Skip to content

fix(deps): bump aiohttp >=3.14.1, bleach >=6.4.0, react-router-dom >=7.15.0 [NSPECT-S62Q-PZUD]#709

Draft
nv-rag-cve-bot[bot] wants to merge 3 commits into
developfrom
cve-fix/NSPECT-S62Q-PZUD-20260707-022824
Draft

fix(deps): bump aiohttp >=3.14.1, bleach >=6.4.0, react-router-dom >=7.15.0 [NSPECT-S62Q-PZUD]#709
nv-rag-cve-bot[bot] wants to merge 3 commits into
developfrom
cve-fix/NSPECT-S62Q-PZUD-20260707-022824

Conversation

@nv-rag-cve-bot

@nv-rag-cve-bot nv-rag-cve-bot Bot commented Jul 7, 2026

Copy link
Copy Markdown

Security fix — NSPECT-S62Q-PZUD (collection: NSPECT-UV6I-R3V9 + NSPECT-O8B9-SHZ8)

Track: B — RECOMMENDATION (UNVERIFIED)
Program version: 26.05.2 (repo: 2.6.0.rc1)

CVEs addressed

CVE / Advisory Package Severity Fix
CVE-2026-50269 aiohttp Critical (9.3) >=3.14.1
CVE-2026-54274, 54277, 54279, 54280 aiohttp High >=3.14.1
BDSA-2026-15483, 15484, 15486 bleach High >=6.4.0
GHSA-rxv8-25v2-qmq8, GHSA-49rj-9fvp-4h2h, GHSA-8646-j5j9-6r62, GHSA-8x6r-g9mw-2r78 react-router-dom High >=7.15.0

Files changed

aiohttp — version floor raised to >=3.14.1 in all manifest + lockfile locations:

  • pyproject.toml (override-dependencies), uv.lock
  • requirements.txt, scripts/requirements.txt, tests/integration/requirements.txt
  • examples/nvidia_rag_mcp/requirements.txt
  • examples/rag_react_agent/pyproject.toml + uv.lock
  • scripts/rag-perf/pyproject.toml + uv.lock
  • scripts/eval/pyproject.toml + uv.lock

bleach — direct dep floor raised: bleach>=6.2,<7.0bleach>=6.4.0,<7.0

  • pyproject.toml, uv.lock, examples/rag_react_agent/uv.lock

react-router-dom — specifier raised: ^7.12.0^7.15.0, resolved to 7.18.1

  • frontend/package.json, frontend/pnpm-lock.yaml

Validation

CI pipeline validation (--validate pipeline) — unit tests, lint, frontend tests, and GPU docker-tests gating. No local scanner run (uv venv lacks pip; Track B lockfile evidence used).

Bleach advisory: bleach 6.4.0 is the final release (project EOL). Migration to nh3 is recommended as a follow-on task.

Commits

  1. fix(deps): bump aiohttp to >=3.14.1 — all Python manifests/lockfiles
  2. fix(deps): bump react-router-dom to >=7.15.0 — frontend
  3. chore(security): add CVE fix report — local audit artifact, do not squash into main

Note

The cve-fix-reports/ commit is a local audit artifact. It can be excluded from the squash merge or main history if not desired upstream.

🤖 Generated with Claude Code

NVIDIA RAG Agentic CVE Fix and others added 3 commits July 7, 2026 02:30
…7/79/80)

Five aiohttp CVEs (1 Critical 9.3, 4 High) fixed by raising the minimum
version to 3.14.1 across all manifest and lockfile locations:

- pyproject.toml: add aiohttp>=3.14.1 to [tool.uv] override-dependencies
- uv.lock: resolved 3.14.1
- requirements.txt: pin aiohttp>=3.14.1 (was unpinned)
- scripts/requirements.txt: aiohttp==3.12.14 -> aiohttp>=3.14.1
- tests/integration/requirements.txt: floor raised to >=3.14.1
- examples/nvidia_rag_mcp/requirements.txt: floor raised to >=3.14.1
- examples/rag_react_agent/pyproject.toml: add override-dependencies
- examples/rag_react_agent/uv.lock: resolved 3.14.1
- scripts/rag-perf/pyproject.toml: add override-dependencies
- scripts/rag-perf/uv.lock: resolved 3.14.1
- scripts/eval/pyproject.toml: add override-dependencies
- scripts/eval/uv.lock: resolved 3.14.1

nSpect: NSPECT-S62Q-PZUD (children: NSPECT-UV6I-R3V9, NSPECT-O8B9-SHZ8)
Track: B (RECOMMENDATION - UNVERIFIED; pip-audit unavailable in uv venv)
Validation: CI pipeline (--validate pipeline); Phase 9 pending.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: NVIDIA RAG Agentic CVE Fix <foundational-rag-dev@exchange.nvidia.com>
…SA-49rj, GHSA-8646, GHSA-8x6r)

Four react-router-dom High CVEs fixed by raising the minimum version:

- frontend/package.json: "^7.12.0" -> "^7.15.0"
- frontend/pnpm-lock.yaml: resolved react-router-dom@7.18.1, react-router@7.18.1

No API breaking changes — BrowserRouter/Routes/Route/useNavigate/useLocation
APIs used in this repo are stable and unchanged across 7.12->7.18.

nSpect: NSPECT-S62Q-PZUD
Track: B (RECOMMENDATION - UNVERIFIED)
Validation: CI pipeline (--validate pipeline); Phase 9 pending.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: NVIDIA RAG Agentic CVE Fix <foundational-rag-dev@exchange.nvidia.com>
Security audit report for aiohttp, bleach, and react-router-dom CVEs.
Report directory: cve-fix-reports/NSPECT-S62Q-PZUD-20260707-022824/

Do not merge this commit to main — reports are local audit artifacts.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: NVIDIA RAG Agentic CVE Fix <foundational-rag-dev@exchange.nvidia.com>
@copy-pr-bot

copy-pr-bot Bot commented Jul 7, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants