12 Commits

Author SHA1 Message Date
Mason Daugherty ecc0bbd3b3 chore: add refs mcp (#14) 2026-05-18 17:52:20 -05:00
John Kennedy 14caa588ea fix: patch 2 security alerts (orjson high, requests medium) (#12)
## Security Alert Patch

Resolves 2 Dependabot security alerts across high and medium severity
tiers.

### Packages Updated

| Package | Old Version | New Version | Strategy | CVE | Severity |
|---------|------------|-------------|----------|-----|----------|
| orjson | 3.11.5 | 3.11.8 | `poetry update` (transitive via langsmith)
| CVE-2025-67221 | high |
| requests | 2.32.4 | 2.33.1 | `poetry update` (direct dep) |
CVE-2026-25645 | medium |

### Upstream Issues

Both patched versions (`orjson >= 3.11.6`, `requests >= 2.33.0`) dropped
Python 3.9 support (`requires_python >= 3.10`). Poetry's resolver
creates a marker-based split at `python_full_version 3.12.4` (driven by
langsmith's pydantic constraint boundary), applying the patched versions
only for Python >= 3.12.4.

**For Python < 3.12.4**, the vulnerable versions remain in the lockfile
because:
1. No patched orjson/requests versions exist for Python 3.9
2. Poetry's dual-context resolution doesn't upgrade the `< 3.12.4`
context independently
3. Full re-lock fails due to conflicting langchain-core constraints
(release `^0.3` vs git `1.2.23`)

**Full resolution requires upstream action:** langsmith or
langchain-core must floor `orjson >= 3.11.6` and `requests >= 2.33.0` to
propagate the fix across all Python version contexts.

### CVE Details

- **CVE-2025-67221** (high) — orjson `< 3.11.6`: `orjson.dumps()` does
not limit recursion for deeply nested JSON documents, enabling denial of
service. [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-67221) |
[GHSA-hx9q-6w63-j58v](https://github.com/advisories/GHSA-hx9q-6w63-j58v)
- **CVE-2026-25645** (medium) — requests `< 2.33.0`:
`extract_zipped_paths()` uses predictable filenames in temp directory,
enabling local file replacement. Standard requests usage is not
affected. [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-25645) |
[GHSA-gc5v-m9x4-r6x2](https://github.com/advisories/GHSA-gc5v-m9x4-r6x2)

### Linear Tickets

No matching Linear tickets found for the resolved CVEs.

### Verification

- [x] Lockfile regenerated via `poetry update`
- [x] `poetry check` passes (no errors)
- [ ] CI checks

🤖 Submitted by langster-patch
2026-04-01 05:15:46 +00:00
John Kennedy 32498764bd infra: add least-privilege permissions to workflow jobs (#11)
## Summary
- Adds explicit `permissions: contents: read` to all workflow jobs
flagged by code scanning for missing permissions
- Covers 6 workflow files and resolves all 11 open
`actions/missing-workflow-permissions` alerts
- Follows least-privilege principle — jobs only get the minimum
permissions they need

## Test plan
- [ ] Verify CI passes on this PR (workflows still function with
explicit read-only permissions)
- [ ] Confirm code scanning alerts are resolved after merge

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-28 21:55:18 +00:00
dependabot[bot] 4d67174d81 build(deps): bump the pip group across 1 directory with 4 updates (#10)
Bumps the pip group with 4 updates in the /libs/sema4 directory:
[requests](https://github.com/psf/requests),
[h11](https://github.com/python-hyper/h11),
[orjson](https://github.com/ijl/orjson) and
[urllib3](https://github.com/urllib3/urllib3).

