Update TensorFlow dependency to address CVE-2026-2492 (Uncontrolled Search Path Element)

Hello,

It seems that the Tensorflow versions currently allowed by Meridian include a known vulnerability: CVE-2026-2492.
The pyproject.toml currently allows:
tensorflow >= 2.18, < 2.21

Here is the official CVE record : https://www.cve.org/CVERecord?id=CVE-2026-2492

Suggested fix :
Set Tensorflow minimum version requirements to >= 2.21.0, which seems to be the minimum version fixing the CVE.

Thank you !

[gousesb]

Hello @ghost,

Thank you for bringing CVE-2026-2492 to our attention regarding the TensorFlow requirements in Meridian.

While I’ve reviewed the CVE record you shared, it doesn't explicitly detail the fix or mitigation steps. Could you please provide additional information or documentation showing how version 2.21.0 specifically resolves this vulnerability? Once we have that clarification, we can better evaluate updating the requirements in the pyproject.toml file.

Feel free to reach out for any further queries or feedback regarding Meridian.

Google Meridian Support Team

[elie-pont-1]

Hello and thank you for your answer.
You can find more information in this record :
https://security-tracker.debian.org/tracker/CVE-2026-2492

And here is the tensorflow commit released in 2.21.0 to adress the CVE : tensorflow/tensorflow@46e7f7f

[gousesb]

Hello @elie-pont-1

Thank you for providing the additional details and the specific commit reference. We are now evaluating the compatibility of TensorFlow 2.21 with Meridian and will be taking action to address this. We appreciate you bringing this to our attention.

Feel free to reach out for any further queries or feedback regarding Meridian.

Google Meridian Support Team