Security implications of 1.2.0 unclear #1381
Open
Description
The most recent version of Brotli has this ALL CAPS note in the changelog:
> ## [1.2.0] - 2025-10-27
> ### SECURITY
> - python: added `Decompressor::can_accept_more_data` method and optional
>   `output_buffer_limit` argument `Decompressor::process`;
>   that allows mitigation of unexpectedly large output;
>   reported by Charles Chan (https://github.com/charleswhchan)
It seems from these notes that a user of the Python brotli package would actually need to change their usage (as well as update) but how is not made abundantly clear.
Side note: my git archeology is being hampered by the fact that this note seems to predate the actual release by almost a year. In a similar vein: there seems to be a gap between 2025-10-27 and the moment this actually made it to PyPI.
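An added illustration (not from this issue or from the Brotli project) of the usage pattern the changelog hints at: cap the output of each `process()` call with `output_buffer_limit`, drain held-back output before feeding more input, and abort once a total output budget is passed, which is what bounds a small input that expands into a huge output. `SimulatedDecompressor` is a constructed stand-in so the example runs offline; that `can_accept_more_data()` returns False until pending output is drained via `process(b"")` is an assumption about the real 1.2.0 API, not something verified here.

```python
class OutputLimitExceeded(Exception):
    """Raised when decompressed output would pass the caller's total budget."""


class SimulatedDecompressor:
    """Constructed stand-in mimicking the brotli 1.2.0 Decompressor interface
    over a toy format: each input byte b expands to b * 1024 bytes of 'x'.
    It is NOT brotli; it only exists so this example runs offline."""

    def __init__(self):
        self._pending = bytearray()

    def can_accept_more_data(self):
        # ASSUMPTION: the real decoder refuses new input while output is pending.
        return not self._pending

    def process(self, data, output_buffer_limit=None):
        if data and self._pending:
            raise ValueError("drain pending output with process(b'') first")
        for b in data:
            self._pending += b"x" * (b * 1024)
        if output_buffer_limit is None:
            out, self._pending = bytes(self._pending), bytearray()
        else:
            out = bytes(self._pending[:output_buffer_limit])
            del self._pending[:output_buffer_limit]
        return out


def decompress_bounded(decoder, compressed, chunk_size=64,
                       per_call_limit=4096, total_limit=1 << 20):
    """Feed `compressed` in chunks so no single call yields more than
    per_call_limit bytes, and stop as soon as total output passes total_limit.
    Returns the decompressed bytes or raises OutputLimitExceeded."""
    out = bytearray()
    for i in range(0, len(compressed), chunk_size):
        out += decoder.process(compressed[i:i + chunk_size],
                               output_buffer_limit=per_call_limit)
        if len(out) > total_limit:
            raise OutputLimitExceeded(len(out))
        # Drain whatever the limit held back before offering more input.
        while not decoder.can_accept_more_data():
            out += decoder.process(b"", output_buffer_limit=per_call_limit)
            if len(out) > total_limit:
                raise OutputLimitExceeded(len(out))
    return bytes(out)
```

With the real 1.2.0 package installed, `brotli.Decompressor()` could be passed as `decoder` in place of the stand-in, subject to the assumption stated above.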