From 77da4c85fd2ed697a727f2c8ce0e459de1a0d0b3 Mon Sep 17 00:00:00 2001
From: Sumit Jaiswal
Date: Mon, 13 Oct 2025 23:58:55 +0530
Subject: [PATCH 1/3] fix CVE-2025-6985 for XXE Vulnerability in langchain-text-splitters

---
 pyproject.toml | 1 +
 requirements-aarch64.txt | 7 ++++---
 requirements-x86_64.txt | 7 ++++---
 requirements.in | 2 ++
 4 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 0f661544e..de930d502 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -30,6 +30,7 @@ dependencies = [
 'jinja2~=3.1.6',
 'langchain~=0.3.10',
 'langchain-ollama~=0.3.5',
+ 'langchain-text-splitters~=0.3.11',
 'launchdarkly-server-sdk~=8.3.0',
 'llama-stack-client>=0.2.12',
 'protobuf~=5.29.5',
diff --git a/requirements-aarch64.txt b/requirements-aarch64.txt
index 9545cfb1e..58ec652fd 100644
--- a/requirements-aarch64.txt
+++ b/requirements-aarch64.txt
@@ -253,15 +253,16 @@ jwcrypto==1.5.6
 # django-oauth-toolkit
 langchain==0.3.26
 # via -r requirements.in
-langchain-core==0.3.69
+langchain-core==0.3.79
 # via
 # langchain
 # langchain-ollama
 # langchain-text-splitters
 langchain-ollama==0.3.5
 # via -r requirements.in
-langchain-text-splitters==0.3.8
- # via langchain
+langchain-text-splitters==0.3.11
+ # via
+ # langchain
 langsmith==0.4.8
 # via
 # langchain
diff --git a/requirements-x86_64.txt b/requirements-x86_64.txt
index 87d0f6887..1bd17c502 100644
--- a/requirements-x86_64.txt
+++ b/requirements-x86_64.txt
@@ -253,15 +253,16 @@ jwcrypto==1.5.6
 # django-oauth-toolkit
 langchain==0.3.26
 # via -r requirements.in
-langchain-core==0.3.69
+langchain-core==0.3.79
 # via
 # langchain
 # langchain-ollama
 # langchain-text-splitters
 langchain-ollama==0.3.5
 # via -r requirements.in
-langchain-text-splitters==0.3.8
- # via langchain
+langchain-text-splitters==0.3.11
+ # via
+ # langchain
 langsmith==0.4.8
 # via
 # langchain
diff --git a/requirements.in b/requirements.in
index 384d22682..c6c53dd88 100644
--- a/requirements.in
+++ b/requirements.in
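Review bot: The new `'langchain-text-splitters~=0.3.11'` line in the pyproject.toml hunk gives no hint that it is a security floor rather than a feature dependency, whereas the parallel addition in requirements.in records the CVE; a later cleanup of "unused direct dependencies" could remove it and let the resolver fall back to a pre-fix transitive version once nothing else pins it. Suggest mirroring the rationale above the entry, e.g. `# CVE-2025-6985 (XXE in langchain-text-splitters): direct pin so the resolver cannot select <0.3.9`. It is also worth stating in the commit message whether the project itself imports the affected splitter or whether the pin only clears the audit finding for a transitive dependency of langchain, since that determines how urgently the pin must be kept once langchain raises its own floor. The `dependencies = [` array starts outside the hunk.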
@@ -47,6 +47,8 @@ jinja2==3.1.6
 jsonpickle==3.3.0
 langchain==0.3.26
 langchain-ollama==0.3.5
+# CVE-2025-6985: XXE Vulnerability fixed in 0.3.9+
+langchain-text-splitters==0.3.11
 launchdarkly-server-sdk==8.3.0
 llama-stack-client>=0.2.12
 protobuf==5.29.5

From 7efc57c7c86c8216a72cc10a9ce82965e61115eb Mon Sep 17 00:00:00 2001
From: Sumit Jaiswal
Date: Tue, 14 Oct 2025 11:30:39 +0530
Subject: [PATCH 2/3] update n skip pip-audit social-auth-app-django vulnerability issue

---
 .github/workflows/pip_audit.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/pip_audit.yml b/.github/workflows/pip_audit.yml
index a06b4f97c..eef23aaa2 100644
--- a/.github/workflows/pip_audit.yml
+++ b/.github/workflows/pip_audit.yml
@@ -68,3 +68,6 @@ jobs:
 # pip 25.3 is not released yet
 # See: https://github.com/advisories/GHSA-4xh5-x5gv-qwph
 GHSA-4xh5-x5gv-qwph
+ # To remove once we upgrade to Django 5+ (requires major version upgrade)
+ # social-auth-app-django vulnerability requires Django>=5.1
+ GHSA-wv4w-6qv2-qqfg

From 423887c57c2c26b47441fa6ee617fdd8f4669fc4 Mon Sep 17 00:00:00 2001
From: Sumit Jaiswal
Date: Tue, 14 Oct 2025 11:36:54 +0530
Subject: [PATCH 3/3] fix pip compile

---
 requirements-aarch64.txt | 1 +
 requirements-x86_64.txt | 1 +
 2 files changed, 2 insertions(+)

diff --git a/requirements-aarch64.txt b/requirements-aarch64.txt
index 58ec652fd..1859cae1f 100644
--- a/requirements-aarch64.txt
+++ b/requirements-aarch64.txt
@@ -262,6 +262,7 @@ langchain-ollama==0.3.5
 # via -r requirements.in
 langchain-text-splitters==0.3.11
 # via
+ # -r requirements.in
 # langchain
 langsmith==0.4.8
 # via
diff --git a/requirements-x86_64.txt b/requirements-x86_64.txt
index 1bd17c502..06432aace 100644
--- a/requirements-x86_64.txt
+++ b/requirements-x86_64.txt
@@ -262,6 +262,7 @@ langchain-ollama==0.3.5
 # via -r requirements.in
 langchain-text-splitters==0.3.11
 # via
+ # -r requirements.in
 # langchain
 langsmith==0.4.8
 # via
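Review bot: The new `GHSA-wv4w-6qv2-qqfg` suppression in the pip_audit.yml hunk has no advisory link and nothing that will resurface it, unlike the entry above it which carries `# See: https://github.com/advisories/GHSA-4xh5-x5gv-qwph`; an ignored advisory stays ignored on every future audit run, so the "To remove once we upgrade to Django 5+" intent depends entirely on someone remembering. Suggest adding `# See: https://github.com/advisories/GHSA-wv4w-6qv2-qqfg` and a tracking reference such as `# Tracking: <ISSUE-URL placeholder>` next to the comment, and recording in the commit message the basis for accepting the finding in the meantime (e.g. whether the affected code path is reachable in this deployment), since that is the information the next reviewer of this list will need. The comment reads as though the patched social-auth-app-django release requires Django>=5.1 rather than the vulnerability itself; if so, rewording it as `# fixed release requires Django>=5.1` avoids the ambiguity. The enclosing step and the mechanism that consumes these IDs start outside the hunk, so whether they feed `--ignore-vuln` or a config file cannot be confirmed from here.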