chore(deps): bump idna from 3.11 to 3.15 in /examples/example-ai-groq

[dependabot]

Bumps idna from 3.11 to 3.15.

Changelog

Sourced from idna's changelog.

3.15 (2026-05-12)

• Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.
• Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.
• Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.
• Allow flit_core 4.x in the build backend.
• Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.
• Add Dependabot configuration for GitHub Actions.
• Convert README and HISTORY from reStructuredText to Markdown.
• Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

3.14 (2026-05-10)

• Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

3.13 (2026-04-22)

• Correct classification error for codepoint U+A7F1

3.12 (2026-04-21)

• Update to Unicode 17.0.0.
• Issue a deprecation warning for the transitional argument.
• Added lazy-loading to provide some performance improvements.
• Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.

Thanks to Rodrigo Nogueira for contributions to this release.

Commits

• af30a09 Release 3.15
• 30314d4 Pre-release 3.15rc0
• 05d4b21 Merge pull request #237 from kjd/convert-docs-to-markdown
• 2987fdb Convert README and HISTORY from reStructuredText to Markdown
• 59fa800 Merge pull request #236 from kjd/dependabot/github_actions/actions-f3e34333ea
• def6983 Merge branch 'master' into dependabot/github_actions/actions-f3e34333ea
• bbd8004 Merge pull request #234 from StanFromIreland/patch-1
• edd07c0 Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions group
• 5557db0 Merge branch 'master' into patch-1
• f11746c Merge pull request #235 from StanFromIreland/patch-2
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	semantic-kernel@​1.36.0
	django@​5.2.7
	django@​5.2.4
	setuptools@​80.9.0
	setuptools@​82.0.1
	litellm@​1.83.7
	langchain-community@​0.4.1
	google-genai@​1.69.0
	google-genai@​1.68.0
	langchain-core@​1.2.23
	langchain-core@​1.2.22
	wheel@​0.45.1
	lxml@​6.0.0
	mypy@​1.16.1
	langgraph@​1.1.3
	langgraph@​1.1.4
	crewai@​0.95.0
	llama-index@​0.14.19
	pydantic-ai@​1.71.0
	pytest@​8.4.1
	pytest@​8.4.2
	openai-agents@​0.13.1
	google-genai@​1.24.0
	pre-commit@​4.2.0
	coverage@​7.9.2
	dspy@​3.1.3
	openai@​2.29.0
	openai@​2.30.0
	portkey-ai@​2.2.0
	smolagents@​1.24.0
	instructor@​1.14.5
	uvicorn@​0.42.0
	uvicorn@​0.35.0
See 65 more rows in the dashboard

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Critical CVE: Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. CVE: GHSA-frmv-pr5f-9mcr Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. (CRITICAL) Affected versions: >= 5.2a1 < 5.2.8; >= 5.0a1 < 5.1.14; < 4.2.26 Patched version: 5.2.8 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Critical CVE: Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. CVE: GHSA-frmv-pr5f-9mcr Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. (CRITICAL) Affected versions: >= 5.2a1 < 5.2.8; >= 5.0a1 < 5.1.14; < 4.2.26 Patched version: 5.2.8 From: integration_tests/django5/pyproject.toml → pypi/django@5.2.7 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Critical CVE: Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK in pypi semantic-kernel CVE: GHSA-2ww3-72rp-wpp4 Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK (CRITICAL) Affected versions: < 1.39.3 Patched version: 1.39.3 From: examples/example-ai-semantic-kernel/pyproject.toml → pypi/semantic-kernel@1.36.0 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/semantic-kernel@1.36.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Critical CVE: Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution in pypi semantic-kernel CVE: GHSA-xjw9-4gw8-4rqx Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution (CRITICAL) Affected versions: < 1.39.4 Patched version: 1.39.4 From: examples/example-ai-semantic-kernel/pyproject.toml → pypi/semantic-kernel@1.36.0 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/semantic-kernel@1.36.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django is subject to SQL injection through its column aliases CVE: GHSA-6w2r-r2m5-xq5w Django is subject to SQL injection through its column aliases (HIGH) Affected versions: < 4.2.24; >= 5.0a1 < 5.1.12; >= 5.2a1 < 5.2.6 Patched version: 5.2.6 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django has an SQL Injection issue CVE: GHSA-gvg8-93h5-g6qq Django has an SQL Injection issue (HIGH) Affected versions: >= 6.0a1 < 6.0.2; >= 5.2a1 < 5.2.11; >= 4.2a1 < 4.2.28 Patched version: 5.2.11 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django has an SQL Injection issue CVE: GHSA-mwm9-4648-f68q Django has an SQL Injection issue (HIGH) Affected versions: >= 6.0a1 < 6.0.2; >= 5.2a1 < 5.2.11; >= 4.2a1 < 4.2.28 Patched version: 5.2.11 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django vulnerable to Uncontrolled Resource Consumption CVE: GHSA-8p8v-wh79-9r56 Django vulnerable to Uncontrolled Resource Consumption (HIGH) Affected versions: >= 6.0 < 6.0.3; >= 5.2 < 5.2.12; >= 4.2 < 4.2.29 Patched version: 5.2.12 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django vulnerable to ASGI header spoofing via underscore/hyphen conflation CVE: GHSA-mvfq-ggxm-9mc5 Django vulnerable to ASGI header spoofing via underscore/hyphen conflation (HIGH) Affected versions: >= 6.0 < 6.0.4; >= 5.2 < 5.2.13; >= 4.2 < 4.2.30 Patched version: 5.2.13 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django: SGI requests with a missing or understated Content-Length header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit CVE: GHSA-933h-hp56-hf7m Django: SGI requests with a missing or understated Content-Length header could bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit (HIGH) Affected versions: >= 6.0 < 6.0.4; >= 5.2 < 5.2.13; >= 4.2 < 4.2.30 Patched version: 5.2.13 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django vulnerable to SQL injection in column aliases CVE: GHSA-hpr9-3m2g-3j9p Django vulnerable to SQL injection in column aliases (HIGH) Affected versions: >= 4.2 < 4.2.25; >= 5.1 < 5.1.13; >= 5.2 < 5.2.7 Patched version: 5.2.7 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows CVE: GHSA-qw25-v68c-qjf3 Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows (HIGH) Affected versions: >= 5.2a1 < 5.2.8; >= 5.0a1 < 5.1.14; < 4.2.26 Patched version: 5.2.8 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django has an SQL Injection issue CVE: GHSA-gvg8-93h5-g6qq Django has an SQL Injection issue (HIGH) Affected versions: >= 6.0a1 < 6.0.2; >= 5.2a1 < 5.2.11; >= 4.2a1 < 4.2.28 Patched version: 5.2.11 From: integration_tests/django5/pyproject.toml → pypi/django@5.2.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django has an SQL Injection issue CVE: GHSA-mwm9-4648-f68q Django has an SQL Injection issue (HIGH) Affected versions: >= 6.0a1 < 6.0.2; >= 5.2a1 < 5.2.11; >= 4.2a1 < 4.2.28 Patched version: 5.2.11 From: integration_tests/django5/pyproject.toml → pypi/django@5.2.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django vulnerable to Uncontrolled Resource Consumption CVE: GHSA-8p8v-wh79-9r56 Django vulnerable to Uncontrolled Resource Consumption (HIGH) Affected versions: >= 6.0 < 6.0.3; >= 5.2 < 5.2.12; >= 4.2 < 4.2.29 Patched version: 5.2.12 From: integration_tests/django5/pyproject.toml → pypi/django@5.2.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django vulnerable to ASGI header spoofing via underscore/hyphen conflation CVE: GHSA-mvfq-ggxm-9mc5 Django vulnerable to ASGI header spoofing via underscore/hyphen conflation (HIGH) Affected versions: >= 6.0 < 6.0.4; >= 5.2 < 5.2.13; >= 4.2 < 4.2.30 Patched version: 5.2.13 From: integration_tests/django5/pyproject.toml → pypi/django@5.2.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django: SGI requests with a missing or understated Content-Length header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit CVE: GHSA-933h-hp56-hf7m Django: SGI requests with a missing or understated Content-Length header could bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit (HIGH) Affected versions: >= 6.0 < 6.0.4; >= 5.2 < 5.2.13; >= 4.2 < 4.2.30 Patched version: 5.2.13 From: integration_tests/django5/pyproject.toml → pypi/django@5.2.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows CVE: GHSA-qw25-v68c-qjf3 Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows (HIGH) Affected versions: >= 5.2a1 < 5.2.8; >= 5.0a1 < 5.1.14; < 4.2.26 Patched version: 5.2.8 From: integration_tests/django5/pyproject.toml → pypi/django@5.2.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad load() allowlists in pypi `langchain-core` CVE: GHSA-pjwx-r37v-7724 LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad load() allowlists (HIGH) Affected versions: >= 1.0.0 < 1.3.3; < 0.3.85 Patched version: 1.3.3 From: pyproject.toml → pypi/langchain-core@1.2.22 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/langchain-core@1.2.22. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad load() allowlists in pypi `langchain-core` CVE: GHSA-pjwx-r37v-7724 LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad load() allowlists (HIGH) Affected versions: >= 1.0.0 < 1.3.3; < 0.3.85 Patched version: 1.3.3 From: examples/example-ai-langchain/uv.lock → pypi/langchain-core@1.2.23 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/langchain-core@1.2.23. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: LiteLLM has a sandbox escape in custom-code guardrail CVE: GHSA-wxxx-gvqv-xp7p LiteLLM has a sandbox escape in custom-code guardrail (HIGH) Affected versions: >= 1.81.8 < 1.83.10 Patched version: 1.83.10 From: examples/example-ai-crewai/pyproject.toml → pypi/litellm@1.83.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/litellm@1.83.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: pypi lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files CVE: GHSA-vfmq-68hx-4jfw lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files (HIGH) Affected versions: < 6.1.0 Patched version: 6.1.0 From: pyproject.toml → pypi/lxml@6.0.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/lxml@6.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Wheel Affected by Arbitrary File Permission Modification via Path Traversal in pypi wheel unpack CVE: GHSA-8rrh-rw8j-w5fx Wheel Affected by Arbitrary File Permission Modification via Path Traversal in wheel unpack (HIGH) Affected versions: >= 0.40.0 < 0.46.2 Patched version: 0.46.2 From: pyproject.toml → pypi/wheel@0.45.1 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/wheel@0.45.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[github-actions]

posthog-python Compliance Report

Date: 2026-05-21 13:33:01 UTC
Duration: 4674173ms

⚠️ Some Tests Failed

29/45 tests passed, 16 failed

---

Capture Tests

✅ 29/29 tests passed

View Details

Test	Status	Duration
Format Validation.Event Has Required Fields	✅	517ms
Format Validation.Event Has Uuid	✅	1507ms
Format Validation.Event Has Lib Properties	✅	1507ms
Format Validation.Distinct Id Is String	✅	1507ms
Format Validation.Token Is Present	✅	1507ms
Format Validation.Custom Properties Preserved	✅	1507ms
Format Validation.Event Has Timestamp	✅	1507ms
Retry Behavior.Retries On 503	✅	9518ms
Retry Behavior.Does Not Retry On 400	✅	3506ms
Retry Behavior.Does Not Retry On 401	✅	3507ms
Retry Behavior.Respects Retry After Header	✅	9514ms
Retry Behavior.Implements Backoff	✅	23527ms
Retry Behavior.Retries On 500	✅	7502ms
Retry Behavior.Retries On 502	✅	7512ms
Retry Behavior.Retries On 504	✅	7516ms
Retry Behavior.Max Retries Respected	✅	23528ms
Deduplication.Generates Unique Uuids	✅	1496ms
Deduplication.Preserves Uuid On Retry	✅	7509ms
Deduplication.Preserves Uuid And Timestamp On Retry	✅	14524ms
Deduplication.Preserves Uuid And Timestamp On Batch Retry	✅	7505ms
Deduplication.No Duplicate Events In Batch	✅	1508ms
Deduplication.Different Events Have Different Uuids	✅	1507ms
Compression.Sends Gzip When Enabled	✅	1507ms
Batch Format.Uses Proper Batch Structure	✅	1507ms
Batch Format.Flush With No Events Sends Nothing	✅	1005ms
Batch Format.Multiple Events Batched Together	✅	1506ms
Error Handling.Does Not Retry On 403	✅	3509ms
Error Handling.Does Not Retry On 413	✅	3508ms
Error Handling.Retries On 408	✅	7514ms

Feature_Flags Tests

⚠️ 0/16 tests passed, 16 failed

View Details

Test	Status	Duration
Request Payload.Request With Person Properties Device Id	❌	505ms
Request Payload.Flags Request Uses V2 Query Param	❌	300131ms
Request Payload.Flags Request Hits Flags Path Not Decide	❌	301061ms
Request Payload.Flags Request Omits Authorization Header	❌	300973ms
Request Payload.Token In Flags Body Matches Init	❌	301027ms
Request Payload.Groups Round Trip	❌	300994ms
Request Payload.Groups Default To Empty Object	❌	300907ms
Request Payload.Person Properties Distinct Id Auto Populated When Caller Omits It	❌	301046ms
Request Payload.Disable Geoip False Propagates As Geoip Disable False	❌	300986ms
Request Payload.Disable Geoip Omitted Defaults To False	❌	300992ms
Request Payload.Flag Keys To Evaluate Contains Only Requested Key	❌	300984ms
Request Lifecycle.No Flags Request On Init Alone	❌	301091ms
Request Lifecycle.No Flags Request On Normal Capture	❌	300901ms
Request Lifecycle.Two Flag Calls Produce Two Remote Requests	❌	301058ms
Request Lifecycle.Mock Response Value Is Returned To Caller	❌	301040ms
Side Effect Events.Get Feature Flag Captures Feature Flag Called Event	❌	300942ms

Failures

request_payload.request_with_person_properties_device_id

Field 'token' not found in /flags request body at path 'token'. Available keys: ['distinct_id', 'groups', 'person_properties', 'group_properties', 'geoip_disable', 'device_id', 'flag_keys_to_evaluate', 'sentAt', 'api_key']

request_payload.flags_request_uses_v2_query_param

No error message

request_payload.flags_request_hits_flags_path_not_decide

No error message

request_payload.flags_request_omits_authorization_header

No error message

request_payload.token_in_flags_body_matches_init

No error message

request_payload.groups_round_trip

No error message

request_payload.groups_default_to_empty_object

No error message

request_payload.person_properties_distinct_id_auto_populated_when_caller_omits_it

No error message

request_payload.disable_geoip_false_propagates_as_geoip_disable_false

No error message

request_payload.disable_geoip_omitted_defaults_to_false

No error message

request_payload.flag_keys_to_evaluate_contains_only_requested_key

No error message

request_lifecycle.no_flags_request_on_init_alone

No error message

request_lifecycle.no_flags_request_on_normal_capture

No error message

request_lifecycle.two_flag_calls_produce_two_remote_requests

No error message

request_lifecycle.mock_response_value_is_returned_to_caller

No error message

side_effect_events.get_feature_flag_captures_feature_flag_called_event

No error message