Commit Graph

183 Commits

Author SHA1 Message Date
Mason Daugherty
a4294f9a39 chore(deps): refresh lockfiles (#38746) 2026-07-09 12:43:43 -04:00
ccurme
123d83282a release(langchain): 1.3.12 (#38730) 2026-07-08 18:34:51 -04:00
Hunter Lovell
4cdd47b253 fix(langchain): sanitize anthropic cache markers on fallback retries (#37867)
## Summary

Fixes #33709.

When `AnthropicPromptCachingMiddleware` runs before
`ModelFallbackMiddleware`, Anthropic-specific `cache_control` markers
can leak into fallback attempts targeting non-Anthropic models. This
change makes fallback retries sanitize those markers only on non-primary
attempts, preserving primary-call behavior and avoiding API changes.

Related: langchain-ai/deepagentsjs#551.

## Changes

### libs/langchain_v1

- Added a private fallback sanitizer in `model_fallback.py` to remove
Anthropic `cache_control` markers from fallback requests.
- Sanitization covers `model_settings`, system/content message blocks,
and tool payloads (`BaseTool.extras` plus dict-style tools/extras).
- Applied sanitization in both sync and async fallback retry paths
(`wrap_model_call` and `awrap_model_call`) while leaving the primary
attempt unchanged.

### libs/langchain_v1 tests

- Added sync and async regression tests in `test_model_fallback.py` that
simulate primary failure and assert fallback calls only succeed when
cache markers are stripped.
- Verified non-cache settings (for example `temperature` and `top_p`)
are preserved on fallback.
- Preserved existing fallback behavior coverage (ordering, exhaustion,
and error propagation).

## Compatibility with `BedrockPromptCachingMiddleware`

The sanitizer also covers `BedrockPromptCachingMiddleware`, which
injects `cache_control` into `model_settings` only. Bedrock-specific
markers (`cachePoint` blocks, content-block `cache_control`) are applied
by the chat model classes at API-call time and never appear in the
`ModelRequest`, so no additional handling is needed.

