Merge pull request #115 from ansible/TamiTakamiya/AAP-52825/CVE-2025-6984-rework

TamiTakamiya · web-flow · commit 24bf9ff7b740 · 2025-09-15T18:51:59.000-04:00
Rework CVE-2025-6984
diff --git a/pdm.lock b/pdm.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -76,30 +76,30 @@ dependencies = [
     "langchain-ibm>=0.3.10",
     "llama-index>=0.12.28",
     "llama-index-core>=0.12.28",
-    "llama-index-vector-stores-faiss>=0.3.0",
-    "llama-index-embeddings-huggingface>=0.4.0",
+    "llama-index-vector-stores-faiss==0.3.0",
+    "llama-index-embeddings-huggingface==0.4.0",
     "uvicorn==0.32.1",
     "redis==5.2.0",
     "faiss-cpu==1.9.0.post1",
     "sentence-transformers==3.1.1",
     "openai>=1.77.0",
     "pyarrow==18.0.0",
     "ibm-generative-ai==3.0.0",
-    "ibm-cos-sdk>=2.13.6",
+    "ibm-cos-sdk==2.13.6",
     "langchain-openai>=0.3.16",
     "pydantic==2.9.2",
     "setuptools==78.1.1",
     "prometheus-client==0.20.0",
     "kubernetes==30.1.0",
     "psycopg2-binary==2.9.9",
     "azure-identity==1.18.0",
-    "langchain-community>=0.3.29",
+    "langchain-community>=0.3.27",
     "SQLAlchemy==2.0.35",
     "huggingface-hub>=0.33.1",
     "ibm-watsonx-ai>=1.3.3",
     "certifi==2024.8.30",
     "cryptography==44.0.1",
-    "urllib3>=2.2.3",
+    "urllib3==2.2.3",
     "nltk==3.9.1",
     "aiohttp==3.11.11",
     "zipp==3.20.1",
@@ -114,6 +114,8 @@ dependencies = [
     "msgpack==1.1.0",
     "llama-index-vector-stores-postgres>=0.4.0",
     "h11>=0.16.0",
+    # need to pin to avoid deadlock
+    "requests==2.32.2",
 ]
 requires-python = ">=3.11.1,<=3.12.8"
 readme = "README.md"
diff --git a/requirements.txt b/requirements.txt
@@ -320,12 +320,12 @@ httpx[socks]==0.27.2 \
 huggingface-hub[inference]==0.33.1 \
     --hash=sha256:589b634f979da3ea4b8bdb3d79f97f547840dc83715918daf0b64209c0844c7b \
     --hash=sha256:ec8d7444628210c0ba27e968e3c4c973032d44dcea59ca0d78ef3f612196f095
-ibm-cos-sdk==2.14.3 \
-    --hash=sha256:643b6f2aa1683adad7f432df23407d11ae5adb9d9ad01214115bee77dc64364a
-ibm-cos-sdk-core==2.14.3 \
-    --hash=sha256:85dee7790c92e8db69bf39dae4c02cac211e3c1d81bb86e64fa2d1e929674623
-ibm-cos-sdk-s3transfer==2.14.3 \
-    --hash=sha256:2251ebfc4a46144401e431f4a5d9f04c262a0d6f95c88a8e71071da056e55f72
+ibm-cos-sdk==2.13.6 \
+    --hash=sha256:171cf2ae4ab662a4b8ab58dcf4ac994b0577d6c92d78490295fd7704a83978f6
+ibm-cos-sdk-core==2.13.6 \
+    --hash=sha256:dd41fb789eeb65546501afabcd50e78846ab4513b6ad4042e410b6a14ff88413
+ibm-cos-sdk-s3transfer==2.13.6 \
+    --hash=sha256:e0acce6f380c47d11e07c6765b684b4ababbf5c66cc0503bc246469a1e2b9790
 ibm-generative-ai==3.0.0 \
     --hash=sha256:0d86297371a5bb7c41d143a8c770e068f37489b5ca88e6bd56dca61a4f6dc1a8 \
     --hash=sha256:e0c39a5c84356f7408de31988ee055349a4ab7ec7030f313fa1c19d76b2b6d85
@@ -385,24 +385,24 @@ jsonpointer==3.0.0 \
 kubernetes==30.1.0 \
     --hash=sha256:41e4c77af9f28e7a6c314e3bd06a8c6229ddd787cad684e0ab9f69b498e98ebc \
     --hash=sha256:e212e8b7579031dd2e512168b617373bc1e03888d41ac4e04039240a292d478d
-langchain==0.3.27 \
-    --hash=sha256:7b20c4f338826acb148d885b20a73a16e410ede9ee4f19bb02011852d5f98798 \
-    --hash=sha256:aa6f1e6274ff055d0fd36254176770f356ed0a8994297d1df47df341953cec62
-langchain-community==0.3.29 \
-    --hash=sha256:1f3d37973b10458052bb3cc02dce9773a8ffbd02961698c6d395b8c8d7f9e004 \
-    --hash=sha256:c876ec7ef40b46353af164197f4e08e157650e8a02c9fb9d49351cdc16c839fe
-langchain-core==0.3.76 \
-    --hash=sha256:46e0eb48c7ac532432d51f8ca1ece1804c82afe9ae3dcf027b867edadf82b3ec \
-    --hash=sha256:71136a122dd1abae2c289c5809d035cf12b5f2bb682d8a4c1078cd94feae7419
+langchain==0.3.26 \
+    --hash=sha256:361bb2e61371024a8c473da9f9c55f4ee50f269c5ab43afdb2b1309cb7ac36cf \
+    --hash=sha256:8ff034ee0556d3e45eff1f1e96d0d745ced57858414dba7171c8ebdbeb5580c9
+langchain-community==0.3.27 \
+    --hash=sha256:581f97b795f9633da738ea95da9cb78f8879b538090c9b7a68c0aed49c828f0d \
+    --hash=sha256:e1037c3b9da0c6d10bf06e838b034eb741e016515c79ef8f3f16e53ead33d882
+langchain-core==0.3.66 \
+    --hash=sha256:350c92e792ec1401f4b740d759b95f297710a50de29e1be9fbfff8676ef62117 \
+    --hash=sha256:65cd6c3659afa4f91de7aa681397a0c53ff9282425c281e53646dd7faf16099e
 langchain-ibm==0.3.13 \
     --hash=sha256:61f3ece7c665bb37da6809f60824a521420eeda84d00927414e76d9221340cc6 \
     --hash=sha256:ca68cbb4338b50fdffd08926e8901fa96ebe12e07422193decc2f46c32ab5ea1
 langchain-openai==0.3.26 \
     --hash=sha256:2f216b92195e43fc30a28af8842cf704e72abe3b0ae2cbf85004ca75c5274575 \
     --hash=sha256:6f8420f164095834477d13715bc08a7553cdc229df30110d390c3d8880b728f3
-langchain-text-splitters==0.3.11 \
-    --hash=sha256:7a50a04ada9a133bbabb80731df7f6ddac51bc9f1b9cab7fa09304d71d38a6cc \
-    --hash=sha256:cf079131166a487f1372c8ab5d0bfaa6c0a4291733d9c43a34a16ac9bcd6a393
+langchain-text-splitters==0.3.8 \
+    --hash=sha256:116d4b9f2a22dda357d0b79e30acf005c5518177971c66a9f1ab0edfdb0f912e \
+    --hash=sha256:e75cc0f4ae58dcf07d9f18776400cf8ade27fadd4ff6d264df6278bb302f6f02
 langsmith==0.4.3 \
     --hash=sha256:151d8cbf3d26a49f67bd720462eae20d3282196958f86b59d1ac1aad484c52f1 \
     --hash=sha256:b8ed57fb21fb3370bc7e4e8c4a3003017040336df694a66a34afe6f9872e68da
@@ -454,9 +454,9 @@ llama-index-readers-llama-parse==0.4.0 \
 llama-index-vector-stores-faiss==0.3.0 \
     --hash=sha256:2148163dba1222c855bd367a7b796bc35d46dc2e77d57bafd321ba14aac00177 \
     --hash=sha256:c9df99dd00fe7058606ef4fce113535fa30b73edd650136be87c9b5b240df3f9
-llama-index-vector-stores-postgres==0.5.4 \
-    --hash=sha256:40fa6757c7ddccc1a23f5413f6676e339583c5bfb3364dbf7e371aab5d94ed07 \
-    --hash=sha256:df6f05ffd7c148e4d3663ab386cf059a76fb59b3c9b34110add97fc154a16e2a
+llama-index-vector-stores-postgres==0.5.2 \
+    --hash=sha256:51926e4e350f814ca10c4615b0e153980e411ef71a6bec83bc547e740d424ff9 \
+    --hash=sha256:a70b4db043ac590f772b316ff59e3937d39da5e17bb9d3f4422fbaa96e066e53
 llama-parse==0.6.34 \
     --hash=sha256:395174c3c4d22dc372ab310727de2b3fc4e268e36f11fe9959a95bfa9cf63d66 \
     --hash=sha256:a228619806687ff7b3fb44f21210e98c337f7e05f19374f0fb52196158caae0d
@@ -894,9 +894,9 @@ regex==2024.11.6 \
     --hash=sha256:e5364a4502efca094731680e80009632ad6624084aff9a23ce8c8c6820de3e51 \
     --hash=sha256:f2a19f302cd1ce5dd01a9099aaa19cae6173306d1302a43b627f62e21cf18ac0 \
     --hash=sha256:fdd6028445d2460f33136c55eeb1f601ab06d74cb3347132e1c24250187500d9
-requests==2.32.5 \
-    --hash=sha256:2462f94637a34fd532264295e186976db0f5d453d1cdd31473c85a6a161affb6 \
-    --hash=sha256:dbba0bac56e100853db0ea71b82b4dfd5fe2bf6d3754a8893c3af500cec7d7cf
+requests==2.32.2 \
+    --hash=sha256:dd951ff5ecf3e3b3aa26b40703ba77495dab41da839ae72ef3c8e5d8e2433289 \
+    --hash=sha256:fc06670dd0ed212426dfeb94fc1b983d917c4f9847c863f313c9dfaaffb7c23c
 requests-oauthlib==2.0.0 \
     --hash=sha256:7dd8a5c40426b779b0868c404bdef9768deccf22749cde15852df527e6269b36 \
     --hash=sha256:b3dffaebd884d8cd778494369603a9e7b58d29111bf6b41bdc2dcd87203af4e9
@@ -1079,9 +1079,9 @@ tzdata==2025.2 \
 unearth==0.17.5 \
     --hash=sha256:9963e66b14f0484644c9b45b517e530befb2de6a8da4b06a9a38bed2d086dfe6 \
     --hash=sha256:a19e1c02e64b40518d088079c7416fc41b45a648b81a4128aac02597234ee6ba
-urllib3==2.5.0 \
-    --hash=sha256:3fc47733c7e419d4bc3f6b3dc2b4f890bb743906a30d56ba4a5bfa4bbff92760 \
-    --hash=sha256:e6b01673c0fa6a13e374b50871808eb3bf7046c4b125b216f6bf1cc604cff0dc
+urllib3==2.2.3 \
+    --hash=sha256:ca899ca043dcb1bafa3e262d73aa25c465bfb49e0bd9dd5d59f1d0acba2f8fac \
+    --hash=sha256:e7d814a81dad81e6caf2ec9fdedb284ecc9c73076b62654547cc64ccdcae26e9
 uvicorn==0.32.1 \
     --hash=sha256:82ad92fd58da0d12af7482ecdb5f2470a04c9c9a53ced65b9bbb4a205377602e \
     --hash=sha256:ee9519c246a72b1c084cea8d3b44ed6026e78a4a309cbedae9c37e4cb9fbb175
