Skip to content

fix(deps): vuln werkzeug (major → 3.1.8) [integration/testdata/fixtures/repo/poetry]#38

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/major/poetry/poetry/6-1776941448
Open

fix(deps): vuln werkzeug (major → 3.1.8) [integration/testdata/fixtures/repo/poetry]#38
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/major/poetry/poetry/6-1776941448

Conversation

@gh-worker-campaigns-3e9aa4
Copy link
Copy Markdown

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented Apr 23, 2026

Summary: Critical-severity security update — 1 package upgraded (MAJOR changes included)

Manifests changed:

  • integration/testdata/fixtures/repo/poetry (poetry)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
werkzeug 0.14 3.1.8 major Direct 2 CRITICAL, 10 HIGH, 13 MODERATE, 3 LOW

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (12 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
werkzeug CVE-2022-29361 critical - 0.14 -
werkzeug PYSEC-2022-203 critical - 0.14 9a3a981d70d2e9ec3344b5192f86fcaf3210cd85
werkzeug GHSA-j544-7q9p-6xp8 HIGH Pallets Werkzeug vulnerable to Path Traversal 0.14 0.15.5
werkzeug CVE-2019-14322 HIGH - 0.14 -
werkzeug GHSA-2g68-c3qc-8985 HIGH Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain 0.14 3.0.3
werkzeug CVE-2024-34069 HIGH Werkzeug's improper usage of a pathname and improper CSRF protection results in the remote command execution 0.14 -
werkzeug PYSEC-2019-140 high - 0.14 00bc43b1672e662e5e3b8cecd79e67fc968fa246
werkzeug CVE-2019-14806 high - 0.14 -
werkzeug GHSA-gq9m-qvpx-68hc HIGH Pallets Werkzeug Insufficient Entropy 0.14 0.15.3
werkzeug PYSEC-2023-58 high - 0.14 517cac5a804e8c4dc4ed038bb20dacd038e7a9f1
werkzeug CVE-2023-25577 high Werkzeug may allow high resource usage when parsing multipart form data with many fields 0.14 -
werkzeug GHSA-xg9f-g7g7-2323 HIGH High resource usage when parsing multipart form data with many fields 0.14 2.2.3
ℹ️ Other Vulnerabilities (16)
Package CVE Severity Summary Unsafe Version Fixed In
werkzeug GHSA-87hc-h4r5-73f7 MODERATE Werkzeug safe_join() allows Windows special device names with compound extensions 0.14 3.1.5
werkzeug CVE-2026-21860 MODERATE Werkzeug safe_join() allows Windows special device names with compound extensions 0.14 -
werkzeug CVE-2024-49766 MODERATE Werkzeug safe_join not safe on Windows 0.14 -
werkzeug GHSA-q34m-jh98-gwm2 MODERATE Werkzeug possible resource exhaustion when parsing file data in forms 0.14 3.0.6
werkzeug CVE-2024-49767 MODERATE Werkzeug possible resource exhaustion when parsing file data in forms 0.14 -
werkzeug GHSA-hgf8-39gv-g3f2 MODERATE Werkzeug safe_join() allows Windows special device names 0.14 3.1.4
werkzeug CVE-2025-66221 MODERATE Werkzeug safe_join() allows Windows special device names 0.14 -
werkzeug GHSA-f9vj-2wh5-fj8j MODERATE Werkzeug safe_join not safe on Windows 0.14 3.0.6
werkzeug CVE-2026-27199 MODERATE Werkzeug safe_join() allows Windows special device names 0.14 -
werkzeug GHSA-29vq-49wr-vm6x MODERATE Werkzeug safe_join() allows Windows special device names 0.14 3.1.6
werkzeug PYSEC-2023-221 MODERATE - 0.14 f3c803b3ade485a45f12b6d6617595350c0f03e2
werkzeug GHSA-hrfv-mqp8-q5rw MODERATE Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning 0.14 3.0.1
werkzeug CVE-2023-46136 MODERATE Werkzeug vulnerable to high resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning 0.14 -
werkzeug CVE-2023-23934 LOW Wrkzeug's incorrect parsing of nameless cookies leads to __Host- cookies bypass 0.14 -
werkzeug GHSA-px8h-6qxv-m22q LOW Incorrect parsing of nameless cookies leads to __Host- cookies bypass 0.14 2.2.3
werkzeug PYSEC-2023-57 LOW - 0.14 cf275f42acad1b5950c50ffe8ef58fe62cdce028
⚠️ Dependencies that have Reached EOL (1)
Dependency Unsafe Version EOL Date New Version Path
werkzeug 0.14 - 3.1.8 integration/testdata/fixtures/repo/poetry/pyproject.toml

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

@campaigner-prod campaigner-prod Bot marked this pull request as ready for review April 23, 2026 14:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-critical-severity adms-dependency-update adms-fixes-eol adms-high-severity adms-low-severity adms-major-update adms-medium-severity adms-mode-all-updates adms-python campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants