Skip to content

Fix security vulnerabilities in langchain-core and requests#1

Open
samuBe wants to merge 2 commits into
mainfrom
fix/security-vulnerabilities
Open

Fix security vulnerabilities in langchain-core and requests#1
samuBe wants to merge 2 commits into
mainfrom
fix/security-vulnerabilities

Conversation

@samuBe

@samuBe samuBe commented Mar 28, 2026

Copy link
Copy Markdown
Owner

Summary

  • Upgrade langchain-core from 0.2.0 to 1.2.22 to fix CVE-2026-34070 (Path Traversal vulnerability, HIGH severity)
  • Upgrade requests from 2.31.0 to 2.33.0 to fix CVE-2026-25645 (Insecure Temp File Reuse, MEDIUM severity)
  • Upgrade companion langchain packages for compatibility: langchain 1.2.13, langchain-community 0.4.1, langchain-text-splitters 1.1.1
  • Update main.py imports: remove unused LLMChain import (removed in langchain 1.x), move CommaSeparatedListOutputParser to langchain_core.output_parsers

Security Advisories

CVE Package Severity Description
CVE-2026-34070 langchain-core HIGH Path Traversal in legacy load_prompt functions
CVE-2026-25645 requests MEDIUM Insecure Temp File Reuse in extract_zipped_paths()

Test plan

  • Verify the app starts without import errors (streamlit run main.py)
  • Verify city search and landmark generation still works
  • Verify route generation with the updated langchain LCEL chains
  • Confirm Dependabot alerts are resolved after merge

🤖 Generated with Claude Code

samuBe and others added 2 commits March 28, 2026 16:23
…ities

- langchain-core 0.2.0 -> 1.2.22 (CVE-2026-34070, path traversal, HIGH)
- langchain 0.2.0 -> 1.2.13 (compatibility with new langchain-core)
- langchain-community 0.2.0 -> 0.4.1 (compatibility)
- langchain-text-splitters 0.2.0 -> 1.1.1 (compatibility)
- requests 2.31.0 -> 2.33.0 (CVE-2026-25645, insecure temp file, MEDIUM)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove unused LLMChain import (removed in langchain 1.x)
- Move CommaSeparatedListOutputParser import to langchain_core.output_parsers

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant