VULN UPGRADE: minor upgrades — 7 packages (minor: 6 · patch: 1) [opentelemetry/python-microservice]

[campaigner-prod]

Summary: High-severity security update — 7 packages upgraded (MINOR changes included)

Manifests changed:

• opentelemetry/python-microservice (pip)

Updates

Package	From	To	Type	Vulnerabilities Fixed
grpcio	1.32.0	1.78.1	minor	2 HIGH
Jinja2	2.11.2	2.11.3	patch	11 MODERATE
requests	2.24.0	2.32.5	minor	7 MODERATE
backoff	1.10.0	1.11.1	minor	-
googleapis-common-protos	1.52.0	1.72.0	minor	-
six	1.15.0	1.17.0	minor	-
wrapt	1.12.1	1.17.3	minor	-

Packages marked with "-" are updated due to dependency constraints.

---

Security Details

🚨 Critical & High Severity (2 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
grpcio	GHSA-496j-2rq6-j6cc	HIGH	Excessive Iteration in gRPC	1.32.0	1.53.2
grpcio	CVE-2023-33953	HIGH	-	1.32.0	-

ℹ️ Other Vulnerabilities (18)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
Jinja2	PYSEC-2021-66	MODERATE	-	2.11.2	2.11.3
Jinja2	GHSA-g3rq-g295-4j3m	MODERATE	Regular Expression Denial of Service (ReDoS) in Jinja2	2.11.2	2.11.3
Jinja2	CVE-2024-34064	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	2.11.2	-
Jinja2	GHSA-h75v-3vvj-5mfj	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	2.11.2	3.1.4
Jinja2	CVE-2024-56326	MODERATE	Jinja has a sandbox breakout through indirect reference to format method	2.11.2	-
Jinja2	GHSA-q2x7-8rv6-6q7h	MODERATE	Jinja has a sandbox breakout through indirect reference to format method	2.11.2	3.1.5
Jinja2	CVE-2020-28493	MODERATE	-	2.11.2	-
Jinja2	GHSA-cpwx-vrp4-4pq7	MODERATE	Jinja2 vulnerable to sandbox breakout through attr filter selecting format method	2.11.2	3.1.6
Jinja2	CVE-2025-27516	MODERATE	Jinja sandbox breakout through attr filter selecting format method	2.11.2	-
Jinja2	GHSA-h5c8-rqwp-cp95	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	2.11.2	3.1.3
Jinja2	CVE-2024-22195	MODERATE	Jinja vulnerable to Cross-Site Scripting (XSS)	2.11.2	-
requests	GHSA-9hjg-9r4m-mvj7	MODERATE	Requests vulnerable to .netrc credentials leak via malicious URLs	2.24.0	2.32.4
requests	CVE-2024-47081	MODERATE	Requests vulnerable to .netrc credentials leak via malicious URLs	2.24.0	-
requests	GHSA-j8r2-6x86-q33q	MODERATE	Unintended leak of Proxy-Authorization header in requests	2.24.0	2.31.0
requests	CVE-2023-32681	MODERATE	Unintended leak of Proxy-Authorization header in requests	2.24.0	-
requests	CVE-2024-35195	MODERATE	Requests Session object does not verify requests after making first request with verify=False	2.24.0	-
requests	GHSA-9wx4-h78v-vm56	MODERATE	Requests Session object does not verify requests after making first request with verify=False	2.24.0	2.32.0
requests	PYSEC-2023-74	MODERATE	-	2.24.0	74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5

⚠️ Dependencies that have Reached EOL (7)

Dependency	Unsafe Version	EOL Date	New Version	Path
Jinja2	2.11.2	-	2.11.3	opentelemetry/python-microservice/requirements.txt
backoff	1.10.0	-	1.11.1	opentelemetry/python-microservice/requirements.txt
googleapis-common-protos	1.52.0	-	1.72.0	opentelemetry/python-microservice/requirements.txt
grpcio	1.32.0	Sep 9, 2025	1.78.1	opentelemetry/python-microservice/requirements.txt
requests	2.24.0	-	2.32.5	opentelemetry/python-microservice/requirements.txt
six	1.15.0	-	1.17.0	opentelemetry/python-microservice/requirements.txt
wrapt	1.12.1	-	1.17.3	opentelemetry/python-microservice/requirements.txt

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System