Skip to content

VULN UPGRADE: minor upgrades — 9 packages (minor: 7 · patch: 2) #3949

Open
campaigner-prod[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/minorpatch/pip/0-1770924006
Open

VULN UPGRADE: minor upgrades — 9 packages (minor: 7 · patch: 2) #3949
campaigner-prod[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/minorpatch/pip/0-1770924006

Conversation

@campaigner-prod
Copy link

@campaigner-prod campaigner-prod bot commented Feb 12, 2026

Summary: Critical-severity security update — 9 packages upgraded (MINOR changes included)

Manifests changed:

  • . (pip)

Updates

Package From To Type Vulnerabilities Fixed
pyyaml 5.3.1 5.4.1 minor 3 CRITICAL
supervisor 3.3.3 3.4.0 minor 2 HIGH
requests 2.20.1 2.32.5 minor 7 MODERATE
boto 2.46.1 2.49.0 minor -
distro 1.3.0 1.9.0 minor -
lazy-object-proxy 1.3.1 1.12.0 minor -
simplejson 3.6.5 3.20.2 minor -
kazoo 2.6.0 2.6.1 patch -
prometheus-client 0.1.0 0.1.1 patch -

Packages marked with "-" are updated due to dependency constraints.

Security Details

🚨 Critical & High Severity (5 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
pyyaml PYSEC-2021-142 critical - 5.3.1 5.4
pyyaml CVE-2020-14343 critical - 5.3.1 -
pyyaml GHSA-8q59-q68h-6hv4 CRITICAL Improper Input Validation in PyYAML 5.3.1 5.4
supervisor PYSEC-2019-126 high - 3.3.3 4e334d9cf2a1daff685893e35e72398437df3dcb
supervisor CVE-2019-12105 high - 3.3.3 -
ℹ️ Other Vulnerabilities (7)
Package CVE Severity Summary Unsafe Version Fixed In
requests GHSA-9hjg-9r4m-mvj7 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.20.1 2.32.4
requests CVE-2024-47081 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.20.1 -
requests GHSA-j8r2-6x86-q33q MODERATE Unintended leak of Proxy-Authorization header in requests 2.20.1 2.31.0
requests CVE-2023-32681 MODERATE Unintended leak of Proxy-Authorization header in requests 2.20.1 -
requests PYSEC-2023-74 MODERATE - 2.20.1 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
requests GHSA-9wx4-h78v-vm56 MODERATE Requests Session object does not verify requests after making first request with verify=False 2.20.1 2.32.0
requests CVE-2024-35195 MODERATE Requests Session object does not verify requests after making first request with verify=False 2.20.1 -
⚠️ Dependencies that have Reached EOL (9)
Dependency Unsafe Version EOL Date New Version Path
boto 2.46.1 - 2.49.0 requirements.txt
distro 1.3.0 - 1.9.0 requirements.txt
kazoo 2.6.0 - 2.6.1 requirements.txt
lazy-object-proxy 1.3.1 - 1.12.0 requirements.txt
prometheus-client 0.1.0 - 0.1.1 requirements.txt
pyyaml 5.3.1 - 5.4.1 requirements.txt
requests 2.20.1 - 2.32.5 requirements.txt
simplejson 3.6.5 - 3.20.2 requirements.txt
supervisor 3.3.3 - 3.4.0 requirements.txt

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

@campaigner-prod campaigner-prod bot requested a review from a team as a code owner February 12, 2026 19:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jose-manuel-almaza jose-manuel-almaza jose-manuel-almaza approved these changes

Assignees

No one assigned

Labels

adms-critical-severity adms-dependency-update adms-fixes-eol adms-high-severity adms-medium-severity adms-minor-update adms-mode-all-updates adms-python campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jose-manuel-almaza