Update used marshmallow version according to CVE-2025-68480 (#448)

whyscream · sloria · web-flow · commit 03c2e94c5fd4 · 2026-01-07T20:24:51.000-05:00
* Set the marshmallow dependency to the fixed version from CVE-2025-68480 Ref: GHSA-428g-f7cq-pgp5 * Update uv lockfile * Update the lowest marshmallow versions used in tests * Update changelog --------- Co-authored-by: Steven Loria <git@stevenloria.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
 
+## next
+
+Other changes:
+
+- Update lowest supported marshmallow version to 3.26.2 ([#448](https://github.com/sloria/environs/pull/448)).
+  Thanks [whyscream](https://github.com/whyscream) for the PR.
+
 ## 14.5.0 (2025-11-02)
 
 Features:
diff --git a/pyproject.toml b/pyproject.toml
@@ -19,7 +19,7 @@ classifiers = [
 requires-python = ">=3.10"
 dependencies = [
   "python-dotenv",
-  "marshmallow>=3.18.0",
+  "marshmallow>=3.26.2",
   "typing-extensions; python_version < '3.11'",
 ]
 
diff --git a/tox.ini b/tox.ini
@@ -7,17 +7,16 @@ envlist=
 [testenv]
 extras = tests
 deps =
-    marshmallowlowest: marshmallow==3.18.0;python_version<"3.12"
-    marshmallowlowest: marshmallow==3.20.2;python_version>="3.12"
-    marshmallow3: marshmallow>=3.18.0,<4.0.0
+    marshmallowlowest: marshmallow==3.26.2;python_version<"3.12"
+    marshmallow3: marshmallow>=3.26.2,<4.0.0
     marshmallowdev: https://github.com/marshmallow-code/marshmallow/archive/dev.tar.gz
 commands = pytest {posargs}
 
 [testenv:mypy-marshmallow3]
 extras = django
 deps =
     mypy
-    marshmallow>=3.13.0,<4.0.0
+    marshmallow>=3.26.2,<4.0.0
 commands = mypy
 
 [testenv:mypy-marshmallowdev]
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ classifiers = [`
`19`	`19`	`requires-python = ">=3.10"`
`20`	`20`	`dependencies = [`
`21`	`21`	`"python-dotenv",`
`22`		`- "marshmallow>=3.18.0",`
	`22`	`+ "marshmallow>=3.26.2",`
`23`	`23`	`"typing-extensions; python_version < '3.11'",`
`24`	`24`	`]`
`25`	`25`