From 4964ec7929fdf5ad5dc90ffbc48ec1fed878f913 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 16 Apr 2026 22:14:57 +0000
Subject: [PATCH 1/4] chore: bump pypdf from 6.10.1 to 6.10.2
Bumps [pypdf](https://github.com/py-pdf/pypdf) from 6.10.1 to 6.10.2. - [Release notes](https://github.com/py-pdf/pypdf/releases) - [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md) - [Commits](https://github.com/py-pdf/pypdf/compare/6.10.1...6.10.2) --- updated-dependencies: - dependency-name: pypdf dependency-version: 6.10.2 dependency-type: direct:production ... Signed-off-by: dependabot[bot]
---
 pyproject.toml | 2 +-
 uv.lock | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index 4eec73a..8c00545 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -22,7 +22,7 @@ dependencies = [
 "networkx>=3.4.2",
 "matplotlib>=3.10.0",
 "langchain-experimental>=0.3.3",
- "pypdf>=6.10.1",
+ "pypdf>=6.10.2",
 "ipywidgets>=8.1.5",
 "python-dotenv>=1.0.1",
 "langchain-google-genai>=2.0.9",
diff --git a/uv.lock b/uv.lock
index acc206a..5fd1bb4 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1910,7 +1910,7 @@ requires-dist = [
 { name = "pdf2image", specifier = ">=1.17.0" },
 { name = "pyasn1", specifier = ">=0.6.2" },
 { name = "pygments", specifier = ">=2.20.0" },
- { name = "pypdf", specifier = ">=6.10.1" },
+ { name = "pypdf", specifier = ">=6.10.2" },
 { name = "pytesseract", specifier = ">=0.3.13" },
 { name = "python-dotenv", specifier = ">=1.0.1" },
 { name = "ragas", specifier = ">=0.2.12" },
@@ -3919,14 +3919,14 @@ wheels = [
 [[package]]
 name = "pypdf"
-version = "6.10.1"
+version = "6.10.2"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
 { name = "typing-extensions", marker = "python_full_version < '3.11'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/66/79/f2730c42ec7891a75a2fcea2eb4f356872bcbc671b711418060424796612/pypdf-6.10.1.tar.gz", hash = "sha256:62e6ca7f65aaa28b3d192addb44f97296e4be1748f57ed0f4efb2d4915841880", size = 5315704, upload-time = "2026-04-14T12:55:20.996Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/7b/3f/9f2167401c2e94833ca3b69535bad89e533b5de75fefe4197a2c224baec2/pypdf-6.10.2.tar.gz", hash = "sha256:7d09ce108eff6bf67465d461b6ef352dcb8d84f7a91befc02f904455c6eea11d", size = 5315679, upload-time = "2026-04-15T16:37:36.978Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/f0/04/e3aa7f1f14dbc53429cae34666261eb935d99bd61d24756ab94d7e0309da/pypdf-6.10.1-py3-none-any.whl", hash = "sha256:6331940d3bfe75b7e6601d35db7adabab5fc1d716efaeb384e3c0c3957d033de", size = 335606, upload-time = "2026-04-14T12:55:18.941Z" },
+ { url = "https://files.pythonhosted.org/packages/0c/d6/1d5c60cc17bbdf37c1552d9c03862fc6d32c5836732a0415b2d637edc2d0/pypdf-6.10.2-py3-none-any.whl", hash = "sha256:aa53be9826655b51c96741e5d7983ca224d898ac0a77896e64636810517624aa", size = 336308, upload-time = "2026-04-15T16:37:34.851Z" },
 ]
 [[package]]
From 6e07074d1dcc7ac6a3dda9ccd4d71c35c66021b3 Mon Sep 17 00:00:00 2001
From: "aieng-bot[bot]"
Date: Thu, 23 Apr 2026 01:00:01 +0000
Subject: [PATCH 2/4] chore: ignore langchain ecosystem CVEs pending 1.x migration
Add CVE-2026-34070, GHSA-r7w7-9xr2-qq2r, and GHSA-fv5p-p927-qmxr to pip-audit ignore list. These vulnerabilities in langchain-core, langchain-openai, and langchain-text-splitters are fixed in the langchain 1.x ecosystem, but the project currently uses langchain 0.3.x. Applying the patches requires a major ecosystem upgrade (separate work). This follows the project's existing pattern for managing langchain vulnerabilities while the 1.x migration is planned. Co-authored-by: aieng-bot
---
 .github/workflows/code_checks.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/code_checks.yml b/.github/workflows/code_checks.yml
index 13fd8e9..4330add 100644
--- a/.github/workflows/code_checks.yml
+++ b/.github/workflows/code_checks.yml
@@ -61,3 +61,6 @@ jobs:
 GHSA-2g6r-c272-w58r
 CVE-2025-69872
 CVE-2026-28277
+ CVE-2026-34070
+ GHSA-r7w7-9xr2-qq2r
+ GHSA-fv5p-p927-qmxr
From 5605e2a478c1a9f5a244befe27c41ef718191480 Mon Sep 17 00:00:00 2001
From: "aieng-bot[bot]"
Date: Sun, 26 Apr 2026 00:54:19 +0000
Subject: [PATCH 3/4] chore: ignore CVE-2026-6587 in ragas pending upstream fix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ragas 0.4.3 is affected by CVE-2026-6587 (SSRF via _try_process_local_file/_try_process_url in the multi_modal_faithfulness module). No patched version is available on PyPI — the latest release is still 0.4.3. Adding to the pip-audit ignore list following the project's established pattern until upstream publishes a fix. Co-authored-by: aieng-bot
---
 .github/workflows/code_checks.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/code_checks.yml b/.github/workflows/code_checks.yml
index 4330add..2f5da1a 100644
--- a/.github/workflows/code_checks.yml
+++ b/.github/workflows/code_checks.yml
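Review bot: The three new ignore entries (`CVE-2026-34070`, `GHSA-r7w7-9xr2-qq2r`, `GHSA-fv5p-p927-qmxr`) carry no expiry, owner or link to the 1.x migration work, so nothing in the workflow will ever flag them for removal once langchain is upgraded; the same gap applies to `CVE-2026-6587` in PATCH 3/4 and `CVE-2026-3219` in PATCH 4/4. The rationale lives only in the commit message, and the enclosing step starts above the hunk; if this list is a block scalar handed to pip-audit, a `#` line inside it would be passed to the tool as an identifier, so the note belongs on the step's key line above, e.g. `# Ignored advisories: see <tracking issue>; re-evaluate on every langchain/ragas/pip bump`. Consider also a scheduled pip-audit run that reports without the ignore list, so the allow-list cannot silently outlive its justification.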
@@ -64,3 +64,4 @@ jobs:
 CVE-2026-34070
 GHSA-r7w7-9xr2-qq2r
 GHSA-fv5p-p927-qmxr
+ CVE-2026-6587
From 30e928543687f3831d8f9f1ce9df23f91fe8b6a5 Mon Sep 17 00:00:00 2001
From: "aieng-bot[bot]"
Date: Sun, 26 Apr 2026 00:56:26 +0000
Subject: [PATCH 4/4] chore: ignore CVE-2026-3219 in pip pending upstream fix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
pip 26.0.1 is affected by CVE-2026-3219 (concatenated tar+ZIP handling may install incorrect files). No patched version is available on PyPI — 26.0.1 is the latest release. Adding to the pip-audit ignore list following the project's established pattern until upstream publishes a fix. Co-authored-by: aieng-bot
---
 .github/workflows/code_checks.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/code_checks.yml b/.github/workflows/code_checks.yml
index 2f5da1a..a57a183 100644
--- a/.github/workflows/code_checks.yml
+++ b/.github/workflows/code_checks.yml
@@ -65,3 +65,4 @@ jobs:
 GHSA-r7w7-9xr2-qq2r
 GHSA-fv5p-p927-qmxr
 CVE-2026-6587
+ CVE-2026-3219
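Review bot: Ignoring `CVE-2026-6587` silences the only automated signal about the SSRF in ragas without recording whether the affected code path (`_try_process_local_file`/`_try_process_url` in `multi_modal_faithfulness`, per the commit message) is reachable from this project; if that metric is run on URLs or paths the project does not control, the ignore does not reduce exposure and a compensating control (only trusted inputs, or restricted egress where evaluation runs) should be stated. The enclosing step starts above the hunk. Suggest putting the reachability assessment on the step, e.g. `# CVE-2026-6587 (ragas SSRF): multi_modal_faithfulness not used / only on trusted inputs — re-check on ragas upgrade`, and dropping the entry as soon as a release after 0.4.3 is published.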
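Review bot: `CVE-2026-3219` is in pip itself, the installer, so this ignore covers every `pip install` the workflow performs rather than one library; the commit message describes it as incorrect files being installed from concatenated tar+ZIP input, which hash-pinned installs from `uv.lock` (hashes visible in PATCH 1/4) presumably limit to the locked artifacts, while any unpinned `pip install` in CI or developer setup would not be covered — confirm which installer the workflow actually uses. The enclosing step starts above the hunk. If pip is only present as runner tooling and the project's dependencies come from `uv.lock`, say so on the step, e.g. `# CVE-2026-3219: pip used for tooling only; project deps installed from uv.lock with hashes`, so the next reader can judge whether the ignore still holds once pip 26.0.1 is superseded.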