---------

Co-authored-by: Mason Daugherty <mason@langchain.dev>
Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-07-05 00:27:29 -04:00
Christophe Bornet
f912638334 style: fix some ruff preview rules in langchain_v1 and standard-tests (#38657) 2026-07-04 22:22:24 -04:00
Mason Daugherty
83e824922a release(langchain): 1.3.11 (#38377) 2026-06-22 18:57:51 -04:00
dependabot[bot]
7d6519166b chore: bump pydantic-settings from 2.12.0 to 2.14.2 in /libs/langchain_v1 (#38279)
Bumps [pydantic-settings](https://github.com/pydantic/pydantic-settings)
from 2.12.0 to 2.14.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pydantic/pydantic-settings/releases">pydantic-settings's
releases</a>.</em></p>
<blockquote>
<h2>v2.14.2</h2>
<h2>What's Changed</h2>
<p>This is a security patch release.</p>
<ul>
<li>Prevent <code>NestedSecretsSettingsSource</code> from following
symlinks outside <code>secrets_dir</code> by <a
href="https://github.com/hramezani"><code>@​hramezani</code></a> in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/889">pydantic/pydantic-settings#889</a></li>
<li>Prepare release 2.14.2 by <a
href="https://github.com/hramezani"><code>@​hramezani</code></a> in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/890">pydantic/pydantic-settings#890</a></li>
</ul>
<h3>Security</h3>
<p>Fixes <a
href="https://github.com/pydantic/pydantic-settings/security/advisories/GHSA-4xgf-cpjx-pc3j">GHSA-4xgf-cpjx-pc3j</a>:
<code>NestedSecretsSettingsSource</code> with
<code>secrets_nested_subdir=True</code> could follow a symbolic link
inside <code>secrets_dir</code> pointing outside it, reading out-of-tree
files into settings values and bypassing the
<code>secrets_dir_max_size</code> cap. Affected versions: <code>&gt;=
2.12.0, &lt; 2.14.2</code>.</p>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/pydantic/pydantic-settings/compare/v2.14.1...v2.14.2">https://github.com/pydantic/pydantic-settings/compare/v2.14.1...v2.14.2</a></p>
<h2>v2.14.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Bump the python-packages group with 4 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/850">pydantic/pydantic-settings#850</a></li>
<li>Bump the python-packages group with 5 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/854">pydantic/pydantic-settings#854</a></li>
<li>Bump the github-actions group with 3 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/853">pydantic/pydantic-settings#853</a></li>
<li>Bump the python-packages group with 2 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/856">pydantic/pydantic-settings#856</a></li>
<li>Fix field named <code>cls</code> conflicting with classmethod
parameter by <a
href="https://github.com/hramezani"><code>@​hramezani</code></a> in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/858">pydantic/pydantic-settings#858</a></li>
<li>Prepare release 2.14.1 by <a
href="https://github.com/hramezani"><code>@​hramezani</code></a> in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/859">pydantic/pydantic-settings#859</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/pydantic/pydantic-settings/compare/v2.14.0...v2.14.1">https://github.com/pydantic/pydantic-settings/compare/v2.14.0...v2.14.1</a></p>
<h2>v2.14.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Fix parsing env vars into Optional Strict types by <a
href="https://github.com/hramezani"><code>@​hramezani</code></a> in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/792">pydantic/pydantic-settings#792</a></li>
<li>Fix RecursionError with mutually recursive models in CLI by <a
href="https://github.com/hramezani"><code>@​hramezani</code></a> in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/794">pydantic/pydantic-settings#794</a></li>
<li>Fix env_file from model_config ignored in CliApp.run() (<a
href="https://redirect.github.com/pydantic/pydantic-settings/issues/795">#795</a>)
by <a href="https://github.com/hramezani"><code>@​hramezani</code></a>
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/796">pydantic/pydantic-settings#796</a></li>
<li>Update dependencies by <a
href="https://github.com/hramezani"><code>@​hramezani</code></a> in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/798">pydantic/pydantic-settings#798</a></li>
<li>Add Dependabot configuration by <a
href="https://github.com/hramezani"><code>@​hramezani</code></a> in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/801">pydantic/pydantic-settings#801</a></li>
<li>Bump samuelcolvin/check-python-version from 4.1 to 5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/802">pydantic/pydantic-settings#802</a></li>
<li>Bump actions/upload-artifact from 4 to 7 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/803">pydantic/pydantic-settings#803</a></li>
<li>Bump actions/checkout from 4 to 6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/804">pydantic/pydantic-settings#804</a></li>
<li>Bump astral-sh/setup-uv from 5 to 7 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/805">pydantic/pydantic-settings#805</a></li>
<li>Bump actions/setup-python from 5 to 6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/806">pydantic/pydantic-settings#806</a></li>
<li>Ignore chardet and group GitHub Actions in Dependabot by <a
href="https://github.com/hramezani"><code>@​hramezani</code></a> in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/808">pydantic/pydantic-settings#808</a></li>
<li>Bump actions/download-artifact from 4 to 8 in the github-actions
group by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/809">pydantic/pydantic-settings#809</a></li>
<li>Bump the python-packages group with 2 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/810">pydantic/pydantic-settings#810</a></li>
<li>Support reading .env files from FIFOs (e.g. 1Password Environments)
by <a href="https://github.com/JacobHayes"><code>@​JacobHayes</code></a>
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/776">pydantic/pydantic-settings#776</a></li>
<li>Fix AliasChoices ignored when changing provider priority by <a
href="https://github.com/hramezani"><code>@​hramezani</code></a> in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/813">pydantic/pydantic-settings#813</a></li>
<li>fix: resolve KeyError in run_subcommand for underscore field names
by <a
href="https://github.com/bradykieffer"><code>@​bradykieffer</code></a>
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/799">pydantic/pydantic-settings#799</a></li>
<li>Bump the python-packages group with 3 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/814">pydantic/pydantic-settings#814</a></li>
<li>Fix <code>Literal[numeric Enum]</code> coercion for CLI and env vars
by <a href="https://github.com/m9810223"><code>@​m9810223</code></a> in
<a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/811">pydantic/pydantic-settings#811</a></li>
<li>Fix nested discriminated unions not discovered by env/CLI providers
by <a href="https://github.com/hramezani"><code>@​hramezani</code></a>
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/816">pydantic/pydantic-settings#816</a></li>
<li>Bump the python-packages group with 3 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/820">pydantic/pydantic-settings#820</a></li>
<li>CLI ensure env nested max split internally. by <a
href="https://github.com/kschwab"><code>@​kschwab</code></a> in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/821">pydantic/pydantic-settings#821</a></li>
<li>Bump the python-packages group with 4 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/824">pydantic/pydantic-settings#824</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d703bd717e"><code>d703bd7</code></a>
Prepare release 2.14.2 (<a
href="https://redirect.github.com/pydantic/pydantic-settings/issues/890">#890</a>)</li>
<li><a
href="e95c30bec8"><code>e95c30b</code></a>
Prepare release 2.14.1 (<a
href="https://redirect.github.com/pydantic/pydantic-settings/issues/859">#859</a>)</li>
<li><a
href="0c8734581b"><code>0c87345</code></a>
Fix field named <code>cls</code> conflicting with classmethod parameter
(<a
href="https://redirect.github.com/pydantic/pydantic-settings/issues/858">#858</a>)</li>
<li><a
href="7bd0072795"><code>7bd0072</code></a>
Bump the python-packages group with 2 updates (<a
href="https://redirect.github.com/pydantic/pydantic-settings/issues/856">#856</a>)</li>
<li><a
href="b03e573d01"><code>b03e573</code></a>
Bump the github-actions group with 3 updates (<a
href="https://redirect.github.com/pydantic/pydantic-settings/issues/853">#853</a>)</li>
<li><a
href="eaa3b43493"><code>eaa3b43</code></a>
Bump the python-packages group with 5 updates (<a
href="https://redirect.github.com/pydantic/pydantic-settings/issues/854">#854</a>)</li>
<li><a
href="9f95615c24"><code>9f95615</code></a>
Bump the python-packages group with 4 updates (<a
href="https://redirect.github.com/pydantic/pydantic-settings/issues/850">#850</a>)</li>
<li><a
href="8916beeecc"><code>8916bee</code></a>
Prepare release 2.14.0 (<a
href="https://redirect.github.com/pydantic/pydantic-settings/issues/848">#848</a>)</li>
<li><a
href="39e551c091"><code>39e551c</code></a>
Fix CLI descriptions lost under <code>python -OO</code> by falling back
to `json_schema_...</li>
<li><a
href="9ed7f48ea2"><code>9ed7f48</code></a>
Bump the python-packages group with 4 updates (<a
href="https://redirect.github.com/pydantic/pydantic-settings/issues/847">#847</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/pydantic/pydantic-settings/compare/v2.12.0...v2.14.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pydantic-settings&package-manager=uv&previous-version=2.12.0&new-version=2.14.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-19 22:10:55 -04:00
dependabot[bot]
e85b734b7e chore: bump vcrpy from 8.1.1 to 8.2.1 in /libs/langchain_v1 (#38280)
Bumps [vcrpy](https://github.com/kevin1024/vcrpy) from 8.1.1 to 8.2.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/kevin1024/vcrpy/releases">vcrpy's
releases</a>.</em></p>
<blockquote>
<h2>v8.2.1</h2>
<h2>What's Changed</h2>
<ul>
<li><strong>SECURITY:</strong> Cassettes are now loaded with a safe YAML
loader, preventing arbitrary code execution when a cassette from an
untrusted source is loaded. Previously a crafted cassette containing a
Python object tag (e.g. <code>!!python/object/apply:os.system</code>)
would execute code on load, including via the normal
<code>vcr.use_cassette()</code> path. Existing cassettes (including
file-upload/streaming bodies) continue to load. Advisory:
GHSA-rpj2-4hq8-938g — thanks <a
href="https://github.com/RamiAltai"><code>@​RamiAltai</code></a> and <a
href="https://github.com/EQSTLab"><code>@​EQSTLab</code></a> for the
reports.</li>
<li>Validate <code>record_mode</code> and raise a clear error on an
invalid value (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/208">#208</a>)</li>
<li>Recommend pytest-recording over the unmaintained pytest-vcr in the
docs (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/986">#986</a>)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/kevin1024/vcrpy/compare/v8.2.0...v8.2.1">https://github.com/kevin1024/vcrpy/compare/v8.2.0...v8.2.1</a></p>
<h2>v8.2.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Add support for httpx 2.x (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/993">#993</a>)
- thanks <a
href="https://github.com/dsfaccini"><code>@​dsfaccini</code></a></li>
<li>Patch httpx transports instead of httpcore (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/972">#972</a>)
- thanks <a
href="https://github.com/seowalex"><code>@​seowalex</code></a></li>
<li>Fix aiohttp 3.14 compatibility: <code>AsyncStreamReaderMixin</code>
removed and <code>ClientResponse</code> now requires
<code>stream_writer</code> (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/995">#995</a>)
- thanks <a
href="https://github.com/dsfaccini"><code>@​dsfaccini</code></a></li>
<li>Account for modified requests when storing played cassettes, so
<code>drop_unused_requests</code> honours
<code>before_record_request</code> filtering (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/962">#962</a>)
- thanks <a
href="https://github.com/jamesbraza"><code>@​jamesbraza</code></a></li>
<li>Make the request URL available on <code>VCRHTTPResponse</code> (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/976">#976</a>)
- thanks <a
href="https://github.com/dAnjou"><code>@​dAnjou</code></a></li>
<li>Improve error message when a matching request has already been
consumed (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/985">#985</a>)
- thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>Fix body check in <code>convert_body_to_unicode</code> to use an
explicit type check (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/982">#982</a>)
- thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>Add env proxy cassette regression test (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/994">#994</a>)
- thanks <a
href="https://github.com/tine1117"><code>@​tine1117</code></a></li>
<li>Remove milestone references from docs (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/984">#984</a>)
- thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/973">#973</a>)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/kevin1024/vcrpy/compare/v8.1.1...v8.2.0">https://github.com/kevin1024/vcrpy/compare/v8.1.1...v8.2.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/kevin1024/vcrpy/blob/master/docs/changelog.rst">vcrpy's
changelog</a>.</em></p>
<blockquote>
<h2>Changelog</h2>
<p>All help in providing PRs to close out bug issues is appreciated.
Even if that is providing a repo that fully replicates issues. We have
very generous contributors that have added these to bug issues which
meant another contributor picked up the bug and closed it out.</p>
<ul>
<li>
<p>8.2.1</p>
<ul>
<li>SECURITY: Load cassettes with a safe YAML loader, preventing
arbitrary code execution when a cassette from an untrusted source is
loaded (GHSA-rpj2-4hq8-938g) - thanks <a
href="https://github.com/RamiAltai"><code>@​RamiAltai</code></a> and <a
href="https://github.com/EQSTLab"><code>@​EQSTLab</code></a></li>
<li>Validate <code>record_mode</code> and raise a clear error on an
invalid value (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/208">#208</a>)</li>
<li>Recommend pytest-recording over the unmaintained pytest-vcr in the
docs (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/986">#986</a>)</li>
</ul>
</li>
<li>
<p>8.2.0</p>
<ul>
<li>Add support for httpx 2.x (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/993">#993</a>)
- thanks <a
href="https://github.com/dsfaccini"><code>@​dsfaccini</code></a></li>
<li>Patch httpx transports instead of httpcore (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/972">#972</a>)
- thanks <a
href="https://github.com/seowalex"><code>@​seowalex</code></a></li>
<li>Fix aiohttp 3.14 compatibility: <code>AsyncStreamReaderMixin</code>
removed and <code>ClientResponse</code> now requires
<code>stream_writer</code> (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/995">#995</a>)
- thanks <a
href="https://github.com/dsfaccini"><code>@​dsfaccini</code></a></li>
<li>Account for modified requests when storing played cassettes, so
<code>drop_unused_requests</code> honours
<code>before_record_request</code> filtering (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/962">#962</a>)
- thanks <a
href="https://github.com/jamesbraza"><code>@​jamesbraza</code></a></li>
<li>Make the request URL available on <code>VCRHTTPResponse</code> (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/976">#976</a>)
- thanks <a
href="https://github.com/dAnjou"><code>@​dAnjou</code></a></li>
<li>Improve error message when a matching request has already been
consumed (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/985">#985</a>)
- thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>Fix body check in <code>convert_body_to_unicode</code> to use an
explicit type check (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/982">#982</a>)
- thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>Add env proxy cassette regression test (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/994">#994</a>)
- thanks <a
href="https://github.com/tine1117"><code>@​tine1117</code></a></li>
<li>Remove milestone references from docs (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/984">#984</a>)
- thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/973">#973</a>)</li>
</ul>
</li>
<li>
<p>8.1.1</p>
<ul>
<li>Fix sync requests in async contexts for HTTPX (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/965">#965</a>)
- thanks <a
href="https://github.com/seowalex"><code>@​seowalex</code></a></li>
<li>CI: bump peter-evans/create-pull-request from 7 to 8 (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/969">#969</a>)</li>
</ul>
</li>
<li>
<p>8.1.0</p>
<ul>
<li>Enable brotli decompression if available (via <code>brotli</code>,
<code>brotlipy</code> or <code>brotlicffi</code>) (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/620">#620</a>)
- thanks <a
href="https://github.com/immerrr"><code>@​immerrr</code></a></li>
<li>Fix aiohttp allowing both <code>data</code> and <code>json</code>
arguments when one is None (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/624">#624</a>)
- thanks <a
href="https://github.com/leorochael"><code>@​leorochael</code></a></li>
<li>Fix usage of io-like interface with VCR.py (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/906">#906</a>)
- thanks <a href="https://github.com/tito"><code>@​tito</code></a> and
<a href="https://github.com/kevdevg"><code>@​kevdevg</code></a></li>
<li>Migrate to declarative Python package config (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/767">#767</a>)
- thanks <a
href="https://github.com/deronnax"><code>@​deronnax</code></a></li>
<li>Various linting fixes - thanks <a
href="https://github.com/jairhenrique"><code>@​jairhenrique</code></a></li>
<li>CI: bump actions/checkout from 5 to 6 (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/955">#955</a>)</li>
</ul>
</li>
<li>
<p>8.0.0</p>
<ul>
<li>BREAKING: Drop support for Python 3.9 (major version bump) - thanks
<a
href="https://github.com/jairhenrique"><code>@​jairhenrique</code></a></li>
<li>BREAKING: Drop support for urllib3 &lt; 2 - fixes CVE warnings from
urllib3 1.x (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/926">#926</a>,
<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/880">#880</a>)
- thanks <a
href="https://github.com/jairhenrique"><code>@​jairhenrique</code></a></li>
<li>New feature: <code>drop_unused_requests</code> option to remove
unused interactions from cassettes (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/763">#763</a>)
- thanks <a
href="https://github.com/danielnsilva"><code>@​danielnsilva</code></a></li>
<li>Rewrite httpx support to patch httpcore instead of httpx (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/943">#943</a>)
- thanks <a
href="https://github.com/seowalex"><code>@​seowalex</code></a>
<ul>
<li>Fixes <code>httpx.ResponseNotRead</code> exceptions (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/832">#832</a>,
<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/834">#834</a>)</li>
<li>Fixes <code>KeyError: 'follow_redirects'</code> (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/945">#945</a>)</li>
<li>Adds support for custom httpx transports</li>
</ul>
</li>
<li>Fix HTTPS proxy handling - proxy address no longer ends up in
cassette URIs (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/809">#809</a>,
<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/914">#914</a>)
- thanks <a href="https://github.com/alga"><code>@​alga</code></a></li>
<li>Fix <code>iscoroutinefunction</code> deprecation warning on Python
3.14 - thanks <a
href="https://github.com/kloczek"><code>@​kloczek</code></a></li>
<li>Only log message if response is appended - thanks <a
href="https://github.com/talfus-laddus"><code>@​talfus-laddus</code></a></li>
<li>Optimize urllib.parse calls - thanks <a
href="https://github.com/Martin-Brunthaler"><code>@​Martin-Brunthaler</code></a></li>
<li>Fix CI for Ubuntu 24.04 - thanks <a
href="https://github.com/hartwork"><code>@​hartwork</code></a></li>
<li>Various CI improvements: migrate to uv, update GitHub Actions -
thanks <a
href="https://github.com/jairhenrique"><code>@​jairhenrique</code></a></li>
<li>Various linting and test improvements - thanks <a
href="https://github.com/jairhenrique"><code>@​jairhenrique</code></a>
and <a
href="https://github.com/hartwork"><code>@​hartwork</code></a></li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="85312039e9"><code>8531203</code></a>
Release v8.2.1</li>
<li><a
href="045acb1b5f"><code>045acb1</code></a>
Use a safe YAML loader for cassettes to prevent code execution</li>
<li><a
href="de43f46247"><code>de43f46</code></a>
Fix lint failures from merged PRs (codespell + ruff UP032)</li>
<li><a
href="514c374796"><code>514c374</code></a>
Validate record_mode and raise a clear error on invalid values</li>
<li><a
href="b736cadd58"><code>b736cad</code></a>
docs: recommend pytest-recording over unmaintained pytest-vcr</li>
<li><a
href="06758c9879"><code>06758c9</code></a>
Release v8.2.0</li>
<li><a
href="6554837e02"><code>6554837</code></a>
Add env proxy cassette regression test (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/994">#994</a>)</li>
<li><a
href="62cf5e1272"><code>62cf5e1</code></a>
Accounting for modified requests when storing played cassettes, with a
test (...</li>
<li><a
href="13f201a820"><code>13f201a</code></a>
make url available in VCRHTTPResponse (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/976">#976</a>)</li>
<li><a
href="d57b55339e"><code>d57b553</code></a>
improve error message on repeated requestt (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/985">#985</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/kevin1024/vcrpy/compare/v8.1.1...v8.2.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=vcrpy&package-manager=uv&previous-version=8.1.1&new-version=8.2.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-19 22:10:39 -04:00
dependabot[bot]
f5a358d5e3 chore: bump langsmith from 0.8.9 to 0.8.18 in /libs/langchain_v1 (#38281)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from
0.8.9 to 0.8.18.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's
releases</a>.</em></p>
<blockquote>
<h2>v0.8.18</h2>
<h2>What's Changed</h2>
<ul>
<li>chore(deps-dev): bump vitest from 3.2.4 to 3.2.6 in /js by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3002">langchain-ai/langsmith-sdk#3002</a></li>
<li>chore(deps): bump pyjwt from 2.12.1 to 2.13.0 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3030">langchain-ai/langsmith-sdk#3030</a></li>
<li>chore(deps): bump python-multipart from 0.0.27 to 0.0.31 in /python
by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3036">langchain-ai/langsmith-sdk#3036</a></li>
<li>chore(deps): bump aiohttp from 3.14.0 to 3.14.1 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3037">langchain-ai/langsmith-sdk#3037</a></li>
<li>chore(deps): bump cryptography from 46.0.7 to 48.0.1 in /python by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3038">langchain-ai/langsmith-sdk#3038</a></li>
<li>chore(deps): bump starlette from 1.0.1 to 1.3.1 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3039">langchain-ai/langsmith-sdk#3039</a></li>
<li>chore(deps-dev): bump langchain-anthropic from 1.4.4 to 1.4.6 in
/python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3044">langchain-ai/langsmith-sdk#3044</a></li>
<li>chore(deps): bump the npm_and_yarn group across 4 directories with 4
updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3046">langchain-ai/langsmith-sdk#3046</a></li>
<li>chore(deps): bump the npm_and_yarn group across 2 directories with 2
updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3060">langchain-ai/langsmith-sdk#3060</a></li>
<li>test(python): fix integration assertions for updated attachment
error message by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3061">langchain-ai/langsmith-sdk#3061</a></li>
<li>chore: reconcile bumpversion config and mandate release process for
agents by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3062">langchain-ai/langsmith-sdk#3062</a></li>
<li>release(py): 0.8.18 by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3063">langchain-ai/langsmith-sdk#3063</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.17...v0.8.18">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.17...v0.8.18</a></p>
<h2>v0.8.17</h2>
<h2>What's Changed</h2>
<ul>
<li>feat: expose the resources from the generated openapi client in the
langsmith client by <a
href="https://github.com/sineha-mani"><code>@​sineha-mani</code></a> in
<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3018">langchain-ai/langsmith-sdk#3018</a></li>
<li>feat(js): port <code>isTracingEnabled</code> utility from Python by
<a href="https://github.com/dqbd"><code>@​dqbd</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3032">langchain-ai/langsmith-sdk#3032</a></li>
<li>Add sandbox mount support to JS SDK by <a
href="https://github.com/DanielKneipp"><code>@​DanielKneipp</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3010">langchain-ai/langsmith-sdk#3010</a></li>
<li>release(js): bump to 0.7.9 by <a
href="https://github.com/dqbd"><code>@​dqbd</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3035">langchain-ai/langsmith-sdk#3035</a></li>
<li>Add sandbox mount support to Python SDK by <a
href="https://github.com/DanielKneipp"><code>@​DanielKneipp</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3009">langchain-ai/langsmith-sdk#3009</a></li>
<li>docs: note that _openapi_client directories are auto-generated by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3034">langchain-ai/langsmith-sdk#3034</a></li>
<li>fix: update JS SDK type declarations with skipLibCheck disabled by
<a href="https://github.com/sineha-mani"><code>@​sineha-mani</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3043">langchain-ai/langsmith-sdk#3043</a></li>
<li>release(js): 0.7.10 by <a
href="https://github.com/dqbd"><code>@​dqbd</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3045">langchain-ai/langsmith-sdk#3045</a></li>
<li>feat: adding python async for online evals by <a
href="https://github.com/sineha-mani"><code>@​sineha-mani</code></a> in
<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3048">langchain-ai/langsmith-sdk#3048</a></li>
<li>Add sandbox Git mount SDK helpers by <a
href="https://github.com/DanielKneipp"><code>@​DanielKneipp</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3040">langchain-ai/langsmith-sdk#3040</a></li>
<li>fix: use insights tab in sdk report links [closes LSO-2936] by <a
href="https://github.com/eric-langchain"><code>@​eric-langchain</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3050">langchain-ai/langsmith-sdk#3050</a></li>
<li>feat(client): warn when backend version is below minimum required by
<a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3041">langchain-ai/langsmith-sdk#3041</a></li>
<li>chore: bump _MIN_BACKEND_VERSION to 0.16.5rc1 by <a
href="https://github.com/langtions-bot"><code>@​langtions-bot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3053">langchain-ai/langsmith-sdk#3053</a></li>
<li>fix(sandbox): use built-in gcp auth host matching by <a
href="https://github.com/DanielKneipp"><code>@​DanielKneipp</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3055">langchain-ai/langsmith-sdk#3055</a></li>
<li>chore(python): py to 0.8.17 by <a
href="https://github.com/sineha-mani"><code>@​sineha-mani</code></a> in
<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3056">langchain-ai/langsmith-sdk#3056</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/sineha-mani"><code>@​sineha-mani</code></a>
made their first contribution in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3018">langchain-ai/langsmith-sdk#3018</a></li>
<li><a
href="https://github.com/eric-langchain"><code>@​eric-langchain</code></a>
made their first contribution in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3050">langchain-ai/langsmith-sdk#3050</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.16...v0.8.17">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.16...v0.8.17</a></p>
<h2>v0.8.16</h2>
<h2>What's Changed</h2>
<ul>
<li>feat(py): add sync/async conversion for Sandbox and SandboxClient
[INF-0000] by <a
href="https://github.com/ramon-langchain"><code>@​ramon-langchain</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3019">langchain-ai/langsmith-sdk#3019</a></li>
<li>fix(experiments): extract keys from wrapped evaluator function by <a
href="https://github.com/shamikkarkhanis"><code>@​shamikkarkhanis</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3014">langchain-ai/langsmith-sdk#3014</a></li>
<li>chore: repoint <a
href="mailto:support@langchain.dev">support@langchain.dev</a> mentions
to the Support Portal by <a
href="https://github.com/lutan-langchain"><code>@​lutan-langchain</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3024">langchain-ai/langsmith-sdk#3024</a></li>
<li>fix(python): derive create_child run id from start_time [LSDK-220]
by <a
href="https://github.com/harisaiharish"><code>@​harisaiharish</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3027">langchain-ai/langsmith-sdk#3027</a></li>
<li>chore: sync langsmith_api by <a
href="https://github.com/langtions-bot"><code>@​langtions-bot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3020">langchain-ai/langsmith-sdk#3020</a></li>
<li>chore: js to 0.7.8 and py to 0.8.16 by <a
href="https://github.com/shamikkarkhanis"><code>@​shamikkarkhanis</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3029">langchain-ai/langsmith-sdk#3029</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="31c2bf650b"><code>31c2bf6</code></a>
release(py): 0.8.18 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3063">#3063</a>)</li>
<li><a
href="8955b68868"><code>8955b68</code></a>
chore: reconcile bumpversion config and mandate release process for
agents (#...</li>
<li><a
href="411401f6ca"><code>411401f</code></a>
test(python): fix integration assertions for updated attachment error
message...</li>
<li><a
href="9c5515620f"><code>9c55156</code></a>
Merge commit from fork</li>
<li><a
href="5b2bd8db3c"><code>5b2bd8d</code></a>
chore(deps): bump the npm_and_yarn group across 2 directories with 2
updates ...</li>
<li><a
href="d8642f9099"><code>d8642f9</code></a>
chore(deps): bump the npm_and_yarn group across 4 directories with 4
updates ...</li>
<li><a
href="953c2e5e25"><code>953c2e5</code></a>
chore(deps-dev): bump langchain-anthropic from 1.4.4 to 1.4.6 in /python
(<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3044">#3044</a>)</li>
<li><a
href="5513699e2d"><code>5513699</code></a>
chore(deps): bump starlette from 1.0.1 to 1.3.1 in /python (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3039">#3039</a>)</li>
<li><a
href="8becdefdf4"><code>8becdef</code></a>
chore(deps): bump cryptography from 46.0.7 to 48.0.1 in /python (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3038">#3038</a>)</li>
<li><a
href="1a9c522feb"><code>1a9c522</code></a>
chore(deps): bump aiohttp from 3.14.0 to 3.14.1 in /python (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3037">#3037</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.9...v0.8.18">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langsmith&package-manager=uv&previous-version=0.8.9&new-version=0.8.18)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-19 22:10:01 -04:00
Mason Daugherty
a807a9c7f6 release(langchain): 1.3.10 (#38255) 2026-06-18 15:40:20 -04:00
dependabot[bot]
921e370a67 chore: bump cryptography from 46.0.7 to 48.0.1 in /libs/langchain_v1 (#38176)
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.7
to 48.0.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's
changelog</a>.</em></p>
<blockquote>
<p>48.0.1 - 2026-06-09</p>
<pre><code>
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL
4.0.1.
<p>.. _v48-0-0:</p>
<p>48.0.0 - 2026-05-04<br />
</code></pre></p>
<ul>
<li>
<p><strong>BACKWARDS INCOMPATIBLE:</strong> Support for Python 3.8 has
been removed.
<code>cryptography</code> now requires Python 3.9 or later.</p>
</li>
<li>
<p><strong>BACKWARDS INCOMPATIBLE:</strong> Loading an X.509 CRL whose
inner
<code>TBSCertList.signature</code> algorithm does not match the outer
<code>signatureAlgorithm</code> now raises <code>ValueError</code>.
Previously, such CRLs
were parsed successfully and only rejected during signature
validation.</p>
</li>
<li>
<p>Added support for
:doc:<code>/hazmat/primitives/asymmetric/mlkem</code> and
:doc:<code>/hazmat/primitives/asymmetric/mldsa</code> when using OpenSSL
3.5.0 or
later, in addition to the existing AWS-LC and BoringSSL support. This
means
post-quantum algorithms are now available to users of our wheels.</p>
<ul>
<li><strong>Note:</strong> Going forward, we do not guarantee that all
functionality
in <code>cryptography</code> will be available when building against
OpenSSL. See :doc:<code>/statements/state-of-openssl</code> for more
information.</li>
</ul>
</li>
</ul>
<p>.. _v47-0-0:</p>
<p>47.0.0 - 2026-04-24</p>
<pre><code>
* Support for Python 3.8 is deprecated and will be removed in the next
  ``cryptography`` release.
* **BACKWARDS INCOMPATIBLE:** Support for binary elliptic curves
  (``SECT*`` classes) has been removed. These curves are rarely used and
  have additional security considerations that make them undesirable.
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.x has been
removed.
OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC
  continue to be supported.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL &lt; 4.1.
* **BACKWARDS INCOMPATIBLE:** Loading keys with unsupported algorithms
or
  keys with unsupported explicit curve encodings now raises
  :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of
  ``ValueError``. This change affects

:func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,

:func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,

:func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`,

:func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`,
  and :meth:`~cryptography.x509.Certificate.public_key` when called on
  certificates with unsupported public key algorithms.
&lt;/tr&gt;&lt;/table&gt; 
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="de987ce48c"><code>de987ce</code></a>
48.0.1 version bump and changelog (<a
href="https://redirect.github.com/pyca/cryptography/issues/14996">#14996</a>)</li>
<li><a
href="8e03e30e3a"><code>8e03e30</code></a>
bump for 48.0.0 release (<a
href="https://redirect.github.com/pyca/cryptography/issues/14796">#14796</a>)</li>
<li><a
href="295e0d254e"><code>295e0d2</code></a>
Add AGENTS.md with CLAUDE.md symlink (<a
href="https://redirect.github.com/pyca/cryptography/issues/14794">#14794</a>)</li>
<li><a
href="104a2de19e"><code>104a2de</code></a>
Bump BoringSSL, OpenSSL, AWS-LC in CI (<a
href="https://redirect.github.com/pyca/cryptography/issues/14793">#14793</a>)</li>
<li><a
href="67ec1e5198"><code>67ec1e5</code></a>
call check_length early on AesSiv::encrypt (<a
href="https://redirect.github.com/pyca/cryptography/issues/14792">#14792</a>)</li>
<li><a
href="b2da57a0d9"><code>b2da57a</code></a>
changelog for mldsa/mlkem for openssl (<a
href="https://redirect.github.com/pyca/cryptography/issues/14791">#14791</a>)</li>
<li><a
href="3cf44adee2"><code>3cf44ad</code></a>
ML-KEM OpenSSL support (<a
href="https://redirect.github.com/pyca/cryptography/issues/14781">#14781</a>)</li>
<li><a
href="2e31639666"><code>2e31639</code></a>
ML-DSA OpenSSL support (<a
href="https://redirect.github.com/pyca/cryptography/issues/14773">#14773</a>)</li>
<li><a
href="5affe5a286"><code>5affe5a</code></a>
fix rust nightly clippy (<a
href="https://redirect.github.com/pyca/cryptography/issues/14790">#14790</a>)</li>
<li><a
href="2e73ca448e"><code>2e73ca4</code></a>
bump rust-openssl dep and update EcPoint::mul_generator to
mul_generator2 (<a
href="https://redirect.github.com/pyca/cryptography/issues/1">#1</a>...</li>
<li>Additional commits viewable in <a
href="https://github.com/pyca/cryptography/compare/46.0.7...48.0.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=cryptography&package-manager=uv&previous-version=46.0.7&new-version=48.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-18 15:27:59 -04:00
dependabot[bot]
1aabc26836 chore: bump aiohttp from 3.14.0 to 3.14.1 in /libs/langchain_v1 (#38179)
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=aiohttp&package-manager=uv&previous-version=3.14.0&new-version=3.14.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-18 15:27:56 -04:00
Mason Daugherty
ae1c9418b5 fix(langchain): detect provider strategy for dated gpt-5.2/gpt-5.4 snapshots (#38222)
Closes #38220

---

Users calling `create_agent(..., response_format=<schema>)` with an
OpenAI model pinned to a dated snapshot (e.g. `gpt-5.4-2026-03-05`) were
silently downgraded from native structured output (`ProviderStrategy`)
to tool-calling (`ToolStrategy`). This changes runtime behavior: extra
tool-call traces, different token usage, and no provider-side schema
enforcement.

The cause is in `_supports_provider_strategy`'s fallback patterns: the
`gpt-5.2` and `gpt-5.4` base patterns terminated with `($|[/:])`, which
— unlike their sibling families — rejected a trailing `-`, so OpenAI's
`-YYYY-MM-DD` dated-snapshot suffix matched none of the patterns. The
base patterns were deliberately strict to keep
`gpt-5.2-pro`/`gpt-5.4-pro` blocked, so rather than allowing any
trailing `-` (which would re-admit those `-pro` variants) this change
adds an optional dated-snapshot group `(-\d{4}-\d{2}-\d{2})?`. Dated
snapshots now resolve to `ProviderStrategy` while `-pro` variants stay
blocked.

Made by [Open
SWE](https://openswe.vercel.app/agents/c5ebcb29-8ce5-dda0-73f6-198e49f0c36c)

Co-authored-by: open-swe[bot] <open-swe@users.noreply.github.com>
2026-06-17 16:29:08 -04:00
dependabot[bot]
86add86562 chore: bump pyjwt from 2.12.0 to 2.13.0 in /libs/langchain_v1 (#38168)
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.12.0 to 2.13.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jpadilla/pyjwt/releases">pyjwt's
releases</a>.</em></p>
<blockquote>
<h2>2.13.0</h2>
<h1>PyJWT 2.13.0 — Security Release</h1>
<p>This release bundles five security fixes plus three additional
hardening / spec-compliance changes. We recommend all users upgrade.</p>
<h2>Security</h2>
<ul>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx"><code>GHSA-xgmm-8j9v-c9wx</code></a>
— JWK JSON accepted as HMAC secret (algorithm confusion).</strong>
<code>HMACAlgorithm.prepare_key</code> previously rejected PEM- and
SSH-formatted asymmetric keys but did not catch a JWK passed as a raw
JSON string. In a verifier configured with both symmetric and asymmetric
algorithms in <code>algorithms=[…]</code> and a raw-JSON JWK as the key,
an attacker could forge HS256 tokens using the JWK text as the HMAC
secret. The guard has been extended to reject any JWK-shaped JSON.
<em>Reported by <a
href="https://github.com/aradona91"><code>@​aradona91</code></a>.</em></p>
</li>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f"><code>GHSA-jq35-7prp-9v3f</code></a>
— Algorithm allow-list bypass with <code>PyJWK</code> /
<code>PyJWKClient</code>.</strong> When verifying with a
<code>PyJWK</code>, the caller's <code>algorithms=[…]</code> allow-list
was checked against the token header <code>alg</code> as a string only;
actual verification used the algorithm bound to the <code>PyJWK</code>.
An attacker who controlled a registered JWKS key could sign with one
algorithm and advertise another on the header. PyJWT now requires the
token header <code>alg</code> to match the <code>PyJWK</code>'s
algorithm before verification. <em>Reported by <a
href="https://github.com/sushi-gif"><code>@​sushi-gif</code></a>.</em></p>
</li>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39"><code>GHSA-w7vc-732c-9m39</code></a>
— DoS via base64 decode of unused payload segment when
<code>b64=false</code>.</strong> For detached-payload JWS
(<code>b64=false</code>), the compact-form payload segment was
base64-decoded before being discarded in favor of the caller-supplied
<code>detached_payload</code>. An attacker could inflate the unused
segment to force CPU + memory cost without holding a valid signature.
The segment is now required to be empty per RFC 7515 Appendix F, and is
no longer decoded. <em>Reported by <a
href="https://github.com/thesmartshadow"><code>@​thesmartshadow</code></a>.</em></p>
</li>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4"><code>GHSA-993g-76c3-p5m4</code></a>
— <code>PyJWKClient</code> accepts non-HTTP(S) URIs.</strong>
<code>PyJWKClient.fetch_data</code> passed its URI to
<code>urllib.request.urlopen</code>, which by default also handles
<code>file://</code>, <code>ftp://</code>, and <code>data:</code>
schemes. An application that fed an attacker-influenced URI into
<code>PyJWKClient</code> could be coerced into reading local files or
reaching other unintended schemes. <code>PyJWKClient</code> now rejects
any URI whose scheme isn't <code>http</code> or <code>https</code>.
<em>Reported by <a
href="https://github.com/KEIJOT"><code>@​KEIJOT</code></a>.</em></p>
</li>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8"><code>GHSA-fhv5-28vv-h8m8</code></a>
— <code>PyJWKClient</code> cache wiped on fetch error.</strong> A
<code>finally</code>-block <code>put(jwk_set=None)</code> cleared the
JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint
outage into application-wide auth failure. The cache write was moved
into the success path; transient errors no longer evict valid cached
keys. <em>Reported by <a
href="https://github.com/eddieran"><code>@​eddieran</code></a>.</em></p>
</li>
</ul>
<h2>Fixed</h2>
<ul>
<li>Reject empty HMAC keys outright in
<code>HMACAlgorithm.prepare_key</code> with <code>InvalidKeyError</code>
instead of accepting them with only a warning. Defends against the
<code>os.getenv(&quot;JWT_SECRET&quot;, &quot;&quot;)</code> footgun.
<em>Thanks to <a
href="https://github.com/SnailSploit"><code>@​SnailSploit</code></a> and
<a href="https://github.com/spartan8806"><code>@​spartan8806</code></a>
for the reports.</em></li>
<li>Forward per-call <code>options</code> (including
<code>enforce_minimum_key_length</code>) from <code>PyJWT.decode</code>
through to <code>PyJWS._verify_signature</code>. The option was
previously silently dropped between the two layers, so it only took
effect when set on the <code>PyJWT</code> instance. <em>Thanks to <a
href="https://github.com/WLUB"><code>@​WLUB</code></a> for the
report.</em></li>
<li><strong>RFC 7797 §3 compliance for <code>b64=false</code>:</strong>
the encoder now auto-adds <code>&quot;b64&quot;</code> to
<code>crit</code>, and the decoder rejects tokens that set
<code>b64=false</code> without listing it in <code>crit</code>.
<em>Thanks to <a
href="https://github.com/MachineLearning-Nerd"><code>@​MachineLearning-Nerd</code></a>
for the report.</em></li>
</ul>
<h2>Changed</h2>
<ul>
<li>Migrate the <code>dev</code>, <code>docs</code>, and
<code>tests</code> package extras to dependency groups, by <a
href="https://github.com/kurtmckee"><code>@​kurtmckee</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1152">#1152</a>.</li>
</ul>
<h2>Upgrade notes</h2>
<p>Most fixes are invisible to correctly-configured callers. A few
behavioral changes you may encounter:</p>
<ul>
<li><strong>Empty HMAC keys now raise.</strong> If your app passed
<code>&quot;&quot;</code> or <code>b&quot;&quot;</code> as a secret
(often via a missing env var, e.g.
<code>os.getenv(&quot;JWT_SECRET&quot;, &quot;&quot;)</code>),
<code>encode</code>/<code>decode</code> will now raise
<code>InvalidKeyError</code>. This is the intended behavior — fix the
configuration.</li>
<li><strong><code>PyJWK</code> decoding now requires the token's
<code>alg</code> to match the JWK's algorithm.</strong> Previously a
mismatch was silently honored if the header <code>alg</code> appeared in
the allow-list. Tokens that relied on this mismatch will now fail with
<code>InvalidAlgorithmError</code>.</li>
<li><strong><code>PyJWKClient</code> now rejects non-HTTP(S) URIs at
construction time.</strong> Tests or dev environments that fetched JWKS
from <code>file://</code> URIs need to switch to a local HTTP server or
load the JWKS by other means (e.g. construct
<code>PyJWKSet.from_dict(...)</code> directly).</li>
<li><strong><code>b64=false</code> tokens are now strictly RFC 7515 /
7797 compliant.</strong> Tokens with a non-empty compact-form payload
segment, or that omit <code>&quot;b64&quot;</code> from
<code>crit</code>, will be rejected. PyJWT-produced tokens always
satisfy both invariants, so round-trips through PyJWT are
unaffected.</li>
<li><strong><code>enforce_minimum_key_length</code> set per-call now
takes effect.</strong> Callers who passed
<code>options={&quot;enforce_minimum_key_length&quot;: True}</code> to
<code>jwt.decode()</code> previously got no enforcement; they will now
get <code>InvalidKeyError</code> on undersized keys, as documented.</li>
</ul>
<p><strong>Full changelog:</strong> <a
href="https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0">https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0</a></p>
<h2>2.12.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Add typing_extensions dependency for Python &lt; 3.11 by <a
href="https://github.com/jpadilla"><code>@​jpadilla</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1151">jpadilla/pyjwt#1151</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1">https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst">pyjwt's
changelog</a>.</em></p>
<blockquote>
<h2><code>v2.13.0
&lt;https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0&gt;</code>__</h2>
<p>Security</p>
<pre><code>
- Reject JWK JSON documents passed as raw HMAC secrets in
  ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that
  the existing PEM/SSH guard did not cover. Reported by @aradona91 in
`GHSA-xgmm-8j9v-c9wx
&lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx&gt;`__.
- Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during
  verification so the caller's ``algorithms=[...]`` allow-list cannot be
bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported
by @sushi-gif in `GHSA-jq35-7prp-9v3f
&lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f&gt;`__.
- Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker-
influenced URIs cannot read local files or reach unintended schemes via
urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported
by @KEIJOT in `GHSA-993g-76c3-p5m4
&lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4&gt;`__.
- Preserve the cached JWK Set on fetch errors in
``PyJWKClient.fetch_data``.
  The previous ``finally``-block ``put(None)`` pattern cleared the cache
on any transient outage, turning one bad JWKS request into application-
wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8
&lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8&gt;`__.
- Skip the unconditional base64 decode of the compact-form payload
segment
  when ``b64=false`` is set in the protected header, and require that
  segment to be empty (RFC 7515 Appendix F detached form). Closes an
  unauthenticated DoS amplifier. Reported by @thesmartshadow in
`GHSA-w7vc-732c-9m39
&lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39&gt;`__.
<p>Fixed</p>
<pre><code>
- Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with
  ``InvalidKeyError`` instead of accepting them with only a warning.
  Thanks to @SnailSploit and @spartan8806 for independently flagging the
  footgun.
- Forward per-call ``options`` (including
``enforce_minimum_key_length``)
  from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the
option actually takes effect when set at the call site rather than only
  on the ``PyJWT`` instance. Thanks to @WLUB for the report.
- RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds
``&amp;quot;b64&amp;quot;`` to the ``crit`` header parameter, and the
decoder rejects
tokens that set ``b64=false`` without listing it in ``crit``. Thanks to
  @MachineLearning-Nerd for the report.

Changed
</code></pre>
<ul>
<li>Migrate the <code>dev</code>, <code>docs</code>, and
<code>tests</code> package extras to dependency groups by <a
href="https://github.com/kurtmckee"><code>@​kurtmckee</code></a> in
<code>[#1152](https://github.com/jpadilla/pyjwt/issues/1152)
&amp;lt;https://github.com/jpadilla/pyjwt/pull/1152&amp;gt;</code>__</li>
</ul>
<p><code>v2.12.1
&amp;lt;https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1&amp;gt;</code>__
&lt;/tr&gt;&lt;/table&gt;
</code></pre></p>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7144e4534c"><code>7144e45</code></a>
Apply ruff format</li>
<li><a
href="d2f4bec496"><code>d2f4bec</code></a>
Restore <code>cast()</code> calls with cross-version <code>type:
ignore</code> for <code>prepare_key</code></li>
<li><a
href="22f478cebd"><code>22f478c</code></a>
Remove redundant casts in <code>RSAAlgorithm.prepare_key</code> and
`ECAlgorithm.prepare...</li>
<li><a
href="95791b1759"><code>95791b1</code></a>
Bundle security fixes and hardening into 2.13.0</li>
<li><a
href="dcc27a9d31"><code>dcc27a9</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1155">#1155</a>)</li>
<li><a
href="9d08a9a189"><code>9d08a9a</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1146">#1146</a>)</li>
<li><a
href="b87c10014d"><code>b87c100</code></a>
Bump codecov/codecov-action from 5 to 6 (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1154">#1154</a>)</li>
<li><a
href="40e3147eb5"><code>40e3147</code></a>
Migrate development extras to dependency groups (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1152">#1152</a>)</li>
<li><a
href="a4e1a3d121"><code>a4e1a3d</code></a>
Add typing_extensions dependency for Python &lt; 3.11 (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1151">#1151</a>)</li>
<li>See full diff in <a
href="https://github.com/jpadilla/pyjwt/compare/2.12.0...2.13.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pyjwt&package-manager=uv&previous-version=2.12.0&new-version=2.13.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-15 14:53:05 -04:00
Mason Daugherty
879cad0676 release(openai): 1.3.2 (#38130) 2026-06-13 01:34:56 -04:00
Mason Daugherty
9e6f58ba46 hotfix(openai): switch version (#38123) 2026-06-12 22:21:34 -04:00
Mason Daugherty
8180a09dd7 release(openai): 1.4.0 (#38120) 2026-06-12 21:52:20 -04:00
Mason Daugherty
86ce95afc2 test(core,langchain): update tests for explicit deserialization allowlists (#38118)
Core serialization tests now opt into the object allowlists they rely on
instead of assuming default deserialization permits core objects.
Compatibility tests that intentionally exercise deprecated runnable
streaming and history APIs also suppress the expected deprecation
warnings so they can keep covering those legacy paths cleanly.

## Changes
- Updated serialization and prompt round-trip tests to pass
`allowed_objects="core"` or targeted allowlists when loading
`AIMessage`, prompt templates, structured prompts, runnable maps, and
related core objects.
- Adjusted secret-injection regression coverage to keep testing
`secrets_from_env=True` behavior while explicitly allowing core
deserialization paths.
- Tightened prompt deserialization rejection tests so attribute-access
payloads are loaded only through the specific prompt-template allowlist
needed to reach validation.
- Added module-level warning filters around legacy runnable
compatibility coverage for `astream_log`,
`astream_events(version="v1")`, and `RunnableWithMessageHistory`.
- Bumped the `langchain` package's minimum `langgraph` dependency from
`1.2.4` to `1.2.5`.

## Testing
- Updated unit tests across core serialization, prompt, fake chat model,
runnable history, and runnable event coverage.
2026-06-12 16:49:14 -04:00
Mason Daugherty
4108c0738c release(core): 1.4.7 (#38111)
Bumps `langchain-core` to `1.4.7` for the next patch release and updates
downstream minimum `langchain-core` requirements so package locks
resolve against the new core version.

This also refreshes the runnable snapshots that embed `lc_versions`
metadata so the version consistency check continues to validate
checked-in artifacts.

Validated with `python libs/core/scripts/check_version.py`, `uv lock
--check` across package lockfiles, and the core runnable tests that own
the updated snapshots with local LangSmith tracing env disabled.
2026-06-12 14:54:25 -04:00
Nick Hollon
c9f98c1bcd release(anthropic): 1.4.6 (#38105) 2026-06-12 12:50:59 -04:00
Nick Hollon
3bfb6a33e7 release(langchain): 1.3.9 (#38104) 2026-06-12 12:50:23 -04:00
Mason Daugherty
f6d63bc9f3 release(langchain): 1.3.8 (#38096) 2026-06-12 00:17:58 -04:00
Mason Daugherty
05cc55f1bc release(core): 1.4.6 (#38061) 2026-06-11 02:58:40 -04:00
Christophe Bornet
1de100f278 chore(infra): bump mypy to 2.1 and unify type-check config across the monorepo (#36470)
Originally a narrow bump of mypy to `1.20` in four packages. Expanded to
get the whole monorepo onto a single, current mypy and a consistent
type-check configuration, so contributors no longer hit different mypy
versions and divergent behavior depending on which package they touch.

### What changed

- **Unified the mypy pin to `>=2.1.0,<2.2.0`** in every mypy-using
package (6 libs + 14 partners), replacing the previously scattered pins
(`1.10`/`1.17`/`1.18`/`1.19`/`1.20`, with assorted upper bounds).
- **Unified the `[tool.mypy]` base per tier:**
- libs: `plugins = ["pydantic.mypy"]`, `strict = true`,
`enable_error_code = "deprecated"`, `warn_unreachable = true`
  - partners: `disallow_untyped_defs = true`
- Normalized style (`disallow_untyped_defs = "True"` string → bool,
quote/key consistency).
- **Fixed the 20 real errors** mypy 2.1 surfaces: `redundant-cast` from
improved narrowing (`core`, `langchain-classic`), a `var-annotated` for
`_LOGGED`, a return-type widening in `langchain-groq`'s
`_convert_from_v1_to_groq` (it can legitimately return a bare `str`),
and stale `type-arg`/`unused-ignore` in `langchain-model-profiles`
tests.

### Deliberate non-uniformity (documented inline in the relevant
`pyproject.toml`s)

Going fully byte-identical would surface ~196 additional errors that are
*not* real bugs, so two settings are kept package-appropriate:

- **`warn_unreachable`** is enabled on every strict lib **except
`core`**, where it false-flags intentional defensive code — including
the SSRF / IP-policy guards in `_security/` — as unreachable.
- **`pydantic.mypy` plugin** is used only on `anthropic` and
`perplexity` (their code is authored against it and reports ~99/~132
errors without it). It is *not* added to the other partners, where it
only flags the public alias constructor API (e.g. `ChatGroq(model=...)`)
in tests rather than finding bugs.
- **`ollama`** is left on its `ty` type checker; it does not use mypy.

