fix: patch 8 security alerts (medium + low severity)

Add minimum version constraints for vulnerable direct and transitive
dependencies surfaced by Dependabot. Since requirements.txt was unpinned
prior to this change, the effective install version was already whatever
the resolver picked — these floors guarantee the patched versions.

Resolves:
- GHSA-r7w7-9xr2-qq2r (langchain-openai)
- GHSA-rr7j-v2q5-chgv (langsmith)
- CVE-2026-40087 / GHSA-926x-3r5x-gfhw (langchain-core)
- CVE-2026-39892 / GHSA-p423-j2cm-9vmq (cryptography)
- CVE-2026-34073 / GHSA-m959-cc7f-wv43 (cryptography)
- CVE-2026-34452 / GHSA-w828-4qhx-vxx3 (anthropic)
- CVE-2026-34450 / GHSA-q5f5-3gjm-7mfm (anthropic)
- CVE-2026-4539 / GHSA-5239-wwwm-4pmq (Pygments)
John Kennedy
2026-04-21 06:53:57 +00:00
parent 650cb13644
commit eabbff949b
+6 -1
@@ -5,4 +5,9 @@ langgraph
langgraph-cli[inmem]
requests
ipykernel
langchain-openai
langchain-openai>=1.1.14
langchain-core>=1.2.28
langsmith>=0.7.31
anthropic>=0.87.0
cryptography>=46.0.7
Pygments>=2.20.0
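Review bot: the new floors raise the minimum but, as the commit message itself notes, the file is otherwise unpinned, so the versions actually installed still depend on whatever the resolver picks on a given day and cannot be audited after the fact; consider generating a lock file from these constraints (for example with `pip-compile --generate-hashes`) so the resolved set is recorded and hash-verified on install. Also, `langchain-core`, `langsmith`, `cryptography` and `Pygments` are described as transitive dependencies but are now listed as direct requirements; a short comment in the file (e.g. `# floor for GHSA-p423-j2cm-9vmq / GHSA-m959-cc7f-wv43` above `cryptography>=46.0.7`) would stop a later cleanup from removing them as unused imports.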