
LCORE-2465: Upgrade docling to 2.94.0 and docling-core to 2.74.1 to address CVEs#209

Merged
syedriko merged 5 commits into lightspeed-core:main from are-ces:lcore-2465-2466-docling-core-cve on Jun 13, 2026

Conversation

are-ces commented Jun 12, 2026

Contributor

Description

Upgrade docling from 2.88.0 to 2.94.0 and docling-core from 2.73.0 to 2.74.1 in both CPU and CUDA Konflux overrides. Regenerated hashed requirements via konflux_resolve.py.

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement

Tools used to create PR

  • Assisted-by: Claude Opus 4.6

Related Tickets & Documents

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Verified docling 2.94.0 and docling-core 2.74.1 are available on both RHOAI 3.4 CPU and CUDA indexes
  • Regenerated requirements with konflux_resolve.py for both profiles successfully

Summary by CodeRabbit

  • Chores

    • Updated build toolchain pins (hatchling, maturin, uv-build) and refreshed lockfile hashes.
    • Raised project docling constraint to >=2.94.0 and updated docling-related pins.
  • New Dependencies

    • Added pinned packages for document processing and image handling (antlr4 runtime, colorlog, opencv-python, pyclipper, rapidocr, shapely).
  • Chores

    • Updated CI/CD pipeline prefetch package lists for CUDA and standard builds.

coderabbitai Bot commented Jun 12, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 95395526-9419-41d9-bc79-de72d6b0a624

📥 Commits

Reviewing files that changed from the base of the PR and between 5f89b7c and 1f81179.

📒 Files selected for processing (8)
  • .konflux/requirements.hashes.wheel.cuda.txt
  • .konflux/requirements.hashes.wheel.txt
  • .konflux/requirements.overrides.cuda.txt
  • .konflux/requirements.overrides.txt
  • .tekton/rag-content-cpu-0-6-pull-request.yaml
  • .tekton/rag-content-cpu-0-6-push.yaml
  • .tekton/rag-content-cuda-12-9-0-6-pull-request.yaml
  • .tekton/rag-content-cuda-12-9-0-6-push.yaml
✅ Files skipped from review due to trivial changes (4)
  • .konflux/requirements.overrides.txt
  • .tekton/rag-content-cpu-0-6-pull-request.yaml
  • .konflux/requirements.hashes.wheel.txt
  • .konflux/requirements.hashes.wheel.cuda.txt
🚧 Files skipped from review as they are similar to previous changes (3)
  • .tekton/rag-content-cpu-0-6-push.yaml
  • .konflux/requirements.overrides.cuda.txt
  • .tekton/rag-content-cuda-12-9-0-6-pull-request.yaml

Walkthrough

Bumps build tool pins (maturin, uv-build), refreshes source and wheel hash lockfiles (crc32c, oci, added wheel pins including antlr4/opencv/rapidocr/shapely), updates docling pins and overrides, and adjusts Tekton prefetch package lists to include the new packages.

Changes

Build and Lockfile Updates

Layer | File(s) | Summary
Build toolchain pins | .konflux/requirements-build.cuda.txt, .konflux/requirements-build.txt | maturin bumped to 1.14.0 and uv-build bumped to 0.11.21; removed one setuptools "via … crc32c" comment in the CUDA build file.
Source hash updates | .konflux/requirements.hashes.source.cuda.txt | Replaces crc32c==2.8 with crc32c==2.7.1 and updates oci to 2.178.0, refreshing associated source hashes.
Wheel hash additions and docling pins | .konflux/requirements.hashes.wheel.cuda.txt, .konflux/requirements.hashes.wheel.txt | Adds multiple wheel pins and SHA256 hashes (e.g., antlr4-python3-runtime, colorlog, opencv-python, pyclipper, rapidocr, shapely, omegaconf), updates docling/docling-core/docling-slim, and bumps pydantic-settings to 2.14.1; expands yarl hash entries.
Overrides and project dependency | .konflux/requirements.overrides.cuda.txt, .konflux/requirements.overrides.txt, pyproject.toml | Pins antlr4-python3-runtime==4.9.3, bumps pydantic_settings to 2.14.1, docling-core to 2.74.1, and raises project docling minimum to >=2.94.0.
Tekton prefetch lists | .tekton/rag-tool-*.yaml, .tekton/rag-content-*-*.yaml | Updates comma-separated binary.packages/prefetch-input lists across multiple Tekton PipelineRun YAMLs to include the new packages (notably antlr4-python3-runtime).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • syedriko
  • tisnik
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main change: upgrading docling to 2.94.0 and docling-core to 2.74.1 to address CVEs, which aligns perfectly with the PR objectives and the primary changes across configuration files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.konflux/requirements-build.cuda.txt (1)

16-20: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove the stale hatchling pin.

hatchling==1.26.3 is still present here while hatchling==1.30.1 is added below, so the CUDA build requirements now carry conflicting exact pins for the same package. Regenerate the lockfile or drop the stale entry so the file contains only one hatchling version.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.konflux/requirements-build.cuda.txt around lines 16 - 20, There are
duplicate exact pins for the same package (hatchling==1.26.3 and
hatchling==1.30.1) causing a conflict; remove the stale entry so only the
intended pin remains (keep hatchling==1.30.1 or regenerate the lockfile to
produce a single hatchling entry). Locate the duplicate lines referencing
"hatchling==1.26.3" and "hatchling==1.30.1" in
.konflux/requirements-build.cuda.txt and delete the older pin or refresh the
lockfile so the file contains only one hatchling version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a41107ae-eec7-48dd-b868-f34661883cd5

📥 Commits

Reviewing files that changed from the base of the PR and between a1c45c7 and ee9eb8e.

📒 Files selected for processing (11)
  • .konflux/requirements-build.cuda.txt
  • .konflux/requirements-build.txt
  • .konflux/requirements.hashes.source.cuda.txt
  • .konflux/requirements.hashes.wheel.cuda.txt
  • .konflux/requirements.hashes.wheel.txt
  • .konflux/requirements.overrides.cuda.txt
  • .konflux/requirements.overrides.txt
  • .tekton/rag-tool-cuda-pull-request.yaml
  • .tekton/rag-tool-cuda-push.yaml
  • .tekton/rag-tool-pull-request.yaml
  • .tekton/rag-tool-push.yaml

Comment on lines +27 to 28
maturin==1.14.0
# via uv-build
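Review bot: the `# via uv-build` annotation under `maturin==1.14.0` marks the line as resolver output rather than a hand-maintained constraint, and the finding attached to these lines reports that scripts/konflux_requirements.sh rewrites the pin after compilation, so a direct edit of the generated file cannot be relied on. The reproducible fix is to put the upgraded version where the generator reads its inputs and then re-run the generator; a clean diff against this file afterwards is the check that the pin actually survives regeneration.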


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

maturin is still being pinned back to 1.10.2.

Both build files pin maturin==1.14.0, but scripts/konflux_requirements.sh#L162-L167 rewrites that pin after compilation. The upgrade therefore does not survive regeneration in either .konflux/requirements-build.cuda.txt or .konflux/requirements-build.txt.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.konflux/requirements-build.cuda.txt around lines 27 - 28, The pinned
maturin version in the generated requirements files is being overwritten by the
regeneration script; update konflux_requirements.sh so it no longer rewrites
maturin back to 1.10.2—either stop the replacement logic or make it use a single
source of truth (e.g., a MATURIN_VERSION variable) and write that value into
both .konflux/requirements-build.cuda.txt and .konflux/requirements-build.txt;
specifically change the code that searches for or substitutes the
"maturin==1.10.2" string to use "maturin==1.14.0" or the new variable, ensuring
regeneration preserves the upgraded pin.

are-ces force-pushed the lcore-2465-2466-docling-core-cve branch from ee9eb8e to 055de8a on June 12, 2026 08:09
…ddress CVEs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
are-ces force-pushed the lcore-2465-2466-docling-core-cve branch from 055de8a to aa1726b on June 12, 2026 08:13
are-ces and others added 2 commits June 12, 2026 10:35
New transitive dependency from docling 2.94.0. PyPI only has an sdist
for 4.9.3 so hermeto cannot resolve it without the RHOAI override.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ent pipelines

The RHOAI index only has a wheel for this package (no sdist), so hermeto
needs it in the binary packages list to fetch it as a wheel instead of
trying (and failing) to find an sdist.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.konflux/requirements-build.cuda.txt (1)

16-26: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove the stale hatchling pin.

This file now contains both hatchling==1.26.3 and hatchling==1.30.1, which turns the lockfile into conflicting exact requirements and can break regeneration/install steps. Keep only the upgraded pin here.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.konflux/requirements-build.cuda.txt around lines 16 - 26, Remove the stale
duplicate hatchling pin by deleting the older "hatchling==1.26.3" entry and
leaving only "hatchling==1.30.1" in the requirements file (ensure no other
hatchling exact pins remain); after updating, re-run your lockfile/regeneration
step so the requirements reflect the single upgraded hatchling version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1956f288-91d5-4e5e-b0f1-e470f27fdd6d

📥 Commits

Reviewing files that changed from the base of the PR and between ee9eb8e and 5f89b7c.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (16)
  • .konflux/requirements-build.cuda.txt
  • .konflux/requirements-build.txt
  • .konflux/requirements.hashes.source.cuda.txt
  • .konflux/requirements.hashes.wheel.cuda.txt
  • .konflux/requirements.hashes.wheel.txt
  • .konflux/requirements.overrides.cuda.txt
  • .konflux/requirements.overrides.txt
  • .tekton/rag-content-cpu-0-6-pull-request.yaml
  • .tekton/rag-content-cpu-0-6-push.yaml
  • .tekton/rag-content-cuda-12-9-0-6-pull-request.yaml
  • .tekton/rag-content-cuda-12-9-0-6-push.yaml
  • .tekton/rag-tool-cuda-pull-request.yaml
  • .tekton/rag-tool-cuda-push.yaml
  • .tekton/rag-tool-pull-request.yaml
  • .tekton/rag-tool-push.yaml
  • pyproject.toml
✅ Files skipped from review due to trivial changes (5)
  • pyproject.toml
  • .konflux/requirements.overrides.cuda.txt
  • .konflux/requirements-build.txt
  • .konflux/requirements.hashes.source.cuda.txt
  • .konflux/requirements.hashes.wheel.cuda.txt
🚧 Files skipped from review as they are similar to previous changes (6)
  • .konflux/requirements.overrides.txt
  • .tekton/rag-tool-cuda-pull-request.yaml
  • .tekton/rag-tool-pull-request.yaml
  • .tekton/rag-tool-cuda-push.yaml
  • .tekton/rag-tool-push.yaml
  • .konflux/requirements.hashes.wheel.txt

are-ces and others added 2 commits June 12, 2026 11:19
Add 7 missing packages to the binary packages list in all rag-content
Tekton pipelines: colorlog, docling-slim, omegaconf, opencv-python,
pyclipper, rapidocr, shapely. These were already present in rag-tool
but missed in rag-content, causing hermeto prefetch failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…bility

docling-core 2.74.1 requires pydantic-settings>=2.14.0. Bumped from
2.13.1 to 2.14.1 (available on RHOAI index) and re-ran the resolver.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
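A consistency check that covers the three recurring points in this thread: the duplicate hatchling pin flagged by both CodeRabbit reviews, the hash-pinned requirements regenerated by konflux_resolve.py, and the wheel-only packages that the commits above had to add to the Tekton binary package lists so the hermeto prefetch stops looking for an sdist. This is an added example, not code from the repository or from this PR. It assumes a pip-compile style lockfile (one `name==version` entry followed by backslash-joined `--hash=sha256:` lines and `# via` comments); the sample lockfile, the index availability map, the binary package list, the placeholder versions and hashes, and all function names are constructed for the example and are not the project's.

```python
"""Consistency checks for a pip hashed-requirements lockfile feeding a
hermeto/Konflux prefetch step.  Added example; not code from the project.

Assumed inputs (all constructed here, with placeholder versions/hashes):
  * a pip-compile style lockfile: `name==version` followed by
    `--hash=sha256:...` lines joined by backslashes, plus `# via` comments;
  * the comma-separated binary package list passed to the prefetch task;
  * a map of which distribution types (wheel / sdist) the index offers.
"""
import re
from collections import defaultdict

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s\\]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def canonical(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (canonical_name, version, sha256_hashes) for each pinned entry.

    Backslash continuations are joined first so the --hash options stay
    attached to their pin; comments (including pip-compile's `# via`
    annotations) and blank lines are skipped.
    """
    entries = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        m = PIN_RE.match(line)
        if m:
            entries.append((canonical(m.group(1)), m.group(2), HASH_RE.findall(line)))
    return entries


def duplicate_pins(entries):
    """Packages pinned to more than one exact version (the hatchling case):
    two `==` pins for one name are an unsatisfiable set of constraints."""
    seen = defaultdict(set)
    for name, version, _ in entries:
        seen[name].add(version)
    return {n: sorted(v) for n, v in seen.items() if len(v) > 1}


def unhashed_pins(entries):
    """Pins with no sha256 hash: `pip --require-hashes` rejects the whole
    file if any entry lacks one, so the prefetch would fail."""
    return sorted(name for name, _, hashes in entries if not hashes)


def wheel_only_missing_from_binary_list(entries, availability, binary_packages):
    """Packages the index offers only as a wheel but that are absent from the
    binary package list: a source-only fetch has no sdist to download."""
    allowed = {canonical(p) for p in binary_packages.split(",") if p.strip()}
    return sorted(name for name, _, _ in entries
                  if availability.get(name) == {"wheel"} and name not in allowed)


def _h(c: str) -> str:
    return "--hash=sha256:" + c * 64   # placeholder digest, not a real hash


# Constructed sample in konflux_resolve.py / pip-compile layout.
SAMPLE_LOCKFILE = f"""\
antlr4-python3-runtime==4.9.3 \\
    {_h('a')}
    # via omegaconf
hatchling==1.26.3 \\
    {_h('b')}
    # via -r requirements-build.in
hatchling==1.30.1 \\
    {_h('c')} \\
    {_h('d')}
    # via -r requirements-build.in
maturin==1.14.0 \\
    {_h('e')}
    # via uv-build
rapidocr==0.0.0
    # via docling
"""

SAMPLE_AVAILABILITY = {                    # constructed; not a live index query
    "antlr4-python3-runtime": {"sdist"},   # PyPI has only an sdist for 4.9.3
    "hatchling": {"wheel", "sdist"},
    "maturin": {"wheel", "sdist"},
    "rapidocr": {"wheel"},                 # wheel-only on the index
}
SAMPLE_BINARY_PACKAGES = "hatchling,maturin"   # rapidocr deliberately missing


def run_checks(text, availability, binary_packages):
    entries = parse_requirements(text)
    return {
        "duplicate_pins": duplicate_pins(entries),
        "unhashed_pins": unhashed_pins(entries),
        "wheel_only_missing": wheel_only_missing_from_binary_list(
            entries, availability, binary_packages),
    }


if __name__ == "__main__":
    for check, result in run_checks(SAMPLE_LOCKFILE, SAMPLE_AVAILABILITY,
                                    SAMPLE_BINARY_PACKAGES).items():
        print(f"{check}: {result or 'ok'}")
```

Run against the constructed sample it reports hatchling pinned to both 1.26.3 and 1.30.1, rapidocr with no hash, and rapidocr missing from the binary package list while the index only offers it as a wheel; antlr4-python3-runtime is not flagged because it is sdist-only. Pointing `run_checks` at the real `.konflux/requirements-build.*.txt` and `.konflux/requirements.hashes.*.txt` files and at the list from the Tekton parameter is the step a reviewer would run before accepting a regenerated lockfile, since a single stale duplicate pin or a wheel-only package absent from the list fails the hermeto prefetch rather than the review.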
@syedriko syedriko merged commit 50d34a9 into lightspeed-core:main Jun 13, 2026
23 checks passed