Bump cbor2 from 5.4.6 to 5.9.0 in /verifiers-reference-implementation/python-server

[dependabot]

Bumps cbor2 from 5.4.6 to 5.9.0.

Release notes

Sourced from cbor2's releases.

5.9.0

• Added the max_depth decoder parameter to limit the maximum allowed nesting level of containers, with a default value of 400 levels (CVE-2026-26209)
• Changed the default read_size from 4096 to 1 for backwards compatibility. The buffered reads introduced in 5.8.0 could cause issues when code needs to access the stream position after decoding. Users can opt-in to faster decoding by passing read_size=4096 when they don't need to access the stream directly after decoding. Added a direct read path for read_size=1 to avoid buffer management overhead. (#275; PR by @​andreer)
• Fixed C encoder not respecting string referencing when encoding string-type datetimes (tag 0) (#254)
• Fixed a missed check for an exception in the C implementation of CBOREncoder.encode_shared() (#287)
• Fixed two reference/memory leaks in the C extension's long string decoder (#290 PR by @​killiancowan82)
• Fixed C decoder ignoring the str_errors setting when decoding strings, and improved string decoding performance by using stack allocation for small strings and eliminating unnecessary conditionals. Benchmarks show 9-17% faster deserialization. (#255; PR by @​andreer)

5.8.0

• Added readahead buffering to C decoder for improved performance. The decoder now uses a 4 KB buffer by default to reduce the number of read calls. Benchmarks show 20-140% performance improvements for decoding operations. (#268; PR by @​andreer)
• Fixed Python decoder not preserving share index when decoding array items containing nested shareable tags, causing shared references to resolve to wrong objects (#267; PR by @​andreer)
• Reset shared reference state at the start of each top-level encode/decode operation (#266; PR by @​andreer)

5.7.1

• Improved performance on decoding large definite bytestrings (#240 <agronholm/cbor2#240>_; PR by @​dwpaley)
• Fixed a read(-1) vulnerability caused by boundary handling error (#264 <agronholm/cbor2#264>_; PR by @​tylzh97)

5.7.0

• Added support for Python 3.14 (no free-threading support yet, sorry)
• Dropped support for Python 3.8 (#247 <agronholm/cbor2#247>_; PR by @​hugovk)
• Added support for encoding indefinite containers (#256 <agronholm/cbor2#256>_; PR by @​CZDanol)
• Added complex number support (tag 43000) (#249 <agronholm/cbor2#249>_; PR by @​chillenb)

5.6.5

• Published binary wheels for Python 3.13

5.6.4

• Fixed compilation of C extension failing on GCC 14
• Fixed compiler warnings when building C extension

5.6.3

• Fixed decoding of epoch-based dates being affected by the local time zone in the C extension

5.6.2

• Fixed __hash__() of the C version of the CBORTag type crashing when there's a recursive reference cycle
• Fixed type annotation for the file object in cbor2.dump(), cbor2.load(), CBOREncoder and CBORDecoder to be IO[bytes] instead of BytesIO
• Worked around a CPython bug that caused a SystemError to be raised, or even a buffer overflow to occur when decoding a long text string that contained only ASCII characters
• Changed the return type annotations of cbor2.load() and cbor2.load() to return Any instead of object so as not to force users to make type casts

5.6.1

• Fixed use-after-free in the decoder's C version when prematurely encountering the end of stream
• Fixed the C version of the decoder improperly raising CBORDecodeEOF when decoding a text string longer than 65536 bytes

5.6.0

• Added the cbor2 command line tool (for pipx run cbor2)
• Added support for native date encoding (bschoenmaeckers)
• Made the C extension mandatory when the environment variable CBOR2_BUILD_C_EXTENSION is set to 1.
• Fixed SystemError in the C extension when decoding a Fractional with a bad number of arguments or a non-tuple value
• Fixed SystemError in the C extension when the decoder object hook raises an exception
• Fixed a segmentation fault when decoding invalid unicode data

... (truncated)

Commits

• 93c5988 Bumped up the version
• d903d62 Updated the max_depth default value in the C function signature
• 2b53b28 Stack allocate small strings (#270)
• a7ac10d Upped the max_depth value to 400
• 54c8ed5 Fixed reference/memory leaks in decode_definite_long_string (#290)
• a8d92dc [pre-commit.ci] pre-commit autoupdate (#289)
• c91aa00 [pre-commit.ci] pre-commit autoupdate (#288)
• 53521e7 Fixed ssize_t to Py_ssize_t
• 94e0d21 Added missing Python counterpart for max_depth
• bcb6cea Added the max_depth decoder parameter
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.