John Kennedy 9001867cc1 Fix all open Dependabot security vulnerabilities (#864)
## Summary

- **rollup** (high): Bump resolution `^3.29.5` → `^3.30.0` to fix
arbitrary file write via path traversal (CVE-2026-27606)
- **ajv** (medium): Add resolution `^8.18.0` to fix ReDoS when using
`$data` option (CVE-2025-69873) — resolves all 4 ajv alerts
- **langchain-core** (low): Upgrade `0.3.83` → `1.2.16` to fix SSRF via
image_url token counting (CVE-2026-26013)
- **langsmith** (medium): Upgrade `0.4.32` → `0.7.9` to fix SSRF via
tracing header injection (CVE-2026-25528)
- **Python 3.9**: Dropped (EOL since Oct 2025) — required to enable
langchain-core 1.x and langsmith 0.6.x+ which have the security fixes

Resolves Dependabot alerts #143, #144, #149, #150, #151, #152, #155,
#156.

## Test plan

- [ ] CI passes on Python 3.10 and 3.11
- [ ] Playground builds still succeed with updated yarn.lock
- [ ] Verify Dependabot alerts auto-close after merge

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-28 15:21:29 -08:00
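A check a reviewer of this commit would want before trusting the "resolves all alerts" claim: confirm that every copy of each package in the lockfile actually lands on or above the minimum version named in the summary. Yarn `resolutions` only help if every range spec for a package is collapsed onto the fixed version; a lockfile that still carries an older copy under a different spec leaves the vulnerable code installed. The script below is an added example, not code from this repository. It parses a constructed yarn v1 lockfile excerpt (not the real `yarn.lock`) plus constructed Python pins, and reports any package whose lowest resolved version is below the minimum the commit message states. The `YARN_LOCK`, `PYTHON_PINS` and `MINIMUMS` values are assumptions made for the example.

```python
"""Verify lockfile/pin versions against the minimums a dependency-bump commit claims."""

# Constructed yarn v1 lockfile excerpt (not the repository's real yarn.lock).
# rollup is deliberately left on the pre-fix version so the check has something to flag.
YARN_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


ajv@^6.12.4, ajv@^8.18.0:
  version "8.18.0"
  resolved "https://registry.yarnpkg.com/ajv/-/ajv-8.18.0.tgz"
  integrity sha512-constructed

rollup@^3.29.5:
  version "3.29.5"
  resolved "https://registry.yarnpkg.com/rollup/-/rollup-3.29.5.tgz"
  integrity sha512-constructed
"""

# Constructed Python pins, as they would appear after the upgrade (assumption).
PYTHON_PINS = {"langchain-core": "1.2.16", "langsmith": "0.7.9"}

# Minimum versions the commit message says carry the security fixes.
MINIMUMS = {
    "rollup": "3.30.0",
    "ajv": "8.18.0",
    "langchain-core": "1.2.16",
    "langsmith": "0.7.9",
}


def version_key(v):
    """Sort key for dotted versions; a pre-release suffix sorts below the bare release."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (3 - len(nums))          # treat "1.2" as "1.2.0"
    return (nums, 0 if pre else 1, pre)


def parse_yarn_lock(text):
    """Map package name -> set of resolved versions from a yarn v1 lockfile.

    An entry header looks like `ajv@^6.12.4, ajv@^8.18.0:`; the indented
    `version "x.y.z"` line that follows applies to every spec in that header.
    """
    resolved = {}
    names = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if not line.startswith(" ") and line.endswith(":"):
            names = []
            for spec in line[:-1].split(","):
                spec = spec.strip().strip('"')
                # Scoped names begin with '@', so split on the *last* '@'.
                names.append(spec[: spec.rindex("@")])
        elif line.startswith("  version "):
            version = line.split('"')[1]
            for name in names:
                resolved.setdefault(name, set()).add(version)
    return resolved


def check_minimums(installed, minimums):
    """Return {name: (lowest_found_or_None, required)} for every package that fails.

    The *lowest* resolved copy is compared, because a second, older copy of a
    package in the lockfile is still a vulnerable copy on disk.
    """
    failures = {}
    for name, required in minimums.items():
        versions = installed.get(name)
        if not versions:
            failures[name] = (None, required)
            continue
        lowest = min(versions, key=version_key)
        if version_key(lowest) < version_key(required):
            failures[name] = (lowest, required)
    return failures


def audit(yarn_lock=YARN_LOCK, python_pins=PYTHON_PINS, minimums=MINIMUMS):
    """Combine JS lockfile entries and Python pins, then check them against MINIMUMS."""
    installed = parse_yarn_lock(yarn_lock)
    for name, version in python_pins.items():
        installed.setdefault(name, set()).add(version)
    return check_minimums(installed, minimums)


if __name__ == "__main__":
    for name, (found, required) in audit().items():
        print(f"{name}: found {found or 'nothing'}, need >= {required}")
```

Run against the real repository by reading `yarn.lock` into `yarn_lock` and the project's Python pins into `python_pins`; an empty result means every copy of every listed package is at or above the fixed version, which is the condition under which Dependabot will close the alerts after merge.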