
fix(deps): vuln minor upgrades — 5 packages (minor: 1 · patch: 4) [pkg/dependency] #37

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/pip/dependency/3-1776941448

Conversation

@gh-worker-campaigns-3e9aa4

Summary: High-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • pkg/dependency (pip)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package       From    To      Type    Dep Type   Vulnerabilities Fixed
Flask         2.0.0   2.3.3   minor   Direct     3 HIGH, 2 LOW
Jinja2        3.0.0   3.0.3   patch   Direct     10 MODERATE
MarkupSafe    2.0.0   2.0.1   patch   Direct     -
click         8.0.0   8.0.4   patch   Direct     -
itsdangerous  2.0.0   2.0.1   patch   Direct     -

Packages marked with "-" are updated due to dependency constraints.


Security Details

🚨 Critical & High Severity (12 fixed)
Package  Advisory             Severity  Unsafe Version  Fixed In                                  Summary
Flask    CVE-2023-30861       HIGH      2.0.0           -                                         Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header
Flask    PYSEC-2023-62        HIGH      2.0.0           70f906c51ce49c485f1d355703e9cc3386b1cc2b  -
Flask    GHSA-m2qf-hxjv-5gpq  HIGH      2.0.0           2.3.2                                     Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header
ℹ️ Other Vulnerabilities (48)
Package  Advisory             Severity  Unsafe Version  Fixed In  Summary
Jinja2   CVE-2024-56326       MODERATE  3.0.0           -         Jinja has a sandbox breakout through indirect reference to format method
Jinja2   GHSA-h5c8-rqwp-cp95  MODERATE  3.0.0           3.1.3     Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
Jinja2   CVE-2024-22195       MODERATE  3.0.0           -         Jinja vulnerable to Cross-Site Scripting (XSS)
Jinja2   GHSA-h75v-3vvj-5mfj  MODERATE  3.0.0           3.1.4     Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
Jinja2   CVE-2024-34064       MODERATE  3.0.0           -         Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
Jinja2   GHSA-q2x7-8rv6-6q7h  MODERATE  3.0.0           3.1.5     Jinja has a sandbox breakout through indirect reference to format method
Jinja2   CVE-2025-27516       MODERATE  3.0.0           -         Jinja sandbox breakout through attr filter selecting format method
Jinja2   GHSA-cpwx-vrp4-4pq7  MODERATE  3.0.0           3.1.6     Jinja2 vulnerable to sandbox breakout through attr filter selecting format method
Jinja2   GHSA-gmj6-6f8f-6699  MODERATE  3.0.0           3.1.5     Jinja has a sandbox breakout through malicious filenames
Jinja2   CVE-2024-56201       MODERATE  3.0.0           -         Jinja has a sandbox breakout through malicious filenames
Flask    CVE-2026-27205       LOW       2.0.0           -         Flask session does not add Vary: Cookie header when accessed in some ways
Flask    GHSA-68rp-wp8r-4726  LOW       2.0.0           3.1.3     Flask session does not add Vary: Cookie header when accessed in some ways
⚠️ Dependencies that have Reached EOL (5)
Dependency  Unsafe Version  EOL Date  New Version  Path
MarkupSafe  2.0.0           -         2.0.1        pkg/dependency/parser/python/pip/testdata/requirements_comments.txt
MarkupSafe  2.0.0           -         2.0.1        pkg/dependency/parser/python/pip/testdata/requirements_flask.txt
click       8.0.0           -         8.0.4        pkg/dependency/parser/python/pip/testdata/requirements_comments.txt
click       8.0.0           -         8.0.4        pkg/dependency/parser/python/pip/testdata/requirements_flask.txt
click       8.0.0           -         8.0.4        pkg/dependency/parser/python/pip/testdata/requirements_spaces.txt
📅 Dependencies Nearing EOL (10)
Dependency    Unsafe Version  EOL Date      New Version  Path
Flask         2.0.0           May 11, 2026  2.3.3        pkg/dependency/parser/python/pip/testdata/requirements_comments.txt
Flask         2.0.0           May 11, 2026  2.3.3        pkg/dependency/parser/python/pip/testdata/requirements_flask.txt
Flask         2.0.0           May 11, 2026  2.3.3        pkg/dependency/parser/python/pip/testdata/requirements_no_version.txt
Flask         2.0.0           May 11, 2026  2.3.3        pkg/dependency/parser/python/pip/testdata/requirements_spaces.txt
Jinja2        3.0.0           May 11, 2026  3.0.3        pkg/dependency/parser/python/pip/testdata/requirements_comments.txt
Jinja2        3.0.0           May 11, 2026  3.0.3        pkg/dependency/parser/python/pip/testdata/requirements_flask.txt
Jinja2        3.0.0           May 11, 2026  3.0.3        pkg/dependency/parser/python/pip/testdata/requirements_hash.txt
Jinja2        3.0.0           May 11, 2026  3.0.3        pkg/dependency/parser/python/pip/testdata/requirements_spaces.txt
itsdangerous  2.0.0           May 11, 2026  2.0.1        pkg/dependency/parser/python/pip/testdata/requirements_flask.txt
itsdangerous  2.0.0           May 11, 2026  2.0.1        pkg/dependency/parser/python/pip/testdata/requirements_spaces.txt

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System
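The review checklist above asks for compatibility and CI, but not for the one check that decides whether a "vulnerability remediation" PR remediates anything: does the new pin reach the version each advisory is fixed in? Reading the bot's own tables, the Jinja2 advisories are fixed in 3.1.3 through 3.1.6 while this PR pins 3.0.3, and the LOW Flask advisory GHSA-68rp-wp8r-4726 is fixed in 3.1.3 against a 2.3.3 target; only the HIGH Flask advisory (fixed in 2.3.2) is actually covered. The manifests are also requirements fixtures under pkg/dependency/parser/python/pip/testdata, so the bump changes parser test data rather than a deployed dependency. The script below is an added example, not code from this PR, the bot, or the repository: it parses a bumped requirements file (a constructed sample, not a file from the repo) and compares each pin with the Fixed In column copied from the tables above. Entries whose Fixed In is "-" or a commit hash are reported as unknown rather than guessed; the reviewer resolves those by the sibling GHSA row.

```python
"""Does a proposed pip bump actually reach each advisory's "Fixed In" version?

Added check; not code from this PR, the bot, or the repository.
"""
from __future__ import annotations

import re

# (package, advisory id, version the advisory is fixed in), copied from the
# PR's "Security Details" tables. "-" means the table gave no fixed release;
# the PYSEC row gives a commit hash instead of a release.
ADVISORIES = [
    ("Flask", "CVE-2023-30861", "-"),
    ("Flask", "PYSEC-2023-62", "70f906c51ce49c485f1d355703e9cc3386b1cc2b"),
    ("Flask", "GHSA-m2qf-hxjv-5gpq", "2.3.2"),
    ("Flask", "GHSA-68rp-wp8r-4726", "3.1.3"),
    ("Jinja2", "GHSA-h5c8-rqwp-cp95", "3.1.3"),
    ("Jinja2", "GHSA-h75v-3vvj-5mfj", "3.1.4"),
    ("Jinja2", "GHSA-q2x7-8rv6-6q7h", "3.1.5"),
    ("Jinja2", "GHSA-gmj6-6f8f-6699", "3.1.5"),
    ("Jinja2", "GHSA-cpwx-vrp4-4pq7", "3.1.6"),
]

# Constructed sample of a bumped requirements file (not a repository file): the
# PR's "To" versions, with the comment, spacing and --hash variations the
# fixture names (requirements_comments/_spaces/_hash) suggest.
BUMPED_REQUIREMENTS = """\
# web stack
Flask==2.3.3   # was 2.0.0
Jinja2 == 3.0.3
MarkupSafe==2.0.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
click==8.0.4
itsdangerous==2.0.1
"""

_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")
_RELEASE_RE = re.compile(r"^\d+(\.\d+)*$")


def normalize(name: str) -> str:
    """PEP 503 name normalization so Flask/flask and MarkupSafe/markupsafe match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str) -> dict[str, str]:
    """Return {normalized name: version} for every `name==version` pin.

    Handles `#` comments, whitespace around `==`, and backslash-continued
    `--hash=` lines. Other specifiers are ignored on purpose: an unpinned or
    range-pinned package gives no version to compare.
    """
    pins: dict[str, str] = {}
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # options such as -r, --index-url
            continue
        m = _PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def reaches(target: str, fixed_in: str) -> str:
    """'fixed' if target >= fixed_in, 'not fixed' if below, 'unknown' otherwise.

    Only plain dotted releases are compared; a '-' or a commit hash in the
    Fixed In column cannot be resolved from the table alone.
    """
    if not (_RELEASE_RE.match(target) and _RELEASE_RE.match(fixed_in)):
        return "unknown"
    t = [int(p) for p in target.split(".")]
    f = [int(p) for p in fixed_in.split(".")]
    width = max(len(t), len(f))  # pad so 2.3 compares equal to 2.3.0
    t += [0] * (width - len(t))
    f += [0] * (width - len(f))
    return "fixed" if t >= f else "not fixed"


def audit(requirements: str, advisories=ADVISORIES) -> dict[str, str]:
    """Map each advisory id to fixed / not fixed / unknown / unpinned."""
    pins = parse_pins(requirements)
    result: dict[str, str] = {}
    for pkg, advisory, fixed_in in advisories:
        target = pins.get(normalize(pkg))
        result[advisory] = "unpinned" if target is None else reaches(target, fixed_in)
    return result


def unresolved(requirements: str, advisories=ADVISORIES) -> list[str]:
    """Advisory ids the bump does not demonstrably fix, sorted for review."""
    return sorted(a for a, s in audit(requirements, advisories).items() if s != "fixed")


if __name__ == "__main__":
    for advisory, status in audit(BUMPED_REQUIREMENTS).items():
        print(f"{advisory:22} {status}")
    print("needs a higher target:", ", ".join(unresolved(BUMPED_REQUIREMENTS)))
```

Run against the sample, the only advisory that comes back fixed is GHSA-m2qf-hxjv-5gpq; every Jinja2 row and the LOW Flask row come back not fixed, which is the answer the "Vulnerabilities Fixed" column should be checked against before the auto-approval rule merges the PR.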

@dd-prapprover

dd-prapprover Bot commented Apr 23, 2026

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-04-23T14:04:11Z
  • ⬜ CI tests passed
  • ⬜ Approved
  • ⬜ Merge Started
  • ⬜ Merged

➡️ Current phase: waiting for CI tests to complete...