Updates `requests` from 2.32.3 to 2.32.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/psf/requests/releases">requests's
releases</a>.</em></p>
<blockquote>
<h2>v2.32.4</h2>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and
trusted
environment will retrieve credentials for the wrong hostname/machine
from a
netrc file. (<a
href="https://redirect.github.com/psf/requests/issues/6965">#6965</a>)</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS. (<a
href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
<li>Dropped support for pypy 3.9 following its end of support. (<a
href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's
changelog</a>.</em></p>
<blockquote>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and
trusted
environment will retrieve credentials for the wrong hostname/machine
from a
netrc file.</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS.</li>
<li>Dropped support for pypy 3.9 following its end of support.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/psf/requests/commit/021dc729f0b71a3030cefdbec7fb57a0e80a6cfd"><code>021dc72</code></a>
Polish up release tooling for last manual release</li>
<li><a
href="https://github.com/psf/requests/commit/821770e822a20a21b207b3907ea83878bda1d396"><code>821770e</code></a>
Bump version and add release notes for v2.32.4</li>
<li><a
href="https://github.com/psf/requests/commit/59f8aa2adf1d3d06bcbf7ce6b13743a1639a5401"><code>59f8aa2</code></a>
Add netrc file search information to authentication documentation (<a
href="https://redirect.github.com/psf/requests/issues/6876">#6876</a>)</li>
<li><a
href="https://github.com/psf/requests/commit/5b4b64c3467fd7a3c03f91ee641aaa348b6bed3b"><code>5b4b64c</code></a>
Add more tests to prevent regression of CVE 2024 47081</li>
<li><a
href="https://github.com/psf/requests/commit/7bc45877a86192af77645e156eb3744f95b47dae"><code>7bc4587</code></a>
Add new test to check netrc auth leak (<a
href="https://redirect.github.com/psf/requests/issues/6962">#6962</a>)</li>
<li><a
href="https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef"><code>96ba401</code></a>
Only use hostname to do netrc lookup instead of netloc</li>
<li><a
href="https://github.com/psf/requests/commit/7341690e842a23cf18ded0abd9229765fa88c4e2"><code>7341690</code></a>
Merge pull request <a
href="https://redirect.github.com/psf/requests/issues/6951">#6951</a>
from tswast/patch-1</li>
<li><a
href="https://github.com/psf/requests/commit/6716d7c9f29df636643fa2489f98890216525cb0"><code>6716d7c</code></a>
remove links</li>
<li><a
href="https://github.com/psf/requests/commit/a7e1c745dc23c18e836febd672416ed0c5d8d8ae"><code>a7e1c74</code></a>
Update docs/conf.py</li>
<li><a
href="https://github.com/psf/requests/commit/c799b8167a13416833ad3b4f3298261a477e826f"><code>c799b81</code></a>
docs: fix dead links to kenreitz.org</li>
<li>Additional commits viewable in <a
href="https://github.com/psf/requests/compare/v2.32.3...v2.32.4">compare
view</a></li>
</ul>
</details>
<br />

