
Conversation

@JortegaCognigy JortegaCognigy commented Jan 5, 2026

https://cognigy.visualstudio.com/Carbon/_workitems/edit/120167/

Changelog Section

  • Cognigy.AI

Changelog

  • Fixed security vulnerabilities in @langchain/textsplitters dependency

Success criteria

  • Knowledge ingestion through confluence extension should work as expected

How to test

  1. Set up the Confluence connector in dev (install via marketplace) and local environments (run npm run build inside the extensions/confluence directory, then upload the zip file via UI)
  2. Ingest knowledge from a Confluence page (for example https://cognigy.atlassian.net/wiki/spaces/Engineering/pages/1413251084/IAM+Role+based+connections+for+AWS+Bedrock+models) and see that both environments generate the same amount of chunks and content

Security

  • Possible injection vector
  • Authentication/Access controls touched
  • Sensitive Data could be exposed
  • XSS
  • Logging/Monitoring touched
  • Exchanges data with external systems
  • No security implications

Additional considerations

  • This PR impacts NLU
  • This PR might have performance implications
  • This PR changes an existing data model (and might affect existing legacy data)
    • Examples: adding, renaming, removing a field or changing the format or constraints of a field
  • This PR might affect indexing
    • Examples: adding a new param for model query from DB without creating a new index for this model

Documentation Considerations

No additional documentation required.

@JortegaCognigy JortegaCognigy requested a review from a team January 5, 2026 10:23
@JortegaCognigy JortegaCognigy self-assigned this Jan 5, 2026
Copilot AI review requested due to automatic review settings January 5, 2026 10:23
Copilot AI left a comment

Pull request overview

This PR updates the @langchain/textsplitters dependency from version ^0.0.3 to 0.1.0 in the Confluence extension to address a critical security vulnerability. The update removes the caret (^) version range operator to ensure an exact version is used, preventing automatic minor/patch updates that could reintroduce vulnerabilities.

Key Changes

  • Updated @langchain/textsplitters from ^0.0.3 to 0.1.0 with exact version pinning
Files not reviewed (1)
  • extensions/confluence/package-lock.json: Language not supported
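As an added check for the exact pin this PR introduces (example code, not from the PR or the Cognigy repository), the following Node script classifies a package.json specifier under npm caret semantics and cross-checks it against package-lock.json; the sample manifests are constructed and the lockfileVersion 3 layout is assumed.

```javascript
// Added example, not code from this PR or the Cognigy repository: classify a
// package.json dependency specifier under npm's caret semantics and cross-check
// it against the lockfile's resolved version. Sample manifests are constructed
// inline; the lockfile shape assumes lockfileVersion 3 ("packages" keyed by
// node_modules path).
const EXACT = /^(\d+)\.(\d+)\.(\d+)$/;

// Exclusive upper bound a caret range permits, per node-semver rules:
//   ^1.2.3 -> <2.0.0    ^0.1.0 -> <0.2.0    ^0.0.3 -> <0.0.4 (only 0.0.3 itself)
function caretUpperBound(spec) {
  const m = EXACT.exec(spec.slice(1));
  if (!m) return null;
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

// Describe a specifier: exact pin, caret range (floating unless it is ^0.0.x,
// which admits no other version), or anything else (treated as floating).
function describeSpec(spec) {
  if (EXACT.test(spec)) return { kind: 'exact', upper: null, floating: false };
  if (spec.startsWith('^') && EXACT.test(spec.slice(1))) {
    return { kind: 'caret', upper: caretUpperBound(spec), floating: !spec.startsWith('^0.0.') };
  }
  return { kind: 'other', upper: null, floating: true };
}

// Cross-check package.json against package-lock.json for one dependency: an
// exact pin must resolve to exactly that version in the lockfile, and any
// specifier must have a lockfile entry at all.
function checkPin(pkg, lock, name) {
  const spec = (pkg.dependencies || {})[name] || '';
  const entry = (lock.packages || {})[`node_modules/${name}`];
  const locked = entry ? entry.version : null;
  const info = describeSpec(spec);
  const consistent = info.kind === 'exact' ? locked === spec : locked !== null;
  return { name, spec, locked, ...info, consistent };
}

// Constructed sample mirroring the post-fix state: exact pin 0.1.0 in both files.
const samplePkg = { dependencies: { '@langchain/textsplitters': '0.1.0' } };
const sampleLock = {
  lockfileVersion: 3,
  packages: { 'node_modules/@langchain/textsplitters': { version: '0.1.0' } },
};

console.log(checkPin(samplePkg, sampleLock, '@langchain/textsplitters'));
```

Run it against the real extensions/confluence/package.json and package-lock.json by replacing the constructed objects with JSON.parse of those files; a `consistent: false` result means the lockfile and manifest disagree and `npm install` would not reproduce the pinned version.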



graymalkin77 commented Jan 5, 2026

Snyk checks have passed. No issues have been found so far.

Scanner               | Critical | High | Medium | Low | Total (0)
Open Source Security  | 0        | 0    | 0      | 0   | 0 issues
Licenses              | 0        | 0    | 0      | 0   | 0 issues


@JortegaCognigy JortegaCognigy merged commit bcabbcc into master Jan 7, 2026
2 checks passed