ci(deps): bump tornado from 6.5.1 to 6.5.7 #3135
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.1 to 6.5.7.
- [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst)
- [Commits](tornadoweb/tornado@v6.5.1...v6.5.7)

---
updated-dependencies:
- dependency-name: tornado
  dependency-version: 6.5.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
LGTM, mechanical dependabot patch bump of tornado (transitive dev dependency via ipykernel/jupyter-client) including security fixes.
Extended reasoning...
Overview
This is a Dependabot PR bumping tornado from 6.5.1 to 6.5.7 in uv.lock only. Tornado is a transitive dev dependency pulled in via ipykernel and jupyter-client (Jupyter notebook execution for cookbooks). No source code is touched, no pyproject.toml changes — just lockfile updates with new wheels and hashes. The lockfile revision is also bumped from 2 to 3, which is expected when regenerating with a newer uv.
Security risks
None introduced by this PR. The bump goes the other direction — 6.5.x patch releases between 6.5.1 and 6.5.7 include security fixes (e.g. stripping auth headers on cross-origin redirects in simple_httpclient, curl client reset on freelist). Since tornado is only used here for local Jupyter kernel/cookbook execution (dev dependency), the security impact is low either way.
Level of scrutiny
Low. This is a patch-version dependency bump on a dev-only transitive dependency, generated by Dependabot and labelled auto-merge. The change is mechanical and limited to lockfile entries. No logic, config, or build changes.
Other factors
The PR carries the auto-merge label, indicating the repo's intended workflow for these. Vercel preview build is running. No outstanding reviewer comments.
Bumps tornado from 6.5.1 to 6.5.7.
Changelog
Sourced from tornado's changelog.
... (truncated)
Commits
- 48fc2d4 Merge pull request #3633 from bdarnell/curl-reset-65
- 4ae1ddd Release notes and version bump for 6.5.7
- 3154caa curl_httpclient: Reset the curl object before putting it on the freelist
- 7d869c0 Merge pull request #3631 from bdarnell/cve-links
- 288241f docs: Use the correct link syntax
- 8da981c docs: Add CVE links to 6.5.6 release notes
- aba2569 Merge pull request #3626 from bdarnell/fixes-656
- a24b260 httpclient_test: Accept an additional error message variant
- a74240a Release notes and version bump for 6.5.6.
- e8fc7ed simple_httpclient: Strip auth headers on cross-origin redirects

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.