fix: address 6 Dependabot security vulnerabilities

imran-siddique · Copilot · imran-siddique · commit 5d0420d570b6 · 2026-04-20T07:47:20.000-07:00
- python-multipart 0.0.22 → 0.0.26 (DoS via large preamble/epilogue) - pytest 8.4.1 → 9.0.3 (tmpdir handling vulnerability) - langchain-core 1.2.11 → 1.2.28 (SSRF, path traversal, f-string validation) - langchain-core >=0.2.0,<1.0 → >=1.2.28 in langchain-agentmesh pyproject.toml - tsup 8.0.0 → 8.5.1 (DOM clobbering vulnerability) - rand 0.8.5: dismissed microsoft#176 as inaccurate (vuln affects rand::rng() 0.9.x API only) Fixes Dependabot alerts: microsoft#177, microsoft#175, microsoft#166, microsoft#164, microsoft#157, microsoft#156 Dismissed: microsoft#176 (not applicable to rand 0.8.x) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/packages/agent-os/modules/caas/requirements.txt b/packages/agent-os/modules/caas/requirements.txt
@@ -4,7 +4,7 @@ pydantic==2.10.3
 pypdf==6.7.5  # CVE fix: all DoS/infinite-loop vulnerabilities
 beautifulsoup4==4.12.2
 lxml==5.3.0
-python-multipart==0.0.22
+python-multipart==0.0.26
 tiktoken==0.8.0
 numpy==1.26.4
 scikit-learn==1.6.1
diff --git a/packages/agent-os/modules/scak/requirements.txt b/packages/agent-os/modules/scak/requirements.txt
@@ -27,7 +27,7 @@ anthropic==0.39.0  # For Claude API integration
 # =============================================================================
 # Testing and Development
 # =============================================================================
-pytest==8.4.1
+pytest==9.0.3
 pytest-asyncio==1.1.0
 
 # =============================================================================
@@ -40,7 +40,7 @@ jupyter==1.1.1  # For interactive notebooks
 
 # LangChain Integration
 langchain==0.3.14  # For LangChain integration
-langchain-core==1.2.11  # CVE fix: SSRF via image_url token counting
+langchain-core==1.2.28  # CVE fix: SSRF, path traversal, f-string validation
 
 # Distributed Computing (uncomment as needed)
 # ray>=2.8.0  # For distributed execution
diff --git a/packages/agentmesh-integrations/copilot-governance/package.json b/packages/agentmesh-integrations/copilot-governance/package.json
@@ -40,7 +40,7 @@
   "homepage": "https://github.com/microsoft/agent-governance-toolkit/tree/main/packages/agentmesh-integrations/copilot-governance",
   "devDependencies": {
     "@types/node": "20.0.0",
-    "tsup": "8.0.0",
+    "tsup": "8.5.1",
     "typescript": "5.7.3",
     "vitest": "3.0.5"
   }
diff --git a/packages/agentmesh-integrations/langchain-agentmesh/pyproject.toml b/packages/agentmesh-integrations/langchain-agentmesh/pyproject.toml
@@ -34,7 +34,7 @@ classifiers = [
     "Topic :: Security :: Cryptography",
 ]
 dependencies = [
-    "langchain-core>=0.2.0,<1.0",
+    "langchain-core>=1.2.28",
     "cryptography>=45.0.3,<47.0",
 ]
 

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@`
`40`	`40`	`"homepage": "https://github.com/microsoft/agent-governance-toolkit/tree/main/packages/agentmesh-integrations/copilot-governance",`
`41`	`41`	`"devDependencies": {`
`42`	`42`	`"@types/node": "20.0.0",`
`43`		`- "tsup": "8.0.0",`
	`43`	`+ "tsup": "8.5.1",`
`44`	`44`	`"typescript": "5.7.3",`
`45`	`45`	`"vitest": "3.0.5"`
`46`	`46`	`}`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ classifiers = [`
`34`	`34`	`"Topic :: Security :: Cryptography",`
`35`	`35`	`]`
`36`	`36`	`dependencies = [`
`37`		`- "langchain-core>=0.2.0,<1.0",`
	`37`	`+ "langchain-core>=1.2.28",`
`38`	`38`	`"cryptography>=45.0.3,<47.0",`
`39`	`39`	`]`
`40`	`40`