Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 19 additions & 16 deletions pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -14,13 +14,13 @@ authors = [
requires-python = ">=3.11,<3.14"

dependencies = [
"bleach>=6.2,<7.0",
"bleach>=6.4.0,<7.0",
"dataclass-wizard>=0.27,<1.0",
"fastapi>=0.115.5,<1.0",
"fastapi>=0.135.0,<1.0",
"anyio>=4.12.0",
"httpx>=0.28.1",
"httpx-sse>=0.4.3",
"langchain>=1.3.1",
"langchain>=1.3.9",
"langchain-community>=0.4",
"langgraph>=1.2.1",
"langchain-milvus>=0.3.0",
Expand All @@ -30,7 +30,7 @@ dependencies = [
"pydantic>=2.11,<3.0",
"pymilvus[milvus_lite]>=2.6.7,<3.0",
"pymilvus-model>=0.3,<1.0",
"python-multipart>=0.0.27,<1.0",
"python-multipart>=0.0.31,<1.0",
"pyyaml>=6.0,<7.0",
"uvicorn[standard]>=0.32,<1.0",
"langchain-core>=1.2.28",
Expand All @@ -42,8 +42,8 @@ dependencies = [

[project.optional-dependencies]
rag = [
"langchain-openai>=0.2,<1.1.9",
"openai>=1.0,<2.0",
"langchain-openai>=1.1.14,<2.0",
"openai>=2.26.0,<3.0",
"opentelemetry-api>=1.29,<2.0",
"opentelemetry-exporter-otlp>=1.29,<2.0",
"opentelemetry-exporter-prometheus>=0.50b0,<1.0",
Expand All @@ -56,7 +56,7 @@ rag = [
"prometheus-client>=0.20,<1.0",
"azure-core>=1.35,<2.0",
"azure-storage-blob>=12.26,<13.0",
"pyarrow>=21.0,<22.0",
"pyarrow>=23.0.1",
"tiktoken>=0.7",
]
ingest = [
Expand All @@ -65,8 +65,8 @@ ingest = [
"nv-ingest-client==26.3.0",
"tritonclient==2.57.0",
# Other ingest dependencies
"langchain-openai>=0.2,<1.1.9",
"openai>=1.0,<2.0",
"langchain-openai>=1.1.14,<2.0",
"openai>=2.26.0,<3.0",
"overrides>=7.7,<8.0",
"tqdm>=4.67,<5.0",
"opentelemetry-api>=1.29,<2.0",
Expand All @@ -79,7 +79,7 @@ ingest = [
"opentelemetry-sdk>=1.29,<2.0",
"azure-core>=1.35,<2.0",
"azure-storage-blob>=12.26,<13.0",
"pyarrow>=21.0,<22.0",
"pyarrow>=23.0.1",
"setuptools>=80.10.2",
]
all = [
Expand All @@ -88,8 +88,8 @@ all = [
"nv-ingest-client==26.3.0",
"tritonclient==2.57.0",
# RAG + Ingest dependencies
"langchain-openai>=0.2,<1.1.9",
"openai>=1.0,<2.0",
"langchain-openai>=1.1.14,<2.0",
"openai>=2.26.0,<3.0",
"overrides>=7.7,<8.0",
"tqdm>=4.67,<5.0",
"opentelemetry-api>=1.29,<2.0",
Expand All @@ -102,7 +102,7 @@ all = [
"opentelemetry-sdk>=1.29,<2.0",
"azure-core>=1.35,<2.0",
"azure-storage-blob>=12.26,<13.0",
"pyarrow>=21.0,<22.0",
"pyarrow>=23.0.1",
# Elasticsearch support
"langchain-elasticsearch>=0.3",
]
Expand All @@ -117,18 +117,21 @@ nvidia-rag = { workspace = true }
# Pillow 12.x required for containers; moviepy pins pillow<12 so override needed for resolution
override-dependencies = [
"pillow>=12.2.0",
"cryptography>=46.0.6",
"cryptography>=48.0.1",
"urllib3>=2.7.0",
"aiohttp>=3.13.4",
"aiohttp>=3.14.1",
"orjson>=3.11.6",
"langsmith>=0.8.0",
"langsmith>=0.8.18",
"langchain-classic>=1.0.7",
"langchain-text-splitters>=1.1.2",
"transformers>=5.1.0",
"idna>=3.15",
"pygments>=2.20.0",
"python-dotenv>=1.2.2",
"requests>=2.33.0",
"starlette>=1.3.1",
"pydantic-settings>=2.14.2",
"langgraph-sdk>=0.3.15",
]

