Fix critical and high severity Dependabot vulnerabilities #70
Merged
Conversation
Upgrade langchain ecosystem to 0.3.x to fix CVE-2025-68664 (CVSS 9.3 Critical - serialization injection allowing secret extraction and arbitrary code execution):
- langchain: 0.0.353 → >=0.3.0,<0.4.0
- langchain-core: 0.1.4 → >=0.3.81,<0.4.0
- langchain-community: 0.0.7 → >=0.3.0,<0.4.0

Upgrade tqdm to fix CVE-2024-34062 (High - CLI arguments injection via eval()):
- tqdm: 4.66.1 → >=4.66.3

Code changes for langchain 0.3.x compatibility:
- langchain_integration.py: Use langchain_community.chat_models (models moved from langchain.chat_models), support Pydantic v2 field introspection (model_fields/annotation) with v1 fallback
- chat_clients.py: Import messages from langchain_core.messages instead of deprecated langchain.schema
- rag_poisoning.py: Import Document from langchain_core.documents instead of deprecated langchain.schema
- test_chat_clients.py: Import Field from pydantic instead of deprecated langchain_core.pydantic_v1

Also align setup.py python_requires to >=3.9 matching pyproject.toml (langchain 0.3.x requires Python 3.9+).

All 93 tests pass.

https://claude.ai/code/session_01CDFqeg5QhB4V7yQ3yVVBc9
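The v2-first, v1-fallback field introspection that the description mentions for langchain_integration.py, as an added example in Python that is not the PR's own code. The names introspect_fields, type_name, describe_params and the Fake*ChatModel classes are assumed; the stand-in classes are constructed to mimic the two Pydantic APIs so the snippet runs without pydantic installed.

```python
from typing import Any, Dict, Optional, Union, get_args, get_origin


def introspect_fields(model_cls: type) -> Dict[str, Dict[str, Any]]:
    """Map field name -> {"annotation", "required"} for a Pydantic model class.
    v2 exposes ``model_fields`` (FieldInfo: .annotation, .is_required()); v1 exposes
    ``__fields__`` (ModelField: .outer_type_, .required). v2 first, v1 as fallback."""
    if hasattr(model_cls, "model_fields"):  # v2: attribute exists even when empty
        return {n: {"annotation": f.annotation, "required": f.is_required()}
                for n, f in model_cls.model_fields.items()}
    if hasattr(model_cls, "__fields__"):  # v1 fallback
        return {n: {"annotation": f.outer_type_, "required": bool(f.required)}
                for n, f in model_cls.__fields__.items()}
    raise TypeError(f"{model_cls!r} does not look like a Pydantic model class")


def type_name(annotation: Any) -> str:
    """Short display name; Optional[X] renders as 'X | None'."""
    if get_origin(annotation) is Union:
        args = get_args(annotation)
        inner = [a for a in args if a is not type(None)]
        if len(args) == 2 and len(inner) == 1:
            return f"{type_name(inner[0])} | None"
    return getattr(annotation, "__name__", repr(annotation))


def describe_params(model_cls: type) -> Dict[str, str]:
    """Hypothetical helper: {"field": "Type (required|optional)"} for display."""
    return {n: f"{type_name(m['annotation'])} ({'required' if m['required'] else 'optional'})"
            for n, m in introspect_fields(model_cls).items()}


# Constructed stand-ins mimicking the two Pydantic APIs, so this runs without
# pydantic installed; real BaseModel subclasses take the same code paths.
class _V2FieldInfo:
    def __init__(self, annotation: Any, required: bool) -> None:
        self.annotation, self._required = annotation, required

    def is_required(self) -> bool:
        return self._required

class _V1ModelField:
    def __init__(self, outer_type_: Any, required: bool) -> None:
        self.outer_type_, self.required = outer_type_, required

class FakeV2ChatModel:  # shaped like a Pydantic v2 chat-model class
    model_fields = {"model_name": _V2FieldInfo(str, True),
                    "temperature": _V2FieldInfo(Optional[float], False)}

class FakeV1ChatModel:  # shaped like a Pydantic v1 chat-model class
    __fields__ = {"model_name": _V1ModelField(str, True),
                  "temperature": _V1ModelField(Optional[float], False)}
```

Because the v2 check keys on the presence of `model_fields` rather than on it being non-empty, a v2 model with no fields never falls through to the deprecated `__fields__` shim.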
@baz review
Generated description
Below is a concise technical summary of the changes proposed in this PR:
Upgrades the LangChain ecosystem and tqdm to resolve critical security vulnerabilities while ensuring compatibility with Pydantic v2 and newer Python versions. Updates internal imports and introspection logic within the chat client and integration modules to support the migrated LangChain 0.3.x architecture.
- langchain.schema to langchain_core and update get_langchain_chat_models_info to support both Pydantic v1 and v2 field introspection. (Modified files: 4)
- langchain, langchain-core, langchain-community, and tqdm to versions that mitigate known CVEs and update python_requires to 3.9. (Modified files: 2)