Merge pull request #87 from mongodb/dependabot/25_and_26-dev

cbullinger · web-flow · commit 709b3507b19a · 2026-02-13T15:02:47.000-05:00
fix: bump langchain-core and pillow for security fixes
diff --git a/mflix/server/python-fastapi/requirements.in b/mflix/server/python-fastapi/requirements.in
@@ -64,3 +64,5 @@ rich-toolkit~=0.15.1    # Extensions for the 'rich' library
 filelock>=3.20.3        # Transitive dep via huggingface-hub
 aiohttp>=3.13.3         # Transitive dep via voyageai
 orjson>=3.11.7          # Transitive dep via langsmith (CVE fix)
+langchain-core>=1.2.11  # Transitive dep via langchain-text-splitters (CVE-2026-26013 fix)
+pillow>=12.1.1          # Transitive dep via voyageai (CVE-2026-25990 fix)
diff --git a/mflix/server/python-fastapi/requirements.txt b/mflix/server/python-fastapi/requirements.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.13
 # by the following command:
 #
-#    pip-compile requirements.in
+#    pip-compile --output-file=requirements.txt requirements.in
 #
 aiohappyeyeballs==2.6.1
     # via aiohttp
@@ -99,8 +99,10 @@ jsonpatch==1.33
     # via langchain-core
 jsonpointer==3.0.0
     # via jsonpatch
-langchain-core==1.2.9
-    # via langchain-text-splitters
+langchain-core==1.2.11
+    # via
+    #   -r requirements.in
+    #   langchain-text-splitters
 langchain-text-splitters==1.1.0
     # via voyageai
 langsmith==0.6.9
@@ -125,8 +127,10 @@ packaging==26.0
     #   langchain-core
     #   langsmith
     #   pytest
-pillow==12.1.0
-    # via voyageai
+pillow==12.1.1
+    # via
+    #   -r requirements.in
+    #   voyageai
 pluggy==1.6.0
     # via pytest
 propcache==0.4.1
