manual fix for open CVEs (#4085)

Author: luke-kucing

CHANGELOG.md

@@ -1,4 +1,4 @@
-## 0.18.14-dev0
+## 0.18.14
 
 ### Enhancements
 - Speed up function sentence_count by 59% (codeflash)
@@ -11,7 +11,14 @@
 ### Fixes
 
 - **change short text language detection log to debug** reduce warning level log spamming
-
+  - Bumped dependencies via pip-compile to address the following CVEs:
+    - **Python 3.12/3.13**: CVE-2025-8194, GHSA-v594-44hm-2j7p
+    - **glibc & related (glibc, glibc-locale-posix, ld-linux, libcrypt1)**: CVE-2025-8058, GHSA-8xjp-c72j-67q8
+    - **aiohttp**: GHSA-9548-qrrj-x5pj
+    - **openjpeg**: CVE-2025-54874
+    - **pypdf**: GHSA-7hfw-26vp-jp8m
+    - **transformers**: GHSA-9356-575x-2w9m
+    - **urllib3**: GHSA-48p4-8xcf-vxj5
 
 ## 0.18.13
 

requirements/base.txt

@@ -1,39 +1,39 @@
 #
-# This file is autogenerated by pip-compile with Python 3.10
+# This file is autogenerated by pip-compile with Python 3.9
 # by the following command:
 #
 #    pip-compile ./base.in
 #
-anyio==4.9.0
+anyio==4.10.0
     # via httpx
 backoff==2.2.1
     # via -r ./base.in
-beautifulsoup4==4.13.4
+beautifulsoup4==4.13.5
     # via -r ./base.in
-certifi==2025.7.14
+certifi==2025.8.3
     # via
     #   httpcore
     #   httpx
     #   requests
     #   unstructured-client
 cffi==1.17.1
     # via cryptography
-charset-normalizer==3.4.2
+charset-normalizer==3.4.3
     # via
     #   -r ./base.in
     #   requests
     #   unstructured-client
-click==8.2.1
+click==8.1.8
     # via
     #   nltk
     #   python-oxmsg
-cryptography==45.0.5
+cryptography==45.0.6
     # via unstructured-client
 dataclasses-json==0.6.7
     # via
     #   -r ./base.in
     #   unstructured-client
-deepdiff==8.5.0
+deepdiff==8.6.0
     # via unstructured-client
 emoji==2.14.1
     # via -r ./base.in
@@ -61,7 +61,7 @@ jsonpath-python==1.0.6
     # via unstructured-client
 langdetect==1.0.9
     # via -r ./base.in
-lxml==6.0.0
+lxml==6.0.1
     # via -r ./base.in
 marshmallow==3.26.1
     # via
@@ -75,7 +75,7 @@ nest-asyncio==1.6.0
     # via unstructured-client
 nltk==3.9.1
     # via -r ./base.in
-numpy==2.2.6
+numpy==2.0.2
     # via -r ./base.in
 olefile==0.47
     # via python-oxmsg
@@ -89,7 +89,7 @@ psutil==7.0.0
     # via -r ./base.in
 pycparser==2.22
     # via cffi
-pypdf==5.8.0
+pypdf==6.0.0
     # via unstructured-client
 python-dateutil==2.9.0.post0
     # via unstructured-client
@@ -101,9 +101,9 @@ python-oxmsg==0.0.2
     # via -r ./base.in
 rapidfuzz==3.13.0
     # via -r ./base.in
-regex==2024.11.6
+regex==2025.7.34
     # via nltk
-requests==2.32.4
+requests==2.32.5
     # via
     #   -r ./base.in
     #   requests-toolbelt
@@ -124,7 +124,7 @@ tqdm==4.67.1
     # via
     #   -r ./base.in
     #   nltk
-typing-extensions==4.14.1
+typing-extensions==4.15.0
     # via
     #   -r ./base.in
     #   anyio
@@ -140,14 +140,14 @@ typing-inspect==0.9.0
     #   unstructured-client
 unstructured-client==0.25.9
     # via
-    #   -c requirements/deps/constraints.txt
+    #   -c ././deps/constraints.txt
     #   -r ./base.in
 urllib3==2.5.0
     # via
-    #   -c requirements/deps/constraints.txt
+    #   -c ././deps/constraints.txt
     #   requests
     #   unstructured-client
 webencodings==0.5.1
     # via html5lib
-wrapt==1.17.2
+wrapt==1.17.3
     # via -r ./base.in

requirements/deps/constraints.txt

@@ -14,4 +14,4 @@ unstructured-client>=0.23.0,<0.26.0
 # paddle constrains protobuf; maybe we should put paddle here since its version is pinned in .in file
 protobuf>=6.30.0
 # (yao) issues with pdfminer-six above 20250416
-pdfminer.six<20250416
+pdfminer.six<20250416

