mirror of
https://github.com/langchain-ai/langserve.git
synced 2026-07-01 20:14:01 -04:00
9001867cc1
## Summary

- **rollup** (high): Bump resolution `^3.29.5` → `^3.30.0` to fix arbitrary file write via path traversal (CVE-2026-27606)
- **ajv** (medium): Add resolution `^8.18.0` to fix ReDoS when using `$data` option (CVE-2025-69873) — resolves all 4 ajv alerts
- **langchain-core** (low): Upgrade `0.3.83` → `1.2.16` to fix SSRF via image_url token counting (CVE-2026-26013)
- **langsmith** (medium): Upgrade `0.4.32` → `0.7.9` to fix SSRF via tracing header injection (CVE-2026-25528)
- **Python 3.9**: Dropped (EOL since Oct 2025) — required to enable langchain-core 1.x and langsmith 0.6.x+ which have the security fixes

Resolves Dependabot alerts #143, #144, #149, #150, #151, #152, #155, #156.

## Test plan

- [ ] CI passes on Python 3.10 and 3.11
- [ ] Playground builds still succeed with updated yarn.lock
- [ ] Verify Dependabot alerts auto-close after merge

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>