Security: 11 CVE fixes for NSPECT-S62Q-PZUD (collection, 2 children) #702
Draft
nv-rag-cve-bot[bot] wants to merge 2 commits into
added 2 commits
June 30, 2026 02:27
aiohttp >=3.14.1 (CVE-2026-50269 cluster), cryptography >=48.0.1 (GHSA-537c-gmf6-5ccf), starlette >=1.3.1 (CVE-2026-54283 cluster), python-multipart >=0.0.31 (CVE-2026-53539 cluster), langsmith >=0.8.18 (GHSA-f4xh-w4cj-qxq8), langchain >=1.3.9 (GHSA-gr75-jv2w-4656), langchain-openai >=1.1.14 / openai >=2.26.0 (PYSEC-2026-76), bleach >=6.4.0 (GHSA-gj48-438w-jh9v), pyarrow >=23.0.1 (PYSEC-2026-113), pydantic-settings >=2.14.2 (GHSA-4xgf-cpjx-pc3j), langgraph-sdk >=0.3.15 (CVE-2026-48776).

Also bumps fastapi >=0.135.0 to unblock starlette 1.3.1.

pip-audit post-fix: 0 vulnerabilities.

Refs: NSPECT-S62Q-PZUD (collection)
Refs: NSPECT-UV6I-R3V9 (container child)
Refs: NSPECT-O8B9-SHZ8 (helm chart child)
Generated-by: agentic-cve-fix
Signed-off-by: NVIDIA RAG <foundational-rag-dev@exchange.nvidia.com>

Adds regression guards for all 11 CVE clusters addressed in the preceding manifest bump: aiohttp, cryptography, starlette, python-multipart, langsmith, langchain, langchain-openai, bleach, pyarrow, pydantic-settings, langgraph-sdk. All 18 tests in the security-pins suite pass (including 7 pre-existing guards).

Refs: NSPECT-S62Q-PZUD (collection)
Generated-by: agentic-cve-fix
Signed-off-by: NVIDIA RAG <foundational-rag-dev@exchange.nvidia.com>
Security: 11 CVE fixes for NSPECT-S62Q-PZUD (collection, 2 children)
nSpect: NSPECT-S62Q-PZUD (Foundational RAG Downloadable NIM Agent Blueprint)
Children: NSPECT-UV6I-R3V9 (Container), NSPECT-O8B9-SHZ8 (Helm Chart)
Severity scope: Critical + High
Track: A — pip-audit verified (0 vulnerabilities post-fix)
Validation: pipeline (§5b/§5c/§5d in CI)
CVEs addressed
Changes
pyproject.toml — 15 constraint edits + 3 new override-dependencies
uv.lock — regenerated (16 packages updated)
tests/unit/test_security_dependency_pins.py — 11 new version-pin regression tests
Cascade notes
starlette>=1.3.1 override-dep. AsyncOpenAI/OpenAI API — unchanged in v2. <22.0; safe — repo uses only stable pa.* APIs.
Expert review (Phase 6)
All five reviewers approved after two minor fixes:
pytest dev-group added by uv add --dev
Validation
unit-tests
static-analysis
docker-tests chain (--ci-wait-gpu)
frontend-unit-tests
CI gating: unit-tests, frontend-unit-tests, static-analysis + full docker-tests chain (--ci-wait-gpu). Poll timeout: 55 min. This PR stays draft until CI is green.
Deferred
Container-only CVEs (CVE-2026-6100, CVE-2026-11940/11972, CVE-2026-9669, CVE-2026-45447) affect the base image. Re-run with --include-base-image to fix via Dockerfile base bump.
Stale scripts/requirements.txt pin (aiohttp==3.12.14) — update separately.
NVBugs update: disabled (--no-nvbugs-update)
Report: cve-fix-reports/NSPECT-S62Q-PZUD-20260630-022149/ (local workspace, not committed)
Generated-by: agentic-cve-fix
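A version-floor check of the kind the second commit message describes, written here as an added example; it is not the contents of tests/unit/test_security_dependency_pins.py, which this page does not show. The floors are copied from the first commit message, the requirement lines other than `aiohttp==3.12.14` are constructed, and the function names and verdict labels are hypothetical; version parsing is simplified to numeric releases rather than full PEP 440.

```python
import re

# Security floors copied from the PR's first commit message (subset of the 11).
SECURITY_FLOORS = {
    "aiohttp": "3.14.1", "cryptography": "48.0.1", "starlette": "1.3.1",
    "python-multipart": "0.0.31", "bleach": "6.4.0", "pyarrow": "23.0.1",
}
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
_CLAUSE = re.compile(r"^(>=|==|<=|~=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")

def _ver(text):
    """Numeric release padded to 4 parts (simplified; not full PEP 440)."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])

def check_requirement(line):
    """Return (package, verdict), or None when no security floor applies."""
    line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments/markers
    m = _REQ.match(line)
    name = re.sub(r"[-_.]+", "-", m.group(1)).lower() if m else None
    if name not in SECURITY_FLOORS:
        return None
    floor, lower, verdict = _ver(SECURITY_FLOORS[name]), None, "ok"
    for clause in filter(None, (c.strip() for c in m.group(2).split(","))):
        cm = _CLAUSE.match(clause)
        if not cm:
            return name, "unparsed"
        op, ver = cm.group(1), _ver(cm.group(2))
        if op in (">=", "==", "~=", ">"):
            lower = ver
        # An upper bound or exact pin under the floor can never install the fix.
        if (op == "<" and ver <= floor) or (op in ("<=", "==") and ver < floor):
            verdict = "excludes-fix"
    if verdict == "ok" and lower is None:
        verdict = "no-lower-bound"      # resolver may pick a vulnerable release
    elif verdict == "ok" and lower < floor:
        verdict = "below-floor"         # constraint still admits vulnerable releases
    return name, verdict

def audit(lines):
    """Findings for every requirement line that does not enforce its floor."""
    return [r for r in map(check_requirement, lines) if r and r[1] != "ok"]

# Constructed sample; only the aiohttp pin is taken from the PR description.
SAMPLE = """\
aiohttp==3.12.14   # stale pin noted for scripts/requirements.txt
starlette>=1.3.1,<2
python-multipart>=0.0.20
bleach
""".splitlines()
```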