From fc6b5746b1117c665eaa04e5df97a9000d8063b6 Mon Sep 17 00:00:00 2001
From: John Kennedy <65985482+jkennedyvz@users.noreply.github.com>
Date: Tue, 21 Apr 2026 06:53:54 +0000
Subject: [PATCH] fix: patch 7 security alerts (medium + low severity)

Raises requirements.txt lower bounds for vulnerable direct dependencies and adds explicit pins for vulnerable transitive dependencies.

Resolves:
- langchain-core >=1.2.28 (GHSA-926x-3r5x-gfhw / CVE-2026-40087)
- langsmith >=0.7.31 (GHSA-rr7j-v2q5-chgv)
- langchain-openai >=1.1.14 (GHSA-r7w7-9xr2-qq2r)
- cryptography >=46.0.7 (GHSA-p423-j2cm-9vmq, GHSA-m959-cc7f-wv43)
- anthropic >=0.87.0 (GHSA-w828-4qhx-vxx3, GHSA-q5f5-3gjm-7mfm)
---
 requirements.txt | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index eeb6935..3145a5c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,10 +1,14 @@
-langchain-core>=0.3.66
+langchain-core>=1.2.28
 langchain>=1.0.0
 langgraph>=1.0.0
-langsmith>=0.3.0
-langchain-openai>=0.3.0
+langsmith>=0.7.31
+langchain-openai>=1.1.14
 langgraph-cli[inmem]>=0.2.0
 deepagents>=0.3.0
 python-dotenv>=1.0.0
 requests>=2.31.0
-langgraph-api>=0.7.0
\ No newline at end of file
+langgraph-api>=0.7.0
+# Security pins for transitive dependencies (GHSA-p423-j2cm-9vmq, GHSA-m959-cc7f-wv43,
+# GHSA-w828-4qhx-vxx3, GHSA-q5f5-3gjm-7mfm). Remove once parent packages pin patched floors.
+cryptography>=46.0.7
+anthropic>=0.87.0
\ No newline at end of file
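Review bot: The new floors only take effect on a fresh resolve; an environment installed from the old requirements.txt keeps the vulnerable versions until someone re-runs the install with an upgrade, and nothing in this change records which exact versions were actually resolved. If the project does not already have one, consider generating a lock file (pip-compile or equivalent, ideally with `--generate-hashes`) from this requirements.txt and installing from that in CI and deployment, so the advisory-tracked floors are provably what runs. The `# Security pins for transitive dependencies` comment is the right idea but will silently go stale; I would extend it with the direct package each pin is a transitive of, e.g. `# cryptography: pulled in via <PARENT-PACKAGE — placeholder, confirm with pip show>`, so the "remove once parent pins" instruction is actionable. Minor style point: the new last line `+anthropic>=0.87.0` still ends with `\ No newline at end of file`; adding the trailing newline now avoids another churn diff on the next edit.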