
fix: upgrade dependencies to address CVE vulnerabilities#12470

Merged: erichare merged 4 commits into release-1.9.0 from security/fixes, Apr 3, 2026

Conversation

@Jkavia (Collaborator) commented Apr 2, 2026

Security Fix: Dependency Vulnerability Remediation

This PR addresses multiple dependency vulnerabilities identified through security scanning. The approach was to upgrade affected packages where possible and remove unused vulnerable dependencies.

Summary of Changes

Fixed (Upgraded Above Vulnerable Versions)
  • pypdf: 6.4.0 → 6.9.2
    Upgraded minimum version above vulnerable 6.6.2
  • gunicorn: 22.0.0 → 25.3.0
    Major version upgrade to address vulnerabilities

Already Safe (No Action Required)

  • orjson: 3.11.7 (above vulnerable 3.10.15)
  • nltk: 3.9.4 (above vulnerable 3.9.1)
  • Markdown: 3.10.2 (above vulnerable 3.7)
  • dynaconf: 3.2.13 (above vulnerable 3.2.12)

Removed Unused Dependencies

  • pydantic_ai removed (unused optional dependency)
  • pydantic_ai_slim removed (transitive dependency of pydantic_ai)

Not Applicable / Not in Use

  • deepdiff is not a project dependency (no action required)

Known Issues (No Fix Available / Constraints)

  • diskcache (5.6.3)
    Still flagged as vulnerable. No patched version currently available on PyPI.
  • pillow (11.3.0)
    Remains vulnerable. Cannot upgrade to 12.x due to constraint: docling requires pillow < 12.0.0

coderabbitai Bot (Contributor) commented Apr 2, 2026

Important: review skipped. Auto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Apr 2, 2026
@Adam-Aghili (Collaborator) left a comment

LGTM.

did a very quick pass and didn't see any major errors

@github-actions github-actions Bot added the lgtm This PR has been approved by a maintainer label Apr 2, 2026
codecov Bot commented Apr 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.05%. Comparing base (4e8c5e7) to head (985d717).
⚠️ Report is 3 commits behind head on release-1.9.0.

❌ Your project status has failed because the head coverage (48.01%) is below the target coverage (60.00%). You can increase the head coverage or adjust the target coverage.


@@                Coverage Diff                @@
##           release-1.9.0   #12470      +/-   ##
=================================================
- Coverage          49.36%   49.05%   -0.32%     
=================================================
  Files               1925     1924       -1     
  Lines             170783   170752      -31     
  Branches           23642    23692      +50     
=================================================
- Hits               84302    83755     -547     
- Misses             85473    85989     +516     
  Partials            1008     1008              
Flag Coverage Δ
backend 55.61% <ø> (+<0.01%) ⬆️
frontend 47.77% <ø> (-0.47%) ⬇️
lfx 48.01% <ø> (ø)


github-actions Bot (Contributor) commented Apr 2, 2026

Frontend Unit Test Coverage Report

Coverage Summary

Lines: 27% | Statements: 27.99% (29259/104533) | Branches: 64.62% (3721/5758) | Functions: 30.03% (690/2297)

Unit Test Results

Tests: 3049 | Skipped: 0 | Failures: 0 | Errors: 0 | Time: 4m 39s

@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Apr 2, 2026
@ogabrielluiz (Contributor) left a comment

hey, nice work on the security fixes! just one thing i noticed with the lock file.

Comment thread uv.lock Outdated
{ name = "pyasn1", specifier = ">=0.6.3,<0.7.0" },
{ name = "pydantic", specifier = "~=2.12.5" },
{ name = "pydantic-ai", marker = "extra == 'pydantic-ai'", specifier = ">=0.0.19" },
{ name = "pydantic-ai", marker = "extra == 'pydantic-ai'", specifier = ">=0.8.1" },
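Review bot: this requires-dist entry for `pydantic-ai` should be gone, not bumped. The PR removes the `pydantic-ai` extra from pyproject.toml, so a lock line carrying `marker = "extra == 'pydantic-ai'"` can only survive if uv.lock was edited by hand or not regenerated after the pyproject.toml change; a specifier moving from `>=0.0.19` to `>=0.8.1` is the tell. Re-run `uv lock` and then `uv sync`, and confirm that no `pydantic-ai` entry remains in the lock; as written, the raised specifier still resolves the package and whatever it depends on into the lock.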
@ogabrielluiz (Contributor) commented:

it looks like the lock file wasn't regenerated after removing the pydantic-ai optional extra from pyproject.toml. this line should have been removed entirely (since the extra no longer exists), but instead it was bumped from >=0.0.19 to >=0.8.1.

because pydantic-ai 0.8.1 now depends on pydantic-ai-slim[temporal], this pulls in temporalio (1.16.0, ~13MB C extension), nexus-rpc, and genai-prices as new transitive dependencies. worth noting that temporalio was a known platform problem in the past (see fe124ed and 027ebed which added explicit workarounds for macOS x86_64).

running uv lock after the pyproject.toml changes should clean this up and drop these unintended transitive deps.

Collaborator commented:

Good catch @ogabrielluiz
@Jkavia make sure to run both uv lock and uv sync

@Jkavia (Collaborator, author) commented:

thanks for the review @ogabrielluiz re-ran the given commands, now pydantic-ai should be completely removed from uv.lock

@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Apr 2, 2026
@ogabrielluiz (Contributor) left a comment

looks good, lock file is clean now. thanks for the quick fix!

@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Apr 2, 2026
@Jkavia Jkavia enabled auto-merge April 2, 2026 20:32
@Jkavia Jkavia added this pull request to the merge queue Apr 2, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Apr 2, 2026
@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Apr 2, 2026
@erichare erichare added this pull request to the merge queue Apr 3, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Apr 3, 2026
@erichare erichare added this pull request to the merge queue Apr 3, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Apr 3, 2026
@erichare erichare added this pull request to the merge queue Apr 3, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Apr 3, 2026
@erichare erichare added this pull request to the merge queue Apr 3, 2026
Merged via the queue into release-1.9.0 with commit 63e6a1d Apr 3, 2026
92 of 93 checks passed
@erichare erichare deleted the security/fixes branch April 3, 2026 12:07
Adam-Aghili pushed a commit that referenced this pull request Apr 15, 2026
security: upgrade dependencies to address CVE vulnerabilities

Co-authored-by: Janardan S Kavia <janardanskavia@Janardans-MacBook-Pro.local>

Labels: bug (Something isn't working), lgtm (This PR has been approved by a maintainer)


4 participants