mirror of
https://github.com/hwchase17/langchain.git
synced 2026-07-13 03:42:57 +00:00
cc/tool_error
107 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
a4294f9a39 | chore(deps): refresh lockfiles (#38746) | ||
|
|
7e7292a210 |
chore: bump vcrpy from 8.1.1 to 8.2.1 in /libs/partners/nomic (#38300)
Bumps [vcrpy](https://github.com/kevin1024/vcrpy) from 8.1.1 to 8.2.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/kevin1024/vcrpy/releases">vcrpy's releases</a>.</em></p> <blockquote> <h2>v8.2.1</h2> <h2>What's Changed</h2> <ul> <li><strong>SECURITY:</strong> Cassettes are now loaded with a safe YAML loader, preventing arbitrary code execution when a cassette from an untrusted source is loaded. Previously a crafted cassette containing a Python object tag (e.g. <code>!!python/object/apply:os.system</code>) would execute code on load, including via the normal <code>vcr.use_cassette()</code> path. Existing cassettes (including file-upload/streaming bodies) continue to load. Advisory: GHSA-rpj2-4hq8-938g — thanks <a href="https://github.com/RamiAltai"><code>@RamiAltai</code></a> and <a href="https://github.com/EQSTLab"><code>@EQSTLab</code></a> for the reports.</li> <li>Validate <code>record_mode</code> and raise a clear error on an invalid value (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/208">#208</a>)</li> <li>Recommend pytest-recording over the unmaintained pytest-vcr in the docs (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/986">#986</a>)</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/kevin1024/vcrpy/compare/v8.2.0...v8.2.1">https://github.com/kevin1024/vcrpy/compare/v8.2.0...v8.2.1</a></p> <h2>v8.2.0</h2> <h2>What's Changed</h2> <ul> <li>Add support for httpx 2.x (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/993">#993</a>) - thanks <a href="https://github.com/dsfaccini"><code>@dsfaccini</code></a></li> <li>Patch httpx transports instead of httpcore (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/972">#972</a>) - thanks <a href="https://github.com/seowalex"><code>@seowalex</code></a></li> <li>Fix aiohttp 3.14 compatibility: <code>AsyncStreamReaderMixin</code> removed and <code>ClientResponse</code> now requires <code>stream_writer</code> (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/995">#995</a>) - thanks <a href="https://github.com/dsfaccini"><code>@dsfaccini</code></a></li> <li>Account for modified requests when storing played cassettes, so <code>drop_unused_requests</code> honours <code>before_record_request</code> filtering (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/962">#962</a>) - thanks <a href="https://github.com/jamesbraza"><code>@jamesbraza</code></a></li> <li>Make the request URL available on <code>VCRHTTPResponse</code> (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/976">#976</a>) - thanks <a href="https://github.com/dAnjou"><code>@dAnjou</code></a></li> <li>Improve error message when a matching request has already been consumed (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/985">#985</a>) - thanks <a href="https://github.com/Polandia94"><code>@Polandia94</code></a></li> <li>Fix body check in <code>convert_body_to_unicode</code> to use an explicit type check (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/982">#982</a>) - thanks <a href="https://github.com/Polandia94"><code>@Polandia94</code></a></li> <li>Add env proxy cassette regression test (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/994">#994</a>) - thanks <a href="https://github.com/tine1117"><code>@tine1117</code></a></li> <li>Remove milestone references from docs (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/984">#984</a>) - thanks <a href="https://github.com/Polandia94"><code>@Polandia94</code></a></li> <li>CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/973">#973</a>)</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/kevin1024/vcrpy/compare/v8.1.1...v8.2.0">https://github.com/kevin1024/vcrpy/compare/v8.1.1...v8.2.0</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/kevin1024/vcrpy/blob/master/docs/changelog.rst">vcrpy's changelog</a>.</em></p> <blockquote> <h2>Changelog</h2> <p>All help in providing PRs to close out bug issues is appreciated. Even if that is providing a repo that fully replicates issues. We have very generous contributors that have added these to bug issues which meant another contributor picked up the bug and closed it out.</p> <ul> <li> <p>8.2.1</p> <ul> <li>SECURITY: Load cassettes with a safe YAML loader, preventing arbitrary code execution when a cassette from an untrusted source is loaded (GHSA-rpj2-4hq8-938g) - thanks <a href="https://github.com/RamiAltai"><code>@RamiAltai</code></a> and <a href="https://github.com/EQSTLab"><code>@EQSTLab</code></a></li> <li>Validate <code>record_mode</code> and raise a clear error on an invalid value (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/208">#208</a>)</li> <li>Recommend pytest-recording over the unmaintained pytest-vcr in the docs (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/986">#986</a>)</li> </ul> </li> <li> <p>8.2.0</p> <ul> <li>Add support for httpx 2.x (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/993">#993</a>) - thanks <a href="https://github.com/dsfaccini"><code>@dsfaccini</code></a></li> <li>Patch httpx transports instead of httpcore (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/972">#972</a>) - thanks <a href="https://github.com/seowalex"><code>@seowalex</code></a></li> <li>Fix aiohttp 3.14 compatibility: <code>AsyncStreamReaderMixin</code> removed and <code>ClientResponse</code> now requires <code>stream_writer</code> (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/995">#995</a>) - thanks <a href="https://github.com/dsfaccini"><code>@dsfaccini</code></a></li> <li>Account for modified requests when storing played cassettes, so <code>drop_unused_requests</code> honours <code>before_record_request</code> filtering (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/962">#962</a>) - thanks <a href="https://github.com/jamesbraza"><code>@jamesbraza</code></a></li> <li>Make the request URL available on <code>VCRHTTPResponse</code> (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/976">#976</a>) - thanks <a href="https://github.com/dAnjou"><code>@dAnjou</code></a></li> <li>Improve error message when a matching request has already been consumed (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/985">#985</a>) - thanks <a href="https://github.com/Polandia94"><code>@Polandia94</code></a></li> <li>Fix body check in <code>convert_body_to_unicode</code> to use an explicit type check (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/982">#982</a>) - thanks <a href="https://github.com/Polandia94"><code>@Polandia94</code></a></li> <li>Add env proxy cassette regression test (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/994">#994</a>) - thanks <a href="https://github.com/tine1117"><code>@tine1117</code></a></li> <li>Remove milestone references from docs (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/984">#984</a>) - thanks <a href="https://github.com/Polandia94"><code>@Polandia94</code></a></li> <li>CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/973">#973</a>)</li> </ul> </li> <li> <p>8.1.1</p> <ul> <li>Fix sync requests in async contexts for HTTPX (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/965">#965</a>) - thanks <a href="https://github.com/seowalex"><code>@seowalex</code></a></li> <li>CI: bump peter-evans/create-pull-request from 7 to 8 (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/969">#969</a>)</li> </ul> </li> <li> <p>8.1.0</p> <ul> <li>Enable brotli decompression if available (via <code>brotli</code>, <code>brotlipy</code> or <code>brotlicffi</code>) (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/620">#620</a>) - thanks <a href="https://github.com/immerrr"><code>@immerrr</code></a></li> <li>Fix aiohttp allowing both <code>data</code> and <code>json</code> arguments when one is None (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/624">#624</a>) - thanks <a href="https://github.com/leorochael"><code>@leorochael</code></a></li> <li>Fix usage of io-like interface with VCR.py (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/906">#906</a>) - thanks <a href="https://github.com/tito"><code>@tito</code></a> and <a href="https://github.com/kevdevg"><code>@kevdevg</code></a></li> <li>Migrate to declarative Python package config (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/767">#767</a>) - thanks <a href="https://github.com/deronnax"><code>@deronnax</code></a></li> <li>Various linting fixes - thanks <a href="https://github.com/jairhenrique"><code>@jairhenrique</code></a></li> <li>CI: bump actions/checkout from 5 to 6 (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/955">#955</a>)</li> </ul> </li> <li> <p>8.0.0</p> <ul> <li>BREAKING: Drop support for Python 3.9 (major version bump) - thanks <a href="https://github.com/jairhenrique"><code>@jairhenrique</code></a></li> <li>BREAKING: Drop support for urllib3 < 2 - fixes CVE warnings from urllib3 1.x (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/926">#926</a>, <a href="https://redirect.github.com/kevin1024/vcrpy/issues/880">#880</a>) - thanks <a href="https://github.com/jairhenrique"><code>@jairhenrique</code></a></li> <li>New feature: <code>drop_unused_requests</code> option to remove unused interactions from cassettes (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/763">#763</a>) - thanks <a href="https://github.com/danielnsilva"><code>@danielnsilva</code></a></li> <li>Rewrite httpx support to patch httpcore instead of httpx (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/943">#943</a>) - thanks <a href="https://github.com/seowalex"><code>@seowalex</code></a> <ul> <li>Fixes <code>httpx.ResponseNotRead</code> exceptions (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/832">#832</a>, <a href="https://redirect.github.com/kevin1024/vcrpy/issues/834">#834</a>)</li> <li>Fixes <code>KeyError: 'follow_redirects'</code> (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/945">#945</a>)</li> <li>Adds support for custom httpx transports</li> </ul> </li> <li>Fix HTTPS proxy handling - proxy address no longer ends up in cassette URIs (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/809">#809</a>, <a href="https://redirect.github.com/kevin1024/vcrpy/issues/914">#914</a>) - thanks <a href="https://github.com/alga"><code>@alga</code></a></li> <li>Fix <code>iscoroutinefunction</code> deprecation warning on Python 3.14 - thanks <a href="https://github.com/kloczek"><code>@kloczek</code></a></li> <li>Only log message if response is appended - thanks <a href="https://github.com/talfus-laddus"><code>@talfus-laddus</code></a></li> <li>Optimize urllib.parse calls - thanks <a href="https://github.com/Martin-Brunthaler"><code>@Martin-Brunthaler</code></a></li> <li>Fix CI for Ubuntu 24.04 - thanks <a href="https://github.com/hartwork"><code>@hartwork</code></a></li> <li>Various CI improvements: migrate to uv, update GitHub Actions - thanks <a href="https://github.com/jairhenrique"><code>@jairhenrique</code></a></li> <li>Various linting and test improvements - thanks <a href="https://github.com/jairhenrique"><code>@jairhenrique</code></a> and <a href="https://github.com/hartwork"><code>@hartwork</code></a></li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
9884693436 |
chore: bump langsmith from 0.8.5 to 0.8.18 in /libs/partners/nomic (#38298)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.8.5 to 0.8.18. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.8.18</h2> <h2>What's Changed</h2> <ul> <li>chore(deps-dev): bump vitest from 3.2.4 to 3.2.6 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3002">langchain-ai/langsmith-sdk#3002</a></li> <li>chore(deps): bump pyjwt from 2.12.1 to 2.13.0 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3030">langchain-ai/langsmith-sdk#3030</a></li> <li>chore(deps): bump python-multipart from 0.0.27 to 0.0.31 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3036">langchain-ai/langsmith-sdk#3036</a></li> <li>chore(deps): bump aiohttp from 3.14.0 to 3.14.1 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3037">langchain-ai/langsmith-sdk#3037</a></li> <li>chore(deps): bump cryptography from 46.0.7 to 48.0.1 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3038">langchain-ai/langsmith-sdk#3038</a></li> <li>chore(deps): bump starlette from 1.0.1 to 1.3.1 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3039">langchain-ai/langsmith-sdk#3039</a></li> <li>chore(deps-dev): bump langchain-anthropic from 1.4.4 to 1.4.6 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3044">langchain-ai/langsmith-sdk#3044</a></li> <li>chore(deps): bump the npm_and_yarn group across 4 directories with 4 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3046">langchain-ai/langsmith-sdk#3046</a></li> <li>chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3060">langchain-ai/langsmith-sdk#3060</a></li> <li>test(python): fix integration assertions for updated attachment error message by <a href="https://github.com/QuentinBrosse"><code>@QuentinBrosse</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3061">langchain-ai/langsmith-sdk#3061</a></li> <li>chore: reconcile bumpversion config and mandate release process for agents by <a href="https://github.com/QuentinBrosse"><code>@QuentinBrosse</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3062">langchain-ai/langsmith-sdk#3062</a></li> <li>release(py): 0.8.18 by <a href="https://github.com/QuentinBrosse"><code>@QuentinBrosse</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3063">langchain-ai/langsmith-sdk#3063</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.17...v0.8.18">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.17...v0.8.18</a></p> <h2>v0.8.17</h2> <h2>What's Changed</h2> <ul> <li>feat: expose the resources from the generated openapi client in the langsmith client by <a href="https://github.com/sineha-mani"><code>@sineha-mani</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3018">langchain-ai/langsmith-sdk#3018</a></li> <li>feat(js): port <code>isTracingEnabled</code> utility from Python by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3032">langchain-ai/langsmith-sdk#3032</a></li> <li>Add sandbox mount support to JS SDK by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3010">langchain-ai/langsmith-sdk#3010</a></li> <li>release(js): bump to 0.7.9 by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3035">langchain-ai/langsmith-sdk#3035</a></li> <li>Add sandbox mount support to Python SDK by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3009">langchain-ai/langsmith-sdk#3009</a></li> <li>docs: note that _openapi_client directories are auto-generated by <a href="https://github.com/KiewanVillatel"><code>@KiewanVillatel</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3034">langchain-ai/langsmith-sdk#3034</a></li> <li>fix: update JS SDK type declarations with skipLibCheck disabled by <a href="https://github.com/sineha-mani"><code>@sineha-mani</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3043">langchain-ai/langsmith-sdk#3043</a></li> <li>release(js): 0.7.10 by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3045">langchain-ai/langsmith-sdk#3045</a></li> <li>feat: adding python async for online evals by <a href="https://github.com/sineha-mani"><code>@sineha-mani</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3048">langchain-ai/langsmith-sdk#3048</a></li> <li>Add sandbox Git mount SDK helpers by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3040">langchain-ai/langsmith-sdk#3040</a></li> <li>fix: use insights tab in sdk report links [closes LSO-2936] by <a href="https://github.com/eric-langchain"><code>@eric-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3050">langchain-ai/langsmith-sdk#3050</a></li> <li>feat(client): warn when backend version is below minimum required by <a href="https://github.com/KiewanVillatel"><code>@KiewanVillatel</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3041">langchain-ai/langsmith-sdk#3041</a></li> <li>chore: bump _MIN_BACKEND_VERSION to 0.16.5rc1 by <a href="https://github.com/langtions-bot"><code>@langtions-bot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3053">langchain-ai/langsmith-sdk#3053</a></li> <li>fix(sandbox): use built-in gcp auth host matching by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3055">langchain-ai/langsmith-sdk#3055</a></li> <li>chore(python): py to 0.8.17 by <a href="https://github.com/sineha-mani"><code>@sineha-mani</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3056">langchain-ai/langsmith-sdk#3056</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/sineha-mani"><code>@sineha-mani</code></a> made their first contribution in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3018">langchain-ai/langsmith-sdk#3018</a></li> <li><a href="https://github.com/eric-langchain"><code>@eric-langchain</code></a> made their first contribution in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3050">langchain-ai/langsmith-sdk#3050</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.16...v0.8.17">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.16...v0.8.17</a></p> <h2>v0.8.16</h2> <h2>What's Changed</h2> <ul> <li>feat(py): add sync/async conversion for Sandbox and SandboxClient [INF-0000] by <a href="https://github.com/ramon-langchain"><code>@ramon-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3019">langchain-ai/langsmith-sdk#3019</a></li> <li>fix(experiments): extract keys from wrapped evaluator function by <a href="https://github.com/shamikkarkhanis"><code>@shamikkarkhanis</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3014">langchain-ai/langsmith-sdk#3014</a></li> <li>chore: repoint <a href="mailto:support@langchain.dev">support@langchain.dev</a> mentions to the Support Portal by <a href="https://github.com/lutan-langchain"><code>@lutan-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3024">langchain-ai/langsmith-sdk#3024</a></li> <li>fix(python): derive create_child run id from start_time [LSDK-220] by <a href="https://github.com/harisaiharish"><code>@harisaiharish</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3027">langchain-ai/langsmith-sdk#3027</a></li> <li>chore: sync langsmith_api by <a href="https://github.com/langtions-bot"><code>@langtions-bot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3020">langchain-ai/langsmith-sdk#3020</a></li> <li>chore: js to 0.7.8 and py to 0.8.16 by <a href="https://github.com/shamikkarkhanis"><code>@shamikkarkhanis</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3029">langchain-ai/langsmith-sdk#3029</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
d517bf52e8 |
chore: bump pyjwt from 2.12.0 to 2.13.0 in /libs/partners/nomic (#38167)
