fix: resolve security vulnerabilities in dependencies (#2059)

Python (uv.lock): - langchain-core 1.2.7 → 1.2.18 (SSRF via image_url token counting) - langgraph 1.0.7 → 1.1.1 (unsafe msgpack deserialization) - flask 3.1.2 → 3.1.3 (missing Vary: Cookie header) - werkzeug 3.1.5 → 3.1.6 (Windows special device name in safe_join) npm (web/pnpm-lock.yaml): - minimatch updated to fix ReDoS vulnerabilities
2026-06-02 03:55:55 +00:00 · 2026-03-12 20:09:19 +08:00
parent 8b8cfb76de
commit d7df1f05d1
3 changed files with 302 additions and 301 deletions
--- a/web/package.json
+++ b/web/package.json
@@ -102,5 +102,10 @@
    "typescript": "^5.8.3",
    "typescript-eslint": "^8.31.1"
  },
-  "packageManager": "pnpm@8.9.2+sha512.b9d35fe91b2a5854dadc43034a3e7b2e675fa4b56e20e8e09ef078fa553c18f8aed44051e7b36e8b8dd435f97eb0c44c4ff3b44fc7c6fa7d21e1fac17bbe661e"
-}
+  "packageManager": "pnpm@8.9.2+sha512.b9d35fe91b2a5854dadc43034a3e7b2e675fa4b56e20e8e09ef078fa553c18f8aed44051e7b36e8b8dd435f97eb0c44c4ff3b44fc7c6fa7d21e1fac17bbe661e",
+  "pnpm": {
+    "overrides": {
+      "minimatch": "3.1.3"
+    }
+  }
+}