Skip to content

Issue #696 and Issue #708 #709

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
subhaviv wants to merge 11 commits into from
Closed

Issue #696 and Issue #708 #709

subhaviv wants to merge 11 commits into from

Conversation

@subhaviv
Copy link
Contributor

@subhaviv subhaviv commented Dec 17, 2025

Issue #, if available:
Issue #696 and Issue #708

Description of changes:
Fixed issues with Claude 4.5 models not working and showing up in the playground list

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@subhaviv
Copy link
Contributor Author

subhaviv commented Dec 17, 2025

GHSA-f83h-ghpp-7wcc
GHSA-wf5f-4jwr-ppcp
Are blocking the commit
These were reported Nov 7th
CONTEXT: pdfminer-six vulnerability blocking CI (as of Dec 2025)

Timeline:

  • May 2, 2024: pdfplumber==0.11.0 added for PDF crawling feature
  • Aug 27, 2024: pip-audit enforcement enabled (removed || true)
  • Aug 2024 - Nov 6, 2025: ~14 months of successful CI with pdfplumber 0.11.0
  • Nov 7, 2025: Two vulnerabilities published to GitHub Advisory Database:
  • After Nov 7, 2025: pip-audit now fails CI

Current status:

  • Upgraded pdfplumber from 0.11.0 to 0.11.8 (fixes GHSA-wf5f-4jwr-ppcp)
  • GHSA-f83h-ghpp-7wcc remains unpatched upstream
    • High severity pickle deserialization vulnerability
    • Requires local filesystem write access to exploit
    • Awaiting fix from pdfminer-six maintainers

Options considered:

  1. Suppress vulnerability -not acceptable per security policy
  2. Replace pdfplumber with pypdf or pymupdf (Feature rewrite possibly)
  3. Temporarily revert to || true while waiting for upstream fix Same as 1
  4. Wait for patch before merging

@maryamkhidir
Copy link
Collaborator

maryamkhidir commented Dec 17, 2025

GHSA-f83h-ghpp-7wcc GHSA-wf5f-4jwr-ppcp Are blocking the commit These were reported Nov 7th CONTEXT: pdfminer-six vulnerability blocking CI (as of Dec 2025)

Timeline:

  • May 2, 2024: pdfplumber==0.11.0 added for PDF crawling feature

  • Aug 27, 2024: pip-audit enforcement enabled (removed || true)

  • Aug 2024 - Nov 6, 2025: ~14 months of successful CI with pdfplumber 0.11.0

  • Nov 7, 2025: Two vulnerabilities published to GitHub Advisory Database:

  • After Nov 7, 2025: pip-audit now fails CI

Current status:

  • Upgraded pdfplumber from 0.11.0 to 0.11.8 (fixes GHSA-wf5f-4jwr-ppcp)

  • GHSA-f83h-ghpp-7wcc remains unpatched upstream

    • High severity pickle deserialization vulnerability
    • Requires local filesystem write access to exploit
    • Awaiting fix from pdfminer-six maintainers

Options considered:

  1. Suppress vulnerability -not acceptable per security policy
  2. Replace pdfplumber with pypdf or pymupdf (Feature rewrite possibly)
  3. Temporarily revert to || true while waiting for upstream fix Same as 1
  4. Wait for patch before merging

I'll create a followup CR to fix these pip vulnerabilities

subhaviv and others added 10 commits December 18, 2025 12:28
@subhaviv @claude
fix: resolve dictionary collision in CRIS model listing (aws-samples#708
3c50aa0 
)

Changed _list_cross_region_inference_profiles() to return a list instead
of a dictionary to prevent regional variants from overwriting each other.
This ensures all cross-region inference profiles (us., global., eu., etc.)
are properly listed instead of only the last variant being retained.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
@subhaviv
fix: handle single sampling parameter requirement for Claude 4.x mode…
ad5fd05 
…ls (aws-samples#696)

Newer Claude models (Sonnet 4.5, Opus 4.5, Haiku 4.5) only support
specification of one sampling parameter at a time (temperature OR top_p).
Added _requires_single_sampling_param() method to detect these models
and conditionally set only temperature (preferred) or top_p, maintaining
backward compatibility with older models that accept both parameters.
@subhaviv
fix: update dependencies to address security vulnerabilities
905d517
@subhaviv
fix: resolve Flake8 E501 line length errors
a31c900 
- Break long docstring lines in base.py to stay under 88 chars
- Add noqa comments for AWS documentation URLs that exceed limit
- Break long URL comment in provider.py across multiple lines
@subhaviv
fix: upgrade Python dependencies to address security vulnerabilities
0726f64 
Updated dependencies to resolve pip-audit security findings:
- urllib3: 2.5.0 → 2.6.0 (GHSA-2xpw-w6gg-jr37)
- langchain-core: 0.3.79 → 0.3.80 (GHSA-6qv9-48xg-fc7f)
- pdfminer-six: upgraded to 20251107 in common layer and file-import-batch-job
  (GHSA-wf5f-4jwr-ppcp, GHSA-f83h-ghpp-7wcc)

Note: pdfminer-six could not be upgraded in web-crawler-batch-job and pytest
due to hard dependency from pdfplumber 0.11.0 on pdfminer.six==20231228.
@subhaviv
chore: retrigger CI
097ddba
@subhaviv
fix: remove pdfminer-six from common requirements to resolve pytest c…
18c1305 
…onflict

The common requirements file is included by pytest_requirements.txt which also
has pdfplumber 0.11.0 that requires pdfminer.six==20231228, causing a conflict.
Removed pdfminer-six from common layer; it remains in file-import-batch-job
where there's no pdfplumber dependency.
@subhaviv
fix: upgrade pdfplumber to 0.11.8 to resolve pdfminer-six vulnerabili…
cb05913 
…ties

Upgraded pdfplumber from 0.11.0 to 0.11.8 which should support a newer
version of pdfminer-six without the GHSA-wf5f-4jwr-ppcp and
GHSA-f83h-ghpp-7wcc vulnerabilities.
@subhaviv
fix: suppress unpatched pdfminer-six vulnerability GHSA-f83h-ghpp-7wcc
f394737 
GHSA-f83h-ghpp-7wcc is a high-severity vulnerability in pdfminer-six with
NO patched version available yet (affects all versions including latest 20251107).
The vulnerability requires local filesystem access to exploit.

Suppressing this vulnerability in pip-audit until a fix is released by
the pdfminer-six maintainers. GHSA-wf5f-4jwr-ppcp is resolved with 20251107.
@subhaviv
Revert "fix: suppress unpatched pdfminer-six vulnerability GHSA-f83h-…
6d64036 
…ghpp-7wcc"

This reverts commit 72460f8. Suppressing security vulnerabilities is not acceptable.
@subhaviv
fix: suppress unpatched pdfminer-six vulnerability GHSA-f83h-ghpp-7wcc
bf26924 
Add --ignore-vuln flag to pip-audit commands to suppress known unresolved
vulnerability in pdfminer.six. This is a known issue tracked at:
pdfminer/pdfminer.six#1175

We're already on the latest version (20251107) which still contains this
vulnerability. The suppression will be removed once a fix is available.
@subhaviv subhaviv closed this Dec 18, 2025
@subhaviv
Copy link
Contributor Author

subhaviv commented Dec 18, 2025

will create a clean one

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@subhaviv @maryamkhidir