Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency langchain to v0.0.329 [security] - autoclosed #40

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 5, 2023

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
langchain ==0.0.239 -> ==0.0.329 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-39631

An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.

Patches: Released in v.0.0.308. numexpr dependency is optional for langchain.

CVE-2023-36281

An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via the via the a json file to the load_prompt parameter. This is related to __subclasses__ or a template.

CVE-2023-36258

An issue in langchain allows an attacker to execute arbitrary code via the PALChain in the python exec method.

CVE-2023-34541

Langchain 0.0.171 is vulnerable to Arbitrary code execution in load_prompt.

CVE-2023-46229

LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.

CVE-2023-39659

An issue in langchain langchain-ai before version 0.0.325 allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component.

CVE-2023-32786

In Langchain before 0.0.329, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks.


Release Notes

langchain-ai/langchain (langchain)

v0.0.329

Compare Source

What's Changed

New Contributors

CVEs

CVE-2023-32786 -- resolved by APIChain add restrictions to domains (GHSA-6h8p-4hx9-w66c) by @​eyurtsev in https://github.com/langchain-ai/langchain/pull/12747

Full Changelog: langchain-ai/langchain@v0.0.327...v0.0.329

v0.0.327

Compare Source

What's Changed

New Contributors

Full Changelog: langchain-ai/langchain@v0.0.326...v0.0.327

v0.0.326

Compare Source

What's Changed

New Contributors

Full Changelog: langchain-ai/langchain@v0.0.325...v0.0.326

v0.0.325

Compare Source

What's Changed

New Contributors

CVEs

CVE-2023-39659 resolved in https://github.com/langchain-ai/langchain/pull/12427

Full Changelog: langchain-ai/langchain@v0.0.324...v0.0.325

v0.0.324

Compare Source

What's Changed


Configuration

📅 Schedule: Branch creation - "" in timezone Africa/Lusaka, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/pypi-langchain-vulnerability branch from 8301559 to f88bdb5 Compare October 10, 2023 22:22
@renovate renovate bot changed the title chore(deps): update dependency langchain to v0.0.308 [security] chore(deps): update dependency langchain to v0.0.312 [security] Oct 10, 2023
@renovate renovate bot force-pushed the renovate/pypi-langchain-vulnerability branch from f88bdb5 to 6de1d66 Compare October 25, 2023 20:24
@renovate renovate bot changed the title chore(deps): update dependency langchain to v0.0.312 [security] chore(deps): update dependency langchain to v0.0.317 [security] Oct 25, 2023
@renovate renovate bot force-pushed the renovate/pypi-langchain-vulnerability branch from 6de1d66 to eb3d606 Compare October 30, 2023 21:11
@renovate renovate bot changed the title chore(deps): update dependency langchain to v0.0.317 [security] chore(deps): update dependency langchain to v0.0.325 [security] Oct 30, 2023
@renovate renovate bot changed the title chore(deps): update dependency langchain to v0.0.325 [security] chore(deps): update dependency langchain to v0.0.325 [security] - autoclosed Nov 3, 2023
@renovate renovate bot closed this Nov 3, 2023
@renovate renovate bot deleted the renovate/pypi-langchain-vulnerability branch November 3, 2023 00:15
@renovate renovate bot changed the title chore(deps): update dependency langchain to v0.0.325 [security] - autoclosed chore(deps): update dependency langchain to v0.0.325 [security] Nov 3, 2023
@renovate renovate bot reopened this Nov 3, 2023
@renovate renovate bot restored the renovate/pypi-langchain-vulnerability branch November 3, 2023 00:22
@renovate renovate bot force-pushed the renovate/pypi-langchain-vulnerability branch from eb3d606 to 383e933 Compare November 3, 2023 00:23
@renovate renovate bot force-pushed the renovate/pypi-langchain-vulnerability branch from 383e933 to f19e851 Compare November 11, 2023 06:12
@renovate renovate bot changed the title chore(deps): update dependency langchain to v0.0.325 [security] chore(deps): update dependency langchain to v0.0.329 [security] Nov 11, 2023
@renovate renovate bot changed the title chore(deps): update dependency langchain to v0.0.329 [security] chore(deps): update dependency langchain to v0.0.329 [security] - autoclosed Dec 19, 2023
@renovate renovate bot closed this Dec 19, 2023
@renovate renovate bot deleted the renovate/pypi-langchain-vulnerability branch December 19, 2023 18:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants