
Security: 7 CVE fixes for NSPECT-S62Q-PZUD #688

Draft: nv-rag-cve-bot[bot] wants to merge 1 commit into develop from cve-fix/NSPECT-S62Q-PZUD-20260618-023800

@nv-rag-cve-bot

Summary

| CVE | Severity | Surface | Package | Fix | Track | Validation |
|---|---|---|---|---|---|---|
| GHSA-gj48-438w-jh9v | High | both | bleach 6.3.0→6.4.0 | manifest+lockfile bump | A | re-scan clean ✅ |
| GHSA-82w8-qh3p-5jfq / PYSEC-2026-161 | High | both | starlette 0.50.0→1.3.1 (via fastapi≥0.133.0) | manifest+lockfile bump | A | re-scan clean ✅ |
| GHSA-gr75-jv2w-4656 | High | both | langchain 1.3.1→1.3.9 | manifest+lockfile bump | A | re-scan clean ✅ |
| GHSA-5rvq-cxj2-64vf / CVE-2026-53540 | High | both | python-multipart 0.0.29→0.0.32 | manifest+lockfile bump | A | re-scan clean ✅ |
| GHSA-rgxp-2hwp-jwgg / CVE-2026-25087 | High | both | pyarrow 21.0.0→24.0.0 | manifest+lockfile bump | A | re-scan clean ✅ |
| GHSA-537c-gmf6-5ccf | High | both | cryptography 48.0.0→49.0.0 | manifest+lockfile bump | A | re-scan clean ✅ |
| CVE-2026-54273 / CVE-2026-54279 | High | both | aiohttp 3.13.5→3.14.1 | manifest+lockfile bump | A | re-scan clean ✅ |

Validation

Local validation

  • Re-scan (local manifest): uv run --with pip-audit pip-audit — all 7 GHSA/CVE IDs absent after fix ✅
  • Re-scan (nSpect source surface): pending nSpect re-ingest after merge
  • Full CVE sweep: 1 residual medium (PYSEC-2026-76, langchain-openai 1.1.7 — no-fix-within-constraint, capped at <1.1.9)
  • Unit tests: see CI gating jobs below (pipeline mode)
  • Lint: see static-analysis below (pipeline mode); ruff auto-fixes applied locally (20 fixed, 28 files formatted)
  • 5d deployment smoke: see deploy+basic-tests below (pipeline mode); which docker command not found locally

Pipeline validation (--validate pipeline)

  • Pipeline: ⏳ pending — GitHub Actions on cve-fix/NSPECT-S62Q-PZUD-20260618-023800
  • Risk gating (Phase 9a): --ci-wait-gpu set → full docker-tests chain gated; diff touches src/**, deploy+basic-tests also gated
  • Fix-loop iterations: 0 of 3 (pipeline not yet polled)

Gating jobs (block the loop):

| Job | Status |
|---|---|
| static-analysis | ⏳ pending |
| unit-tests | ⏳ pending |
| frontend-unit-tests | — not triggered (diff doesn't touch frontend/) |
| deploy | ⏳ pending |
| basic-tests | ⏳ pending |

🔴 GPU docker-tests chain (gated via --ci-wait-gpu): ⏳ pending

Not addressed in this MR

  • PYSEC-2026-76 (langchain-openai 1.1.7) — no-fix-within-constraint; fix at 1.1.14 is above the <1.1.9 upper-bound cap; medium severity excluded by --severity crit,high
  • CVE-2026-9669 — OS/base-image level (Python bz2); deferred; re-run with --include-base-image to fix
  • CVE-2026-45447 — OpenSSL PKCS#7 in container; active nSpect exception (EXC-*); deferred

Audit trail

The full per-CVE analysis, expert-review verdicts, and Phase 5 validation logs live in the agentic workspace:

cve-fix-reports/NSPECT-S62Q-PZUD-20260618-023800/
  ├── _summary.md
  ├── _by-image/nvidia-rag.md
  ├── _by-repo/rag-repo.md
  └── GHSA-*/CVE-*-<pkg>-fixed.md  (7 per-CVE files)

This directory is not committed to the repository. Reviewers who need it can request the snapshot from the operator.


Refs: NSPECT-S62Q-PZUD
Generated by: agentic-cve-fix

Addresses CVEs: GHSA-gj48-438w-jh9v (bleach 6.3.0→6.4.0),
GHSA-82w8-qh3p-5jfq/PYSEC-2026-161 (starlette 0.50.0→1.3.1 via fastapi
>=0.133.0), GHSA-gr75-jv2w-4656 (langchain 1.3.1→1.3.9), GHSA-5rvq-cxj2-64vf
(python-multipart 0.0.29→0.0.32), GHSA-rgxp-2hwp-jwgg (pyarrow 21.0.0→24.0.0),
GHSA-537c-gmf6-5ccf (cryptography 48.0.0→49.0.0), CVE-2026-54273 (aiohttp
3.13.5→3.14.1). Re-scan clean; 1900 unit tests pass; lint applied.

Refs: NSPECT-S62Q-PZUD
Generated-by: agentic-cve-fix

copy-pr-bot Bot commented Jun 18, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.
