Security: Upgrade pymdown-extensions to 10.21.3 (CVE-2026-46338)#182

Open
scotmatson wants to merge 1 commit into main from security/upgrade-pymdown-extensions-cve-2026-46338-clean

Conversation

Contributor

scotmatson commented May 21, 2026

Summary

Upgrades pymdown-extensions from 10.21.2 to 10.21.3 to address CVE-2026-46338, a medium-severity path traversal vulnerability in the snippets preprocessor.

Origin: This security issue was surfaced by Dependabot alert #13.

Risk Assessment

Actual exposure: MINIMAL

  • The vulnerable pymdownx.snippets feature is enabled but not used (zero instances in docs)
  • Default configuration (restrict_base_path: true) provides protection
  • No secrets or sensitive files in repository root
  • Code review process would catch malicious snippet syntax

Vulnerability Details

CVE: CVE-2026-46338 / GHSA-62q4-447f-wv8h
Affected: pymdown-extensions 10.0.1 - 10.21.2
Fixed in: 10.21.3 (released 2026-05-13)
Dependabot alert: #13

Technical issue: Path traversal in pymdownx.snippets preprocessor allows reading files outside base_path using sibling prefix bypass. The vulnerable code uses filename.startswith(base) for path containment checks, which doesn't enforce directory boundaries. This allows snippet directives like --8<-- "../docs_secret/file.txt" to bypass restrict_base_path settings and read files from sibling directories that share the same prefix (e.g., docs vs docs_secret).

Attack scenario:

  1. Attacker contributes a PR with malicious markdown containing: --8<-- "../sensitive_dir/secrets.txt"
  2. During docs build, the snippet preprocessor reads the file
  3. Sensitive content gets embedded in generated HTML
  4. HTML is published to GitHub Pages, exposing secrets

Impact: Arbitrary file read within the host filesystem, bounded by prefix matching. In CI/CD contexts, could expose secrets or sensitive files in documentation builds.

Testing

  • ✅ Clean rebase from latest main (eec1379)
  • ✅ Documentation builds successfully (mkdocs build --strict)
  • ✅ Only uv.lock changed (no merge conflicts)
  • ✅ Sanity tests pass locally
  • ✅ Pre-commit hooks pass (ruff format, ruff lint, interrogate)
  • ✅ CI will run full test suite (6,772+ tests with ≥90% coverage)

Changes

  • uv.lock: pymdown-extensions 10.21.2 → 10.21.3
  • Single patch version bump, no breaking changes expected
  • Transitive dependency via mkdocs-material (no pyproject.toml changes needed)

Post-Merge Actions

References

Addresses path traversal vulnerability in pymdownx.snippets preprocessor
that allows reading files outside base_path using sibling prefix bypass.

Risk assessment: MINIMAL
- Snippets extension is enabled but not used (zero instances of --8<--)
- Default restrict_base_path configuration is safe
- No secrets or sensitive files in repository root

Testing performed:
- Documentation builds successfully with strict mode
- Sanity tests pass (30 tests in 0.14s)
- Pre-commit hooks pass (ruff format, ruff lint, interrogate)
- Site structure unchanged (only timestamps differ)

Full test suite will run in CI (6,772+ tests with 90%+ coverage).

References:
- CVE-2026-46338
- GHSA-62q4-447f-wv8h
- Dependabot alert #13
- pymdown-extensions 10.21.3 release (2026-05-13)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
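The sibling-prefix flaw the description attributes to the snippets preprocessor, reduced to a runnable comparison. This is an added illustration, not code from pymdown-extensions or from this PR: `is_within_base_vulnerable` models a `startswith`-style containment check, `is_within_base_hardened` a component-aware one, and `audit_snippet_directives` scans markdown for `--8<--` directives the way a reviewer could confirm the "zero instances" claim. The base path and sample markdown are constructed.

```python
import posixpath
import re

# Matches the snippet directive form quoted in the PR description.
SNIPPET_DIRECTIVE = re.compile(r'--8<--\s*"([^"]+)"')

# Constructed sample page; not taken from the repository's docs.
SAMPLE_MARKDOWN = """\
# Overview
--8<-- "includes/intro.md"
--8<-- "../docs_secret/file.txt"
"""


def resolve(base_path: str, snippet_path: str) -> tuple[str, str]:
    """Normalise both paths lexically (POSIX rules, as in a Linux CI build).
    A filesystem check would also apply os.path.realpath to defeat symlinks;
    this demo stays lexical so it runs without touching disk."""
    base = posixpath.normpath(base_path)
    target = posixpath.normpath(posixpath.join(base, snippet_path))
    return base, target


def is_within_base_vulnerable(base_path: str, snippet_path: str) -> bool:
    """String-prefix containment of the kind the advisory describes:
    /site/docs_secret/... starts with /site/docs, so a sibling directory
    sharing the prefix is accepted."""
    base, target = resolve(base_path, snippet_path)
    return target.startswith(base)


def is_within_base_hardened(base_path: str, snippet_path: str) -> bool:
    """Component-aware containment: the common path of base and target
    must be the base directory itself, so docs_secret is rejected."""
    base, target = resolve(base_path, snippet_path)
    try:
        return posixpath.commonpath([base, target]) == base
    except ValueError:  # mixing absolute and relative paths
        return False


def audit_snippet_directives(markdown: str, base_path: str) -> list[tuple[str, bool, bool]]:
    """Return (path, allowed_by_prefix_check, allowed_by_hardened_check) for
    every --8<-- directive, to confirm a docs tree has none or only in-tree ones."""
    return [
        (path,
         is_within_base_vulnerable(base_path, path),
         is_within_base_hardened(base_path, path))
        for path in SNIPPET_DIRECTIVE.findall(markdown)
    ]
```

Running `audit_snippet_directives(SAMPLE_MARKDOWN, "/site/docs")` shows the in-tree include accepted by both checks and the sibling-directory path accepted only by the prefix check.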
@scotmatson scotmatson requested a review from jaredmixpanel May 21, 2026 17:14