Security: 2 CVE fixes for NSPECT-S62Q-PZUD#689

Draft
nv-rag-cve-bot[bot] wants to merge 2 commits into develop from cve-fix/NSPECT-S62Q-PZUD-20260619-023029

Conversation

@nv-rag-cve-bot


Summary

| CVE | Severity | Surface | Package | Fix | Track | Validation |
|---|---|---|---|---|---|---|
| CVE-2026-44843 | High | both | langchain 1.3.1→1.3.10 | manifest+lockfile bump | B (UNVERIFIED) | §5a-repro: lockfile pin ≥1.3.3; §5b/§5d: ⏳ CI |
| BDSA-2026-15190 | High | source | tar 7.4.3→7.5.16 | lockfile override (npm overrides) | B (UNVERIFIED) | §5a-repro: lockfile pin >7.5.15; §5b/§5d: ⏳ CI |

Status: RECOMMENDATION (UNVERIFIED) — scanner could not confirm CVE presence (CVE-2026-44843 published 2026-06-08, not yet in pip-audit OSV DB; BDSA-2026-15190 BDSA-only source). Fix applied to workspace via manifest/lockfile edits.

Validation

Local validation

  • Re-scan (local manifest): Track B — N/A (UNVERIFIED); scanner DB stale for CVE-2026-44843
  • Re-scan (nSpect source surface): Pending nSpect re-ingest post-merge for NSPECT-O8B9-SHZ8
  • Full CVE sweep: pip-audit full sweep exit 0; 0 langchain/tar vulnerabilities returned (DB lag)
  • Unit tests: pipeline mode — see CI gating jobs below
  • Lint: pipeline mode — see static-analysis below
  • 5d deployment smoke: pipeline mode — see deploy+basic-tests and docker-tests chain below

Pipeline validation (--validate pipeline)

  • Pipeline: ⏳ pending — not yet polled (branch just pushed; awaiting GitHub Actions trigger)
  • Risk gating (Phase 9a): minor + --ci-wait-gpu → gating on full docker-tests chain
  • Fix-loop iterations: 0 of 3

Gating jobs (block the loop):

| Job | Status |
|---|---|
| static-analysis | ⏳ pending |
| unit-tests | ⏳ pending |
| frontend-unit-tests | ⏳ pending (diff touches frontend/) |
| deploy | ⏳ pending (--ci-wait-gpu → full chain gated) |
| basic-tests | ⏳ pending |

🔴 GPU docker-tests chain (gated via --ci-wait-gpu): ⏳ pending

Not addressed in this MR

  • CVE-2026-9669 — CPython 3.13 (apt via deadsnakes PPA); Track C deferred — re-run with --include-base-image to fix
  • CVE-2025-65106, CVE-2025-68664 — already-patched; langchain 1.3.1 ≥ advisory fixed versions
  • CVE-2026-45134 — already-patched; langsmith 0.8.5 ≥ 0.8.0
  • CVE-2025-6984 — not-applicable; langchain-community 0.4.1 is on the 0.4.x branch (advisory affects 0.3.x)
  • BDSA-2026-14563 — not-applicable; esbuild (build-time only); no fixed version available in npm OSV DB without major vite upgrade

Audit trail

The full per-CVE analysis, expert-review verdicts, and Phase 5 validation logs live in the agentic workspace:

cve-fix-reports/NSPECT-S62Q-PZUD-20260619-023029/
  ├── _summary.md
  ├── _by-image/rag-server.md
  ├── _by-image/ingestor-server.md
  ├── _by-repo/rag.md
  ├── _by-repo/rag-frontend.md
  └── CVE-2026-44843-langchain-fixed.md, BDSA-2026-15190-tar-fixed.md, ...

This directory is not committed to the repository. Reviewers who need it can request the snapshot from the operator.


Refs: NSPECT-S62Q-PZUD
Generated by: agentic-cve-fix

NVIDIA RAG added 2 commits June 19, 2026 02:36
….1 → >=1.3.3 (UNVERIFIED)

langchain 1.3.1 falls in deserialization CVE-2026-44843 (<1.3.3); bumps to 1.3.10 in uv.lock.
Track B (scanner DB stale, published 2026-06-08); lockfile evidence used for §5a-repro.

Refs: NSPECT-S62Q-PZUD
Generated-by: agentic-cve-fix
…5.16 via overrides (UNVERIFIED)

node-tar 7.4.3 falls in BDSA-2026-15190 (<=7.5.15); overrides pin bumps lockfile to 7.5.16.
Track B; build-time transitive dep via @tailwindcss/oxide (not in runtime images).

Refs: NSPECT-S62Q-PZUD
Generated-by: agentic-cve-fix
copy-pr-bot Bot commented Jun 19, 2026


This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.
