From a967011e29bd0cea90c220d82dd4a6fca22cbdd7 Mon Sep 17 00:00:00 2001
From: Cory Bullinger
Date: Wed, 24 Jun 2026 08:35:25 -0400
Subject: [PATCH] fix: upgrade undici and langsmith to address security vulnerabilities

Updates undici (transitive via jsdom) to >=7.28.0 and langsmith to >=0.8.18 to resolve 7 open Dependabot alerts (#94-#101).

Co-authored-by: Cursor
---
 frameworks/javascript/tanstack/app/package-lock.json | 8 ++++----
 frameworks/javascript/tanstack/app/package.json | 1 +
 mflix/server/python-fastapi/requirements.in | 2 +-
 mflix/server/python-fastapi/requirements.txt | 6 +++++-
 4 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/frameworks/javascript/tanstack/app/package-lock.json b/frameworks/javascript/tanstack/app/package-lock.json
index 5bdd500..3e2e6d3 100644
--- a/frameworks/javascript/tanstack/app/package-lock.json
+++ b/frameworks/javascript/tanstack/app/package-lock.json
@@ -4590,13 +4590,13 @@
 "license": "MIT"
 },
 "node_modules/undici": {
- "version": "7.24.6",
- "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.6.tgz",
- "integrity": "sha512-Xi4agocCbRzt0yYMZGMA6ApD7gvtUFaxm4ZmeacWI4cZxaF6C+8I8QfofC20NAePiB/IcvZmzkJ7XPa471AEtA==",
+ "version": "8.5.0",
+ "resolved": "https://registry.npmjs.org/undici/-/undici-8.5.0.tgz",
+ "integrity": "sha512-xamtWoB1EshgjpmlXd7GGm2VfdDtw1+rD8uhry8pSNW3If6S8E0m2T2+orSKeZXEn/aPJMviCpDBA65WJt8zhg==",
 "dev": true,
 "license": "MIT",
 "engines": {
- "node": ">=20.18.1"
+ "node": ">=22.19.0"
 }
 },
 "node_modules/undici-types": {
diff --git a/frameworks/javascript/tanstack/app/package.json b/frameworks/javascript/tanstack/app/package.json
index b724aff..8d6c83c 100644
--- a/frameworks/javascript/tanstack/app/package.json
+++ b/frameworks/javascript/tanstack/app/package.json
@@ -62,6 +62,7 @@
 "postcss": ">=8.5.10",
 "launch-editor": ">=2.14.1",
 "shell-quote": ">=1.8.4",
+ "undici": ">=7.28.0",
 "ws": ">=8.20.1"
 }
 }
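Review bot: The override added on the `"undici"` line in package.json has no upper bound (`>=7.28.0`), and the package-lock.json hunk in this same commit shows it resolving to 8.5.0, whose `engines` entry now requires `"node": ">=22.19.0"` instead of `>=20.18.1`; on a Node 20 toolchain npm will at least emit an EBADENGINE warning and, with `engine-strict` or a runtime dependence on Node 22 APIs, the jsdom-based dev tooling may fail. The commit message states the intended floor as `>=7.28.0`, so if staying on the 7.x line was the goal, `"undici": "^7.28.0",` keeps the fix while excluding the major bump; otherwise the app's Node floor and CI images should be raised to match what the lockfile now requires. The enclosing object (presumably `overrides`) starts outside the hunk, so it is not visible here whether an `engines` field is declared for this package. Per the lockfile the package is `"dev": true`, so the exposure is limited to the development and test toolchain rather than production code.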
diff --git a/mflix/server/python-fastapi/requirements.in b/mflix/server/python-fastapi/requirements.in
index 2757c1f..263ba1b 100644
--- a/mflix/server/python-fastapi/requirements.in
+++ b/mflix/server/python-fastapi/requirements.in
@@ -65,7 +65,7 @@ filelock>=3.20.3 # Transitive dep via huggingface-hub
 aiohttp>=3.14.1 # CVE-2026-54273 / GHSA-4fvr-rgm6-gqmc (pipelined request queue)
 orjson>=3.11.7 # Transitive dep via langsmith (CVE fix)
 langchain-core>=1.4.0 # Transitive dep via langchain-text-splitters (Dependabot #63)
-langsmith>=0.8.5 # Transitive dep via langchain-core (Dependabot #68)
+langsmith>=0.8.18 # Transitive dep via langchain-core (Dependabot #101, GHSA-f4xh-w4cj-qxq8)
 langchain-text-splitters>=1.1.2 # Transitive dep via langchain (CVE-2026-41481)
 pygments>=2.20.0 # Transitive dep via rich/pytest (CVE-2026-4539)
 pillow>=12.2.0 # Transitive dep via voyageai (Pillow 12.2.0 security fixes)
diff --git a/mflix/server/python-fastapi/requirements.txt b/mflix/server/python-fastapi/requirements.txt
index 06dc01d..54f3726 100644
--- a/mflix/server/python-fastapi/requirements.txt
+++ b/mflix/server/python-fastapi/requirements.txt
@@ -1,7 +1,9 @@
+#
 # This file is autogenerated by pip-compile with Python 3.13
 # by the following command:
 #
 # pip-compile --no-annotate --output-file=requirements.txt --strip-extras requirements.in
+#
 aiohappyeyeballs==2.6.2
 aiohttp==3.14.1
 aiolimiter==1.2.1
@@ -13,6 +15,7 @@ attrs==26.1.0
 certifi==2026.5.20
 charset-normalizer==3.4.7
 click==8.4.1
+distro==1.9.0
 dnspython==2.8.0
 email-validator==2.3.0
 fastapi==0.136.3
@@ -36,7 +39,7 @@ jsonpointer==3.1.1
 langchain-core==1.4.0
 langchain-protocol==0.0.16
 langchain-text-splitters==1.1.2
-langsmith==0.8.9
+langsmith==0.9.1
 markdown-it-py==4.2.0
 mdurl==0.1.2
 multidict==6.7.1
@@ -62,6 +65,7 @@ rich-toolkit==0.15.1
 rignore==0.7.6
 sentry-sdk==2.42.1
 shellingham==1.5.4
+sniffio==1.3.1
 starlette==1.3.1
 tenacity==9.1.4
 tokenizers==0.23.1