Skip to content

VULN UPGRADE: minor upgrades — 14 packages (minor: 6 · patch: 8) [local/etc]#34571

Open
campaigner-prod[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/minorpatch/pip/etc/0-1770927577
Open

VULN UPGRADE: minor upgrades — 14 packages (minor: 6 · patch: 8) [local/etc]#34571
campaigner-prod[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/minorpatch/pip/etc/0-1770927577

Conversation

@campaigner-prod
Copy link
Contributor

@campaigner-prod campaigner-prod bot commented Feb 12, 2026

Summary: High-severity security update — 14 packages upgraded (MINOR changes included)

Manifests changed:

  • local/etc (pip)

Updates

Package From To Type Vulnerabilities Fixed
markdown2 2.3.8 2.5.4 minor 3 HIGH, 3 MODERATE
Jinja2 3.0.1 3.0.3 patch 10 MODERATE
requests 2.23.0 2.32.5 minor 7 MODERATE
Pygments 2.7.4 2.19.2 minor 3 MODERATE
PyGithub 1.47 1.59.1 minor -
pycparser 2.14 2.23 minor -
tqdm 4.43.0 4.67.3 minor 2 LOW
PyYAML 6.0.1 6.0.3 patch -
beautifulsoup4 4.12.0 4.12.3 patch -
cffi 1.15.0 1.15.1 patch -
cssutils 1.0.0 1.0.2 patch -
feedparser 6.0.10 6.0.12 patch -
htmlmin 0.1.10 0.1.12 patch -
ruamel.yaml 0.17.32 0.17.40 patch -

Packages marked with "-" are updated due to dependency constraints.

Security Details

🚨 Critical & High Severity (3 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
markdown2 GHSA-jr9p-r423-9m2r HIGH markdown2 Regular Expression Denial of Service 2.3.8 2.4.0
markdown2 PYSEC-2021-20 HIGH - 2.3.8 2.4.0
markdown2 CVE-2021-26813 HIGH - 2.3.8 -
ℹ️ Other Vulnerabilities (25)
Package CVE Severity Summary Unsafe Version Fixed In
Jinja2 CVE-2025-27516 MODERATE Jinja sandbox breakout through attr filter selecting format method 3.0.1 -
Jinja2 GHSA-gmj6-6f8f-6699 MODERATE Jinja has a sandbox breakout through malicious filenames 3.0.1 3.1.5
Jinja2 GHSA-h75v-3vvj-5mfj MODERATE Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter 3.0.1 3.1.4
Jinja2 GHSA-cpwx-vrp4-4pq7 MODERATE Jinja2 vulnerable to sandbox breakout through attr filter selecting format method 3.0.1 3.1.6
Jinja2 CVE-2024-34064 MODERATE Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter 3.0.1 -
Jinja2 GHSA-q2x7-8rv6-6q7h MODERATE Jinja has a sandbox breakout through indirect reference to format method 3.0.1 3.1.5
Jinja2 CVE-2024-22195 MODERATE Jinja vulnerable to Cross-Site Scripting (XSS) 3.0.1 -
Jinja2 CVE-2024-56326 MODERATE Jinja has a sandbox breakout through indirect reference to format method 3.0.1 -
Jinja2 GHSA-h5c8-rqwp-cp95 MODERATE Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter 3.0.1 3.1.3
Jinja2 CVE-2024-56201 MODERATE Jinja has a sandbox breakout through malicious filenames 3.0.1 -
Pygments PYSEC-2023-117 MODERATE - 2.7.4 2.15.1
Pygments CVE-2022-40896 MODERATE - 2.7.4 -
Pygments GHSA-mrwq-x4v8-fh7p MODERATE Pygments vulnerable to ReDoS 2.7.4 2.15.0
markdown2 CVE-2020-11888 MODERATE - 2.3.8 -
markdown2 GHSA-fv3h-8x5j-pvgq MODERATE XSS in python-markdown2 2.3.8 2.3.9
markdown2 PYSEC-2020-65 MODERATE - 2.3.8 2.3.9
requests CVE-2023-32681 MODERATE Unintended leak of Proxy-Authorization header in requests 2.23.0 -
requests CVE-2024-47081 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.23.0 -
requests GHSA-9hjg-9r4m-mvj7 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.23.0 2.32.4
requests CVE-2024-35195 MODERATE Requests Session object does not verify requests after making first request with verify=False 2.23.0 -
requests GHSA-9wx4-h78v-vm56 MODERATE Requests Session object does not verify requests after making first request with verify=False 2.23.0 2.32.0
requests PYSEC-2023-74 MODERATE - 2.23.0 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
requests GHSA-j8r2-6x86-q33q MODERATE Unintended leak of Proxy-Authorization header in requests 2.23.0 2.31.0
tqdm CVE-2024-34062 LOW tqdm CLI arguments injection attack 4.43.0 -
tqdm GHSA-g7vv-2v7x-gj9p LOW tqdm CLI arguments injection attack 4.43.0 4.66.3
⚠️ Dependencies that have Reached EOL (7)
Dependency Unsafe Version EOL Date New Version Path
PyGithub 1.47 - 1.59.1 local/etc/requirements3.txt
Pygments 2.7.4 Jan 12, 2026 2.19.2 local/etc/requirements3.txt
htmlmin 0.1.10 - 0.1.12 local/etc/requirements3.txt
markdown2 2.3.8 - 2.5.4 local/etc/requirements3.txt
pycparser 2.14 - 2.23 local/etc/requirements3.txt
requests 2.23.0 - 2.32.5 local/etc/requirements3.txt
tqdm 4.43.0 - 4.67.3 local/etc/requirements3.txt

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

@campaigner-prod campaigner-prod bot requested a review from a team as a code owner February 12, 2026 20:33
@github-actions github-actions bot added the Architecture Everything related to the Doc backend label Feb 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-dependency-update adms-fixes-eol adms-high-severity adms-low-severity adms-medium-severity adms-minor-update adms-mode-all-updates adms-python Architecture Everything related to the Doc backend campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants