Background
We currently pin `docling<2.92` (`pyproject.toml`) because `langchain-docling` 2.0.0 — a transitive dependency via `cuga` — still imports `docling.chunking`, which was removed when docling 2.92.0 split into a slim package. This blocks us from taking docling `>=2.94.0`, which fixes `CVE-2026-47214`.
As a short-term workaround, #48 ignores `CVE-2026-47214` in the `pip-audit` CI/local security checks (`--ignore-vuln CVE-2026-47214`), pointing back to #45 and this issue.
What needs to happen
We're downstream of both `langchain-docling` and `cuga`'s pin on it — we can't independently bump `docling` past `<2.92` without breaking the integration, so this has to wait until:
- `langchain-docling` releases a version that supports docling's new "slim" layout (no longer imports `docling.chunking`), and
- `cuga`/our transitive constraints allow that newer `langchain-docling` version.
Action when unblocked
Once both of the above land:
- Remove the `docling<2.92` pin (or relax it to `>=2.94`) in `pyproject.toml`
- Remove the `--ignore-vuln CVE-2026-47214` flag from the `pip-audit` invocations in `.github/workflows/ci.yml` and the `justfile`'s `security` target
References