Skip to content

fix(deps): vuln minor: pyyaml, requests #3978

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/pip/0-1781592768
Open

fix(deps): vuln minor: pyyaml, requests #3978
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/pip/0-1781592768

Conversation

@gh-worker-campaigns-3e9aa4

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented Jun 16, 2026

Copy link
Copy Markdown

Summary: Critical-severity security update — 2 packages upgraded (MINOR changes included)

Manifests changed:

  • . (pip)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
pyyaml 5.3.1 5.4.1 minor Direct 3 CRITICAL
requests 2.20.1 2.34.2 minor Direct 9 MEDIUM

Security Details

🚨 Critical & High Severity (3 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
pyyaml PYSEC-2021-142 critical - 5.3.1 5.4
pyyaml CVE-2020-14343 critical - 5.3.1 -
pyyaml GHSA-8q59-q68h-6hv4 CRITICAL Improper Input Validation in PyYAML 5.3.1 5.4
ℹ️ Other Vulnerabilities (9)
Package CVE Severity Summary Unsafe Version Fixed In
requests GHSA-j8r2-6x86-q33q MODERATE Unintended leak of Proxy-Authorization header in requests 2.20.1 2.31.0
requests CVE-2023-32681 MODERATE Unintended leak of Proxy-Authorization header in requests 2.20.1 -
requests PYSEC-2023-74 MODERATE - 2.20.1 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
requests GHSA-9wx4-h78v-vm56 MODERATE Requests Session object does not verify requests after making first request with verify=False 2.20.1 2.32.0
requests CVE-2024-35195 MODERATE Requests Session object does not verify requests after making first request with verify=False 2.20.1 -
requests GHSA-gc5v-m9x4-r6x2 MODERATE Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function 2.20.1 2.33.0
requests CVE-2026-25645 MODERATE Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function 2.20.1 -
requests GHSA-9hjg-9r4m-mvj7 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.20.1 2.32.4
requests CVE-2024-47081 MODERATE Requests vulnerable to .netrc credentials leak via malicious URLs 2.20.1 -
⚠️ Dependencies that have Reached EOL (2)
Dependency Unsafe Version EOL Date New Version Path
pyyaml 5.3.1 - 5.4.1 requirements.txt
requests 2.20.1 - 2.34.2 requirements.txt

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@campaigner-prod campaigner-prod Bot marked this pull request as ready for review June 16, 2026 23:18
@campaigner-prod campaigner-prod Bot requested a review from a team as a code owner June 16, 2026 23:18
@campaigner-prod campaigner-prod Bot requested a review from pgimalac June 16, 2026 23:18
@dd-prapprover

dd-prapprover Bot commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-06-16T23:18:51Z
  • ⬜ CI tests passed
  • ⬜ Approved
  • ⬜ Merge Started
  • ⬜ Merged

➡️ Current phase: waiting for CI tests to complete...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pgimalac pgimalac Awaiting requested review from pgimalac pgimalac is a code owner automatically assigned from DataDog/agent-runtimes

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

adms-critical-severity adms-dependency-update adms-fixes-eol adms-medium-severity adms-minor-update adms-mode-all-vulns adms-python campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants