chore(deps): update dependency langchain to v0.0.329 [security] - autoclosed #40
This PR contains the following updates:
- langchain: ==0.0.239 -> ==0.0.329
GitHub Vulnerability Alerts
CVE-2023-39631
An issue in LangChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.
Patches: Released in v.0.0.308. numexpr dependency is optional for langchain.
CVE-2023-36281
An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via a JSON file passed to the load_prompt parameter. This is related to __subclasses__ or a template.
CVE-2023-36258
An issue in langchain allows an attacker to execute arbitrary code via the PALChain in the python exec method.
CVE-2023-34541
Langchain 0.0.171 is vulnerable to arbitrary code execution in load_prompt.
CVE-2023-46229
LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.
CVE-2023-39659
An issue in langchain langchain-ai before version 0.0.325 allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component.
CVE-2023-32786
In Langchain before 0.0.329, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks.
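The two SSRF entries above (CVE-2023-46229, where a crawl can move from an external host to an internal one, and CVE-2023-32786, fixed by restricting APIChain to an allowlist of domains) share one mitigation: refuse to fetch any URL whose host is not on an explicit allowlist or is a literal internal address. The check below is an added example, not LangChain's own code; the allowlist contents and the function name are assumptions.

```python
"""Added example (not LangChain's own code): an allowlist check of the kind
the fix for CVE-2023-32786 introduces, applied before a chain or loader
fetches a URL. ALLOWED_DOMAINS is a constructed allowlist."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist; a real deployment would take this from config.
ALLOWED_DOMAINS = {"api.example.com"}


def is_fetch_allowed(url: str, allowed_domains=ALLOWED_DOMAINS) -> bool:
    """Return True only for an http(s) URL whose host is exactly on the
    allowlist and is not a literal private/loopback/link-local address.
    A plain string 'startswith' test is not enough: userinfo, ports and
    lookalike hostnames can all make a different host look allowed."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # e.g. an unbalanced '[' in the authority
    if parts.scheme not in ("http", "https"):
        return False  # file://, gopher:// and friends are never fetched
    host = parts.hostname  # strips userinfo/port/brackets and lowercases
    if not host:
        return False
    if parts.username or parts.password:
        return False  # "https://api.example.com@other.test/" confusion
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal; fall through to the hostname check
    else:
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_unspecified):
            return False  # internal addresses never pass, even if listed
        return host in allowed_domains
    # Exact match only: "api.example.com.other.test" must not pass.
    return host.rstrip(".") in allowed_domains
```

This only inspects the URL as written; a complete defence also resolves the hostname and applies the same address test to every resolved IP, and re-checks each redirect target before following it.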
Release Notes
langchain-ai/langchain (langchain)
v0.0.329
Compare Source
What's Changed
- ruff format instead of black for code formatting. by @obi1kenobi in https://github.com/langchain-ai/langchain/pull/12585
- actions/checkout@v4 in the docs lint job. by @obi1kenobi in https://github.com/langchain-ai/langchain/pull/12581
- print() statements which seemed leftover from debugging. by @obi1kenobi in https://github.com/langchain-ai/langchain/pull/12648
- ruff for both linting and formatting in langchain-cli. by @obi1kenobi in https://github.com/langchain-ai/langchain/pull/12672
- templates with ruff v0.1.3. by @obi1kenobi in https://github.com/langchain-ai/langchain/pull/12676
- YahooFinanceNewsTool by @leo-gan in https://github.com/langchain-ai/langchain/pull/12665
- _test_release.yml workflow. by @obi1kenobi in https://github.com/langchain-ai/langchain/pull/12668
- black caching config from CI lint workflow. by @obi1kenobi in https://github.com/langchain-ai/langchain/pull/12594
- ruff autoformatter. by @obi1kenobi in https://github.com/langchain-ai/langchain/pull/12691
New Contributors
CVEs
CVE-2023-32786 -- resolved by APIChain add restrictions to domains (GHSA-6h8p-4hx9-w66c) by @eyurtsev in https://github.com/langchain-ai/langchain/pull/12747
Full Changelog: langchain-ai/langchain@v0.0.327...v0.0.329
v0.0.327
Compare Source
What's Changed
- poetry lock --no-update for all templates by @dqbd in https://github.com/langchain-ai/langchain/pull/12531
New Contributors
Full Changelog: langchain-ai/langchain@v0.0.326...v0.0.327
v0.0.326
Compare Source
What's Changed
- _dalle_image_url returns list of urls if n>1 by @silvhua in https://github.com/langchain-ai/langchain/pull/11800
New Contributors
Full Changelog: langchain-ai/langchain@v0.0.325...v0.0.326
v0.0.325
Compare Source
What's Changed
New Contributors
CVEs
CVE-2023-39659 resolved in https://github.com/langchain-ai/langchain/pull/12427
Full Changelog: langchain-ai/langchain@v0.0.324...v0.0.325
v0.0.324
Compare Source
What's Changed
Configuration
📅 Schedule: Branch creation - "" in timezone Africa/Lusaka, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.