From eabbff949b72e1de38b29fbe188bec11065d3e9a Mon Sep 17 00:00:00 2001
From: John Kennedy <65985482+jkennedyvz@users.noreply.github.com>
Date: Tue, 21 Apr 2026 06:53:57 +0000
Subject: [PATCH] fix: patch 8 security alerts (medium + low severity)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add minimum version constraints for vulnerable direct and transitive dependencies surfaced by Dependabot. Since requirements.txt was unpinned prior to this change, the effective install version was already whatever the resolver picked — these floors guarantee the patched versions.

Resolves:
- GHSA-r7w7-9xr2-qq2r (langchain-openai)
- GHSA-rr7j-v2q5-chgv (langsmith)
- CVE-2026-40087 / GHSA-926x-3r5x-gfhw (langchain-core)
- CVE-2026-39892 / GHSA-p423-j2cm-9vmq (cryptography)
- CVE-2026-34073 / GHSA-m959-cc7f-wv43 (cryptography)
- CVE-2026-34452 / GHSA-w828-4qhx-vxx3 (anthropic)
- CVE-2026-34450 / GHSA-q5f5-3gjm-7mfm (anthropic)
- CVE-2026-4539 / GHSA-5239-wwwm-4pmq (Pygments)
---
 requirements.txt | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index e540aab..78c970d 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -5,4 +5,9 @@ langgraph
 langgraph-cli[inmem]
 requests
 ipykernel
-langchain-openai
+langchain-openai>=1.1.14
+langchain-core>=1.2.28
+langsmith>=0.7.31
+anthropic>=0.87.0
+cryptography>=46.0.7
+Pygments>=2.20.0
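Review bot: The added floors for langchain-core, langsmith, cryptography and Pygments (and anthropic, if the project does not import it directly) promote transitive dependencies to direct requirements rather than constraining them; a pip constraints file pulled in with `-c constraints.txt` from requirements.txt would enforce the same minimum versions without the project appearing to depend on those packages itself. A `>=` lower bound also only guarantees the patched floor at install time and does nothing for reproducibility, so the "guarantee" in the description really needs a lock file with hashes (for example one produced by `pip-compile --generate-hashes`) alongside these floors. Consider annotating each floor with the advisory it closes, e.g. `cryptography>=46.0.7  # GHSA-p423-j2cm-9vmq, GHSA-m959-cc7f-wv43`, so a later edit cannot lower it without the reason being visible in the file.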