Security Fixes - CVE Remediation (#4115)

Main Changes:

  1. Removed Clarifai Dependency
- Completely removed the clarifai dependency which is no longer used in
the codebase
- Removed clarifai from the unstructured-ingest extras list in
requirements/ingest/ingest.txt:1
- Removed clarifai test script reference from
test_unstructured_ingest/test-ingest-dest.sh:23

  2. Updated Dependencies to Resolve CVEs
  - pypdf: Updated from 6.1.1 → 6.1.3 (fixes GHSA-vr63-x8vc-m265)
- pip: Added explicit upgrade to >=25.3 in Dockerfile (fixes
GHSA-4xh5-x5gv-qwph)
  - uv: Addressed GHSA-8qf3-x8v5-2pj8 and GHSA-pqhf-p39g-3x64

  3. Dockerfile Security Enhancements (Dockerfile:17,28-29)
  - Added Alpine package upgrade for py3.12-pip
- Added explicit pip upgrade step before installing Python dependencies

  4. General Dependency Updates
  Ran pip-compile across all requirement files, resulting in updates to:
  - cryptography: 46.0.2 → 46.0.3
  - psutil: 7.1.0 → 7.1.3
  - rapidfuzz: 3.14.1 → 3.14.3
  - regex: 2025.9.18 → 2025.11.3
  - wrapt: 1.17.3 → 2.0.0
- Plus many other transitive dependencies across all extra requirement
files

  5. Version Bump
- Updated version from 0.18.16 → 0.18.17 in
unstructured/__version__.py:1
  - Updated CHANGELOG.md with security fixes documentation

  Impact:

This PR resolves 4 CVEs total without introducing breaking changes,
making it a pure security maintenance release.

---------

Co-authored-by: Claude <[email protected]>

Author: luke-kucing

CHANGELOG.md

@@ -1,3 +1,16 @@
+## 0.18.17
+
+### Enhancement
+
+### Features
+
+### Fixes
+- Removed `Clardy` dependency as it is no longer used
+- Bumped dependencies via pip-compile to address the following CVEs:
+  - **pypdf**: GHSA-vr63-x8vc-m265
+  - **pip**: GHSA-4xh5-x5gv-qwph
+  - **uv**: GHSA-8qf3-x8v5-2pj8 GHSA-pqhf-p39g-3x64
+
 ## 0.18.16
 
 ### Enhancement

Dockerfile

@@ -14,6 +14,7 @@ COPY example-docs example-docs
 
 RUN chown -R notebook-user:notebook-user /app && \
     apk add --no-cache font-ubuntu fontconfig git && \
+    apk upgrade --no-cache py3.12-pip && \
     fc-cache -fv && \
     [ -e /usr/bin/python3 ] || ln -s /usr/bin/$PYTHON /usr/bin/python3
 
@@ -24,6 +25,9 @@ ENV PATH="${PATH}:/home/notebook-user/.local/bin"
 ENV TESSDATA_PREFIX=/usr/local/share/tessdata
 ENV NLTK_DATA=/home/notebook-user/nltk_data
 
+# Upgrade pip to fix CVE-2025-8869
+RUN $PIP install --no-cache-dir --user --upgrade "pip>=25.3"
+
 # Install Python dependencies and download required NLTK packages
 RUN find requirements/ -type f -name "*.txt" ! -name "test.txt" ! -name "dev.txt" ! -name "constraints.txt" -exec $PIP install --no-cache-dir --user -r '{}' ';' && \
     mkdir -p ${NLTK_DATA} && \

requirements/base.txt

@@ -27,7 +27,7 @@ click==8.3.0
     # via
     #   nltk
     #   python-oxmsg
-cryptography==46.0.2
+cryptography==46.0.3
     # via unstructured-client
 dataclasses-json==0.6.7
     # via
@@ -85,11 +85,11 @@ packaging==25.0
     # via
     #   marshmallow
     #   unstructured-client
-psutil==7.1.0
+psutil==7.1.3
     # via -r ./base.in
 pycparser==2.23
     # via cffi
-pypdf==6.1.1
+pypdf==6.1.3
     # via unstructured-client
 python-dateutil==2.9.0.post0
     # via unstructured-client
@@ -99,9 +99,9 @@ python-magic==0.4.27
     # via -r ./base.in
 python-oxmsg==0.0.2
     # via -r ./base.in
-rapidfuzz==3.14.1
+rapidfuzz==3.14.3
     # via -r ./base.in
-regex==2025.9.18
+regex==2025.11.3
     # via nltk
 requests==2.32.5
     # via
@@ -141,14 +141,14 @@ typing-inspect==0.9.0
     #   unstructured-client
 unstructured-client==0.25.9
     # via
-    #   -c ./deps/constraints.txt
+    #   -c /Users/luke/git/unstructured/requirements/deps/constraints.txt
     #   -r ./base.in
 urllib3==2.5.0
     # via
-    #   -c ./deps/constraints.txt
+    #   -c /Users/luke/git/unstructured/requirements/deps/constraints.txt
     #   requests
     #   unstructured-client
 webencodings==0.5.1
     # via html5lib
-wrapt==1.17.3
+wrapt==2.0.0
     # via -r ./base.in

requirements/dev.txt

@@ -10,8 +10,8 @@ cfgv==3.4.0
     # via pre-commit
 click==8.3.0
     # via
-    #   -c ./base.txt
-    #   -c ./test.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
+    #   -c /Users/luke/git/unstructured/requirements/test.txt
     #   pip-tools
 distlib==0.4.0
     # via virtualenv
@@ -23,14 +23,14 @@ nodeenv==1.9.1
     # via pre-commit
 packaging==25.0
     # via
-    #   -c ./base.txt
-    #   -c ./test.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
+    #   -c /Users/luke/git/unstructured/requirements/test.txt
     #   build
 pip-tools==7.5.1
     # via -r ./dev.in
 platformdirs==4.5.0
     # via
-    #   -c ./test.txt
+    #   -c /Users/luke/git/unstructured/requirements/test.txt
     #   virtualenv
 pre-commit==4.3.0
     # via -r ./dev.in
@@ -42,15 +42,15 @@ pyyaml==6.0.3
     # via pre-commit
 tomli==2.3.0
     # via
-    #   -c ./test.txt
+    #   -c /Users/luke/git/unstructured/requirements/test.txt
     #   build
     #   pip-tools
 typing-extensions==4.15.0
     # via
-    #   -c ./base.txt
-    #   -c ./test.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
+    #   -c /Users/luke/git/unstructured/requirements/test.txt
     #   virtualenv
-virtualenv==20.35.3
+virtualenv==20.35.4
     # via pre-commit
 wheel==0.45.1
     # via pip-tools

requirements/extra-csv.txt

@@ -6,19 +6,19 @@
 #
 numpy==2.2.6
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   pandas
 pandas==2.3.3
     # via -r ./extra-csv.in
 python-dateutil==2.9.0.post0
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   pandas
 pytz==2025.2
     # via pandas
 six==1.17.0
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   python-dateutil
 tzdata==2025.2
     # via pandas

requirements/extra-docx.txt

@@ -6,11 +6,11 @@
 #
 lxml==6.0.2
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   python-docx
 python-docx==1.2.0
     # via -r ./extra-docx.in
 typing-extensions==4.15.0
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   python-docx

requirements/extra-markdown.txt

@@ -4,5 +4,5 @@
 #
 #    pip-compile ./extra-markdown.in
 #
-markdown==3.9
+markdown==3.10
     # via -r ./extra-markdown.in

requirements/extra-odt.txt

@@ -6,13 +6,13 @@
 #
 lxml==6.0.2
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   python-docx
 pypandoc==1.15
     # via -r ./extra-odt.in
 python-docx==1.2.0
     # via -r ./extra-odt.in
 typing-extensions==4.15.0
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   python-docx

requirements/extra-paddleocr.txt

@@ -14,65 +14,65 @@ annotated-types==0.7.0
     # via pydantic
 anyio==4.11.0
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   httpx
 beautifulsoup4==4.14.2
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   unstructured-paddleocr
 certifi==2025.10.5
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   httpcore
     #   httpx
     #   requests
 charset-normalizer==3.4.4
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   requests
-cython==3.1.4
+cython==3.2.0
     # via unstructured-paddleocr
 exceptiongroup==1.3.0
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   anyio
 fire==0.7.1
     # via unstructured-paddleocr
 fonttools==4.60.1
     # via unstructured-paddleocr
 h11==0.16.0
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   httpcore
 httpcore==1.0.9
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   httpx
 httpx==0.28.1
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   paddlepaddle
 idna==3.11
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   anyio
     #   httpx
     #   requests
-imageio==2.37.0
+imageio==2.37.2
     # via scikit-image
 lazy-loader==0.4
     # via scikit-image
 lxml==6.0.2
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   python-docx
 networkx==3.4.2
     # via
     #   paddlepaddle
     #   scikit-image
 numpy==2.2.6
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   albucore
     #   albumentations
     #   imageio
@@ -98,40 +98,40 @@ opt-einsum==3.3.0
     # via paddlepaddle
 packaging==25.0
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   lazy-loader
     #   scikit-image
-paddlepaddle==3.2.0
+paddlepaddle==3.2.1
     # via -r ./extra-paddleocr.in
-pillow==11.3.0
+pillow==12.0.0
     # via
     #   imageio
     #   paddlepaddle
     #   scikit-image
     #   unstructured-paddleocr
-protobuf==6.32.1
+protobuf==6.33.0
     # via
-    #   -c ./deps/constraints.txt
+    #   -c /Users/luke/git/unstructured/requirements/deps/constraints.txt
     #   paddlepaddle
 pyclipper==1.3.0.post6
     # via unstructured-paddleocr
-pydantic==2.12.2
+pydantic==2.12.4
     # via albumentations
-pydantic-core==2.41.4
+pydantic-core==2.41.5
     # via pydantic
 python-docx==1.2.0
     # via unstructured-paddleocr
 pyyaml==6.0.3
     # via
     #   albumentations
     #   unstructured-paddleocr
-rapidfuzz==3.14.1
+rapidfuzz==3.14.3
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   unstructured-paddleocr
 requests==2.32.5
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   unstructured-paddleocr
 safetensors==0.6.2
     # via paddlepaddle
@@ -147,25 +147,25 @@ simsimd==6.5.3
     # via albucore
 sniffio==1.3.1
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   anyio
 soupsieve==2.8
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   beautifulsoup4
-stringzilla==4.2.1
+stringzilla==4.2.3
     # via albucore
-termcolor==3.1.0
+termcolor==3.2.0
     # via fire
 tifffile==2025.5.10
     # via scikit-image
 tqdm==4.67.1
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   unstructured-paddleocr
 typing-extensions==4.15.0
     # via
-    #   -c ./base.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
     #   anyio
     #   beautifulsoup4
     #   exceptiongroup
@@ -180,6 +180,6 @@ unstructured-paddleocr==2.10.0
     # via -r ./extra-paddleocr.in
 urllib3==2.5.0
     # via
-    #   -c ./base.txt
-    #   -c ./deps/constraints.txt
+    #   -c /Users/luke/git/unstructured/requirements/base.txt
+    #   -c /Users/luke/git/unstructured/requirements/deps/constraints.txt
     #   requests