Updates `h11` from 0.14.0 to 0.16.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/python-hyper/h11/commit/1c5b07581f058886c8bdd87adababd7d959dc7ca"><code>1c5b075</code></a>
this time for surer</li>
<li><a
href="https://github.com/python-hyper/h11/commit/d9c369935e853a7ee1aeb7e481f6dddf9b9c9b8a"><code>d9c3699</code></a>
this time for sure...</li>
<li><a
href="https://github.com/python-hyper/h11/commit/d91b9dd2290a25c8c3f5ec15feb57de5873e6e39"><code>d91b9dd</code></a>
blacken</li>
<li><a
href="https://github.com/python-hyper/h11/commit/5a4683ca466b59bbab9b19cfea20ee157b31cee0"><code>5a4683c</code></a>
Soothe mypy</li>
<li><a
href="https://github.com/python-hyper/h11/commit/9c9567f0a92d13a83a8d8ebdbc757c8c2d384536"><code>9c9567f</code></a>
Bump version to 0.16.0</li>
<li><a
href="https://github.com/python-hyper/h11/commit/114803a29ce50116dc47951c690ad4892b1a36ed"><code>114803a</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/python-hyper/h11/commit/9462006f6ce4941661888228cbd4ac1ea80689b0"><code>9462006</code></a>
Bump version to 0.15.0</li>
<li><a
href="https://github.com/python-hyper/h11/commit/70a96bea8e55403e5d92db14c111432c6d7a8685"><code>70a96be</code></a>
Merge pull request <a
href="https://redirect.github.com/python-hyper/h11/issues/181">#181</a>
from Julien00859/Julien00859/get_int_max_str_digits</li>
<li><a
href="https://github.com/python-hyper/h11/commit/60782ad107e538b9312aac7e1c119c8358bf797c"><code>60782ad</code></a>
Reject Content-Length longer 1 billion TB</li>
<li><a
href="https://github.com/python-hyper/h11/commit/dff7cc397a26ed4acdedd92d1bda6c8f18a6ed9f"><code>dff7cc3</code></a>
Validate Chunked-Encoding chunk footer</li>
<li>Additional commits viewable in <a
href="https://github.com/python-hyper/h11/compare/v0.14.0...v0.16.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `orjson` from 3.10.7 to 3.11.5
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/ijl/orjson/releases">orjson's
releases</a>.</em></p>
<blockquote>
<h2>3.11.5</h2>
<h3>Changed</h3>
<ul>
<li>Show simple error message instead of traceback when attempting to
build on unsupported Python versions.</li>
</ul>
<h2>3.11.4</h2>
<h3>Changed</h3>
<ul>
<li>ABI compatibility with CPython 3.15 alpha 1.</li>
<li>Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7,
manylinux ppc64le, manylinux s390x.</li>
<li>Build now requires a C compiler.</li>
</ul>
<h2>3.11.3</h2>
<h3>Fixed</h3>
<ul>
<li>Fix PyPI project metadata when using maturin 1.9.2 or later.</li>
</ul>
<h2>3.11.2</h2>
<h3>Fixed</h3>
<ul>
<li>Fix build using Rust 1.89 on amd64.</li>
</ul>
<h3>Changed</h3>
<ul>
<li>Build now depends on Rust 1.85 or later instead of 1.82.</li>
</ul>
<h2>3.11.1</h2>
<h3>Changed</h3>
<ul>
<li>Publish PyPI wheels for CPython 3.14.</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>Fix <code>str</code> on big-endian architectures.</li>
</ul>
<h2>3.11.0</h2>
<h3>Changed</h3>
<ul>
<li>Use a deserialization buffer allocated per request instead of a
shared buffer allocated on import.</li>
<li>ABI compatibility with CPython 3.14 beta 4.</li>
</ul>
<h2>3.10.18</h2>
<h3>Fixed</h3>
<ul>
<li>Fix incorrect escaping of the vertical tabulation character. This
was
introduced in 3.10.17.</li>
</ul>
<h2>3.10.17</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/ijl/orjson/blob/master/CHANGELOG.md">orjson's
changelog</a>.</em></p>
<blockquote>
<h2>3.11.5 - 2025-12-06</h2>
<h3>Changed</h3>
<ul>
<li>Show simple error message instead of traceback when attempting to
build on unsupported Python versions.</li>
</ul>
<h2>3.11.4 - 2025-10-24</h2>
<h3>Changed</h3>
<ul>
<li>ABI compatibility with CPython 3.15 alpha 1.</li>
<li>Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7,
manylinux ppc64le, manylinux s390x.</li>
<li>Build now requires a C compiler.</li>
</ul>
<h2>3.11.3 - 2025-08-26</h2>
<h3>Fixed</h3>
<ul>
<li>Fix PyPI project metadata when using maturin 1.9.2 or later.</li>
</ul>
<h2>3.11.2 - 2025-08-12</h2>
<h3>Fixed</h3>
<ul>
<li>Fix build using Rust 1.89 on amd64.</li>
</ul>
<h3>Changed</h3>
<ul>
<li>Build now depends on Rust 1.85 or later instead of 1.82.</li>
</ul>
<h2>3.11.1 - 2025-07-25</h2>
<h3>Changed</h3>
<ul>
<li>Publish PyPI wheels for CPython 3.14.</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>Fix <code>str</code> on big-endian architectures. This was
introduced in 3.11.0.</li>
</ul>
<h2>3.11.0 - 2025-07-15</h2>
<h3>Changed</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/ijl/orjson/commit/fb3eb1f729c7e7b019f780af5695722c99c7c695"><code>fb3eb1f</code></a>
3.11.5</li>
<li><a
href="https://github.com/ijl/orjson/commit/52688e02c51c845cde24a46cd1011a6010d10eb8"><code>52688e0</code></a>
Record contributors in headers</li>
<li><a
href="https://github.com/ijl/orjson/commit/dc083e87d5262e7dde3ba4b1d2a377b5b065a27c"><code>dc083e8</code></a>
Further compatibility and build misc</li>
<li><a
href="https://github.com/ijl/orjson/commit/18f0186d47fbadd53c9db4e39a442d5b04225418"><code>18f0186</code></a>
Compatibility and build misc</li>
<li><a
href="https://github.com/ijl/orjson/commit/a4fdeb3aff125d501ec0dd0577f9b38b2b977b4f"><code>a4fdeb3</code></a>
3.11.4</li>
<li><a
href="https://github.com/ijl/orjson/commit/2e80d68afacafca8751e6a64ca05d0d4087dbd15"><code>2e80d68</code></a>
unlikely to cold_path, remove intrinsics</li>
<li><a
href="https://github.com/ijl/orjson/commit/27edea92f8da2fdfc3f1342474e2f1686f1edf55"><code>27edea9</code></a>
FFI through crate::ffi, partial non-CPython compatibility</li>
<li><a
href="https://github.com/ijl/orjson/commit/416a8c9578da780d0d58b5e6b751793deafc610d"><code>416a8c9</code></a>
Unconditionally build yyjson</li>
<li><a
href="https://github.com/ijl/orjson/commit/c8c1a17dca8436a2fee05ca060febd096e653d98"><code>c8c1a17</code></a>
edition 2024</li>
<li><a
href="https://github.com/ijl/orjson/commit/af4179a1fa0aafffd0f867203b6c36e9a522f165"><code>af4179a</code></a>
build maintenance, panic_immediate_abort break, test 3.15</li>
<li>Additional commits viewable in <a
href="https://github.com/ijl/orjson/compare/3.10.7...3.11.5">compare
view</a></li>
</ul>
</details>
<br />

Updates `urllib3` from 2.2.3 to 2.6.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/urllib3/urllib3/releases">urllib3's
releases</a>.</em></p>
<blockquote>
<h2>2.6.3</h2>
<h2>🚀 urllib3 is fundraising for HTTP/2 support</h2>
<p><a
href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3
is raising ~$40,000 USD</a> to release HTTP/2 support and ensure
long-term sustainable maintenance of the project after a sharp decline
in financial support. If your company or organization uses Python and
would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and
thousands of other projects <a
href="https://opencollective.com/urllib3">please consider contributing
financially</a> to ensure HTTP/2 support is developed sustainably and
maintained for the long-haul.</p>
<p>Thank you for your support.</p>
<h2>Changes</h2>
<ul>
<li>Fixed a security issue where decompression-bomb safeguards of the
streaming API were bypassed when HTTP redirects were followed.
(CVE-2026-21441 reported by <a
href="https://github.com/D47A"><code>@​D47A</code></a>, 8.9 High,
GHSA-38jv-5279-wg99)</li>
<li>Started treating <code>Retry-After</code> times greater than 6 hours
as 6 hours by default. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3743">urllib3/urllib3#3743</a>)</li>
<li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on
Emscripten. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3752">urllib3/urllib3#3752</a>)</li>
</ul>
<h2>2.6.2</h2>
<h2>🚀 urllib3 is fundraising for HTTP/2 support</h2>
<p><a
href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3
is raising ~$40,000 USD</a> to release HTTP/2 support and ensure
long-term sustainable maintenance of the project after a sharp decline
in financial support. If your company or organization uses Python and
would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and
thousands of other projects <a
href="https://opencollective.com/urllib3">please consider contributing
financially</a> to ensure HTTP/2 support is developed sustainably and
maintained for the long-haul.</p>
<p>Thank you for your support.</p>
<h2>Changes</h2>
<ul>
<li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle
leftover data in the decoder's buffer when reading compressed chunked
responses. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3734">urllib3/urllib3#3734</a>)</li>
</ul>
<h2>2.6.1</h2>
<h2>🚀 urllib3 is fundraising for HTTP/2 support</h2>
<p><a
href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3
is raising ~$40,000 USD</a> to release HTTP/2 support and ensure
long-term sustainable maintenance of the project after a sharp decline
in financial support. If your company or organization uses Python and
would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and
thousands of other projects <a
href="https://opencollective.com/urllib3">please consider contributing
financially</a> to ensure HTTP/2 support is developed sustainably and
maintained for the long-haul.</p>
<p>Thank you for your support.</p>
<h2>Changes</h2>
<ul>
<li>Restore previously removed <code>HTTPResponse.getheaders()</code>
and <code>HTTPResponse.getheader()</code> methods. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3731">#3731</a>)</li>
</ul>
<h2>2.6.0</h2>
<h2>🚀 urllib3 is fundraising for HTTP/2 support</h2>
<p><a
href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3
is raising ~$40,000 USD</a> to release HTTP/2 support and ensure
long-term sustainable maintenance of the project after a sharp decline
in financial support. If your company or organization uses Python and
would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and
thousands of other projects <a
href="https://opencollective.com/urllib3">please consider contributing
financially</a> to ensure HTTP/2 support is developed sustainably and
maintained for the long-haul.</p>
<p>Thank you for your support.</p>
<h2>Security</h2>
<ul>
<li>Fixed a security issue where streaming API could improperly handle
highly compressed HTTP content (&quot;decompression bombs&quot;) leading
to excessive resource consumption even when a small amount of data was
requested. Reading small chunks of compressed data is safer and much
more efficient now. (CVE-2025-66471 reported by <a
href="https://github.com/Cycloctane"><code>@​Cycloctane</code></a>, 8.9
High, GHSA-2xpw-w6gg-jr37)</li>
<li>Fixed a security issue where an attacker could compose an HTTP
response with virtually unlimited links in the
<code>Content-Encoding</code> header, potentially leading to a denial of
service (DoS) attack by exhausting system resources during decoding. The
number of allowed chained encodings is now limited to 5. (CVE-2025-66418
reported by <a
href="https://github.com/illia-v"><code>@​illia-v</code></a>, 8.9 High,
GHSA-gm62-xv2j-4w53)</li>
</ul>
<blockquote>
<p>[!IMPORTANT]</p>
<ul>
<li>If urllib3 is not installed with the optional
<code>urllib3[brotli]</code> extra, but your environment contains a
Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at
least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security
fixes and avoid warnings. Prefer using <code>urllib3[brotli]</code> to
install a compatible Brotli package automatically.</li>
</ul>
</blockquote>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's
changelog</a>.</em></p>
<blockquote>
<h1>2.6.3 (2026-01-07)</h1>
<ul>
<li>Fixed a high-severity security issue where decompression-bomb
safeguards of
the streaming API were bypassed when HTTP redirects were followed.
(<code>GHSA-38jv-5279-wg99
&lt;https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99&gt;</code>__)</li>
