Skip to content

security: remediate critical/high Dependabot alerts (lockfile bumps)#605

Open
jhamon wants to merge 1 commit into
mainfrom
security/pin15-examples-crit-high
Open

security: remediate critical/high Dependabot alerts (lockfile bumps)#605
jhamon wants to merge 1 commit into
mainfrom
security/pin15-examples-crit-high

Conversation

@jhamon

@jhamon jhamon commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Part of the public-repo security fast-track (Pinecone internal PIN-15 / PIN-6). Clears the critical/high Dependabot alerts that are fixable via safe, verified lockfile-only transitive bumps — no manifest or notebook changes.

Cleared (1 critical + 10 high)

Root uv.lock (dev-extra transitives):

pkg from → to alerts
langsmith 0.6.6 → 0.10.2 high ×2
starlette 1.0.0 → 1.3.1 high ×2
urllib3 2.6.3 → 2.7.0 high ×2

learn/generation/langchain/langgraph/02-ollama-langgraph-agent/poetry.lock (surgical poetry update, lock-version 2.1 preserved):

pkg from → to alerts
h11 0.14.0 → 0.16.0 CRITICAL (GHSA-vqfr-h8mv-ghfj — chunked-encoding request smuggling); freed via httpcore 1.0.9 / httpx 0.28.1
tornado 6.5.1 → 6.5.7 high ×3
orjson 3.10.7 → 3.11.9 high ×1

Compatible subtree bumps pulled in by the above: pydantic 2.8.2 → 2.11.10, ollama 0.3.1 → 0.6.2.

Verification (local)

  • uv lock --check — passes (root lockfile consistent).
  • poetry env installs; import + construction smoke test passes: langchain_core, langgraph, langchain_ollama, semantic_router all import; a pydantic @tool schema builds under pydantic 2.11. (No CI in this subdir; notebook needs a local Ollama to run end-to-end.)

Deliberately NOT in this PR (tracked follow-up)

The langchain stack in the ollama-langgraph example (langchain-core critical serialization-injection + langchain / langchain-text-splitters / langgraph-checkpoint / langsmith highs) stays on 0.2.x here. Reaching zero requires a langchain / langgraph v1 migration (two of the highs — langchain-core <1.2.22, langgraph-checkpoint <3.0.0 — are only patched in the 1.x lines), plus bumping the pinned, fragile semantic-router==0.0.61 (a full re-lock bumps cohere and breaks its imports). That is a notebook rewrite requiring interactive Ollama verification — out of scope for a lockfile sweep and filed separately. Subdir urllib3 (blocked by the abandoned pyppeteer==2.0.0, urllib3<2.0) rides along with that migration.

After merge, Dependabot should close the 11 alerts above (1 critical + 10 high), leaving 1 critical + 13 high for the tracked follow-up.

🤖 Generated with Claude Code


Note

Low Risk
Changes are generated lockfile version pins with no production code edits; main risk is dependency compatibility in the learn example, which the author smoke-tested locally.

Overview
This PR updates only lockfiles to clear fixable critical and high Dependabot alerts—no application or notebook source changes.

Root uv.lock bumps transitive dev/runtime deps: langsmith 0.6.6 → 0.10.2 (adds deps such as websockets, xxhash), starlette 1.0.0 → 1.3.1, and urllib3 2.6.3 → 2.7.0.

learn/.../02-ollama-langgraph-agent/poetry.lock is refreshed with Poetry 2.4.1 and targeted upgrades: h11 0.14.0 → 0.16.0 (critical smuggling advisory) via httpcore/httpx; plus tornado, orjson, pydantic/pydantic-core, ollama, and related HTTP stack pins. Minor constraint formatting tweaks appear for s3transfer, semantic-router, and cohere.

LangChain/LangGraph 0.2.x critical/high items in that example are explicitly out of scope here and need a separate v1 migration.

Reviewed by Cursor Bugbot for commit 6141e2c. Bugbot is set up for automated code reviews on this repo. Configure here.

Root uv.lock (dev-extra transitives):
- langsmith 0.6.6 -> 0.10.2  (clears GHSA highs <0.8.0, <0.8.18)
- starlette 1.0.0 -> 1.3.1    (clears highs <1.1.0, <1.3.1)
- urllib3 2.6.3 -> 2.7.0      (clears highs <2.7.0)

learn/.../02-ollama-langgraph-agent/poetry.lock (surgical transitive bumps,
lock-version 2.1 preserved, no manifest change):
- h11 0.14.0 -> 0.16.0        (clears CRITICAL GHSA-vqfr-h8mv-ghfj chunked-encoding smuggling; via httpcore 1.0.9 / httpx 0.28.1)
- tornado 6.5.1 -> 6.5.7      (clears highs <6.5.5, <6.5.6)
- orjson 3.10.7 -> 3.11.9     (clears high <3.11.6)
  compatible subtree bumps pulled in: pydantic 2.8.2->2.11.10, ollama 0.3.1->0.6.2

Verified: `uv lock --check` passes; poetry env installs and import/construction
smoke test passes (langchain_core, langgraph, langchain_ollama, semantic_router
all import; pydantic tool schema builds under 2.11). semantic-router 0.0.61 left
intact (a full re-lock would bump cohere and break it) — langchain-stack + subdir
urllib3 tracked as follow-up (needs langchain/langgraph v1 migration + Ollama run).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant