← Back to the AI Dependency AtlasExact package identity dossier

tornado

pypi:tornado
pypi

This dossier links the stable identity pypi:tornado to 6 exact observed versions across 7 public repositories.

pypipypi:tornadoecosystem:name + exact version + evidence path

A package identity or provider interface in published code does not prove configuration, an account, procurement, data transfer or an API call.

ecosystem:name + exact version + evidence path
7repositories
10exact evidence rows
6exact versions
1reported license expression
10OSV records returned
Exact published evidence

Observed exact versions and registry metadata

Publication age and licenses come from deps.dev metadata. They are context—not a maintenance, legal or portability verdict.

Exact version6.4.222 Nov 2024
Repositories
2
Occurrences
2
Reported licenses
Apache-2.0
verified publish attestation10 OSV records
Open exact source ↗
Exact version6.5.122 May 2025
Repositories
1
Occurrences
1
Reported licenses
Apache-2.0
verified publish attestation9 OSV records
Open exact source ↗
Exact version6.5.208 Aug 2025
Repositories
2
Occurrences
2
Reported licenses
Apache-2.0
verified publish attestation9 OSV records
Open exact source ↗
Exact version6.5.415 Dec 2025
Repositories
1
Occurrences
1
Reported licenses
Apache-2.0
verified publish attestation6 OSV records
Open exact source ↗
Exact version6.5.510 Mar 2026
Repositories
1
Occurrences
1
Reported licenses
Apache-2.0
verified publish attestation4 OSV records
Open exact source ↗
Exact version6.5.708 Jun 2026
Repositories
1
Occurrences
3
Reported licenses
Apache-2.0
verified publish attestationNo OSV record returned for this exact version
Open exact source ↗
Observed relations

Repositories carrying this identity

MUCGPTlandeshauptstadt-muenchen/mucgpt
6.5.73 Occurrences
SmartPlanAI Anwendungsh/digitalhub-sh/landesprogramm-offene-innovationen/ki-bauleitplaene/smartplanai-anwendung
6.5.2 · 6.5.52 Occurrences
GSA Extractionuba-ki-lab/gsa-extraction
6.5.11 Occurrence
Objection managementuba-ki-lab/objection-management
6.4.21 Occurrence
Ressource Efficient Computer Visionuba-ki-lab/ressource-efficient-computer-vision
6.5.41 Occurrence
strahlenexpositionuba-ki-lab/strahlenexposition
6.4.21 Occurrence
Workshop Green LLM Usageuba-ki-lab/workshop-green-llm-usage
6.5.21 Occurrence
Exact published evidence

exact evidence rows

GSA Extractionuba-ki-lab/gsa-extraction
pypi:tornado@6.5.1uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
MUCGPTlandeshauptstadt-muenchen/mucgpt
pypi:tornado@6.5.7mucgpt-assistant-service/uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
MUCGPTlandeshauptstadt-muenchen/mucgpt
pypi:tornado@6.5.7mucgpt-core-service/uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
MUCGPTlandeshauptstadt-muenchen/mucgpt
pypi:tornado@6.5.7uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
Objection managementuba-ki-lab/objection-management
pypi:tornado@6.4.2uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
Ressource Efficient Computer Visionuba-ki-lab/ressource-efficient-computer-vision
pypi:tornado@6.5.4uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
SmartPlanAI Anwendungsh/digitalhub-sh/landesprogramm-offene-innovationen/ki-bauleitplaene/smartplanai-anwendung
pypi:tornado@6.5.2blp_streamlit_pipeline/src/ext/streamlit-draw-image-mask/poetry.lock
declaration relationship not reportednot marked as development-only
Open exact source ↗
SmartPlanAI Anwendungsh/digitalhub-sh/landesprogramm-offene-innovationen/ki-bauleitplaene/smartplanai-anwendung
pypi:tornado@6.5.5poetry.lock
declaration relationship not reportednot marked as development-only
Open exact source ↗
strahlenexpositionuba-ki-lab/strahlenexposition
pypi:tornado@6.4.2sbom.json
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
Workshop Green LLM Usageuba-ki-lab/workshop-green-llm-usage
pypi:tornado@6.5.2uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
OSV

Related OSV records

GHSA-3x9g-8vmp-wqvf

Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient

6 repositories13 Jul 2026
GHSA-78cv-mqj4-43f7

Tornado has incomplete validation of cookie attributes

6 repositories13 Jul 2026
GHSA-7cx3-6m66-7c5m

Tornado vulnerable to excessive logging caused by malformed multipart form data

2 repositories07 Jul 2026
GHSA-cx3h-4qpv-8hc9

Tornado has out-of-bounds memory access via C extension

6 repositories13 Jul 2026
GHSA-mgf9-4vpg-hj56

tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)

6 repositories13 Jul 2026
GHSA-pw6j-qg29-8w7f

Tornado: CurlAsyncHTTPClient leaks per-request credentials on handle reuse

6 repositories17 Jun 2026
GHSA-qjxf-f2mg-c6mc

Tornado is vulnerable to DoS due to too many multipart parts

6 repositories08 Jun 2026
PYSEC-2025-265

Not reported

5 repositories13 Jul 2026
PYSEC-2025-266

Not reported

5 repositories13 Jul 2026
PYSEC-2025-267

Not reported

5 repositories13 Jul 2026
Interpretation boundary

Exact identities in, explicit limits out

Only exact npm and PyPI tuples are enriched. Reported SPDX expressions are metadata; no compatibility, obligation or legal conclusion is inferred.

Retrieval, parsing, matching and publishing use no generative AI model.

i6eal (2026): tornado — exact AI dependency evidence dossier, data state 19 Jul 2026. https://i6eal.de/en/tools/ki-abhaengigkeitsatlas/paket/tornado-ab0f364e/

Reading this dossier

Does package presence prove that a provider is used?
No. Even a direct interface declaration does not establish configuration, credentials, procurement, data transfer or an API call.
Why are exact versions required?
OSV and registry metadata can be linked reproducibly only to an observed package@version tuple. The collector never substitutes a newest release for a range.
Does a missing row mean the dependency is absent?
No. It means not observed within the bounded files and repository checkpoint. Incomplete trees and parser failures remain explicit.

Need a permanent dependency evidence trail for another public code cohort?

We build source-backed data products with stable identities, reproducible joins and boundaries that remain visible.

Discuss a data projectExplore all tools