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.12.0 to 2.13.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jpadilla/pyjwt/releases">pyjwt's releases</a>.</em></p> <blockquote> <h2>2.13.0</h2> <h1>PyJWT 2.13.0 — Security Release</h1> <p>This release bundles five security fixes plus three additional hardening / spec-compliance changes. We recommend all users upgrade.</p> <h2>Security</h2> <ul> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx"><code>GHSA-xgmm-8j9v-c9wx</code></a> — JWK JSON accepted as HMAC secret (algorithm confusion).</strong> <code>HMACAlgorithm.prepare_key</code> previously rejected PEM- and SSH-formatted asymmetric keys but did not catch a JWK passed as a raw JSON string. In a verifier configured with both symmetric and asymmetric algorithms in <code>algorithms=[…]</code> and a raw-JSON JWK as the key, an attacker could forge HS256 tokens using the JWK text as the HMAC secret. The guard has been extended to reject any JWK-shaped JSON. <em>Reported by <a href="https://github.com/aradona91"><code>@aradona91</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f"><code>GHSA-jq35-7prp-9v3f</code></a> — Algorithm allow-list bypass with <code>PyJWK</code> / <code>PyJWKClient</code>.</strong> When verifying with a <code>PyJWK</code>, the caller's <code>algorithms=[…]</code> allow-list was checked against the token header <code>alg</code> as a string only; actual verification used the algorithm bound to the <code>PyJWK</code>. An attacker who controlled a registered JWKS key could sign with one algorithm and advertise another on the header. PyJWT now requires the token header <code>alg</code> to match the <code>PyJWK</code>'s algorithm before verification. <em>Reported by <a href="https://github.com/sushi-gif"><code>@sushi-gif</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39"><code>GHSA-w7vc-732c-9m39</code></a> — DoS via base64 decode of unused payload segment when <code>b64=false</code>.</strong> For detached-payload JWS (<code>b64=false</code>), the compact-form payload segment was base64-decoded before being discarded in favor of the caller-supplied <code>detached_payload</code>. An attacker could inflate the unused segment to force CPU + memory cost without holding a valid signature. The segment is now required to be empty per RFC 7515 Appendix F, and is no longer decoded. <em>Reported by <a href="https://github.com/thesmartshadow"><code>@thesmartshadow</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4"><code>GHSA-993g-76c3-p5m4</code></a> — <code>PyJWKClient</code> accepts non-HTTP(S) URIs.</strong> <code>PyJWKClient.fetch_data</code> passed its URI to <code>urllib.request.urlopen</code>, which by default also handles <code>file://</code>, <code>ftp://</code>, and <code>data:</code> schemes. An application that fed an attacker-influenced URI into <code>PyJWKClient</code> could be coerced into reading local files or reaching other unintended schemes. <code>PyJWKClient</code> now rejects any URI whose scheme isn't <code>http</code> or <code>https</code>. <em>Reported by <a href="https://github.com/KEIJOT"><code>@KEIJOT</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8"><code>GHSA-fhv5-28vv-h8m8</code></a> — <code>PyJWKClient</code> cache wiped on fetch error.</strong> A <code>finally</code>-block <code>put(jwk_set=None)</code> cleared the JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint outage into application-wide auth failure. The cache write was moved into the success path; transient errors no longer evict valid cached keys. <em>Reported by <a href="https://github.com/eddieran"><code>@eddieran</code></a>.</em></p> </li> </ul> <h2>Fixed</h2> <ul> <li>Reject empty HMAC keys outright in <code>HMACAlgorithm.prepare_key</code> with <code>InvalidKeyError</code> instead of accepting them with only a warning. Defends against the <code>os.getenv("JWT_SECRET", "")</code> footgun. <em>Thanks to <a href="https://github.com/SnailSploit"><code>@SnailSploit</code></a> and <a href="https://github.com/spartan8806"><code>@spartan8806</code></a> for the reports.</em></li> <li>Forward per-call <code>options</code> (including <code>enforce_minimum_key_length</code>) from <code>PyJWT.decode</code> through to <code>PyJWS._verify_signature</code>. The option was previously silently dropped between the two layers, so it only took effect when set on the <code>PyJWT</code> instance. <em>Thanks to <a href="https://github.com/WLUB"><code>@WLUB</code></a> for the report.</em></li> <li><strong>RFC 7797 §3 compliance for <code>b64=false</code>:</strong> the encoder now auto-adds <code>"b64"</code> to <code>crit</code>, and the decoder rejects tokens that set <code>b64=false</code> without listing it in <code>crit</code>. <em>Thanks to <a href="https://github.com/MachineLearning-Nerd"><code>@MachineLearning-Nerd</code></a> for the report.</em></li> </ul> <h2>Changed</h2> <ul> <li>Migrate the <code>dev</code>, <code>docs</code>, and <code>tests</code> package extras to dependency groups, by <a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1152">#1152</a>.</li> </ul> <h2>Upgrade notes</h2> <p>Most fixes are invisible to correctly-configured callers. A few behavioral changes you may encounter:</p> <ul> <li><strong>Empty HMAC keys now raise.</strong> If your app passed <code>""</code> or <code>b""</code> as a secret (often via a missing env var, e.g. <code>os.getenv("JWT_SECRET", "")</code>), <code>encode</code>/<code>decode</code> will now raise <code>InvalidKeyError</code>. This is the intended behavior — fix the configuration.</li> <li><strong><code>PyJWK</code> decoding now requires the token's <code>alg</code> to match the JWK's algorithm.</strong> Previously a mismatch was silently honored if the header <code>alg</code> appeared in the allow-list. Tokens that relied on this mismatch will now fail with <code>InvalidAlgorithmError</code>.</li> <li><strong><code>PyJWKClient</code> now rejects non-HTTP(S) URIs at construction time.</strong> Tests or dev environments that fetched JWKS from <code>file://</code> URIs need to switch to a local HTTP server or load the JWKS by other means (e.g. construct <code>PyJWKSet.from_dict(...)</code> directly).</li> <li><strong><code>b64=false</code> tokens are now strictly RFC 7515 / 7797 compliant.</strong> Tokens with a non-empty compact-form payload segment, or that omit <code>"b64"</code> from <code>crit</code>, will be rejected. PyJWT-produced tokens always satisfy both invariants, so round-trips through PyJWT are unaffected.</li> <li><strong><code>enforce_minimum_key_length</code> set per-call now takes effect.</strong> Callers who passed <code>options={"enforce_minimum_key_length": True}</code> to <code>jwt.decode()</code> previously got no enforcement; they will now get <code>InvalidKeyError</code> on undersized keys, as documented.</li> </ul> <p><strong>Full changelog:</strong> <a href="https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0">https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0</a></p> <h2>2.12.1</h2> <h2>What's Changed</h2> <ul> <li>Add typing_extensions dependency for Python < 3.11 by <a href="https://github.com/jpadilla"><code>@jpadilla</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1151">jpadilla/pyjwt#1151</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1">https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst">pyjwt's changelog</a>.</em></p> <blockquote> <h2><code>v2.13.0 <https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0></code>__</h2> <p>Security</p> <pre><code> - Reject JWK JSON documents passed as raw HMAC secrets in ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that the existing PEM/SSH guard did not cover. Reported by @aradona91 in `GHSA-xgmm-8j9v-c9wx <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx>`__. - Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during verification so the caller's ``algorithms=[...]`` allow-list cannot be bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported by @sushi-gif in `GHSA-jq35-7prp-9v3f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f>`__. - Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker- influenced URIs cannot read local files or reach unintended schemes via urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported by @KEIJOT in `GHSA-993g-76c3-p5m4 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4>`__. - Preserve the cached JWK Set on fetch errors in ``PyJWKClient.fetch_data``. The previous ``finally``-block ``put(None)`` pattern cleared the cache on any transient outage, turning one bad JWKS request into application- wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8>`__. - Skip the unconditional base64 decode of the compact-form payload segment when ``b64=false`` is set in the protected header, and require that segment to be empty (RFC 7515 Appendix F detached form). Closes an unauthenticated DoS amplifier. Reported by @thesmartshadow in `GHSA-w7vc-732c-9m39 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39>`__. <p>Fixed</p> <pre><code> - Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with ``InvalidKeyError`` instead of accepting them with only a warning. Thanks to @SnailSploit and @spartan8806 for independently flagging the footgun. - Forward per-call ``options`` (including ``enforce_minimum_key_length``) from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the option actually takes effect when set at the call site rather than only on the ``PyJWT`` instance. Thanks to @WLUB for the report. - RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds ``&quot;b64&quot;`` to the ``crit`` header parameter, and the decoder rejects tokens that set ``b64=false`` without listing it in ``crit``. Thanks to @MachineLearning-Nerd for the report. Changed </code></pre> <ul> <li>Migrate the <code>dev</code>, <code>docs</code>, and <code>tests</code> package extras to dependency groups by <a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> in <code>[#1152](https://github.com/jpadilla/pyjwt/issues/1152) &lt;https://github.com/jpadilla/pyjwt/pull/1152&gt;</code>__</li> </ul> <p><code>v2.12.1 &lt;https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1&gt;</code>__ </tr></table> </code></pre></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
63cc1f4e7d |
docs: refresh README installation and resources (#38119)
README installation examples now use `uv add` consistently, matching the repo's `uv`-based Python workflow. The top-level README also gets a cleaner quickstart and resource section with current links for docs, community, learning, and contribution guidance. ## Changes - Replaced `pip install` snippets with `uv add` across package quick install docs, including the Hugging Face extras and `sentence-transformers` upgrade examples. - Updated the top-level quickstart to show only `uv add langchain` and refreshed the example model to `openai:gpt-5.5`. - Pointed the LangGraph orchestration link at the LangGraph GitHub repository. - Consolidated top-level documentation and additional-resource links under a single `Resources` section covering docs, ecosystem overview, API reference, discussions, Academy, contributing, and the Code of Conduct. - Added LangChain Academy and Code of Conduct links to package README resource sections. |
||
|
|
4108c0738c |
release(core): 1.4.7 (#38111)
Bumps `langchain-core` to `1.4.7` for the next patch release and updates downstream minimum `langchain-core` requirements so package locks resolve against the new core version. This also refreshes the runnable snapshots that embed `lc_versions` metadata so the version consistency check continues to validate checked-in artifacts. Validated with `python libs/core/scripts/check_version.py`, `uv lock --check` across package lockfiles, and the core runnable tests that own the updated snapshots with local LangSmith tracing env disabled. |
||
|
|
05cc55f1bc | release(core): 1.4.6 (#38061) | ||
|
|
447663fd8b |
feat(partners): expose package versions for remaining partners (#38060)
Chroma, Exa, Nomic, and Qdrant now expose package `__version__` values through package-local `_version.py` modules, matching the version-file pattern used by the other partner packages. Each package also gets a `check_version` target so release version drift between `pyproject.toml` and runtime exports is caught consistently. |
||
|
|
1de100f278 |
chore(infra): bump mypy to 2.1 and unify type-check config across the monorepo (#36470)
Originally a narrow bump of mypy to `1.20` in four packages. Expanded to get the whole monorepo onto a single, current mypy and a consistent type-check configuration, so contributors no longer hit different mypy versions and divergent behavior depending on which package they touch. ### What changed - **Unified the mypy pin to `>=2.1.0,<2.2.0`** in every mypy-using package (6 libs + 14 partners), replacing the previously scattered pins (`1.10`/`1.17`/`1.18`/`1.19`/`1.20`, with assorted upper bounds). - **Unified the `[tool.mypy]` base per tier:** - libs: `plugins = ["pydantic.mypy"]`, `strict = true`, `enable_error_code = "deprecated"`, `warn_unreachable = true` - partners: `disallow_untyped_defs = true` - Normalized style (`disallow_untyped_defs = "True"` string → bool, quote/key consistency). - **Fixed the 20 real errors** mypy 2.1 surfaces: `redundant-cast` from improved narrowing (`core`, `langchain-classic`), a `var-annotated` for `_LOGGED`, a return-type widening in `langchain-groq`'s `_convert_from_v1_to_groq` (it can legitimately return a bare `str`), and stale `type-arg`/`unused-ignore` in `langchain-model-profiles` tests. ### Deliberate non-uniformity (documented inline in the relevant `pyproject.toml`s) Going fully byte-identical would surface ~196 additional errors that are *not* real bugs, so two settings are kept package-appropriate: - **`warn_unreachable`** is enabled on every strict lib **except `core`**, where it false-flags intentional defensive code — including the SSRF / IP-policy guards in `_security/` — as unreachable. - **`pydantic.mypy` plugin** is used only on `anthropic` and `perplexity` (their code is authored against it and reports ~99/~132 errors without it). It is *not* added to the other partners, where it only flags the public alias constructor API (e.g. `ChatGroq(model=...)`) in tests rather than finding bugs. - **`ollama`** is left on its `ty` type checker; it does not use mypy. --------- Co-authored-by: Mason Daugherty <github@mdrxy.com> |
||
|
|
c0103c3d2c | hotfix(openai): min core dep (#37990) | ||
|
|
ad8c0fc4cc |
chore: bump pyarrow from 22.0.0 to 23.0.1 in /libs/partners/nomic (#37931)
Bumps [pyarrow](https://github.com/apache/arrow) from 22.0.0 to 23.0.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/apache/arrow/releases">pyarrow's releases</a>.</em></p> <blockquote> <h2>Apache Arrow 23.0.1</h2> <p>Release Notes URL: <a href="https://arrow.apache.org/release/23.0.1.html">https://arrow.apache.org/release/23.0.1.html</a></p> <h2>Apache Arrow 23.0.1 RC0</h2> <p>Release Notes: Release Candidate: 23.0.1 RC0</p> <h2>Apache Arrow 23.0.0</h2> <p>Release Notes URL: <a href="https://arrow.apache.org/release/23.0.0.html">https://arrow.apache.org/release/23.0.0.html</a></p> <h2>Apache Arrow 23.0.0 RC2</h2> <p>Release Notes: Release Candidate: 23.0.0 RC2</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
3b999176c8 |
test(langchain,partners): disable pytest-benchmark under xdist to silence PytestBenchmarkWarning (#37901)
Test targets run with `-n auto`, which makes `pytest-benchmark` (present via `langchain-tests`) auto-disable itself and emit a `PytestBenchmarkWarning` once per xdist worker. Passing `--benchmark-disable` turns the plugin off explicitly so the warning never fires, matching what `core` and `langchain_v1` already do. ## Changes - Add `--benchmark-disable` to the `-n auto` test targets across `langchain` (unit) and 14 partner packages' integration targets: `anthropic`, `chroma`, `deepseek`, `exa`, `fireworks`, `groq`, `huggingface`, `mistralai`, `nomic`, `ollama`, `openai`, `openrouter`, `qdrant`, `xai`. - Deliberately excluded `text-splitters` and `model-profiles`: their `test` group doesn't install `pytest-benchmark`, so the flag would fail with `unrecognized arguments`. Verified by importing the plugin under each package's actual dependency group before editing. |
||
|
|
aef86c476d |
chore(infra): bump langchain-tests floor to 1.1.9 (#37610)
Bumps the `langchain-tests` minimum across the monorepo from `1.0.0` to `1.1.9` and adds a partner-level `Makefile` so partner lockfiles can be regenerated in one command, matching the existing convention under `libs/`. |
||
|
|
61a43c9b06 |
chore: bump idna from 3.10 to 3.15 in /libs/partners/nomic (#37552)
Bumps [idna](https://github.com/kjd/idna) from 3.10 to 3.15. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/kjd/idna/blob/master/HISTORY.md">idna's changelog</a>.</em></p> <blockquote> <h2>3.15 (2026-05-12)</h2> <ul> <li>Enforce DNS-length cap on individual labels early in <code>check_label</code>, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.</li> <li>Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared <code>_unicode_dots_re</code> from <code>idna.core</code> in the codec module.</li> <li>Use <code>raise ... from err</code> for proper exception chaining and switch internal string formatting to f-strings.</li> <li>Allow <code>flit_core</code> 4.x in the build backend.</li> <li>Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.</li> <li>Add Dependabot configuration for GitHub Actions.</li> <li>Convert README and HISTORY from reStructuredText to Markdown.</li> <li>Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.</li> </ul> <p>Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.</p> <h2>3.14 (2026-05-10)</h2> <ul> <li>Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]</li> </ul> <p>Thanks to Stan Ulbrych for reporting the issue.</p> <h2>3.13 (2026-04-22)</h2> <ul> <li>Correct classification error for codepoint U+A7F1</li> </ul> <h2>3.12 (2026-04-21)</h2> <ul> <li>Update to Unicode 17.0.0.</li> <li>Issue a deprecation warning for the transitional argument.</li> <li>Added lazy-loading to provide some performance improvements.</li> <li>Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.</li> </ul> <p>Thanks to Rodrigo Nogueira for contributions to this release.</p> <h2>3.11 (2025-10-12)</h2> <ul> <li>Update to Unicode 16.0.0, including significant changes to UTS46 processing. As a result of Unicode ending support for it, transitional processing no longer has an effect and returns the same result.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
26859b7dac |
chore: bump langsmith from 0.8.4 to 0.8.5 in /libs/partners/nomic (#37553)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.8.4 to 0.8.5. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.8.5</h2> <h2>What's Changed</h2> <ul> <li>release(js): 0.7.0 by <a href="https://github.com/ramon-langchain"><code>@ramon-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2890">langchain-ai/langsmith-sdk#2890</a></li> <li>fix(js): add alias for <code>experimental/sandbox</code> to appease broad peer dep range within <code>deepagents</code> by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2893">langchain-ai/langsmith-sdk#2893</a></li> <li>feat(js): allow disabling multipart streaming via env variable by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2900">langchain-ai/langsmith-sdk#2900</a></li> <li>feat(python): add Client.close() to release session [closes LSDK-183] by <a href="https://github.com/open-swe"><code>@open-swe</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2866">langchain-ai/langsmith-sdk#2866</a></li> <li>feat(sandbox): forward client default headers on exec WebSocket by <a href="https://github.com/open-swe"><code>@open-swe</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2899">langchain-ai/langsmith-sdk#2899</a></li> <li>release(js): 0.7.1 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2902">langchain-ai/langsmith-sdk#2902</a></li> <li>release(py): 0.8.5 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2903">langchain-ai/langsmith-sdk#2903</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.4...v0.8.5">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.4...v0.8.5</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
abd9d4ce31 |
ci(infra): harden Dependabot version-bound preservation (#37510)
