
fix(security): bump python-dotenv 1.2.1->1.2.2, suppress langchain-text-splitters SSRF (ENG-14769/14677)#28

Merged
andriy-sudo merged 1 commit into main from andriy/eng-14677-fix-python-dotenv-langchain-text-splitters
Apr 24, 2026

Conversation

@andriy-sudo
Contributor

Vulnerability Fix

| Package | Old | New | Advisory | CVSS | Status |
| --- | --- | --- | --- | --- | --- |
| python-dotenv | 1.2.1 | 1.2.2 | CVE-2026-28684 | Medium | ✅ Fixed |
| langchain-text-splitters | 0.3.11 | | GHSA-fv5p-p927-qmxr | Medium | ⚠️ Risk accepted — fix requires >=1.1.2 which needs langchain-core>=1.2.31 (breaking; langchain-community 0.3.x pins langchain-core<1.0.0) |

Linear: https://linear.app/tinyfish/issue/ENG-14769 | https://linear.app/tinyfish/issue/ENG-14677

Summary

  • Adds explicit python-dotenv = ">=1.2.2" floor pin to langchain/pyproject.toml — fixes CVE-2026-28684 (symlink-following file overwrite in set_key()/unset_key()).
  • Suppresses GHSA-fv5p-p927-qmxr (langchain-text-splitters SSRF redirect bypass): fix requires langchain-text-splitters>=1.1.2 which requires langchain-core>=1.2.31 — breaking major change incompatible with langchain-community 0.3.x. HTMLHeaderTextSplitter.split_text_from_url() is not called by this integration package.
Changelog impact summary
| Package | Old | New | Classification | Key changes |
| --- | --- | --- | --- | --- |
| python-dotenv | 1.2.1 | 1.2.2 | Patch/security | CVE-2026-28684 fix (symlink follow); no API changes |

All changes are limited to manifest/lock file version bumps and osv-scanner.toml suppression entries — no functional source code changes.

…xt-splitters SSRF (ENG-14769/14677)

- python-dotenv >=1.2.2 floor pin (CVE-2026-28684 — symlink file overwrite)
- osv-scanner.toml: suppress GHSA-fv5p-p927-qmxr (langchain-text-splitters SSRF; fix requires 1.1.2 which needs langchain-core>=1.2.31, incompatible with langchain-community 0.3.x ecosystem)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@andriy-sudo andriy-sudo requested a review from a team as a code owner April 24, 2026 20:29
@coderabbitai

coderabbitai Bot commented Apr 24, 2026

📝 Walkthrough

The pull request adds a new dependency and manages a security consideration. The python-dotenv package (version 1.2.2 or later) is added to the project's Python dependencies in pyproject.toml. Additionally, an OSV vulnerability ignore rule is created in osv-scanner.toml for vulnerability ID GHSA-fv5p-p927-qmxr, including an expiration date and justification noting that the blocking concern involves breaking major version changes and that this dependency is not utilized within langchain-agentql.

🚥 Pre-merge checks: ✅ 4 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately summarizes the primary changes: bumping python-dotenv for security and suppressing a vulnerability in langchain-text-splitters. |
| Description check | ✅ Passed | The description provides detailed context about the vulnerability fixes, version changes, and risk assessment, clearly related to the changeset modifications. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
osv-scanner.toml (1)

3-3: Consider the 3-month suppression window for ongoing risk management.

The ignoreUntil date of 2026-07-24 provides a 3-month window to either migrate to compatible versions or confirm continued risk acceptance. Ensure tracking mechanisms are in place to revisit this decision before expiration.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@osv-scanner.toml` at line 3, The PR sets ignoreUntil = "2026-07-24T00:00:00Z"
which creates a 3-month suppression window; update tracking and reminder
behavior to ensure this suppression is revisited before expiry by adding or
wiring a follow-up process: ensure the configuration key "ignoreUntil" is
retained, add/update whatever scheduler or issue-tracking hook that monitors
suppression expirations to create a ticket or send an alert ~1–2 weeks before
the ignoreUntil date, and document the rationale and owner for this suppression
in the surrounding configuration or comments so the team knows who is
responsible for migration or risk acceptance decisions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 21ccbc63-0673-4535-b81a-10edac69b004

📥 Commits

Reviewing files that changed from the base of the PR and between 53b4898 and e6e3ac7.

⛔ Files ignored due to path filters (1)
  • langchain/poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • langchain/pyproject.toml
  • osv-scanner.toml

@andriy-sudo andriy-sudo merged commit 11afff1 into main Apr 24, 2026
3 checks passed
@andriy-sudo andriy-sudo deleted the andriy/eng-14677-fix-python-dotenv-langchain-text-splitters branch April 24, 2026 20:53