v1.2.0 released on GitHub but not published to PyPI

[GeorgeScribehow]

Description

Thank you for releasing v1.2.0 which addresses the DoS vulnerability (CVE-2025-6176)!

However, it appears that while v1.2.0 was tagged and released on GitHub on October 27, 2024, it has not been published to PyPI. The latest version available on PyPI is still 1.1.0:

$ pip index versions brotli
Available versions: 1.1.0, 1.0.9, 1.0.8, 1.0.7, ...

Impact

This means users cannot easily upgrade to the patched version using standard Python package managers (pip, poetry, etc.). Many users rely on PyPI for security updates, and the current situation requires:

• Installing from GitHub source (not ideal for production environments)
• Or remaining on the vulnerable 1.1.0 version

Expected Behavior

Version 1.2.0 should be published to PyPI so users can upgrade via:

pip install --upgrade brotli

Environment

• GitHub Release: v1.2.0 (October 27, 2024)
• PyPI Latest: 1.1.0
• Security Advisory: CVE-2025-6176

Thank you for maintaining this excellent library! 🙏

[darren-onda]

One of the maintainers is trying to get access to pypi.org to carry out the deployment - #1327 (comment)

[kelvin-j-li]

Version 1.2.0 is now available in pypi.org - https://pypi.org/project/brotli/

pip3 index versions brotli
brotli (1.2.0)
Available versions: 1.2.0, 1.1.0, 1.0.9, 1.0.8, 1.0.7, 1.0.6, 1.0.4, 1.0.1, 0.6.0, 0.5.2

However, Snyk seems to be behind, it still flags on CVE-2025-6176

https://security.snyk.io/vuln/SNYK-PYTHON-BROTLI-13821834

How to fix?
A fix was pushed into the master branch but not yet published.

My guess it will take a few more days for Snyk to recognise the fix. Anyone knows?

[kelvin-j-li]

Open a case with Snyk.

A few hours later, Snky confirmed that CVE-2025-6176 is indeed fixed in Brotli-1.2.0

And Snyk database is also updated - https://security.snyk.io/vuln/SNYK-PYTHON-BROTLI-13821834

How to fix?
Upgrade brotli to version 1.2.0 or higher.

[calderwoodra]

this is fixed now, thanks