fix(deps): remove nltk to resolve CVE-2026-54293

No patched version of nltk is available for the URL-encoded path
traversal vulnerability (CVE-2026-54293). Remove it by:

- Replacing UnstructuredHTMLLoader (unstructured -> nltk) with
  BSHTMLLoader (beautifulsoup4) in process_html.py
  BSHTMLLoader (beautifulsoup4) in process_html.py
- Removing unstructured==0.18.18 and nltk==3.9.4 from pyproject.toml
- Promoting beautifulsoup4 from dev to main dependencies
- Deleting the now-unnecessary post_install.py NLTK data downloader
- Removing the post_install.py step from both Dockerfiles

Signed-off-by: Jack Luar <jluar@precisioninno.com>

Author: luarss

backend/Dockerfile

@@ -20,7 +20,7 @@ RUN pip install uv
 COPY ./pyproject.toml /ORAssistant-backend/pyproject.toml
 COPY . .
 
-RUN uv venv .venv && uv sync && uv run /ORAssistant-backend/src/post_install.py
+RUN uv venv .venv && uv sync
 
 ARG SKIP_HF_DOWNLOAD=false
 RUN if [ "$SKIP_HF_DOWNLOAD" = "false" ]; then \

backend/Dockerfile_slim

@@ -21,8 +21,7 @@ COPY ./pyproject.toml /ORAssistant-backend/pyproject.toml
 COPY . .
 
 RUN uv venv .venv && \
-    uv sync --dev && \
-    uv run /ORAssistant-backend/src/post_install.py
+    uv sync --dev
 
 RUN git clone https://huggingface.co/datasets/The-OpenROAD-Project/ORAssistant_RAG_Dataset && \
     mkdir -p data && \

backend/pyproject.toml

@@ -29,8 +29,7 @@ dependencies = [
     "markdown==3.8.2",
     "myst-parser==4.0.1",
     "nest-asyncio>=1.6.0",
-    "nltk==3.9.4",
-    "openai==1.100.2",
+"openai==1.100.2",
     "protobuf>=5.29.6",
     "PyJWT>=2.13.0",
     "psycopg2-binary>=2.9.11",
@@ -50,12 +49,11 @@ dependencies = [
     "sqlalchemy>=2.0.43",
     "starlette>=1.3.1",
     "tenacity>=9.0.0",
-    "unstructured==0.18.18",
+    "beautifulsoup4>=4.12.3",
 ]
 
 [dependency-groups]
 dev = [
-    "beautifulsoup4==4.12.3",
     "mypy>=1.17.1",
     "pre-commit==3.7.1",
     "pytest>=9.0.3",

backend/src/post_install.py

@@ -6,7 +6,7 @@
 from typing import Optional
 
 from langchain_core.documents import Document
-from langchain_community.document_loaders import UnstructuredHTMLLoader
+from langchain_community.document_loaders import BSHTMLLoader
 from langchain_text_splitters import RecursiveCharacterTextSplitter
 
 from .chunk_documents import chunk_documents
@@ -43,7 +43,7 @@ def process_html(
 
     documents = []
     for file_path in tqdm(html_files, desc="Loading HTML files"):
-        content = UnstructuredHTMLLoader(file_path=file_path).load()
+        content = BSHTMLLoader(file_path=file_path).load()
         for doc in content:
             doc.metadata["source"] = file_path.split("./")[-1]
         documents.extend(content)