Saved in:
| 主要作者: | |
|---|---|
| 格式: | Recurso digital |
| 語言: | |
| 出版: |
Zenodo
2026
|
| 在線閱讀: | https://doi.org/10.5281/zenodo.19045155 |
| 標簽: |
添加標簽
沒有標簽, 成為第一個標記此記錄!
|
書本目錄:
- <h2>Summary</h2> <ul> <li><strong>Migrate Phoenix telemetry to modern Spaces API</strong> — switches from legacy <code>api_key=</code> to <code>Authorization=Bearer</code> JWT authentication, adds <code>PHOENIX_API_KEY</code>, <code>PHOENIX_SPACE_ID</code>, and space-based collector endpoint</li> <li><strong>Patch 15 of 16 Dependabot security alerts</strong> — fixes 2 critical, 4 high, 7 medium, and 2 low severity vulnerabilities across Python and frontend dependencies</li> <li><strong>Update LLM model targets</strong> to <code>claude-sonnet-4-6</code></li> </ul> <h2>Telemetry Changes</h2> <ul> <li>Upgrade Phoenix SDK: <code>arize-phoenix</code> 10.7→12.9, <code>arize-phoenix-client</code> 1.10→1.21, <code>arize-phoenix-evals</code> 0.20→2.5</li> <li>Collector endpoint now uses space path (<code>/s/aiinfra</code>)</li> <li>Feedback annotation API converted to async (<code>httpx.AsyncClient</code>)</li> <li>Added <code>X-Telemetry-Opt-In</code> header support for privacy toggle</li> </ul> <h2>Security Fixes</h2> <p>| Severity | Package | Fix | |----------|---------|-----| | Critical | nltk | 3.9.1→3.9.3 (Zip Slip) | | Critical | unstructured | 0.17.2→0.18.18 (path traversal) | | High | python-multipart | 0.0.20→0.0.22 (arbitrary file write) | | High | langchain-core | 0.3.66→≥0.3.81 (template injection + serialization injection) | | High | langchain-community | 0.3.23→0.3.27 (XXE) | | High | langchain-text-splitters | 0.3.8→0.3.9 (XXE) | | Medium | transformers | 4.52.1→4.53.0 (ReDoS ×4) | | Medium | torch | 2.7.1→≥2.8.0 (resource shutdown) | | Medium+Low | vite | ^4.5.14→^5.4.21 (fs.deny bypass, HTML settings) |</p> <p><strong>Remaining:</strong> langchain-core SSRF (low severity, requires major version jump to 1.x — not yet addressed upstream either)</p> <h2>Upgrade Notes</h2> <ul> <li>Run <code>pip install -r config/requirements.txt</code> to update Python dependencies</li> <li>Run <code>npm install</code> in <code>frontend/</code> to update vite (major version 4→5)</li> <li>Update your <code>.env</code> files with the new Phoenix Spaces variables (see <code>.env.template</code>)</li> </ul>