Commit 6301f3a
authored
bump tornado dependency to version 6.5.7 to fix 5 CVEs (#1535)
This PR upgrades the pin to `tornado` in `pyproject.toml` requirements
to exclude versions of `tornado` that contain these 5 CVEs:
```
> uv audit --preview --locked
Found 4 known vulnerabilities and no adverse project statuses in 118 packages
Vulnerabilities:
tornado 6.5.5 has 4 known vulnerabilities:
- GHSA-3x9g-8vmp-wqvf: Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient
Fixed in: 6.5.6
Advisory information: GHSA-3x9g-8vmp-wqvf
- GHSA-cx3h-4qpv-8hc9: Tornado has out-of-bounds memory access via C extension
Fixed in: 6.5.6
Advisory information: GHSA-cx3h-4qpv-8hc9
- GHSA-mgf9-4vpg-hj56: tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)
Fixed in: 6.5.6
Advisory information: GHSA-mgf9-4vpg-hj56
- GHSA-pw6j-qg29-8w7f: Tornado: CurlAsyncHTTPClient leaks per-request credentials on handle reuse
Fixed in: 6.5.7
Advisory information: GHSA-pw6j-qg29-8w7f
```
There are no explicit migrations listed in `tornado` to upgrade from
6.4.x to 6.5.x1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
27 | 27 | | |
28 | 28 | | |
29 | 29 | | |
30 | | - | |
| 30 | + | |
31 | 31 | | |
32 | 32 | | |
33 | 33 | | |
| |||
0 commit comments