fix(deps): update dependency marshmallow to v3.26.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
marshmallow (changelog)	3.22.0 → 3.26.2

Review

• Updates have been tested and work
• If updates are AWS related, versions match the infrastructure (e.g. Lambda runtime, database, etc.)

---

Marshmallow has DoS in Schema.load(many)

CVE-2025-68480 / GHSA-428g-f7cq-pgp5

More information

Details

Impact

Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time.

Patches

4.1.2, 3.26.2

Workarounds

##### Fail fast
def load_many(schema, data, **kwargs):
    if not isinstance(data, list):
        raise ValidationError(['Invalid input type.'])
    return [schema.load(item, **kwargs) for item in data]

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/marshmallow-code/marshmallow/security/advisories/GHSA-428g-f7cq-pgp5
• https://github.com/marshmallow-code/marshmallow/commit/d24a0c9df061c4daa92f71cf85aca25b83eee508
• https://nvd.nist.gov/vuln/detail/CVE-2025-68480
• https://github.com/advisories/GHSA-428g-f7cq-pgp5

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Marshmallow has DoS in Schema.load(many)

CVE-2025-68480 / GHSA-428g-f7cq-pgp5

More information

Details

Impact

Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time.

Patches

4.1.2, 3.26.2

Workarounds

##### Fail fast
def load_many(schema, data, **kwargs):
    if not isinstance(data, list):
        raise ValidationError(['Invalid input type.'])
    return [schema.load(item, **kwargs) for item in data]

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/marshmallow-code/marshmallow/security/advisories/GHSA-428g-f7cq-pgp5
• https://nvd.nist.gov/vuln/detail/CVE-2025-68480
• https://github.com/marshmallow-code/marshmallow/commit/d24a0c9df061c4daa92f71cf85aca25b83eee508
• https://github.com/marshmallow-code/marshmallow

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

marshmallow-code/marshmallow (marshmallow)

v3.26.2

Compare Source

Bug fixes:

• :cve:2025-68480: Merge error store messages without rebuilding collections.
  Thanks 카푸치노 for reporting and :user:deckar01 for the fix.

v3.26.1

Compare Source

v3.26.0

Compare Source

v3.25.1

Compare Source

v3.25.0

Compare Source

v3.24.2

Compare Source

v3.24.1

Compare Source

v3.24.0

Compare Source

v3.23.3

Compare Source

v3.23.2

Compare Source

v3.23.1

Compare Source

v3.23.0

Compare Source

---

Configuration

📅 Schedule: (in timezone America/Montreal)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[notify-pr-bot]

⚠️ renovate-agent: The automated upgrade of marshmallow 3.22.0 → 3.26.2 failed the test suite.

The branch renovate-agent/marshmallow-3.26.2-20260327 has been deleted. A human should review the failure and either fix the code or manually skip this upgrade.

Workflow run: https://github.com/cds-snc/notification-api/actions/runs/23666223812