fix(deps): remove nltk to resolve CVE-2026-54293 #305

Merged: luarss merged 2 commits into The-OpenROAD-Project:master from luarss:fix/remove-nltk-cve-2026-54293 on Jun 20, 2026

@luarss (Collaborator) commented Jun 19, 2026

No patched version of nltk is available for the URL-encoded path traversal vulnerability (CVE-2026-54293). Remove it by:

  • Replacing UnstructuredHTMLLoader (unstructured -> nltk) with BSHTMLLoader (beautifulsoup4) in process_html.py
  • Removing unstructured==0.18.18 and nltk==3.9.4 from pyproject.toml
  • Promoting beautifulsoup4 from dev to main dependencies
  • Deleting the now-unnecessary post_install.py NLTK data downloader
  • Removing the post_install.py step from both Dockerfiles

No patched version of nltk is available for the URL-encoded path
traversal vulnerability (CVE-2026-54293). Remove it by:

- Replacing UnstructuredHTMLLoader (unstructured -> nltk) with
  BSHTMLLoader (beautifulsoup4) in process_html.py
- Removing unstructured==0.18.18 and nltk==3.9.4 from pyproject.toml
- Promoting beautifulsoup4 from dev to main dependencies
- Deleting the now-unnecessary post_install.py NLTK data downloader
- Removing the post_install.py step from both Dockerfiles

Signed-off-by: Jack Luar <jluar@precisioninno.com>

@luarss enabled auto-merge (squash) June 20, 2026 00:38

…oader

process_html.py was migrated from UnstructuredHTMLLoader to BSHTMLLoader
but the test mocks were not updated, causing 8 test failures in CI.

Signed-off-by: Jack Luar <jluar@precisioninno.com>

@luarss force-pushed the fix/remove-nltk-cve-2026-54293 branch from b1904c6 to a474e34 (June 20, 2026 00:43)

@luarss merged commit d6922ac into The-OpenROAD-Project:master on Jun 20, 2026 (4 checks passed)

@luarss deleted the fix/remove-nltk-cve-2026-54293 branch (June 20, 2026 01:14)