Pkgs

python

Version: 3.14.5

The Python programming language

Install package

min add python

Language

Updated last month

Spec hash: d7457cc3…8fd8
Built from: Source
Source archive: Mirrored
Source archive SHA256: 7e32597b…6db6
Dependencies: 8 build · 7 runtime

Quick links

[ Docs ] [ Changelog ] [ Repo ] [ Security ] [ SBOM ]

What is python?

The Python programming language

How to use this package

Quick install

Installs the package into the current environment for this session. Use --build or --runtime to persist it as a build-time or runtime dependency.

min add python

Declare as a task dependency in minimal.toml

Listing the package under tasks.<name>.packages makes it available inside that task’s sandbox.

[tasks.dev]
packages = ["python"]

Build-time vs runtime

Choose build-time for tools needed during compilation, runtime for dynamic libraries loaded at runtime.

min add --build python
min add --runtime python

Dependencies (15)

Dependencies
Name	Version	Kind
base	—	build
bash	5.3	runtime
expat	2.7.5	runtime
gdbm	1.26	build
glibc CVE:3	2.42	runtime
libffi	3.5.2	runtime
make	4.4.1	build
ncurses	6.5-20250830	build
openssl CVE:1	3.6.2	runtime
pkgconf	2.5.1	build
sqlite	3.50.4	build
toolchain	—	build
util-linux	2.42.1	build
xz	5.8.3	runtime
zlib	1.3.2	runtime

Dependants (41)

Dependants
Name	Version
android-sdk	11076708
boost CVE:2	1.91.0-1
bun	1.3.14
cabal	3.12.1.0
cython	3.2.1
deno	2.8.2
diffoscope	306
expect	5.45.4
flit-core	3.12.0
fontconfig	2.17.1
foundationdb	7.3.69
gcloud	568.0.0
ghc	9.10.3
git	2.54.0
glib	2.86.4
glibc CVE:3	2.42
gradle	9.3.1
graphviz	14.1.1
hex-patch	1.12.5
libevent	2.1.12-stable
libglvnd	1.7.0
libxcb	1.17.0
llvm	21.1.8
llvm-bootstrap	21.1.8
mesa	25.3.5
meson	1.10.1
meson-python	0.18.0
mono	6.12.0.206
next	16.2.6
ninja	1.13.2
node	25.8.2
node-lts	24.14.1
numpy	2.3.5
py-build	1.3.0
py-packaging	25.0
pyproject-hooks	1.2.0
pyproject-metadata	0.9.1
rust	1.95.0
setuptools	82.0.1
xcb-proto	1.17.0
z3	4.16.0

Include transitive

Showing 11 advisories, 5 of which are transitive via python's dependencies

Security advisories for this package
	Status	IDs	Package	Version	Severity	Published
Critical ( 1 )
	Under investigation	CVE-2026-7210	python	`3.13.7 – 3.14.5`	Critical: 9.8	last month
Summary `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch. Affected ranges `3.13.7 – 3.14.5` CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
High ( 7 )
	Under investigation	CVE-2026-9669	python	`3.13.7 – 3.14.5`	High	7 days ago
Summary bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data. Affected ranges `3.13.7 – 3.14.5`
	Under investigation	CVE-2026-3087	python	`3.13.7 – 3.14.5`	High: 7.5	2 months ago
Summary If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability. Affected ranges `3.13.7 – 3.14.5` CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`
	Affected: 2.42	CVE-2025-15281	glibc	`2.42`	High: 7.5	5 months ago
Summary No summary published for this advisory. Via: glibc Affected ranges `2.42` CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` References Advisory: http://www.openwall.com/lists/oss-security/2026/01/20/3 Fix: https://sourceware.org/bugzilla/show_bug.cgi?id=33814
	Affected: 2.42	CVE-2026-0915	glibc	`2.42`	High: 7.5	5 months ago
Summary No summary published for this advisory. Via: glibc Affected ranges `2.42` CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` References Report: https://sourceware.org/bugzilla/show_bug.cgi?id=33802 ARTICLE: http://www.openwall.com/lists/oss-security/2026/01/16/6
	Affected: 2.42	CVE-2026-0861	glibc	`2.42`	High: 8.4	5 months ago
Summary No summary published for this advisory. Via: glibc Affected ranges `2.42` CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` References Fix: https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001 , http://www.openwall.com/lists/oss-security/2026/01/16/5 Evidence: https://sourceware.org/bugzilla/show_bug.cgi?id=33796
	Affected: 3.6.2	CVE-2024-6119	openssl	`3.6.0 – 3.6.2`	High: 7.5	2 years ago
Summary No summary published for this advisory. Via: openssl Affected ranges `3.6.0 – 3.6.2` CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` References Advisory: https://openssl-library.org/news/secadv/20240903.txt , https://security.netapp.com/advisory/ntap-20240912-0001/ Fix: https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6 , https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2 , https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0 , https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f ARTICLE: http://www.openwall.com/lists/oss-security/2024/09/03/4 , https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html
	Resolved in 0df65d82dbc41e8da00adb243de5918db532c8a6	OSV-2018-153	openssl	`0df65d82dbc41e8da00adb243de5918db532c8a6, fixed in 0df65d82dbc41e8da00adb243de5918db532c8a6`	High	5 years ago
Summary Heap-buffer-overflow in asn1_ex_i2c Via: openssl Affected ranges `0df65d82dbc41e8da00adb243de5918db532c8a6, fixed in 0df65d82dbc41e8da00adb243de5918db532c8a6` Fixed in: `0df65d82dbc41e8da00adb243de5918db532c8a6` References Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7696
Medium ( 3 )
	Under investigation	CVE-2026-7774	python	`3.13.7 – 3.14.5`	Medium	11 days ago
Summary tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process. Affected ranges `3.13.7 – 3.14.5`
	Under investigation	CVE-2026-3276	python	`3.13.7 – 3.14.5`	Medium	12 days ago
Summary unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms. Affected ranges `3.13.7 – 3.14.5`
	Under investigation	CVE-2026-8328	python	`3.13.7 – 3.14.5`	Medium	last month
Summary The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189. Affected ranges `3.13.7 – 3.14.5`
Low ( 0 )
Unknown ( 0 )

