
Security updates: fix vulnerable Python dependencies#1867

Merged
kkraune merged 5 commits into master from thomasht86/security-updates on Mar 16, 2026

Conversation

@thomasht86
Contributor

@thomasht86 thomasht86 commented Mar 13, 2026

Summary

  • Remove examples/fasthtml-demo — no longer current, replaced by other demos. Had vulnerable cryptography==44.0.1 (CVE-2026-26007)
  • Update transformers to 4.53.0 in visual-retrieval-colpali/pyproject.toml — fixes RCE vulnerabilities (CVE-2024-11392, CVE-2024-11393, CVE-2024-11394)
  • Remove stale uv.lock from visual-retrieval-colpali — was out of sync with pyproject.toml
  • Rename requirements.txt to legacy-requirements.txt — pinned file contained vulnerable versions of pypdf, pillow, cryptography, and transformers. Renamed to signal it may be out of date; pyproject.toml is the source of truth
  • Update README with legacy note and updated file references

Should make the 4 open Renovate security PRs (#1842, #1843, #1844, #1853) obsolete.

Test plan

  • Verify visual-retrieval-colpali installs cleanly from pyproject.toml with uv sync
  • Verify the app starts and serves requests
  • Close obsolete Renovate PRs after merge

🤖 Generated with Claude Code
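As an added illustration of the drift this PR fixes (not code from the repository): a small stdlib-only check that reports every `==` pin in a legacy requirements file that has fallen below the `>=` floor declared in pyproject.toml, the file the PR makes the source of truth. The dependency lists are constructed; only the transformers floor of 4.53.0 comes from the PR, the other floors and all pins are assumptions.

```python
import re

# Constructed sample inputs (not the project's real files). The transformers
# floor mirrors the PR (4.53.0); the other three floors are assumptions.
PYPROJECT_DEPS = [
    "transformers>=4.53.0",
    "pillow>=11.0.0",
    "pypdf>=5.0.0",
    "cryptography>=45.0.0",
]
LEGACY_REQUIREMENTS = """\
# legacy-requirements.txt (constructed sample)
transformers==4.46.0
Pillow==10.4.0
pypdf==5.1.0
cryptography==44.0.1
"""

SPEC_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=)\s*([0-9][0-9.]*)\s*(?:#.*)?$")

def normalize(name: str) -> str:
    """PEP 503 style name normalization so 'Pillow' and 'pillow' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def version_key(text: str) -> tuple:
    """Numeric tuple, so 4.53.0 sorts above 4.6.0 (string comparison gets this wrong)."""
    return tuple(int(part) for part in text.strip(".").split("."))

def parse_specs(lines):
    """Yield (normalized name, operator, version) for lines carrying a pin or a floor."""
    for line in lines:
        m = SPEC_RE.match(line)
        if m:
            yield normalize(m.group(1)), m.group(2), m.group(3)

def find_stale_pins(pyproject_deps, requirements_text):
    """Return (name, pinned, floor) for every == pin below the >= floor in pyproject."""
    floors = {name: ver for name, op, ver in parse_specs(pyproject_deps) if op == ">="}
    stale = []
    for name, op, pinned in parse_specs(requirements_text.splitlines()):
        if op == "==" and name in floors and version_key(pinned) < version_key(floors[name]):
            stale.append((name, pinned, floors[name]))
    return stale

if __name__ == "__main__":
    for name, pinned, floor in find_stale_pins(PYPROJECT_DEPS, LEGACY_REQUIREMENTS):
        print(f"{name}: pinned {pinned} is below the pyproject floor {floor}")
```

Pins that are at or above their floor (pypdf in the sample) are not reported; a pin for a package with no floor in pyproject is also ignored.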

thomasht86 and others added 5 commits March 13, 2026 12:51

This example app is no longer current. Replaced by other demos.
Also had a vulnerable pinned cryptography==44.0.1 dependency
(CVE-2026-26007).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Lock file was out of sync with pyproject.toml and requirements.txt.
Dependencies should be resolved at install time from pyproject.toml.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Fixes CVE-2024-11392, CVE-2024-11393, CVE-2024-11394 — deserialization
of untrusted data vulnerabilities allowing remote code execution.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The pinned requirements file contained multiple vulnerable dependency
versions (pypdf, pillow, cryptography, transformers). Renamed to legacy
to signal it may be out of date; pyproject.toml is the source of truth.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add note that the legacy requirements file may be out of date and
recommend using uv with pyproject.toml instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@thomasht86 thomasht86 requested a review from kkraune March 13, 2026 11:55
@thomasht86
Contributor Author

fyi @odosk

Member

@kkraune kkraune left a comment


👍

@kkraune kkraune merged commit df17ef0 into master Mar 16, 2026
7 of 8 checks passed
@kkraune kkraune deleted the thomasht86/security-updates branch March 16, 2026 07:26