Skip to content

VULN UPGRADE: minor upgrades — 8 packages (minor: 5 · patch: 3) [apps/rolldice-game]#196

Draft
campaigner-prod[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/minorpatch/pip/rolldice-game/0-1773111297
Draft

VULN UPGRADE: minor upgrades — 8 packages (minor: 5 · patch: 3) [apps/rolldice-game]#196
campaigner-prod[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/minorpatch/pip/rolldice-game/0-1773111297

Conversation

@campaigner-prod
Copy link
Contributor

@campaigner-prod campaigner-prod bot commented Mar 10, 2026

Summary: High-severity security update — 16 packages upgraded (MINOR changes included)

Manifests changed:

  • apps/rolldice-game (pip)

Updates

Package From To Type Vulnerabilities Fixed
urllib3 2.2.1 2.6.3 minor 6 HIGH, 6 MODERATE
urllib3 2.2.1 2.6.3 minor 6 HIGH, 6 MODERATE
Werkzeug 3.0.1 3.0.6 patch 2 HIGH, 10 MODERATE
Werkzeug 3.0.1 3.0.6 patch 2 HIGH, 10 MODERATE
requests 2.31.0 2.32.5 minor 4 MODERATE
requests 2.31.0 2.32.5 minor 4 MODERATE
opentelemetry-api 1.23.0 1.39.1 minor -
opentelemetry-api 1.23.0 1.39.1 minor -
opentelemetry-exporter-otlp 1.23.0 1.39.1 minor -
opentelemetry-exporter-otlp 1.23.0 1.39.1 minor -
opentelemetry-sdk 1.23.0 1.39.1 minor -
opentelemetry-sdk 1.23.0 1.39.1 minor -
Flask 3.0.2 3.0.3 patch 2 LOW
Flask 3.0.2 3.0.3 patch 2 LOW
grpcio 1.62.1 1.62.3 patch -
grpcio 1.62.1 1.62.3 patch -

Packages marked with "-" are updated due to dependency constraints.

Security Details

🚨 Critical & High Severity (16 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
Werkzeug CVE-2024-34069 HIGH Werkzeug's improper usage of a pathname and improper CSRF protection results in the remote command execution 3.0.1 -
Werkzeug GHSA-2g68-c3qc-8985 HIGH Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain 3.0.1 3.0.3
Werkzeug CVE-2024-34069 HIGH Werkzeug's improper usage of a pathname and improper CSRF protection results in the remote command execution 3.0.1 -
Werkzeug GHSA-2g68-c3qc-8985 HIGH Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain 3.0.1 3.0.3
urllib3 GHSA-gm62-xv2j-4w53 HIGH urllib3 allows an unbounded number of links in the decompression chain 2.2.1 2.6.0
urllib3 GHSA-38jv-5279-wg99 HIGH Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API) 2.2.1 2.6.3
urllib3 CVE-2026-21441 HIGH urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API) 2.2.1 -
urllib3 GHSA-2xpw-w6gg-jr37 HIGH urllib3 streaming API improperly handles highly compressed data 2.2.1 2.6.0
urllib3 CVE-2025-66471 HIGH urllib3 Streaming API improperly handles highly compressed data 2.2.1 -
urllib3 CVE-2025-66418 HIGH urllib3 allows an unbounded number of links in the decompression chain 2.2.1 -
urllib3 CVE-2026-21441 HIGH urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API) 2.2.1 -
urllib3 GHSA-38jv-5279-wg99 HIGH Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API) 2.2.1 2.6.3
urllib3 GHSA-2xpw-w6gg-jr37 HIGH urllib3 streaming API improperly handles highly compressed data 2.2.1 2.6.0
urllib3 CVE-2025-66471 HIGH urllib3 Streaming API improperly handles highly compressed data 2.2.1 -
urllib3 GHSA-gm62-xv2j-4w53 HIGH urllib3 allows an unbounded number of links in the decompression chain 2.2.1 2.6.0
urllib3 CVE-2025-66418 HIGH urllib3 allows an unbounded number of links in the decompression chain 2.2.1 -
ℹ️ Other Vulnerabilities (44)
Package CVE Severity Summary Unsafe Version Fixed In
Werkzeug GHSA-hgf8-39gv-g3f2 MODERATE Werkzeug safe_join() allows Windows special device names 3.0.1 3.1.4
Werkzeug CVE-2024-49766 MODERATE Werkzeug safe_join not safe on Windows 3.0.1 -
Werkzeug GHSA-q34m-jh98-gwm2 MODERATE Werkzeug possible resource exhaustion when parsing file data in forms 3.0.1 3.0.6
Werkzeug CVE-2024-49767 MODERATE Werkzeug possible resource exhaustion when parsing file data in forms 3.0.1 -
Werkzeug GHSA-87hc-h4r5-73f7 MODERATE Werkzeug safe_join() allows Windows special device names with compound extensions 3.0.1 3.1.5
Werkzeug CVE-2026-21860 MODERATE Werkzeug safe_join() allows Windows special device names with compound extensions 3.0.1 -
Werkzeug GHSA-f9vj-2wh5-fj8j MODERATE Werkzeug safe_join not safe on Windows 3.0.1 3.0.6
Werkzeug CVE-2025-66221 MODERATE Werkzeug safe_join() allows Windows special device names 3.0.1 -
Werkzeug CVE-2026-27199 MODERATE Werkzeug safe_join() allows Windows special device names 3.0.1 -
Werkzeug GHSA-29vq-49wr-vm6x MODERATE Werkzeug safe_join() allows Windows special device names 3.0.1 3.1.6
Werkzeug CVE-2026-27199 MODERATE Werkzeug safe_join() allows Windows special device names 3.0.1 -
Werkzeug GHSA-f9vj-2wh5-fj8j MODERATE Werkzeug safe_join not safe on Windows 3.0.1 3.0.6
Werkzeug GHSA-q34m-jh98-gwm2 MODERATE Werkzeug possible resource exhaustion when parsing file data in forms 3.0.1 3.0.6
Werkzeug CVE-2025-66221 MODERATE Werkzeug safe_join() allows Windows special device names 3.0.1 -
Werkzeug CVE-2024-49766 MODERATE Werkzeug safe_join not safe on Windows 3.0.1 -
Werkzeug GHSA-hgf8-39gv-g3f2 MODERATE Werkzeug safe_join() allows Windows special device names 3.0.1 3.1.4
Werkzeug GHSA-29vq-49wr-vm6x MODERATE Werkzeug safe_join() allows Windows special device names 3.0.1 3.1.6
Werkzeug CVE-2024-49767 MODERATE Werkzeug possible resource exhaustion when parsing file data in forms 3.0.1 -
Werkzeug CVE-2026-21860 MODERATE Werkzeug safe_join() allows Windows special device names with compound extensions 3.0.1 -
Werkzeug GHSA-87hc-h4r5-73f7 MODERATE Werkzeug safe_join() allows Windows special device names with compound extensions 3.0.1 3.1.5
requests GHSA-9wx4-h78v-vm56 MODERATE Requests Session object does not verify requests after making first request with verify=False 2.31.0 2.32.0
requests CVE-2024-47081 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.31.0 -
requests GHSA-9hjg-9r4m-mvj7 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.31.0 2.32.4
requests CVE-2024-35195 MODERATE Requests Session object does not verify requests after making first request with verify=False 2.31.0 -
requests CVE-2024-47081 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.31.0 -
requests GHSA-9hjg-9r4m-mvj7 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.31.0 2.32.4
requests CVE-2024-35195 MODERATE Requests Session object does not verify requests after making first request with verify=False 2.31.0 -
requests GHSA-9wx4-h78v-vm56 MODERATE Requests Session object does not verify requests after making first request with verify=False 2.31.0 2.32.0
urllib3 CVE-2024-37891 MODERATE Proxy-Authorization request header isn't stripped during cross-origin redirects in urllib3 2.2.1 -
urllib3 GHSA-34jh-p97f-mpxf MODERATE urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects 2.2.1 1.26.19
urllib3 GHSA-pq67-6m6q-mj2v MODERATE urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation 2.2.1 2.5.0
urllib3 CVE-2025-50181 MODERATE urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation 2.2.1 -
urllib3 GHSA-48p4-8xcf-vxj5 MODERATE urllib3 does not control redirects in browsers and Node.js 2.2.1 2.5.0
urllib3 CVE-2025-50182 MODERATE urllib3 does not control redirects in browsers and Node.js 2.2.1 -
urllib3 CVE-2025-50181 MODERATE urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation 2.2.1 -
urllib3 CVE-2024-37891 MODERATE Proxy-Authorization request header isn't stripped during cross-origin redirects in urllib3 2.2.1 -
urllib3 GHSA-pq67-6m6q-mj2v MODERATE urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation 2.2.1 2.5.0
urllib3 GHSA-48p4-8xcf-vxj5 MODERATE urllib3 does not control redirects in browsers and Node.js 2.2.1 2.5.0
urllib3 CVE-2025-50182 MODERATE urllib3 does not control redirects in browsers and Node.js 2.2.1 -
urllib3 GHSA-34jh-p97f-mpxf MODERATE urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects 2.2.1 1.26.19
Flask CVE-2026-27205 LOW Flask session does not add Vary: Cookie header when accessed in some ways 3.0.2 -
Flask GHSA-68rp-wp8r-4726 LOW Flask session does not add Vary: Cookie header when accessed in some ways 3.0.2 3.1.3
Flask CVE-2026-27205 LOW Flask session does not add Vary: Cookie header when accessed in some ways 3.0.2 -
Flask GHSA-68rp-wp8r-4726 LOW Flask session does not add Vary: Cookie header when accessed in some ways 3.0.2 3.1.3
⚠️ Dependencies that have Reached EOL (2)
Dependency Unsafe Version EOL Date New Version Path
requests 2.31.0 - 2.32.5 apps/rolldice-game/rolling/requirements.txt
requests 2.31.0 - 2.32.5 apps/rolldice-game/scoring/requirements.txt

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-dependency-update adms-fixes-eol adms-high-severity adms-low-severity adms-medium-severity adms-minor-update adms-mode-all-updates adms-python campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants