To address and fix CVE-2025-6985 for XXE Vulnerability in langchain-text-splitters

[justjais]

Jira Issue: https://issues.redhat.com/browse/AAP-55293; https://issues.redhat.com/browse/AAP-55295;

Description

To address and fix CVE-2025-6985 for XXE Vulnerability in langchain-text-splitters, and its dependency over langchain-core, resulted in its upgrade as well.

Testing

Steps to test

NA

Scenarios tested

NA

Production deployment

• This code change is ready for production on its own
• This code change requires the following considerations before going to production:

---

Note

Upgrades langchain-text-splitters to 0.3.11 (and langchain-core to 0.3.79) across requirements and adds a pip-audit ignore for a social-auth-app-django advisory.

• Dependencies:
  • Add langchain-text-splitters~=0.3.11 to pyproject.toml.
  • Pin langchain-text-splitters==0.3.11 in requirements.in (notes CVE-2025-6985).
  • Regenerate platform locks: bump langchain-core to 0.3.79 and langchain-text-splitters to 0.3.11 in requirements-aarch64.txt and requirements-x86_64.txt.
• CI:
  • Update .github/workflows/pip_audit.yml to ignore GHSA-wv4w-6qv2-qqfg (social-auth-app-django; pending Django 5+).

^{Written by Cursor Bugbot for commit 423887c. This will update automatically on new commits. Configure here.}

[justjais]

Added to avoid upgrading the social-auth-app-django version as it requires Django version upgrade to 5+ which isn't the scope for respective jiras

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[justjais]

Needed to update langchain-core, as langchain-text-splitters==0.3.11 has dependency over langchain-core version as:>=0.3.75.

[hasys]

Looks good to me, thank you @justjais