Dependabot has been stripping upper/lower bounds from internal `langchain-*` deps in partner `pyproject.toml` files (e.g. #37288 reduced `langchain-core>=1.3.2,<2.0.0` to bare `langchain-core`). Locks down the config so bumps preserve existing specifiers, and restores the bounds it already mangled across the monorepo. ## Changes - Add `versioning-strategy: increase` to every `uv` ecosystem block in `.github/dependabot.yml` so future bumps move the lower bound in place instead of rewriting the constraint. - Ignore workspace-internal packages (`langchain-core`, `langchain`, `langchain-classic`, `langchain-text-splitters`, `langchain-tests`, `langchain-model-profiles`) on every `uv` block — these are editable installs from local paths and their published constraints are hand-curated for release, not Dependabot's to bump. - Restore stripped bounds across all `libs/` packages — runtime `dependencies` and every dep group (`test`, `dev`, `test_integration`, `typing`, `lint`) — to `>=1.4.0,<2.0.0` for `langchain-core` and `>=1.0.0,<2.0.0` for the other internal packages. |
||
|
|
329f2120c4 |
chore: bump langsmith from 0.8.0 to 0.8.4 in /libs/partners/nomic (#37417)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.8.0 to 0.8.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.8.4</h2> <h2>What's Changed</h2> <ul> <li>release(js): 0.6.3 by <a href="https://github.com/vishnu-ssuresh"><code>@vishnu-ssuresh</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2864">langchain-ai/langsmith-sdk#2864</a></li> <li>chore(deps): bump python-multipart from 0.0.26 to 0.0.27 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2859">langchain-ai/langsmith-sdk#2859</a></li> <li>chore(deps-dev): bump <code>@anthropic-ai/sdk</code> from 0.91.1 to 0.92.0 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2858">langchain-ai/langsmith-sdk#2858</a></li> <li>chore(deps): bump postcss from 8.5.8 to 8.5.14 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2857">langchain-ai/langsmith-sdk#2857</a></li> <li>chore(deps): bump hono from 4.12.15 to 4.12.18 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2860">langchain-ai/langsmith-sdk#2860</a></li> <li>chore(deps-dev): bump langchain-core from 1.3.2 to 1.3.3 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2867">langchain-ai/langsmith-sdk#2867</a></li> <li>chore(deps-dev): bump <code>@anthropic-ai/sdk</code> from 0.92.0 to 0.93.0 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2869">langchain-ai/langsmith-sdk#2869</a></li> <li>chore(deps): bump urllib3 from 2.6.3 to 2.7.0 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2873">langchain-ai/langsmith-sdk#2873</a></li> <li>chore(deps): bump the py-minor-and-patch group across 1 directory with 12 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2876">langchain-ai/langsmith-sdk#2876</a></li> <li>chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 16 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2877">langchain-ai/langsmith-sdk#2877</a></li> <li>chore(deps): bump the py-minor-and-patch group across 1 directory with 11 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2879">langchain-ai/langsmith-sdk#2879</a></li> <li>chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2868">langchain-ai/langsmith-sdk#2868</a></li> <li>chore(deps-dev): bump <code>@anthropic-ai/sdk</code> from 0.93.0 to 0.94.0 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2878">langchain-ai/langsmith-sdk#2878</a></li> <li>sdk(js): rename experimental/sandbox -> sandbox (breaking) by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2885">langchain-ai/langsmith-sdk#2885</a></li> <li>sdk(py): drop sandbox alpha/experimental warnings by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2884">langchain-ai/langsmith-sdk#2884</a></li> <li>feat(sandbox): make snapshot optional and add TS options overload by <a href="https://github.com/ramon-langchain"><code>@ramon-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2887">langchain-ai/langsmith-sdk#2887</a></li> <li>release(py): 0.8.4 by <a href="https://github.com/ramon-langchain"><code>@ramon-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2889">langchain-ai/langsmith-sdk#2889</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.3...v0.8.4">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.3...v0.8.4</a></p> <h2>v0.8.3</h2> <h2>What's Changed</h2> <ul> <li>fix(js): prevent sending [object Object] as span attribute when dealing with nested objects, send full langsmith.usage_metadata if present by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2845">langchain-ai/langsmith-sdk#2845</a></li> <li>release(js): bump to 0.6.2 by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2856">langchain-ai/langsmith-sdk#2856</a></li> <li>sdk(py): replace ttl_seconds with idle_ttl_seconds + delete_after_stop_seconds by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2853">langchain-ai/langsmith-sdk#2853</a></li> <li>sdk(js): replace ttlSeconds with idleTtlSeconds + deleteAfterStopSeconds by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2854">langchain-ai/langsmith-sdk#2854</a></li> <li>Fix push_agent URL owner for name-only identifiers by <a href="https://github.com/vishnu-ssuresh"><code>@vishnu-ssuresh</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2862">langchain-ai/langsmith-sdk#2862</a></li> <li>docs(langsmith): clarify trust boundaries when working with hub by <a href="https://github.com/eyurtsev"><code>@eyurtsev</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2861">langchain-ai/langsmith-sdk#2861</a></li> <li>release(py): 0.8.3 by <a href="https://github.com/vishnu-ssuresh"><code>@vishnu-ssuresh</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2863">langchain-ai/langsmith-sdk#2863</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.2...v0.8.3">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.2...v0.8.3</a></p> <h2>v0.8.2</h2> <h2>What's Changed</h2> <ul> <li>Bump JS SDK version to 0.6.1 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2847">langchain-ai/langsmith-sdk#2847</a></li> <li>fix: parse urllib3 version with packaging.Version by <a href="https://github.com/justinwolfington"><code>@justinwolfington</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2851">langchain-ai/langsmith-sdk#2851</a></li> <li>Bump Python SDK version to 0.8.2 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2855">langchain-ai/langsmith-sdk#2855</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/justinwolfington"><code>@justinwolfington</code></a> made their first contribution in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2851">langchain-ai/langsmith-sdk#2851</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.1...v0.8.2">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.1...v0.8.2</a></p> <h2>v0.8.1</h2> <h2>What's Changed</h2> <ul> <li>chore(js): remove experimental opencode integration by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2836">langchain-ai/langsmith-sdk#2836</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
10022be933 |
chore: bump langsmith from 0.7.31 to 0.8.0 in /libs/partners/nomic (#37400)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.7.31 to 0.8.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.8.0</h2> <h2>What's Changed</h2> <ul> <li>feat(js,py): JS 0.6.0, Py 0.8.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2831">langchain-ai/langsmith-sdk#2831</a></li> <li>release(js): 0.6.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2832">langchain-ai/langsmith-sdk#2832</a></li> <li>release(py): 0.8.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2833">langchain-ai/langsmith-sdk#2833</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0</a></p> <h2>v0.7.38</h2> <h2>What's Changed</h2> <ul> <li>feat(js): add tracing of opencode by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2776">langchain-ai/langsmith-sdk#2776</a></li> <li>chore(js): Remove types/uuid by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2814">langchain-ai/langsmith-sdk#2814</a></li> <li>docs(sandbox): document default idle TTL of 10 minutes by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2788">langchain-ai/langsmith-sdk#2788</a></li> <li>ci(py): Bump pytest timeout to 2m by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2815">langchain-ai/langsmith-sdk#2815</a></li> <li>chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 4 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2803">langchain-ai/langsmith-sdk#2803</a></li> <li>chore(deps): update sphinx-autobuild requirement from >=2024 to >=2024.10.3 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2809">langchain-ai/langsmith-sdk#2809</a></li> <li>chore(deps): update myst-nb requirement from >=1.1.1 to >=1.4.0 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2810">langchain-ai/langsmith-sdk#2810</a></li> <li>chore(deps-dev): bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2812">langchain-ai/langsmith-sdk#2812</a></li> <li>chore(deps-dev): bump <code>@langchain/openai</code> from 0.5.18 to 0.6.17 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2806">langchain-ai/langsmith-sdk#2806</a></li> <li>chore(deps): bump the py-minor-and-patch group across 1 directory with 18 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2808">langchain-ai/langsmith-sdk#2808</a></li> <li>feat(py): Adds strands OTEL exporter by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2817">langchain-ai/langsmith-sdk#2817</a></li> <li>chore(js): Switch to oxfmt and oxlint by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2819">langchain-ai/langsmith-sdk#2819</a></li> <li>fix(py): fix RunTree ValidationError when inputs or outputs is a Pydantic BaseModel by <a href="https://github.com/QuentinBrosse"><code>@QuentinBrosse</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2820">langchain-ai/langsmith-sdk#2820</a></li> <li>chore: add apac support by <a href="https://github.com/joaquin-borggio-lc"><code>@joaquin-borggio-lc</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2821">langchain-ai/langsmith-sdk#2821</a></li> <li>fix(js): Pull Claude Agent SDK subagent runs from transcript, add tool span for subagents, merge message blocks by id by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2816">langchain-ai/langsmith-sdk#2816</a></li> <li>release(js): 0.5.26 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2824">langchain-ai/langsmith-sdk#2824</a></li> <li>release(py): 0.7.38 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2825">langchain-ai/langsmith-sdk#2825</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.37...v0.7.38">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.37...v0.7.38</a></p> <h2>v0.7.37</h2> <h2>What's Changed</h2> <ul> <li>perf(js): Offload serialize to worker thread at flush time by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2781">langchain-ai/langsmith-sdk#2781</a></li> <li>release(js): 0.5.24 by <a href="https://github.com/emil-lc"><code>@emil-lc</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2790">langchain-ai/langsmith-sdk#2790</a></li> <li>chore(js): Fix perf test flagging by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2792">langchain-ai/langsmith-sdk#2792</a></li> <li>feat(js,python): Adds hub model config and provider to schemas by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2793">langchain-ai/langsmith-sdk#2793</a></li> <li>fix(js): minor test improvements by <a href="https://github.com/christian-bromann"><code>@christian-bromann</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2429">langchain-ai/langsmith-sdk#2429</a></li> <li>fix(js): Include auth headers on info requests by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2800">langchain-ai/langsmith-sdk#2800</a></li> <li>release(js): 0.5.25 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2801">langchain-ai/langsmith-sdk#2801</a></li> <li>fix(python): flush both tracing_queue and compressed_traces in flush() by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2796">langchain-ai/langsmith-sdk#2796</a></li> <li>chore(deps): bump postcss from 8.5.8 to 8.5.10 in /js/internal/environment_tests/test-exports-vite in the npm_and_yarn group across 1 directory by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2791">langchain-ai/langsmith-sdk#2791</a></li> <li>chore(deps-dev): bump google-adk from 1.10.0 to 1.28.1 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2794">langchain-ai/langsmith-sdk#2794</a></li> <li>fix(python): flush pending traces during Client.cleanup() by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2799">langchain-ai/langsmith-sdk#2799</a></li> <li>fix(py): Fix concurrency for multiple Claude Agent SDK sessions by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2795">langchain-ai/langsmith-sdk#2795</a></li> <li>release(py): 0.7.37 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2802">langchain-ai/langsmith-sdk#2802</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.36...v0.7.37">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.36...v0.7.37</a></p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
5c096bba36 |
chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/nomic (#37334)
[//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
feb0f30a15 |
chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/nomic (#37269)
Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
ba897ffa7e |
chore(docs): update x handle references (#37081)
## Description Updates package metadata and README badges so LangChain social links point to the new `@langchain_oss` X handle. This was completed with AI-agent assistance. ## Test Plan - [ ] Validate README badges and package metadata links point to `https://x.com/langchain_oss` _Opened collaboratively by Mason Daugherty and open-swe._ --------- Co-authored-by: open-swe[bot] <open-swe@users.noreply.github.com> Co-authored-by: Mason Daugherty <61371264+mdrxy@users.noreply.github.com> |
||
|
|
56d6e89be0 | hotfix: bump min core versions (#36996) | ||
|
|
9ce72eba9f | feat(core): add content-block-centric streaming (v2) (#36834) | ||
|
|
ffaac42bf9 |
ci(infra): add pytest-xdist to partner test groups (#36988)
|
||
|
|
b57eea2aed | hotfix(ci): remove nobenchmark flag (#36959) | ||
|
|
ec337534c5 |
chore(partners): standardize integration test invocation (#36958)
Standardize the `integration_tests` Makefile target across all 15 partner packages in `libs/partners/`, mirroring the deepagents `libs/evals` pattern (`-v --tb=short`). Previously each partner had its own ad-hoc flag stack (some missing `-n auto`, some with `-vvv`, others with nothing), and every partner that used `-n auto` was emitting a `PytestBenchmarkWarning` because `pytest-benchmark` is pulled in transitively via `langchain-tests` even though no partner has benchmark tests. |
||
|
|
7e81d09f2a |
chore(deps): bump pytest to 9.0.3 (#36801)
CVE-2025-71176 (medium severity) All are dev-only (test dependency group) — no impact on published packages. ### Why syrupy was also bumped syrupy 4.x (`<5.0.0`) constrains pytest to `<9.0.0`, blocking the CVE fix. Widening to `<6.0.0` allows syrupy 5.x which supports pytest 9.x. |
||
|
|
e56763f8ed |
chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/partners/nomic (#36784)
[//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.6.3 to 0.7.31. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.7.31</h2> <h2>What's Changed</h2> <ul> <li>chore(deps-dev): bump langchain-core from 1.2.23 to 1.2.28 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2692">langchain-ai/langsmith-sdk#2692</a></li> <li>chore(deps-dev): bump <code>@anthropic-ai/sdk</code> from 0.82.0 to 0.84.0 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2684">langchain-ai/langsmith-sdk#2684</a></li> <li>chore(deps): bump cryptography from 46.0.6 to 46.0.7 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2693">langchain-ai/langsmith-sdk#2693</a></li> <li>chore(deps-dev): bump <code>@anthropic-ai/sdk</code> from 0.84.0 to 0.85.0 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2700">langchain-ai/langsmith-sdk#2700</a></li> <li>feat(py): Tag OpenAI Agent Python SDK runs with ls_agent_type by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2699">langchain-ai/langsmith-sdk#2699</a></li> <li>feat(js): Adds ls_agent_type metadata to AI SDK runs by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2701">langchain-ai/langsmith-sdk#2701</a></li> <li>chore(deps-dev): bump types-tqdm from 4.67.3.20260303 to 4.67.3.20260408 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2710">langchain-ai/langsmith-sdk#2710</a></li> <li>chore(deps): bump pnpm/action-setup from 5 to 6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2705">langchain-ai/langsmith-sdk#2705</a></li> <li>chore(deps): bump the py-minor-and-patch group across 1 directory with 10 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2711">langchain-ai/langsmith-sdk#2711</a></li> <li>chore(deps-dev): bump <code>@anthropic-ai/sdk</code> from 0.85.0 to 0.86.0 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2702">langchain-ai/langsmith-sdk#2702</a></li> <li>chore(deps): bump actions/github-script from 8 to 9 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2706">langchain-ai/langsmith-sdk#2706</a></li> <li>chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 7 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2712">langchain-ai/langsmith-sdk#2712</a></li> <li>chore(deps-dev): bump types-psutil from 7.2.2.20260130 to 7.2.2.20260408 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2709">langchain-ai/langsmith-sdk#2709</a></li> <li>chore(deps-dev): bump rich from 14.3.3 to 15.0.0 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2708">langchain-ai/langsmith-sdk#2708</a></li> <li>feat: Filter kwargs from new token events by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2714">langchain-ai/langsmith-sdk#2714</a></li> <li>release(py): 0.7.31 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2716">langchain-ai/langsmith-sdk#2716</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.30...v0.7.31">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.30...v0.7.31</a></p> <h2>v0.7.30</h2> <h2>What's Changed</h2> <ul> <li>feat(python): add service feature to sandbox by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2665">langchain-ai/langsmith-sdk#2665</a></li> <li>fix(js): Fix prototype pollution bug in anonymizers by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2690">langchain-ai/langsmith-sdk#2690</a></li> <li>release(js): 0.5.18 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2691">langchain-ai/langsmith-sdk#2691</a></li> <li>chore(js/sandbox): suppress warning log by <a href="https://github.com/hntrl"><code>@hntrl</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2694">langchain-ai/langsmith-sdk#2694</a></li> <li>feat(js): Add metadata to Claude Agent SDK JS tracing by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2695">langchain-ai/langsmith-sdk#2695</a></li> <li>fix(py): Fix run tree memory leak by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2696">langchain-ai/langsmith-sdk#2696</a></li> <li>release(py): 0.7.30 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2698">langchain-ai/langsmith-sdk#2698</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.29...v0.7.30">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.29...v0.7.30</a></p> <h2>v0.7.29</h2> <h2>What's Changed</h2> <ul> <li>release(js): 0.5.17 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2681">langchain-ai/langsmith-sdk#2681</a></li> <li>feat(py): Fix race condition around Claude Agent SDK instrumentation by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2685">langchain-ai/langsmith-sdk#2685</a></li> <li>release(py): 0.7.29 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2686">langchain-ai/langsmith-sdk#2686</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.28...v0.7.29">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.28...v0.7.29</a></p> <h2>v0.7.28</h2> <h2>What's Changed</h2> <ul> <li>feat(py): Support subagent tracing in Claude Agents SDK, fix usage and duplicate messages by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2670">langchain-ai/langsmith-sdk#2670</a></li> <li>chore(deps-dev): bump the py-minor-and-patch group across 1 directory with 11 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2677">langchain-ai/langsmith-sdk#2677</a></li> <li>chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 8 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2667">langchain-ai/langsmith-sdk#2667</a></li> <li>chore(deps): bump pnpm/action-setup from 4 to 5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2658">langchain-ai/langsmith-sdk#2658</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/langchain-ai/langsmith-sdk/commits/v0.7.31">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
