VULN UPGRADE: minor upgrades — 21 packages (minor: 11 · patch: 10) [utils/build]#6300

Closed
campaigner-prod[bot] wants to merge 1 commit into main from
engraver-auto-version-upgrade/minorpatch/pip/build/2-1770982118
Conversation

@campaigner-prod
Contributor

Summary: High-severity security update — 52 packages upgraded (MINOR changes included)

Manifests changed:

  • utils/build (pip)

Updates

| Package | From | To | Type | Vulnerabilities Fixed |
|---|---|---|---|---|
| flask | 2.2.4 | 2.2.5 | patch | 3 HIGH |
| flask | 2.2.4 | 2.2.5 | patch | 3 HIGH |
| mysql-connector-python | 9.0.0 | 9.6.0 | minor | 2 HIGH |
| mysql-connector-python | 9.0.0 | 9.6.0 | minor | 2 HIGH |
| requests | 2.32.3 | 2.32.5 | patch | 2 MODERATE |
| requests | 2.32.3 | 2.32.5 | patch | 2 MODERATE |
| aws-lambda-powertools | 3.17.0 | 3.24.0 | minor | - |
| confluent-kafka | 2.1.1 | 2.13.0 | minor | - |
| confluent-kafka | 2.1.1 | 2.13.0 | minor | - |
| gevent | 25.5.1 | 25.9.1 | minor | - |
| gevent | 24.2.1 | 24.11.1 | minor | - |
| gevent | 25.5.1 | 25.9.1 | minor | - |
| gevent | 24.2.1 | 24.11.1 | minor | - |
| kombu | 5.3.7 | 5.6.2 | minor | - |
| kombu | 5.3.7 | 5.6.2 | minor | - |
| mock | 5.1.0 | 5.2.0 | minor | - |
| mock | 5.1.0 | 5.2.0 | minor | - |
| opentelemetry-exporter-otlp | 1.21.0 | 1.39.1 | minor | - |
| opentelemetry-exporter-otlp | 1.21.0 | 1.39.1 | minor | - |
| opentelemetry-exporter-otlp | 1.21.0 | 1.39.1 | minor | - |
| pycryptodome | 3.20.0 | 3.23.0 | minor | - |
| pycryptodome | 3.20.0 | 3.23.0 | minor | - |
| pyodbc | 5.1.0 | 5.3.0 | minor | - |
| zope.event | 6.0 | 6.1 | minor | - |
| zope.interface | 8.0.1 | 8.2 | minor | - |
| PyMySQL | 1.1.1 | 1.1.2 | patch | - |
| boto3 | 1.34.141 | 1.34.162 | patch | - |
| boto3 | 1.34.141 | 1.34.162 | patch | - |
| boto3 | 1.34.141 | 1.34.162 | patch | - |
| boto3 | 1.40.64 | 1.40.76 | patch | - |
| boto3 | 1.34.141 | 1.34.162 | patch | - |
| moto | 5.1.16 | 5.1.20 | patch | - |
| moto | 5.0.14 | 5.0.28 | patch | - |
| moto | 5.0.14 | 5.0.28 | patch | - |
| moto | 5.0.14 | 5.0.28 | patch | - |
| moto | 5.0.14 | 5.0.28 | patch | - |
| mysqlclient | 2.2.4 | 2.2.7 | patch | - |
| mysqlclient | 2.2.4 | 2.2.7 | patch | - |
| openfeature-sdk | 0.8.3 | 0.8.4 | patch | - |
| openfeature-sdk | 0.8.3 | 0.8.4 | patch | - |
| openfeature-sdk | 0.8.3 | 0.8.4 | patch | - |
| openfeature-sdk | 0.8.3 | 0.8.4 | patch | - |
| openfeature-sdk | 0.8.3 | 0.8.4 | patch | - |
| openfeature-sdk | 0.8.3 | 0.8.4 | patch | - |
| openfeature-sdk | 0.8.3 | 0.8.4 | patch | - |
| psycopg2-binary | 2.9.9 | 2.9.11 | patch | - |
| psycopg2-binary | 2.9.9 | 2.9.11 | patch | - |
| pymysql | 1.1.1 | 1.1.2 | patch | - |
| requests | 2.32.4 | 2.32.5 | patch | - |
| requests | 2.32.4 | 2.32.5 | patch | - |
| requests | 2.32.4 | 2.32.5 | patch | - |
| uWSGI | 2.0.26 | 2.0.31 | patch | - |

Packages marked with "-" are updated due to dependency constraints.


Security Details

🚨 Critical & High Severity (10 fixed)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| flask | CVE-2023-30861 | HIGH | Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header | 2.2.4 | - |
| flask | PYSEC-2023-62 | HIGH | - | 2.2.4 | 70f906c51ce49c485f1d355703e9cc3386b1cc2b |
| flask | GHSA-m2qf-hxjv-5gpq | HIGH | Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header | 2.2.4 | 2.3.2 |
| flask | GHSA-m2qf-hxjv-5gpq | HIGH | Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header | 2.2.4 | 2.3.2 |
| flask | CVE-2023-30861 | HIGH | Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header | 2.2.4 | - |
| flask | PYSEC-2023-62 | HIGH | - | 2.2.4 | 70f906c51ce49c485f1d355703e9cc3386b1cc2b |
| mysql-connector-python | CVE-2024-21272 | HIGH | - | 9.0.0 | - |
| mysql-connector-python | GHSA-hgjp-83m4-h4fj | HIGH | MySQL Connector/Python connector takeover vulnerability | 9.0.0 | 9.1.0 |
| mysql-connector-python | GHSA-hgjp-83m4-h4fj | HIGH | MySQL Connector/Python connector takeover vulnerability | 9.0.0 | 9.1.0 |
| mysql-connector-python | CVE-2024-21272 | HIGH | - | 9.0.0 | - |

ℹ️ Other Vulnerabilities (4)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| requests | GHSA-9hjg-9r4m-mvj7 | MODERATE | Requests vulnerable to .netrc credentials leak via malicious URLs | 2.32.3 | 2.32.4 |
| requests | CVE-2024-47081 | MODERATE | Requests vulnerable to .netrc credentials leak via malicious URLs | 2.32.3 | - |
| requests | GHSA-9hjg-9r4m-mvj7 | MODERATE | Requests vulnerable to .netrc credentials leak via malicious URLs | 2.32.3 | 2.32.4 |
| requests | CVE-2024-47081 | MODERATE | Requests vulnerable to .netrc credentials leak via malicious URLs | 2.32.3 | - |

⚠️ Dependencies that have Reached EOL (2)

| Dependency | Unsafe Version | EOL Date | New Version | Path |
|---|---|---|---|---|
| requests | 2.32.3 | - | 2.32.5 | utils/build/docker/python/flask/requirements-flask-poc.txt |
| requests | 2.32.3 | - | 2.32.5 | utils/build/docker/python/flask/requirements-uwsgi-poc.txt |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

@campaigner-prod campaigner-prod Bot requested review from a team as code owners February 13, 2026 11:28
@campaigner-prod campaigner-prod Bot requested review from avara1986 and quinna-h and removed request for a team February 13, 2026 11:28
@github-actions
Contributor

CODEOWNERS have been resolved as:

utils/build/docker/python/anthropic_app/requirements.txt                @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/django/requirements-django-poc.txt            @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/django/requirements-django-py3.13.txt         @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/django/requirements-python3.12.txt            @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/fastapi/requirements-fastapi.txt              @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/flask/requirements-flask-poc.txt              @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/flask/requirements-uwsgi-poc.txt              @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/openai_app/requirements.txt                   @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/parametric/requirements.txt                   @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/tornado/requirements-tornado.txt              @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python_lambda/function/requirements.txt              @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1c2d0c358f

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

uvicorn==0.20.0
opentelemetry-distro==0.42b0
opentelemetry-exporter-otlp==1.21.0
opentelemetry-exporter-otlp==1.39.1
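Review bot: the exporter pin moves from opentelemetry-exporter-otlp==1.21.0 to 1.39.1 while opentelemetry-distro==0.42b0 on the line above is left untouched, so this requirements file now pins two OpenTelemetry release trains whose SDK requirements conflict and pip cannot resolve it. Either move opentelemetry-distro to the contrib release that pairs with the 1.39.x SDK in the same change, or hold the exporter at 1.21.0 until both pins can advance together; a `pip install --dry-run -r` of this file in CI would surface the unresolvable set before the PR is opened.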
P1: Keep OTLP exporter aligned with pinned opentelemetry-distro

This change upgrades opentelemetry-exporter-otlp to 1.39.1 but leaves opentelemetry-distro==0.42b0, which are from incompatible OpenTelemetry release trains; the distro pin pulls the 1.21-era SDK while exporter 1.39.x requires the 1.39-era SDK, so dependency resolution fails when this requirements file is installed. That breaks the parametric reference flow that installs this file in utils/scripts/parametric/run_reference_http.sh.

Useful? React with 👍 / 👎.

@dd-prapprover dd-prapprover Bot left a comment

This PR has been automatically approved by the DD PR Approver bot.

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Feb 13, 2026

View all feedbacks in Devflow UI.

2026-02-13 11:36:02 UTC ℹ️ Start processing command /merge


2026-02-13 11:36:07 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 9m (p90).


2026-02-13 11:36:18 UTC MergeQueue: This merge request has conflicts

This merge request conflicts with another merge request ahead in the queue.

The merge requests in front of this one are:

Collaborator

@cbeauchesne cbeauchesne left a comment

The CI didn't run

@campaigner-prod campaigner-prod Bot closed this Mar 8, 2026
@campaigner-prod campaigner-prod Bot deleted the engraver-auto-version-upgrade/minorpatch/pip/build/2-1770982118 branch March 8, 2026 14:03
@DataDog DataDog deleted a comment from dd-prapprover Bot Mar 13, 2026
@DataDog DataDog deleted a comment from dd-prapprover Bot Mar 13, 2026