
fix(deps)!: patch vulnerabilities flagged by Socket #187

Open

alliehowe29 wants to merge 1 commit into main from allie/socket-fix-aiohttp-3.13.5

Conversation

@alliehowe29

Contributor

Patches dependency vulnerabilities flagged by socket ci / socket fix --all across all lockfiles in the repo.

Linear: SEC-102 — https://linear.app/keycardlabs/issue/SEC-102/patch-socket-flagged-dependency-vulnerabilities-in-python-sdk

Applied upgrades

The table shows the versions that actually landed in the lockfiles. Four packages resolved to versions newer than Socket's minimum-safe plan (the uv resolver pulled the latest compatible release) — these still fully resolve the advisories, since the landed version exceeds the patched threshold:

  • langchain-core planned 1.3.3 → landed 1.4.8
  • langgraph-sdk planned 0.3.15 → landed 0.4.2
  • pydantic-ai planned 1.56.0 → landed 2.0.0
  • pydantic-ai-slim planned 1.56.0 → landed 2.0.0
Package | Old version | New version | Breaking? | GHSAs / advisories patched
--- | --- | --- | --- | ---
pydantic-settings | 2.14.0 | 2.14.2 | | GHSA-4xgf-cpjx-pc3j
aiohttp | 3.13.5 | 3.14.1 | | GHSA-jg22-mg44-37j8, GHSA-hg6j-4rv6-33pg, GHSA-xcgm-r5h9-7989, GHSA-m6qw-4cw2-hm4m, GHSA-hpj7-wq8m-9hgp, GHSA-9x8q-7h8h-wcw9, GHSA-g3cq-j2xw-wf74, GHSA-63hw-fmq6-xxg2, GHSA-4m7w-qmgq-4wj5, GHSA-4fvr-rgm6-gqmc, GHSA-2fqr-mr3j-6wp8
pydantic-ai | 0.8.1 | 2.0.0 | | GHSA-2jrp-274c-jhv3
pydantic-ai-slim | 0.8.1 | 2.0.0 | | GHSA-2jrp-274c-jhv3
langchain | 1.2.15 | 1.3.9 | | GHSA-gr75-jv2w-4656
authlib | 1.7.0 | 1.7.1 | | GHSA-r95x-qfjj-fjj2, GHSA-w8p2-r796-3vmq
cryptography | 46.0.7 | 48.0.1 | | GHSA-537c-gmf6-5ccf
cryptography | 47.0.0 | 48.0.1 | | GHSA-537c-gmf6-5ccf
fastmcp | 3.2.4 | 3.3.0 | | GHSA-537c-gmf6-5ccf
starlette | 1.0.0 | 1.3.1 | | GHSA-86qp-5c8j-p5mr, GHSA-x746-7m8f-x49c, GHSA-wqp7-x3pw-xc5r, GHSA-82w8-qh3p-5jfq, GHSA-jp82-jpqv-5vv3
starlette | 1.0.1 | 1.3.1 | | GHSA-x746-7m8f-x49c, GHSA-wqp7-x3pw-xc5r, GHSA-82w8-qh3p-5jfq, GHSA-jp82-jpqv-5vv3
idna | 3.13 | 3.15 | | GHSA-65pc-fj4g-8rjx
langchain-core | 1.3.2 | 1.4.8 | | GHSA-pjwx-r37v-7724
langgraph-checkpoint | 4.0.3 | 4.1.1 | | GHSA-fjqc-hq36-qh5p
langgraph-sdk | 0.3.13 | 0.4.2 | | GHSA-w39p-vh2g-g8g5
langsmith | 0.7.37 | 0.8.18 | | GHSA-3644-q5cj-c5c7, GHSA-f4xh-w4cj-qxq8
pyjwt | 2.12.1 | 2.13.0 | | GHSA-fhv5-28vv-h8m8, GHSA-xgmm-8j9v-c9wx, GHSA-jq35-7prp-9v3f, GHSA-w7vc-732c-9m39, GHSA-993g-76c3-p5m4
python-multipart | 0.0.27 | 0.0.31 | | GHSA-vffw-93wf-4j4q, GHSA-6jv3-5f52-599m, GHSA-v9pg-7xvm-68hf, GHSA-5rvq-cxj2-64vf
urllib3 | 2.6.3 | 2.7.0 | | GHSA-qccp-gfcp-xxvc, GHSA-mf9v-mfxr-j63j
uv | 0.11.8 | 0.11.15 | | GHSA-4gg8-gxpx-9rph

Not fixed

  • chromadb@1.1.1 (GHSA-f4j7-r4q5-qw2c) — Socket/Coana returned "Unknown error"; no upgrade could be computed. The package remains flagged by policy and socket ci still reports unhealthy solely because of it.

Reviewers

Top repo committers requested: @kamil-keycard, @Larry-Osakwe. The #3 contributor by commit count (actions-user) is a CI service account, not a human, so it was skipped in favor of the next human committer @seriousben.

BREAKING CHANGE:

  • pydantic-ai: 0.8.1 → 2.0.0
  • pydantic-ai-slim: 0.8.1 → 2.0.0
  • cryptography: 46.0.7 → 48.0.1
  • cryptography: 47.0.0 → 48.0.1
  • langsmith: 0.7.37 → 0.8.18
  • langgraph-sdk: 0.3.13 → 0.4.2

Apply socket fix --all to resolve dependency vulnerabilities across all
lockfiles. Resolves all fixable Socket policy-flagged packages; chromadb
remains flagged (no upstream fix available).

Linear: SEC-102

BREAKING CHANGE: pydantic-ai 0.8.1 -> 2.0.0; pydantic-ai-slim 0.8.1 -> 2.0.0; cryptography 46.0.7 -> 48.0.1; cryptography 47.0.0 -> 48.0.1; langsmith 0.7.37 -> 0.8.18; langgraph-sdk 0.3.13 -> 0.4.2
@socket-security


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
--- | --- | --- | --- | --- | --- | ---
Updated | pypi/fastmcp@3.2.4 ⏵ 3.3.0 | 100 +5 | 100 | 90 -10 | 100 | 100
Updated | pypi/pydantic-ai@0.8.1 ⏵ 2.0.0 | 100 | 100 +16 | 90 | 100 | 100
Updated | pypi/aiohttp@3.13.5 ⏵ 3.14.1 | 97 +1 | 100 +21 | 100 | 100 | 100
Updated | pypi/langchain@1.2.15 ⏵ 1.3.9 | 99 +1 | 100 +2 | 100 | 100 | 100
Updated | pypi/starlette@1.0.1 ⏵ 1.3.1 | 100 +1 | 100 +24 | 100 | 100 | 100
Updated | pypi/cryptography@46.0.7 ⏵ 48.0.1 | 100 | 100 +16 | 100 | 100 | 100
Updated | pypi/pydantic-settings@2.14.0 ⏵ 2.14.2 | 100 +1 | 100 +2 | 100 | 100 | 100