263c0f23c2 |
chore: bump pillow from 12.1.1 to 12.2.0 in /libs/partners/nomic (#36779)
Bumps [pillow](https://github.com/python-pillow/Pillow) from 12.1.1 to 12.2.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/python-pillow/Pillow/releases">pillow's releases</a>.</em></p> <blockquote> <h2>12.2.0</h2> <p><a href="https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html">https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html</a></p> <h2>Documentation</h2> <ul> <li>Update 12.2.0 release notes <a href="https://redirect.github.com/python-pillow/Pillow/issues/9522">#9522</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> <li>Add loader plugins: AMOS abk, Atari Degas, 40+ more obscure formats via Netpbm <a href="https://redirect.github.com/python-pillow/Pillow/issues/9482">#9482</a> [<a href="https://github.com/bitplane"><code>@bitplane</code></a>]</li> <li>Update Python versions <a href="https://redirect.github.com/python-pillow/Pillow/issues/9515">#9515</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Jeffrey A. Clark -> Jeffrey 'Alex' Clark <a href="https://redirect.github.com/python-pillow/Pillow/issues/9513">#9513</a> [<a href="https://github.com/aclark4life"><code>@aclark4life</code></a>]</li> <li>Add release notes for <a href="https://redirect.github.com/python-pillow/Pillow/issues/9394">#9394</a>, <a href="https://redirect.github.com/python-pillow/Pillow/issues/9419">#9419</a> and <a href="https://redirect.github.com/python-pillow/Pillow/issues/9456">#9456</a> <a href="https://redirect.github.com/python-pillow/Pillow/issues/9467">#9467</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Add Amiga Workbench .info loader to 3rd party plugins list <a href="https://redirect.github.com/python-pillow/Pillow/issues/9459">#9459</a> [<a href="https://github.com/bitplane"><code>@bitplane</code></a>]</li> <li>Merge PFM documentation into PPM <a href="https://redirect.github.com/python-pillow/Pillow/issues/9434">#9434</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update macOS tested Pillow versions <a href="https://redirect.github.com/python-pillow/Pillow/issues/9431">#9431</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Fix CVE number <a href="https://redirect.github.com/python-pillow/Pillow/issues/9430">#9430</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> </ul> <h2>Dependencies</h2> <ul> <li>Update xz to 5.8.3 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9523">#9523</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update libjpeg-turbo to 3.1.4.1 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9507">#9507</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update libpng to 1.6.56 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9499">#9499</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update freetype to 2.14.3 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9485">#9485</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Updated libavif to 1.4.1 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9479">#9479</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Updated harfbuzz to 13.2.1 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9461">#9461</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update Ghostscript to 10.7.0 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9469">#9469</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update harfbuzz to 13.0.1 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9453">#9453</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update libavif to 1.4.0 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9460">#9460</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update freetype to 2.14.2 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9449">#9449</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update actions/download-artifact action to v8 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9451">#9451</a> [@<a href="https://github.com/apps/renovate">renovate[bot]</a>]</li> <li>Updated libpng to 1.6.55 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9425">#9425</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> </ul> <h2>Testing</h2> <ul> <li>Cleanup .spider extension in the same test where it is added <a href="https://redirect.github.com/python-pillow/Pillow/issues/9517">#9517</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Run tests in parallel via tox for 3.5x speedup <a href="https://redirect.github.com/python-pillow/Pillow/issues/9516">#9516</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> <li>Enable colour in CI logs <a href="https://redirect.github.com/python-pillow/Pillow/issues/9486">#9486</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> <li>Update Ghostscript to 10.7.0 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9469">#9469</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Simplify TGA test code <a href="https://redirect.github.com/python-pillow/Pillow/issues/9477">#9477</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update tests to check for ValueError when encoding an empty image <a href="https://redirect.github.com/python-pillow/Pillow/issues/9464">#9464</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Upgrade CI from <code>macos-15-intel</code> to <code>macos-26-intel</code> <a href="https://redirect.github.com/python-pillow/Pillow/issues/9454">#9454</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> <li>Add check-case-conflict hook <a href="https://redirect.github.com/python-pillow/Pillow/issues/9446">#9446</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Specify platform when pulling docker image <a href="https://redirect.github.com/python-pillow/Pillow/issues/9440">#9440</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>GHA: Cache libavif and webp builds for Ubuntu <a href="https://redirect.github.com/python-pillow/Pillow/issues/9437">#9437</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> <li>Update macOS tested Pillow versions <a href="https://redirect.github.com/python-pillow/Pillow/issues/9431">#9431</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> </ul> <h2>Other changes</h2> <ul> <li>Check calloc return value <a href="https://redirect.github.com/python-pillow/Pillow/issues/9527">#9527</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Check all allocs in the Arrow tree <a href="https://redirect.github.com/python-pillow/Pillow/issues/9488">#9488</a> [<a href="https://github.com/wiredfool"><code>@wiredfool</code></a>]</li> <li>Reject non-numeric elements inside list coords <a href="https://redirect.github.com/python-pillow/Pillow/issues/9526">#9526</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> <li>Move variable declaration inside define <a href="https://redirect.github.com/python-pillow/Pillow/issues/9525">#9525</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
555bdfbade |
chore: add comment explaining pygments>=2.20.0 (#36570)
|
||
|
|
0f4f3f74c8 |
chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385)
## Summary Bumps `pygments` to `>=2.20.0` across all 21 affected packages to address [CVE-2026-4539](https://github.com/advisories/GHSA-XXXX) — ReDoS via inefficient GUID regex in Pygments. - **Severity:** Low - **Fixed in:** 2.20.0 (was 2.19.2) - **Change:** Added `pygments>=2.20.0` to `constraint-dependencies` in `[tool.uv]` for each package, then ran `uv lock --upgrade-package pygments` to regenerate lock files. Closes Dependabot alerts #3435–#3455. ## Release Note Patch deps ### Test Plan - [x] CI Green 🙏 Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|
|
b5f260eaa6 |
chore: bump requests from 2.32.5 to 2.33.0 in /libs/partners/nomic (#36250)
Bumps [requests](https://github.com/psf/requests) from 2.32.5 to 2.33.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p> <blockquote> <h2>v2.33.0</h2> <h2>2.33.0 (2026-03-25)</h2> <p><strong>Announcements</strong></p> <ul> <li>📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at <a href="https://redirect.github.com/psf/requests/issues/7271">#7271</a>. Give it a try, and report any gaps or feedback you may have in the issue. 📣</li> </ul> <p><strong>Security</strong></p> <ul> <li>CVE-2026-25645 <code>requests.utils.extract_zipped_paths</code> now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.</li> </ul> <p><strong>Improvements</strong></p> <ul> <li>Migrated to a PEP 517 build system using setuptools. (<a href="https://redirect.github.com/psf/requests/issues/7012">#7012</a>)</li> </ul> <p><strong>Bugfixes</strong></p> <ul> <li>Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (<a href="https://redirect.github.com/psf/requests/issues/7205">#7205</a>)</li> </ul> <p><strong>Deprecations</strong></p> <ul> <li>Dropped support for Python 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/7196">#7196</a>)</li> </ul> <p><strong>Documentation</strong></p> <ul> <li>Various typo fixes and doc improvements.</li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/M0d3v1"><code>@M0d3v1</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/6865">psf/requests#6865</a></li> <li><a href="https://github.com/aminvakil"><code>@aminvakil</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/7220">psf/requests#7220</a></li> <li><a href="https://github.com/E8Price"><code>@E8Price</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/6960">psf/requests#6960</a></li> <li><a href="https://github.com/mitre88"><code>@mitre88</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/7244">psf/requests#7244</a></li> <li><a href="https://github.com/magsen"><code>@magsen</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/6553">psf/requests#6553</a></li> <li><a href="https://github.com/Rohan5commit"><code>@Rohan5commit</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/7227">psf/requests#7227</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25">https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's changelog</a>.