Security Fixes - CVE Remediation (#4115)
Main Changes:
1. Removed Clarifai Dependency
- Completely removed the clarifai dependency which is no longer used in
the codebase
- Removed clarifai from the unstructured-ingest extras list in
requirements/ingest/ingest.txt:1
- Removed clarifai test script reference from
test_unstructured_ingest/test-ingest-dest.sh:23
2. Updated Dependencies to Resolve CVEs
- pypdf: Updated from 6.1.1 → 6.1.3 (fixes GHSA-vr63-x8vc-m265)
- pip: Added explicit upgrade to >=25.3 in Dockerfile (fixes
GHSA-4xh5-x5gv-qwph)
- uv: Addressed GHSA-8qf3-x8v5-2pj8 and GHSA-pqhf-p39g-3x64
3. Dockerfile Security Enhancements (Dockerfile:17,28-29)
- Added Alpine package upgrade for py3.12-pip
- Added explicit pip upgrade step before installing Python dependencies
4. General Dependency Updates
Ran pip-compile across all requirement files, resulting in updates to:
- cryptography: 46.0.2 → 46.0.3
- psutil: 7.1.0 → 7.1.3
- rapidfuzz: 3.14.1 → 3.14.3
- regex: 2025.9.18 → 2025.11.3
- wrapt: 1.17.3 → 2.0.0
- Plus many other transitive dependencies across all extra requirement
files
5. Version Bump
- Updated version from 0.18.16 → 0.18.17 in
unstructured/__version__.py:1
- Updated CHANGELOG.md with security fixes documentation
Impact:
This PR resolves 4 CVEs total without introducing breaking changes,
making it a pure security maintenance release.
---------
Co-authored-by: Claude <noreply@anthropic.com>
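The PR description above pins a handful of packages at fixed versions and removes one entirely. A practitioner merging a change like this usually wants an automated check that the regenerated lockfiles actually carry those floors (a stale `pip-compile` run or a stray `-c` constraint can silently keep an old pin). The script below is an added example, not part of the unstructured project or this PR: it parses `package==version` pins from pip-compile style output, compares them against a minimum-version table, and reports anything below the floor, unpinned, or still present after a removal. The lockfile text, the `FIXED_MINIMUMS` table and the `FORBIDDEN` set are constructed for the example; the version comparison is a deliberately simple dotted-numeric ordering (pre-release tags sort below the matching final release) rather than a full PEP 440 implementation.

```python
"""Audit a pip-compile lockfile against minimum versions carrying security fixes.

Added example (not the unstructured project's own code). The lockfile sample,
minimum-version table and forbidden-package set below are constructed.
"""
import re

# Floors taken from the PR description; anything pinned below these is flagged.
FIXED_MINIMUMS = {
    "pypdf": "6.1.3",
    "cryptography": "46.0.3",
    "psutil": "7.1.3",
    "wrapt": "2.0.0",
}

# Packages that must no longer appear in any requirements file.
FORBIDDEN = {"clarifai"}

# Constructed sample resembling pip-compile output ('# via' comments included).
SAMPLE_LOCKFILE = """\
#
# This file is autogenerated by pip-compile
#
cryptography==46.0.3
    # via pdfminer-six
pypdf==6.1.1
    # via unstructured
psutil==7.1.3
    # via -r requirements/base.in
clarifai==10.0.0
    # via -r requirements/ingest/ingest.in
"""

_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def normalize(name):
    """PEP 503 name normalization: case-fold and collapse runs of '-', '_', '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text):
    """Return {normalized_name: version} for every 'pkg==ver' line in the lockfile."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing '# via ...' comments
        if not line or line.startswith("-"):  # skip blanks and options such as -r / -e
            continue
        m = _PIN.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def version_key(version):
    """Map '6.1.3rc1' to a sortable tuple; a bare number ranks above the same
    number carrying a pre-release tag. Returns None for unparseable input."""
    key = []
    for seg in version.split("."):
        m = re.fullmatch(r"(\d+)(.*)", seg)
        if not m:
            return None
        num, tag = m.groups()
        key.append((int(num), 1 if tag == "" else 0, tag))
    return tuple(key)


def meets_minimum(installed, minimum):
    """True if installed >= minimum; unparseable versions are treated as failing."""
    a, b = version_key(installed), version_key(minimum)
    if a is None or b is None:
        return False
    pad = (0, 1, "")                       # so that 25.3 compares equal to 25.3.0
    n = max(len(a), len(b))
    a += (pad,) * (n - len(a))
    b += (pad,) * (n - len(b))
    return a >= b


def audit(text, minimums=FIXED_MINIMUMS, forbidden=FORBIDDEN):
    """Return a sorted list of findings; an empty list means the lockfile is clean."""
    pins = parse_pins(text)
    findings = []
    for name, minimum in minimums.items():
        key = normalize(name)
        if key not in pins:
            findings.append(f"{key}: not pinned (need >= {minimum})")
        elif not meets_minimum(pins[key], minimum):
            findings.append(f"{key}: {pins[key]} < {minimum}")
    for name in forbidden:
        key = normalize(name)
        if key in pins:
            findings.append(f"{key}: must be removed, still pinned at {pins[key]}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCKFILE):
        print(finding)
```

Run against the constructed sample it reports the stale `pypdf` pin, the missing `wrapt` pin and the `clarifai` entry that should have been removed; in a real repository you would feed it every `requirements/**/*.txt` that `pip-compile` produces and fail CI on a non-empty result. Packages upgraded outside the lockfiles (the `pip>=25.3` step in the Dockerfile) need a separate check, for example `pip --version` in the built image.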