fix(deps): remove nltk to resolve CVE-2026-54293 (#305)

luarss · web-flow · commit d6922ac80c25 · 2026-06-20T00:43:40.000Z
* fix(deps): remove nltk to resolve CVE-2026-54293 No patched version of nltk is available for the URL-encoded path traversal vulnerability (CVE-2026-54293). Remove it by: - Replacing UnstructuredHTMLLoader (unstructured -> nltk) with BSHTMLLoader (beautifulsoup4) in process_html.py BSHTMLLoader (beautifulsoup4) in process_html.py - Removing unstructured==0.18.18 and nltk==3.9.4 from pyproject.toml - Promoting beautifulsoup4 from dev to main dependencies - Deleting the now-unnecessary post_install.py NLTK data downloader - Removing the post_install.py step from both Dockerfiles Signed-off-by: Jack Luar <jluar@precisioninno.com> * fix(tests): update mock target from UnstructuredHTMLLoader to BSHTMLLoader process_html.py was migrated from UnstructuredHTMLLoader to BSHTMLLoader but the test mocks were not updated, causing 8 test failures in CI. Signed-off-by: Jack Luar <jluar@precisioninno.com> --------- Signed-off-by: Jack Luar <jluar@precisioninno.com>
diff --git a/backend/Dockerfile b/backend/Dockerfile
@@ -20,7 +20,7 @@ RUN pip install uv
 COPY ./pyproject.toml /ORAssistant-backend/pyproject.toml
 COPY . .
 
-RUN uv venv .venv && uv sync && uv run /ORAssistant-backend/src/post_install.py
+RUN uv venv .venv && uv sync
 
 ARG SKIP_HF_DOWNLOAD=false
 RUN if [ "$SKIP_HF_DOWNLOAD" = "false" ]; then \
diff --git a/backend/Dockerfile_slim b/backend/Dockerfile_slim
@@ -21,8 +21,7 @@ COPY ./pyproject.toml /ORAssistant-backend/pyproject.toml
 COPY . .
 
 RUN uv venv .venv && \
-    uv sync --dev && \
-    uv run /ORAssistant-backend/src/post_install.py
+    uv sync --dev
 
 RUN git clone https://huggingface.co/datasets/The-OpenROAD-Project/ORAssistant_RAG_Dataset && \
     mkdir -p data && \
diff --git a/backend/pyproject.toml b/backend/pyproject.toml
@@ -29,8 +29,7 @@ dependencies = [
     "markdown==3.8.2",
     "myst-parser==4.0.1",
     "nest-asyncio>=1.6.0",
-    "nltk==3.9.4",
-    "openai==1.100.2",
+"openai==1.100.2",
     "protobuf>=5.29.6",
     "PyJWT>=2.13.0",
     "psycopg2-binary>=2.9.11",
@@ -50,12 +49,11 @@ dependencies = [
     "sqlalchemy>=2.0.43",
     "starlette>=1.3.1",
     "tenacity>=9.0.0",
-    "unstructured==0.18.18",
+    "beautifulsoup4>=4.12.3",
 ]
 
 [dependency-groups]
 dev = [
-    "beautifulsoup4==4.12.3",
     "mypy>=1.17.1",
     "pre-commit==3.7.1",
     "pytest>=9.0.3",
diff --git a/backend/src/post_install.py b/backend/src/post_install.py
diff --git a/backend/src/tools/process_html.py b/backend/src/tools/process_html.py
@@ -6,7 +6,7 @@
 from typing import Optional
 
 from langchain_core.documents import Document
-from langchain_community.document_loaders import UnstructuredHTMLLoader
+from langchain_community.document_loaders import BSHTMLLoader
 from langchain_text_splitters import RecursiveCharacterTextSplitter
 
 from .chunk_documents import chunk_documents
@@ -43,7 +43,7 @@ def process_html(
 
     documents = []
     for file_path in tqdm(html_files, desc="Loading HTML files"):
-        content = UnstructuredHTMLLoader(file_path=file_path).load()
+        content = BSHTMLLoader(file_path=file_path).load()
         for doc in content:
             doc.metadata["source"] = file_path.split("./")[-1]
         documents.extend(content)
diff --git a/backend/tests/test_process_html.py b/backend/tests/test_process_html.py
@@ -21,7 +21,7 @@ def test_process_html_nonexistent_folder(self):
         assert result == []
 
     @patch("src.tools.process_html.glob.glob")
-    @patch("src.tools.process_html.UnstructuredHTMLLoader")
+    @patch("src.tools.process_html.BSHTMLLoader")
     @patch(
         "builtins.open",
         new_callable=mock_open,
@@ -52,7 +52,7 @@ def test_process_html_without_splitting(
         assert result[0].metadata["source"] == "test.html"
 
     @patch("src.tools.process_html.glob.glob")
-    @patch("src.tools.process_html.UnstructuredHTMLLoader")
+    @patch("src.tools.process_html.BSHTMLLoader")
     @patch(
         "builtins.open",
         new_callable=mock_open,
@@ -95,7 +95,7 @@ def test_process_html_with_splitting(
         mock_chunk.assert_called_once_with(500, [mock_doc])
 
     @patch("src.tools.process_html.glob.glob")
-    @patch("src.tools.process_html.UnstructuredHTMLLoader")
+    @patch("src.tools.process_html.BSHTMLLoader")
     @patch("builtins.open", new_callable=mock_open, read_data="{}")
     @patch("src.tools.process_html.os.path.exists")
     @patch("src.tools.process_html.os.listdir")
@@ -133,7 +133,7 @@ def test_process_html_split_without_chunk_size_raises_error(self):
                 mock_open(read_data='{"test.html": "https://example.com"}'),
             ):
                 with patch(
-                    "src.tools.process_html.UnstructuredHTMLLoader"
+                    "src.tools.process_html.BSHTMLLoader"
                 ) as mock_loader:
                     mock_doc = Mock()
                     mock_doc.metadata = {"source": "test.html"}
@@ -145,7 +145,7 @@ def test_process_html_split_without_chunk_size_raises_error(self):
                         process_html(temp_dir, split_text=True, chunk_size=None)
 
     @patch("src.tools.process_html.glob.glob")
-    @patch("src.tools.process_html.UnstructuredHTMLLoader")
+    @patch("src.tools.process_html.BSHTMLLoader")
     @patch(
         "builtins.open",
         new_callable=mock_open,
@@ -198,7 +198,7 @@ def test_process_html_logs_error_for_empty_folder(self, mock_logging):
 
     @patch("src.tools.process_html.logging")
     @patch("src.tools.process_html.glob.glob")
-    @patch("src.tools.process_html.UnstructuredHTMLLoader")
+    @patch("src.tools.process_html.BSHTMLLoader")
     @patch("builtins.open", new_callable=mock_open, read_data="{}")
     @patch("src.tools.process_html.os.path.exists")
     @patch("src.tools.process_html.os.listdir")
@@ -225,7 +225,7 @@ def test_process_html_logs_warning_for_missing_source(
     def test_process_html_metadata_transformation(self):
         """Test that metadata is properly transformed."""
         with patch("src.tools.process_html.glob.glob") as mock_glob:
-            with patch("src.tools.process_html.UnstructuredHTMLLoader") as mock_loader:
+            with patch("src.tools.process_html.BSHTMLLoader") as mock_loader:
                 with patch(
                     "builtins.open",
                     mock_open(read_data='{"test.html": "https://example.com"}'),
@@ -281,7 +281,7 @@ def test_process_html_real_file_structure(self):
                 mock_open(read_data='{"docs/html/test.html": "https://example.com"}'),
             ):
                 with patch(
-                    "src.tools.process_html.UnstructuredHTMLLoader"
+                    "src.tools.process_html.BSHTMLLoader"
                 ) as mock_loader:
                     mock_doc = Mock()
                     mock_doc.metadata = {"source": "test.html"}
diff --git a/backend/uv.lock b/backend/uv.lock
