chore: update dependencies to fix security issues (#251)

This pull request primarily updates Python and JavaScript dependencies
across multiple projects to improve compatibility, security, and add new
features. The most significant changes include adding new dependencies
to several Python `pyproject.toml` files, upgrading various JavaScript
packages in the frontend, and introducing or updating package overrides
for better dependency management.

**Python dependency updates:**

* Added `marshmallow` to multiple Python projects for data serialization
and validation (`libs/admin-api-lib/pyproject.toml`,
`libs/rag-core-api/pyproject.toml`, `libs/rag-core-lib/pyproject.toml`,
`services/document-extractor/pyproject.toml`,
`services/rag-backend/pyproject.toml`).
[[1]](diffhunk://#diff-9c5aeb0db77c2eec077d07ddc3b3810ae1a4a1e50ee7061fba37a46706c513fbR129-R130)
[[2]](diffhunk://#diff-9c4162cc1c16dd4c7ec5e95e79df285e8c0882a1db7ff2892c746a0537d26c36R43)
[[3]](diffhunk://#diff-b19ab043535569caf9345971969d115d6515ae951a21b00a278145a28230fba1R37-R38)
[[4]](diffhunk://#diff-bda9860363f25ca7829f0bc0121455b5cfea15f6ecc4e98d168aba411d9653c9R67-R71)
[[5]](diffhunk://#diff-575f4ba32d7ff340b37eb2f875cb9574553092b79335faadd5f3b6be662b6925R19-R20)
* Added or updated other dependencies such as `protobuf`, `filelock`,
`mammoth`, `azure-core`, `langsmith`, `aiohttp`, and `python-multipart`
in various backend and library modules to enhance functionality and
compatibility.
[[1]](diffhunk://#diff-9c5aeb0db77c2eec077d07ddc3b3810ae1a4a1e50ee7061fba37a46706c513fbR129-R130)
[[2]](diffhunk://#diff-b19ab043535569caf9345971969d115d6515ae951a21b00a278145a28230fba1R37-R38)
[[3]](diffhunk://#diff-bda9860363f25ca7829f0bc0121455b5cfea15f6ecc4e98d168aba411d9653c9R67-R71)
[[4]](diffhunk://#diff-575f4ba32d7ff340b37eb2f875cb9574553092b79335faadd5f3b6be662b6925R19-R20)
[[5]](diffhunk://#diff-a32cd883126f65652f92c8ecc411d949b7bcf95edb2156c36dc2c1b7063ee690R26)
[[6]](diffhunk://#diff-dede389bcfb615c4b45cd1da7ac14cbe9535305f41f19cce09e321c91a8bb323R121)
[[7]](diffhunk://#diff-7be99b3586ebefbb9757532b67d9bd826779bfe12db834326790c00f868238e7R109)

**Frontend JavaScript dependency upgrades:**

* Upgraded key frontend dependencies such as `axios` (to `^1.13.5`) and
`vite` (to `^7.1.11` in `package.json`, `7.3.1` in `package-lock.json`),
and updated related lockfile entries to ensure the latest bug fixes and
features.
[[1]](diffhunk://#diff-699a70f28d33903e145f50af042a20b1b35d92696ab16cc8514a1eb675b39064L45-R45)
[[2]](diffhunk://#diff-699a70f28d33903e145f50af042a20b1b35d92696ab16cc8514a1eb675b39064L61-R61)
[[3]](diffhunk://#diff-699a70f28d33903e145f50af042a20b1b35d92696ab16cc8514a1eb675b39064L6386-R6395)
[[4]](diffhunk://#diff-699a70f28d33903e145f50af042a20b1b35d92696ab16cc8514a1eb675b39064L14104-R14113)
[[5]](diffhunk://#diff-0d005dbd9d9f66983f95fa01fa375184cf69dac9ae841050c11f07ebcc6789fdL56-R56)
[[6]](diffhunk://#diff-0d005dbd9d9f66983f95fa01fa375184cf69dac9ae841050c11f07ebcc6789fdL72-R81)
* Added or updated package overrides for `@isaacs/brace-expansion`,
`lodash`, and `undici` to enforce specific versions and address
potential security or compatibility issues.
[[1]](diffhunk://#diff-0d005dbd9d9f66983f95fa01fa375184cf69dac9ae841050c11f07ebcc6789fdL72-R81)
[[2]](diffhunk://#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519R7-R10)
[[3]](diffhunk://#diff-699a70f28d33903e145f50af042a20b1b35d92696ab16cc8514a1eb675b39064L2739-R2741)

These updates collectively improve reliability, maintainability, and
security across both backend and frontend codebases.

Author: a-klos

libs/admin-api-lib/poetry.lock

@@ -126,6 +126,8 @@ langfuse = "^3.10.1"
 redis = "^6.0.0"
 pyyaml = "^6.0.2"
 python-multipart = "^0.0.22"
+marshmallow = "^3.26.2"
+protobuf = ">=5.29.6,<6.0.0"
 langchain-experimental = "^0.4.0"
 nltk = "^3.9.2"
 starlette = ">=0.49.1"

libs/admin-api-lib/pyproject.toml

@@ -118,6 +118,7 @@ langchain-core = "^1.0.7"
 camelot-py = {extras = ["cv"], version = "^1.0.0"}
 fake-useragent = "^2.2.0"
 pypdfium2 = "4.30.0"
+mammoth = "^1.11.0"
 pypandoc-binary = "^1.15"
 starlette = ">=0.49.1"
 markitdown = {version = "^0.1.3", extras = ["all"]}

libs/extractor-api-lib/poetry.lock

@@ -40,6 +40,7 @@ langchain-community = "^0.4.1"
 fastembed = "^0.7.0"
 langdetect = "^1.0.9"
 langfuse = "^3.10.1"
+marshmallow = "^3.26.2"
 langchain-text-splitters = "^1.0.0"
 starlette = ">=0.49.1"
 langgraph-checkpoint = ">=3.0.0,<4.0.0"

libs/extractor-api-lib/pyproject.toml

@@ -34,6 +34,8 @@ langchain-core = "^1.0.7"
 langchain-openai = "^1.0.3"
 langgraph-checkpoint = ">=3.0.0,<4.0.0"
 boto3 = "^1.38.10"
+filelock = "^3.20.3"
+marshmallow = "^3.26.2"
 
 [tool.poetry.group.test.dependencies]
 pytest = "^8.3.5"

libs/rag-core-api/poetry.lock

@@ -4,5 +4,9 @@
         "@semantic-release/github": "^11.0.1",
         "conventional-changelog-conventionalcommits": "^9.0.0",
         "semantic-release": "^25.0.2"
+    },
+    "overrides": {
+        "lodash": "^4.17.23",
+        "undici": "^6.23.0"
     }
 }