security: remediate critical/high Dependabot alerts (lockfile bumps)#605
Open
jhamon wants to merge 1 commit into
Open
security: remediate critical/high Dependabot alerts (lockfile bumps)#605jhamon wants to merge 1 commit into
jhamon wants to merge 1 commit into
Conversation
Root uv.lock (dev-extra transitives): - langsmith 0.6.6 -> 0.10.2 (clears GHSA highs <0.8.0, <0.8.18) - starlette 1.0.0 -> 1.3.1 (clears highs <1.1.0, <1.3.1) - urllib3 2.6.3 -> 2.7.0 (clears highs <2.7.0) learn/.../02-ollama-langgraph-agent/poetry.lock (surgical transitive bumps, lock-version 2.1 preserved, no manifest change): - h11 0.14.0 -> 0.16.0 (clears CRITICAL GHSA-vqfr-h8mv-ghfj chunked-encoding smuggling; via httpcore 1.0.9 / httpx 0.28.1) - tornado 6.5.1 -> 6.5.7 (clears highs <6.5.5, <6.5.6) - orjson 3.10.7 -> 3.11.9 (clears high <3.11.6) compatible subtree bumps pulled in: pydantic 2.8.2->2.11.10, ollama 0.3.1->0.6.2 Verified: `uv lock --check` passes; poetry env installs and import/construction smoke test passes (langchain_core, langgraph, langchain_ollama, semantic_router all import; pydantic tool schema builds under 2.11). semantic-router 0.0.61 left intact (a full re-lock would bump cohere and break it) — langchain-stack + subdir urllib3 tracked as follow-up (needs langchain/langgraph v1 migration + Ollama run). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Part of the public-repo security fast-track (Pinecone internal PIN-15 / PIN-6). Clears the critical/high Dependabot alerts that are fixable via safe, verified lockfile-only transitive bumps — no manifest or notebook changes.
Cleared (1 critical + 10 high)
Root
uv.lock(dev-extra transitives):learn/generation/langchain/langgraph/02-ollama-langgraph-agent/poetry.lock(surgicalpoetry update, lock-version 2.1 preserved):Compatible subtree bumps pulled in by the above: pydantic 2.8.2 → 2.11.10, ollama 0.3.1 → 0.6.2.
Verification (local)
uv lock --check— passes (root lockfile consistent).langchain_core,langgraph,langchain_ollama,semantic_routerall import; a pydantic@toolschema builds under pydantic 2.11. (No CI in this subdir; notebook needs a local Ollama to run end-to-end.)Deliberately NOT in this PR (tracked follow-up)
The langchain stack in the ollama-langgraph example (langchain-core critical serialization-injection + langchain / langchain-text-splitters / langgraph-checkpoint / langsmith highs) stays on 0.2.x here. Reaching zero requires a langchain / langgraph v1 migration (two of the highs — langchain-core
<1.2.22, langgraph-checkpoint<3.0.0— are only patched in the 1.x lines), plus bumping the pinned, fragilesemantic-router==0.0.61(a full re-lock bumpscohereand breaks its imports). That is a notebook rewrite requiring interactive Ollama verification — out of scope for a lockfile sweep and filed separately. Subdirurllib3(blocked by the abandonedpyppeteer==2.0.0,urllib3<2.0) rides along with that migration.After merge, Dependabot should close the 11 alerts above (1 critical + 10 high), leaving 1 critical + 13 high for the tracked follow-up.
🤖 Generated with Claude Code
Note
Low Risk
Changes are generated lockfile version pins with no production code edits; main risk is dependency compatibility in the learn example, which the author smoke-tested locally.
Overview
This PR updates only lockfiles to clear fixable critical and high Dependabot alerts—no application or notebook source changes.
Root
uv.lockbumps transitive dev/runtime deps:langsmith0.6.6 → 0.10.2 (adds deps such aswebsockets,xxhash),starlette1.0.0 → 1.3.1, andurllib32.6.3 → 2.7.0.learn/.../02-ollama-langgraph-agent/poetry.lockis refreshed with Poetry 2.4.1 and targeted upgrades:h110.14.0 → 0.16.0 (critical smuggling advisory) viahttpcore/httpx; plustornado,orjson,pydantic/pydantic-core,ollama, and related HTTP stack pins. Minor constraint formatting tweaks appear fors3transfer,semantic-router, andcohere.LangChain/LangGraph 0.2.x critical/high items in that example are explicitly out of scope here and need a separate v1 migration.
Reviewed by Cursor Bugbot for commit 6141e2c. Bugbot is set up for automated code reviews on this repo. Configure here.