From 953c7c386401b076d889384836378594b8360709 Mon Sep 17 00:00:00 2001
From: Cory Bullinger
Date: Wed, 11 Feb 2026 16:39:49 -0500
Subject: [PATCH 1/2] fix: bump langchain-core and pillow for security fixes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- langchain-core: 1.2.9 → 1.2.11 (CVE-2026-26013 fix per Dependabot alert #25)
- pillow: 12.1.0 → 12.1.1 (CVE-2026-25990 fix per Dependabot alert #26)
---
 mflix/server/python-fastapi/requirements.in | 2 ++
 mflix/server/python-fastapi/requirements.txt | 14 +++++++++-----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/mflix/server/python-fastapi/requirements.in b/mflix/server/python-fastapi/requirements.in
index c50a667..baf2bf5 100644
--- a/mflix/server/python-fastapi/requirements.in
+++ b/mflix/server/python-fastapi/requirements.in
@@ -64,3 +64,5 @@ rich-toolkit~=0.15.1 # Extensions for the 'rich' library
 filelock>=3.20.3 # Transitive dep via huggingface-hub
 aiohttp>=3.13.3 # Transitive dep via voyageai
 orjson>=3.11.7 # Transitive dep via langsmith (CVE fix)
+langchain-core>=1.2.11 # Transitive dep via langchain-text-splitters (CVE-2026-26013 fix)
+pillow>=12.1.1 # Transitive dep via voyageai (CVE-2026-25990 fix)
diff --git a/mflix/server/python-fastapi/requirements.txt b/mflix/server/python-fastapi/requirements.txt
index 29e4311..9082a76 100644
--- a/mflix/server/python-fastapi/requirements.txt
+++ b/mflix/server/python-fastapi/requirements.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.13
 # by the following command:
 #
-# pip-compile requirements.in
+# pip-compile --output-file=requirements.txt requirements.in
 #
 aiohappyeyeballs==2.6.1
 # via aiohttp
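Review bot: The two floors added at the end of requirements.in (`langchain-core>=1.2.11`, `pillow>=12.1.1`) turn packages that their own comments describe as transitive into direct requirements; the regenerated lockfile in this patch now records `-r requirements.in` as a source for both. That holds the patched versions in place, but nothing marks when the override stops being needed, so the entries will stay after langchain-text-splitters and voyageai require the fixed releases themselves. Consider keeping security floors in a separate constraints file referenced with `-c`, or extend each comment with its removal condition, e.g. `# remove once voyageai requires pillow>=12.1.1`. The `requests>=2.33.0` line added in PATCH 2/2 follows the same pattern.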
@@ -99,8 +99,10 @@ jsonpatch==1.33
 # via langchain-core
 jsonpointer==3.0.0
 # via jsonpatch
-langchain-core==1.2.9
- # via langchain-text-splitters
+langchain-core==1.2.11
+ # via
+ # -r requirements.in
+ # langchain-text-splitters
 langchain-text-splitters==1.1.0
 # via voyageai
 langsmith==0.6.9
@@ -125,8 +127,10 @@ packaging==26.0
 # langchain-core
 # langsmith
 # pytest
-pillow==12.1.0
- # via voyageai
+pillow==12.1.1
+ # via
+ # -r requirements.in
+ # voyageai
 pluggy==1.6.0
 # via pytest
 propcache==0.4.1
From 0447a8a35fe6c42b3f42b22f0a8ed6c3ac07f902 Mon Sep 17 00:00:00 2001
From: Cory Bullinger
Date: Thu, 26 Mar 2026 12:14:59 -0400
Subject: [PATCH 2/2] chore: update dependencies to address Dependabot alert 28

---
 mflix/server/python-fastapi/requirements.in | 1 +
 mflix/server/python-fastapi/requirements.txt | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/mflix/server/python-fastapi/requirements.in b/mflix/server/python-fastapi/requirements.in
index baf2bf5..d46b4d9 100644
--- a/mflix/server/python-fastapi/requirements.in
+++ b/mflix/server/python-fastapi/requirements.in
@@ -66,3 +66,4 @@ aiohttp>=3.13.3 # Transitive dep via voyageai
 orjson>=3.11.7 # Transitive dep via langsmith (CVE fix)
 langchain-core>=1.2.11 # Transitive dep via langchain-text-splitters (CVE-2026-26013 fix)
 pillow>=12.1.1 # Transitive dep via voyageai (CVE-2026-25990 fix)
+requests>=2.33.0 # Transitive dep via langsmith/voyageai (CVE-2026-25645 fix)
diff --git a/mflix/server/python-fastapi/requirements.txt b/mflix/server/python-fastapi/requirements.txt
index 9082a76..585daa3 100644
--- a/mflix/server/python-fastapi/requirements.txt
+++ b/mflix/server/python-fastapi/requirements.txt
@@ -171,8 +171,9 @@ pyyaml==6.0.3
 # huggingface-hub
 # langchain-core
 # uvicorn
-requests==2.32.5
+requests==2.33.0
 # via
+ # -r requirements.in
 # langsmith
 # requests-toolbelt
 # voyageai
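Review bot: The comment on the added `requests>=2.33.0` line in requirements.in (PATCH 2/2) names only langsmith and voyageai as parents, while the lockfile hunk of the same patch also lists `requests-toolbelt` under `requests`. Anyone later checking whether the floor can be dropped has to look at all three, so the comment should read `# Transitive dep via langsmith/requests-toolbelt/voyageai (CVE-2026-25645 fix)`. The commit subject cites only the Dependabot alert number, so this comment is the one place in the patch that carries the CVE id and is worth keeping accurate.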