Security: 27 CVE fixes for NSPECT-S62Q-PZUD

.gitignore

@@ -85,4 +85,7 @@ tests/data/
 /.claude/
 skills-lock.json
 
+# CVE fix audit reports (local only — archive externally if needed)
+cve-fix-reports/
+
 # Workbench Project Layout

pyproject.toml

@@ -14,13 +14,13 @@ authors = [
 requires-python = ">=3.11,<3.14"
 
 dependencies = [
-    "bleach>=6.2,<7.0",
+    "bleach>=6.4.0,<7.0",
     "dataclass-wizard>=0.27,<1.0",
-    "fastapi>=0.115.5,<1.0",
+    "fastapi>=0.135.4,<1.0",
     "anyio>=4.12.0",
     "httpx>=0.28.1",
     "httpx-sse>=0.4.3",
-    "langchain>=1.3.1",
+    "langchain>=1.3.9",
     "langchain-community>=0.4",
     "langgraph>=1.2.1",
     "langchain-milvus>=0.3.0",
@@ -30,7 +30,7 @@ dependencies = [
     "pydantic>=2.11,<3.0",
     "pymilvus[milvus_lite]>=2.6.7,<3.0",
     "pymilvus-model>=0.3,<1.0",
-    "python-multipart>=0.0.27,<1.0",
+    "python-multipart>=0.0.31,<1.0",
     "pyyaml>=6.0,<7.0",
     "uvicorn[standard]>=0.32,<1.0",
     "langchain-core>=1.2.28",
@@ -117,18 +117,20 @@ nvidia-rag = { workspace = true }
 # Pillow 12.x required for containers; moviepy pins pillow<12 so override needed for resolution
 override-dependencies = [
     "pillow>=12.2.0",
-    "cryptography>=46.0.6",
+    "cryptography>=48.0.1",
     "urllib3>=2.7.0",
-    "aiohttp>=3.13.4",
+    "aiohttp>=3.14.1",
     "orjson>=3.11.6",
-    "langsmith>=0.8.0",
+    "langsmith>=0.8.18",
     "langchain-classic>=1.0.7",
     "langchain-text-splitters>=1.1.2",
     "transformers>=5.1.0",
     "idna>=3.15",
     "pygments>=2.20.0",
     "python-dotenv>=1.2.2",
     "requests>=2.33.0",
+    "starlette>=1.3.1",
+    "pydantic-settings>=2.14.2",
 ]
 
 [tool.setuptools]

tests/unit/test_security_dependency_pins.py

@@ -4,6 +4,7 @@
 """Guardrails for NSPECT-UV6I-R3V9 dependency remediation (pip-audit verified pins)."""
 
 from importlib.metadata import version
+
 from packaging.version import Version
 
 
@@ -24,12 +25,38 @@ def test_transformers_not_vulnerable_cve_2026_1839() -> None:
 
 
 def test_python_multipart_not_vulnerable_cve_2026_42561() -> None:
-    assert Version(version("python-multipart")) >= Version("0.0.27")
+    assert Version(version("python-multipart")) >= Version("0.0.31")
 
 
 def test_orjson_not_vulnerable_ghsa_hx9q_6w63_j58v() -> None:
     assert Version(version("orjson")) >= Version("3.11.6")
 
 
-def test_langsmith_not_vulnerable_ghsa_3644_q5cj_c5c7() -> None:
-    assert Version(version("langsmith")) >= Version("0.8.0")
+def test_langsmith_not_vulnerable_ghsa_f4xh_w4cj_qxq8() -> None:
+    """GHSA-f4xh-w4cj-qxq8: LangSmith TracingMiddleware arbitrary server-side file read."""
+    assert Version(version("langsmith")) >= Version("0.8.18")
+
+
+def test_aiohttp_not_vulnerable_cve_2026_batch() -> None:
+    """CVE-2026-34993,CVE-2026-47265,CVE-2026-54273-54280,CVE-2026-50269: aiohttp vulnerabilities."""
+    assert Version(version("aiohttp")) >= Version("3.14.1")
+
+
+def test_starlette_not_vulnerable_cve_2026_batch() -> None:
+    """GHSA-86qp-5c8j-p5mr,GHSA-wqp7-x3pw-xc5r,GHSA-82w8-qh3p-5jfq and others: starlette CVEs."""
+    assert Version(version("starlette")) >= Version("1.3.1")
+
+
+def test_langchain_not_vulnerable_ghsa_gr75_jv2w_4656() -> None:
+    """GHSA-gr75-jv2w-4656: langchain vulnerability."""
+    assert Version(version("langchain")) >= Version("1.3.9")
+
+
+def test_bleach_not_vulnerable_ghsa_gj48_438w_jh9v() -> None:
+    """GHSA-gj48-438w-jh9v,GHSA-8rfp-98v4-mmr6: bleach XSS vulnerabilities."""
+    assert Version(version("bleach")) >= Version("6.4.0")
+
+
+def test_pydantic_settings_not_vulnerable_ghsa_4xgf_cpjx_pc3j() -> None:
+    """GHSA-4xgf-cpjx-pc3j: pydantic-settings vulnerability."""
+    assert Version(version("pydantic-settings")) >= Version("2.14.2")