Merge pull request #827 from Pipelex/release/v0.24.1

Release v0.24.1

Author: thomashebrard

.github/dependabot.yml

@@ -0,0 +1,38 @@
+version: 2
+updates:
+  # Python dependencies via uv/pip ecosystem
+  - package-ecosystem: "pip"
+    directory: "/"
+    # Target dev: merges to main trigger PyPI publish, so dep bumps must go through
+    # a proper versioned release (dev -> release/vX.Y.Z -> main), not a direct main merge.
+    target-branch: "dev"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 10
+    groups:
+      dev-dependencies:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+          - "patch"
+      runtime-minor-patch:
+        dependency-type: "production"
+        update-types:
+          - "minor"
+          - "patch"
+    # Runtime majors get individual PRs so breaking changes are reviewed separately.
+
+  # GitHub Actions — keeps SHA-pinned actions fresh.
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    target-branch: "dev"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    groups:
+      actions-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"

.github/workflows/dependency-review.yml

@@ -0,0 +1,35 @@
+name: Dependency Review
+
+on:
+  pull_request:
+    branches:
+      - main
+      - dev
+      - 'release/v*'
+      - 'pre-release/v*'
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  dependency-review:
+    name: Review new dependencies
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
+        with:
+          # Fail the PR if it introduces any new vulnerable dependency at this
+          # severity or higher. "moderate" matches the Dependabot alert levels
+          # we just triaged (pytest, cryptography were both "medium"/"moderate").
+          fail-on-severity: moderate
+          # Respect existing Dependabot alert dismissals so historical
+          # risk-accepted items (like transformers CVE-2026-1839) don't block.
+          allow-ghsas: GHSA-69w3-r845-3855
+          comment-summary-in-pr: on-failure

.github/workflows/publish-pypi.yml

@@ -55,7 +55,7 @@ jobs:
           name: python-package-distributions
           path: dist/
       - name: Publish distribution 📦 to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
 
   github-release:
     name: >-
@@ -133,7 +133,7 @@ jobs:
           name: python-package-distributions
           path: dist/
       - name: Sign the dists with Sigstore
-        uses: sigstore/gh-action-sigstore-python@v3.0.0
+        uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0
         with:
           inputs: >-
             ./dist/*.tar.gz

CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [v0.24.1] - 2026-04-22
+
+### Security
+
+- **lxml floor `>=6.1.0`** to patch CVE-2026-41066 (GHSA-vfmq-68hx-4jfw): default configuration of `iterparse()` and `ETCompatXMLParser()` allowed XXE to local files (`resolve_entities=True`). lxml 6.1.0 changes the default to `resolve_entities='internal'`. Transitive via `docling`; floor added to the `docling` extra in `pyproject.toml` so downstream installs of `pipelex[docling]` cannot resolve a vulnerable version.
+- **cryptography floor `>=46.0.7`** to patch CVE-2026-39892 (GHSA-p423-j2cm-9vmq): non-contiguous Python buffers passed to hashing APIs (e.g. `Hash.update()`) could read past the end of the buffer on Python >3.11. Transitive via `google-auth` (pulled by `google`, `gcp-storage`, `google-genai` extras) and `moto` (dev). Floor added to each affected extra in `pyproject.toml` — previous bump was lockfile-only, which did not protect downstream users resolving fresh from PyPI metadata.
+- **pytest bumped to 9.0.3** to patch CVE-2025-71176 (GHSA-6w46-j5rx-g56g): vulnerable `/tmp/pytest-of-{user}` directory handling on UNIX could let a local user cause DoS or gain privileges. Dev-only dependency; `pyproject.toml` minimum bumped from `>=9.0.2` to `>=9.0.3`.
+- **transformers CVE-2026-1839 (GHSA-69w3-r845-3855) risk-accepted, alert dismissed.** The vulnerability requires calling `transformers.Trainer._load_rng_state()` with an attacker-controlled checkpoint file. Pipelex only pulls `transformers` transitively through `docling-ibm-models` for PDF layout inference; the `Trainer` class is never imported or executed. Upgrade path is blocked upstream: `docling-ibm-models` 3.13.0 pins `transformers!=5.0.*,!=5.1.*,!=5.2.*,!=5.3.*,<6.0.0,>=4.42.0`, explicitly excluding the patched 5.0.0rc3 release. Revisit when `docling-ibm-models` adds support for `transformers>=5.4`.
+- **Release-publishing GitHub Actions pinned to SHAs**: `pypa/gh-action-pypi-publish` and `sigstore/gh-action-sigstore-python` in `publish-pypi.yml` are now pinned to full commit SHAs (version kept as a trailing comment) so a compromised tag on a third-party action cannot silently alter a PyPI release. Dependabot keeps them fresh.
+- **`.github/dependabot.yml` added**: declares `pip` and `github-actions` ecosystems, weekly cadence, with dev and runtime deps grouped to reduce PR noise. Security updates fire immediately regardless of schedule.
+- **`dependency-review.yml` workflow added**: runs GitHub's `dependency-review-action` on PRs to `main`, `dev`, and release branches. Fails the PR if it introduces a dependency with a moderate-or-higher CVE. Respects the existing transformers (GHSA-69w3-r845-3855) risk-acceptance via `allow-ghsas`. Enable as a required status check in branch protection for `main` to block vulnerable merges.
+
 ## [v0.24.0] - 2026-04-16
 
 ### Added

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "pipelex"
-version = "0.24.0"
+version = "0.24.1"
 description = "Execute composable AI methods declared in the MTHDS open standard"
 authors = [{ name = "Evotis S.A.S.", email = "oss@pipelex.com" }]
 maintainers = [{ name = "Pipelex staff", email = "oss@pipelex.com" }]
@@ -63,11 +63,24 @@ Changelog = "https://docs.pipelex.com/changelog/"
 [project.optional-dependencies]
 anthropic = ["anthropic>=0.78.0"]
 bedrock = ["boto3>=1.34.131", "aioboto3>=13.4.0"]
-docling = ["docling>=2.64.0"]
+docling = [
+  "docling>=2.64.0",
+  "lxml>=6.1.0",
+]
 fal = ["fal-client>=0.4.1"]
-gcp-storage = ["google-cloud-storage>=2.10.0"]
-google = ["google-auth-oauthlib>=1.2.1"]
-google-genai = ["google-genai", "instructor[google-genai]"]
+gcp-storage = [
+  "google-cloud-storage>=2.10.0",
+  "cryptography>=46.0.7",
+]
+google = [
+  "google-auth-oauthlib>=1.2.1",
+  "cryptography>=46.0.7",
+]
+google-genai = [
+  "google-genai",
+  "instructor[google-genai]",
+  "cryptography>=46.0.7",
+]
 huggingface = ["huggingface_hub>=0.23,<1.0.0"]
 linkup = ["linkup-sdk>=0.12.0"]
 mistralai = ["mistralai>=1.12.0"]
@@ -84,12 +97,13 @@ docs = [
 
 dev = [
   "boto3-stubs>=1.35.24",
+  "cryptography>=46.0.7",
   "moto[s3]>=5.0.0",
   "mypy==1.19.1",
   "pipelex-tools>=0.3.2",
   "pyright==1.1.408",
   "pylint==4.0.4",
-  "pytest>=9.0.2",
+  "pytest>=9.0.3",
   "pytest-asyncio>=0.24.0",
   "pytest-cov>=6.1.1",
   "pytest-mock>=3.14.0",