Patch various CVEs (#505)

Author: PastelStorm

.github/workflows/docker-publish.yml

@@ -10,7 +10,7 @@ env:
   DOCKER_BUILD_REPOSITORY: quay.io/unstructured-io/build-unstructured-api
   PACKAGE: "unstructured-api"
   PIPELINE_FAMILY: "general"
-  PIP_VERSION: "22.2.1"
+  PIP_VERSION: "25.1.1"
   PYTHON_VERSION: "3.10"
 
 jobs:

CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.0.85
+* Patch various CVEs
+* Bump Python version to 3.12, some packages no longer support 3.9
+
 ## 0.0.84
 * Patch h11 CVE
 * bump httpcore version due to h11 dependency

Makefile

@@ -1,7 +1,7 @@
 PIPELINE_FAMILY := general
 PIPELINE_PACKAGE := general
 PACKAGE_NAME := prepline_${PIPELINE_PACKAGE}
-PIP_VERSION := 23.2.1
+PIP_VERSION := 25.1.1
 ARCH := $(shell uname -m)
 
 .PHONY: help

prepline_general/api/app.py

@@ -1,10 +1,10 @@
-from fastapi import FastAPI, Request, status, HTTPException
-from fastapi.datastructures import FormData
-from fastapi.responses import JSONResponse
-from fastapi.security import APIKeyHeader
 import logging
 import os
 
+from fastapi import FastAPI, HTTPException, Request, status
+from fastapi.datastructures import FormData
+from fastapi.responses import JSONResponse
+
 from .general import router as general_router
 from .openapi import set_custom_openapi
 
@@ -13,7 +13,7 @@
 app = FastAPI(
     title="Unstructured Pipeline API",
     summary="Partition documents with the Unstructured library",
-    version="0.0.84",
+    version="0.0.85",
     docs_url="/general/docs",
     openapi_url="/general/openapi.json",
     servers=[

prepline_general/api/general.py

@@ -7,11 +7,9 @@
 import mimetypes
 import os
 import secrets
-import zipfile
 from base64 import b64encode
 from concurrent.futures import ThreadPoolExecutor
 from functools import partial
-from types import TracebackType
 from typing import IO, Any, Dict, List, Mapping, Optional, Sequence, Tuple, Union, cast
 
 import backoff
@@ -33,8 +31,8 @@
 from starlette.datastructures import Headers
 from starlette.types import Send
 
-from prepline_general.api.models.form_params import GeneralFormParams
 from prepline_general.api.filetypes import get_validated_mimetype
+from prepline_general.api.models.form_params import GeneralFormParams
 from unstructured.documents.elements import Element
 from unstructured.partition.auto import partition
 from unstructured.staging.base import (
@@ -602,7 +600,7 @@ def return_content_type(filename: str):
 
 
 @router.get("/general/v0/general", include_in_schema=False)
-@router.get("/general/v0.0.84/general", include_in_schema=False)
+@router.get("/general/v0.0.85/general", include_in_schema=False)
 async def handle_invalid_get_request():
     raise HTTPException(
         status_code=status.HTTP_405_METHOD_NOT_ALLOWED, detail="Only POST requests are supported."
@@ -617,7 +615,7 @@ async def handle_invalid_get_request():
     description="Description",
     operation_id="partition_parameters",
 )
-@router.post("/general/v0.0.84/general", include_in_schema=False)
+@router.post("/general/v0.0.85/general", include_in_schema=False)
 def general_partition(
     request: Request,
     # cannot use annotated type here because of a bug described here:

preprocessing-pipeline-family.yaml

@@ -1,2 +1,2 @@
 name: general
-version: 0.0.84
+version: 0.0.85

pyproject.toml

@@ -3,7 +3,7 @@ line-length = 100
 
 [tool.pyright]
 pythonPlatform = "Linux"
-pythonVersion = "3.9"
+pythonVersion = "3.12"
 reportUnnecessaryCast = true
 typeCheckingMode = "strict"
 

requirements/base.txt

@@ -45,7 +45,7 @@ coloredlogs==15.0.1
     # via onnxruntime
 contourpy==1.3.1
     # via matplotlib
-cryptography==44.0.0
+cryptography==44.0.1
     # via
     #   pdfminer-six
     #   unstructured-client
@@ -108,7 +108,7 @@ httpcore==1.0.9
     # via httpx
 httpx==0.28.1
     # via unstructured-client
-huggingface-hub==0.28.1
+huggingface-hub==0.32.1
     # via
     #   timm
     #   tokenizers
@@ -121,7 +121,7 @@ idna==3.10
     #   anyio
     #   httpx
     #   requests
-jinja2==3.1.5
+jinja2==3.1.6
     # via torch
 joblib==1.4.2
     # via nltk
@@ -332,7 +332,7 @@ starlette==0.41.2
     # via
     #   -c requirements/constraints.in
     #   fastapi
-sympy==1.13.1
+sympy==1.13.3
     # via
     #   onnxruntime
     #   torch
@@ -342,13 +342,13 @@ timm==1.0.14
     #   unstructured-inference
 tokenizers==0.21.0
     # via transformers
-torch==2.6.0
+torch==2.7.0
     # via
     #   effdet
     #   timm
     #   torchvision
     #   unstructured-inference
-torchvision==0.21.0
+torchvision==0.22.0
     # via
     #   effdet
     #   timm
@@ -358,7 +358,7 @@ tqdm==4.67.1
     #   nltk
     #   transformers
     #   unstructured
-transformers==4.48.2
+transformers==4.50.0
     # via unstructured-inference
 typing-extensions==4.12.2
     # via

requirements/test.txt

@@ -103,7 +103,7 @@ contourpy==1.3.1
     #   matplotlib
 coverage[toml]==7.6.10
     # via pytest-cov
-cryptography==44.0.0
+cryptography==44.0.1
     # via
     #   -r requirements/base.txt
     #   pdfminer-six
@@ -232,7 +232,7 @@ httpx==0.28.1
     #   -r requirements/test.in
     #   jupyterlab
     #   unstructured-client
-huggingface-hub==0.28.1
+huggingface-hub==0.32.1
     # via
     #   -r requirements/base.txt
     #   timm
@@ -269,7 +269,7 @@ isoduration==20.11.0
     # via jsonschema
 jedi==0.19.2
     # via ipython
-jinja2==3.1.5
+jinja2==3.1.6
     # via
     #   -r requirements/base.txt
     #   jupyter-server
@@ -765,7 +765,7 @@ starlette==0.41.2
     #   -c requirements/constraints.in
     #   -r requirements/base.txt
     #   fastapi
-sympy==1.13.1
+sympy==1.13.3
     # via
     #   -r requirements/base.txt
     #   onnxruntime
@@ -785,19 +785,19 @@ tokenizers==0.21.0
     # via
     #   -r requirements/base.txt
     #   transformers
-torch==2.6.0
+torch==2.7.0
     # via
     #   -r requirements/base.txt
     #   effdet
     #   timm
     #   torchvision
     #   unstructured-inference
-torchvision==0.21.0
+torchvision==0.22.0
     # via
     #   -r requirements/base.txt
     #   effdet
     #   timm
-tornado==6.4.2
+tornado==6.5.0
     # via
     #   ipykernel
     #   jupyter-client
@@ -828,7 +828,7 @@ traitlets==5.14.3
     #   nbclient
     #   nbconvert
     #   nbformat
-transformers==4.48.2
+transformers==4.50.0
     # via
     #   -r requirements/base.txt
     #   unstructured-inference

scripts/docker-build.sh

@@ -4,7 +4,7 @@ set -euo pipefail
 DOCKER_REPOSITORY="${DOCKER_REPOSITORY:-quay.io/unstructured-io/unstructured-api}"
 PIPELINE_PACKAGE=${PIPELINE_PACKAGE:-"general"}
 PIPELINE_FAMILY=${PIPELINE_FAMILY:-"general"}
-PIP_VERSION="${PIP_VERSION:-22.2.1}"
+PIP_VERSION="${PIP_VERSION:-25.1.1}"
 DOCKER_IMAGE="${DOCKER_IMAGE:-pipeline-family-${PIPELINE_FAMILY}-dev}"
 DOCKER_PLATFORM="${DOCKER_PLATFORM:-}"