Security: 27 CVE fixes for NSPECT-S62Q-PZUD

[nv-rag-cve-bot]

Summary

CVE	Severity	Surface	Package	Fix	Track	Validation
GHSA-537c	High	source	cryptography 48.0.0→49.0.0	manifest+lockfile bump (override)	A	re-scan clean
CVE-2026-42561	High	source	python-multipart 0.0.29→0.0.32	manifest+lockfile bump	A	re-scan clean
GHSA-f4xh-w4cj-qxq8	High	source	langsmith 0.8.5→0.9.0	manifest+lockfile bump (override)	A	re-scan clean
CVE-2026-34993/47265/54273-80/50269	High	source	aiohttp 3.13.5→3.14.1	manifest+lockfile bump (override)	A	re-scan clean
GHSA-86qp/wqp7/82w8 et al.	High	source	starlette 0.50.0→1.3.1	manifest+lockfile bump (override) + FastAPI floor raise	A	re-scan clean
GHSA-gr75-jv2w-4656	High	source	langchain 1.3.1→1.3.11	manifest+lockfile bump	A	re-scan clean
GHSA-gj48/8rfp	High	source	bleach 6.3.0→6.4.0	manifest+lockfile bump	A	re-scan clean
GHSA-4xgf-cpjx-pc3j	High	source	pydantic-settings 2.12.0→2.14.2	manifest+lockfile bump (override)	A	re-scan clean

27 CVEs total. 8 distinct package fixes. 1 not-applicable (GHSA-g75f — bleach EOL, no fix).

Validation

Local validation

• Re-scan (local manifest): uv export --locked | python3 -m pip_audit -r /dev/stdin → 0 vulnerabilities (pre-fix: 27). Exit 0.
• Re-scan (nSpect source surface): pending nSpect re-ingest after merge
• Full CVE sweep: 0 residual critical/high; 1 incidental (GHSA-g75f, no fix available)
• Unit tests: see CI gating jobs below (pipeline mode — §5b relocates to CI)
• Lint: see static-analysis below (pipeline mode — §5c relocates to CI)
• 5d deployment smoke: see CI gating jobs below (pipeline mode — §5d relocates to CI)

Pipeline validation (--validate pipeline)

• Pipeline: ⏳ pending (project chat-labs/OpenSource/rag, GitLab mirror — polling in Phase 9)
• Risk gating (Phase 9a): starlette 0.50→1.3.1 is a major version bump → major risk class → fast jobs + --ci-wait-gpu → full docker-tests chain gated
• Fix-loop iterations: 0 of 3 so far

Gating jobs (block the loop):

Job	Status
static-analysis	⏳ pending
unit-tests	⏳ pending
frontend-unit-tests	— not triggered (diff doesn't touch frontend/)
deploy	⏳ pending (major bump)
basic-tests	⏳ pending (major bump)

🔴 GPU docker-tests chain (gated via --ci-wait-gpu): ⏳ pending — full chain gates the loop

Not addressed in this MR

• CVE-2026-42311 (pillow) — already-patched; pillow>=12.2.0 override already in place
• CVE-2026-44432 (urllib3) — already-patched; urllib3>=2.7.0 override already in place
• CVE-2026-1839 (transformers) — already-patched; transformers>=5.1.0 override already in place
• GHSA-hx9q-6w63-j58v (orjson) — already-patched; orjson>=3.11.6 override already in place
• GHSA-g75f-g53v-794x (bleach) — no fix available; bleach is EOL as of 2026-06-05. Replacement (nh3) recommended as a follow-up workstream.

Audit trail

The full per-CVE analysis, expert-review verdicts, and Phase 5 validation logs live in the agentic workspace:

cve-fix-reports/NSPECT-S62Q-PZUD-20260623-000000/
  ├── _summary.md
  ├── _by-repo/rag-source.md
  └── <CVE-ID>-<pkg>-<disposition>.md  (13 per-CVE files)

This directory is not committed to the repository (gitignored). Reviewers who need it can request the snapshot from the operator.

---

Refs: NSPECT-S62Q-PZUD
Generated by: agentic-cve-fix

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.