mirror of
https://github.com/langchain-ai/stateful-deepagents.git
synced 2026-07-01 20:14:06 -04:00
fix: patch 8 security alerts (medium + low severity)
Add minimum version constraints for vulnerable direct and transitive dependencies surfaced by Dependabot. Since requirements.txt was unpinned prior to this change, the effective install version was already whatever the resolver picked — these floors guarantee the patched versions.

Resolves:
- GHSA-r7w7-9xr2-qq2r (langchain-openai)
- GHSA-rr7j-v2q5-chgv (langsmith)
- CVE-2026-40087 / GHSA-926x-3r5x-gfhw (langchain-core)
- CVE-2026-39892 / GHSA-p423-j2cm-9vmq (cryptography)
- CVE-2026-34073 / GHSA-m959-cc7f-wv43 (cryptography)
- CVE-2026-34452 / GHSA-w828-4qhx-vxx3 (anthropic)
- CVE-2026-34450 / GHSA-q5f5-3gjm-7mfm (anthropic)
- CVE-2026-4539 / GHSA-5239-wwwm-4pmq (Pygments)
+6
-1
@@ -5,4 +5,9 @@ langgraph
|
||||
langgraph-cli[inmem]
|
||||
requests
|
||||
ipykernel
|
||||
langchain-openai
|
||||
langchain-openai>=1.1.14
|
||||
langchain-core>=1.2.28
|
||||
langsmith>=0.7.31
|
||||
anthropic>=0.87.0
|
||||
cryptography>=46.0.7
|
||||
Pygments>=2.20.0
|
||||
|
||||
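Review bot: the new lines from langchain-core>=1.2.28 through Pygments>=2.20.0 have no comment in requirements.txt saying they are security floors, so a later cleanup could drop entries such as cryptography or Pygments as apparently unused and silently reopen the advisories. Add a short comment above the block that names the advisory each floor addresses, or move the floors that exist only for transitive packages into a constraints file applied with pip install -c. Separately, the `>=` specifiers set only a lower bound and the context lines (langgraph, langgraph-cli[inmem], requests, ipykernel) remain unpinned, so installs are still not reproducible; a lock file with hashes would cover both the patched minimums and drift in the unpinned packages.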