
Security: 10 CVE fixes for NSPECT-S62Q-PZUD (collection, 2 children) #690

Draft

nv-rag-cve-bot[bot] wants to merge 2 commits into develop from cve-fix/NSPECT-S62Q-PZUD-20260621-022757

Conversation

@nv-rag-cve-bot


Summary

Automated CVE fixes for nSpect collection NSPECT-S62Q-PZUD v26.05.2, generated by agentic-cve-fix skill.

Child programs scanned:

  • NSPECT-UV6I-R3V9 (Container) — complete (6 fixed, 4 already-patched, 2 N/A, 1 deferred Track C)
  • NSPECT-O8B9-SHZ8 (Helm Chart) — no-artifacts (no scannable deps in chart)

Changes

Python (pyproject.toml + uv.lock)

| Package   | Old     | New                | CVE                                          |
|-----------|---------|--------------------|----------------------------------------------|
| langchain | >=1.3.1 | >=1.3.9 (→1.3.10)  | GHSA-gr75-jv2w-4656 (path traversal)         |
| langsmith | >=0.8.0 | >=0.8.18           | GHSA-f4xh-w4cj-qxq8 (arbitrary file read)    |

Node (frontend/package.json + frontend/pnpm-lock.yaml)

| Package          | Old      | New                 | CVE                                                  |
|------------------|----------|---------------------|------------------------------------------------------|
| vitest           | ^3.2.4   | ^3.2.6 (→3.2.6)     | GHSA-5xrq-8626-4rwp (Critical: arbitrary file exec)  |
| react-router-dom | ^7.12.0  | ^7.15.1 (→7.18.0)   | 7-advisory cluster (XSS/CSRF/DoS)                    |
| ws (override)    |          | >=8.21.0 (→8.21.0)  | GHSA-58qx + GHSA-96hv (memory + DoS)                 |
| vite             | ^6.3.5   | ^6.4.3 (→6.4.3)     | GHSA-fx2h-pf6j-xcff (server.fs.deny bypass)          |

Already-patched (no changes)

Deferred

  • CVE-2026-9669 (python-bz2 OS-level in container base image): requires --include-base-image to fix

Validation

  • §5a Python re-scan (OSV): langchain@1.3.10, langsmith@0.8.18 → 0 critical/high CVEs
  • §5a Node re-scan (pnpm audit): vitest/react-router/ws/vite → 0 critical/high CVEs
  • §5b unit tests / §5c lint / §5d smoke: running in CI (pipeline validation mode)

Test plan

  • All unit tests pass (unit-tests CI job)
  • Static analysis clean (static-analysis CI job)
  • Frontend unit tests pass (frontend-unit-tests CI job)
  • Docker build tests pass (docker-tests CI job chain) — --ci-wait-gpu gated
  • Re-run pnpm audit in CI and confirm 0 critical/high
  • Re-run OSV scan in CI and confirm 0 critical/high Python vulns

🤖 Generated with agentic-cve-fix for NSPECT-S62Q-PZUD
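The Validation section above relies on an OSV re-scan to confirm that the regenerated lockfile resolves each package at or above the advisory's first fixed version. The script below is an added example, not part of this PR or the project's tooling: it reads `[[package]]` stanzas in the shape uv.lock uses (the excerpt is constructed from the resolved versions the PR reports, not the project's real lockfile), and reports any package that is missing or still below the fix floor listed in the PR tables. Version handling is a simplification: pre-release and local suffixes are ignored, which is an assumption flagged in the code.

```python
"""Check resolved lockfile versions against advisory fix floors (added example)."""
import re

# Constructed excerpt in the uv.lock [[package]] shape, using the resolved
# versions this PR reports. Not the project's actual lockfile.
UV_LOCK_EXCERPT = '''
[[package]]
name = "langchain"
version = "1.3.10"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "langsmith"
version = "0.8.18"
source = { registry = "https://pypi.org/simple" }
'''

# Fix floors taken from the PR description: package -> first fixed version.
FIX_FLOORS = {"langchain": "1.3.9", "langsmith": "0.8.18"}


def parse_uv_lock(text):
    """Map package name -> resolved version from [[package]] stanzas.

    A small regex parser is used instead of tomllib so the check runs on any
    Python 3 version; it only needs the name/version keys of each stanza.
    """
    resolved = {}
    for stanza in text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', stanza, re.M)
        ver = re.search(r'^version\s*=\s*"([^"]+)"', stanza, re.M)
        if name and ver:
            resolved[name.group(1)] = ver.group(1)
    return resolved


def version_key(v):
    """Comparable tuple of integer components.

    Assumption: only the leading dotted-numeric part is compared; pre-release
    and local tags (e.g. "1.3.10rc1", "1.3.10+local") are dropped. Trailing
    zeros are stripped so "1.3" and "1.3.0" compare equal.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def below_floor(resolved, floors):
    """Return {pkg: (resolved_or_None, floor)} for packages missing or below floor.

    An empty dict means every advisory floor is satisfied.
    """
    findings = {}
    for pkg, floor in floors.items():
        got = resolved.get(pkg)
        if got is None or version_key(got) < version_key(floor):
            findings[pkg] = (got, floor)
    return findings


if __name__ == "__main__":
    resolved = parse_uv_lock(UV_LOCK_EXCERPT)
    findings = below_floor(resolved, FIX_FLOORS)
    print("all floors satisfied" if not findings else f"still below floor: {findings}")
```

The same floor check applies to the Node side by substituting the pnpm-lock.yaml resolutions and the `New` column of the Node table; a missing package is reported as a finding rather than silently passing, because an override that never resolved (the `ws` row) would otherwise look fixed.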

NVIDIA Security Bot added 2 commits June 21, 2026 02:30
…hain + langsmith

Bump langchain >=1.3.1 → >=1.3.9 (resolved 1.3.10) to fix path traversal
(GHSA-gr75-jv2w-4656). Bump langsmith >=0.8.0 → >=0.8.18 to fix arbitrary
file read (GHSA-f4xh-w4cj-qxq8). Lockfile regenerated; uv sync confirmed
0 OSV vulns at installed versions.

Refs: NSPECT-S62Q-PZUD (collection)
Refs: NSPECT-UV6I-R3V9 (child)
Generated-by: agentic-cve-fix
Signed-off-by: NVIDIA Security Bot <security-bot@nvidia.com>

Fix 10 advisories across 4 packages:
- vitest 3.2.4 → 3.2.6: GHSA-5xrq-8626-4rwp (Critical: arbitrary file exec)
- react-router-dom 7.12.0 → 7.18.0: 7 GHSAs (XSS/CSRF/DoS cluster, worst >=7.15.1)
- ws override >=8.21.0: GHSA-58qx + GHSA-96hv (memory disclosure + DoS)
- vite 6.4.2 → 6.4.3: GHSA-fx2h-pf6j-xcff (server.fs.deny bypass)

pnpm-lock.yaml regenerated; pnpm audit confirms 0 critical/high remaining.

Refs: NSPECT-S62Q-PZUD (collection)
Refs: NSPECT-UV6I-R3V9 (child)
Generated-by: agentic-cve-fix
Signed-off-by: NVIDIA Security Bot <security-bot@nvidia.com>
@copy-pr-bot

copy-pr-bot Bot commented Jun 21, 2026


This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.