requirements/dev.txt

@@ -1,38 +1,40 @@
 #
-# This file is autogenerated by pip-compile with Python 3.10
+# This file is autogenerated by pip-compile with Python 3.9
 # by the following command:
 #
 #    pip-compile ./dev.in
 #
-build==1.2.2.post1
+build==1.3.0
     # via pip-tools
 cfgv==3.4.0
     # via pre-commit
-click==8.2.1
+click==8.1.8
     # via
-    #   -c requirements/base.txt
-    #   -c requirements/test.txt
+    #   -c ./base.txt
+    #   -c ./test.txt
     #   pip-tools
-distlib==0.3.9
+distlib==0.4.0
     # via virtualenv
-filelock==3.18.0
+filelock==3.19.1
     # via virtualenv
-identify==2.6.12
+identify==2.6.13
     # via pre-commit
+importlib-metadata==8.7.0
+    # via build
 nodeenv==1.9.1
     # via pre-commit
 packaging==25.0
     # via
-    #   -c requirements/base.txt
-    #   -c requirements/test.txt
+    #   -c ./base.txt
+    #   -c ./test.txt
     #   build
-pip-tools==7.4.1
+pip-tools==7.5.0
     # via -r ./dev.in
 platformdirs==4.3.8
     # via
-    #   -c requirements/test.txt
+    #   -c ./test.txt
     #   virtualenv
-pre-commit==4.2.0
+pre-commit==4.3.0
     # via -r ./dev.in
 pyproject-hooks==1.2.0
     # via
@@ -42,13 +44,20 @@ pyyaml==6.0.2
     # via pre-commit
 tomli==2.2.1
     # via
-    #   -c requirements/test.txt
+    #   -c ./test.txt
     #   build
     #   pip-tools
-virtualenv==20.31.2
+typing-extensions==4.15.0
+    # via
+    #   -c ./base.txt
+    #   -c ./test.txt
+    #   virtualenv
+virtualenv==20.34.0
     # via pre-commit
 wheel==0.45.1
     # via pip-tools
+zipp==3.23.0
+    # via importlib-metadata
 
 # The following packages are considered to be unsafe in a requirements file:
 # pip

requirements/extra-csv.txt

@@ -1,24 +1,24 @@
 #
-# This file is autogenerated by pip-compile with Python 3.10
+# This file is autogenerated by pip-compile with Python 3.9
 # by the following command:
 #
 #    pip-compile ./extra-csv.in
 #
-numpy==2.2.6
+numpy==2.0.2
     # via
-    #   -c requirements/base.txt
+    #   -c ./base.txt
     #   pandas
-pandas==2.3.1
+pandas==2.3.2
     # via -r ./extra-csv.in
 python-dateutil==2.9.0.post0
     # via
-    #   -c requirements/base.txt
+    #   -c ./base.txt
     #   pandas
 pytz==2025.2
     # via pandas
 six==1.17.0
     # via
-    #   -c requirements/base.txt
+    #   -c ./base.txt
     #   python-dateutil
 tzdata==2025.2
     # via pandas

requirements/extra-docx.txt

@@ -1,16 +1,16 @@
 #
-# This file is autogenerated by pip-compile with Python 3.10
+# This file is autogenerated by pip-compile with Python 3.9
 # by the following command:
 #
 #    pip-compile ./extra-docx.in
 #
-lxml==6.0.0
+lxml==6.0.1
     # via
-    #   -c requirements/base.txt
+    #   -c ./base.txt
     #   python-docx
 python-docx==1.2.0
     # via -r ./extra-docx.in
-typing-extensions==4.14.1
+typing-extensions==4.15.0
     # via
-    #   -c requirements/base.txt
+    #   -c ./base.txt
     #   python-docx

requirements/extra-epub.txt

@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile with Python 3.10
+# This file is autogenerated by pip-compile with Python 3.9
 # by the following command:
 #
 #    pip-compile ./extra-epub.in

requirements/extra-markdown.txt

@@ -1,8 +1,12 @@
 #
-# This file is autogenerated by pip-compile with Python 3.10
+# This file is autogenerated by pip-compile with Python 3.9
 # by the following command:
 #
 #    pip-compile ./extra-markdown.in
 #
+importlib-metadata==8.7.0
+    # via markdown
 markdown==3.8.2
     # via -r ./extra-markdown.in
+zipp==3.23.0
+    # via importlib-metadata

requirements/extra-odt.txt

@@ -1,18 +1,18 @@
 #
-# This file is autogenerated by pip-compile with Python 3.10
+# This file is autogenerated by pip-compile with Python 3.9
 # by the following command:
 #
 #    pip-compile ./extra-odt.in
 #
-lxml==6.0.0
+lxml==6.0.1
     # via
-    #   -c requirements/base.txt
+    #   -c ./base.txt
     #   python-docx
 pypandoc==1.15
     # via -r ./extra-odt.in
 python-docx==1.2.0
     # via -r ./extra-odt.in
-typing-extensions==4.14.1
+typing-extensions==4.15.0
     # via
-    #   -c requirements/base.txt
+    #   -c ./base.txt
     #   python-docx