<li>Started treating <code>Retry-After</code> times greater than 6 hours
as 6 hours by
default. (<code>[#3743](https://github.com/urllib3/urllib3/issues/3743)
&lt;https://github.com/urllib3/urllib3/issues/3743&gt;</code>__)</li>
<li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on
Emscripten.
(<code>[#3752](https://github.com/urllib3/urllib3/issues/3752)
&lt;https://github.com/urllib3/urllib3/issues/3752&gt;</code>__)</li>
</ul>
<h1>2.6.2 (2025-12-11)</h1>
<ul>
<li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle
leftover data in
the decoder's buffer when reading compressed chunked responses.
(<code>[#3734](https://github.com/urllib3/urllib3/issues/3734)
&lt;https://github.com/urllib3/urllib3/issues/3734&gt;</code>__)</li>
</ul>
<h1>2.6.1 (2025-12-08)</h1>
<ul>
<li>Restore previously removed <code>HTTPResponse.getheaders()</code>
and
<code>HTTPResponse.getheader()</code> methods.
(<code>[#3731](https://github.com/urllib3/urllib3/issues/3731)
&lt;https://github.com/urllib3/urllib3/issues/3731&gt;</code>__)</li>
</ul>
<h1>2.6.0 (2025-12-05)</h1>
<h2>Security</h2>
<ul>
<li>Fixed a security issue where streaming API could improperly handle
highly
compressed HTTP content (&quot;decompression bombs&quot;) leading to
excessive resource
consumption even when a small amount of data was requested. Reading
small
chunks of compressed data is safer and much more efficient now.
(<code>GHSA-2xpw-w6gg-jr37
&lt;https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37&gt;</code>__)</li>
<li>Fixed a security issue where an attacker could compose an HTTP
response with
virtually unlimited links in the <code>Content-Encoding</code> header,
potentially
leading to a denial of service (DoS) attack by exhausting system
resources
during decoding. The number of allowed chained encodings is now limited
to 5.
(<code>GHSA-gm62-xv2j-4w53
&lt;https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53&gt;</code>__)</li>
</ul>
<p>.. caution::</p>
<ul>
<li>If urllib3 is not installed with the optional
<code>urllib3[brotli]</code> extra, but
your environment contains a Brotli/brotlicffi/brotlipy package anyway,
make
sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to
benefit from the security fixes and avoid warnings. Prefer using</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/urllib3/urllib3/commit/0248277dd7ac0239204889ca991353ad3e3a1ddc"><code>0248277</code></a>
Release 2.6.3</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b"><code>8864ac4</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/70cecb27ca99d56aaaeb63ac27ee270ef2b24c5c"><code>70cecb2</code></a>
Fix Scorecard issues related to vulnerable dev dependencies (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3755">#3755</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/41f249abe1ef3e20768588969c4035aba060a359"><code>41f249a</code></a>
Move &quot;v2.0 Migration Guide&quot; to the end of the table of
contents (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3747">#3747</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/fd4dffd2fc544166b76151a2fa3d7b7c0eab540c"><code>fd4dffd</code></a>
Patch <code>VerifiedHTTPSConnection</code> for Emscripten (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3752">#3752</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/13f0bfd55e4468fe1ea9c6f809d3a87b0f93ebab"><code>13f0bfd</code></a>
Handle massive values in Retry-After when calculating time to sleep for
(<a
href="https://redirect.github.com/urllib3/urllib3/issues/3743">#3743</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/8c480bf87bcefd321b3a1ae47f04e908b6b2ed7b"><code>8c480bf</code></a>
Bump actions/upload-artifact from 5.0.0 to 6.0.0 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3748">#3748</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/4b40616e959c0a2c466e8075f2a785a9f99bb0c1"><code>4b40616</code></a>
Bump actions/cache from 4.3.0 to 5.0.1 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3750">#3750</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/82b8479663d037d220c883f1584dd01a43bb273b"><code>82b8479</code></a>
Bump actions/download-artifact from 6.0.0 to 7.0.0 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3749">#3749</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/34284cb01700bb7d4fdd472f909e22393e9174e2"><code>34284cb</code></a>
Mention experimental features in the security policy (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3746">#3746</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/urllib3/urllib3/compare/2.2.3...2.6.3">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain-sema4/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-25 17:32:51 -08:00
Mason Daugherty 8fd929faf0 feat(infra): MCP server for langchain docs (#8) 2025-10-22 14:24:55 -04:00
Erick Friis c7e7c8d16b infra: use artifact v4 in mark-release (#6) 2024-11-08 17:18:14 +00:00
Erick Friis c007a2c8c1 infra: use artifact v4 in release pipeline (#5) 2024-11-05 22:54:47 +00:00
Erick Friis 57180200db infra: disable pypi release attestations (#4) 2024-10-31 22:30:22 +00:00
Bagatur a8d5fea366 sema4[minor]: update to support core 0.3, pydantic 2, release 0.2.0 (#3)
* sema4[minor]: update to support core 0.3, pydantic 2, release 0.2.0

* drop 3.8 ci
libs/sema4/v0.2.0
2024-09-16 14:07:17 -07:00
Erick Friis afcbca6078 release permissions (#2) 2024-07-08 17:28:20 -07:00
Erick Friis 580891894b sema4: init package (#1)
* sema4: init package

* x

* x
libs/sema4/v0.1.0
2024-05-31 16:26:37 -04:00
Erick Friis 1c68057704 Initial commit 2024-05-31 11:54:34 -04:00