Skip to content

VULN UPGRADE: minor upgrades — 14 packages (minor: 6 · patch: 8) [local/etc]#35134

Open
campaigner-prod[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/minorpatch/pip/etc/0-1773100735
Open

VULN UPGRADE: minor upgrades — 14 packages (minor: 6 · patch: 8) [local/etc]#35134
campaigner-prod[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/minorpatch/pip/etc/0-1773100735

Conversation

@campaigner-prod
Copy link
Contributor

@campaigner-prod campaigner-prod bot commented Mar 10, 2026

Summary: High-severity security update — 14 packages upgraded (MINOR changes included)

Manifests changed:

  • local/etc (pip)

Updates

Package From To Type Vulnerabilities Fixed
markdown2 2.3.8 2.5.5 minor 3 HIGH, 1 MODERATE, 2 MEDIUM
Jinja2 3.0.1 3.0.3 patch 10 MODERATE
requests 2.23.0 2.32.5 minor 7 MODERATE
Pygments 2.7.4 2.19.2 minor 1 MODERATE, 2 MEDIUM
PyGithub 1.47 1.59.1 minor -
pycparser 2.14 2.23 minor -
tqdm 4.43.0 4.67.3 minor 2 LOW
PyYAML 6.0.1 6.0.3 patch -
beautifulsoup4 4.12.0 4.12.3 patch -
cffi 1.15.0 1.15.1 patch -
cssutils 1.0.0 1.0.2 patch -
feedparser 6.0.10 6.0.12 patch -
htmlmin 0.1.10 0.1.12 patch -
ruamel.yaml 0.17.32 0.17.40 patch -

Packages marked with "-" are updated due to dependency constraints.

Security Details

🚨 Critical & High Severity (3 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
markdown2 CVE-2021-26813 HIGH - 2.3.8 -
markdown2 PYSEC-2021-20 HIGH - 2.3.8 2.4.0
markdown2 GHSA-jr9p-r423-9m2r HIGH markdown2 Regular Expression Denial of Service 2.3.8 2.4.0
ℹ️ Other Vulnerabilities (25)
Package CVE Severity Summary Unsafe Version Fixed In
Pygments CVE-2022-40896 medium - 2.7.4 -
Pygments PYSEC-2023-117 medium - 2.7.4 2.15.1
markdown2 PYSEC-2020-65 medium - 2.3.8 2.3.9
markdown2 CVE-2020-11888 medium - 2.3.8 -
Jinja2 CVE-2024-56326 MODERATE Jinja has a sandbox breakout through indirect reference to format method 3.0.1 -
Jinja2 CVE-2024-34064 MODERATE Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter 3.0.1 -
Jinja2 CVE-2025-27516 MODERATE Jinja sandbox breakout through attr filter selecting format method 3.0.1 -
Jinja2 GHSA-cpwx-vrp4-4pq7 MODERATE Jinja2 vulnerable to sandbox breakout through attr filter selecting format method 3.0.1 3.1.6
Jinja2 CVE-2024-22195 MODERATE Jinja vulnerable to Cross-Site Scripting (XSS) 3.0.1 -
Jinja2 GHSA-h5c8-rqwp-cp95 MODERATE Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter 3.0.1 3.1.3
Jinja2 GHSA-h75v-3vvj-5mfj MODERATE Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter 3.0.1 3.1.4
Jinja2 GHSA-q2x7-8rv6-6q7h MODERATE Jinja has a sandbox breakout through indirect reference to format method 3.0.1 3.1.5
Jinja2 CVE-2024-56201 MODERATE Jinja has a sandbox breakout through malicious filenames 3.0.1 -
Jinja2 GHSA-gmj6-6f8f-6699 MODERATE Jinja has a sandbox breakout through malicious filenames 3.0.1 3.1.5
Pygments GHSA-mrwq-x4v8-fh7p MODERATE Pygments vulnerable to ReDoS 2.7.4 2.15.0
markdown2 GHSA-fv3h-8x5j-pvgq MODERATE XSS in python-markdown2 2.3.8 2.3.9
requests CVE-2024-47081 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.23.0 -
requests GHSA-9hjg-9r4m-mvj7 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.23.0 2.32.4
requests PYSEC-2023-74 MODERATE - 2.23.0 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
requests CVE-2023-32681 MODERATE Unintended leak of Proxy-Authorization header in requests 2.23.0 -
requests GHSA-j8r2-6x86-q33q MODERATE Unintended leak of Proxy-Authorization header in requests 2.23.0 2.31.0
requests CVE-2024-35195 MODERATE Requests Session object does not verify requests after making first request with verify=False 2.23.0 -
requests GHSA-9wx4-h78v-vm56 MODERATE Requests Session object does not verify requests after making first request with verify=False 2.23.0 2.32.0
tqdm CVE-2024-34062 LOW tqdm CLI arguments injection attack 4.43.0 -
tqdm GHSA-g7vv-2v7x-gj9p LOW tqdm CLI arguments injection attack 4.43.0 4.66.3
⚠️ Dependencies that have Reached EOL (7)
Dependency Unsafe Version EOL Date New Version Path
PyGithub 1.47 - 1.59.1 local/etc/requirements3.txt
Pygments 2.7.4 Jan 12, 2026 2.19.2 local/etc/requirements3.txt
htmlmin 0.1.10 - 0.1.12 local/etc/requirements3.txt
markdown2 2.3.8 - 2.5.5 local/etc/requirements3.txt
pycparser 2.14 - 2.23 local/etc/requirements3.txt
requests 2.23.0 - 2.32.5 local/etc/requirements3.txt
tqdm 4.43.0 - 4.67.3 local/etc/requirements3.txt

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

@github-actions github-actions bot added the Architecture Everything related to the Doc backend label Mar 10, 2026
@campaigner-prod campaigner-prod bot marked this pull request as ready for review March 10, 2026 14:48
@campaigner-prod campaigner-prod bot requested a review from a team as a code owner March 10, 2026 14:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-dependency-update adms-fixes-eol adms-high-severity adms-low-severity adms-medium-severity adms-minor-update adms-mode-all-updates adms-python Architecture Everything related to the Doc backend campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants