fix: override pypdf and uv to patched versions for CVE-2026-40260 and GHSA-pjjw-68hj-v9mw

This commit is contained in:
Greyson LaLonde
2026-04-13 21:04:37 +08:00
committed by GitHub
parent a4e7b322c5
commit c8694fbed2
2 changed files with 9 additions and 2 deletions


@@ -162,7 +162,7 @@ info = "Commits must follow Conventional Commits 1.0.0."
[tool.uv]
exclude-newer = "2026-04-10" # pinned for CVE-2026-39892; restore to "3 days" after 2026-04-11
exclude-newer = "3 days"
# composio-core pins rich<14 but textual requires rich>=14.
# onnxruntime 1.24+ dropped Python 3.10 wheels; cap it so qdrant[fastembed] resolves on 3.10.
@@ -170,6 +170,8 @@ exclude-newer = "2026-04-10" # pinned for CVE-2026-39892; restore to "3 days" a
# langchain-core <1.2.28 has GHSA-926x-3r5x-gfhw (incomplete f-string validation).
# transformers 4.57.6 has CVE-2026-1839; force 5.4+ (docling 2.84 allows huggingface-hub>=1).
# cryptography 46.0.6 has CVE-2026-39892; force 46.0.7+.
# pypdf <6.10.0 has CVE-2026-40260; force 6.10.0+.
# uv <0.11.6 has GHSA-pjjw-68hj-v9mw; force 0.11.6+.
override-dependencies = [
"rich>=13.7.1",
"onnxruntime<1.24; python_version < '3.11'",
@@ -178,6 +180,8 @@ override-dependencies = [
"urllib3>=2.6.3",
"transformers>=5.4.0; python_version >= '3.10'",
"cryptography>=46.0.7",
"pypdf>=6.10.0,<7",
"uv>=0.11.6,<1",
]
[tool.uv.workspace]
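Review bot: The `uv>=0.11.6,<1` override in the last hunk only constrains uv when it is resolved as a Python package inside this environment; it does not govern the uv executable that performs `uv lock`/`uv sync`, which is what GHSA-pjjw-68hj-v9mw would affect if the advisory targets the tool rather than the library. To make a patched resolver mandatory, add `required-version = ">=0.11.6"` under `[tool.uv]` (the table header sits at the top of the first hunk, outside this one) and reword the comment to `# uv <0.11.6 has GHSA-pjjw-68hj-v9mw; force 0.11.6+ where uv is a resolved package; required-version covers the tool itself.`. The rolling `exclude-newer = "3 days"` that the first hunk appears to restore will hide pypdf 6.10.0 or uv 0.11.6 if either was published inside that window, turning these overrides into a hard resolution failure rather than an upgrade, so their release dates are worth checking against the 2026-04-10 cutoff. The `<7` and `<1` upper bounds are also unexplained by the comments while the sibling `cryptography>=46.0.7` and `urllib3>=2.6.3` overrides carry none; because an override replaces every requirement for that package in the graph, the caps deserve a one-line justification or should be dropped.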