Skip to content

VULN UPGRADE: minor upgrades — 15 packages (minor: 5 · patch: 10) [tools/base]#12

Closed
campaigner-prod[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/pip/base/2-1770965541
Closed

VULN UPGRADE: minor upgrades — 15 packages (minor: 5 · patch: 10) [tools/base]#12
campaigner-prod[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/pip/base/2-1770965541

Conversation

@campaigner-prod
Copy link
Copy Markdown

@campaigner-prod campaigner-prod Bot commented Feb 13, 2026

Summary: High-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • tools/base (pip)

Updates

Package From To Type Vulnerabilities Fixed
aiohttp 3.9.5 3.13.3 minor 2 HIGH, 8 MODERATE, 10 LOW
aioquic 1.0.0 1.2.0 minor -
cffi 1.16.0 1.17.1 minor -
flake8 7.0.0 7.3.0 minor -
multidict 6.0.5 6.7.1 minor -
aio.api.github 0.2.5 0.2.10 patch -
aio.core 0.10.2 0.10.5 patch -
envoy.base.utils 0.5.1 0.5.11 patch -
envoy.code.check 0.5.13 0.5.14 patch -
envoy.dependency.check 0.1.12 0.1.13 patch -
envoy.docs.sphinx_runner 0.2.11 0.2.12 patch -
frozendict 2.4.4 2.4.7 patch -
sphinxcontrib-htmlhelp 2.0.5 2.0.6 patch -
sphinxcontrib-qthelp 1.0.7 1.0.8 patch -
yarl 1.9.4 1.9.11 patch -

Packages marked with "-" are updated due to dependency constraints.

Security Details

🚨 Critical & High Severity (2 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
aiohttp GHSA-6mq8-rvhq-8wgg HIGH AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb 3.9.5 3.13.3
aiohttp CVE-2025-69223 HIGH AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb 3.9.5 -
ℹ️ Other Vulnerabilities (18)
Package CVE Severity Summary Unsafe Version Fixed In
aiohttp CVE-2025-69229 MODERATE AIOHTTP vulnerable to DoS through chunked messages 3.9.5 -
aiohttp GHSA-jj3x-wxrx-4x23 MODERATE AIOHTTP vulnerable to DoS when bypassing asserts 3.9.5 3.13.3
aiohttp GHSA-6jhg-hg63-jvvf MODERATE AIOHTTP vulnerable to denial of service through large payloads 3.9.5 3.13.3
aiohttp CVE-2024-52304 MODERATE aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions 3.9.5 -
aiohttp GHSA-8495-4g3g-x7pr MODERATE aiohttp allows request smuggling due to incorrect parsing of chunk extensions 3.9.5 3.10.11
aiohttp CVE-2025-69228 MODERATE AIOHTTP vulnerable to denial of service through large payloads 3.9.5 -
aiohttp GHSA-g84x-mcqj-x9qq MODERATE AIOHTTP vulnerable to DoS through chunked messages 3.9.5 3.13.3
aiohttp CVE-2025-69227 MODERATE AIOHTTP vulnerable to DoS when bypassing asserts 3.9.5 -
aiohttp CVE-2025-53643 LOW AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections 3.9.5 -
aiohttp CVE-2025-69225 LOW AIOHTTP Regex Mismatch Allows Unicode in ASCII-Only Protocol Fields 3.9.5 -
aiohttp GHSA-54jq-c3m8-4m76 LOW AIOHTTP vulnerable to brute-force leak of internal static file path components 3.9.5 3.13.3
aiohttp CVE-2025-69226 LOW AIOHTTP allows for a brute-force leak of internal static filepath components 3.9.5 -
aiohttp GHSA-mqqc-3gqh-h2x8 LOW AIOHTTP has unicode match groups in regexes for ASCII protocol elements 3.9.5 3.13.3
aiohttp GHSA-69f9-5gxw-wvc2 LOW AIOHTTP's unicode processing of header values could cause parsing discrepancies 3.9.5 3.13.3
aiohttp GHSA-9548-qrrj-x5pj LOW AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections 3.9.5 3.12.14
aiohttp CVE-2025-69230 LOW AIOHTTP Vulnerable to Cookie Parser Warning Storm 3.9.5 -
aiohttp GHSA-fh55-r93g-j68g LOW AIOHTTP Vulnerable to Cookie Parser Warning Storm 3.9.5 3.13.3
aiohttp CVE-2025-69224 LOW AIOHTTP's Unicode processing of header values could cause parsing discrepancies 3.9.5 -
⚠️ Dependencies that have Reached EOL (2)
Dependency Unsafe Version EOL Date New Version Path
sphinxcontrib-htmlhelp 2.0.5 - 2.0.6 tools/base/requirements.in
sphinxcontrib-qthelp 1.0.7 - 1.0.8 tools/base/requirements.in

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

dd-prapprover[bot]
dd-prapprover Bot approved these changes Feb 13, 2026
View reviewed changes
Copy link
Copy Markdown

@dd-prapprover dd-prapprover Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR has been automatically approved by the DD PR Approver bot.

@gh-worker-devflow-routing-ef8351
Copy link
Copy Markdown

gh-worker-devflow-routing-ef8351 Bot commented Feb 13, 2026
edited
Loading

View all feedbacks in Devflow UI.

2026-02-13 07:00:36 UTC ℹ️ Start processing command /merge

2026-02-13 07:00:41 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 0s (p90).

2026-02-13 09:00:54 UTCMergeQueue: The build pipeline has timeout

The merge request has been interrupted because the build 0 took longer than expected. The current limit for the base branch 'master' is 120 minutes.

@campaigner-prod campaigner-prod Bot closed this Mar 1, 2026
@campaigner-prod campaigner-prod Bot deleted the engraver-auto-version-upgrade/minorpatch/pip/base/2-1770965541 branch March 1, 2026 14:52
@DataDog DataDog deleted a comment from dd-prapprover Bot Mar 15, 2026
@DataDog DataDog deleted a comment from dd-prapprover Bot Mar 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dd-prapprover dd-prapprover[bot] dd-prapprover[bot] approved these changes

Assignees

No one assigned

Labels

adms-dependency-update adms-fixes-eol adms-high-severity adms-low-severity adms-medium-severity adms-minor-update adms-mode-all-updates adms-python campaigner-automated-change mergequeue-status: rejected

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants