
fix: correct GHSA-4j5j-58j7-6c3w dulwich fixed version 0.9.9 -> 0.10.0 #7482

Merged
advisory-database[bot] merged 1 commit into github:DEVSOG12/advisory-improvement-7482 from DEVSOG12:fix/ghsa-dulwich-4j5j-58j7-6c3w on May 14, 2026

Conversation

@DEVSOG12

git merge-base --is-ancestor 091638be3c89f46f42c3b1d57dc1504af5729176 dulwich-0.9.9 returns false — the fix commit is not in the ancestry of the 0.9.9 release tag. The 0.9.9 artifact on PyPI ships dulwich/index.py byte-identical to the pre-fix state (missing path validation in build_index_from_tree()). The fix first appears in 0.10.0.

  • fixed: "0.9.9" -> fixed: "0.10.0"
  • Updated details prose accordingly
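As an added illustration (not part of this PR or of the advisory database's own tooling) of why the `fixed` event is the boundary that matters here: an OSV-style range evaluator that assumes plain dotted numeric versions and only `introduced`/`fixed` events, run over a constructed list of releases with the advisory's original and corrected `fixed` values.

```python
"""Evaluate OSV-style affected ranges: a version is affected when the
last boundary at or below it is an `introduced` event; `fixed` is exclusive."""
from typing import Dict, List, Tuple

Event = Dict[str, str]


def parse_version(v: str) -> Tuple[int, ...]:
    # Dotted-integer comparison is enough for X.Y.Z tags like dulwich's.
    # Assumption: no pre-release or local suffixes in the inputs checked here.
    return tuple(int(part) for part in v.split("."))


def _bound(ev: Event) -> Tuple[Tuple[int, ...], int]:
    # Sort key: ascending version; at an equal version a `fixed` precedes an
    # `introduced` so a fix-then-reintroduce at one version stays affected.
    if "introduced" in ev:
        ver = () if ev["introduced"] == "0" else parse_version(ev["introduced"])
        return ver, 1
    return parse_version(ev["fixed"]), 0


def is_affected(version: str, events: List[Event]) -> bool:
    v = parse_version(version)
    affected = False
    for ev in sorted(events, key=_bound):
        bound, _ = _bound(ev)
        if bound > v:
            break  # later boundaries cannot apply to this version
        affected = "introduced" in ev
    return affected


def flagged_releases(events: List[Event], releases: List[str]) -> List[str]:
    """Releases an advisory with these range events would report as affected."""
    return [r for r in releases if is_affected(r, events)]


# Constructed release list (a subset of dulwich's tags, for illustration).
RELEASES = ["0.9.8", "0.9.9", "0.9.10", "0.10.0"]
ORIGINAL = [{"introduced": "0"}, {"fixed": "0.9.9"}]    # advisory before this PR
CORRECTED = [{"introduced": "0"}, {"fixed": "0.10.0"}]  # advisory after this PR

if __name__ == "__main__":
    # With the original value 0.9.9 itself is reported as safe, which the PR
    # description says contradicts the shipped artifact.
    print("original :", flagged_releases(ORIGINAL, RELEASES))
    print("corrected:", flagged_releases(CORRECTED, RELEASES))
```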

Copilot AI review requested due to automatic review settings April 21, 2026 22:39
@github-actions github-actions Bot changed the base branch from main to DEVSOG12/advisory-improvement-7482 April 21, 2026 22:39

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the GHSA advisory for dulwich (GHSA-4j5j-58j7-6c3w) to reflect that the first release containing the fix is 0.10.0 rather than 0.9.9, based on ancestry/artifact verification.

Changes:

  • Update affected version range by changing the fixed version from 0.9.9 to 0.10.0
  • Update advisory details text to match the corrected fixed version
  • Refresh the advisory modified timestamp


github-actions Bot commented May 7, 2026

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions Bot added the Stale label May 7, 2026
@yhidad31

Hello @DEVSOG12, thank you for bringing this to our attention. Upon further review, it appears that the fix is actually in version 9.10.0, see the diff here: jelmer/dulwich@dulwich-0.9.9...dulwich-0.9.10. We will update accordingly.

@advisory-database advisory-database Bot merged commit 7d9e71e into github:DEVSOG12/advisory-improvement-7482 May 14, 2026
5 of 6 checks passed
@advisory-database

Hi @DEVSOG12! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
