fix: migrate to uv and patch 13 critical/high security alerts

Converts project from Poetry to uv (PEP 621 + hatchling) and patches
all open critical/high Dependabot security alerts.

Direct dependency bumps:
- langgraph-checkpoint ^2.0.0 → >=3.0.1,<5.0.0 (CVE-2025-64439: RCE in JsonPlusSerializer)
- langgraph-api ^0.2.134 → ^0.7.0 (required to unlock cryptography >=46.0.5)
- langgraph-sdk ^0.2 → ^0.3 (required by langgraph-api 0.7.x)
- langgraph-cli ^0.3.6 → ^0.4.0 (required by langgraph-api 0.7.x)
- langsmith ^0.3.45 → ^0.6.3 (required by langgraph-api 0.7.x)

Transitive constraints added via [tool.uv.constraint-dependencies]:
- h11>=0.16.0 (CVE-2025-43859, critical)
- langchain-core>=0.3.81 (CVE-2025-68664 critical, CVE-2025-65106 high)
- tornado>=6.5 (CVE-2024-52804, CVE-2025-47287)
- protobuf>=5.29.6 (CVE-2025-4565, CVE-2026-0994)
- starlette>=0.49.1 (CVE-2025-62727)
- urllib3>=2.6.3 (CVE-2025-66418, CVE-2025-66471, CVE-2026-21441)
- cryptography>=46.0.5 (CVE-2026-26007)

Resolved versions: cryptography 46.0.5, h11 0.16.0, langchain-core 1.2.15,
tornado 6.5.4, protobuf 6.33.5, starlette 0.52.1, urllib3 2.6.3

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
John Kennedy
2026-02-24 21:26:55 -08:00
parent 11a63f9c66
commit 7a9decf0fc
2 changed files with 40 additions and 8 deletions
+25 -4
@@ -6,7 +6,8 @@ readme = "README.md"
requires-python = ">=3.12"
dependencies = [
"langgraph>=0.4.5",
"langgraph-checkpoint>=2.0.0",
# CVE-2025-64439: langgraph-checkpoint < 3.0.0 RCE in JsonPlusSerializer
"langgraph-checkpoint>=3.0.1,<5.0.0",
"langchain>=0.3.9",
"langchain-openai>=0.2",
"langchain-anthropic>=0.3",
@@ -18,8 +19,9 @@ dependencies = [
"pyyaml",
"python-dateutil>=2.9.0.post0",
"python-dotenv>=1.2.1",
"langgraph-cli[inmem]>=0.3.8",
"langgraph-api>=0.2.134",
# langgraph-api >=0.7.0 required to allow cryptography >=46.0.5 (see constraint below)
"langgraph-cli[inmem]>=0.4.0",
"langgraph-api>=0.7.0",
]
[dependency-groups]
@@ -29,7 +31,26 @@ dev = [
"pytest>=8.2.0",
"pytest-watch>=4.2.0",
"vcrpy>=6.0.1",
"langgraph-cli>=0.3.8",
"langgraph-cli>=0.4.0",
]
[tool.uv]
constraint-dependencies = [
# CVE-2025-43859: h11 < 0.16.0 accepts malformed chunked-encoding bodies (critical)
"h11>=0.16.0",
# CVE-2025-68664 (critical), CVE-2025-65106 (high): langchain-core serialization injection + template injection
"langchain-core>=0.3.81",
# CVE-2024-52804, CVE-2025-47287: tornado HTTP cookie parsing DoS + multipart logging DoS
"tornado>=6.5",
# CVE-2025-4565, CVE-2026-0994: protobuf DoS vulnerabilities
"protobuf>=5.29.6",
# CVE-2025-62727: starlette Range header O(n^2) DoS
"starlette>=0.49.1",
# CVE-2025-66418, CVE-2025-66471, CVE-2026-21441: urllib3 decompression-bomb and redirect vulnerabilities
"urllib3>=2.6.3",
# CVE-2026-26007: cryptography subgroup attack on SECT curves
# langgraph-api >=0.7.0 allows cryptography <47.0, which covers 46.0.5
"cryptography>=46.0.5",
]
[build-system]
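Review bot: The comment on the checkpoint pin and the specifier it documents disagree by a patch release: the comment says `langgraph-checkpoint < 3.0.0` is vulnerable while the floor is `>=3.0.1`, so a reader cannot tell whether 3.0.0 is affected; either change the comment to `# CVE-2025-64439: langgraph-checkpoint <3.0.1 RCE in JsonPlusSerializer` if 3.0.1 is the first patched release, or lower the floor to `>=3.0.0` if 3.0.0 is already fixed. Note also that `[tool.uv].constraint-dependencies` bind only uv's resolver: any path that installs from `pyproject.toml` with pip or another frontend (an editable install, a Dockerfile, CI) resolves without the h11/tornado/protobuf/starlette/urllib3/cryptography floors, so deployments must install from the lockfile (`uv sync --frozen`) or those floors must also be expressed as direct `dependencies`. The `langchain-core>=0.3.81` floor also appears to have pulled langchain-core across a major version (the description reports 1.2.15 resolved) while `langchain>=0.3.9` remains unbounded, which is a compatibility rather than a security concern but worth a smoke test before merge. A one-line comment on the table, `# Security floors for transitive deps; enforced only by uv — deploy from uv.lock`, would make that scope clear to the next maintainer.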
Generated
+15 -4
@@ -6,6 +6,17 @@ resolution-markers = [
"python_full_version < '3.13'",
]
[manifest]
constraints = [
{ name = "cryptography", specifier = ">=46.0.5" },
{ name = "h11", specifier = ">=0.16.0" },
{ name = "langchain-core", specifier = ">=0.3.81" },
{ name = "protobuf", specifier = ">=5.29.6" },
{ name = "starlette", specifier = ">=0.49.1" },
{ name = "tornado", specifier = ">=6.5" },
{ name = "urllib3", specifier = ">=2.6.3" },
]
[[package]]
name = "annotated-types"
version = "0.7.0"
@@ -399,9 +410,9 @@ requires-dist = [
{ name = "langchain-auth", specifier = ">=0.2.0" },
{ name = "langchain-openai", specifier = ">=0.2" },
{ name = "langgraph", specifier = ">=0.4.5" },
{ name = "langgraph-api", specifier = ">=0.2.134" },
{ name = "langgraph-checkpoint", specifier = ">=2.0.0" },
{ name = "langgraph-cli", extras = ["inmem"], specifier = ">=0.3.8" },
{ name = "langgraph-api", specifier = ">=0.7.0" },
{ name = "langgraph-checkpoint", specifier = ">=3.0.1,<5.0.0" },
{ name = "langgraph-cli", extras = ["inmem"], specifier = ">=0.4.0" },
{ name = "langgraph-sdk", specifier = ">=0.3" },
{ name = "langsmith", specifier = ">=0.7.6" },
{ name = "python-dateutil", specifier = ">=2.9.0.post0" },
@@ -413,7 +424,7 @@ requires-dist = [
[package.metadata.requires-dev]
dev = [
{ name = "ipykernel", specifier = ">=6.29.4" },
{ name = "langgraph-cli", specifier = ">=0.3.8" },
{ name = "langgraph-cli", specifier = ">=0.4.0" },
{ name = "pytest", specifier = ">=8.2.0" },
{ name = "pytest-asyncio", specifier = ">=0.23.6" },
{ name = "pytest-watch", specifier = ">=4.2.0" },