Skip to content

fix(deps): vuln minor upgrades — 5 packages (minor: 5) [local/etc]#37533

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/pip/etc/1-1781564417
Draft

fix(deps): vuln minor upgrades — 5 packages (minor: 5) [local/etc]#37533
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/pip/etc/1-1781564417

Conversation

@gh-worker-campaigns-3e9aa4

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented Jun 15, 2026

Copy link
Copy Markdown

Summary: High-severity security update — 5 packages upgraded (MINOR changes included)

Manifests changed:

  • local/etc (pip)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
markdown2 2.3.8 2.5.5 minor Direct 3 HIGH, 3 MEDIUM
Jinja2 3.0.1 3.1.6 minor Direct 10 MEDIUM
requests 2.23.0 2.34.2 minor Direct 9 MEDIUM
Pygments 2.7.4 2.20.0 minor Direct 3 MEDIUM, 1 LOW
tqdm 4.43.0 4.68.2 minor Direct 2 LOW

Security Details

🚨 Critical & High Severity (3 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
markdown2 PYSEC-2021-20 HIGH - 2.3.8 2.4.0
markdown2 CVE-2021-26813 HIGH - 2.3.8 -
markdown2 GHSA-jr9p-r423-9m2r HIGH markdown2 Regular Expression Denial of Service 2.3.8 2.4.0
ℹ️ Other Vulnerabilities (28)
Package CVE Severity Summary Unsafe Version Fixed In
Pygments PYSEC-2023-117 medium - 2.7.4 2.15.1
Pygments CVE-2022-40896 medium - 2.7.4 -
requests CVE-2023-32681 medium Unintended leak of Proxy-Authorization header in requests 2.23.0 -
requests PYSEC-2023-74 medium - 2.23.0 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
Jinja2 CVE-2024-22195 MODERATE Jinja vulnerable to Cross-Site Scripting (XSS) 3.0.1 -
Jinja2 GHSA-cpwx-vrp4-4pq7 MODERATE Jinja2 vulnerable to sandbox breakout through attr filter selecting format method 3.0.1 3.1.6
Jinja2 CVE-2024-34064 MODERATE Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter 3.0.1 -
Jinja2 CVE-2024-56326 MODERATE Jinja has a sandbox breakout through indirect reference to format method 3.0.1 -
Jinja2 GHSA-q2x7-8rv6-6q7h MODERATE Jinja has a sandbox breakout through indirect reference to format method 3.0.1 3.1.5
Jinja2 GHSA-h5c8-rqwp-cp95 MODERATE Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter 3.0.1 3.1.3
Jinja2 GHSA-h75v-3vvj-5mfj MODERATE Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter 3.0.1 3.1.4
Jinja2 CVE-2024-56201 MODERATE Jinja has a sandbox breakout through malicious filenames 3.0.1 -
Jinja2 GHSA-gmj6-6f8f-6699 MODERATE Jinja has a sandbox breakout through malicious filenames 3.0.1 3.1.5
Jinja2 CVE-2025-27516 MODERATE Jinja sandbox breakout through attr filter selecting format method 3.0.1 -
Pygments GHSA-mrwq-x4v8-fh7p MODERATE Pygments vulnerable to ReDoS 2.7.4 2.15.0
markdown2 GHSA-fv3h-8x5j-pvgq MODERATE XSS in python-markdown2 2.3.8 2.3.9
markdown2 PYSEC-2020-65 MODERATE - 2.3.8 2.3.9
markdown2 CVE-2020-11888 MODERATE - 2.3.8 -
requests GHSA-j8r2-6x86-q33q MODERATE Unintended leak of Proxy-Authorization header in requests 2.23.0 2.31.0
requests CVE-2024-47081 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.23.0 -
requests GHSA-9hjg-9r4m-mvj7 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.23.0 2.32.4
requests GHSA-9wx4-h78v-vm56 MODERATE Requests Session object does not verify requests after making first request with verify=False 2.23.0 2.32.0
requests CVE-2024-35195 MODERATE Requests Session object does not verify requests after making first request with verify=False 2.23.0 -
requests GHSA-gc5v-m9x4-r6x2 MODERATE Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function 2.23.0 2.33.0
requests CVE-2026-25645 MODERATE Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function 2.23.0 -
Pygments GHSA-5239-wwwm-4pmq LOW Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching 2.7.4 2.20.0
tqdm GHSA-g7vv-2v7x-gj9p LOW tqdm CLI arguments injection attack 4.43.0 4.66.3
tqdm CVE-2024-34062 LOW tqdm CLI arguments injection attack 4.43.0 -
⚠️ Dependencies that have Reached EOL (5)
Dependency Unsafe Version EOL Date New Version Path
Jinja2 3.0.1 May 18, 2026 3.1.6 local/etc/requirements3.txt
Pygments 2.7.4 Jan 12, 2026 2.20.0 local/etc/requirements3.txt
markdown2 2.3.8 - 2.5.5 local/etc/requirements3.txt
requests 2.23.0 - 2.34.2 local/etc/requirements3.txt
tqdm 4.43.0 - 4.68.2 local/etc/requirements3.txt

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@github-actions github-actions Bot added the Architecture Everything related to the Doc backend label Jun 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-dependency-update adms-fixes-eol adms-high-severity adms-low-severity adms-medium-severity adms-minor-update adms-mode-all-vulns adms-python Architecture Everything related to the Doc backend campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants