
ENG-2994: Bump Tornado to ~=6.5.5#7716

Merged
erosselli merged 2 commits into main from erosselli/ENG-2994 on Mar 20, 2026

Conversation

@erosselli
Contributor

@erosselli erosselli commented Mar 20, 2026

Ticket ENG-2994

Description Of Changes

Bumps Tornado from 6.5.4 to 6.5.5 to address CVE-2026-31958 (multipart DoS) and GHSA-78cv-mqj4-43f7 (cookie attribute injection). Tornado is not used directly by fides — it's a transitive dependency via Flower (Celery monitoring dashboard).

Code Changes

  • Widened tornado~=6.5.2 → tornado~=6.5.5 in pyproject.toml
  • Regenerated uv.lock
  • Added changelog entry

Steps to Confirm

  1. CI passes — no direct tornado imports in fides

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • No UX review needed
  • Followup issues:
    • No followup issues
  • Database migrations:
    • No migrations
  • Documentation:
    • No documentation updates required

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@vercel
Contributor

vercel bot commented Mar 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project               Deployment  Actions   Updated (UTC)
fides-plus-nightly    Ignored     Ignored   Mar 20, 2026 6:30pm
fides-privacy-center  Ignored     Ignored   Mar 20, 2026 6:30pm

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@erosselli erosselli changed the title from "ENG-2994: Bump Tornado to >=6.5.5" to "ENG-2994: Bump Tornado to ~=6.5.5" Mar 20, 2026
@erosselli erosselli marked this pull request as ready for review March 20, 2026 18:31
@greptile-apps
Contributor

greptile-apps bot commented Mar 20, 2026

Greptile Summary

This PR bumps the transitive tornado dependency from 6.5.4 → 6.5.5 to address two security advisories: CVE-2026-31958 (multipart DoS) and GHSA-78cv-mqj4-43f7 (cookie attribute injection). Tornado is not used directly by Fides — it is pulled in as a transitive dependency of Flower (the Celery monitoring dashboard).

  • pyproject.toml: version constraint widened from ~=6.5.2 to ~=6.5.5, which correctly requires at least the patched version while still allowing future 6.5.x patch releases.
  • uv.lock: regenerated cleanly; note that tornado 6.5.5 drops 32-bit Linux (i686) wheels, but this has no practical impact on Fides' supported platforms.
  • changelog/7716-bump-tornado.yaml: properly categorised as Security with both advisory identifiers cited.

No functional code changes, no migrations, and no direct Tornado imports in the Fides codebase. This is a safe, minimal security patch.

Confidence Score: 5/5

  • This PR is safe to merge — it is a minimal, targeted security patch with no functional code changes.
  • All three changed files are straightforward: a one-line version constraint bump in pyproject.toml, the corresponding regenerated lock file, and a changelog entry. No application logic is touched, there are no direct Tornado imports in Fides, and the version operator (~=6.5.5) is correct.
  • No files require special attention.

Important Files Changed

Filename: Overview
  • pyproject.toml: Widened tornado constraint from ~=6.5.2 to ~=6.5.5, correctly pinning to the patched security release while still allowing future 6.5.x patch updates.
  • uv.lock: Lock file updated from tornado 6.5.4 → 6.5.5 with regenerated hashes. The 6.5.5 release drops 32-bit Linux wheels (i686) compared to 6.5.4, which is expected for modern Python packages and shouldn't affect production deployments.
  • changelog/7716-bump-tornado.yaml: New changelog entry correctly categorised as Security with both CVE identifiers referenced.

Last reviewed commit: "Fix changelog PR num..."


@claude claude bot left a comment


Code Review — Tornado Security Bump

Clean, well-scoped security patch. No issues found.

What was verified:

  • pyproject.toml: Constraint correctly tightened from ~=6.5.2 → ~=6.5.5. The ~= (compatible release) operator means >=6.5.5, <6.6.0, so the patched version is now enforced as the floor. The previous constraint would have permitted installing the vulnerable 6.5.2–6.5.3 range on a clean install. ✓
  • uv.lock: Consistently updated to 6.5.5 with correct hashes for all platform wheels. The reduction from 11 to 9 wheel entries reflects upstream packaging changes in the tornado 6.5.5 release (dropped older manylinux1/manylinux2014 i686 wheels) — not a concern. ✓
  • changelog/7716-bump-tornado.yaml: Type correctly set to Security, CVE and GHSA references look accurate. ✓

No code logic changes, no migration, no API surface changes. LGTM.
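The compatible-release semantics the review above relies on, as an added example that is not part of this PR or of the fides code base: a small PEP 440 `~=` checker for plain numeric versions (pre-release, post-release and dev segments are deliberately not handled, an assumed simplification), run over the tornado 6.5.x versions named on this page plus a hypothetical 6.6.0 to show where the upper bound falls.

```python
"""Which tornado versions does each constraint in this PR admit?

Added example, not fides code. Implements the PEP 440 compatible-release
rule (~=X.Y.Z  ==  >=X.Y.Z, <X.(Y+1)) for plain dotted numeric versions only.
"""
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version such as '6.5.5' into a tuple of ints."""
    return tuple(int(part) for part in text.strip().split("."))


def compatible_release_bounds(spec: str) -> Tuple[Version, Version]:
    """Return (floor, ceiling) for a '~=' specifier.

    The ceiling drops the last component and increments the one before it,
    so '~=6.5.5' becomes (6, 5, 5) <= v < (6, 6), i.e. >=6.5.5, <6.6.0.
    """
    if not spec.startswith("~="):
        raise ValueError(f"not a compatible-release specifier: {spec!r}")
    floor = parse_version(spec[2:])
    if len(floor) < 2:
        raise ValueError("~= needs at least two version components")
    ceiling = floor[:-2] + (floor[-2] + 1,)
    return floor, ceiling


def satisfies(version: str, spec: str) -> bool:
    """True if `version` lies in the half-open range described by `spec`.

    Tuple comparison matches PEP 440 zero-padding here: (6, 6, 0) is not
    less than (6, 6), so 6.6.0 is correctly excluded by ~=6.5.x.
    """
    floor, ceiling = compatible_release_bounds(spec)
    return floor <= parse_version(version) < ceiling


# Releases named on this page (6.5.2 .. 6.5.5); 6.6.0 is a hypothetical
# future minor release added only to exercise the upper bound.
TORNADO_CANDIDATES = ["6.5.2", "6.5.3", "6.5.4", "6.5.5", "6.6.0"]


def vulnerable_versions_allowed(spec: str, patched: str = "6.5.5") -> List[str]:
    """Candidates the constraint admits that are older than the patched release."""
    fixed = parse_version(patched)
    return [v for v in TORNADO_CANDIDATES
            if satisfies(v, spec) and parse_version(v) < fixed]
```

With the old constraint `~=6.5.2` a clean install could resolve to any of 6.5.2, 6.5.3 or 6.5.4; with `~=6.5.5` the list of admitted pre-patch versions is empty while 6.5.x patch releases remain allowed.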

@erosselli erosselli added this pull request to the merge queue Mar 20, 2026
Merged via the queue into main with commit c839823 Mar 20, 2026
57 of 58 checks passed
@erosselli erosselli deleted the erosselli/ENG-2994 branch March 20, 2026 19:16