Skip to content

fix(deps)!: patch vulnerabilities flagged by Socket#187

Merged
Larry-Osakwe merged 1 commit into
mainfrom
allie/socket-fix-aiohttp-3.13.5
Jul 8, 2026
Merged

fix(deps)!: patch vulnerabilities flagged by Socket#187
Larry-Osakwe merged 1 commit into
mainfrom
allie/socket-fix-aiohttp-3.13.5

Conversation

@alliehowe29

Copy link
Copy Markdown
Contributor

Patches dependency vulnerabilities flagged by socket ci / socket fix --all across all lockfiles in the repo.

Linear: SEC-102 — https://linear.app/keycardlabs/issue/SEC-102/patch-socket-flagged-dependency-vulnerabilities-in-python-sdk

Applied upgrades

The table shows the versions that actually landed in the lockfiles. Four packages resolved to versions newer than Socket's minimum-safe plan (the uv resolver pulled the latest compatible release) — these still fully resolve the advisories, since the landed version exceeds the patched threshold:

  • langchain-core planned 1.3.3 → landed 1.4.8
  • langgraph-sdk planned 0.3.15 → landed 0.4.2
  • pydantic-ai planned 1.56.0 → landed 2.0.0
  • pydantic-ai-slim planned 1.56.0 → landed 2.0.0
Package Old version New version Breaking? GHSAs / advisories patched
pydantic-settings 2.14.0 2.14.2 GHSA-4xgf-cpjx-pc3j
aiohttp 3.13.5 3.14.1 GHSA-jg22-mg44-37j8, GHSA-hg6j-4rv6-33pg, GHSA-xcgm-r5h9-7989, GHSA-m6qw-4cw2-hm4m, GHSA-hpj7-wq8m-9hgp, GHSA-9x8q-7h8h-wcw9, GHSA-g3cq-j2xw-wf74, GHSA-63hw-fmq6-xxg2, GHSA-4m7w-qmgq-4wj5, GHSA-4fvr-rgm6-gqmc, GHSA-2fqr-mr3j-6wp8
pydantic-ai 0.8.1 2.0.0 GHSA-2jrp-274c-jhv3
pydantic-ai-slim 0.8.1 2.0.0 GHSA-2jrp-274c-jhv3
langchain 1.2.15 1.3.9 GHSA-gr75-jv2w-4656
authlib 1.7.0 1.7.1 GHSA-r95x-qfjj-fjj2, GHSA-w8p2-r796-3vmq
cryptography 46.0.7 48.0.1 GHSA-537c-gmf6-5ccf
cryptography 47.0.0 48.0.1 GHSA-537c-gmf6-5ccf
fastmcp 3.2.4 3.3.0 GHSA-537c-gmf6-5ccf
starlette 1.0.0 1.3.1 GHSA-86qp-5c8j-p5mr, GHSA-x746-7m8f-x49c, GHSA-wqp7-x3pw-xc5r, GHSA-82w8-qh3p-5jfq, GHSA-jp82-jpqv-5vv3
starlette 1.0.1 1.3.1 GHSA-x746-7m8f-x49c, GHSA-wqp7-x3pw-xc5r, GHSA-82w8-qh3p-5jfq, GHSA-jp82-jpqv-5vv3
idna 3.13 3.15 GHSA-65pc-fj4g-8rjx
langchain-core 1.3.2 1.4.8 GHSA-pjwx-r37v-7724
langgraph-checkpoint 4.0.3 4.1.1 GHSA-fjqc-hq36-qh5p
langgraph-sdk 0.3.13 0.4.2 GHSA-w39p-vh2g-g8g5
langsmith 0.7.37 0.8.18 GHSA-3644-q5cj-c5c7, GHSA-f4xh-w4cj-qxq8
pyjwt 2.12.1 2.13.0 GHSA-fhv5-28vv-h8m8, GHSA-xgmm-8j9v-c9wx, GHSA-jq35-7prp-9v3f, GHSA-w7vc-732c-9m39, GHSA-993g-76c3-p5m4
python-multipart 0.0.27 0.0.31 GHSA-vffw-93wf-4j4q, GHSA-6jv3-5f52-599m, GHSA-v9pg-7xvm-68hf, GHSA-5rvq-cxj2-64vf
urllib3 2.6.3 2.7.0 GHSA-qccp-gfcp-xxvc, GHSA-mf9v-mfxr-j63j
uv 0.11.8 0.11.15 GHSA-4gg8-gxpx-9rph

Not fixed

  • chromadb@1.1.1 (GHSA-f4j7-r4q5-qw2c) — Socket/Coana returned "Unknown error"; no upgrade could be computed. The package remains flagged by policy and socket ci still reports unhealthy solely because of it.

Reviewers

Top repo committers requested: @kamil-keycard, @Larry-Osakwe. The #3 contributor by commit count (actions-user) is a CI service account, not a human, so it was skipped in favor of the next human committer @seriousben.

BREAKING CHANGE:

  • pydantic-ai: 0.8.1 → 2.0.0
  • pydantic-ai-slim: 0.8.1 → 2.0.0
  • cryptography: 46.0.7 → 48.0.1
  • cryptography: 47.0.0 → 48.0.1
  • langsmith: 0.7.37 → 0.8.18
  • langgraph-sdk: 0.3.13 → 0.4.2

@socket-security

socket-security Bot commented Jun 25, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedpypi/​pydantic-ai@​0.8.1 ⏵ 2.0.0100100 +1690100100
Updatedpypi/​aiohttp@​3.13.5 ⏵ 3.14.197 +1100 +21100100100
Updatedpypi/​langchain@​1.2.15 ⏵ 1.3.1199 +1100 +2100100100
Updatedpypi/​cryptography@​46.0.7 ⏵ 48.0.1100100 +16100100100
Updatedpypi/​pydantic-settings@​2.14.0 ⏵ 2.14.2100 +1100 +2100100100

View full report

@Larry-Osakwe Larry-Osakwe force-pushed the allie/socket-fix-aiohttp-3.13.5 branch from b01d862 to 829056b Compare July 8, 2026 23:03
Apply socket fix --all to resolve dependency vulnerabilities across all
lockfiles. Resolves all fixable Socket policy-flagged packages; chromadb
remains flagged (no upstream fix available).

Linear: SEC-102

BREAKING CHANGE: pydantic-ai 0.8.1 -> 2.0.0; pydantic-ai-slim 0.8.1 -> 2.0.0; cryptography 46.0.7 -> 48.0.1; cryptography 47.0.0 -> 48.0.1; langsmith 0.7.37 -> 0.8.18; langgraph-sdk 0.3.13 -> 0.4.2
@Larry-Osakwe Larry-Osakwe force-pushed the allie/socket-fix-aiohttp-3.13.5 branch from 829056b to 2127791 Compare July 8, 2026 23:05
@Larry-Osakwe Larry-Osakwe merged commit d02eed3 into main Jul 8, 2026
5 checks passed
@Larry-Osakwe Larry-Osakwe deleted the allie/socket-fix-aiohttp-3.13.5 branch July 8, 2026 23:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants