mirror of
https://github.com/langchain-ai/langserve.git
synced 2026-07-01 20:14:01 -04:00
279630ca2c
## Security Alert Patch

Resolves 8 Dependabot security alerts across all severity tiers.

### Packages Updated

| Package | Old Constraint | New Constraint | Strategy | Scope | CVEs Resolved |
|---------|---------------|----------------|----------|-------|---------------|
| Pygments | 2.19.2 | 2.20.0 | A — lockfile update | runtime (transitive) | CVE-2026-4539 |
| yaml | 1.10.2 | 1.10.3 | A — lockfile patch | runtime (transitive) | CVE-2026-33532 |
| yaml | 2.3.3 | 2.8.3 | A — lockfile regen | dev (transitive) | CVE-2026-33532 |
| esbuild | 0.21.5 / 0.24.2 | 0.25.0 | C — resolution override (dev-only) | dev-only | GHSA-67mh-4wv8-2f99 |

Strategy = direct bump (A) / override (C, dev-only)
Scope = runtime (transitive) = transitive dep in runtime chain / dev-only = local dev only

### CVE Details

- **CVE-2026-4539** (low) — Pygments ReDoS via inefficient regex for GUID matching. [GHSA-5239-wwwm-4pmq](https://github.com/advisories/GHSA-5239-wwwm-4pmq)
- **CVE-2026-33532** (medium) — yaml stack overflow via deeply nested YAML collections. [GHSA-48c2-rrv3-qjmp](https://github.com/advisories/GHSA-48c2-rrv3-qjmp)
- **GHSA-67mh-4wv8-2f99** (medium) — esbuild dev server allows any website to send requests and read responses. [GHSA-67mh-4wv8-2f99](https://github.com/advisories/GHSA-67mh-4wv8-2f99)

### Linear Tickets

No matching Linear tickets found for the resolved CVEs.

### Verification

- [x] All lockfiles regenerated
- [x] Linters pass (`ruff check`, `ruff format --check`)
- [x] Tests pass (123 passed)

🤖 Submitted by langster-patch
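The checklist above records that the lockfiles were regenerated, but a reviewer of a patch like this usually wants to confirm that every installed copy of each package actually landed at or above the fixed version, not only the hoisted one. The script below is an added example written for this page, not code from the langserve repository or from the langster-patch tool. It takes the floors from the patch's "New Constraint" column, parses a Poetry lockfile for the Python side and an npm package-lock.json (lockfileVersion 2/3 layout) for the dev side, and walks every `packages` entry so that a second copy nested under another dependency's `node_modules` is checked too, which is exactly the situation the esbuild row (two old versions resolved by one override) describes. The lockfile snippets are constructed for the example; dependent names such as `bundler-a` and `runtime-dep-a` are placeholders, and pre-release version tags are assumed absent.

```python
"""Audit regenerated lockfiles against the minimum versions a patch claims.

Added example; not part of the langserve repository. Assumes a poetry.lock for
the Python runtime chain and an npm package-lock.json (lockfileVersion 2/3) for
the JS dev chain. All lockfile text below is constructed sample input.
"""
import json
import re

# Floors from the patch's "New Constraint" column. yaml has two parallel major
# lines in the table (1.x runtime, 2.x dev), so a package may carry several
# floors; a found version is compared with the floor of its own major line.
FLOORS = {
    "poetry": {"pygments": ["2.20.0"]},
    "npm": {"yaml": ["1.10.3", "2.8.3"], "esbuild": ["0.25.0"]},
}


def parse_version(version):
    """Numeric dotted prefix as a tuple; pre-release tags are ignored (assumption)."""
    match = re.match(r"(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def meets_floor(version, floors):
    """True if `version` is at or above the floor for its major line.

    A major line with no floor of its own passes only if it is above every
    listed floor, so a newer major passes and a downgrade to an old major fails.
    """
    found = parse_version(version)
    parsed = [parse_version(f) for f in floors]
    same_major = [f for f in parsed if f[0] == found[0]]
    return found >= max(same_major) if same_major else found >= max(parsed)


def audit_poetry_lock(text, floors):
    """One finding per [[package]] entry whose name has a floor."""
    block = re.compile(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"')
    return [
        {"ecosystem": "poetry", "package": name.lower(), "version": ver,
         "path": name, "dev": None, "ok": meets_floor(ver, floors[name.lower()])}
        for name, ver in block.findall(text) if name.lower() in floors
    ]


def audit_package_lock(text, floors):
    """Walk every "packages" entry, including nested node_modules copies.

    npm keys each installed copy by path, so node_modules/yaml and
    node_modules/x/node_modules/yaml are separate entries; an override is only
    effective if all of them moved to the fixed version.
    """
    findings = []
    for path, entry in json.loads(text).get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        if name in floors:
            findings.append(
                {"ecosystem": "npm", "package": name, "version": entry["version"],
                 "path": path, "dev": bool(entry.get("dev", False)),
                 "ok": meets_floor(entry["version"], floors[name])})
    return findings


def audit(poetry_text, package_lock_text):
    return (audit_poetry_lock(poetry_text, FLOORS["poetry"])
            + audit_package_lock(package_lock_text, FLOORS["npm"]))


def unresolved(findings):
    """Findings still below their floor."""
    return [f for f in findings if not f["ok"]]


# Constructed "before" state mirroring the patch table: each package at its old
# version, yaml and esbuild each present twice (hoisted copy plus nested copy).
POETRY_LOCK_BEFORE = '[[package]]\nname = "pygments"\nversion = "2.19.2"\n'
PACKAGE_LOCK_BEFORE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "playground"},
    "node_modules/yaml": {"version": "2.3.3", "dev": True},
    "node_modules/runtime-dep-a/node_modules/yaml": {"version": "1.10.2"},
    "node_modules/esbuild": {"version": "0.24.2", "dev": True},
    "node_modules/bundler-a/node_modules/esbuild": {"version": "0.21.5", "dev": True},
}})

# Constructed "after" state: what the regenerated lockfiles should look like.
POETRY_LOCK_AFTER = '[[package]]\nname = "pygments"\nversion = "2.20.0"\n'
PACKAGE_LOCK_AFTER = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "playground"},
    "node_modules/yaml": {"version": "2.8.3", "dev": True},
    "node_modules/runtime-dep-a/node_modules/yaml": {"version": "1.10.3"},
    "node_modules/esbuild": {"version": "0.25.0", "dev": True},
    "node_modules/bundler-a/node_modules/esbuild": {"version": "0.25.0", "dev": True},
}})

if __name__ == "__main__":
    for label, poetry, npm in (("before", POETRY_LOCK_BEFORE, PACKAGE_LOCK_BEFORE),
                               ("after", POETRY_LOCK_AFTER, PACKAGE_LOCK_AFTER)):
        bad = unresolved(audit(poetry, npm))
        print(f"{label}: {len(bad)} copies below floor")
        for f in bad:
            print(f"  {f['ecosystem']} {f['path']} {f['version']} dev={f['dev']}")
```

Run against the real files by reading `poetry.lock` and the playground's `package-lock.json` into the two `audit` arguments; a non-empty `unresolved` list after regeneration means a nested copy escaped the override or patch and the "All lockfiles regenerated" box should not be ticked yet. The per-major-line comparison is what lets the two yaml rows (1.10.3 and 2.8.3) coexist in one floor list without the 1.x runtime copy being flagged against the 2.x dev floor.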