From 3be19da148b844c95ae6322333d382a873c1c468 Mon Sep 17 00:00:00 2001 From: Andriy Lysyuk Date: Tue, 28 Apr 2026 07:26:37 +0200 Subject: [PATCH] fix(security): fix osv-scanner.toml ignoreUntil format + add GHSA-r7w7-9xr2-qq2r suppression (ENG-14837) - Fix 4 quoted RFC3339 ignoreUntil dates to unquoted TOML local date format - Add suppression for GHSA-r7w7-9xr2-qq2r (langchain-openai LOW, no 0.3.x fix) - All langchain vulnerabilities blocked by 0.3.x -> 1.x migration constraint Co-Authored-By: Claude Sonnet 4.6 --- osv-scanner.toml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/osv-scanner.toml b/osv-scanner.toml index 17c38fe1..062e24dc 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml @@ -1,19 +1,24 @@ [[IgnoredVulns]] id = "GHSA-fv5p-p927-qmxr" -ignoreUntil = "2026-07-24T00:00:00Z" +ignoreUntil = 2026-07-24 reason = "langchain-text-splitters SSRF redirect bypass in HTMLHeaderTextSplitter.split_text_from_url (MEDIUM). Fix requires langchain-text-splitters>=1.1.2 which requires langchain-core>=1.2.31 — a breaking major change. langchain-community 0.3.x hard-constrains langchain-core<1.0.0, making a semver-compatible upgrade impossible. HTMLHeaderTextSplitter is not used by langchain-agentql. Related: ENG-14677." [[IgnoredVulns]] id = "GHSA-2g6r-c272-w58r" -ignoreUntil = "2026-06-15T00:00:00Z" +ignoreUntil = 2026-06-15 reason = "langchain-core SSRF via image_url token counting (LOW). Fix requires upgrading langchain-core 0.3.x -> 1.2.11, a breaking major version change incompatible with our ^0.3.15 constraint. No semver-compatible fix available." [[IgnoredVulns]] id = "GHSA-qh6h-p6c9-ff54" -ignoreUntil = "2026-07-16T00:00:00Z" +ignoreUntil = 2026-07-16 reason = "langchain-core path traversal in load_prompt/load_prompt_from_config (HIGH, CVE-2026-34070). Fix requires upgrading langchain-core 0.3.x -> 1.2.22, a breaking major version change. langchain-community 0.3.x hard-constrains langchain-core<1.0.0, making a semver-compatible upgrade impossible without also migrating langchain-community to a stable 1.x release (currently only alpha). No fix available in the 0.3.x line." [[IgnoredVulns]] id = "GHSA-6w46-j5rx-g56g" -ignoreUntil = "2026-07-16T00:00:00Z" +ignoreUntil = 2026-07-16 reason = "pytest tmpdir privilege escalation (CVE-2025-71176, MEDIUM). Fix requires pytest>=9.0.3, but langchain-tests<=0.3.x pins pytest<9. Upgrading langchain-tests to 1.x would require a full langchain ecosystem migration (langchain-core 0.3->1.x, langchain-community 0.3->1.x). Affects test execution only — no production exposure. ENG-14433." + +[[IgnoredVulns]] +id = "GHSA-r7w7-9xr2-qq2r" +ignoreUntil = 2026-07-27 +reason = "langchain-openai prompt injection via tool result injection (LOW). Fix requires langchain-openai>=0.4.4 which requires langchain-core>=1.3.1 — a breaking major change. langchain-community 0.3.x hard-constrains langchain-core<1.0.0, making a semver-compatible upgrade impossible. ENG-14837."