Bump deps: concurrent-ruby + httpclient5/httpcore5 (Mend HIGH; opennlp/webrick/pypdf blocked)#1962
Open
odosk wants to merge 2 commits into
Open
Bump deps: concurrent-ruby + httpclient5/httpcore5 (Mend HIGH; opennlp/webrick/pypdf blocked)#1962odosk wants to merge 2 commits into
odosk wants to merge 2 commits into
Conversation
4482f30 to
633bd78
Compare
633bd78 to
2d41e6f
Compare
2d41e6f to
3748d01
Compare
3748d01 to
7311f92
Compare
7311f92 to
a040233
Compare
Regenerated Gemfile.lock via bundle lock --update (Bundler 4.0.6) in an isolated container. Bumps concurrent-ruby 1.3.6 -> 1.3.7 (CVE-2026-54904), plus floating transitive deps to latest. The opennlp-tools CVEs in the lucene-linguistics example cannot be fixed in this scope (transitive via Lucene 9.x); see PR body. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…-54399, CVE-2026-54428) 5.6.2 pulls httpcore5 5.4.3, which fixes the httpcore5 / httpcore5-h2 CVEs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
a040233 to
8e44cbd
Compare
Contributor
Author
|
TL;DR: the one red check (
Posted by Claude (security-workflow) on behalf of @odosk. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Sweeps HIGH/CRITICAL Mend findings on VESPANG-3395: the docs
concurrent-rubygem and (added 2026-07-10) thehttpclient5/httpcore5pair inexamples/reranker. Rebased onto latestmaster. Several findings remain unfixable in this scope — see below.Changed Files
Gemfile.lock— regenerated viabundle lock --update(Bundler 4.0.6) in an isolated container:concurrent-ruby:1.3.6→1.3.7(fixes CVE-2026-54904)google-protobuf4.35.0→4.35.1,i18n1.14.8→1.15.2,io-event1.16.1→1.16.2,json2.19.8→2.19.9examples/reranker/pom.xml—httpclient5:5.6.1→5.6.2(pullshttpcore55.4.3, fixing the httpcore5 CVEs)CVEs Addressed
Verified against the GitHub Advisory Database / OSV.dev / Maven Central:
lucene-analysis-opennlp, pinned to the platform Lucene (${lucene.vespa.version}→ 9.12.3). Fixed inopennlp-tools2.5.9, but Lucene 9.x'slucene-analysis-opennlpis compiled against the opennlp 1.9 API — force-overriding to 2.5.x compiles but fails at runtime (NoSuchMethodError). Needs a platform Lucene 10 upgrade; this example tracks the platform version.1.9.2is the latest published gem and is itself the flagged version (dev-only Jekyll toolchain dep). Tracked at ruby/webrick#199. Nothing to bump to.src/legacy-requirements.txtis auv pip compileoutput that currently cannot be regenerated:pyproject.tomlhas a pre-existing unsatisfiable constraint (transformers==5.12.0vsvidore-benchmark[interpretability]requiringtransformers<5.0.0). Hand-editing the compiled file is disallowed. Path forward: resolve the transformers/vidore-benchmark conflict, thenuv pip compile pyproject.toml -o src/legacy-requirements.txt --upgrade-package pypdf --upgrade-package httplib2.Implementation Notes
concurrent-rubyis transitive (viajekyll~> 1.0); regenerating the lock floats it to1.3.7without aGemfilechange.httpclient55.6.2 (2026) bumps its managedhttpcore.versionto5.4.3(confirmed inhttpclient5-parent-5.6.2.pom), which is the first httpcore5 release fixing the HTTP/1.1 parser DoS — this supersedes the earlier "no fixed release exists" note.BUNDLED WITH(4.0.6) andCHECKSUMSpreserved.Verification
grep concurrent-ruby Gemfile.lockconfirms1.3.7;httpclient55.6.2 inexamples/reranker/pom.xml.🤖 Generated with Claude Code