
[Aikido] Fix security issue in tornado via minor version upgrade from 6.5.4 to 6.5.5#7644

Open
aikido-autofix[bot] wants to merge 4 commits into main from fix/aikido-security-update-packages-19092590-mrqm

Conversation

aikido-autofix bot commented Mar 12, 2026

Ticket ENG-2994

Description Of Changes

Upgrade Tornado from 6.5.4 to 6.5.5 via minor version bump.

Code Changes

  • Updated Tornado version in pyproject.toml and uv.lock

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Add a "db-migration" label (This indicates that a change includes a database migration) to the entry if your change includes a DB migration
    • Add a "high-risk" label (This issue suggests changes that have a high-probability of breaking existing code) to the entry if your change includes a high-risk change
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • All UX related changes have been reviewed by a designer
    • No UX review needed
  • Followup issues:
    • Followup issues created
    • No followup issues
  • Database migrations:
    • Ensure that your downrev is up to date with the latest revision on main
    • Ensure that your downgrade() migration is correct and works
    • No migrations
  • Documentation:
    • Documentation complete, PR opened in fidesdocs
    • Documentation issue created in fidesdocs
    • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
    • No documentation updates required

vercel bot commented Mar 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project              | Deployment | Actions         | Updated (UTC)
fides-plus-nightly   | Ignored    | Ignored Preview | Mar 12, 2026 7:49pm
fides-privacy-center | Ignored    | Ignored         | Mar 12, 2026 7:49pm


@daveqnet daveqnet self-assigned this Mar 12, 2026
@daveqnet daveqnet added the "do not merge" label (Please don't merge yet, bad things will happen if you do) Mar 12, 2026
greptile-apps bot commented Mar 12, 2026

Greptile Summary

This PR upgrades tornado from 6.5.4 to 6.5.5 to address a security vulnerability, updating both pyproject.toml and uv.lock with the new version and correct package hashes.

  • pyproject.toml correctly uses the compatible-release specifier ~=6.5.5, consistent with the project's conventions.
  • uv.lock's [[package]] section is correctly updated to 6.5.5 with the new wheel hashes and sdist.
  • The requires-dist entry in uv.lock records ==6.5.5 (exact pin) rather than ~=6.5.5 to match pyproject.toml — the lock file was not regenerated after the third commit changed the specifier from ==6.5.5 to ~=6.5.5. This mismatch can cause uv lock --check to fail in CI.
  • The changelog entry is accurate and well-formed.

Confidence Score: 3/5

  • The security goal is achieved (tornado 6.5.5 will be installed), but the lock file's requires-dist specifier is inconsistent with pyproject.toml, which will likely cause uv lock --check CI failures.
  • The actual resolved tornado version is correctly pinned to 6.5.5 in the lock file with verified hashes, so the security fix is effective. However, the requires-dist specifier in uv.lock (==6.5.5) does not match the pyproject.toml constraint (~=6.5.5) because the lock file was not regenerated after the specifier was relaxed in the third commit. This will cause uv lock --check to fail, blocking CI until fixed.
  • uv.lock requires attention — the requires-dist specifier must be regenerated to reflect the ~=6.5.5 constraint from pyproject.toml.

Important Files Changed

Filename | Overview
pyproject.toml | Correctly bumps tornado from ~=6.5.2 to ~=6.5.5 using the compatible-release specifier, consistent with surrounding dependencies.
uv.lock | The [[package]] section correctly resolves to tornado 6.5.5 with updated hashes, but the requires-dist specifier still shows ==6.5.5 (an exact pin) rather than ~=6.5.5 to match the updated pyproject.toml — the lock file was not regenerated after the specifier was relaxed in the third commit, which will cause uv lock --check CI failures.
changelog/7644-upgrade-tornado.yaml | Correct changelog entry documenting the tornado upgrade from 6.5.4 to 6.5.5.

Last reviewed commit: e931668

daveqnet and others added 2 commits March 12, 2026 19:32
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
daveqnet commented Mar 12, 2026

@greptileai please re-review

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Labels

do not merge (Please don't merge yet, bad things will happen if you do)
