meson-python

Version: 0.18.0

Meson PEP 517 Python build backend

Install package

min add meson-python

Data

Updated 20 days ago

Supply chain security: 40
Advisories: 10
Quality: 34
Maintenance: 67
Licence: 100

What is "meson-python"?

Meson PEP 517 Python build backend

How to use this package

Quick install

Installs the package into the current environment for this session. Use --build or --runtime to persist it as a build-time or runtime dependency.

min add meson-python

Declare as a task dependency in minimal.toml

Listing the package under tasks.<name>.packages makes it available inside that task’s sandbox.

[tasks.dev]
packages = ["meson-python"]

Build-time vs runtime

Choose build-time for tools needed during compilation, runtime for dynamic libraries loaded at runtime.

min add --build meson-python
min add --runtime meson-python

Compare versions

Dependencies (5)

Dependencies
Name	Version	Kind
base	—	build
meson	1.10.1	runtime
ninja	1.13.2	runtime
pyproject-metadata	0.9.1	runtime
python CVE:6	3.14.6	runtime

Dependency changes

Dependants (1)

Dependants
Name	Version
numpy	2.3.5

No direct advisories

This package inherits 11 transitive advisories from its dependencies.

Include transitive

Showing 11 transitive advisories via meson-python's dependencies

Security advisories for this package
	Status	IDs	Package	Version	Severity	Published
Critical ( 1 )
	Under investigation	CVE-2026-5450	glibc	2.42 – 2.43	Critical: 9.8	2 months ago
Summary Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow. Via python glibc Affected ranges 2.42 – 2.43 CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
High ( 6 )
	Status	IDs	Package	Version	Severity	Published
	Under investigation	CVE-2026-11972	python	3.14.4 – 3.14.6	High	6 days ago
Summary When using the "tarfile" module with a file opened in "streaming mode" (mode="r\|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer. Via python Affected ranges 3.14.4 – 3.14.6
	Under investigation	CVE-2026-11940	python	3.14.4 – 3.14.6	High	6 days ago
Summary tarfile.extractall() with the 'data' or 'tar' filter could be bypassed by a crafted archive where a hardlink references a symlink stored at a deeper name than the hardlink itself. The extraction fallback validated the symlink at it's archived location but recreated it at the hardlink's shallower path, letting a relative target the filter judged contained escape the destination directory. This allowed a malicious tar archive to create a symlink pointing outside the destination, enabling out-of-destination file reads or writes. This was an incomplete fix of CVE-2025-4330. Via python Affected ranges 3.14.4 – 3.14.6
	Under investigation	CVE-2026-7210	python	3.14.4 – 3.14.6	High: 7.5	2 months ago
Summary `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch. Via python Affected ranges 3.14.4 – 3.14.6 CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
	Under investigation	CVE-2026-5928	glibc	2.42 – 2.43	High: 7.5	2 months ago
Summary Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets. Via python glibc Affected ranges 2.42 – 2.43 CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
	Under investigation	CVE-2026-4046	glibc	2.42 – 2.43	High: 7.5	3 months ago
Summary The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them. Via python glibc Affected ranges 2.42 – 2.43 CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
	Under investigation	CVE-2026-4437	glibc	2.42 – 2.43	High: 7.5	3 months ago
Summary Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer. Via python glibc Affected ranges 2.42 – 2.43 CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Medium ( 4 )
	Status	IDs	Package	Version	Severity	Published
	Under investigation	CVE-2026-0864	python	3.14.4 – 3.14.6	Medium	6 days ago
Summary When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r) the resulting file could be injected with unexpected keys and values if the attacker controls the written value. Via python Affected ranges 3.14.4 – 3.14.6
	Under investigation	CVE-2026-12003	python	3.14.4 – 3.14.6	Medium	13 days ago
Summary To allow builds of Python to be run from an in-tree layout (rather than an installed file layout), the VPATH variable is defined at build time and used to locate certain landmarks - specifically, Modules/setup.local. When this landmark is found relative to VPATH relative to the executable, Python assumes it is running in a source tree and generates a different default sys.path. This code remains in release builds, so that release-ready builds can be built in-tree. On Windows, since builds are written to 'PCbuild/', the value of VPATH is set to '..\..', which results in a landmark of '..\..\Modules\setup.local'. This path is outside the install directory of Python, and may have different permissions, potentially allowing a low-privilege user to create the landmark and an alternative `Lib` folder that will be discovered by an otherwise restricted install. Such a setup occurs with the legacy default install location for all users (in the now superseded EXE installer), due to how Windows allows all users to create folders in the root directory of their OS drive. Our recommended mitigation on Windows is to migrate away from the legacy installer and use the new [Python install manager](https://www.python.org/downloads/latest/pymanager/) to install for the current user. Installs where the directory two levels above the Python installation directory have equivalent permissions are unaffected (in general, a per-user install cannot be modified at all by other users, removing any escalation of privilege risk, and could be directly modified by a privileged user, making the potential tampering irrelevant). Alternative mitigations might include preemptively creating and restricting access to a `Modules` directory. Be aware that only 3.13 and 3.14 will receive updated legacy installers - earlier fixes are only provided as sources. Platforms other than Windows allow VPATH to be overridden, but as they don't usually use a separated directory in the build for binaries, are unlikely to have a landmark reference outside of the install directory. The landmark detection involving VPATH is a fallback for when a more specific landmark - .\pybuilddir.txt - is absent, and was included for compatibility. Future releases of Python will no longer include the fallback, and so builds will need to generate or preserve the pybuilddir.txt file in order to work in-tree. This landmark file has been generated on Windows since 3.11, and on other platforms for longer. Via python Affected ranges 3.14.4 – 3.14.6
	Under investigation	CVE-2026-6019	python	3.14.4 – 3.14.6	Medium: 6.1	2 months ago
Summary http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value. Via python Affected ranges 3.14.4 – 3.14.6 CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
	Under investigation	CVE-2026-4438	glibc	2.42 – 2.43	Medium: 5.4	3 months ago
Summary Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification. Via python glibc Affected ranges 2.42 – 2.43 CVSS vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Low ( 0 )
	Status	IDs	Package	Version	Severity	Published
Unknown ( 0 )
	Status	IDs	Package	Version	Severity	Published

51 components

Software Bill of Materials — every package this build depends on
Packages	Version	Repository	Licence
meson-python ROOT	0.18.0	github.com/mesonbuild/meson-python	MIT
acl	2.3.2	https://storage.googleapis.com/minimal-staging-archives/acl-2.3.2.tar.xz MIRROR	(GPL-2.0-only AND LGPL-2.1-only)
attr	2.5.2	https://storage.googleapis.com/minimal-staging-archives/attr-2.5.2.tar.gz MIRROR	(GPL-2.0-only AND LGPL-2.1-only)
bash	5.3	www.gnu.org/software/bash	GPL-3.0-only
bash-bootstrap	5.3	https://storage.googleapis.com/minimal-staging-archives/bash-5.3.tar.gz MIRROR	GPL-3.0-only
binutils	2.46.1	www.gnu.org/software/binutils	(GPL-2.0-only AND GPL-3.0-only AND LGPL-2.0-only)
bison	3.8.2	www.gnu.org/software/bison	GPL-3.0-only
bzip2	1.0.8	github.com/libarchive/bzip2	bzip2-1.0.6
coreutils	9.11	www.gnu.org/software/coreutils	GPL-3.0-only
diffutils	3.12	www.gnu.org/software/diffutils	GPL-3.0-only
expat	2.7.5	github.com/libexpat/libexpat	MIT
file	5.47	https://storage.googleapis.com/minimal-staging-archives/file-5.47.tar.gz MIRROR	BSD-2-Clause-Darwin
findutils	4.10.0	https://storage.googleapis.com/minimal-staging-archives/findutils-4.10.0.tar.xz MIRROR	GPL-3.0-only
flex	2.6.4	github.com/westes/flex	BSD-3-Clause-flex
flit-core	3.12.0	github.com/pypa/flit	BSD-3-Clause
gawk	5.4.0	www.gnu.org/software/gawk	GPL-3.0-only
gawk-bootstrap	5.3.2	https://storage.googleapis.com/minimal-staging-archives/gawk-5.3.2.tar.xz MIRROR	GPL-3.0-only
gcc	15.2.0	www.gnu.org/software/gcc	(GPL-2.0-only AND GPL-3.0-only AND LGPL-2.1-only)
gdbm	1.26	www.gnu.org/software/gdbm	GPL-3.0-only
glibc	2.43	www.gnu.org/software/glibc	(GPL-2.0-only AND LGPL-2.1-only)
gmp	6.3.0	www.gnu.org/software/gmp	LGPL-3.0-or-later OR GPL-2.0-or-later
grep	3.12	www.gnu.org/software/grep	GPL-3.0-only
gzip	1.14	www.gnu.org/software/gzip	GPL-3.0-only
libcap	2.78	https://storage.googleapis.com/minimal-staging-archives/libcap-2.78.tar.xz MIRROR	BSD-3-Clause OR GPL-2.0-only
libffi	3.5.2	github.com/libffi/libffi	MIT
linux_headers	6.12.43	github.com/torvalds/linux	GPL-2.0-only WITH Linux-syscall-note
lz4	1.10.0	github.com/lz4/lz4	BSD-2-Clause AND GPL-2.0-or-later
m4	1.4.21	www.gnu.org/software/m4	GPL-3.0-only
make	4.4.1	www.gnu.org/software/make	GPL-3.0-only
meson	1.10.1	github.com/mesonbuild/meson	Apache-2.0
mpc	1.4.0	www.gnu.org/software/mpc	LGPL-3.0-or-later
mpfr	4.2.2	www.gnu.org/software/mpfr	GPL-3.0-only
ncurses	6.5-20250830	www.gnu.org/software/ncurses	X11-distribute-modifications-variant
ninja	1.13.2	github.com/ninja-build/ninja	Apache-2.0
openssl	3.6.3	github.com/openssl/openssl	Apache-2.0
pcre2	10.47	github.com/PCRE2Project/pcre2	BSD-3-Clause WITH PCRE2-exception
perl	5.42.0	github.com/Perl/perl5	Artistic-1.0-Perl OR GPL-1.0-or-later
pkgconf	2.5.1	github.com/pkgconf/pkgconf	pkgconf
py-packaging	25.0	github.com/pypa/packaging	Apache-2.0 OR BSD-2-Clause
pyproject-hooks	1.2.0	github.com/pypa/pyproject-hooks	MIT
pyproject-metadata	0.9.1	github.com/pypa/pyproject-metadata	MIT
python	3.14.6	github.com/python/cpython	Python-2.0.1
readline	8.3	www.gnu.org/software/readline	GPL-3.0-only
sed	4.9	www.gnu.org/software/sed	GPL-3.0-only
setuptools	82.0.1	github.com/pypa/setuptools	MIT
sqlite	3.50.4	github.com/sqlite/sqlite	blessing
tar	1.35	www.gnu.org/software/tar	GPL-3.0-only
util-linux	2.42.1	github.com/util-linux/util-linux	GPL-2.0-or-later AND LGPL-2.1-or-later AND BSD-3-Clause
xz	5.8.3	github.com/tukaani-project/xz	(0BSD AND GPL-2.0-only AND GPL-3.0-only AND LGPL-2.1-only)
zlib	1.3.2	github.com/madler/zlib	Zlib
zstd	1.5.7	github.com/facebook/zstd	BSD-3-Clause OR GPL-2.0-only

meson-python

Install package

What is "meson-python"?

How to use this package

Quick install

Declare as a task dependency in minimal.toml

Build-time vs runtime

Dependencies (5)

Dependency changes

Dependants (1)

Summary

Via

Affected ranges

CVSS vector

Summary

Via

Affected ranges

Summary

Via

Affected ranges

Summary

Via

Affected ranges

CVSS vector

Summary

Via

Affected ranges

CVSS vector

Summary

Via

Affected ranges

CVSS vector

Summary

Via

Affected ranges

CVSS vector

Summary

Via

Affected ranges

Summary

Via

Affected ranges

Summary

Via

Affected ranges

CVSS vector

Summary

Via

Affected ranges

CVSS vector

51 components