Skip to content

fix(deps): vuln werkzeug (major → 3.1.8) [src/inventoryservice]#55

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/major/pip/inventoryservice/5-1783347816
Open

fix(deps): vuln werkzeug (major → 3.1.8) [src/inventoryservice]#55
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/major/pip/inventoryservice/5-1783347816

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: Critical-severity security update — 1 package upgraded (MAJOR changes included)

Manifests changed:

  • src/inventoryservice (pip)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
werkzeug 2.0.3 3.1.8 major Direct 2 CRITICAL, 5 HIGH, 13 MEDIUM, 3 LOW

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (7 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
werkzeug CVE-2022-29361 critical - 2.0.3 - -
werkzeug PYSEC-2022-203 critical - 2.0.3 9a3a981d70d2e9ec3344b5192f86fcaf3210cd85 -
werkzeug PYSEC-2023-58 high - 2.0.3 517cac5a804e8c4dc4ed038bb20dacd038e7a9f1 -
werkzeug CVE-2024-34069 HIGH Werkzeug's improper usage of a pathname and improper CSRF protection results in the remote command execution 2.0.3 - -
werkzeug GHSA-2g68-c3qc-8985 HIGH Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain 2.0.3 3.0.3 -
werkzeug GHSA-xg9f-g7g7-2323 HIGH High resource usage when parsing multipart form data with many fields 2.0.3 2.2.3 -
werkzeug CVE-2023-25577 high Werkzeug may allow high resource usage when parsing multipart form data with many fields 2.0.3 - -
ℹ️ Other Vulnerabilities (16)
Package CVE Severity Summary Unsafe Version Fixed In Case
werkzeug GHSA-f9vj-2wh5-fj8j MODERATE Werkzeug safe_join not safe on Windows 2.0.3 3.0.6 -
werkzeug CVE-2024-49767 MODERATE Werkzeug possible resource exhaustion when parsing file data in forms 2.0.3 - -
werkzeug CVE-2026-27199 MODERATE Werkzeug safe_join() allows Windows special device names 2.0.3 - -
werkzeug GHSA-hrfv-mqp8-q5rw MODERATE Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning 2.0.3 3.0.1 -
werkzeug CVE-2023-46136 MODERATE Werkzeug vulnerable to high resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning 2.0.3 - -
werkzeug PYSEC-2023-221 MODERATE - 2.0.3 f3c803b3ade485a45f12b6d6617595350c0f03e2 -
werkzeug GHSA-q34m-jh98-gwm2 MODERATE Werkzeug possible resource exhaustion when parsing file data in forms 2.0.3 3.0.6 -
werkzeug GHSA-29vq-49wr-vm6x MODERATE Werkzeug safe_join() allows Windows special device names 2.0.3 3.1.6 -
werkzeug GHSA-hgf8-39gv-g3f2 MODERATE Werkzeug safe_join() allows Windows special device names 2.0.3 3.1.4 -
werkzeug CVE-2024-49766 MODERATE Werkzeug safe_join not safe on Windows 2.0.3 - -
werkzeug GHSA-87hc-h4r5-73f7 MODERATE Werkzeug safe_join() allows Windows special device names with compound extensions 2.0.3 3.1.5 -
werkzeug CVE-2026-21860 MODERATE Werkzeug safe_join() allows Windows special device names with compound extensions 2.0.3 - -
werkzeug CVE-2025-66221 MODERATE Werkzeug safe_join() allows Windows special device names 2.0.3 - -
werkzeug PYSEC-2023-57 low - 2.0.3 cf275f42acad1b5950c50ffe8ef58fe62cdce028 -
werkzeug GHSA-px8h-6qxv-m22q LOW Incorrect parsing of nameless cookies leads to __Host- cookies bypass 2.0.3 2.2.3 -
werkzeug CVE-2023-23934 low Wrkzeug's incorrect parsing of nameless cookies leads to __Host- cookies bypass 2.0.3 - -

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants