Skip to content

fix(deps): vuln patch upgrades — 15 packages (patch: 15) #13

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/minorpatch/uv/0-1776944350
Draft

fix(deps): vuln patch upgrades — 15 packages (patch: 15) #13
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/minorpatch/uv/0-1776944350

Conversation

@gh-worker-campaigns-3e9aa4
Copy link
Copy Markdown

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented Apr 23, 2026

Summary: Critical-severity security update — 15 packages upgraded (patch changes only)

Manifests changed:

  • . (uv)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
pandas 1.0.0 1.0.5 patch Direct 2 CRITICAL
requests 2.20.0 2.20.1 patch Direct 9 MODERATE
pydantic 2.0 2.0.3 patch Direct 2 MODERATE
Cython 3.0.0 3.0.12 patch Direct -
azure-identity 1.25.1 1.25.3 patch Direct -
bodo 2025.7.4 2025.7.5 patch Direct -
boto3 1.24.59 1.24.96 patch Direct -
cachetools 5.5 5.5.2 patch Direct -
click 7.1.1 7.1.2 patch Direct -
daft 0.5.0 0.5.11 patch Direct -
google-auth 2.4.0 2.4.1 patch Direct -
huggingface-hub 0.24.0 0.24.7 patch Direct -
mmh3 4.0.0 4.0.1 patch Direct -
python-snappy 0.6.0 0.6.1 patch Direct -
strictyaml 1.7.0 1.7.3 patch Direct -

Packages marked with "-" are updated due to dependency constraints.

Security Details

🚨 Critical & High Severity (2 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
pandas PYSEC-2020-73 critical - 1.0.0 1.0.4
pandas CVE-2020-13091 critical - 1.0.0 -
ℹ️ Other Vulnerabilities (11)
Package CVE Severity Summary Unsafe Version Fixed In
pydantic GHSA-mr82-8j83-vxmv MODERATE Pydantic regular expression denial of service 2.0 2.4.0
pydantic CVE-2024-3772 MODERATE - 2.0 -
requests GHSA-j8r2-6x86-q33q MODERATE Unintended leak of Proxy-Authorization header in requests 2.20.0 2.31.0
requests PYSEC-2023-74 MODERATE - 2.20.0 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
requests CVE-2023-32681 MODERATE Unintended leak of Proxy-Authorization header in requests 2.20.0 -
requests GHSA-9hjg-9r4m-mvj7 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.20.0 2.32.4
requests CVE-2024-47081 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.20.0 -
requests GHSA-9wx4-h78v-vm56 MODERATE Requests Session object does not verify requests after making first request with verify=False 2.20.0 2.32.0
requests CVE-2024-35195 MODERATE Requests Session object does not verify requests after making first request with verify=False 2.20.0 -
requests GHSA-gc5v-m9x4-r6x2 MODERATE Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function 2.20.0 2.33.0
requests CVE-2026-25645 MODERATE Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function 2.20.0 -
⚠️ Dependencies that have Reached EOL (6)
Dependency Unsafe Version EOL Date New Version Path
click 7.1.1 - 7.1.2 pyproject.toml
google-auth 2.4.0 - 2.4.1 pyproject.toml
pandas 1.0.0 Jan 30, 2022 1.0.5 pyproject.toml
python-snappy 0.6.0 Feb 17, 2026 0.6.1 pyproject.toml
requests 2.20.0 - 2.20.1 pyproject.toml
strictyaml 1.7.0 - 1.7.3 pyproject.toml

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical)

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants