fix(security): bump langchain-core, langsmith, aiohttp, urllib3, idna + npm deps (GHSA-pjwx-r37v-7724 and 17 more)#33
Conversation
…, pydantic-settings, vcrpy; fix npm deps Python (langchain/): - langchain-core 0.3.83 → 0.3.85+ (GHSA-pjwx-r37v-7724 / GHSA-926x-3r5x-gfhw, CVSS 8.2/5.3) - langsmith 0.7.32 → 0.8.18+ (GHSA-f4xh-w4cj-qxq8 / GHSA-3644-q5cj-c5c7, CVSS 7.7/7.1) - aiohttp 3.13.5 → 3.14.1+ (9 GHSAs incl. GHSA-4fvr-rgm6-gqmc, CVSS up to 6.6) - urllib3 2.6.3 → 2.7.0+ (PYSEC-2026-141/142 / GHSA-mf9v-mfxr-j63j / GHSA-qccp-gfcp-xxvc, CVSS 8.2/8.9) - idna 3.11 → 3.15+ (GHSA-65pc-fj4g-8rjx, CVSS 6.9) — transitive floor pin - pydantic-settings 2.12.0 → 2.14.2+ (GHSA-4xgf-cpjx-pc3j, CVSS 5.3) — transitive floor pin - langchain 0.3.27 → 0.3.30+ (GHSA-3644-q5cj-c5c7, CVSS 7.1) — transitive floor pin - vcrpy < 8.2.1 → 8.2.1+ (GHSA-rpj2-4hq8-938g, CVSS 7.8) — test dep floor pin npm (zapier/): - @babel/core 7.28.6 → 7.29.6 (GHSA-4x5r-pxfx-6jf8, CVSS 3.2) — override - brace-expansion 1.1.12 → 1.1.13 (GHSA-f886-m6hf-6m8v, CVSS 6.5) — override - form-data 4.0.4 → 4.0.6 (GHSA-hmw2-7cc7-3qxx, CVSS 8.7) — override Risk accepted (osv-scanner.toml): - js-yaml 3.14.2: fix 4.2.0 is major API break; consumer (@istanbuljs) uses removed safeLoad() - langchain 0.3.x: GHSA-gr75-jv2w-4656 fix only in 1.3.9 (breaking major) - langchain-core 0.3.x: GHSA-2g6r-c272-w58r fix only in 1.2.11 (renewed suppress) - dify flask/werkzeug/requests: dify_plugin==0.0.1b65 hard-pins incompatible versions
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (2)
📒 Files selected for processing (3)
📝 WalkthroughWalkthroughThe PR updates dependency and security-related configuration in three places: Poetry constraints in 🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Vulnerability Fixes
All changes are limited to manifest/lock file version bumps — no functional source code changes.
Python (langchain/)
npm (zapier/)
Risk Accepted (osv-scanner.toml)
Changelog impact summary