fix(deps): update tornado (high)#1135

Open
claude[bot] wants to merge 1 commit intomainfrom
claude/dependabot-sweep-tornado

Conversation


@claude claude bot commented Feb 25, 2026

Summary

  • Add tornado>=6.5 constraint dependency (scoped to Python 3.9+) in pyproject.toml to address two high-severity security advisories
  • Regenerate uv.lock — tornado updated from 6.4.1 to 6.5.4 for Python >= 3.9

Advisories Resolved

| Advisory | CVE | Severity | Summary |
| --- | --- | --- | --- |
| GHSA-7cx3-6m66-7c5m | CVE-2025-47287 | HIGH | Tornado vulnerable to excessive logging caused by malformed multipart form data |
| GHSA-8w49-h785-mj3c | CVE-2024-52804 | HIGH | Tornado has an HTTP cookie parsing DoS vulnerability |

Lockfiles Modified

  • uv.lock

Notes

Tornado 6.5 requires Python >= 3.9. Since this project supports Python >= 3.8.1, the constraint is applied with a python_version >= '3.9' marker. The Python < 3.9 resolution fork retains tornado 6.4.1 as no compatible patched version exists for that Python version. Python 3.8 reached end-of-life in October 2024.

Resolves #1132

…lnerabilities

Add uv constraint-dependency to enforce tornado>=6.5 on Python 3.9+,
resolving GHSA-7cx3-6m66-7c5m (CVE-2025-47287) and GHSA-8w49-h785-mj3c
(CVE-2024-52804). Tornado 6.5 requires Python 3.9+, so the constraint
is scoped with a version marker. Python 3.8 retains tornado 6.4.1 as
no compatible patched version exists for that Python version.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@claude claude bot requested a review from a team as a code owner February 25, 2026 22:20
@claude claude bot requested review from lia-viam and njooma February 25, 2026 22:20
@ale7714 ale7714 self-assigned this Feb 25, 2026

@claude claude bot left a comment


Code Review: fix(deps): update tornado (high)

This PR correctly addresses two high-severity CVEs (CVE-2025-47287 and CVE-2024-52804) by constraining the transitive dependency tornado to >=6.5 on Python 3.9+.

Correctness

  • [tool.uv] constraint-dependencies is the correct uv mechanism for constraining transitive packages without adding them as direct dependencies. Using override-dependencies would be too heavy-handed; the floor constraint is the right approach here.
  • The Python version marker python_version>='3.9' is correctly scoped. Tornado 6.5 dropped Python 3.8 support, and uv normalises this to python_full_version >= '3.9' in the lockfile — this is expected behaviour, not a discrepancy.
  • The lockfile correctly resolves two independent tornado forks: 6.4.1 for python_full_version < '3.9' and 6.5.4 for python_full_version >= '3.9'. The resolution-markers in the lock file cover all cases exhaustively.
  • src/viam/gen/ was not touched. No runtime source files were modified.

Security

  • Tornado is a transitive dependency (pulled in through ipykernel → jupyter_client in the dev dependency graph). It is not a direct runtime dependency of viam-sdk itself, so this change has zero impact on published package consumers and only affects the dev/test environment. This is the appropriate scope for the fix.
  • All wheel hashes in the lockfile are present for both tornado entries.

No issues found. The change is minimal and correct. No fixes required.
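The PR description and the review above both turn on the same two checks: the `[tool.uv] constraint-dependencies` floor only applies where its Python marker holds, and each tornado resolution fork in uv.lock must meet the floor that applies to it and carry wheel hashes. The script below is an added example, not code from this PR or the viam-sdk project. It parses a constructed pyproject.toml fragment and a constructed uv.lock excerpt with the standard-library TOML reader and audits the forks for a handful of interpreter versions. The uv.lock layout it reads (package tables with `name`, `version`, `resolution-markers` and `wheels`) is assumed from the PR's description, and the URLs, hashes and sizes are placeholders.

```python
"""Audit a uv.lock for a constrained transitive package, fork by fork.

Added example, not code from this PR or the viam-sdk project. The uv.lock
layout is assumed from the PR text; URLs, hashes and sizes are placeholders.
"""
import operator
import re

try:
    import tomllib  # stdlib on Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib  # type: ignore

# Constructed pyproject fragment: a [tool.uv] constraint-dependencies floor
# scoped by the python_version marker the PR describes (assumed syntax).
PYPROJECT = """
[tool.uv]
constraint-dependencies = [
    "tornado>=6.5; python_version >= '3.9'",
]
"""

# Constructed uv.lock excerpt with the two tornado forks the PR describes.
# Placeholder URLs and hashes; these are not real PyPI artefacts.
UV_LOCK = """
[[package]]
name = "tornado"
version = "6.4.1"
resolution-markers = [
    "python_full_version < '3.9'",
]
wheels = [
    { url = "https://example.invalid/tornado-6.4.1.whl", hash = "sha256:PLACEHOLDER_6_4_1", size = 1 },
]

[[package]]
name = "tornado"
version = "6.5.4"
resolution-markers = [
    "python_full_version >= '3.9'",
]
wheels = [
    { url = "https://example.invalid/tornado-6.5.4.whl", hash = "sha256:PLACEHOLDER_6_5_4", size = 1 },
]
"""

# Single-clause markers only: python_version / python_full_version <op> 'X.Y[.Z]'.
MARKER_RE = re.compile(r"(python_version|python_full_version)\s*(>=|<=|==|<|>)\s*'([\d.]+)'")
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq, "<": operator.lt, ">": operator.gt}


def parse_version(text):
    """Numeric dotted versions only (enough for tornado and CPython here)."""
    return tuple(int(part) for part in text.strip().split("."))


def marker_holds(marker, python):
    """Evaluate one Python version marker against interpreter version `python`.
    python_version compares major.minor only; python_full_version compares all
    components. Any other marker shape is rejected rather than guessed."""
    if marker is None:
        return True
    match = MARKER_RE.fullmatch(marker.strip())
    if match is None:
        raise ValueError(f"unsupported marker: {marker!r}")
    var, op, bound = match.groups()
    current = parse_version(python)
    if var == "python_version":
        current = current[:2]
    return OPS[op](current, parse_version(bound))


def parse_constraints(pyproject_text):
    """Map package name -> (floor, marker) from [tool.uv].constraint-dependencies.
    Only '>=' floors are recognised; other operators are skipped on purpose."""
    data = tomllib.loads(pyproject_text)
    floors = {}
    for spec in data.get("tool", {}).get("uv", {}).get("constraint-dependencies", []):
        requirement, _, marker = spec.partition(";")
        if ">=" not in requirement:
            continue
        name, floor = requirement.split(">=", 1)
        floors[name.strip().lower()] = (floor.strip(), marker.strip() or None)
    return floors


def audit(pyproject_text, lock_text, package, pythons):
    """For each interpreter version, report the fork uv would select for
    `package`, whether it meets the floor that applies there, and whether
    every wheel of that fork carries a hash."""
    floor, marker = parse_constraints(pyproject_text).get(package.lower(), (None, None))
    lock = tomllib.loads(lock_text)
    entries = [p for p in lock.get("package", []) if p["name"].lower() == package.lower()]
    findings = []
    for python in pythons:
        required = floor if floor is not None and marker_holds(marker, python) else None
        for entry in entries:
            markers = entry.get("resolution-markers")  # absent means "all forks"
            if markers and not any(marker_holds(m, python) for m in markers):
                continue
            version = entry["version"]
            findings.append({
                "python": python, "version": version, "floor": required,
                "ok": required is None or parse_version(version) >= parse_version(required),
                "hashed": all("hash" in wheel for wheel in entry.get("wheels", [])),
            })
    return findings


if __name__ == "__main__":
    for finding in audit(PYPROJECT, UV_LOCK, "tornado", ["3.8", "3.9", "3.12"]):
        print(finding)
```

Run against the constructed inputs, the 3.8 row reports 6.4.1 with no floor applied (the marker excludes it, matching the PR's note that no patched release exists there), while the 3.9 and 3.12 rows report 6.5.4 against a 6.5 floor. Editing the 3.9 fork back to 6.4.1 flips that row to `ok: False`, which is the regression this check exists to catch. The marker evaluator deliberately handles only the single-clause form seen in this lockfile and raises on anything else, so a more complex marker surfaces as an error instead of silently passing.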