---------

Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-06-11 00:24:59 -04:00
Mason Daugherty
e989c869a4 release(anthropic): 1.4.5 (#38036) 2026-06-10 17:38:01 -04:00
Mason Daugherty
8ac91e3f5f hotfix(core): bump lockfile(s) (#38032) 2026-06-10 17:05:23 -04:00
Mason Daugherty
3d3a4c27cc release(langchain): 1.3.7 (#38024) 2026-06-10 14:17:49 -04:00
Mason Daugherty
e16386d3b2 release(langchain): 1.3.6 (#38001) 2026-06-09 20:50:17 -04:00
Mason Daugherty
90b2f94583 release(langchain): 1.3.5 (#37998) 2026-06-09 19:54:27 -04:00
Mason Daugherty
c0103c3d2c hotfix(openai): min core dep (#37990) 2026-06-09 16:32:08 -04:00
Nidhi Rajani
0f45b2c285 feat(openai): support apply_patch built-in tool (#37157)
[Docs](https://github.com/langchain-ai/docs/pull/4370)

Fixes #37031

Adds support for OpenAI Responses API `apply_patch` built-in tool.

This PR:
- Adds `apply_patch` to the OpenAI well-known tools list so
`bind_tools([{"type": "apply_patch"}])` works.
- Preserves `apply_patch_call` and `apply_patch_call_output` items when
converting OpenAI Responses API outputs into LangChain
`AIMessage.content`.
- Preserves the same item types in streaming `AIMessageChunk`
conversion.
- Supports round-trip input conversion for `apply_patch_call` and
`apply_patch_call_output`.
- Adds unit tests for core tool passthrough, non-streaming conversion,
streaming conversion, and round-trip input conversion.

## Testing

- `cd libs/core && uv run --group test pytest
tests/unit_tests/utils/test_function_calling.py -k "apply_patch" -vv`
- `cd libs/partners/openai && uv run --group test pytest
tests/unit_tests/chat_models/test_base.py -k "apply_patch" -vv`
- `cd libs/core && uv run --all-groups ruff check
langchain_core/utils/function_calling.py
tests/unit_tests/utils/test_function_calling.py`
- `cd libs/partners/openai && uv run --all-groups ruff check
langchain_openai/chat_models/base.py
tests/unit_tests/chat_models/test_base.py`

---------

Co-authored-by: Mason Daugherty <github@mdrxy.com>
Co-authored-by: Mason Daugherty <mason@langchain.dev>
2026-06-09 16:13:37 -04:00
dependabot[bot]
8fed1dd641 chore: bump pyarrow from 21.0.0 to 23.0.1 in /libs/langchain_v1 (#37930)
Bumps [pyarrow](https://github.com/apache/arrow) from 21.0.0 to 23.0.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/apache/arrow/releases">pyarrow's
releases</a>.</em></p>
<blockquote>
<h2>Apache Arrow 23.0.1</h2>
<p>Release Notes URL: <a
href="https://arrow.apache.org/release/23.0.1.html">https://arrow.apache.org/release/23.0.1.html</a></p>
<h2>Apache Arrow 23.0.1 RC0</h2>
<p>Release Notes: Release Candidate: 23.0.1 RC0</p>
<h2>Apache Arrow 23.0.0</h2>
<p>Release Notes URL: <a
href="https://arrow.apache.org/release/23.0.0.html">https://arrow.apache.org/release/23.0.0.html</a></p>
<h2>Apache Arrow 23.0.0 RC2</h2>
<p>Release Notes: Release Candidate: 23.0.0 RC2</p>
<h2>Apache Arrow 22.0.0</h2>
<p>Release Notes URL: <a
href="https://arrow.apache.org/release/22.0.0.html">https://arrow.apache.org/release/22.0.0.html</a></p>
<h2>Apache Arrow 22.0.0 RC1</h2>
<p>Release Notes: Release Candidate: 22.0.0 RC1</p>
<h2>Apache Arrow 22.0.0 RC0</h2>
<p>Release Notes: Release Candidate: 22.0.0 RC0</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="82a374e5f3"><code>82a374e</code></a>
MINOR: [Release] Update versions for 23.0.1</li>
<li><a
href="c1ae37c4a5"><code>c1ae37c</code></a>
MINOR: [Release] Update .deb/.rpm changelogs for 23.0.1</li>
<li><a
href="8f6e55736f"><code>8f6e557</code></a>
MINOR: [Release] Update CHANGELOG.md for 23.0.1</li>
<li><a
href="4e16a1aeed"><code>4e16a1a</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49159">GH-49159</a>:
[C++][Gandiva] Detect overflow in repeat() (<a
href="https://redirect.github.com/apache/arrow/issues/49160">#49160</a>)</li>
<li><a
href="985621dbfc"><code>985621d</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/48817">GH-48817</a>
[R][C++] Bump C++20 in R build infrastructure (<a
href="https://redirect.github.com/apache/arrow/issues/48819">#48819</a>)</li>
<li><a
href="1bea06ad4e"><code>1bea06a</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49024">GH-49024</a>:
[CI] Update Debian version in <code>.env</code> (<a
href="https://redirect.github.com/apache/arrow/issues/49032">#49032</a>)</li>
<li><a
href="147bcd6d8f"><code>147bcd6</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49156">GH-49156</a>:
[Python] Require GIL for string comparison (<a
href="https://redirect.github.com/apache/arrow/issues/49161">#49161</a>)</li>
<li><a
href="e4f922b162"><code>e4f922b</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49138">GH-49138</a>:
[Packaging][Python] Remove nightly cython install from manylinux
wh...</li>
<li><a
href="f9376e4721"><code>f9376e4</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49003">GH-49003</a>:
[C++] Don't consider <code>out_of_range</code> an error in float parsing
(<a
href="https://redirect.github.com/apache/arrow/issues/49095">#49095</a>)</li>
<li><a
href="ab2c0ad6b2"><code>ab2c0ad</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49044">GH-49044</a>:
[CI][Python] Fix test_download_tzdata_on_windows by adding
required...</li>
<li>Additional commits viewable in <a
href="https://github.com/apache/arrow/compare/apache-arrow-21.0.0...apache-arrow-23.0.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pyarrow&package-manager=uv&previous-version=21.0.0&new-version=23.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: John Kennedy <65985482+jkennedyvz@users.noreply.github.com>
2026-06-07 20:20:00 +00:00
John Kennedy
bae485bd5e chore: bump dependencies (#37892)
## Summary
- Bump `langsmith` in `libs/partners/huggingface/uv.lock` from 0.7.31 to
0.8.9
- Bump `langchain-classic` in `libs/langchain_v1/uv.lock` from 1.0.0 to
1.0.7
- Bump transitive `langsmith` in `libs/langchain_v1/uv.lock` from 0.8.0
to 0.8.9

## Notes
- The open Chroma alert currently has no patched version in GitHub
Dependabot metadata. `chromadb` is already at 1.5.9 on `master`, and
PyPI shows 1.5.9 as the latest available release.

## Testing
- `uv lock --check` in `libs/partners/huggingface`
- `uv lock --check` in `libs/langchain_v1`
- `uv lock --check` in `libs/partners/chroma`
- `git diff --check`
2026-06-03 20:29:57 -07:00
dependabot[bot]
1a2dcdeee9 chore: bump aiohttp from 3.13.4 to 3.14.0 in /libs/langchain_v1 (#37888)
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=aiohttp&package-manager=uv&previous-version=3.13.4&new-version=3.14.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: John Kennedy <65985482+jkennedyvz@users.noreply.github.com>
2026-06-04 03:05:18 +00:00
Mason Daugherty
eb2dabb8b7 release(langchain): 1.3.4 (#37861) 2026-06-02 16:02:36 -04:00
Nick Hollon
14b1a243e5 release(langchain): 1.3.3 (#37843) 2026-06-02 14:17:53 -04:00
Nick Hollon
eb1f731aee chore(langchain): bump langgraph to 1.2.4 (#37857) 2026-06-02 13:36:35 -04:00
Nick Hollon
dfca7f4424 feat(langchain): project subagent runs onto typed run.subagents channel (#37739) 2026-06-01 16:28:09 -04:00
Sydney Runkle
7bb4130c7d chore(langchain): bump to 1.3.2, require langgraph>=1.2.2 (#37703)
- Bumps `langchain` to **1.3.2** (patch)
- Raises minimum `langgraph` requirement from `>=1.2.1` to `>=1.2.2`

langgraph 1.2.2 fixes a race condition where DeltaChannel checkpoint
writes
could serialize `BaseMessage` objects with `id=None` before
`apply_writes()`
ran the reducer, causing the same message to appear with a different ID
on
every `get_state()` call and across resumed invocations
(langchain-ai/langgraph#7913).

The lockfile will be updated once langgraph 1.2.2 is published to PyPI
(langchain-ai/langgraph#7914).
2026-05-26 14:16:06 -04:00
Nick Hollon
d08245f70d feat(langchain): redact streamed PII in flight on PIIMiddleware (#37616)
`PIIMiddleware` previously scrubbed detected PII only at the state level
via its `after_model` / `before_model` hooks. Consumers reading the live
stream — `astream_events(version="v3")` or `run.messages` /
`run.tool_calls` / `run.values` — saw the raw model text, the raw
tool-call args, the raw tool outputs, and the raw state snapshots until
the run finished and the canonical conversation history was written.
This change registers a stream transformer ahead of
`MessagesTransformer` that redacts every wire surface of an agent run.

The transformer holds a sliding lookback buffer (default 128 characters)
per `(run_id, content-block index)` so PII patterns that straddle delta
boundaries are caught before the safe prefix is released downstream.
Anything older than the lookback is run through the configured detector
and emitted; the trailing tail stays buffered until a later delta
extends it past the cap or the block finishes. `_finalize_block` always
re-runs detection over the full block snapshot so the finalized content
lands fully redacted even when the in-flight buffer never released a
tail (short responses, or PII arriving in the final delta).

The `block` strategy is now supported on the streaming path via a
buffering mode that withholds every delta until the block resolves —
clean blocks release the full text at finalize, PII-bearing blocks zero
the wire and let `after_model` / `apply_to_tool_results` raise
`PIIDetectionError` on the original state message. Activation is gated
on `apply_to_output=True`, matching the existing post-hoc semantics. The
middleware's transformer factory is cloned by `StreamMux._make_child`
into every subgraph scope, so attaching `PIIMiddleware` at the outer
agent also redacts streamed deltas from sub-agents invoked inside tools.

## Tool-call and tools-channel coverage

The transformer covers every wire surface of an agent run, not just AI
message text:

- **Streamed AI text deltas** (`content-block-delta` of type
`text-delta`) — lookback machinery, redacted in place.
- **Streamed tool-call args** (`content-block-delta` with
`tool_call_chunk` / `server_tool_call_chunk` fields) — each delta
carries the full cumulative args string; detection runs on the field
directly and redacts in place. Verified empirically against
`_compat_bridge.py` and the consumer-side
`_merge_block_delta_into_store` snapshot-replace semantics.
- **Finalized tool-call blocks** (`content-block-finish` with
`tool_call` / `server_tool_call` / `invalid_tool_call`) — `args` dict
walked recursively and each string leaf redacted.
- **Tool execution events on the `tools` channel** —
`tool-started.input`, `tool-output-delta`, `tool-finished.output`,
`tool-error.message` all run through detection. String deltas use the
same lookback machinery as text-deltas keyed by `tool_call_id`;
structured payloads walk recursively.
- **State snapshots on the `values` channel** — message lists are walked
and each message's `.content` is redacted on a fresh copy. Graph state
itself stays intact for the state-level enforcer
(`apply_to_tool_results` via `before_model`) to act on independently.
- **Legacy `(BaseMessage, metadata)` payloads** on the `messages`
channel (Python 3.10 path, where `langgraph`'s `ASYNCIO_ACCEPTS_CONTEXT
= sys.version_info >= (3, 11)` falls back to a code path that doesn't
propagate the streaming callback into the chat model) — `.content` and
`AIMessage.tool_calls[*].args` are scrubbed. For `block`, the event's
`data` tuple is replaced with an empty-content copy so the original
message stays in state for `after_model` to raise on.

## Worth a careful look

- `_PIIStreamTransformer._mutate_text_delta` — lookback partition.
Anything older than `lookback` characters is released after redaction;
the tail stays buffered. Bulletproof against whitespace-permissive
detectors (notably `credit_card`, whose regex matches across spaces).
- `_PIIStreamTransformer._mutate_tool_call_chunk_delta` — direct
in-place redaction of the cumulative args string. No buffer; the wire
shape is cumulative-snapshot, the consumer-side merge is
replace-not-append.
- `_PIIStreamTransformer._mutate_legacy_payload` — the dual path:
mutate-in-place for non-`block` (idempotent with `after_model`),
replace-with-empty-copy for `block` (keeps original in graph state for
`after_model` to raise on).
- `_PIIStreamTransformer._redact_value` — the recursive walker.
`BaseMessage` branch returns a fresh `.content`-redacted copy via
`model_copy(update=...)` — never mutates in place — so tool-output
payloads that wrap a `ToolMessage` and message lists in state snapshots
flow through cleanly.
- The new `transformers` attribute on `PIIMiddleware`: this is what
makes `create_agent` pick the factory up. Multiple `PIIMiddleware`
instances each register one transformer; ordering is preserved within
the `before_builtins` lane.

## Compatibility

Bumps `langgraph` to `>=1.2.1` for the `before_builtins` opt-in on
`StreamTransformer`.
2026-05-22 17:27:02 -04:00
Mason Daugherty
ebc1880444 release(standard-tests): 1.1.9 (#37609) 2026-05-21 13:22:16 -05:00
dependabot[bot]
32556a0611 chore: bump idna from 3.11 to 3.15 in /libs/langchain_v1 (#37534)
Bumps [idna](https://github.com/kjd/idna) from 3.11 to 3.15.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/kjd/idna/blob/master/HISTORY.md">idna's
changelog</a>.</em></p>
<blockquote>
<h2>3.15 (2026-05-12)</h2>
<ul>
<li>Enforce DNS-length cap on individual labels early in
<code>check_label</code>,
short-circuiting contextual-rule processing for oversized input
while staying compatible with UTS 46 usage.</li>
<li>Tidy core helpers: hoist bidi category sets to module-level
frozensets (avoiding per-codepoint list construction), simplify
length checks, and reuse the shared <code>_unicode_dots_re</code> from
<code>idna.core</code> in the codec module.</li>
<li>Use <code>raise ... from err</code> for proper exception chaining
and
switch internal string formatting to f-strings.</li>
<li>Allow <code>flit_core</code> 4.x in the build backend.</li>
<li>Expand the ruff lint set (flake8-bugbear, flake8-simplify,
pyupgrade, perflint) and apply the surfaced fixes; pin lint CI
to Python 3.14.</li>
<li>Add Dependabot configuration for GitHub Actions.</li>
<li>Convert README and HISTORY from reStructuredText to Markdown.</li>
<li>Reference CVE-2026-45409 for the 3.14 advisory in place of the
initial GHSA identifier.</li>
</ul>
<p>Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for
contributions to this release.</p>
<h2>3.14 (2026-05-10)</h2>
<ul>
<li>Removed opportunity to process long inputs into quadratic
time by rejecting oversize inputs up-front. Closes a bypass
of the CVE-2024-3651 mitigation. [CVE-2026-45409]</li>
</ul>
<p>Thanks to Stan Ulbrych for reporting the issue.</p>
<h2>3.13 (2026-04-22)</h2>
<ul>
<li>Correct classification error for codepoint U+A7F1</li>
</ul>
<h2>3.12 (2026-04-21)</h2>
<ul>
<li>Update to Unicode 17.0.0.</li>
<li>Issue a deprecation warning for the transitional argument.</li>
<li>Added lazy-loading to provide some performance improvements.</li>
<li>Removed vestiges of code related to Python 2 support, including
segmentation of data structures specific to Jython.</li>
</ul>
<p>Thanks to Rodrigo Nogueira for contributions to this release.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="af30a092e1"><code>af30a09</code></a>
Release 3.15</li>
<li><a
href="30314d4628"><code>30314d4</code></a>
Pre-release 3.15rc0</li>
<li><a
href="05d4b219aa"><code>05d4b21</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/237">#237</a> from
kjd/convert-docs-to-markdown</li>
<li><a
href="2987fdba19"><code>2987fdb</code></a>
Convert README and HISTORY from reStructuredText to Markdown</li>
<li><a
href="59fa8002d5"><code>59fa800</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/236">#236</a> from
kjd/dependabot/github_actions/actions-f3e34333ea</li>
<li><a
href="def69834ce"><code>def6983</code></a>
Merge branch 'master' into
dependabot/github_actions/actions-f3e34333ea</li>
<li><a
href="bbd8004a79"><code>bbd8004</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/234">#234</a> from
StanFromIreland/patch-1</li>
<li><a
href="edd07c0502"><code>edd07c0</code></a>
Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions
group</li>
<li><a
href="5557db030c"><code>5557db0</code></a>
Merge branch 'master' into patch-1</li>
<li><a
href="f11746cf49"><code>f11746c</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/235">#235</a> from
StanFromIreland/patch-2</li>
<li>Additional commits viewable in <a
href="https://github.com/kjd/idna/compare/v3.11...v3.15">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=idna&package-manager=uv&previous-version=3.11&new-version=3.15)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-19 14:34:25 -05:00
Mason Daugherty
c7daed8c0f hotfix: bump lockfiles (#37508) 2026-05-18 16:18:26 -05:00
dependabot[bot]
f61841bd0c chore: bump langsmith from 0.7.31 to 0.8.0 in /libs/langchain_v1 (#37391)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from
0.7.31 to 0.8.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's
releases</a>.</em></p>
<blockquote>
<h2>v0.8.0</h2>
<h2>What's Changed</h2>
<ul>
<li>feat(js,py): JS 0.6.0, Py 0.8.0 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2831">langchain-ai/langsmith-sdk#2831</a></li>
<li>release(js): 0.6.0 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2832">langchain-ai/langsmith-sdk#2832</a></li>
<li>release(py): 0.8.0 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2833">langchain-ai/langsmith-sdk#2833</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0</a></p>
<h2>v0.7.38</h2>
<h2>What's Changed</h2>
<ul>
<li>feat(js): add tracing of opencode by <a
href="https://github.com/dqbd"><code>@​dqbd</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2776">langchain-ai/langsmith-sdk#2776</a></li>
<li>chore(js): Remove types/uuid by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2814">langchain-ai/langsmith-sdk#2814</a></li>
<li>docs(sandbox): document default idle TTL of 10 minutes by <a
href="https://github.com/DanielKneipp"><code>@​DanielKneipp</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2788">langchain-ai/langsmith-sdk#2788</a></li>
<li>ci(py): Bump pytest timeout to 2m by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2815">langchain-ai/langsmith-sdk#2815</a></li>
<li>chore(deps-dev): bump the js-minor-and-patch group across 1
directory with 4 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2803">langchain-ai/langsmith-sdk#2803</a></li>
<li>chore(deps): update sphinx-autobuild requirement from &gt;=2024 to
&gt;=2024.10.3 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2809">langchain-ai/langsmith-sdk#2809</a></li>
<li>chore(deps): update myst-nb requirement from &gt;=1.1.1 to
&gt;=1.4.0 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2810">langchain-ai/langsmith-sdk#2810</a></li>
<li>chore(deps-dev): bump types-pyyaml from 6.0.12.20250915 to
6.0.12.20260408 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2812">langchain-ai/langsmith-sdk#2812</a></li>
<li>chore(deps-dev): bump <code>@​langchain/openai</code> from 0.5.18 to
0.6.17 in /js by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2806">langchain-ai/langsmith-sdk#2806</a></li>
<li>chore(deps): bump the py-minor-and-patch group across 1 directory
with 18 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2808">langchain-ai/langsmith-sdk#2808</a></li>
<li>feat(py): Adds strands OTEL exporter by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2817">langchain-ai/langsmith-sdk#2817</a></li>
<li>chore(js): Switch to oxfmt and oxlint by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2819">langchain-ai/langsmith-sdk#2819</a></li>
<li>fix(py): fix RunTree ValidationError when inputs or outputs is a
Pydantic BaseModel by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2820">langchain-ai/langsmith-sdk#2820</a></li>
<li>chore: add apac support by <a
href="https://github.com/joaquin-borggio-lc"><code>@​joaquin-borggio-lc</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2821">langchain-ai/langsmith-sdk#2821</a></li>
<li>fix(js): Pull Claude Agent SDK subagent runs from transcript, add
tool span for subagents, merge message blocks by id by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2816">langchain-ai/langsmith-sdk#2816</a></li>
<li>release(js): 0.5.26 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2824">langchain-ai/langsmith-sdk#2824</a></li>
<li>release(py): 0.7.38 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2825">langchain-ai/langsmith-sdk#2825</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.37...v0.7.38">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.37...v0.7.38</a></p>
<h2>v0.7.37</h2>
<h2>What's Changed</h2>
<ul>
<li>perf(js): Offload serialize to worker thread at flush time by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2781">langchain-ai/langsmith-sdk#2781</a></li>
<li>release(js): 0.5.24 by <a
href="https://github.com/emil-lc"><code>@​emil-lc</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2790">langchain-ai/langsmith-sdk#2790</a></li>
<li>chore(js): Fix perf test flagging by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2792">langchain-ai/langsmith-sdk#2792</a></li>
<li>feat(js,python): Adds hub model config and provider to schemas by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2793">langchain-ai/langsmith-sdk#2793</a></li>
<li>fix(js): minor test improvements by <a
href="https://github.com/christian-bromann"><code>@​christian-bromann</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2429">langchain-ai/langsmith-sdk#2429</a></li>
<li>fix(js): Include auth headers on info requests by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2800">langchain-ai/langsmith-sdk#2800</a></li>
<li>release(js): 0.5.25 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2801">langchain-ai/langsmith-sdk#2801</a></li>
<li>fix(python): flush both tracing_queue and compressed_traces in
flush() by <a
href="https://github.com/angus-langchain"><code>@​angus-langchain</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2796">langchain-ai/langsmith-sdk#2796</a></li>
<li>chore(deps): bump postcss from 8.5.8 to 8.5.10 in
/js/internal/environment_tests/test-exports-vite in the npm_and_yarn
group across 1 directory by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2791">langchain-ai/langsmith-sdk#2791</a></li>
<li>chore(deps-dev): bump google-adk from 1.10.0 to 1.28.1 in /python by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2794">langchain-ai/langsmith-sdk#2794</a></li>
<li>fix(python): flush pending traces during Client.cleanup() by <a
href="https://github.com/angus-langchain"><code>@​angus-langchain</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2799">langchain-ai/langsmith-sdk#2799</a></li>
<li>fix(py): Fix concurrency for multiple Claude Agent SDK sessions by
<a href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in
<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2795">langchain-ai/langsmith-sdk#2795</a></li>
<li>release(py): 0.7.37 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2802">langchain-ai/langsmith-sdk#2802</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.36...v0.7.37">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.36...v0.7.37</a></p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="cf01c873d5"><code>cf01c87</code></a>
release(py): 0.8.0 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2833">#2833</a>)</li>
<li><a
href="fd049c8464"><code>fd049c8</code></a>
release(js): 0.6.0 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2832">#2832</a>)</li>
<li><a
href="092a8866c4"><code>092a886</code></a>
feat(js,py): JS 0.6.0, Py 0.8.0 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2831">#2831</a>)</li>
<li><a
href="ff180c0423"><code>ff180c0</code></a>
release(py): 0.7.38 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2825">#2825</a>)</li>
<li><a
href="d9de3ca801"><code>d9de3ca</code></a>
release(js): 0.5.26 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2824">#2824</a>)</li>
<li><a
href="1428394831"><code>1428394</code></a>
fix(js): Pull Claude Agent SDK subagent runs from transcript, add tool
span f...</li>
<li><a
href="838e957d80"><code>838e957</code></a>
chore: add apac support (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2821">#2821</a>)</li>
<li><a
href="003f22a768"><code>003f22a</code></a>
fix(py): fix RunTree ValidationError when inputs or outputs is a
Pydantic Bas...</li>
<li><a
href="8f5ef27c2d"><code>8f5ef27</code></a>
chore(js): Switch to oxfmt and oxlint (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2819">#2819</a>)</li>
<li><a
href="9873633c9f"><code>9873633</code></a>
feat(py): Adds strands OTEL exporter (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2817">#2817</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.31...v0.8.0">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-15 17:22:51 -07:00
ccurme
b6b769baf6 release(langchain): 1.3.1 (#37454) 2026-05-15 14:12:59 -04:00
ccurme
21d77d6698 release(langchain): 1.3.0 (#37361) 2026-05-12 10:28:19 -04:00
Nick Hollon
da380bccf8 chore(infra): merge v1.4 into master (#37350) 2026-05-11 11:39:25 -07:00
dependabot[bot]
6e49b519ea chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/langchain_v1 (#37328)
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/urllib3/urllib3/releases">urllib3's
releases</a>.</em></p>
<blockquote>
<h2>2.7.0</h2>
<h2>🚀 urllib3 is fundraising for HTTP/2 support</h2>
<p><a
href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3
is raising ~$40,000 USD</a> to release HTTP/2 support and ensure
long-term sustainable maintenance of the project after a sharp decline
in financial support. If your company or organization uses Python and
would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and
thousands of other projects <a
href="https://opencollective.com/urllib3">please consider contributing
financially</a> to ensure HTTP/2 support is developed sustainably and
maintained for the long-haul.</p>
<p>Thank you for your support.</p>
<h2>Security</h2>
<p>Addressed high-severity security issues. Impact was limited to
specific use cases detailed in the accompanying advisories; overall user
exposure was estimated to be marginal.</p>
<ul>
<li>
<p>Decompression-bomb safeguards of the streaming API were bypassed:</p>
<ol>
<li>When <code>HTTPResponse.drain_conn()</code> was called after the
response had been read and decompressed partially. (Reported by <a
href="https://github.com/Cycloctane"><code>@​Cycloctane</code></a>)</li>
<li>During the second <code>HTTPResponse.read(amt=N)</code> or
<code>HTTPResponse.stream(amt=N)</code> call when the response was
decompressed using the official <a
href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by
<a
href="https://github.com/kimkou2024"><code>@​kimkou2024</code></a>)</li>
</ol>
<p>See GHSA-mf9v-mfxr-j63j for details.</p>
</li>
<li>
<p>HTTP pools created using
<code>ProxyManager.connection_from_url</code> did not strip sensitive
headers specified in <code>Retry.remove_headers_on_redirect</code> when
redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a
href="https://github.com/christos-spearbit"><code>@​christos-spearbit</code></a>)</p>
</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Used <code>FutureWarning</code> instead of
<code>DeprecationWarning</code> for better visibility of existing
deprecation notices. Rescheduled the removal of deprecated features to
version 3.0. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li>
<li>Removed support for end-of-life Python 3.9. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li>
<li>Removed support for end-of-life PyPy3.10. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li>
<li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was
ignoring decompressed data buffered from previous partial reads. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li>
<li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only
part of the response after a partial read when
<code>cache_content=True</code>. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li>
<li>Fixed <code>HTTPResponse.stream()</code> and
<code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>.
(<a
href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li>
<li>Updated <code>_TYPE_BODY</code> type alias to include missing
<code>Iterable[str]</code>, matching the documented and runtime behavior
of chunked request bodies. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li>
<li>Fixed <code>LocationParseError</code> when paths resembling
schemeless URIs were passed to
<code>HTTPConnectionPool.urlopen()</code>. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li>
<li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to
accept <code>memoryview</code> in addition to <code>bytearray</code>,
matching the <code>io.RawIOBase.readinto</code> contract and enabling
use with <code>io.BufferedReader</code> without type errors. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's
changelog</a>.</em></p>
<blockquote>
<h1>2.7.0 (2026-05-07)</h1>
<h2>Security</h2>
<p>Addressed high-severity security issues.
Impact was limited to specific use cases detailed in the accompanying
advisories; overall user exposure was estimated to be marginal.</p>
<ul>
<li>
<p>Decompression-bomb safeguards of the streaming API were bypassed:</p>
<ol>
<li>When <code>HTTPResponse.drain_conn()</code> was called after the
response had been
read and decompressed partially.</li>
<li>During the second <code>HTTPResponse.read(amt=N)</code> or
<code>HTTPResponse.stream(amt=N)</code> call when the response was
decompressed
using the official <code>Brotli
&lt;https://pypi.org/project/brotli/&gt;</code>__ library.</li>
</ol>
<p>See <code>GHSA-mf9v-mfxr-j63j
&lt;https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j&gt;</code>__
for details.</p>
</li>
<li>
<p>HTTP pools created using
<code>ProxyManager.connection_from_url</code> did not strip
sensitive headers specified in
<code>Retry.remove_headers_on_redirect</code> when
redirecting to a different host.
(<code>GHSA-qccp-gfcp-xxvc
&lt;https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc&gt;</code>__)</p>
</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Used <code>FutureWarning</code> instead of
<code>DeprecationWarning</code> for better
visibility of existing deprecation notices. Rescheduled the removal of
deprecated features to version 3.0.
(<code>[#3763](https://github.com/urllib3/urllib3/issues/3763)
&lt;https://github.com/urllib3/urllib3/issues/3763&gt;</code>__)</li>
<li>Removed support for end-of-life Python 3.9.
(<code>[#3720](https://github.com/urllib3/urllib3/issues/3720)
&lt;https://github.com/urllib3/urllib3/issues/3720&gt;</code>__)</li>
<li>Removed support for end-of-life PyPy3.10.
(<code>[#4979](https://github.com/urllib3/urllib3/issues/4979)
&lt;https://github.com/urllib3/urllib3/issues/4979&gt;</code>__)</li>
<li>Bumped the minimum supported pyOpenSSL version to 19.0.0.
(<code>[#3777](https://github.com/urllib3/urllib3/issues/3777)
&lt;https://github.com/urllib3/urllib3/issues/3777&gt;</code>__)</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was
ignoring decompressed
data buffered from previous partial reads.
(<code>[#3636](https://github.com/urllib3/urllib3/issues/3636)
&lt;https://github.com/urllib3/urllib3/issues/3636&gt;</code>__)</li>
<li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only
part of the
response after a partial read when <code>cache_content=True</code>.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="9a950b92d9"><code>9a950b9</code></a>
Release 2.7.0</li>
<li><a
href="5ec0de499b"><code>5ec0de4</code></a>
Merge commit from fork</li>
<li><a
href="2bdcc44d1e"><code>2bdcc44</code></a>
Merge commit from fork</li>
<li><a
href="f45b0df09d"><code>f45b0df</code></a>
Fix a misleading example for <code>ProxyManager</code> (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li>
<li><a
href="577193ca02"><code>577193c</code></a>
Switch to nightly PyPy3.11 in CI for now (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li>
<li><a
href="e90af45bb0"><code>e90af45</code></a>
Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when
<code>amt=0</code> (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li>
<li><a
href="67ed74fdae"><code>67ed74f</code></a>
Bump dev dependencies (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li>
<li><a
href="3abd481097"><code>3abd481</code></a>
Upgrade mypy to version 1.20.2 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li>
<li><a
href="2b8725dfca"><code>2b8725d</code></a>
Drop support for EOL PyPy3.10 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li>
<li><a
href="2944b2a0a6"><code>2944b2a</code></a>
Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix
warnings (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=uv&previous-version=2.6.3&new-version=2.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-11 11:18:16 -07:00
ccurme
4c593b35fb release(langchain): 1.2.18 (#37250) 2026-05-08 09:57:27 -04:00
Eugene Yurtsev
cccefce0b1 chore(langchain-classic): deprecate hub, limit loads/dumps (#37234)
deprecate hub classic and hub runnable. This code path isn't expected to
be active for most users (it's dependent on having a very old version of
the langsmith sdk). harden usage of loads/dumps.
2026-05-07 10:37:33 -04:00
Mason Daugherty
255f227541 chore(langchain,langchain-classic): uncomment optional deps (#37163)
Re-enable the `[community]`, `[azure-ai]`, and `[cohere]` extras on
`langchain-classic`, and the `[cohere]` extra on `langchain` (v1). These
had been commented out as a temporary workaround during the `langchain`
-> `langchain-classic` rename so the renamed package could ship before
downstream partners were re-released against it. Now that
`langchain-community` 0.4.1, `langchain-cohere` 0.5.1, and
`langchain-azure-ai` 1.2.3 are published with the correct dependency
targets, the extras can be restored.
2026-05-03 11:19:55 -04:00