
Releases: ActiveState/filelock

3.1.0+security.1

10 Jun 21:17
f643739


ActiveState security release on the filelock 3.1.0 line — the last Python-2.7-compatible filelock (3.2.x+ are Py3-only). Version is setuptools-scm-derived from this tag.

Security

  • CVE-2025-68146 / GHSA-w853-jp5j-5j7f (High) — TOCTOU symlink attack: the lock file was opened with O_CREAT|O_TRUNC and no O_NOFOLLOW, so a symlink planted at the lock path was followed and its target truncated (arbitrary file truncation), on both Unix and Windows. Patched by backporting the upstream 3.20.1 mitigation: O_NOFOLLOW on the Unix and Soft lock opens, and reparse-point (symlink/junction) refusal on Windows. Regression test added; 25/25 tests pass on Python 2.7; a symlink smoke test confirms the target is no longer truncated (ELOOP).
  • CVE-2026-22701 / GHSA-qmgc-5h2g-mvrw: Not applicable to 3.1.0. The vulnerable SoftFileLock pre-check→open race does not exist here (no raise_on_not_writable_file(), and the soft lock opens with O_CREAT|O_EXCL). NVD lists no lower version bound, so scanners may flag it; documented as not-applicable by code.
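
The pre-patch open pattern and the O_NOFOLLOW mitigation from the first item above, as an added illustration that is not code from ActiveState/filelock or upstream filelock. It assumes a POSIX host (os.O_NOFOLLOW, os.symlink) and plants a symlink inside a throwaway temp directory to show that only the unpatched open truncates the symlink's target, while the hardened open fails with ELOOP:

```python
"""Constructed illustration of the filelock 3.1.0 TOCTOU symlink issue and
its O_NOFOLLOW fix. Not filelock's own code; assumes POSIX semantics."""
import errno
import os
import tempfile


def open_lock_unsafe(lock_path):
    """Pre-patch pattern: O_CREAT|O_TRUNC without O_NOFOLLOW. A symlink at
    lock_path is followed and whatever it points at is truncated."""
    return os.open(lock_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)


def open_lock_hardened(lock_path):
    """Patched pattern: O_NOFOLLOW makes the kernel reject a symlink in the
    final path component with ELOOP instead of following it, so the target
    file is never opened, let alone truncated."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    return os.open(lock_path, flags, 0o644)


def symlink_smoke_test(opener):
    """Plant a symlink where the lock file would be created, run `opener` on
    it, and report (size of the symlink's target afterwards, errno name or
    None). Everything lives in a temp directory that is removed on exit."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.txt")     # constructed target file
        lock_path = os.path.join(tmp, "app.lock")    # where the lock would go
        with open(victim, "wb") as fh:
            fh.write(b"important data")              # 14 bytes of sample content
        os.symlink(victim, lock_path)                # symlink planted at lock path

        raised = None
        try:
            fd = opener(lock_path)
        except OSError as exc:
            raised = errno.errorcode.get(exc.errno)  # e.g. "ELOOP"
        else:
            os.close(fd)
        return os.path.getsize(victim), raised


if __name__ == "__main__":
    print("unsafe  :", symlink_smoke_test(open_lock_unsafe))    # (0, None)
    print("hardened:", symlink_smoke_test(open_lock_hardened))  # (14, 'ELOOP')
```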

Maintenance branch 3.1.0.x (from the upstream 3.1.0 tag). Merged via #1.

Jira: DE-8131 (release), DE-8132 (CVE-2025-68146, Done), DE-8133 (CVE-2026-22701, Won't Do).