Skip to content

chore(deps): bump garminconnect from 0.3.3 to 0.3.5 in /api#264

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/api/garminconnect-0.3.5
Open

chore(deps): bump garminconnect from 0.3.3 to 0.3.5 in /api#264
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/api/garminconnect-0.3.5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown
Contributor

Bumps garminconnect from 0.3.3 to 0.3.5.

Release notes

Sourced from garminconnect's releases.

Release 0.3.5

What's Changed

This release includes a security fix (please upgrade), major login resilience improvements, two new activity-editing methods, and bug fixes.

🔒 Security

  • Token store hardening (GHSA-wjhr-76vg-2hvc, CWE-732, High). Client.dump() previously wrote garmin_tokens.json under the process umask, leaving it world-readable (0o644) on the default Linux umask. The file holds the DI refresh token, so any local user on a shared host could read it and gain persistent access to the account. Tokens are now written 0o600 inside a 0o700 directory (with O_NOFOLLOW and a defensive chmod), regardless of umask. Affected: ≤ 0.3.4. Patched: 0.3.5. Upgrading is strongly advised for anyone storing tokens on a multi-user system.

✨ Login resilience (fixes #369)

  • In-chain token validation. Each login strategy's token is now verified against the API before the chain accepts it. A token the API rejects (401/403 — an account/region-specific condition) is discarded and the next strategy is tried automatically. Only definitive auth rejections fall through; transient 5xx/network errors never block a working login.
  • Self-healing from poisoned cached tokens. If cached tokens load but the API rejects them, they're discarded and a fresh credential login runs automatically — fixing the long-standing footgun where a stale token cache silently short-circuited the login chain on every run.
  • logout() is now functional (was a deprecated no-op): clears in-memory auth state and removes cached tokens on disk. Callable as g.logout() or g.logout(tokenstore).
  • New verify_login option (Garmin(..., verify_login=False)) to restore the legacy "first token wins" behavior.
  • New skip_strategies on the client to force or skip specific login strategies — useful for diagnosing which auth path works on your account.
  • Cleaner failure handling: explicit Cloudflare 403 / CAPTCHA detection, child/family-account detection, 429 errors preserved through the login wrapper, and no more stack-trace dumps for expected login failures.

🆕 New API methods

  • set_activity_description(activity_id, description) (#367)
  • set_activity_exercise_sets(activity_id, payload) (#368)
  • CN accounts: domain-aware service URLs for authentication (#366)

Both new methods are available in the interactive demo under the new ✏️ Activity Editing menu.

🐛 Fixes

... (truncated)

Commits
  • 4028de8 Update pyproject.toml
  • f74174a Merge commit from fork
  • 77a3837 fix: write token store with owner-only permissions (GHSA-wjhr-76vg-2hvc)
  • d8cf8f7 docs: update API statistics and document resilient login behavior
  • 14bc574 feat: self-healing login — validate tokens & recover from poisoned cache
  • eab98de feat(demo): add Activity Editing menu for set_activity_description / exercise...
  • 6dfc315 chore: add test_strategy.py login diagnostic script
  • f7d8c0c fix: don't dump login traceback at ERROR for expected failures
  • f54b4df fix: detect HTTP 403 Cloudflare challenge before JSON parse in login
  • 7fee7ee feat: detect CAPTCHA_REQUIRED in mobile and portal login handlers
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [garminconnect](https://github.com/cyberjunky/python-garminconnect) from 0.3.3 to 0.3.5.
- [Release notes](https://github.com/cyberjunky/python-garminconnect/releases)
- [Commits](cyberjunky/python-garminconnect@0.3.3...0.3.5)

---
updated-dependencies:
- dependency-name: garminconnect
  dependency-version: 0.3.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies python:uv Pull requests that update python:uv code labels Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants