Skip to content

security: fix 5 HIGH CVEs in Python deps (NSPECT-S62Q-PZUD)#696

Draft
nv-rag-cve-bot[bot] wants to merge 1 commit into
developfrom
cve-fix/NSPECT-S62Q-PZUD-20260626-024255
Draft

security: fix 5 HIGH CVEs in Python deps (NSPECT-S62Q-PZUD)#696
nv-rag-cve-bot[bot] wants to merge 1 commit into
developfrom
cve-fix/NSPECT-S62Q-PZUD-20260626-024255

Conversation

@nv-rag-cve-bot

Copy link
Copy Markdown

Summary

Fixes 5 HIGH-severity CVEs in Python dependencies identified in nSpect program NSPECT-S62Q-PZUD (collection), child program NSPECT-UV6I-R3V9 (Container) at version 26.05.2.

All bumps applied via [tool.uv] override-dependencies (existing pattern). uv.lock regenerated. 5 security regression tests added.

Scope

  • pyproject.toml: 4 override-dep floor bumps + 1 new override (starlette) + python-multipart direct dep bump
  • uv.lock: regenerated
  • examples/nvidia_rag_mcp/requirements.txt, tests/integration/requirements.txt: aiohttp floor bump
  • tests/unit/test_security_dependency_pins.py: 5 new regression tests

No application code changes. Pre-existing uncommitted src/ edits are NOT included.

Validation

  • uv.lock confirms all 5 packages at required floors
  • OSV batch sweep: 0 Critical/High remaining
  • 12/12 security pin tests pass locally
  • Expert review: R1–R5 all PASS
  • Full test suite + smoke deferred to CI (pipeline mode, --validate pipeline)

Test plan

  • unit-tests CI job passes (includes test_security_dependency_pins.py)
  • frontend-unit-tests CI job passes
  • static-analysis CI job passes
  • docker-tests chain passes (GPU runner; gated via --ci-wait-gpu)

Incidental findings (deferred)

Container-only CVEs (Go, OpenSSL in base layers of rag-frontend) not addressed — require --include-base-image run or upstream base image update.


🤖 Generated with Claude Code — agentic-cve-fix skill, run ID NSPECT-S62Q-PZUD-20260626-024255

Bumps dependency floors to resolve HIGH-severity CVEs identified in
nSpect program NSPECT-UV6I-R3V9 (container) at version 26.05.2:

- cryptography >=48.0.1: GHSA-537c-gmf6-5ccf (OpenSSL in wheels)
- python-multipart >=0.0.31: GHSA-5rvq-cxj2-64vf/CVE-2026-53539 (DoS)
- langsmith >=0.8.18: GHSA-f4xh-w4cj-qxq8 (arbitrary file read)
- aiohttp >=3.14.1: CVE-2026-47265 (HIGH)
- starlette >=1.3.1: GHSA-82w8-qh3p-5jfq/CVE-2026-48818 (DoS)

Adds 5 security regression tests; regenerates uv.lock.

Signed-off-by: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
@copy-pr-bot

copy-pr-bot Bot commented Jun 26, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant