
Upgrade dependency on Tornado to ≥ 6.5.0 to remediate CVE-2025-47287 (GHSA-7cx3-6m66-7c5m) #1261

@nathan-gilbert

Description


OpenHTF currently (or at least in its dependency tree) relies on Tornado version 6.4.2. That version is affected by a known vulnerability: CVE-2025-47287 (alias GHSA-7cx3-6m66-7c5m).

The problem is that Tornado's multipart/form-data parser, when it encounters malformed parts, logs warnings and continues to parse the remainder of the data. Because the logging subsystem is synchronous, an attacker can send specially crafted multipart requests to generate a huge volume of log entries, leading to a denial-of-service (DoS) condition.

The advisory states: All versions of Tornado prior to 6.5.0 are affected.

If OpenHTF is running any HTTP endpoint using Tornado—or exposes multipart/form-data handlers—this vulnerability could allow remote actors to degrade service availability. Even if OpenHTF itself doesn't expose such handlers, downstream integrations might.

The solution would be to upgrade the Tornado dependency to >= 6.5.0, which is the version where the fix is applied. I've manually overridden this in my local project, and OpenHTF appears to work. However, I'm not using any web server features that I'm aware of, so I'm unsure of the upgrade implications for this project.
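The following script is an added example (not OpenHTF or Tornado project code) for anyone triaging this issue in their own environment. It does two things: it decides whether a Tornado version string falls in the affected range (anything older than 6.5.0, including 6.5.0 pre-releases), and, if Tornado is importable, it feeds a constructed body with many header-less parts to `tornado.httputil.parse_multipart_form_data` and counts how many WARNING records the parser writes to the `tornado.general` logger (where Tornado's `gen_log` lives). On 6.4.x each malformed part produces one warning, which is the log-flood mechanism the advisory describes. The simplified version parser, the `probe` boundary, and the `junk` part body are assumptions made for this example; the script does not assert what a fixed parser does beyond reporting whether it raised or how much it logged.

```python
"""Check an environment for CVE-2025-47287 (Tornado multipart/form-data log flood).

Added example for this issue, not OpenHTF or Tornado project code.
Assumptions (simplified version parsing, constructed probe body) are marked below.
"""
import logging
import re
from importlib import metadata

# Per the advisory: every Tornado release before 6.5.0 is affected.
FIXED_VERSION = (6, 5, 0)

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")


def version_key(version: str):
    """Turn '6.4.2' / '6.5.0b1' / '7.0' into a comparable tuple.

    A non-empty suffix (a, b, rc, dev) sorts before the final release of the
    same number, so '6.5.0b1' is still treated as affected. Assumption: this
    is enough for Tornado's release strings; it is not a full PEP 440 parser
    (a '.postN' suffix would be flagged affected, which errs on the safe side).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch, suffix = m.groups()
    is_final = 1 if suffix == "" else 0
    return (int(major), int(minor or 0), int(patch or 0), is_final)


def is_affected(version: str) -> bool:
    """True when `version` is older than the first fixed release, 6.5.0."""
    return version_key(version) < FIXED_VERSION + (1,)


def installed_tornado_status():
    """Return (version, affected) for the installed Tornado, or (None, None)."""
    try:
        ver = metadata.version("tornado")
    except metadata.PackageNotFoundError:
        return None, None
    return ver, is_affected(ver)


def malformed_multipart(boundary: bytes, parts: int) -> bytes:
    """Constructed request body: `parts` parts with no header/body separator
    (no CRLFCRLF), followed by the final boundary so the parser does not stop
    early. In the pre-fix parser each such part is one 'missing headers' warning."""
    part = b"--" + boundary + b"\r\n" + b"junk\r\n"
    return part * parts + b"--" + boundary + b"--"


def probe_parser(parts: int = 1000):
    """Run the constructed body through Tornado's multipart parser and count
    WARNING records emitted on the 'tornado.general' logger.

    Returns (warnings_logged, exception_type_name), or None if Tornado is not
    importable. On an affected version expect about `parts` warnings and no
    exception; a remediated version should not flood the log.
    """
    try:
        from tornado import httputil
    except ImportError:
        return None

    counter = {"n": 0}

    class _CountWarnings(logging.Handler):
        def emit(self, record):
            if record.levelno >= logging.WARNING:
                counter["n"] += 1

    log = logging.getLogger("tornado.general")
    handler = _CountWarnings()
    log.addHandler(handler)
    exc_name = None
    try:
        body = malformed_multipart(b"probe", parts)  # 'probe' boundary is an assumption
        httputil.parse_multipart_form_data(b"probe", body, {}, {})
    except Exception as exc:  # a fixed parser may reject the body instead of logging
        exc_name = type(exc).__name__
    finally:
        log.removeHandler(handler)
    return counter["n"], exc_name


if __name__ == "__main__":
    ver, affected = installed_tornado_status()
    if ver is None:
        print("tornado is not installed in this environment")
    else:
        print(f"tornado {ver}: {'AFFECTED' if affected else 'fixed'} (fix in 6.5.0)")
        print("parser probe (warnings logged, exception):", probe_parser())
```

Run it inside the virtualenv that carries OpenHTF's dependency tree; a large warning count per request on the probe is the symptom the advisory describes, and the version check is what a CI gate would pin on until the dependency bound is raised to >= 6.5.0.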
