fix(partners): cap aiohttp below 3.14 for vcrpy compat (#37898)

aiohttp **3.14.0** (released 2026-06-01) removed
`aiohttp.streams.AsyncStreamReaderMixin`. The current release of `vcrpy`
(8.1.1) still subclasses it in its aiohttp stub:

```python
class MockStream(asyncio.StreamReader, streams.AsyncStreamReaderMixin):
```

As a result, the VCR fixture fails to import during test setup, and the
scheduled integration tests for the `fireworks` and `xai` partners error
out at `test_stream_time`:

```
AttributeError: module 'aiohttp.streams' has no attribute 'AsyncStreamReaderMixin'
```

Only these two partners are affected because their SDKs use `aiohttp`,
so VCR loads its aiohttp stub; partners on `httpx` (e.g. `anthropic`,
`openai`) are unaffected.

This is an upstream incompatibility tracked at kevin1024/vcrpy#995, with
a fix in kevin1024/vcrpy#996 that has not yet been released.

Until a fixed `vcrpy` ships, this caps `aiohttp<3.14.0` via `[tool.uv]
constraint-dependencies` (the same mechanism already used for the
`pygments` CVE pin) in both packages. Using a constraint rather than
tightening the published `aiohttp>=3.9.1,<4.0.0` range means the change
only affects local/CI resolution — the package metadata users install
against is untouched. Both lockfiles re-resolve to `aiohttp` 3.13.5,
which still provides the removed attribute. A code comment points back
to the upstream fix so the pin can be removed once it lands.
Mason Daugherty
2026-06-04 10:44:21 -04:00
committed by GitHub
parent 414d7b8e94
commit 34af59c1a6
4 changed files with 230 additions and 246 deletions

@@ -64,7 +64,13 @@ typing = [
]
[tool.uv]
constraint-dependencies = ["pygments>=2.20.0"] # CVE-2026-4539
constraint-dependencies = [
"pygments>=2.20.0", # CVE-2026-4539
# aiohttp 3.14.0 removed `aiohttp.streams.AsyncStreamReaderMixin`, which
# vcrpy (<=8.1.1) still subclasses, breaking VCR-based integration tests.
# Remove once a vcrpy release includes the fix (kevin1024/vcrpy#996).
"aiohttp<3.14.0",
]
# `fireworks-ai` 1.x is currently published as a prerelease (1.2.0a*).
# Allow uv to resolve to those prereleases until a stable 1.x ships.
# End users installing `langchain-fireworks` via `pip` / `uv pip install` must
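Review bot: The `"aiohttp<3.14.0"` entry is a ceiling placed in the same list as the `pygments>=2.20.0` CVE floor, and nothing in the hunk limits how long it stays. While it is in place, local and CI resolution cannot pick up any aiohttp fix, security fixes included, that ships only in 3.14.0 or later. The comment names the removal condition (kevin1024/vcrpy#996), but that condition lives only in a comment. Consider referencing a tracking issue in this repository next to it, and dropping the cap in the same change that bumps `vcrpy` past the fixed release, so the two stay coupled. The `vcrpy (<=8.1.1)` wording in the comment will also go stale if another vcrpy release ships without the fix.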