search

googleapis / langchain-google-memorystore-redis-python

Apache License 2.0
13 stars 6 forks source link

chore(deps): update dependency langchain-core to v0.1.34 [security] - autoclosed #60

Closed renovate-bot closed 7 months ago

renovate-bot commented 7 months ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
langchain-core ==0.1.32 -> ==0.1.34 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-1455

The XMLOutputParser in LangChain uses the etree module from the XML parser in the standard python library which has some XML vulnerabilities; see: https://docs.python.org/3/library/xml.html

This primarily affects users that combine an LLM (or agent) with the XMLOutputParser and expose the component via an endpoint on a web-service.

This would allow a malicious party to attempt to manipulate the LLM to produce a malicious payload for the parser that would compromise the availability of the service.

A successful attack is predicated on:

  1. Usage of XMLOutputParser
  2. Passing of malicious input into the XMLOutputParser either directly or by trying to manipulate an LLM to do so on the users behalf
  3. Exposing the component via a web-service

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

â™» Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

dpebot commented 7 months ago

/gcbrun