fix(security): extend langchain-core SSRF suppress to 2026-07-30 (ENG-12311)#30
andriy-sudo wants to merge 1 commit into main
…-12311) GHSA-2g6r-c272-w58r / CVE-2026-26013: langchain-core SSRF via image_url token counting. Fix requires langchain-core 0.3.x -> 1.2.11 (breaking major change). No semver-compatible fix available. Extends suppress 2026-06-15 -> 2026-07-30. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
🧹 Nitpick comments (1)
osv-scanner.toml (1)
8-8: Consider risk prioritization across severity levels. The LOW severity vulnerability GHSA-2g6r-c272-w58r now has a suppression expiry of 2026-07-30, which is 14 days later than the HIGH severity vulnerability GHSA-qh6h-p6c9-ff54 (line 13, expires 2026-07-16). While the LOW severity designation may justify a longer acceptance window, having a lower-severity issue suppressed beyond a higher-severity one could create confusion in risk management reviews or automated compliance checks. Consider either:
- Aligning LOW severity expiry dates to not exceed HIGH severity dates, or
- Adding a comment explaining the risk acceptance policy that permits this ordering
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@osv-scanner.toml` at line 8, The LOW severity suppression entry for GHSA-2g6r-c272-w58r has ignoreUntil = 2026-07-30 which is later than the HIGH severity GHSA-qh6h-p6c9-ff54 (2026-07-16); either change the ignoreUntil value for GHSA-2g6r-c272-w58r to be on or before 2026-07-16 to align expiries, or add a clear inline comment in osv-scanner.toml next to the GHSA-2g6r-c272-w58r entry explaining the risk acceptance policy that allows a longer suppression window relative to GHSA-qh6h-p6c9-ff54 so auditors and automated checks understand the ordering.
Vulnerability

Ticket: ENG-12311

Blocker: Fix requires langchain-core 0.3.x → 1.2.11 (major breaking change). langchain-community 0.3.x hard-constrains langchain-core <1.0.0, making a semver-compatible upgrade impossible. Existing suppress was expiring 2026-06-15; extended to 2026-07-30.

🤖 Generated with Claude Code