[tool.setuptools]
Expand Down
60 changes: 59 additions & 1 deletion tests/unit/test_security_dependency_pins.py
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: Apache-2.0

"""Guardrails for NSPECT-UV6I-R3V9 dependency remediation (pip-audit verified pins)."""
"""Guardrails for NSPECT-UV6I-R3V9 / NSPECT-S62Q-PZUD dependency remediation (pip-audit verified pins)."""

from importlib.metadata import version
from packaging.version import Version
Expand Down Expand Up @@ -33,3 +33,61 @@ def test_orjson_not_vulnerable_ghsa_hx9q_6w63_j58v() -> None:

def test_langsmith_not_vulnerable_ghsa_3644_q5cj_c5c7() -> None:
assert Version(version("langsmith")) >= Version("0.8.0")


# NSPECT-S62Q-PZUD remediation — pip-audit verified


def test_aiohttp_not_vulnerable_cve_2026_50269_et_al() -> None:
# CVE-2026-50269, CVE-2026-54274, CVE-2026-54279, CVE-2026-54280, and cluster
assert Version(version("aiohttp")) >= Version("3.14.1")


def test_cryptography_not_vulnerable_ghsa_537c_gmf6_5ccf() -> None:
# GHSA-537c-gmf6-5ccf: cryptography DoS
assert Version(version("cryptography")) >= Version("48.0.1")


def test_starlette_not_vulnerable_cve_2026_54283() -> None:
# CVE-2026-54283, CVE-2026-48818, CVE-2026-48817: starlette form/DoS
assert Version(version("starlette")) >= Version("1.3.1")


def test_python_multipart_not_vulnerable_cve_2026_53539() -> None:
# CVE-2026-53539, CVE-2026-53538, CVE-2026-53540
assert Version(version("python-multipart")) >= Version("0.0.31")


def test_langsmith_not_vulnerable_ghsa_f4xh_w4cj_qxq8() -> None:
# GHSA-f4xh-w4cj-qxq8: langsmith data exposure
assert Version(version("langsmith")) >= Version("0.8.18")


def test_langchain_not_vulnerable_ghsa_gr75_jv2w_4656() -> None:
# GHSA-gr75-jv2w-4656: langchain credential disclosure
assert Version(version("langchain")) >= Version("1.3.9")


def test_langchain_openai_not_vulnerable_pysec_2026_76() -> None:
# PYSEC-2026-76 / CVE-2026-41488 / GHSA-r7w7-9xr2-qq2r: SSRF in _url_to_size()
assert Version(version("langchain-openai")) >= Version("1.1.14")


def test_bleach_not_vulnerable_ghsa_gj48_438w_jh9v() -> None:
# GHSA-gj48-438w-jh9v, GHSA-8rfp-98v4-mmr6: bleach XSS bypass
assert Version(version("bleach")) >= Version("6.4.0")


def test_pydantic_settings_not_vulnerable_ghsa_4xgf_cpjx_pc3j() -> None:
# GHSA-4xgf-cpjx-pc3j: pydantic-settings symlink traversal
assert Version(version("pydantic-settings")) >= Version("2.14.2")


def test_langgraph_sdk_not_vulnerable_cve_2026_48776() -> None:
# CVE-2026-48776: langgraph-sdk security issue
assert Version(version("langgraph-sdk")) >= Version("0.3.15")


def test_pyarrow_not_vulnerable_pysec_2026_113() -> None:
# PYSEC-2026-113 / CVE-2026-25087 / GHSA-rgxp-2hwp-jwgg: pyarrow vulnerability
assert Version(version("pyarrow")) >= Version("23.0.1")
Loading
Loading