fix(deps): remediate Black Duck CVEs on release-v2.6.0 (#612)

Bump langchain, langgraph, langchain-classic, fastmcp, and flatted to
patched versions addressing BDSA/langgraph/fastmcp/flatted findings from
the 26.05.2 container scan.

Author: shubhadeepd

examples/nvidia_rag_mcp/requirements.txt

@@ -1,6 +1,6 @@
 mcp>=1.23.1
 aiohttp>=3.13.3
-fastmcp>=2.15.0
+fastmcp>=3.2.0
 anyio>=4.12.0
 httpx>=0.28.1
 httpx-sse>=0.4.3

frontend/package.json

@@ -57,7 +57,8 @@
       "rollup": ">=4.59.0",
       "minimatch@3.1.2": "3.1.4",
       "minimatch@9.0.5": "9.0.7",
-      "picomatch": ">=4.0.4"
+      "picomatch": ">=4.0.4",
+      "flatted": ">=3.4.2"
     }
   }
 }

frontend/pnpm-lock.yaml

@@ -20,9 +20,9 @@ dependencies = [
     "anyio>=4.12.0",
     "httpx>=0.28.1",
     "httpx-sse>=0.4.3",
-    "langchain>=1.2.7",
+    "langchain>=1.3.1",
     "langchain-community>=0.4",
-    "langgraph>=0.2",
+    "langgraph>=1.2.1",
     "langchain-milvus>=0.3.0",
     "langchain-nvidia-ai-endpoints>=1.4.0",
     "minio>=7.2,<8.0",
@@ -122,6 +122,7 @@ override-dependencies = [
     "aiohttp>=3.13.4",
     "orjson>=3.11.6",
     "langsmith>=0.8.0",
+    "langchain-classic>=1.0.7",
     "langchain-text-splitters>=1.1.2",
     "transformers>=5.1.0",
     "idna>=3.15",

pyproject.toml

@@ -3,7 +3,7 @@ tabulate>=0.9.0
 pyyaml>=6.0.2
 pymilvus>=2.5.8
 mcp>=1.23.1
-fastmcp>=2.15.0
+fastmcp>=3.2.0
 anyio>=4.12.0
 httpx>=0.28.1
 httpx-sse>=0.4.3

tests/integration/requirements.txt

@@ -4,7 +4,7 @@ pytest-cov>=4.0.0
 pytest-asyncio>=0.21.0  # For async test support
 pytest-mock>=3.10.0
 mcp>=1.23.1
-fastmcp>=2.15.0
+fastmcp>=3.2.0
 
 # FastAPI testing
 httpx>=0.28.1