Problem
`pip-audit` in the security CI job flags a known vulnerability in `docling`:
docling 2.91.0 — CVE-2026-47214 — Fix Versions: 2.94.0
This causes the Security (bandit + pip-audit) job to fail on every PR
(e.g. https://github.com/cuga-project/cuga-eval/actions/runs/26955127632/job/79530191596).
Why we can't just bump
`docling` is pinned to `<2.92` due to a transitive API breakage with `langchain-docling`.
So upgrading docling to `>=2.94.0` will break the `langchain-docling` integration, and
`langchain-docling` does not yet support the newer docling API.
Options
- Ignore the CVE in CI (short-term workaround). Add `--ignore-vuln CVE-2026-47214` to the `pip-audit` invocation in `.github/workflows/ci.yml`, alongside the existing `--ignore-vuln GHSA-r7w7-9xr2-qq2r`, with a comment linking back to this issue and the langchain-docling constraint.
- Upgrade docling to `>=2.94.0` and fix the langchain-docling breakage (proper fix). Either patch the integration locally or replace it.
- Track upstream `langchain-docling` for docling 2.94+ support and bump once available.
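One way to keep the first option honest: instead of a bare `--ignore-vuln` flag that nobody revisits, run `pip-audit --format json` and filter its findings through an ignore list where every suppression carries a reason, a tracking link and an expiry date, so CI starts failing again once the deadline passes. This is an added example, not code from the cuga-eval repo; it assumes the `dependencies` / `vulns` / `fix_versions` / `aliases` shape of pip-audit's JSON output (check it against your pip-audit version), and the sample report and expiry dates are constructed.

```python
"""Triage pip-audit JSON output against a time-boxed ignore list (added example)."""
import json
import sys
from datetime import date

# Constructed sample of what `pip-audit --format json` emits for the docling
# finding described in the issue (not real tool output; shape is an assumption).
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "docling", "version": "2.91.0", "vulns": [
            {"id": "CVE-2026-47214", "fix_versions": ["2.94.0"], "aliases": []}]},
        {"name": "requests", "version": "2.32.3", "vulns": []},
    ],
})

# Each suppression needs a reason, a tracking issue and an expiry, so the
# workaround is re-justified instead of silently becoming permanent.
# URLs and dates below are placeholders, not values from the issue.
IGNORE_LIST = {
    "GHSA-r7w7-9xr2-qq2r": {"reason": "pre-existing ignore in ci.yml",
                            "issue": "<tracking issue URL>", "expires": "2026-12-31"},
    "CVE-2026-47214": {"reason": "docling pinned <2.92 for langchain-docling",
                       "issue": "<this issue's URL>", "expires": "2026-12-31"},
}


def triage(report_json, ignore_list, today=None):
    """Return (blocking, expired): vulns with no suppression, and suppressions
    whose expiry (ISO date) is before `today`. Either list non-empty = fail CI."""
    today = date.fromisoformat(today) if today else date.today()
    blocking, expired = [], []
    for dep in json.loads(report_json)["dependencies"]:
        for vuln in dep.get("vulns", []):
            # Match on the primary id or any alias (e.g. a GHSA for a CVE).
            ids = [vuln["id"], *vuln.get("aliases", [])]
            hit = next((i for i in ids if i in ignore_list), None)
            if hit is None:
                blocking.append(f"{dep['name']} {dep['version']}: {vuln['id']}")
            elif date.fromisoformat(ignore_list[hit]["expires"]) < today:
                expired.append(hit)
    return blocking, expired


if __name__ == "__main__":
    # Real use: pipe `pip-audit --format json` into stdin instead of the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    blocking, expired = triage(data, IGNORE_LIST)
    for line in blocking:
        print("UNSUPPRESSED:", line)
    for vid in expired:
        print("EXPIRED SUPPRESSION:", vid, IGNORE_LIST[vid]["issue"])
    sys.exit(1 if blocking or expired else 0)
```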