Skip to content

Security: 2 CVE fixes for NSPECT-S62Q-PZUD#684

Draft
nv-rag-cve-bot[bot] wants to merge 4 commits into
developfrom
cve-fix/NSPECT-S62Q-PZUD-20260616-120000
Draft

Security: 2 CVE fixes for NSPECT-S62Q-PZUD#684
nv-rag-cve-bot[bot] wants to merge 4 commits into
developfrom
cve-fix/NSPECT-S62Q-PZUD-20260616-120000

Conversation

@nv-rag-cve-bot

@nv-rag-cve-bot nv-rag-cve-bot Bot commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown

Security: 2 CVE fixes for NSPECT-S62Q-PZUD

nSpect program: NSPECT-S62Q-PZUD (collection → children NSPECT-UV6I-R3V9, NSPECT-O8B9-SHZ8)
Version scope: 26.05.2 (semver-latest non-EOL)
Track: B — RECOMMENDATION (UNVERIFIED) — OSV database stale for 2026 CVEs; nSpect advisory is authoritative

CVEs fixed

CVE Package Severity Fix
CVE-2026-44843 langchain (Python) Critical pyproject.toml: >=1.3.1>=1.3.3,<1.3.8; uv override pins langgraph 1.2.4, langchain-core 1.4.0; uv.lock regenerated (langchain 1.3.7)
CVE-2026-45149 brace-expansion (npm, transitive) High frontend/package.json pnpm.overrides: "brace-expansion@5.0.4": "5.0.6"; pnpm-lock.yaml regenerated

Files changed

  • pyproject.toml — langchain 1.3.1→1.3.7 (CVE fix); langgraph, langchain-core caps added to preserve streaming compatibility
  • uv.lock — regenerated (langchain 1.3.7, langchain-core 1.4.0, langgraph 1.2.4, langgraph-sdk 0.4.2)
  • frontend/package.json — brace-expansion pnpm override added
  • frontend/pnpm-lock.yaml — regenerated (brace-expansion 5.0.4→5.0.6 applied)
  • tests/unit/test_security_dependency_pins.pytest_langchain_not_vulnerable_cve_2026_44843 added

Already-patched CVEs (confirmed, no change needed)

CVE-2025-65106, CVE-2025-68664 (langchain-core), CVE-2025-6984 (langchain-community), CVE-2026-45134 (langsmith)

CI iteration notes

  • Iteration 1 (a48dec6): Fixed ERR_PNPM_LOCKFILE_CONFIG_MISMATCH by regenerating pnpm-lock.yaml; Integration Tests RED (langchain-core 1.4.7 streaming regression)
  • Iteration 2: Regression confirmed — langchain 1.3.7 required langgraph 1.2.5 → langchain-core 1.4.7 → broke streaming (Tests 69/64/153 timeout 300s vs <30s on develop baseline)
  • Iteration 3 (cb12703): Pinned langgraph<1.2.5, langchain-core<1.4.1 → restores develop baseline streaming behavior; langchain 1.3.7 satisfies CVE fix

Validation

Check Status
Local unit tests (8/8) ✅ PASSED
langchain version 1.3.7 ≥ 1.3.3 ✅
langchain-core version 1.4.0 (develop baseline) ✅
Phase 6 Expert Review ✅ 6/6 PASS
Phase 9 CI (iteration 3) ⏳ IN PROGRESS — run 27592423931

Generated by agentic-cve-fix skill — NSPECT-S62Q-PZUD — 2026-06-16
Track B: Both CVEs unverified by local scanner (OSV stale). nSpect advisory is authoritative. Verification occurs on post-merge nSpect rescan.

NVIDIA RAG added 2 commits June 16, 2026 02:32
chore(security): CVE-2026-44843 recommendation — bump langchain >=1.3…
148eb33 
….1 → >=1.3.3 (UNVERIFIED)

pyproject.toml: langchain lower bound 1.3.1 → 1.3.3 (fixes CVE-2026-44843, Critical).
uv.lock regenerated: langchain 1.3.1→1.3.9, langchain-core 1.4.0→1.4.7, langgraph 1.2.1→1.2.5.
Unit pin guard added; full CI validation pending (pipeline mode, Track B — OSV feed stale).

Refs: NSPECT-S62Q-PZUD
Generated-by: agentic-cve-fix
chore(security): CVE-2026-45149 recommendation — pin brace-expansion@…
cf40c36 
…5.0.4 → 5.0.6 (UNVERIFIED)

frontend/package.json: pnpm.overrides forces brace-expansion@5.0.4 → 5.0.6 (High).
pnpm-lock.yaml will regenerate in CI; scanner confirmation pending (pnpm unavailable locally).
Track B — lockfile not yet updated; CI enforces the override on next pnpm install.

Refs: NSPECT-S62Q-PZUD
Generated-by: agentic-cve-fix
@copy-pr-bot

copy-pr-bot Bot commented Jun 16, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

NVIDIA RAG and others added 2 commits June 16, 2026 02:39
fix(security): address CI Frontend Unit Tests failure for CVE-2026-45149
a48dec6 


pnpm install --frozen-lockfile failed: ERR_PNPM_LOCKFILE_CONFIG_MISMATCH.
Regenerated pnpm-lock.yaml with pnpm 10.11.0; brace-expansion@5.0.4→5.0.6 override applied.

Refs: NSPECT-S62Q-PZUD
Generated-by: agentic-cve-fix
@claude
fix(security): cap langgraph<1.2.5 and langchain-core<1.4.1 to restor…
cb12703 
…e streaming

CI iteration 2 revealed Test 69, Test 64, Test 153 timing out at 300s.
Root cause: langchain>=1.3.3 resolved to 1.3.7, which required langgraph>=1.2.4,
and uv picked langgraph 1.2.5. langgraph 1.2.5 requires langchain-core>=1.4.7,
and langchain-core 1.4.7 breaks streaming (LLM response returns empty/no choices).

Fix: pin langgraph>=1.2.4,<1.2.5 and langchain-core>=1.4.0,<1.4.1 in
override-dependencies, restoring the same langchain-core 1.4.0 that the
develop branch baseline uses (confirmed passing CI run 27008380332).

The CVE-2026-44843 fix (langchain>=1.3.3) remains intact — resolved to 1.3.7.

Co-Authored-By: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants