
VULN UPGRADE: minor upgrades — 21 packages (minor: 11 · patch: 10) [utils/build]#6300

Open
campaigner-prod[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/pip/build/2-1770982118

Conversation

@campaigner-prod
Contributor

Summary: High-severity security update — 52 packages upgraded (MINOR changes included)

Manifests changed:

  • utils/build (pip)

Updates

Package                      From       To         Type    Vulnerabilities Fixed
flask                        2.2.4      2.2.5      patch   3 HIGH
flask                        2.2.4      2.2.5      patch   3 HIGH
mysql-connector-python       9.0.0      9.6.0      minor   2 HIGH
mysql-connector-python       9.0.0      9.6.0      minor   2 HIGH
requests                     2.32.3     2.32.5     patch   2 MODERATE
requests                     2.32.3     2.32.5     patch   2 MODERATE
aws-lambda-powertools        3.17.0     3.24.0     minor   -
confluent-kafka              2.1.1      2.13.0     minor   -
confluent-kafka              2.1.1      2.13.0     minor   -
gevent                       25.5.1     25.9.1     minor   -
gevent                       24.2.1     24.11.1    minor   -
gevent                       25.5.1     25.9.1     minor   -
gevent                       24.2.1     24.11.1    minor   -
kombu                        5.3.7      5.6.2      minor   -
kombu                        5.3.7      5.6.2      minor   -
mock                         5.1.0      5.2.0      minor   -
mock                         5.1.0      5.2.0      minor   -
opentelemetry-exporter-otlp  1.21.0     1.39.1     minor   -
opentelemetry-exporter-otlp  1.21.0     1.39.1     minor   -
opentelemetry-exporter-otlp  1.21.0     1.39.1     minor   -
pycryptodome                 3.20.0     3.23.0     minor   -
pycryptodome                 3.20.0     3.23.0     minor   -
pyodbc                       5.1.0      5.3.0      minor   -
zope.event                   6.0        6.1        minor   -
zope.interface               8.0.1      8.2        minor   -
PyMySQL                      1.1.1      1.1.2      patch   -
boto3                        1.34.141   1.34.162   patch   -
boto3                        1.34.141   1.34.162   patch   -
boto3                        1.34.141   1.34.162   patch   -
boto3                        1.40.64    1.40.76    patch   -
boto3                        1.34.141   1.34.162   patch   -
moto                         5.1.16     5.1.20     patch   -
moto                         5.0.14     5.0.28     patch   -
moto                         5.0.14     5.0.28     patch   -
moto                         5.0.14     5.0.28     patch   -
moto                         5.0.14     5.0.28     patch   -
mysqlclient                  2.2.4      2.2.7      patch   -
mysqlclient                  2.2.4      2.2.7      patch   -
openfeature-sdk              0.8.3      0.8.4      patch   -
openfeature-sdk              0.8.3      0.8.4      patch   -
openfeature-sdk              0.8.3      0.8.4      patch   -
openfeature-sdk              0.8.3      0.8.4      patch   -
openfeature-sdk              0.8.3      0.8.4      patch   -
openfeature-sdk              0.8.3      0.8.4      patch   -
openfeature-sdk              0.8.3      0.8.4      patch   -
psycopg2-binary              2.9.9      2.9.11     patch   -
psycopg2-binary              2.9.9      2.9.11     patch   -
pymysql                      1.1.1      1.1.2      patch   -
requests                     2.32.4     2.32.5     patch   -
requests                     2.32.4     2.32.5     patch   -
requests                     2.32.4     2.32.5     patch   -
uWSGI                        2.0.26     2.0.31     patch   -

Packages marked with "-" are updated due to dependency constraints.


Security Details

🚨 Critical & High Severity (10 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
flask CVE-2023-30861 HIGH Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header 2.2.4 -
flask PYSEC-2023-62 HIGH - 2.2.4 70f906c51ce49c485f1d355703e9cc3386b1cc2b
flask GHSA-m2qf-hxjv-5gpq HIGH Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header 2.2.4 2.3.2
flask GHSA-m2qf-hxjv-5gpq HIGH Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header 2.2.4 2.3.2
flask CVE-2023-30861 HIGH Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header 2.2.4 -
flask PYSEC-2023-62 HIGH - 2.2.4 70f906c51ce49c485f1d355703e9cc3386b1cc2b
mysql-connector-python CVE-2024-21272 HIGH - 9.0.0 -
mysql-connector-python GHSA-hgjp-83m4-h4fj HIGH MySQL Connector/Python connector takeover vulnerability 9.0.0 9.1.0
mysql-connector-python GHSA-hgjp-83m4-h4fj HIGH MySQL Connector/Python connector takeover vulnerability 9.0.0 9.1.0
mysql-connector-python CVE-2024-21272 HIGH - 9.0.0 -
ℹ️ Other Vulnerabilities (4)
Package CVE Severity Summary Unsafe Version Fixed In
requests GHSA-9hjg-9r4m-mvj7 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.32.3 2.32.4
requests CVE-2024-47081 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.32.3 -
requests GHSA-9hjg-9r4m-mvj7 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.32.3 2.32.4
requests CVE-2024-47081 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.32.3 -
⚠️ Dependencies that have Reached EOL (2)
Dependency Unsafe Version EOL Date New Version Path
requests 2.32.3 - 2.32.5 utils/build/docker/python/flask/requirements-flask-poc.txt
requests 2.32.3 - 2.32.5 utils/build/docker/python/flask/requirements-uwsgi-poc.txt

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

@campaigner-prod campaigner-prod bot requested review from a team as code owners February 13, 2026 11:28
@campaigner-prod campaigner-prod bot requested review from avara1986 and quinna-h and removed request for a team February 13, 2026 11:28
@dd-prapprover

dd-prapprover bot commented Feb 13, 2026

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

🔗 Workflow Link

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-02-13T11:28:59Z
  • ✅ CI tests passed - 2026-02-13T11:35:52Z
  • ✅ Approved (commit: 1c2d0c3) - 2026-02-13T11:35:54Z
  • ✅ Merge Started
  • ⬜ Merged

➡️ Current phase: merge in progress...

@github-actions
Contributor

CODEOWNERS have been resolved as:

utils/build/docker/python/anthropic_app/requirements.txt                @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/django/requirements-django-poc.txt            @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/django/requirements-django-py3.13.txt         @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/django/requirements-python3.12.txt            @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/fastapi/requirements-fastapi.txt              @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/flask/requirements-flask-poc.txt              @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/flask/requirements-uwsgi-poc.txt              @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/openai_app/requirements.txt                   @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/parametric/requirements.txt                   @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/tornado/requirements-tornado.txt              @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python_lambda/function/requirements.txt              @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1c2d0c358f

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

uvicorn==0.20.0
opentelemetry-distro==0.42b0
opentelemetry-exporter-otlp==1.21.0
opentelemetry-exporter-otlp==1.39.1
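
Review bot: the bump of opentelemetry-exporter-otlp to 1.39.1 leaves opentelemetry-distro==0.42b0 on the 1.21 release train, so this requirements file stops resolving; move the distro pin in the same commit (or hold the exporter on the 1.21 train) instead of upgrading the exporter alone. The update table above lists opentelemetry-exporter-otlp 1.21.0 to 1.39.1 three times with no opentelemetry-distro row, so the same check applies to every manifest the bot touched, not only this one, and a resolver dry run (pip install --dry-run -r on each file) would have surfaced the conflict before auto-approval.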


P1: Keep OTLP exporter aligned with pinned opentelemetry-distro

This change upgrades opentelemetry-exporter-otlp to 1.39.1 but leaves opentelemetry-distro==0.42b0 in place, so the two pins come from incompatible OpenTelemetry release trains; the distro pin pulls in the 1.21-era SDK while exporter 1.39.x requires the 1.39-era SDK, so dependency resolution fails when this requirements file is installed. That breaks the parametric reference flow, which installs this file in utils/scripts/parametric/run_reference_http.sh.

Useful? React with 👍 / 👎.
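A check for the release-train mismatch Codex flags above, written here as an added example and not code from this PR or the system-tests repository: it parses the `==` pins of a requirements file and groups the OpenTelemetry packages by SDK release train. It assumes the contrib packages (opentelemetry-distro, opentelemetry-instrumentation-*) version as 0.(N+21)bX alongside SDK/exporter 1.N.x, which the page supports only for the 0.42b0/1.21 pair; the sample requirement lines and the 0.60b1 pin are constructed.

```python
"""Check that OpenTelemetry pins in a requirements file share one release train.

Added example, not code from this PR or the system-tests repository. Assumption
(the PR only shows the 0.42b0 <-> 1.21 pair): contrib packages such as
opentelemetry-distro version as 0.(N+21)bX alongside SDK/exporter 1.N.x.
"""
import re

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][^\s;#]*)")
CONTRIB_OFFSET = 21  # 0.42b0 <-> 1.21.0, assumed to hold for the whole series

# Constructed sample: the pins as the PR leaves them in the parametric requirements.
AFTER_PR = "uvicorn==0.20.0\nopentelemetry-distro==0.42b0\nopentelemetry-exporter-otlp==1.39.1\n"
# Constructed sample: distro moved onto the train the offset rule gives for 1.39.x.
ALIGNED = "uvicorn==0.20.0\nopentelemetry-distro==0.60b1\nopentelemetry-exporter-otlp==1.39.1\n"

def parse_pins(text):
    """Return {normalized name: version} for every '==' pin in a requirements file."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins

def sdk_train(name, version):
    """Map an OpenTelemetry pin to its SDK minor release train (e.g. 21), else None."""
    parts = re.findall(r"\d+", version)
    if not name.startswith("opentelemetry-") or len(parts) < 2:
        return None
    major, minor = int(parts[0]), int(parts[1])
    if major == 1:    # opentelemetry-api / -sdk / -exporter-*: 1.N.x
        return minor
    if major == 0:    # opentelemetry-distro / -instrumentation-*: 0.(N+21)bX
        return minor - CONTRIB_OFFSET
    return None

def trains_in(text):
    """Group OpenTelemetry pins by release train: {train: [(name, version), ...]}."""
    groups = {}
    for name, version in parse_pins(text).items():
        train = sdk_train(name, version)
        if train is not None:
            groups.setdefault(train, []).append((name, version))
    return groups

def is_aligned(text):
    """True when every OpenTelemetry pin in the file resolves to one release train."""
    return len(trains_in(text)) <= 1
```

Run `trains_in` over each requirements file an automated bump touches; more than one key in the result is the resolver conflict described in the comment above.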


@dd-prapprover dd-prapprover bot left a comment


This PR has been automatically approved by the DD PR Approver bot.

@dd-prapprover

dd-prapprover bot commented Feb 13, 2026

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 bot commented Feb 13, 2026

View all feedback in the Devflow UI.

2026-02-13 11:36:02 UTC ℹ️ Start processing command /merge


2026-02-13 11:36:07 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 9m (p90).


2026-02-13 11:36:18 UTC MergeQueue: This merge request has conflicts

This merge request conflicts with another merge request ahead in the queue.

The merge requests in front of this one are:

Collaborator

@cbeauchesne cbeauchesne left a comment


The CI didn't run.
