
Bump tornado from 6.4.1 to 6.5.6 in /experiments/agentcompany/openhands#36

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/experiments/agentcompany/openhands/tornado-6.5.6


Conversation

@dependabot dependabot Bot commented on behalf of github Jun 12, 2026


Bumps tornado from 6.4.1 to 6.5.6.

Changelog

Sourced from tornado's changelog.


Commits
  • aba2569 Merge pull request #3626 from bdarnell/fixes-656
  • a24b260 httpclient_test: Accept an additional error message variant
  • a74240a Release notes and version bump for 6.5.6.
  • e8fc7ed simple_httpclient: Strip auth headers on cross-origin redirects
  • 96dc88c speedups: validate mask length
  • ff808b3 http1connection: Enforce max_body_size in _GzipMessageDelegate
  • ede4e37 auth: Correctly parse check_authentication response
  • 1c178be Remove obsolete curl force_timeout workaround
  • c99d55b Replace deprecated pycurl IOCTLFUNCTION callback with SEEKFUNCTION
  • 2761431 Merge pull request #3587 from bdarnell/fix-link
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Greptile Summary

This PR bumps tornado from 6.4.1 to 6.5.6 in the OpenHands experiment requirements file. The upgrade includes security fixes and bug fixes across several patch releases.

  • Security: simple_httpclient now strips Authorization and other auth headers when following cross-origin redirects, preventing credential leakage to unintended hosts.
  • Security/correctness: _GzipMessageDelegate now properly enforces max_body_size, and the C-extension speedups module validates WebSocket mask lengths to prevent malformed frames.
  • No breaking changes: The upgrade stays within the same minor version series (6.4 → 6.5) and Dependabot reports a high compatibility score.

Confidence Score: 5/5

Safe to merge — this is a targeted dependency patch that resolves known security issues without introducing new behavior in application code.

The change is a single-line version pin update in a requirements file. The new version fixes auth-header leakage on cross-origin redirects, enforces decompression size limits, and hardens the WebSocket extension — all improvements over the previous version with no reported breaking changes.

No files require special attention.

Important Files Changed

Filename: experiments/agentcompany/openhands/requirements.txt
Overview: Bumps tornado from 6.4.1 to 6.5.6, a security patch that strips auth headers on cross-origin redirects, enforces max_body_size in GzipMessageDelegate, and validates WebSocket mask lengths.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[HTTP Request via simple_httpclient] --> B{Cross-origin redirect?}
    B -- No --> C[Forward all headers including Auth]
    B -- Yes --> D[Strip Authorization / sensitive headers]
    D --> E[Follow redirect safely]
    C --> E
    E --> F[Response returned to caller]

    subgraph tornado 6.5.6 fixes
        G[GzipMessageDelegate] --> H[Enforce max_body_size]
        I[WebSocket C-ext speedups] --> J[Validate mask length]
    end

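The cross-origin redirect behaviour this summary describes, as an added illustration that is not tornado's own code: the header-forwarding decision a redirect-following client must make, with default-port normalisation and relative Location resolution handled. The set of headers treated as credentials is this example's assumption.

```python
"""Added example, not tornado's implementation: decide which request headers
may be forwarded when following an HTTP redirect, dropping credentials when
the target is a different origin (the fix 6.5.6 adds to simple_httpclient)."""
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials and must not cross an origin boundary.
# This list is an assumption of the example, not tornado's.
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for a URL, so that https://h/ and
    https://h:443/ compare equal and http:// vs https:// do not."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def resolve_redirect(original_url, location):
    """Resolve a Location header (absolute, relative or protocol-relative)
    against the URL that produced the redirect."""
    return urljoin(original_url, location)


def is_cross_origin(original_url, redirect_url):
    return origin(original_url) != origin(redirect_url)


def headers_for_redirect(original_url, location, headers):
    """Return the headers to send on the redirected request. Same-origin
    redirects keep everything; cross-origin ones lose credential headers."""
    redirect_url = resolve_redirect(original_url, location)
    if not is_cross_origin(original_url, redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


if __name__ == "__main__":
    # Constructed sample request: bearer token plus a session cookie.
    sent = {"Authorization": "Bearer t0k3n", "Cookie": "s=1", "Accept": "*/*"}
    for loc in ("/v2/items", "https://api.example.com:443/v2", "//cdn.example.com/f", "http://api.example.com/v2"):
        print(loc, "->", sorted(headers_for_redirect("https://api.example.com/v1/items", loc, sent)))
```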

Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.4.1 to 6.5.6.
- [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst)
- [Commits](tornadoweb/tornado@v6.4.1...v6.5.6)

---
updated-dependencies:
- dependency-name: tornado
  dependency-version: 6.5.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jun 12, 2026
@socket-security


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff: Updated
Package: tornado@6.4.1 ⏵ 6.5.6
Supply Chain Security: 72 (+1)
Vulnerability: 100 (+40)
Quality: 100
Maintenance: 100
License: 100

