fix(deps): vuln major upgrades — 9 packages (major: 3 · unstable: 1 · minor: 5) [Doc]

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 9 packages upgraded (MAJOR changes included)

Manifests changed:

• Doc (pip)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
urllib3	2.2.3	2.6.3	minor	Direct	6 HIGH, 4 MODERATE
alabaster	0.7.16	1.0.0	major	Direct	-
docutils	0.20.1	0.22.4	unstable	Direct	-
python-docs-theme	2022.1	2025.5	major	Direct	-
snowballstemmer	2.2.0	3.0.1	major	Direct	-
certifi	2024.8.30	2024.12.14	minor	Direct	-
idna	3.10	3.12	minor	Direct	-
imagesize	1.4.1	1.5.0	minor	Direct	-
packaging	24.1	24.2	minor	Direct	-

Packages marked with "-" are updated due to dependency constraints.

---

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

• Review the changelog/release notes for breaking changes
• Test thoroughly in a staging environment
• Update any code that depends on changed APIs
• Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (6 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
urllib3	GHSA-2xpw-w6gg-jr37	HIGH	urllib3 streaming API improperly handles highly compressed data	2.2.3	2.6.0
urllib3	CVE-2025-66471	HIGH	urllib3 Streaming API improperly handles highly compressed data	2.2.3	-
urllib3	GHSA-gm62-xv2j-4w53	HIGH	urllib3 allows an unbounded number of links in the decompression chain	2.2.3	2.6.0
urllib3	CVE-2025-66418	HIGH	urllib3 allows an unbounded number of links in the decompression chain	2.2.3	-
urllib3	GHSA-38jv-5279-wg99	HIGH	Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)	2.2.3	2.6.3
urllib3	CVE-2026-21441	HIGH	urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)	2.2.3	-

ℹ️ Other Vulnerabilities (4)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
urllib3	GHSA-pq67-6m6q-mj2v	MODERATE	urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation	2.2.3	2.5.0
urllib3	CVE-2025-50181	MODERATE	urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation	2.2.3	-
urllib3	GHSA-48p4-8xcf-vxj5	MODERATE	urllib3 does not control redirects in browsers and Node.js	2.2.3	2.5.0
urllib3	CVE-2025-50182	MODERATE	urllib3 does not control redirects in browsers and Node.js	2.2.3	-

---

Review Checklist

Extra review is recommended for this update:

• Review changes for compatibility with your code
• Check release notes for breaking changes
• Run integration tests to verify service behavior
• Test in staging environment before production
• Monitor key metrics after deployment
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

---

📚 Documentation preview 📚: https://cpython-previews--46.org.readthedocs.build/