43 components

Software Bill of Materials — every package this build depends on
Packages	Version	Repository	Licence
python ROOT	3.14.5	github.com/python/cpython	Python-2.0.1
acl	2.3.2	https://storage.googleapis.com/minimal-staging-archives/acl-2.3.2.tar.xz MIRROR	(GPL-2.0-only AND LGPL-2.1-only)
attr	2.5.2	https://storage.googleapis.com/minimal-staging-archives/attr-2.5.2.tar.gz MIRROR	(GPL-2.0-only AND LGPL-2.1-only)
bash	5.3	www.gnu.org/software/bash	GPL-3.0-only
bash-bootstrap	5.3	https://storage.googleapis.com/minimal-staging-archives/bash-5.3.tar.gz MIRROR	GPL-3.0-only
binutils	2.46.1	www.gnu.org/software/binutils	(GPL-2.0-only AND GPL-3.0-only AND LGPL-2.0-only)
bison	3.8.2	www.gnu.org/software/bison	GPL-3.0-only
bzip2	1.0.8	github.com/libarchive/bzip2	bzip2-1.0.6
coreutils	9.11	www.gnu.org/software/coreutils	GPL-3.0-only
diffutils	3.12	www.gnu.org/software/diffutils	GPL-3.0-only
expat	2.7.5	github.com/libexpat/libexpat	MIT
file	5.47	https://storage.googleapis.com/minimal-staging-archives/file-5.47.tar.gz MIRROR	BSD-2-Clause-Darwin
findutils	4.10.0	https://storage.googleapis.com/minimal-staging-archives/findutils-4.10.0.tar.xz MIRROR	GPL-3.0-only
flex	2.6.4	github.com/westes/flex	BSD-3-Clause-flex
gawk	5.4.0	www.gnu.org/software/gawk	GPL-3.0-only
gawk-bootstrap	5.3.2	https://storage.googleapis.com/minimal-staging-archives/gawk-5.3.2.tar.xz MIRROR	GPL-3.0-only
gcc	15.2.0	www.gnu.org/software/gcc	(GPL-2.0-only AND GPL-3.0-only AND LGPL-2.1-only)
gdbm	1.26	www.gnu.org/software/gdbm	GPL-3.0-only
glibc	2.42	www.gnu.org/software/glibc	(GPL-2.0-only AND LGPL-2.1-only)
gmp	6.3.0	www.gnu.org/software/gmp	LGPL-3.0-or-later OR GPL-2.0-or-later
grep	3.12	www.gnu.org/software/grep	GPL-3.0-only
gzip	1.14	www.gnu.org/software/gzip	GPL-3.0-only
libcap	2.78	https://storage.googleapis.com/minimal-staging-archives/libcap-2.78.tar.xz MIRROR	BSD-3-Clause OR GPL-2.0-only
libffi	3.5.2	github.com/libffi/libffi	MIT
linux_headers	6.12.43	github.com/torvalds/linux	GPL-2.0-only WITH Linux-syscall-note
lz4	1.10.0	github.com/lz4/lz4	BSD-2-Clause AND GPL-2.0-or-later
m4	1.4.21	www.gnu.org/software/m4	GPL-3.0-only
make	4.4.1	www.gnu.org/software/make	GPL-3.0-only
mpc	1.4.0	www.gnu.org/software/mpc	LGPL-3.0-or-later
mpfr	4.2.2	www.gnu.org/software/mpfr	GPL-3.0-only
ncurses	6.5-20250830	www.gnu.org/software/ncurses	X11-distribute-modifications-variant
openssl	3.6.2	github.com/openssl/openssl	Apache-2.0
pcre2	10.47	github.com/PCRE2Project/pcre2	BSD-3-Clause WITH PCRE2-exception
perl	5.42.0	github.com/Perl/perl5	Artistic-1.0-Perl OR GPL-1.0-or-later
pkgconf	2.5.1	github.com/pkgconf/pkgconf	pkgconf
readline	8.3	www.gnu.org/software/readline	GPL-3.0-only
sed	4.9	www.gnu.org/software/sed	GPL-3.0-only
sqlite	3.50.4	github.com/sqlite/sqlite	blessing
tar	1.35	www.gnu.org/software/tar	GPL-3.0-only
util-linux	2.42.1	github.com/util-linux/util-linux	GPL-2.0-or-later AND LGPL-2.1-or-later AND BSD-3-Clause
xz	5.8.3	github.com/tukaani-project/xz	(0BSD AND GPL-2.0-only AND GPL-3.0-only AND LGPL-2.1-only)
zlib	1.3.2	github.com/madler/zlib	Zlib
zstd	1.5.7	github.com/facebook/zstd	BSD-3-Clause OR GPL-2.0-only

python

Install package

Quick links

What is python?

How to use this package

Quick install

Declare as a task dependency in minimal.toml

Build-time vs runtime

Dependencies (15)

Dependants (41)

Summary

Affected ranges

Summary

Affected ranges

Summary

Affected ranges

Summary

Affected ranges

References

Summary

Affected ranges

References

Summary

Affected ranges

References

Summary

Affected ranges

References

Summary

Affected ranges

References

Summary

Affected ranges

Summary

Affected ranges

Summary

Affected ranges

43 components