cherry-picking security fixes main-> release-cpd#1770
* Upgraded Langflow to 1.9.3
* update docling remote to throw errors
* upgrade docling version on docling manager
* style: ruff autofix (auto)
* Update docling code and fix docling manager lint
* updated langflow to 1.9.4
* change image to future langflow image
* upgraded to langflow 1.9.6rc0
* fix langflow image
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
…unt K8S token (langflow-ai#1741)
* Fix field indentation / enable-disable automounting of service account K8S token
* Fix field indentation in template, must be top-level
---------
Co-authored-by: rodageve <rodrigo.geve@datastax.com>
* address lgpl concerns around sharp
* style: apply biome auto-fixes [skip ci]
---------
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* fix CVEs on npm packages
* CI fix
…i#1761)
* Update test-e2e.yml
fix(deps): bump pyjwt, authlib, idna to resolve CVEs
Security fixes for CVEs flagged in image scan (openrag-backend):
- pyjwt 2.12.1 → 2.13.0 (fixes CVE-2026-48522, CVE-2026-48524, CVE-2026-48525, CVE-2026-48526)
- authlib 1.6.10 → 1.7.2 — promoted to direct dep (was transitive); fixes CVE-2026-41425, CVE-2026-44681
- idna 3.11 → 3.18 — promoted to direct dep (was transitive); fixes CVE-2026-45409
authlib and idna are pinned explicitly in pyproject.toml to prevent transitive resolution from pulling in vulnerable versions in future dependency updates. uv.lock updated accordingly; joserfc 1.7.0 added as new transitive dep introduced by authlib 1.7.x.
* fix: bump pyjwt, authlib, idna to resolve image scan CVEs
Pull Request
- langflow-ai#1761
Summary
- Bumped `authlib` and `idna` minimum versions to address CVEs flagged by image scanning.
Dependency Updates
- Raised `authlib` lower bound from `>=1.7.1` to `>=1.7.2` and added an upper bound `<2.0.0` to prevent unvetted major-version upgrades
- Raised `idna` lower bound from `>=3.15` to `>=3.18`
- Lock file updated to reflect resolved versions: `authlib==1.7.2`, `idna==3.18`
---------
Co-authored-by: Mike Pawlowski <mpawlow@ca.ibm.com>
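The commit message above pins authlib and idna as direct dependencies so that a future resolution cannot drift back below the fixed versions. An added check that applies that idea (example code, not part of this PR or the project): it parses a uv.lock fragment and flags any of the three packages that resolved below the stated floor, or at or above the `<2.0.0` cap placed on authlib. The lock text, the floor table and all function names are constructed for this example; the version parser handles plain numeric versions with an optional pre-release suffix, not full PEP 440.

```python
"""Verify that a uv.lock satisfies the minimum secure versions from the CVE fix.

Added example, not project code. Floors are taken from the commit message;
the lock fragment below is constructed and deliberately leaves idna on the
old version so the check has something to report.
"""
import re
from typing import Dict, List, Tuple

# Lower bounds stated in the commit message.
SECURITY_FLOORS: Dict[str, str] = {
    "pyjwt": "2.13.0",
    "authlib": "1.7.2",
    "idna": "3.18",
}

# Exclusive upper bounds, mirroring the `<2.0.0` cap on authlib.
UPPER_BOUNDS: Dict[str, str] = {
    "authlib": "2.0.0",
}

# Constructed uv.lock fragment (same shape as real entries, trimmed to the
# two keys this check needs).
SAMPLE_LOCK = """
[[package]]
name = "authlib"
version = "1.7.2"

[[package]]
name = "idna"
version = "3.11"

[[package]]
name = "pyjwt"
version = "2.13.0"

[[package]]
name = "joserfc"
version = "1.7.0"
"""

_ENTRY = re.compile(r'\[\[package\]\]\s*\nname = "([^"]+)"\s*\nversion = "([^"]+)"')


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '1.9.6rc0' into ((1, 9, 6), 0) and '1.9.6' into ((1, 9, 6), 1).

    The trailing flag ranks a pre-release below its final release. Short
    versions are padded so that 3.18 and 3.18.0 compare equal.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(.*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    if len(nums) < 3:
        nums += (0,) * (3 - len(nums))
    return nums, 0 if m.group(2) else 1


def locked_versions(lock_text: str) -> Dict[str, str]:
    """Map lower-cased package name to the version pinned in the lock text."""
    return {name.lower(): ver for name, ver in _ENTRY.findall(lock_text)}


def check_lock(lock_text: str) -> List[str]:
    """Return one finding per package that misses its floor or upper bound.

    An empty list means every flagged package resolved to a fixed version.
    """
    findings: List[str] = []
    pinned = locked_versions(lock_text)
    for pkg, floor in SECURITY_FLOORS.items():
        if pkg not in pinned:
            findings.append(f"{pkg}: not present in lock file")
            continue
        got = pinned[pkg]
        if parse_version(got) < parse_version(floor):
            findings.append(f"{pkg}: locked {got} is below secure floor {floor}")
        cap = UPPER_BOUNDS.get(pkg)
        if cap and parse_version(got) >= parse_version(cap):
            findings.append(f"{pkg}: locked {got} exceeds allowed bound <{cap}")
    return findings


if __name__ == "__main__":
    for line in check_lock(SAMPLE_LOCK) or ["lock file satisfies all security floors"]:
        print(line)
```

Run against the real uv.lock by reading the file into `check_lock`; a non-empty result in CI is the signal that a dependency update has undone one of the pins.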
@lucaseduoli can you check if the flow changes in this PR are required or not?
Yes, they are, since they were breaking before. It's necessary to update to 1.9.6. @AgNess-G Can we wait for the ubi9 image to be merged so that we can include that commit here?
As SRT required the CVE fixes more than UBI9, @edwinjosechittilappilly @lucaseduoli, if you could please merge the UBI commit before 11pm IST Saturday along with this PR, then that's okay. Otherwise, please merge this. Thanks.
Please test, merge and let me know when it's done. Thanks.
PRs cherry-picked
Check commit 1: a066454 - Langflow upgrade to 1.9.6
Check commit 2: 25b23e4 - field indentation / service account
Check commit 3: 525e68b - Address LGPL License concerns
Check commit 4: fa53e97 - fix cves on npm packages
Check commit 5: 83fc972 - CVE-2026-42561 python-multipart
Check commit 6: e36f86b - CVE-2026-44432 urllib3
Check commit 7: 5aa5858 - CVE-2026-0994 protobuf
Check commit 8: 61da641 - SonarQube static sec findings
Check commit 9: f6eaf76 - bump pyjwt, authlib, idna
Please verify whether these are all of them or there are more.
Build successful: https://cloud.ibm.com/devops/pipelines/tekton/812870c6-227d-4ff3-9d76-62ada721d579/runs/d7e9e7c9-f6be-43db-aedb-bda8b7aa2ec8/build-artifact?env_id=ibm:yp:us-south&view=logs
release_image
icr.io/wxd_dev/openrag-backend:fix_rel_cpd_cherry-dc71f8c
icr.io/wxd_dev/openrag-frontend:fix_rel_cpd_cherry-dc71f8c
icr.io/wxd_dev/openrag-langflow:fix_rel_cpd_cherry-dc71f8c
not tested