fix(deps): vuln minor upgrades — 9 packages (minor: 1 · patch: 8) [datadog_checks_base]

[gh-worker-campaigns-3e9aa4]

Summary: Security update — 9 packages upgraded (MINOR changes included)

Manifests changed:

• datadog_checks_base (pep621)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
cryptography	46.0.6	46.0.7	patch	Direct	1 MODERATE
pydantic	2.12.5	2.13.3	minor	Direct	-
botocore	1.42.72	1.42.92	patch	Direct	-
cachetools	7.0.5	7.0.6	patch	Direct	-
ddtrace	3.19.5	3.19.7	patch	Direct	-
hatchling	0.11.2	0.11.3	patch	Direct	-
orjson	3.11.7	3.11.8	patch	Direct	-
protobuf	7.34.0	7.34.1	patch	Direct	-
requests	2.33.0	2.33.1	patch	Direct	-

Packages marked with "-" are updated due to dependency constraints.

---

Security Details

ℹ️ Other Vulnerabilities (1)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
cryptography	GHSA-p423-j2cm-9vmq	MODERATE	Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed to APIs	46.0.6	46.0.7

⚠️ Dependencies that have Reached EOL (3)

Dependency	Unsafe Version	EOL Date	New Version	Path
cachetools	7.0.5	-	7.0.6	datadog_checks_base/pyproject.toml
cryptography	46.0.6	-	46.0.7	datadog_checks_base/pyproject.toml
requests	2.33.0	-	2.33.1	datadog_checks_base/pyproject.toml

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

cryptography (46.0.6 → 46.0.7) — Commit comparison

• 622d672 46.0.7 release (46.0.7 release pyca/cryptography#14602)

pydantic (2.12.5 → 2.13.3) — GitHub Release

v2.13.3

v2.13.3 (2026-04-20)

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @Viicos in https://github.com/pydantic/pydantic/issues/13096

Full Changelog: pydantic/pydantic@v2.13.2...v2.13.3

v2.13.2

v2.13.2 (2026-04-17)

What's Changed

Fixes

• Fix ValidationInfo.field_name missing with model_validate_json() by @Viicos in https://github.com/pydantic/pydantic/issues/13084

Full Changelog: pydantic/pydantic@v2.13.1...v2.13.2

v2.13.1

v2.13.1 (2026-04-15)

What's Changed

Fixes

• Fix ValidationInfo.data missing with model_validate_json() by @davidhewitt in https://github.com/pydantic/pydantic/issues/13079

Full Changelog: pydantic/pydantic@v2.13.0...v2.13.1

v2.13.0

v2.13.0 (2026-04-13)

The highlights of the v2.13 release are available in the blog post.
Several minor changes (considered non-breaking changes according to our versioning policy) are also included in this release. Make sure to look into them before upgrading.

This release contains the updated pydantic.v1 namespace, matching version 1.10.26 which includes support for Python 3.14.

What's Changed

See the beta releases for all changes sinces 2.12.

Packaging

• Add zizmor for GitHub Actions workflow linting by @Viicos in https://github.com/pydantic/pydantic/issues/13039
• Update jiter to v0.14.0 to fix a segmentation fault on musl Linux by @Viicos in https://github.com/pydantic/pydantic/issues/13064

New Features

• Allow default factories of private attributes to take validated model data by @Viicos in https://github.com/pydantic/pydantic/issues/13013

Changes

• Warn when serializing fixed length tuples with too few items by @arvindsaripalli in https://github.com/pydantic/pydantic/issues/13016

Fixes

• Change type of Any when synthesizing _build_sources for BaseSettings.__init__() signature in the mypy plugin by @Viicos in https://github.com/pydantic/pydantic/issues/13049
• Fix model equality when using runtime extra configuration by @Viicos in https://github.com/pydantic/pydantic/issues/13062

New Contributors

• @arvindsaripalli made their first contribution in https://github.com/pydantic/pydantic/issues/13016

Full Changelog: pydantic/pydantic@v2.12.0...v2.13.0

botocore (1.42.72 → 1.42.92) — Commit comparison

• 8f03ea2 Merge branch 'release-1.42.90' into develop
• 30bb6b7 Bumping version to 1.42.90
• a35866f Update endpoints model
• 4d4cd43 Update to latest models
• a26d4c3 Bump actions/github-script from 8.0.0 to 9.0.0 (Bump actions/github-script from 8.0.0 to 9.0.0 boto/botocore#3672)
• 12bf0cd Bump aws-actions/configure-aws-credentials from 6.0.0 to 6.1.0 (Bump aws-actions/configure-aws-credentials from 6.0.0 to 6.1.0 boto/botocore#3673)
• 0db98ca Fix bug with auth_scheme_preference when endpoint resolves from EP2.0 or operation-level trait (Fix bug with auth_scheme_preference when endpoint resolves from EP2.0 or operation-level trait boto/botocore#3670)
• 9b76a62 Merge branch 'release-1.42.89'
• a38f490 Merge branch 'release-1.42.89' into develop
• 9402965 Bumping version to 1.42.89
• d7f945c Update endpoints model
• b84a3d3 Update to latest models
• 974e23f Merge branch 'release-1.42.88'
• 3ed8b67 Merge branch 'release-1.42.88' into develop
• ec1ea27 Bumping version to 1.42.88

... and 85 more commits

cachetools (7.0.5 → 7.0.6) — Commit comparison

• 28d4506 Release v7.0.6.
• 51921a4 Remove _TimedCache default timer to simplify type stubs.
• a4249f6 Bump codecov/codecov-action from 5.5.2 to 6.0.0 (Bump codecov/codecov-action from 5.5.2 to 6.0.0 tkem/cachetools#392)
• aa87283 feat: update project URLs in pyproject.toml to show on pypi.org (feat: update project URLs in pyproject.toml to show on pypi.org tkem/cachetools#390)

ddtrace (3.19.5 → 3.19.7) — GitHub Release

v3.19.7

Estimated end-of-life date, accurate to within three months: 08-2026
See the support level definitions for more information.

Bug Fixes

• AAP: Fixes a memory corruption issue where concurrent calls to the WAF on the same request context from multiple threads (e.g. an asyncio event loop and a thread pool executor inheriting the same context via contextvars) could cause use-after-free or double-free crashes (SIGSEGV) inside libddwaf. A per-context lock now serializes WAF calls on the same context.

v3.19.6

Estimated end-of-life date, accurate to within three months: 08-2026
See the support level definitions for more information.

Bug Fixes

• profiling: fixed an issue that causes greenlets to misbehave when gevent.joinall is called.

orjson (3.11.7 → 3.11.8) — GitHub Release

Changed

• Build and compatibility improvements.

requests (2.33.0 → 2.33.1) — GitHub Release

2.33.1 (2026-03-30)

Bugfixes

• Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary
  files in the tmp directory. (Cleanup extracted file after extract_zipped_path test psf/requests#7305)
• Fixed Content-Type header parsing for malformed values. (Fix malformed value parsing for Content-Type psf/requests#7309)
• Improved error consistency for malformed header values. (Fix cosmetic header validity parsing regex psf/requests#7308)

New Contributors

• @ferdnyc made their first contribution in Packaging: DRY out extras definition psf/requests#7277

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30

---

Generated by ADMS Sources: 4 GitHub Releases, 3 Commit comparisons, 2 not available.

[dd-octo-sts]

Validation Report

Validation	Description	Status
dep	Verify dependency pins are consistent and Agent-compatible	❌

Run ddev validate all changed --fix to attempt to auto-fix supported validations.

Passed validations (19)

Validation	Description	Status
agent-reqs	Verify check versions match the Agent requirements file	✅
ci	Validate CI configuration and Codecov settings	✅
codeowners	Validate every integration has a CODEOWNERS entry	✅
config	Validate default configuration files against spec.yaml	✅
http	Validate integrations use the HTTP wrapper correctly	✅
imports	Validate check imports do not use deprecated modules	✅
integration-style	Validate check code style conventions	✅
jmx-metrics	Validate JMX metrics definition files and config	✅
labeler	Validate PR labeler config matches integration directories	✅
legacy-signature	Validate no integration uses the legacy Agent check signature	✅
license-headers	Validate Python files have proper license headers	✅
licenses	Validate third-party license attribution list	✅
metadata	Validate metadata.csv metric definitions	✅
models	Validate configuration data models match spec.yaml	✅
openmetrics	Validate OpenMetrics integrations disable the metric limit	✅
package	Validate Python package metadata and naming	✅
readmes	Validate README files have required sections	✅
saved-views	Validate saved view JSON file structure and fields	✅
version	Validate version consistency between package and changelog	✅

View full run

[datadog-official]

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 89.23% (+2.17%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: e0bbef0 | Docs | Datadog PR Page | Give us feedback!}

[seberm-6]

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.46%. Comparing base (8571f62) to head (e0bbef0).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.