Update packages with vulns in container builds (#861)

* Fix vulns-flagged imports * Fix archaic pulls in the "trustgraph" package * Add unstructured to meta package
2026-05-01 11:26:22 +02:00 · 2026-04-30 20:02:53 +01:00 · 2026-04-30 20:02:53 +01:00 · 9be257ceee
commit 9be257ceee
parent 89f058d35b
9 changed files with 32 additions and 23 deletions
--- a/containers/Containerfile.base
+++ b/containers/Containerfile.base
@ -11,8 +11,9 @@ ENV PIP_BREAK_SYSTEM_PACKAGES=1
 RUN dnf install -y python3.13 && \
  alternatives --install /usr/bin/python python /usr/bin/python3.13 1 && \
  python -m ensurepip --upgrade && \
+  pip3 install --no-cache-dir --upgrade 'pip>=26.0' 'setuptools>=78.1.1' && \
  pip3 install --no-cache-dir build wheel aiohttp && \
-  pip3 install --no-cache-dir pulsar-client==3.7.0 && \
+  pip3 install --no-cache-dir pulsar-client==3.11.0 && \
  dnf clean all

 # ----------------------------------------------------------------------------
--- a/containers/Containerfile.bedrock
+++ b/containers/Containerfile.bedrock
@ -11,8 +11,9 @@ ENV PIP_BREAK_SYSTEM_PACKAGES=1
 RUN dnf install -y python3.13 && \
  alternatives --install /usr/bin/python python /usr/bin/python3.13 1 && \
  python -m ensurepip --upgrade && \
+  pip3 install --no-cache-dir --upgrade 'pip>=26.0' 'setuptools>=78.1.1' && \
  pip3 install --no-cache-dir build wheel aiohttp && \
-  pip3 install --no-cache-dir pulsar-client==3.7.0 && \
+  pip3 install --no-cache-dir pulsar-client==3.11.0 && \
  dnf clean all

 # ----------------------------------------------------------------------------
--- a/containers/Containerfile.flow
+++ b/containers/Containerfile.flow
@ -11,18 +11,19 @@ ENV PIP_BREAK_SYSTEM_PACKAGES=1
 RUN dnf install -y python3.13 && \
  alternatives --install /usr/bin/python python /usr/bin/python3.13 1 && \
  python -m ensurepip --upgrade && \
+  pip3 install --no-cache-dir --upgrade 'pip>=26.0' 'setuptools>=78.1.1' && \
  pip3 install --no-cache-dir build wheel aiohttp rdflib && \
-  pip3 install --no-cache-dir pulsar-client==3.7.0 && \
+  pip3 install --no-cache-dir pulsar-client==3.11.0 && \
  dnf clean all

 RUN pip3 install --no-cache-dir \
    anthropic cohere mistralai openai \
    ollama \
-    langchain==0.3.25 langchain-core==0.3.60 \
-    langchain-text-splitters==0.3.8 \
-    langchain-community==0.3.24 \
+    langchain==1.2.16 langchain-core==1.3.2 \
+    langchain-text-splitters==1.1.2 \
+    langchain-community==0.4.1 \
    pymilvus \
-    pulsar-client==3.7.0 scylla-driver pyyaml \
+    pulsar-client==3.11.0 scylla-driver pyyaml \
    neo4j tiktoken falkordb && \
    pip3 cache purge

--- a/containers/Containerfile.hf
+++ b/containers/Containerfile.hf
@ -8,8 +8,9 @@ ENV PIP_BREAK_SYSTEM_PACKAGES=1
 RUN dnf install -y python3.12 && \
  alternatives --install /usr/bin/python python /usr/bin/python3.12 1 && \
  python -m ensurepip --upgrade && \
+  pip3 install --no-cache-dir --upgrade 'pip>=26.0' 'setuptools>=78.1.1' && \
  pip3 install --no-cache-dir build wheel aiohttp && \
-  pip3 install --no-cache-dir pulsar-client==3.7.0 && \
+  pip3 install --no-cache-dir pulsar-client==3.11.0 && \
  dnf clean all

 # This won't work on ARM
@ -19,15 +20,15 @@ RUN dnf install -y python3.12 && \
 RUN pip3 install torch

 RUN pip3 install --no-cache-dir \
-    langchain==0.3.25 langchain-core==0.3.60 langchain-huggingface==0.2.0 \
-    langchain-community==0.3.24 \
-    sentence-transformers==4.1.0 transformers==4.51.3 \
-    huggingface-hub==0.31.2 \
-    pulsar-client==3.7.0
+    langchain==1.2.16 langchain-core==1.3.2 langchain-huggingface==1.2.2 \
+    langchain-community==0.4.1 \
+    sentence-transformers==5.4.1 transformers==5.7.0 \
+    huggingface-hub==1.13.0 \
+    pulsar-client==3.11.0

