fix(deps): vuln minor upgrades — 4 packages (minor: 3 · patch: 1) [Doc]

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 4 packages upgraded (MINOR changes included)

Manifests changed:

• Doc (pip)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
urllib3	2.2.3	2.6.3	minor	Direct	6 HIGH, 4 MODERATE
Jinja2	3.1.4	3.1.6	patch	Direct	6 MODERATE
requests	2.32.3	2.33.1	minor	Direct	4 MODERATE
Pygments	2.18.0	2.20.0	minor	Direct	1 LOW

---

Security Details

🚨 Critical & High Severity (6 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
urllib3	CVE-2025-66418	HIGH	urllib3 allows an unbounded number of links in the decompression chain	2.2.3	-
urllib3	GHSA-38jv-5279-wg99	HIGH	Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)	2.2.3	2.6.3
urllib3	CVE-2026-21441	HIGH	urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)	2.2.3	-
urllib3	GHSA-gm62-xv2j-4w53	HIGH	urllib3 allows an unbounded number of links in the decompression chain	2.2.3	2.6.0
urllib3	CVE-2025-66471	HIGH	urllib3 Streaming API improperly handles highly compressed data	2.2.3	-
urllib3	GHSA-2xpw-w6gg-jr37	HIGH	urllib3 streaming API improperly handles highly compressed data	2.2.3	2.6.0

ℹ️ Other Vulnerabilities (15)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
Jinja2	GHSA-gmj6-6f8f-6699	MODERATE	Jinja has a sandbox breakout through malicious filenames	3.1.4	3.1.5
Jinja2	CVE-2025-27516	MODERATE	Jinja sandbox breakout through attr filter selecting format method	3.1.4	-
Jinja2	GHSA-cpwx-vrp4-4pq7	MODERATE	Jinja2 vulnerable to sandbox breakout through attr filter selecting format method	3.1.4	3.1.6
Jinja2	CVE-2024-56326	MODERATE	Jinja has a sandbox breakout through indirect reference to format method	3.1.4	-
Jinja2	GHSA-q2x7-8rv6-6q7h	MODERATE	Jinja has a sandbox breakout through indirect reference to format method	3.1.4	3.1.5
Jinja2	CVE-2024-56201	MODERATE	Jinja has a sandbox breakout through malicious filenames	3.1.4	-
requests	GHSA-9hjg-9r4m-mvj7	MODERATE	Requests vulnerable to .netrc credentials leak via malicious URLs	2.32.3	2.32.4
requests	CVE-2024-47081	MODERATE	Requests vulnerable to .netrc credentials leak via malicious URLs	2.32.3	-
requests	GHSA-gc5v-m9x4-r6x2	MODERATE	Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function	2.32.3	2.33.0
requests	CVE-2026-25645	MODERATE	Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function	2.32.3	-
urllib3	GHSA-48p4-8xcf-vxj5	MODERATE	urllib3 does not control redirects in browsers and Node.js	2.2.3	2.5.0
urllib3	CVE-2025-50182	MODERATE	urllib3 does not control redirects in browsers and Node.js	2.2.3	-
urllib3	CVE-2025-50181	MODERATE	urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation	2.2.3	-
urllib3	GHSA-pq67-6m6q-mj2v	MODERATE	urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation	2.2.3	2.5.0
Pygments	GHSA-5239-wwwm-4pmq	LOW	Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching	2.18.0	2.20.0

⚠️ Dependencies that have Reached EOL (1)

Dependency	Unsafe Version	EOL Date	New Version	Path
requests	2.32.3	-	2.33.1	Doc/requirements-oldest-sphinx.txt

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

---

📚 Documentation preview 📚: https://cpython-previews--47.org.readthedocs.build/