywords (#​3002)
  • PostgreSQL: Add more keywords (#​2985)
  • protobuf: Fix namespace tokenization (#​2929)
  • Python: Add t-string support (#​2973, #​3009, #​3010)
  • Tablegen: Fix infinite loop (#​2972, #​2940)
  • Tera Term macro: Add commands introduced in v5.3 through v5.6 (#​2951)
  • TOML: Support TOML 1.1.0 (#​3026, #​3027)
  • Turtle: Allow empty comment lines (#​2980)
  • XML: Added .xbrl as file ending (#​2890, #​2891)

• Drop Python 3.8, and add Python 3.14 as a supported version (#​2987, #​3012)

• Various improvements to autopygmentize (#​2894)

• Update onedark style to support more token types (#​2977)

• Update rtt style to support more token types (#​2895)

• Cache entry points to improve performance (#​2979)

• Fix xterm-256 color table (#​3043)

• Fix kwargs dictionary getting mutated on each call (#​3044)

v2.19.2

Compare Source

(released June 21st, 2025)

• Lua: Fix regression introduced in 2.19.0 (#​2882, #​2839)

v2.19.1

Compare Source

(released January 6th, 2025)

• Updated lexers:

  • Ini: Fix quoted string regression introduced in 2.19.0
  • Lua: Fix a regression introduced in 2.19.0

v2.19.0

Compare Source

(released January 5th, 2025)

• New lexers:

  • CodeQL (#​2819)
  • Debian Sources (#​2788, #​2747)
  • Gleam (#​2662)
  • GoogleSQL (#​2820, #​2814)
  • JSON5 (#​2734, #​1880)
  • Maple (#​2763, #​2548)
  • NumbaIR (#​2433)
  • PDDL (#​2799, #​2616)
  • Rego (#​2794)
  • TableGen (#​2751)
  • Vue.js (#​2832)

• Updated lexers:

  • BQN: Various improvements (#​2789)
  • C#: Fix number highlighting (#​986, #​2727), add file keyword (#​2726, #​2805, #​2806), add various other keywords (#​2745, #​2770)
  • CSS: Add revert (#​2766, #​2775)
  • Debian control: Add Change-By field (#​2757)
  • Elip: Improve punctuation handling (#​2651)
  • Igor: Add int (#​2801)
  • Ini: Fix quoted strings with embedded comment characters (#​2767, #​2720)
  • Java: Support functions returning types containing a question mark (#​2737)
  • JavaScript: Support private identiiers (#​2729, #​2671)
  • LLVM: Add splat, improve floating-point number parsing (#​2755)
  • Lua: Improve variable detection, add built-in functions (#​2829)
  • Macaulay2: Update to 1.24.11 (#​2800)
  • PostgreSQL: Add more EXPLAIN keywords (#​2785), handle / (#​2774)
  • S-Lexer: Fix keywords (#​2082, #​2750)
  • TransactSQL: Fix single-line comments (#​2717)
  • Turtle: Fix triple quoted strings (#​2744, #​2758)
  • Typst: Various improvements (#​2724)
  • Various: Add ^ as an operator to Matlab, Octave and Scilab (#​2798)
  • Vyper: Add staticcall and extcall (#​2719)

• Mark file extensions for HTML/XML+Evoque as aliases (#​2743)
• Add a color for Operator.Word to the rrt style (#​2709)
• Fix broken link in the documentation (#​2803, #​2804)
• Drop executable bit where not needed (#​2781)
• Reduce Mojo priority relative to Python in analyze_text (#​2771, #​2772)
• Fix documentation builds (#​2712)
• Match example file names to the lexer's name (#​2713, #​2715)
• Ensure lexer metadata is present (#​2714)
• Search more directories on macOS for fonts (#​2809)
• Improve test robustness (#​2812)

v2.18.0

Compare Source

(released May 4th, 2024)

• New lexers:

  • Janet (#​2557)
  • Lean 4 (#​2618, #​2626)
  • Luau (#​2605)
  • Mojo (#​2691, #​2515)
  • org-mode (#​2628, #​2636)
  • Promela (#​2620)
  • Soong / Android.bp (#​2659)
  • Tact (#​2571)
  • TSX
  • Typst (#​2596)

• Updated lexers:

  • Awk: recognize ternary operator (#​2687)
  • Bash: add openrc alias (#​2599, #​2371)
  • Coq: add keywords, lex more vernacular command arguments, produce
    fewer tokens on heading comments (#​2678)
  • DNS zone files: Fix comment parsing (#​2595)
  • Hy: Support unicode literals (#​1126)
  • Inform6: Update to Inform 6.42 (#​2644)
  • lean: Fix name handling (#​2614)
  • Logtalk: add uninstantiation keyword and recognize
    escape sequences (#​2619)
  • Macaulay2: Update to 1.23 (#​2655)
  • Python: fix highlighting of soft keywords before None/True/False
  • reStructuredText: use Token.Comment for comments instead of
    Comment.Preproc (#​2598)
  • Rust: highlight :, :: and -> as Punctuation
    and whitespace as Whitespace, instead of Text
    in both cases (#​2631)
  • Spice: Add keywords (#​2621)
  • SQL Explain: allow negative numbers (#​2610)
  • Swift: Support multiline strings (#​2681)
  • ThingsDB: add constants and new functions; support template
    strings (#​2624)
  • UL4: support nested <?doc?> and <?note?> tags (#​2597)
  • VHDL: support multi-line comments of VHDL-2008 (#​2622)
  • Wikitext: Remove kk-* in variant_langs (#​2647)
  • Xtend: Add val and var (#​2602)

• New styles:

  • Coffee (#​2609)

• Make background colors in the image formatter work with Pillow 10.0 (#​2623)

• Require Python 3.8. As a result, the importlib-metadata package
  is no longer needed for fast plugin discovery on Python 3.7.
  The plugins extra (used as, e.g., pip install pygments[plugins])
  is kept for backwards compatibility but now has no effect. (#​2601)

• Require the url attribute for lexers inside Pygments, add
  it to many lexers (#​2588)

• Replace Pyflakes linter with Ruff (#​2592)

• Add macOS CI (#​2594)

• Built-in lexers now declare the version of Pygments in which they were
  added in a required version_added lexer attribute, instead of a
  .. versionadded:: directive in the docstring (#​2589, #​2634)

• The url attribute is now required for built-in lexers and
  has been added to all existing lexers (#​2588)

• The RTF formatter supports line number and line highlighting now (#​1217, #​2654)

• Add \sa0 keyword in the RTF formatter (#​1111, #​2607)

• Register pycon as an alias for the Python console lexer (#​2697)

• Add MIME-Type for DesktopLexer (#​2613)

• Fix native style to meet WCAG AA guidelines (#​2600)

• Fix typo in documentation (#​2672)

• Use format strings consistently (#​2661)

• Add __class_getitem__ to Formatter to improve typing support (#​2665)

v2.17.2

Compare Source

(released November 21, 2023)

• Fix a packaging issue on macOS (#​2593)

v2.17.1

Compare Source

(released November 19, 2023)

• Updated lexers:

  • TOML: Fix bug making lexing of single-quoted strings too eager

v2.17.0

Compare Source

(released November 18, 2023)

• New lexers:

  • JSX (#​2524, #​709)
  • Kusto (#​2552)
  • ldaprc (#​2532)
  • LDIF (#​2489)
  • PRQL (#​2507, #​2523, #​2559)
  • Visual Prolog and Visual Prolog Grammar (#​2480)
  • Vyper (#​2531, #​2579)

• Updated lexers:

  • Cypher: fix comment matching, add missing keywords (#​2504)
  • Fortran: add elseif keyword (#​2528)
  • Lean: make it available as lean3, in preparation for
    a possible switch to lean highlighting as Lean 4 (#​2546)
  • JSON: add MIME types and file extensions for several line-delimited
    JSON formats (#​2490)
  • Nix: many improvements (#​2551, #​1800)
  • OCaml: Add and keyword, remove value from keywords (#​2521)
  • Python: add starlark and bazel aliases (#​2517, #​2516)
  • Snowball: Treat len like size (#​2508)
  • Spice: add panic keyword and -> operator (#​2510)
  • squid.conf: fix catastrophic backtracking (#​2583)
  • TOML: rewritten, with many fixes (#​2576)
  • Turtle: support blank nodes (#​2581)
  • Wikitext: fix erroneous highlighting of LanguageConverter markup
    (#​2493), add missing variant languages (#​2494)
  • CMake: support [=[ bracketed arguments ]=] (#​2549)

• Fix ctags support and tests (#​2487)

• Include Lexer.add_filter in the documentation (#​2519)

• Add a Lean3Lexer alias (#​2546)

• The pygments.styles module contains a new STYLES variable
  with a dictionary of built-in styles. The old STYLE_MAP variable,
  which uses a different format, is kept for backwards compatibility.

• On Windows, add a new installation extra (windows-terminal) which pulls in
  dependencies for colored console output. See :doc:cmdline for more details.
  (#​2505)

• Support more file types in autopygmentize script (#​2513)

• Change color of numbers in rrt style (#​2526)

• Fix error when trying to look up plugin formatters by file extension
  of the output format (#​2563)

• Use Hatchling as a build backend instead of setuptools.
  This change is transparent to most users. Distribution packagers
  who build without build isolation need to add hatchling as a build
  dependency and remove setuptools. People downloading source distributions
  and wheels from PyPI directly should note that they now have pygments
  in their file names instead of Pygments. (#​2573)

• Improve the test framework to also check for lost tokens when processing the
  snippets and example files (#​2582.)

• Improve the Dracula style definition to make it easier to maintain (#​2575)

v2.16.1

Compare Source

(released August 6th, 2023)

• Fix native style missing from style list (#​2484)

v2.16.0

Compare Source

(released August 6th, 2023)

• New lexers:

  • ASN.1 (#​2462)
  • Blueprint (#​2434)
  • BQN (#​2472)
  • DNS zone files (#​2464)
  • GraphQL (#​2428)
  • Linux desktop files (following the specification of the
    Freedesktop group, formerly known as XDG) (#​2470)
  • NVIDIA PTX (#​2432)
  • OpenSCAD (#​2449)
  • systemd (#​2470)
  • TLS presentation language (#​2455)
  • Verifpal (#​2430)
  • YARA (#​2453)

• Updated lexers:

  • ASC: Add application/pem-certificate-chain mimetype (#​2471)
  • C/C++: Refine keyword lists (#​2421, #​2422)
  • Carbon: Fix long processing times on invalid input, fix number
    lexing (#​2454, #​2456)
  • Elpi: Handle quotations (#​2419)
  • Go: Support additional built-ins (#​2481)
  • HTTP: Support empty headers (#​2461), support more general methods (#​2460),
    also recognize responses in analyse_text implementation (#​2460), and
    highlight URL encoded data (#​2465, #​1620)
  • Igor Pro: Update to Igor Pro 9 (#​2482)
  • lean: Recognize expressions nested within attributes (#​1817)
  • Macaulay2: Update builtins (#​2457)
  • Markdown: Allow extra characters after language name
    in code blocks (#​2437)
  • NestedText: Update to version 3 (#​2459)
  • scdoc: Improve language guessing implementation (#​2402)
  • Spice: Update to latest version (#​2476)
  • Transact SQL: Add Pre-sorted Group keyword (#​2417)
  • Uxntal: Update for current runes (#​2424)
  • Wikitext: Fix templates in wiki links; fix a language converter false
    positive; add bold italic markup (#​2447)

• Add Generic.EmphStrong token for bold italic markup (#​2444)

• Add Lightbulb style (#​2474)

• Improve contrast in Monokai style (#​2448)

• Add documentation how to create terminal code highlighting commands (#​2131, #​2425)

• Add support for loading TrueType fonts to the ImageFormatter (#​1960)

v2.15.1

Compare Source

(released April 18th, 2023)

• Updated lexers:

  • Java properties: Fix catastrophic backtracking (#​2356, #​2404)

• Fix Python console traceback lexing being too strict
  and sometimes reordering output (#​2407, #​2410, #​2412)

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.