chore: bump astral-sh/setup-uv from 8.0.0 to 8.1.0 #96

Merged
amrit110 merged 1 commit into main from dependabot/github_actions/astral-sh/setup-uv-8.1.0 on Apr 27, 2026

Conversation

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026

Bumps astral-sh/setup-uv from 8.0.0 to 8.1.0.

Release notes

Sourced from astral-sh/setup-uv's releases.

v8.1.0 🌈 New input no-project

Changes

This adds a new boolean input no-project. It only makes sense to use in combination with activate-environment: true and will append --no-project to the uv venv call. This is for example useful if you have a pyproject.toml file with parts unparseable by uv.

🚀 Enhancements

  • Add input no-project in combination with activate-environment @eifinger (#856)

⬆️ Dependency updates

  • chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 @dependabot[bot] (#855)
Commits
  • 0880764 fix: grant contents:write to validate-release job (#860)
  • 717d6ab Add a release-gate step to the release workflow (#859)
  • 5a911eb Draft commitish releases (#858)
  • 080c31e Add action-types.yml to instructions (#857)
  • b3e97d2 Add input no-project in combination with activate-environment (#856)
  • 7dd591d chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 (#855)
  • 1541b77 chore: update known checksums for 0.11.7 (#853)
  • cdfb2ee Refactor version resolving (#852)
  • cb84d12 chore: update known checksums for 0.11.6 (#850)
  • 1912cc6 chore: update known checksums for 0.11.5 (#845)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 20, 2026
@amrit110 amrit110 force-pushed the dependabot/github_actions/astral-sh/setup-uv-8.1.0 branch from 33569f8 to ad82d81 on April 21, 2026 00:50
@amrit110 (Member) commented:

Security Vulnerabilities — Partial Fix Applied

aieng-bot applied partial security fixes from pip-audit findings.

✅ Fixed

| Package | Version | Vulnerability       | Fix Applied        |
|---------|---------|---------------------|--------------------|
| pypdf   | 6.10.1  | GHSA-4pxv-j86v-mhcw | Bumped to >=6.10.2 |
| pypdf   | 6.10.1  | GHSA-7gw9-cf7v-778f | Bumped to >=6.10.2 |
| pypdf   | 6.10.1  | GHSA-x284-j5p8-9c5p | Bumped to >=6.10.2 |

❌ Cannot Auto-Fix — Dependency Conflict

| Package                  | Version | Vulnerability       | Patch Version | Status              |
|--------------------------|---------|---------------------|---------------|---------------------|
| langchain-core           | 0.3.84  | CVE-2026-34070      | 1.2.21+echo.1 | Blocked — see below |
| langchain-openai         | 0.3.35  | GHSA-r7w7-9xr2-qq2r | 1.1.14        | Blocked — see below |
| langchain-text-splitters | 0.3.11  | GHSA-fv5p-p927-qmxr | 1.1.2         | Blocked — see below |

Why these cannot be auto-fixed

Fixing these vulnerabilities requires langchain-core>=1.2.31. However, applying that constraint creates an irresolvable dependency conflict:

langchain-core>=1.2.31
  → langchain-neo4j>=0.6.0 (versions <0.6.0 require langchain-core<0.4.0)
  → neo4j-graphrag>=1.9.0
  → numpy>=2.0.0

langchain-graphrag>=0.0.9 (existing dependency)
  → graspologic>=3.4.1
  → numpy>=1.26.4,<2.0.0   ← incompatible with numpy>=2.0.0

Recommended next steps

  1. Wait for langchain-graphrag to release a version compatible with numpy>=2.0.0 (or for graspologic to drop the numpy<2.0.0 upper bound)
  2. Or consider replacing langchain-graphrag with an alternative that supports numpy>=2.0.0
  3. Once the conflict is resolved, aieng-bot can re-run and apply the remaining fixes automatically

This PR cannot be auto-merged until the remaining vulnerabilities are resolved.

@amrit110 (Member) commented:

Security Vulnerabilities — Cannot Auto-Fix Due to Irresolvable Dependency Conflict

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because applying the patches creates an irresolvable dependency conflict:

| Package                  | Version | Vulnerability       | Fix Version |
|--------------------------|---------|---------------------|-------------|
| langchain-core           | 0.3.84  | CVE-2026-34070      | ≥ 1.2.21    |
| langchain-openai         | 0.3.35  | GHSA-r7w7-9xr2-qq2r | ≥ 1.1.14    |
| langchain-text-splitters | 0.3.11  | GHSA-fv5p-p927-qmxr | ≥ 1.1.2     |

Why this cannot be auto-fixed

All three fixes require upgrading langchain-core from 0.3.84 to ≥ 1.2.31. However, this creates an irresolvable conflict between two existing dependencies:

Conflict chain:

  1. langchain-core >= 1.2.31 requires upgrading langchain-neo4j from 0.3.0 to ≥ 0.6.0 (since 0.3.0–0.5.0 cap at langchain-core < 0.4.0)
  2. langchain-neo4j >= 0.6.0 requires neo4j-graphrag >= 1.9.0
  3. neo4j-graphrag >= 1.9.0 requires numpy >= 2.0.0
  4. langchain-graphrag 0.0.9 requires graspologic >= 3.4.1
  5. graspologic >= 3.4.1 requires numpy < 2.0.0

numpy >= 2.0.0 (from the neo4j stack) and numpy < 2.0.0 (from graspologic/langchain-graphrag) cannot both be satisfied simultaneously.

Recommended next steps

  1. Replace or update langchain-graphrag: Check if a newer version of langchain-graphrag supports graspologic with numpy >= 2.0.0, or consider an alternative package that doesn't pin numpy < 2.0.0
  2. Update graspologic: Wait for a graspologic release that drops the numpy < 2.0.0 upper bound (pre-releases exist as 3.4.5.dev2 but still cap at < 2.0.0)
  3. Separate the conflicting dependencies: If langchain-graphrag and langchain-neo4j are used in different contexts, consider splitting the project or using extras/optional dependencies

This PR will not be auto-merged until the conflict is resolved.

@amrit110 (Member) commented:

Security Vulnerabilities — Cannot Be Auto-Fixed Due to Dependency Conflict

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because the patches conflict with an existing dependency constraint in this project:

| Package                  | Version | Vulnerability       | Fix Version | Status                           |
|--------------------------|---------|---------------------|-------------|----------------------------------|
| langchain-core           | 0.3.84  | CVE-2026-34070      | 1.2.21+     | ❌ Blocked by dependency conflict |
| langchain-openai         | 0.3.35  | GHSA-r7w7-9xr2-qq2r | 1.1.14+     | ❌ Blocked by dependency conflict |
| langchain-text-splitters | 0.3.11  | GHSA-fv5p-p927-qmxr | 1.1.2+      | ❌ Blocked by dependency conflict |

Why this cannot be auto-fixed

All three fixes require bumping langchain-core to >= 1.2.31 (the 1.x series). However, this creates an irreconcilable dependency conflict:

  • langchain-core >= 1.2.31 forces langchain-neo4j >= 0.5.0
    • (langchain-neo4j 0.2.0–0.4.0 explicitly requires langchain-core < 0.4.0)
  • langchain-neo4j >= 0.5.0 requires neo4j-graphrag >= 1.9.0
  • neo4j-graphrag >= 1.9.0 requires numpy >= 2.0.0
  • langchain-graphrag >= 0.0.9 requires graspologic >= 3.4.1
  • graspologic 3.4.4 (latest stable) requires numpy < 2.0.0

The only pre-release that might resolve this is graspologic 3.4.5.dev2, which is not suitable for production use.

Recommended next steps

  1. Remove or replace langchain-graphrag from pyproject.toml if it is no longer needed, OR
  2. Wait for graspologic to publish a stable release supporting numpy >= 2.0.0 (tracking: graspologic 3.4.5.dev2 on PyPI), OR
  3. Manually override the dependency conflict by pinning graspologic to the pre-release 3.4.5.dev2 if acceptable for your use case, OR
  4. Add these CVEs to the pip-audit ignore list with documented justification if the attack vectors are not applicable to this project

This PR cannot be auto-merged until the vulnerability is resolved. Human review required.

@amrit110 (Member) commented:

Security Vulnerabilities — Cannot Auto-Fix Due to Dependency Conflict

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because applying the fixes creates an unresolvable dependency conflict.

| Package                  | Installed | Vulnerability       | Fix Version | Status                |
|--------------------------|-----------|---------------------|-------------|-----------------------|
| langchain-core           | 0.3.84    | CVE-2026-34070      | ≥ 1.2.21    | ⚠️ Blocked by conflict |
| langchain-openai         | 0.3.35    | GHSA-r7w7-9xr2-qq2r | ≥ 1.1.14    | ⚠️ Blocked by conflict |
| langchain-text-splitters | 0.3.11    | GHSA-fv5p-p927-qmxr | ≥ 1.1.2     | ⚠️ Blocked by conflict |

Why this cannot be auto-fixed

All three fixes require upgrading from the langchain 0.x to langchain 1.x ecosystem. This upgrade causes an unresolvable numpy version conflict:

Upgrade chain:

  1. langchain-core ≥ 1.2.31 → requires langchain-neo4j ≥ 0.6.0 (first version supporting langchain-core 1.x)
  2. langchain-neo4j ≥ 0.6.0 → requires neo4j-graphrag ≥ 1.9.0
  3. neo4j-graphrag ≥ 1.9.0 → requires numpy ≥ 2.0.0
  4. langchain-graphrag 0.0.9 (already in deps) → requires graspologic ≥ 3.4.1
  5. graspologic ≥ 3.4.1 (all versions including 3.4.3, 3.4.4) → requires numpy < 2.0.0

numpy ≥ 2.0.0 and numpy < 2.0.0 cannot be satisfied simultaneously; uv lock fails with an unsatisfiable constraint error.

Root cause

langchain-graphrag depends on graspologic, which has not yet released a version compatible with numpy ≥ 2.0.0. A pre-release (graspologic 3.4.5.dev2) may fix this, but pre-releases are not appropriate for production dependencies.

Recommended next steps

  1. Monitor graspologic for a stable release with numpy ≥ 2.0.0 support (track graspologic releases)
  2. Consider langchain-graphrag alternatives that don't depend on graspologic, if any emerge
  3. Manually review whether the SSRF vulnerabilities in langchain-openai and langchain-text-splitters are exploitable in this codebase's usage patterns (they involve URL fetching that may not be used)
  4. Once graspologic supports numpy ≥ 2.0.0, re-run aieng-bot to apply all fixes automatically

This PR will not be auto-merged until the vulnerability conflict is resolved.

@amrit110 (Member) commented:

Security Vulnerabilities — Fix Creates Unsatisfiable Dependency Conflict

aieng-bot found the following security vulnerabilities reported by pip-audit. Patched versions exist on PyPI, but applying them creates an irreconcilable dependency conflict in this project.

| Package                  | Version | Vulnerability       | Fix Version |
|--------------------------|---------|---------------------|-------------|
| langchain-core           | 0.3.84  | CVE-2026-34070      | >=1.2.31    |
| langchain-openai         | 0.3.35  | GHSA-r7w7-9xr2-qq2r | >=1.1.14    |
| langchain-text-splitters | 0.3.11  | GHSA-fv5p-p927-qmxr | >=1.1.2     |

Why this cannot be auto-fixed

All three fixes require bumping to LangChain 1.x (langchain-core >= 1.2.31). However, this creates an irreconcilable numpy version conflict:

  1. langchain-core >= 1.2.31 requires langchain-neo4j >= 0.6.0 (older versions only support langchain-core 0.3.x)
  2. langchain-neo4j >= 0.6.0 requires neo4j-graphrag >= 1.9.0
  3. neo4j-graphrag >= 1.9.0 requires numpy >= 2.0.0 (for Python 3.9–3.12)
  4. langchain-graphrag >= 0.0.9 (already in dependencies) requires graspologic >= 3.4.1
  5. graspologic >= 3.4.1 requires numpy < 2.0.0

There is no version combination of these packages that satisfies both numpy >= 2.0.0 and numpy < 2.0.0 simultaneously.

Dependency chain visualization

langchain-core>=1.2.31
    → langchain-neo4j>=0.6.0
        → neo4j-graphrag>=1.9.0
            → numpy>=2.0.0  ❌ CONFLICT

langchain-graphrag>=0.0.9
    → graspologic>=3.4.1
        → numpy<2.0.0   ❌ CONFLICT

Recommended next steps

  1. Wait for upstream resolution: Either graspologic needs to add support for numpy >= 2.0.0, or langchain-graphrag needs to drop/update the graspologic dependency
  2. Alternative: Consider whether langchain-graphrag can be replaced with an alternative that doesn't require graspologic
  3. Temporary workaround: If the vulnerabilities are considered low-risk in this context, they can be added to the ignore-vulns list in the CI workflow with documented justification (requires human review and approval)

This PR cannot be auto-merged until the dependency conflict is resolved upstream.

@amrit110 (Member) commented:

Security Vulnerability — Cannot Auto-Fix Due to Dependency Conflict

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot apply the fixes automatically because they require a major version upgrade of the langchain ecosystem that creates an irresolvable dependency conflict.

Vulnerabilities Found

| Package                  | Version | Vulnerability       | Fix Version |
|--------------------------|---------|---------------------|-------------|
| langchain-core           | 0.3.84  | CVE-2026-34070      | 1.2.21+     |
| langchain-openai         | 0.3.35  | GHSA-r7w7-9xr2-qq2r | 1.1.14      |
| langchain-text-splitters | 0.3.11  | GHSA-fv5p-p927-qmxr | 1.1.2       |

Why This Cannot Be Auto-Fixed

The fixes require upgrading langchain-core from 0.3.x → 1.2.31+. However, doing so causes an irresolvable dependency conflict:

  • langchain-core ≥ 1.x requires langchain-neo4j ≥ 0.6.0
  • langchain-neo4j ≥ 0.6.0 requires neo4j-graphrag ≥ 1.9.0
  • neo4j-graphrag ≥ 1.9.0 requires numpy ≥ 2.0.0
  • langchain-graphrag 0.0.9 (also in the project) requires graspologic ≥ 3.4.1
  • graspologic ≥ 3.4.1 requires numpy < 2.0.0

numpy < 2.0 and numpy ≥ 2.0 are mutually exclusive. No combination of package versions can satisfy both constraints simultaneously. graspologic does not yet support numpy 2.0.

Recommended Next Steps

  1. Wait for graspologic to release numpy 2.x support — once graspologic ≥ 3.4.5 (or similar) drops the numpy<2.0 upper bound, aieng-bot can apply the fixes automatically on the next run.
  2. Evaluate removing langchain-graphrag — if GraphRAG functionality can be replaced or is unused, removing this package would unblock the langchain 1.x upgrade.
  3. Temporarily add pip-audit ignore entries for these CVEs/GHSAs (requires human review and justification) while awaiting an upstream fix.

This PR will not be auto-merged until the vulnerability is resolved.

Investigated by aieng-bot on 2026-04-25

@amrit110 (Member) commented:

Security Vulnerabilities — Cannot Be Auto-Fixed (Dependency Conflict)

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because applying the patches creates an irresolvable dependency conflict:

| Package                  | Version | Vulnerability       | Fix Version | Status              |
|--------------------------|---------|---------------------|-------------|---------------------|
| langchain-core           | 0.3.84  | CVE-2026-34070      | >=1.2.21    | Blocked (see below) |
| langchain-openai         | 0.3.35  | GHSA-r7w7-9xr2-qq2r | >=1.1.14    | Blocked (see below) |
| langchain-text-splitters | 0.3.11  | GHSA-fv5p-p927-qmxr | >=1.1.2     | Blocked (see below) |

Why this cannot be auto-fixed: Dependency Conflict

All three fixes require bumping langchain-core to >=1.2.31. However, this creates an irresolvable numpy version conflict:

langchain-core >= 1.2.31
  → langchain-neo4j >= 0.6.0 (needed for langchain-core 1.x support)
    → neo4j-graphrag >= 1.9.0
      → neo4j-graphrag >= 1.10.0 (needed since 1.9.x requires pypdf < 6.0.0, conflicts with pypdf >= 6.10.2)
        → numpy >= 2.0.0

langchain-graphrag >= 0.0.9  (latest version)
  → graspologic >= 3.4.1  (latest stable)
    → numpy < 2.0.0   ← CONFLICT

There is no combination of package versions that satisfies both numpy >= 2.0.0 (needed for neo4j-graphrag ≥ 1.10.0) and numpy < 2.0.0 (required by graspologic ≤ 3.4.4, the latest stable).

What's needed to unblock this

The conflict will resolve when one of the following happens:

  1. graspologic releases a version that supports numpy >= 2.0.0 (pre-release 3.4.5.dev2 exists but isn't stable yet)
  2. langchain-graphrag releases a version that drops or updates its graspologic dependency
  3. Human decision to remove langchain-graphrag from this project's dependencies if it's not essential

Once any of the above is resolved, aieng-bot can re-run and apply the security updates automatically.

This PR will not be auto-merged. The vulnerability requires human review to resolve the upstream dependency conflict.
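Two things in this thread fit naturally into one workflow file: the setup-uv 8.1.0 release note above (the new no-project input, which only matters together with activate-environment: true and makes the action run `uv venv --no-project`), and the bot comments' repeated suggestion that any advisory left unpatched because of the numpy conflict be carried as a pip-audit ignore entry with a written justification. The workflow below is an added example, not this project's own CI file and not code from astral-sh/setup-uv or from aieng-bot. It assumes a requirements.txt at the repository root, a pyproject.toml that uv cannot fully parse (the exact case no-project was added for), and uv 0.11.7 as the uv release to install; the job name, step layout and the expiry comment on the ignored advisory are choices made here. The compare link on this page shows only abbreviated commits (cec2083...0880764), and a `uses:` pin needs the full 40-character SHA, which the page does not show, so the example references the v8.1.0 tag and marks where the SHA pin belongs.

```yaml
# Added example workflow (not the project's own CI, not part of astral-sh/setup-uv).
# Assumed: requirements.txt at the repo root; a pyproject.toml uv cannot fully parse.
name: audit
on: [push, pull_request]

permissions:
  contents: read            # the job only reads the checkout; no write scopes granted

jobs:
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Supply-chain hygiene: pin third-party actions to the full 40-character commit
      # SHA with the version kept as a trailing comment (Dependabot still bumps it).
      # This page shows only abbreviated SHAs (cec2083...0880764), so the tag is used here.
      - uses: astral-sh/setup-uv@v8.1.0
        with:
          version: "0.11.7"              # explicit uv release; the action checks it against its known checksums
          activate-environment: true     # create .venv and activate it for the following steps
          no-project: true               # new in 8.1.0: runs `uv venv --no-project`, so the
                                         # unparseable pyproject.toml is never read by uv

      - name: Install pinned requirements into the activated venv
        run: uv pip install -r requirements.txt

      # Audit the requirements file rather than the live environment, and fail the job
      # on any finding or warning (--strict). An --ignore-vuln entry is the documented
      # exception the bot comments describe: it belongs here only after human review,
      # with the reason and a removal date written next to it.
      - name: Audit dependencies
        run: |
          uvx pip-audit --strict --desc -r requirements.txt \
            --ignore-vuln GHSA-r7w7-9xr2-qq2r  # placeholder entry: record why it does not apply and when it is removed
```

The ignore line is shown for its shape only; the advisory ID is the one from the bot reports, and whether it is actually unreachable in this codebase is the human review the comments ask for, not something the workflow decides. Keeping `permissions` at `contents: read` is deliberate: an audit job needs nothing else, and a compromised action or transitive tool gains no write token from it.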

Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 8.0.0 to 8.1.0.
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@cec2083...0880764)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@amrit110 amrit110 force-pushed the dependabot/github_actions/astral-sh/setup-uv-8.1.0 branch from 91f3750 to e1c3b01 on April 27, 2026 00:53
@amrit110 amrit110 merged commit 5b2d45d into main Apr 27, 2026
7 checks passed
@amrit110 amrit110 deleted the dependabot/github_actions/astral-sh/setup-uv-8.1.0 branch April 27, 2026 00:55