LCORE-2465: Upgrade docling to 2.94.0 and docling-core to 2.74.1 to address CVEs#209
Walkthrough
Bumps build tool pins (maturin, uv-build), refreshes source and wheel hash lockfiles (crc32c, oci, added wheel pins including antlr4/opencv/rapidocr/shapely), updates docling pins and overrides, and adjusts Tekton prefetch package lists to include the new packages.
Changes: Build and Lockfile Updates
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.konflux/requirements-build.cuda.txt (1)
Lines 16-20: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Remove the stale `hatchling` pin.
`hatchling==1.26.3` is still present here while `hatchling==1.30.1` is added below, so the CUDA build requirements now carry conflicting exact pins for the same package. Regenerate the lockfile or drop the stale entry so the file contains only one `hatchling` version.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.konflux/requirements-build.cuda.txt around lines 16 - 20, There are duplicate exact pins for the same package (hatchling==1.26.3 and hatchling==1.30.1) causing a conflict; remove the stale entry so only the intended pin remains (keep hatchling==1.30.1 or regenerate the lockfile to produce a single hatchling entry). Locate the duplicate lines referencing "hatchling==1.26.3" and "hatchling==1.30.1" in .konflux/requirements-build.cuda.txt and delete the older pin or refresh the lockfile so the file contains only one hatchling version.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.konflux/requirements-build.cuda.txt:
- Around line 27-28: The pinned maturin version in the generated requirements
files is being overwritten by the regeneration script; update
konflux_requirements.sh so it no longer rewrites maturin back to 1.10.2—either
stop the replacement logic or make it use a single source of truth (e.g., a
MATURIN_VERSION variable) and write that value into both
.konflux/requirements-build.cuda.txt and .konflux/requirements-build.txt;
specifically change the code that searches for or substitutes the
"maturin==1.10.2" string to use "maturin==1.14.0" or the new variable, ensuring
regeneration preserves the upgraded pin.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: a41107ae-eec7-48dd-b868-f34661883cd5
📒 Files selected for processing (11)
- .konflux/requirements-build.cuda.txt
- .konflux/requirements-build.txt
- .konflux/requirements.hashes.source.cuda.txt
- .konflux/requirements.hashes.wheel.cuda.txt
- .konflux/requirements.hashes.wheel.txt
- .konflux/requirements.overrides.cuda.txt
- .konflux/requirements.overrides.txt
- .tekton/rag-tool-cuda-pull-request.yaml
- .tekton/rag-tool-cuda-push.yaml
- .tekton/rag-tool-pull-request.yaml
- .tekton/rag-tool-push.yaml

Review comment on .konflux/requirements-build.cuda.txt (lines 27-28):

```
maturin==1.14.0
    # via uv-build
```

`maturin` is still being pinned back to 1.10.2.
Both build files pin `maturin==1.14.0`, but `scripts/konflux_requirements.sh#L162-L167` rewrites that pin after compilation. The upgrade therefore does not survive regeneration in either `.konflux/requirements-build.cuda.txt` or `.konflux/requirements-build.txt`.
Branch force-pushed: ee9eb8e to 055de8a
…ddress CVEs
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Branch force-pushed: 055de8a to aa1726b

New transitive dependency from docling 2.94.0. PyPI only has an sdist for 4.9.3 so hermeto cannot resolve it without the RHOAI override.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…ent pipelines The RHOAI index only has a wheel for this package (no sdist), so hermeto needs it in the binary packages list to fetch it as a wheel instead of trying (and failing) to find an sdist.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.konflux/requirements-build.cuda.txt (1)
Lines 16-26: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Remove the stale `hatchling` pin.
This file now contains both `hatchling==1.26.3` and `hatchling==1.30.1`, which turns the lockfile into conflicting exact requirements and can break regeneration/install steps. Keep only the upgraded pin here.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.konflux/requirements-build.cuda.txt around lines 16 - 26, Remove the stale duplicate hatchling pin by deleting the older "hatchling==1.26.3" entry and leaving only "hatchling==1.30.1" in the requirements file (ensure no other hatchling exact pins remain); after updating, re-run your lockfile/regeneration step so the requirements reflect the single upgraded hatchling version.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 1956f288-91d5-4e5e-b0f1-e470f27fdd6d
⛔ Files ignored due to path filters (1)
- `uv.lock` is excluded by `!**/*.lock`
📒 Files selected for processing (16)
- .konflux/requirements-build.cuda.txt
- .konflux/requirements-build.txt
- .konflux/requirements.hashes.source.cuda.txt
- .konflux/requirements.hashes.wheel.cuda.txt
- .konflux/requirements.hashes.wheel.txt
- .konflux/requirements.overrides.cuda.txt
- .konflux/requirements.overrides.txt
- .tekton/rag-content-cpu-0-6-pull-request.yaml
- .tekton/rag-content-cpu-0-6-push.yaml
- .tekton/rag-content-cuda-12-9-0-6-pull-request.yaml
- .tekton/rag-content-cuda-12-9-0-6-push.yaml
- .tekton/rag-tool-cuda-pull-request.yaml
- .tekton/rag-tool-cuda-push.yaml
- .tekton/rag-tool-pull-request.yaml
- .tekton/rag-tool-push.yaml
- pyproject.toml
✅ Files skipped from review due to trivial changes (5)
- pyproject.toml
- .konflux/requirements.overrides.cuda.txt
- .konflux/requirements-build.txt
- .konflux/requirements.hashes.source.cuda.txt
- .konflux/requirements.hashes.wheel.cuda.txt
🚧 Files skipped from review as they are similar to previous changes (6)
- .konflux/requirements.overrides.txt
- .tekton/rag-tool-cuda-pull-request.yaml
- .tekton/rag-tool-pull-request.yaml
- .tekton/rag-tool-cuda-push.yaml
- .tekton/rag-tool-push.yaml
- .konflux/requirements.hashes.wheel.txt
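Both reviews above flag the same lockfile defect: two exact pins for `hatchling` in one requirements file, plus a regeneration script that silently rewrites the `maturin` pin. The following is an added example, not code from this repository or from CodeRabbit, of a small checker a maintainer could run in CI against pip-compile/uv style files: it parses the `name==version` pins (skipping `--hash` continuation lines and `# via` comments), reports any package pinned to more than one version, and rewrites a pin from a single version constant so that a regeneration step cannot reintroduce the old value. The sample file, its hash values and the script name `check_pins.py` are constructed for illustration.

```python
"""Checks for pip-compile style requirement files (hypothetical helper, not part
of this repository): find packages pinned twice with different versions, and
rewrite a pin from one version constant so regeneration cannot undo an upgrade."""
import re
import sys
from collections import defaultdict

# "name[extras]==version" at the start of a line. Continuation lines (--hash=...)
# and "# via" comments are handled in parse_pins, not here.
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;\\#]+)"
)


def normalize(name: str) -> str:
    """PEP 503 normalisation: 'Docling_Core' and 'docling-core' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str) -> dict[str, list[tuple[int, str]]]:
    """Map each normalised package name to its (line number, version) pins."""
    pins: dict[str, list[tuple[int, str]]] = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # Skip blanks, comments, "--hash=" continuations and "-r"/"-c" includes.
        if not stripped or stripped.startswith(("#", "-")):
            continue
        m = PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))].append((lineno, m.group(2)))
    return dict(pins)


def conflicting_pins(text: str) -> dict[str, list[tuple[int, str]]]:
    """Packages pinned more than once with differing versions: the situation the
    review flagged for hatchling (1.26.3 and 1.30.1 in the same file)."""
    return {
        name: entries
        for name, entries in parse_pins(text).items()
        if len({version for _, version in entries}) > 1
    }


def set_pin(text: str, name: str, version: str) -> str:
    """Rewrite every exact pin of `name` to `version`, leaving indentation,
    hash continuations and comments untouched. Calling this from one place with
    one version constant is the 'single source of truth' the review asked for."""
    target = normalize(name)
    out = []
    for line in text.splitlines(keepends=True):
        m = PIN_RE.match(line)
        if m and normalize(m.group(1)) == target:
            line = line[: m.start(2)] + version + line[m.end(2) :]
        out.append(line)
    return "".join(out)


# Constructed sample in the layout pip-compile/uv emit; the hashes are dummies.
SAMPLE = """\
hatchling==1.26.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
    # via hatch-vcs
hatchling==1.30.1 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
    # via -r requirements-build.in
maturin==1.10.2 \\
    --hash=sha256:2222222222222222222222222222222222222222222222222222222222222222
    # via uv-build
"""


def report(text: str) -> list[str]:
    """One human-readable line per conflict; an empty list means the file is clean."""
    return [
        f"{name}: conflicting exact pins "
        + ", ".join(f"{v} (line {n})" for n, v in entries)
        for name, entries in sorted(conflicting_pins(text).items())
    ]


if __name__ == "__main__":
    # Usage: python check_pins.py .konflux/requirements-build.cuda.txt
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    problems = report(source)
    print("\n".join(problems) if problems else "no conflicting pins")
    sys.exit(1 if problems else 0)
```

Run with no arguments it checks the embedded sample and exits non-zero because of the duplicate `hatchling` pin; pointed at a real file it is a cheap gate to put in front of the hermeto prefetch so a conflicting lockfile fails early rather than at build time. `set_pin` deliberately touches only the version token, so the `--hash` lines stay paired with their pin and a hash mismatch is still caught by pip's own verification.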
Add 7 missing packages to the binary packages list in all rag-content Tekton pipelines: colorlog, docling-slim, omegaconf, opencv-python, pyclipper, rapidocr, shapely. These were already present in rag-tool but missed in rag-content, causing hermeto prefetch failures.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…bility docling-core 2.74.1 requires pydantic-settings>=2.14.0. Bumped from 2.13.1 to 2.14.1 (available on RHOAI index) and re-ran the resolver.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Description
Upgrade docling from 2.88.0 to 2.94.0 and docling-core from 2.73.0 to 2.74.1 in both CPU and CUDA Konflux overrides. Regenerated hashed requirements via `konflux_resolve.py`.
Testing
`konflux_resolve.py` for both profiles successfully
Summary by CodeRabbit
- Chores
- New Dependencies