Skip to content

Commit 2b9955a

Browse files
author
Agentic CVE Fix
committed
fix(security): bump 8 packages to address 27 CVEs (NSPECT-S62Q-PZUD)
Addresses CVEs: GHSA-537c (cryptography), CVE-2026-42561 (python-multipart), GHSA-f4xh-w4cj-qxq8 (langsmith), CVE-2026-34993/47265/54273-80/50269 (aiohttp), GHSA-86qp/wqp7/82w8 et al. (starlette), GHSA-gr75-jv2w-4656 (langchain), GHSA-gj48/8rfp (bleach), GHSA-4xgf-cpjx-pc3j (pydantic-settings). pip-audit: 27 found pre-fix, 0 post-fix. Unit tests: 1517 passed. §5b/§5d deferred to CI pipeline (--validate pipeline mode). Refs: NSPECT-S62Q-PZUD Generated-by: agentic-cve-fix
1 parent 4319e38 commit 2b9955a

4 files changed

Lines changed: 188 additions & 145 deletions

File tree

.gitignore

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -85,4 +85,7 @@ tests/data/
8585
/.claude/
8686
skills-lock.json
8787

88+
# CVE fix audit reports (local only — archive externally if needed)
89+
cve-fix-reports/
90+
8891
# Workbench Project Layout

pyproject.toml

Lines changed: 9 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -14,13 +14,13 @@ authors = [
1414
requires-python = ">=3.11,<3.14"
1515

1616
dependencies = [
17-
"bleach>=6.2,<7.0",
17+
"bleach>=6.4.0,<7.0",
1818
"dataclass-wizard>=0.27,<1.0",
19-
"fastapi>=0.115.5,<1.0",
19+
"fastapi>=0.135.4,<1.0",
2020
"anyio>=4.12.0",
2121
"httpx>=0.28.1",
2222
"httpx-sse>=0.4.3",
23-
"langchain>=1.3.1",
23+
"langchain>=1.3.9",
2424
"langchain-community>=0.4",
2525
"langgraph>=1.2.1",
2626
"langchain-milvus>=0.3.0",
@@ -30,7 +30,7 @@ dependencies = [
3030
"pydantic>=2.11,<3.0",
3131
"pymilvus[milvus_lite]>=2.6.7,<3.0",
3232
"pymilvus-model>=0.3,<1.0",
33-
"python-multipart>=0.0.27,<1.0",
33+
"python-multipart>=0.0.31,<1.0",
3434
"pyyaml>=6.0,<7.0",
3535
"uvicorn[standard]>=0.32,<1.0",
3636
"langchain-core>=1.2.28",
@@ -117,18 +117,20 @@ nvidia-rag = { workspace = true }
117117
# Pillow 12.x required for containers; moviepy pins pillow<12 so override needed for resolution
118118
override-dependencies = [
119119
"pillow>=12.2.0",
120-
"cryptography>=46.0.6",
120+
"cryptography>=48.0.1",
121121
"urllib3>=2.7.0",
122-
"aiohttp>=3.13.4",
122+
"aiohttp>=3.14.1",
123123
"orjson>=3.11.6",
124-
"langsmith>=0.8.0",
124+
"langsmith>=0.8.18",
125125
"langchain-classic>=1.0.7",
126126
"langchain-text-splitters>=1.1.2",
127127
"transformers>=5.1.0",
128128
"idna>=3.15",
129129
"pygments>=2.20.0",
130130
"python-dotenv>=1.2.2",
131131
"requests>=2.33.0",
132+
"starlette>=1.3.1",
133+
"pydantic-settings>=2.14.2",
132134
]
133135

134136
[tool.setuptools]

tests/unit/test_security_dependency_pins.py

Lines changed: 30 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@
44
"""Guardrails for NSPECT-UV6I-R3V9 dependency remediation (pip-audit verified pins)."""
55

66
from importlib.metadata import version
7+
78
from packaging.version import Version
89

910

@@ -24,12 +25,38 @@ def test_transformers_not_vulnerable_cve_2026_1839() -> None:
2425

2526

2627
def test_python_multipart_not_vulnerable_cve_2026_42561() -> None:
27-
assert Version(version("python-multipart")) >= Version("0.0.27")
28+
assert Version(version("python-multipart")) >= Version("0.0.31")
2829

2930

3031
def test_orjson_not_vulnerable_ghsa_hx9q_6w63_j58v() -> None:
3132
assert Version(version("orjson")) >= Version("3.11.6")
3233

3334

34-
def test_langsmith_not_vulnerable_ghsa_3644_q5cj_c5c7() -> None:
35-
assert Version(version("langsmith")) >= Version("0.8.0")
35+
def test_langsmith_not_vulnerable_ghsa_f4xh_w4cj_qxq8() -> None:
36+
"""GHSA-f4xh-w4cj-qxq8: LangSmith TracingMiddleware arbitrary server-side file read."""
37+
assert Version(version("langsmith")) >= Version("0.8.18")
38+
39+
40+
def test_aiohttp_not_vulnerable_cve_2026_batch() -> None:
41+
"""CVE-2026-34993,CVE-2026-47265,CVE-2026-54273-54280,CVE-2026-50269: aiohttp vulnerabilities."""
42+
assert Version(version("aiohttp")) >= Version("3.14.1")
43+
44+
45+
def test_starlette_not_vulnerable_cve_2026_batch() -> None:
46+
"""GHSA-86qp-5c8j-p5mr,GHSA-wqp7-x3pw-xc5r,GHSA-82w8-qh3p-5jfq and others: starlette CVEs."""
47+
assert Version(version("starlette")) >= Version("1.3.1")
48+
49+
50+
def test_langchain_not_vulnerable_ghsa_gr75_jv2w_4656() -> None:
51+
"""GHSA-gr75-jv2w-4656: langchain vulnerability."""
52+
assert Version(version("langchain")) >= Version("1.3.9")
53+
54+
55+
def test_bleach_not_vulnerable_ghsa_gj48_438w_jh9v() -> None:
56+
"""GHSA-gj48-438w-jh9v,GHSA-8rfp-98v4-mmr6: bleach XSS vulnerabilities."""
57+
assert Version(version("bleach")) >= Version("6.4.0")
58+
59+
60+
def test_pydantic_settings_not_vulnerable_ghsa_4xgf_cpjx_pc3j() -> None:
61+
"""GHSA-4xgf-cpjx-pc3j: pydantic-settings vulnerability."""
62+
assert Version(version("pydantic-settings")) >= Version("2.14.2")

0 commit comments

Comments
 (0)