 # Most commonly used embeddings model, just build it into the container
 # image
-RUN huggingface-cli download sentence-transformers/all-MiniLM-L6-v2
+RUN hf download sentence-transformers/all-MiniLM-L6-v2

 # ----------------------------------------------------------------------------
 # Build a container which contains the built Python packages.  The build
--- a/containers/Containerfile.mcp
+++ b/containers/Containerfile.mcp
@ -11,6 +11,7 @@ ENV PIP_BREAK_SYSTEM_PACKAGES=1
 RUN dnf install -y python3.13 && \
  alternatives --install /usr/bin/python python /usr/bin/python3.13 1 && \
  python -m ensurepip --upgrade && \
+  pip3 install --no-cache-dir --upgrade 'pip>=26.0' 'setuptools>=78.1.1' && \
  pip3 install --no-cache-dir mcp websockets && \
  dnf clean all

--- a/containers/Containerfile.ocr
+++ b/containers/Containerfile.ocr
@ -12,8 +12,9 @@ RUN dnf install -y python3.13 && \
  dnf install -y tesseract poppler-utils && \
  alternatives --install /usr/bin/python python /usr/bin/python3.13 1 && \
  python -m ensurepip --upgrade && \
+  pip3 install --no-cache-dir --upgrade 'pip>=26.0' 'setuptools>=78.1.1' && \
  pip3 install --no-cache-dir build wheel aiohttp && \
-  pip3 install --no-cache-dir pulsar-client==3.7.0 && \
+  pip3 install --no-cache-dir pulsar-client==3.11.0 && \
  dnf clean all

 # ----------------------------------------------------------------------------
--- a/containers/Containerfile.unstructured
+++ b/containers/Containerfile.unstructured
@ -10,8 +10,9 @@ ENV PIP_BREAK_SYSTEM_PACKAGES=1
 RUN dnf install -y python3.13 libxcb mesa-libGL && \
  alternatives --install /usr/bin/python python /usr/bin/python3.13 1 && \
  python -m ensurepip --upgrade && \
+  pip3 install --no-cache-dir --upgrade 'pip>=26.0' 'setuptools>=78.1.1' && \
  pip3 install --no-cache-dir build wheel aiohttp && \
-  pip3 install --no-cache-dir pulsar-client==3.7.0 && \
+  pip3 install --no-cache-dir pulsar-client==3.11.0 && \
  dnf clean all

 # ----------------------------------------------------------------------------
--- a/containers/Containerfile.vertexai
+++ b/containers/Containerfile.vertexai
@ -11,8 +11,9 @@ ENV PIP_BREAK_SYSTEM_PACKAGES=1
 RUN dnf install -y python3.13 && \
  alternatives --install /usr/bin/python python /usr/bin/python3.13 1 && \
  python -m ensurepip --upgrade && \
+  pip3 install --no-cache-dir --upgrade 'pip>=26.0' 'setuptools>=78.1.1' && \
  pip3 install --no-cache-dir build wheel aiohttp && \
-  pip3 install --no-cache-dir pulsar-client==3.7.0 && \
+  pip3 install --no-cache-dir pulsar-client==3.11.0 && \
  pip3 install --no-cache-dir google-cloud-aiplatform && \
  dnf clean all

--- a/trustgraph/pyproject.toml
+++ b/trustgraph/pyproject.toml
@ -10,12 +10,13 @@ description = "TrustGraph provides a means to run a pipeline of flexible AI proc
 readme = "README.md"
 requires-python = ">=3.8"
 dependencies = [
-    "trustgraph-base>=1.8,<1.9",
-    "trustgraph-bedrock>=1.8,<1.9",
-    "trustgraph-cli>=1.8,<1.9",
-    "trustgraph-embeddings-hf>=1.8,<1.9",
-    "trustgraph-flow>=1.8,<1.9",
-    "trustgraph-vertexai>=1.8,<1.9",
+    "trustgraph-base>=2.4,<2.5",
+    "trustgraph-bedrock>=2.4,<2.5",
+    "trustgraph-cli>=2.4,<2.5",
+    "trustgraph-embeddings-hf>=2.4,<2.5",
+    "trustgraph-flow>=2.4,<2.5",
+    "trustgraph-unstructured>=2.4,<2.5",
+    "trustgraph-vertexai>=2.4,<2.5",
 ]
 classifiers = [
    "Programming Language :: Python :: 3",