
chore(deps): update dependency langchain to v0.0.329 [security] #1267

Merged: 1 commit, Jan 5, 2024

Conversation

plural-renovate[bot] (Contributor) commented Oct 25, 2023

This PR contains the following updates:

Package: langchain; Update: patch; Change: ==0.0.312 -> ==0.0.329

GitHub Vulnerability Alerts

CVE-2023-46229

LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.

CVE-2023-39659

An issue in langchain langchain-ai before version 0.0.325 allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component.

CVE-2023-32786

In Langchain before 0.0.329, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks.


Release Notes

langchain-ai/langchain (langchain)

v0.0.329

CVEs

CVE-2023-32786 -- resolved by APIChain add restrictions to domains (GHSA-6h8p-4hx9-w66c) by @eyurtsev in https://github.com/langchain-ai/langchain/pull/12747

Full Changelog: langchain-ai/langchain@v0.0.327...v0.0.329

v0.0.327

Full Changelog: langchain-ai/langchain@v0.0.326...v0.0.327

v0.0.326

Full Changelog: langchain-ai/langchain@v0.0.325...v0.0.326

v0.0.325

CVEs

CVE-2023-39659 resolved in https://github.com/langchain-ai/langchain/pull/12427

Full Changelog: langchain-ai/langchain@v0.0.324...v0.0.325

v0.0.324


This PR has been generated by Renovate Bot.
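Added example, not langchain's code and not part of this PR: a URL gate of the kind the CVE-2023-32786 fix describes ("APIChain add restrictions to domains"), plus the matching in-scope rule for links discovered by a recursive crawler (the CVE-2023-46229 pattern, where crawling could proceed from an external server to an internal one). Function names and the sample URLs are constructed; hostnames are not resolved, so only IP literals and "localhost" are recognised as internal.

```python
import ipaddress
from typing import Set, Tuple
from urllib.parse import urljoin, urlsplit

# Assumption: only plain web schemes are ever fetched on behalf of a prompt.
ALLOWED_SCHEMES = {"http", "https"}


def host_is_allowed(host: str, allowlist: Set[str]) -> bool:
    """Exact match against an allowlisted name, or a subdomain of one.
    A bare substring test would let 'api.example.com.evil.net' through."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowlist)


def host_is_internal(host: str) -> bool:
    """True for IP literals that are not globally routable (loopback, private,
    link-local, ...) and for 'localhost'. Names are not resolved here, so a
    hostname that resolves to an internal address must stay off the allowlist."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return host.lower().rstrip(".") == "localhost"


def url_is_safe_to_fetch(url: str, allowlist: Set[str]) -> Tuple[bool, str]:
    """Gate a model-chosen URL before any request is made; returns (ok, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if not host:
        return False, "no host"
    if host_is_internal(host):
        return False, "host %r is not a global address" % host
    if not host_is_allowed(host, allowlist):
        return False, "host %r not in allowlist" % host
    return True, "ok"


def crawl_link_in_scope(seed_url: str, link: str) -> bool:
    """Recursive-crawl rule: follow a discovered link only if, resolved against
    the seed page, it stays on the seed's host and is not an internal address."""
    seed_host = urlsplit(seed_url).hostname or ""
    ok, _ = url_is_safe_to_fetch(urljoin(seed_url, link), {seed_host})
    return ok
```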

plural-renovate[bot] added the "dependencies" label (Pull requests that update a dependency file) Oct 25, 2023
plural-renovate[bot] force-pushed the renovate/pypi-langchain-vulnerability branch from 5442201 to 04899f2 October 30, 2023 21:37
plural-renovate[bot] changed the title from "chore(deps): update dependency langchain to v0.0.317 [security]" to "chore(deps): update dependency langchain to v0.0.325 [security]" Oct 30, 2023
plural-renovate[bot] force-pushed the renovate/pypi-langchain-vulnerability branch 2 times, most recently from 93623ac to 56b7e93 November 11, 2023 06:18
plural-renovate[bot] changed the title from "chore(deps): update dependency langchain to v0.0.325 [security]" to "chore(deps): update dependency langchain to v0.0.329 [security]" Nov 11, 2023
plural-renovate[bot] force-pushed the renovate/pypi-langchain-vulnerability branch 5 times, most recently from c74f1ed to 7a56bc4 November 14, 2023 03:03
plural-renovate[bot] changed the title from "chore(deps): update dependency langchain to v0.0.329 [security]" to "chore(deps): update dependency langchain to v0.0.329 [security] - autoclosed" Nov 27, 2023
plural-renovate[bot] closed this Nov 27, 2023
plural-renovate[bot] deleted the renovate/pypi-langchain-vulnerability branch November 27, 2023 17:38
plural-renovate[bot] changed the title from "chore(deps): update dependency langchain to v0.0.329 [security] - autoclosed" to "chore(deps): update dependency langchain to v0.0.329 [security]" Nov 27, 2023
plural-renovate[bot] reopened this Nov 27, 2023
plural-renovate[bot] restored the renovate/pypi-langchain-vulnerability branch November 27, 2023 19:46
plural-renovate[bot] force-pushed the renovate/pypi-langchain-vulnerability branch 2 times, most recently from 71d2232 to 0166bbd December 18, 2023 22:22
plural-renovate[bot] force-pushed the renovate/pypi-langchain-vulnerability branch 4 times, most recently from 568adec to 148af90 January 5, 2024 01:49
plural-renovate[bot] force-pushed the renovate/pypi-langchain-vulnerability branch from 148af90 to 18a4054 January 5, 2024 01:54
michaeljguarino merged commit c7045e2 into master Jan 5, 2024
5 of 10 checks passed
michaeljguarino deleted the renovate/pypi-langchain-vulnerability branch January 5, 2024 01:57