John Kennedy 279630ca2c fix: patch 8 security alerts (all severities) (#891)
## Security Alert Patch

Resolves 8 Dependabot security alerts across all severity tiers.

### Packages Updated

| Package | Old Constraint | New Constraint | Strategy | Scope | CVEs Resolved |
|---------|---------------|----------------|----------|-------|---------------|
| Pygments | 2.19.2 | 2.20.0 | A — lockfile update | runtime (transitive) | CVE-2026-4539 |
| yaml | 1.10.2 | 1.10.3 | A — lockfile patch | runtime (transitive) | CVE-2026-33532 |
| yaml | 2.3.3 | 2.8.3 | A — lockfile regen | dev (transitive) | CVE-2026-33532 |
| esbuild | 0.21.5 / 0.24.2 | 0.25.0 | C — resolution override (dev-only) | dev-only | GHSA-67mh-4wv8-2f99 |

Strategy = direct bump (A) / override (C, dev-only)
Scope = runtime (transitive) = transitive dep in runtime chain / dev-only = local dev only

### CVE Details

- **CVE-2026-4539** (low) — Pygments ReDoS via inefficient regex for
GUID matching.
[GHSA-5239-wwwm-4pmq](https://github.com/advisories/GHSA-5239-wwwm-4pmq)
- **CVE-2026-33532** (medium) — yaml stack overflow via deeply nested
YAML collections.
[GHSA-48c2-rrv3-qjmp](https://github.com/advisories/GHSA-48c2-rrv3-qjmp)
- **GHSA-67mh-4wv8-2f99** (medium) — esbuild dev server allows any
website to send requests and read responses.
[GHSA-67mh-4wv8-2f99](https://github.com/advisories/GHSA-67mh-4wv8-2f99)

### Linear Tickets

No matching Linear tickets found for the resolved CVEs.

### Verification

- [x] All lockfiles regenerated
- [x] Linters pass (`ruff check`, `ruff format --check`)
- [x] Tests pass (123 passed)

🤖 Submitted by langster-patch
2026-04-01 00:19:21 -07:00

LangServe Playground 🦜🏓