
fix: patch 4 security alerts (urllib3 high+medium)#171

Merged

John Kennedy (jkennedyvz) merged 1 commit into main from fix/security-alerts-2026-02-28 on Feb 28, 2026

Conversation

@jkennedyvz
Contributor

Security Alert Patch

Resolves 4 Dependabot security alerts (3 high, 1 medium) by bumping langchain-tests which transitively upgrades vcrpy and eliminates the vulnerable urllib3 1.x lockfile entry.

Packages Updated

| Package | Old Constraint | New Constraint | Strategy | CVEs Resolved |
|---|---|---|---|---|
| langchain-tests | 1.0.0 | 1.1.5 | Parent bump | CVE-2026-21441, CVE-2025-66471, CVE-2025-66418, CVE-2025-50181 |

Root cause: langchain-tests 1.0.0 pinned vcrpy >=7,<8, and vcrpy 7.0.0 had a hard urllib3 <2 dependency for PyPy. This forced the lockfile to include vulnerable urllib3 1.26.20 alongside the patched 2.6.3.

Fix: langchain-tests 1.1.5 requires vcrpy >=8,<9. vcrpy 8.x dropped the urllib3 <2 constraint, so the lockfile now resolves to a single urllib3 2.6.3 entry.

CVE Details

| CVE | Severity | Package | Summary |
|---|---|---|---|
| CVE-2026-21441 | high | urllib3 | Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API) |
| CVE-2025-66471 | high | urllib3 | Streaming API improperly handles highly compressed data |
| CVE-2025-66418 | high | urllib3 | Unbounded number of links in the decompression chain |
| CVE-2025-50181 | medium | urllib3 | Redirects not disabled when retries are disabled on PoolManager |

Verification

  • Lockfile regenerated — only urllib3 2.6.3 remains
  • Linters pass (ruff check + format)
  • Unit tests pass (98 passed)

🤖 Submitted by langster-patch
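The "only urllib3 2.6.3 remains" verification step above can be checked mechanically rather than by eye, and the same check catches the underlying condition (one package locked at two versions because of an environment-marker split) for any dependency. The script below is an added example, not code from this PR or the project; it assumes a uv.lock-style TOML lockfile whose `[[package]]` tables carry `name` and `version`, and the two sample lockfiles are constructed here to mirror the before and after states the PR describes.

```python
"""Lockfile check: flag packages locked at more than one version and versions
below a floor. Added example, not the project's code; assumes uv.lock-style
TOML with [[package]] tables that carry `name` and `version`."""
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib  # type: ignore
from collections import defaultdict

# Constructed sample: the "before" state the PR describes, where vcrpy 7's
# PyPy-only `urllib3 <2` requirement pulled a second urllib3 entry into the lock.
BEFORE_LOCK = """\
version = 1

[[package]]
name = "urllib3"
version = "1.26.20"

[[package]]
name = "urllib3"
version = "2.6.3"

[[package]]
name = "vcrpy"
version = "7.0.0"
"""

# Constructed sample: the "after" state, a single urllib3 entry.
AFTER_LOCK = """\
version = 1

[[package]]
name = "urllib3"
version = "2.6.3"

[[package]]
name = "vcrpy"
version = "8.1.1"
"""


def package_versions(lock_text):
    """Map each package name (lower-cased) to the set of versions locked for it."""
    data = tomllib.loads(lock_text)
    versions = defaultdict(set)
    for pkg in data.get("package", []):
        versions[pkg["name"].lower()].add(pkg["version"])
    return dict(versions)


def find_duplicates(lock_text):
    """Packages that resolve to more than one version (marker-split dependencies)."""
    return {name: sorted(v) for name, v in package_versions(lock_text).items()
            if len(v) > 1}


def _version_key(version):
    """Numeric-prefix tuple for ordering: '2.6.3' -> (2, 6, 3). Pre-release
    suffixes are ignored, which is enough for a floor check on release versions."""
    key = []
    for part in version.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        key.append(int(digits) if digits else 0)
    return tuple(key)


def versions_below(lock_text, name, floor):
    """Locked versions of `name` that are older than `floor`."""
    locked = package_versions(lock_text).get(name.lower(), set())
    return sorted(v for v in locked if _version_key(v) < _version_key(floor))


if __name__ == "__main__":
    for label, lock in (("before", BEFORE_LOCK), ("after", AFTER_LOCK)):
        print(label, "duplicates:", find_duplicates(lock),
              "| urllib3 below 2.6.3:", versions_below(lock, "urllib3", "2.6.3"))
```

Run against a real lockfile by reading the file into `lock_text`; a non-empty result from `find_duplicates` is the signal that a transitive constraint (here vcrpy 7's PyPy marker) is keeping an old version alive even though the resolver has already picked a patched one.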

Bump langchain-tests 1.0.0 → 1.1.5, which pulls in vcrpy 8.1.1
(dropped the urllib3 <2 hard dependency). This eliminates the
vulnerable urllib3 1.26.20 lockfile entry — only 2.6.3 remains.

Resolves: CVE-2026-21441, CVE-2025-66471, CVE-2025-66418, CVE-2025-50181
Strategy: parent bump (langchain-tests → vcrpy 8.x → urllib3 unconstrained)
@jkennedyvz John Kennedy (jkennedyvz) merged commit 0fa8630 into main Feb 28, 2026
11 checks passed
@jkennedyvz John Kennedy (jkennedyvz) deleted the fix/security-alerts-2026-02-28 branch February 28, 2026 22:46

1 participant