
fix(security): fix osv-scanner.toml format + suppress langchain vulns (ENG-14837)#29

Merged
andriy-sudo merged 1 commit into main from andriy/ENG-14837-fix-osv-scanner-ignores
Apr 28, 2026

Conversation

@andriy-sudo
Contributor

Vulnerabilities

| Package | Old | New | Advisory | CVSS | Status |
| --- | --- | --- | --- | --- | --- |
| langchain-core | 0.3.x | | GHSA-qh6h-p6c9-ff54 | HIGH | ⚠️ Risk accepted — fix requires langchain 0.3→1.x migration (see osv-scanner.toml) |
| langchain-text-splitters | 0.3.x | | GHSA-fv5p-p927-qmxr | MEDIUM | ⚠️ Risk accepted — same blocker |
| langchain-core | 0.3.x | | GHSA-2g6r-c272-w58r | LOW | ⚠️ Risk accepted — same blocker |
| pytest | 8.x | | GHSA-6w46-j5rx-g56g | MEDIUM | ⚠️ Risk accepted — langchain-tests 0.3.x pins pytest<9 |
| langchain-openai | 0.3.x | | GHSA-r7w7-9xr2-qq2r | LOW | ⚠️ Risk accepted — fix requires langchain-core>=1.3.1 (breaking) |

All changes are limited to osv-scanner.toml — no functional source code changes.

Changes

  • Fixed ignoreUntil format: Corrected 4 existing suppressions from quoted RFC3339 strings ("2026-07-16T00:00:00Z") to unquoted TOML local dates (2026-07-16). The quoted form passes TOML parsing silently but is invalid per osv-scanner spec.
  • Added GHSA-r7w7-9xr2-qq2r suppression: langchain-openai prompt injection (LOW) — fix requires langchain-openai>=0.4.4 which requires langchain-core>=1.3.1, blocked by langchain-community 0.3.x's hard langchain-core<1.0.0 constraint.

Root Cause of All Suppressions

All 5 langchain vulnerabilities are blocked by the same fundamental constraint: langchain-community 0.3.x hard-pins langchain-core<1.0.0. All security fixes require langchain-core>=1.x. This is a breaking ecosystem migration with no 0.3.x-compatible fix available. Tracked in ENG-14677 for future migration planning.

Changelog impact summary
| Package | Old | New | Classification | Key changes |
| --- | --- | --- | --- | --- |
| osv-scanner.toml | | | Config fix only | Format correction + 1 new suppression entry |

…7-9xr2-qq2r suppression (ENG-14837)

- Fix 4 quoted RFC3339 ignoreUntil dates to unquoted TOML local date format
- Add suppression for GHSA-r7w7-9xr2-qq2r (langchain-openai LOW, no 0.3.x fix)
- All langchain vulnerabilities blocked by 0.3.x -> 1.x migration constraint

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@andriy-sudo andriy-sudo requested a review from a team as a code owner April 28, 2026 05:27
@coderabbitai

coderabbitai Bot commented Apr 28, 2026

📝 Walkthrough

The osv-scanner.toml configuration file was updated to modify the date format of four existing ignored vulnerability entries, converting their ignoreUntil values from full UTC ISO timestamps (with time component) to date-only format. Additionally, a new ignored vulnerability entry for GHSA-r7w7-9xr2-qq2r was added with an ignoreUntil date of 2026-07-27 and a descriptive reason regarding a langchain-openai tool-result prompt injection issue.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly summarizes the main changes: fixing osv-scanner.toml format and suppressing langchain vulnerabilities. |
| Description check | ✅ Passed | The description is comprehensive and directly related to the changeset, detailing vulnerabilities, format corrections, and the root cause of suppressions. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@osv-scanner.toml`:
- Around line 1-24: The TOML ignoreUntil values in the [[IgnoredVulns]] blocks
are currently unquoted dates (TOML date types) which osv-scanner expects as
STRINGs; update each ignoreUntil entry to a quoted YYYY-MM-DD string for the
listed GHSA IDs (GHSA-fv5p-p927-qmxr, GHSA-2g6r-c272-w58r, GHSA-qh6h-p6c9-ff54,
GHSA-6w46-j5rx-g56g, GHSA-r7w7-9xr2-qq2r) by replacing lines like ignoreUntil =
2026-07-24 with ignoreUntil = "2026-07-24" so the parser sees strings, not TOML
date objects.

📥 Commits

Reviewing files that changed from the base of the PR and between 11afff1 and 3be19da.

📒 Files selected for processing (1)
  • osv-scanner.toml

Comment thread osv-scanner.toml
Comment on lines 1 to +24
[[IgnoredVulns]]
id = "GHSA-fv5p-p927-qmxr"
ignoreUntil = "2026-07-24T00:00:00Z"
ignoreUntil = 2026-07-24
reason = "langchain-text-splitters SSRF redirect bypass in HTMLHeaderTextSplitter.split_text_from_url (MEDIUM). Fix requires langchain-text-splitters>=1.1.2 which requires langchain-core>=1.2.31 — a breaking major change. langchain-community 0.3.x hard-constrains langchain-core<1.0.0, making a semver-compatible upgrade impossible. HTMLHeaderTextSplitter is not used by langchain-agentql. Related: ENG-14677."

[[IgnoredVulns]]
id = "GHSA-2g6r-c272-w58r"
ignoreUntil = "2026-06-15T00:00:00Z"
ignoreUntil = 2026-06-15
reason = "langchain-core SSRF via image_url token counting (LOW). Fix requires upgrading langchain-core 0.3.x -> 1.2.11, a breaking major version change incompatible with our ^0.3.15 constraint. No semver-compatible fix available."

[[IgnoredVulns]]
id = "GHSA-qh6h-p6c9-ff54"
ignoreUntil = "2026-07-16T00:00:00Z"
ignoreUntil = 2026-07-16
reason = "langchain-core path traversal in load_prompt/load_prompt_from_config (HIGH, CVE-2026-34070). Fix requires upgrading langchain-core 0.3.x -> 1.2.22, a breaking major version change. langchain-community 0.3.x hard-constrains langchain-core<1.0.0, making a semver-compatible upgrade impossible without also migrating langchain-community to a stable 1.x release (currently only alpha). No fix available in the 0.3.x line."

[[IgnoredVulns]]
id = "GHSA-6w46-j5rx-g56g"
ignoreUntil = "2026-07-16T00:00:00Z"
ignoreUntil = 2026-07-16
reason = "pytest tmpdir privilege escalation (CVE-2025-71176, MEDIUM). Fix requires pytest>=9.0.3, but langchain-tests<=0.3.x pins pytest<9. Upgrading langchain-tests to 1.x would require a full langchain ecosystem migration (langchain-core 0.3->1.x, langchain-community 0.3->1.x). Affects test execution only — no production exposure. ENG-14433."

[[IgnoredVulns]]
id = "GHSA-r7w7-9xr2-qq2r"
ignoreUntil = 2026-07-27
reason = "langchain-openai prompt injection via tool result injection (LOW). Fix requires langchain-openai>=0.4.4 which requires langchain-core>=1.3.1 — a breaking major change. langchain-community 0.3.x hard-constrains langchain-core<1.0.0, making a semver-compatible upgrade impossible. ENG-14837."
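Review bot: the hunk switches every ignoreUntil from a quoted RFC3339 string to an unquoted TOML local date, but nothing in it or elsewhere in the PR demonstrates that osv-scanner honours the new form, and the CodeRabbit finding in this thread asserts the opposite type is required; the cheapest way to settle it is a CI step that runs osv-scanner against this config and fails if any of the five listed GHSA IDs still appears in its output, which also guards against the failure mode both sides describe, all suppressions silently ceasing to apply. A second point: the expiries range from 2026-06-15 (GHSA-2g6r-c272-w58r) to 2026-07-27, so that entry re-surfaces first while every reason says no 0.3.x-compatible fix exists; state whether the dates are intended as re-review reminders tied to ENG-14677, and if so consider aligning them.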

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python - <<'PY'
import sys, tomllib, pathlib

p = pathlib.Path("osv-scanner.toml")
data = tomllib.loads(p.read_text())

# Depending on osv-scanner.toml structure, adjust key access.
# This assumes the file is only a list under the top-level key `IgnoredVulns`.
# If it’s top-level array-of-tables, tomllib will place it as a key matching the table name.
key_candidates = ["IgnoredVulns", "Ignoredvulns", "ignoredvulns"]
key = next((k for k in key_candidates if k in data), None)

if key is None:
    print("Could not find IgnoredVulns key in parsed TOML. Parsed keys:", list(data.keys()))
    print("Parsed document:", data)
    sys.exit(1)

for item in data[key]:
    vid = item.get("id")
    iu = item.get("ignoreUntil")
    print(f"{vid}: ignoreUntil={iu!r} (python_type={type(iu).__name__})")
PY

Repository: tinyfish-io/agentql-integrations

Length of output: 471


🏁 Script executed:

# Search for osv-scanner references in the codebase
rg -i "osv-scanner|osv.scanner" --type toml --type json --type yaml --type md -A 3 -B 3

Repository: tinyfish-io/agentql-integrations

Length of output: 58


🏁 Script executed:

# Check for any dependency files that might mention osv-scanner
fd -e "go.mod" -e "go.sum" -e "package.json" -e "yarn.lock" -e "requirements.txt" -e "pyproject.toml" -e "Pipfile" | head -20

Repository: tinyfish-io/agentql-integrations

Length of output: 58


🏁 Script executed:

# Search for osv-scanner in documentation or config files
find . -type f \( -name "*.md" -o -name "*.txt" -o -name ".github" \) | xargs grep -l "osv-scanner" 2>/dev/null | head -10

Repository: tinyfish-io/agentql-integrations

Length of output: 58


🌐 Web query:

osv-scanner ignoreUntil TOML schema format string date

💡 Result:

In osv-scanner's TOML configuration file (osv-scanner.toml), ignoreUntil is an optional field used in [[IgnoredVulns]] and [[PackageOverrides]] sections to specify an expiry date for ignoring vulnerabilities or package overrides. It is a string in YYYY-MM-DD format (ISO 8601 date). Example for IgnoredVulns: [[IgnoredVulns]] id = "GO-2022-0968" ignoreUntil = "2022-11-09" # Optional exception expiry date reason = "No ssh servers are connected to or hosted in Go lang" Example for PackageOverrides: [[PackageOverrides]] name = "lib" version = "1.0.0" ecosystem = "Go" ignore = true effectiveUntil = "2022-11-09" # Optional exception expiry date (note: uses effectiveUntil here) reason = "abc" Note: PackageOverrides uses effectiveUntil instead of ignoreUntil, but both follow the same date string format. After the date passes, the ignore/override no longer applies.


Critical: Fix ignoreUntil format—must be quoted strings, not unquoted dates.

osv-scanner's official schema specifies ignoreUntil as a STRING in YYYY-MM-DD format (e.g., "2026-07-24"), not a TOML date type. Your current changes use unquoted dates (ignoreUntil = 2026-07-24), which TOML parsers decode as datetime.date objects. osv-scanner will not recognize this type, causing all vulnerability suppressions in this file to be silently ignored. This breaks security compliance and may cause CI failures.

Change all five ignoreUntil entries from unquoted to quoted:

  • ignoreUntil = 2026-07-24 -> ignoreUntil = "2026-07-24"
  • ignoreUntil = 2026-06-15 -> ignoreUntil = "2026-06-15"
  • ignoreUntil = 2026-07-16 -> ignoreUntil = "2026-07-16"
  • ignoreUntil = 2026-07-27 -> ignoreUntil = "2026-07-27"

Reference: https://google.github.io/osv-scanner/configuration/


@andriy-sudo
Contributor Author

@hongjingzhou — security fix PR, all CI green. Please review when you have a chance.

@andriy-sudo andriy-sudo merged commit 1e7a092 into main Apr 28, 2026
3 checks passed
@andriy-sudo andriy-sudo deleted the andriy/ENG-14837-fix-osv-scanner-ignores branch April 28, 2026 15:47