Skip to content

Commit 789ec23

Browse files
vishnu2kmohanclaude
andcommitted
fix(deps): address Trivy security scan findings and dependency conflicts
Security updates: - starlette: 0.48.0 → 0.50.0 (fixes CVE-2025-62727 Range header DoS) - langchain-core: 0.2.1 → 1.1.0 (security fixes) - pydantic-ai: 0.0.13 → 1.22.0 (resolves dependency conflicts) Dependency resolution: - Resolved pydantic-evals/pydantic-ai-slim version mismatch - Resolved cohere/httpx-sse version conflict - All pydantic-ai packages now consistent at 1.22.0 Go client cleanup: - Removed unused golang.org/x/net and golang.org/x/text dependencies - Cleaned via go mod tidy Notes: - urllib3 remains at <2.4.0 due to kubernetes client constraint - CVE-2025-50181, CVE-2025-50182 fixes pending kubernetes-client/python#2439 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
1 parent 9b428c6 commit 789ec23

4 files changed

Lines changed: 909 additions & 909 deletions

File tree

clients/go/go.mod

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,11 @@
11
module github.com/GIT_USER_ID/GIT_REPO_ID
22

3-
go 1.23
3+
go 1.23.0
4+
5+
require github.com/stretchr/testify v1.11.1
46

57
require (
8+
github.com/davecgh/go-spew v1.1.1 // indirect
9+
github.com/pmezard/go-difflib v1.0.0 // indirect
10+
gopkg.in/yaml.v3 v3.0.1 // indirect
611
)

clients/go/go.sum

Lines changed: 10 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,10 @@
1-
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
2-
github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
3-
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
4-
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
5-
golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg=
6-
golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
7-
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
8-
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
9-
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
10-
google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
11-
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
1+
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
2+
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
3+
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
4+
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
5+
github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
6+
github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
7+
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
8+
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
9+
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
10+
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

pyproject.toml

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ keywords = ["mcp", "model-context-protocol", "langgraph", "llm", "agent", "anthr
2828
dependencies = [
2929
"langgraph>=1.0.3",
3030
"langgraph-checkpoint-redis>=0.1.2", # Redis checkpointer for distributed conversation state
31-
"langchain-core>=1.0.4",
31+
"langchain-core>=1.1.0", # Updated from 1.0.4 for security fixes
3232
"langsmith>=0.4.37",
3333
"litellm>=1.80.0", # Latest stable with Gemini 3 Pro support (gemini-3-pro-preview)
3434
"mcp>=1.18.0",
@@ -46,10 +46,13 @@ dependencies = [
4646
"python-dotenv>=1.1.1",
4747
"pydantic>=2.12.3",
4848
"pydantic-settings>=2.11.0",
49-
"pydantic-ai>=0.0.13", # Type-safe AI agent framework for structured routing
49+
"pydantic-ai>=1.22.0", # Type-safe AI agent framework for structured routing (updated for dependency consistency)
5050
"httpx>=0.28.1",
51+
# NOTE: urllib3 capped at <2.4.0 by kubernetes client (34.1.0)
52+
# CVE-2025-50181, CVE-2025-50182 fixes in 2.5.0 pending kubernetes-client/python#2439
53+
# https://github.com/kubernetes-client/python/issues/2458 tracks the blocker
5154
"fastapi>=0.120.3",
52-
"starlette>=0.48.0", # Explicitly listed (also transitively via FastAPI) for direct imports
55+
"starlette>=0.50.0", # Updated from 0.48.0, fixes CVE-2025-62727 (Range header DoS)
5356
"uvicorn[standard]>=0.38.0",
5457
"python-keycloak>=5.8.1",
5558
"authlib>=1.6.5",

0 commit comments

Comments
 (0)