From dad0c461a5e34d22107da7d05eb36d57f5061c47 Mon Sep 17 00:00:00 2001
From: Cory Bullinger <cory.bullinger@mongodb.com>
Date: Wed, 11 Feb 2026 16:41:12 -0500
Subject: [PATCH] fix: bump langchain-core and pillow for security fixes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- langchain-core: 1.2.9 → 1.2.11 (CVE-2026-26013 fix per Dependabot alert #25)
- pillow: 12.1.0 → 12.1.1 (CVE-2026-25990 fix per Dependabot alert #26)
---
 mflix/server/python-fastapi/requirements.in  |  2 ++
 mflix/server/python-fastapi/requirements.txt | 14 +++++++++-----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/mflix/server/python-fastapi/requirements.in b/mflix/server/python-fastapi/requirements.in
index c50a667..baf2bf5 100644
--- a/mflix/server/python-fastapi/requirements.in
+++ b/mflix/server/python-fastapi/requirements.in
@@ -64,3 +64,5 @@ rich-toolkit~=0.15.1    # Extensions for the 'rich' library
 filelock>=3.20.3        # Transitive dep via huggingface-hub
 aiohttp>=3.13.3         # Transitive dep via voyageai
 orjson>=3.11.7          # Transitive dep via langsmith (CVE fix)
+langchain-core>=1.2.11  # Transitive dep via langchain-text-splitters (CVE-2026-26013 fix)
+pillow>=12.1.1          # Transitive dep via voyageai (CVE-2026-25990 fix)
diff --git a/mflix/server/python-fastapi/requirements.txt b/mflix/server/python-fastapi/requirements.txt
index 29e4311..9082a76 100644
--- a/mflix/server/python-fastapi/requirements.txt
+++ b/mflix/server/python-fastapi/requirements.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.13
 # by the following command:
 #
-#    pip-compile requirements.in
+#    pip-compile --output-file=requirements.txt requirements.in
 #
 aiohappyeyeballs==2.6.1
     # via aiohttp
@@ -99,8 +99,10 @@ jsonpatch==1.33
     # via langchain-core
 jsonpointer==3.0.0
     # via jsonpatch
-langchain-core==1.2.9
-    # via langchain-text-splitters
+langchain-core==1.2.11
+    # via
+    #   -r requirements.in
+    #   langchain-text-splitters
 langchain-text-splitters==1.1.0
     # via voyageai
 langsmith==0.6.9
@@ -125,8 +127,10 @@ packaging==26.0
     #   langchain-core
     #   langsmith
     #   pytest
-pillow==12.1.0
-    # via voyageai
+pillow==12.1.1
+    # via
+    #   -r requirements.in
+    #   voyageai
 pluggy==1.6.0
     # via pytest
 propcache==0.4.1