fix: migrate to uv and patch 13 critical/high security alerts
Converts project from Poetry to uv (PEP 621 + hatchling) and patches all open critical/high Dependabot security alerts. Direct dependency bumps: - langgraph-checkpoint ^2.0.0 → >=3.0.1,<5.0.0 (CVE-2025-64439: RCE in JsonPlusSerializer) - langgraph-api ^0.2.134 → ^0.7.0 (required to unlock cryptography >=46.0.5) - langgraph-sdk ^0.2 → ^0.3 (required by langgraph-api 0.7.x) - langgraph-cli ^0.3.6 → ^0.4.0 (required by langgraph-api 0.7.x) - langsmith ^0.3.45 → ^0.6.3 (required by langgraph-api 0.7.x) Transitive constraints added via [tool.uv.constraint-dependencies]: - h11>=0.16.0 (CVE-2025-43859, critical) - langchain-core>=0.3.81 (CVE-2025-68664 critical, CVE-2025-65106 high) - tornado>=6.5 (CVE-2024-52804, CVE-2025-47287) - protobuf>=5.29.6 (CVE-2025-4565, CVE-2026-0994) - starlette>=0.49.1 (CVE-2025-62727) - urllib3>=2.6.3 (CVE-2025-66418, CVE-2025-66471, CVE-2026-21441) - cryptography>=46.0.5 (CVE-2026-26007) Resolved versions: cryptography 46.0.5, h11 0.16.0, langchain-core 1.2.15, tornado 6.5.4, protobuf 6.33.5, starlette 0.52.1, urllib3 2.6.3 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
+25
-4
@@ -6,7 +6,8 @@ readme = "README.md"
requires-python = ">=3.12"
dependencies = [
"langgraph>=0.4.5",
"langgraph-checkpoint>=2.0.0",
# CVE-2025-64439: langgraph-checkpoint < 3.0.0 RCE in JsonPlusSerializer
"langgraph-checkpoint>=3.0.1,<5.0.0",
"langchain>=0.3.9",
"langchain-openai>=0.2",
"langchain-anthropic>=0.3",
@@ -18,8 +19,9 @@ dependencies = [
"pyyaml",
"python-dateutil>=2.9.0.post0",
"python-dotenv>=1.2.1",
"langgraph-cli[inmem]>=0.3.8",
"langgraph-api>=0.2.134",
# langgraph-api >=0.7.0 required to allow cryptography >=46.0.5 (see constraint below)
"langgraph-cli[inmem]>=0.4.0",
"langgraph-api>=0.7.0",
]
[dependency-groups]
@@ -29,7 +31,26 @@ dev = [
"pytest>=8.2.0",
"pytest-watch>=4.2.0",
"vcrpy>=6.0.1",
"langgraph-cli>=0.3.8",
"langgraph-cli>=0.4.0",
]
[tool.uv]
constraint-dependencies = [
# CVE-2025-43859: h11 < 0.16.0 accepts malformed chunked-encoding bodies (critical)
"h11>=0.16.0",
# CVE-2025-68664 (critical), CVE-2025-65106 (high): langchain-core serialization injection + template injection
"langchain-core>=0.3.81",
# CVE-2024-52804, CVE-2025-47287: tornado HTTP cookie parsing DoS + multipart logging DoS
"tornado>=6.5",
# CVE-2025-4565, CVE-2026-0994: protobuf DoS vulnerabilities
"protobuf>=5.29.6",
# CVE-2025-62727: starlette Range header O(n^2) DoS
"starlette>=0.49.1",
# CVE-2025-66418, CVE-2025-66471, CVE-2026-21441: urllib3 decompression-bomb and redirect vulnerabilities
"urllib3>=2.6.3",
# CVE-2026-26007: cryptography subgroup attack on SECT curves
# langgraph-api >=0.7.0 allows cryptography <47.0, which covers 46.0.5
"cryptography>=46.0.5",
]
[build-system]
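Review bot: The CVE floors added under `[tool.uv]` `constraint-dependencies` (h11, langchain-core, tornado, protobuf, starlette, urllib3, cryptography) bind only when uv resolves the project; they are not part of `dependencies`, so an install through pip or any tool that ignores the `[tool.uv]` table gets none of these minimums. The real enforcement point is therefore the committed uv.lock, which only holds if CI runs `uv sync --locked` (or `--frozen`) so a drifted lock fails instead of being silently re-resolved. A short comment above `constraint-dependencies = [` would make that scope explicit, e.g. `# Resolution-time floors for transitive deps: enforced via uv/uv.lock only, invisible to pip installers.` The cryptography comment stating what langgraph-api >=0.7.0 allows is a fact about a third-party package's bounds and will go stale; consider naming the resolved version from the commit message instead of the third-party cap.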
@@ -6,6 +6,17 @@ resolution-markers = [
"python_full_version < '3.13'",
]
[manifest]
constraints = [
{ name = "cryptography", specifier = ">=46.0.5" },
{ name = "h11", specifier = ">=0.16.0" },
{ name = "langchain-core", specifier = ">=0.3.81" },
{ name = "protobuf", specifier = ">=5.29.6" },
{ name = "starlette", specifier = ">=0.49.1" },
{ name = "tornado", specifier = ">=6.5" },
{ name = "urllib3", specifier = ">=2.6.3" },
]
[[package]]
name = "annotated-types"
version = "0.7.0"
@@ -399,9 +410,9 @@ requires-dist = [
{ name = "langchain-auth", specifier = ">=0.2.0" },
{ name = "langchain-openai", specifier = ">=0.2" },
{ name = "langgraph", specifier = ">=0.4.5" },
{ name = "langgraph-api", specifier = ">=0.2.134" },
{ name = "langgraph-checkpoint", specifier = ">=2.0.0" },
{ name = "langgraph-cli", extras = ["inmem"], specifier = ">=0.3.8" },
{ name = "langgraph-api", specifier = ">=0.7.0" },
{ name = "langgraph-checkpoint", specifier = ">=3.0.1,<5.0.0" },
{ name = "langgraph-cli", extras = ["inmem"], specifier = ">=0.4.0" },
{ name = "langgraph-sdk", specifier = ">=0.3" },
{ name = "langsmith", specifier = ">=0.7.6" },
{ name = "python-dateutil", specifier = ">=2.9.0.post0" },
@@ -413,7 +424,7 @@ requires-dist = [
[package.metadata.requires-dev]
dev = [
{ name = "ipykernel", specifier = ">=6.29.4" },
{ name = "langgraph-cli", specifier = ">=0.3.8" },
{ name = "langgraph-cli", specifier = ">=0.4.0" },
{ name = "pytest", specifier = ">=8.2.0" },
{ name = "pytest-asyncio", specifier = ">=0.23.6" },
{ name = "pytest-watch", specifier = ">=4.2.0" },