</em></p> <blockquote> <h2>2.33.0 (2026-03-25)</h2> <p><strong>Announcements</strong></p> <ul> <li>📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at <a href="https://redirect.github.com/psf/requests/issues/7271">#7271</a>. Give it a try, and report any gaps or feedback you may have in the issue. 📣</li> </ul> <p><strong>Security</strong></p> <ul> <li>CVE-2026-25645 <code>requests.utils.extract_zipped_paths</code> now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.</li> </ul> <p><strong>Improvements</strong></p> <ul> <li>Migrated to a PEP 517 build system using setuptools. (<a href="https://redirect.github.com/psf/requests/issues/7012">#7012</a>)</li> </ul> <p><strong>Bugfixes</strong></p> <ul> <li>Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (<a href="https://redirect.github.com/psf/requests/issues/7205">#7205</a>)</li> </ul> <p><strong>Deprecations</strong></p> <ul> <li>Dropped support for Python 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/7196">#7196</a>)</li> </ul> <p><strong>Documentation</strong></p> <ul> <li>Various typo fixes and doc improvements.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
1778b082ec |
chore(partners): bump langchain-core min to 1.2.21 (#36183)
Bump the minimum `langchain-core` dependency to `>=1.2.21` across all 14 partner packages in the monorepo. Aligns partner lower bounds with the latest core release so consumers pick up recent fixes (notably the `ModelProfile` schema drift fix from core 1.2.21). |
||
|
|
faadc1f3ce |
ci: suppress pytest streaming output in CI (#36092)
Reduce CI log noise by suppressing pytest's per-test dot/verbose streaming output. The `_test.yml` workflow now passes `PYTEST_EXTRA=-q` to `make test`, which overrides the default verbosity with quiet mode — failures still print in full, but the thousands of `.......` progress lines are gone. Local `make test` is unaffected since `PYTEST_EXTRA` defaults empty. ## Changes - Add `PYTEST_EXTRA ?=` variable to all 21 package Makefiles and inject it into each `test` target's pytest invocation - Pass `PYTEST_EXTRA=-q` in `_test.yml` for both the main test step and the min-version retest step |
||
|
|
07fa576de1 |
ci: avoid unnecessary dep installs in lint targets (#36046)
CI lint jobs use `uv run --all-groups` for all tools, but ruff doesn't need dependency resolution — only mypy does. By splitting into `UV_RUN_LINT` (ruff) and `UV_RUN_TYPE` (mypy), the CI-facing targets run ruff with `--group lint` only, giving fast-fail feedback before mypy triggers the full environment sync. For packages where source code only conditionally imports heavy deps (text-splitters, huggingface), `lint_package` also overrides `UV_RUN_TYPE` to `--group lint --group typing`, skipping the ~3.5GB `test_integration` download entirely. `lint_tests` keeps `--all-groups` since test code legitimately imports those deps. Additionally, `lint_imports.sh` was inconsistently wired — most packages had the script but weren't calling it. ## Changes **Makefile optimization** - Introduce `UV_RUN_LINT` and `UV_RUN_TYPE` Make variables, both defaulting to `uv run --all-groups`. For `lint_package` and `lint_tests`, `UV_RUN_LINT` is overridden to `uv run --group lint` so ruff runs instantly without syncing heavy deps - For `text-splitters` and `huggingface`, override `UV_RUN_TYPE` on `lint_package` to `uv run --group lint --group typing` — mypy runs without downloading torch, CUDA, spacy, etc. **mypy config for lean groups** - Add `transformers` and `transformers.*` to `ignore_missing_imports` in `text-splitters` pyproject.toml (conditional `try/except` import, same treatment as existing `konlpy`/`nltk` entries) - Add `torch`, `torch.*`, `langchain_community`, `langchain_community.*` to `ignore_missing_imports` in `huggingface` pyproject.toml - Add dual `# type: ignore[unreachable, unused-ignore]` in `text-splitters/base.py` to handle the `PreTrainedTokenizerBase` isinstance check that behaves differently depending on whether transformers is installed **lint_imports.sh consistency** - Add `./scripts/lint_imports.sh` to the lint recipe in every package that wasn't calling it (standard-tests, model-profiles, all 15 partners), and create the script for the two packages missing it entirely (`model-profiles`, `openrouter`) - Update all `lint_imports.sh` scripts to allow `from langchain.agents` and `from langchain.tools` imports (legitimate v1 middleware dependencies used by `langchain-anthropic` and `langchain-openai`) |
||
|
|
1d2916bd5f |
chore: bump pyjwt from 2.10.1 to 2.12.0 in /libs/partners/nomic (#36031)
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.10.1 to 2.12.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jpadilla/pyjwt/releases">pyjwt's releases</a>.</em></p> <blockquote> <h2>2.12.0</h2> <h2>Security</h2> <ul> <li>Validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. by <a href="https://github.com/dmbs335"><code>@dmbs335</code></a> in <a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f">GHSA-752w-5fwx-jx9f</a></li> </ul> <h2>What's Changed</h2> <ul> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1132">jpadilla/pyjwt#1132</a></li> <li>chore(docs): fix docs build by <a href="https://github.com/tamird"><code>@tamird</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1137">jpadilla/pyjwt#1137</a></li> <li>Annotate PyJWKSet.keys for pyright by <a href="https://github.com/tamird"><code>@tamird</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1134">jpadilla/pyjwt#1134</a></li> <li>fix: close HTTPError to prevent ResourceWarning on Python 3.14 by <a href="https://github.com/veeceey"><code>@veeceey</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1133">jpadilla/pyjwt#1133</a></li> <li>chore: remove superfluous constants by <a href="https://github.com/tamird"><code>@tamird</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1136">jpadilla/pyjwt#1136</a></li> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1135">jpadilla/pyjwt#1135</a></li> <li>chore(tests): enable mypy by <a href="https://github.com/tamird"><code>@tamird</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1138">jpadilla/pyjwt#1138</a></li> <li>Bump actions/download-artifact from 7 to 8 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1142">jpadilla/pyjwt#1142</a></li> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1141">jpadilla/pyjwt#1141</a></li> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1145">jpadilla/pyjwt#1145</a></li> <li>fix: do not store reference to algorithms dict on PyJWK by <a href="https://github.com/akx"><code>@akx</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1143">jpadilla/pyjwt#1143</a></li> <li>Use PyJWK algorithm when encoding without explicit algorithm by <a href="https://github.com/jpadilla"><code>@jpadilla</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1148">jpadilla/pyjwt#1148</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/tamird"><code>@tamird</code></a> made their first contribution in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1137">jpadilla/pyjwt#1137</a></li> <li><a href="https://github.com/veeceey"><code>@veeceey</code></a> made their first contribution in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1133">jpadilla/pyjwt#1133</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0">https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0</a></p> <h2>2.11.0</h2> <h2>What's Changed</h2> <ul> <li>Fixed type error in comment by <a href="https://github.com/shuhaib-aot"><code>@shuhaib-aot</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1026">jpadilla/pyjwt#1026</a></li> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1018">jpadilla/pyjwt#1018</a></li> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1033">jpadilla/pyjwt#1033</a></li> <li>Make note of use of leeway with nbf by <a href="https://github.com/djw8605"><code>@djw8605</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1034">jpadilla/pyjwt#1034</a></li> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1035">jpadilla/pyjwt#1035</a></li> <li>Fixes <a href="https://redirect.github.com/jpadilla/pyjwt/issues/964">#964</a>: Validate key against allowed types for Algorithm family by <a href="https://github.com/pachewise"><code>@pachewise</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/985">jpadilla/pyjwt#985</a></li> <li>Feat <a href="https://redirect.github.com/jpadilla/pyjwt/issues/1024">#1024</a>: Add iterator for PyJWKSet by <a href="https://github.com/pachewise"><code>@pachewise</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1041">jpadilla/pyjwt#1041</a></li> <li>Fixes <a href="https://redirect.github.com/jpadilla/pyjwt/issues/1039">#1039</a>: Add iss, issuer type checks by <a href="https://github.com/pachewise"><code>@pachewise</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1040">jpadilla/pyjwt#1040</a></li> <li>Fixes <a href="https://redirect.github.com/jpadilla/pyjwt/issues/660">#660</a>: Improve typing/logic for <code>options</code> in decode, decode_complete; Improve docs by <a href="https://github.com/pachewise"><code>@pachewise</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1045">jpadilla/pyjwt#1045</a></li> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1042">jpadilla/pyjwt#1042</a></li> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1052">jpadilla/pyjwt#1052</a></li> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1053">jpadilla/pyjwt#1053</a></li> <li>Fix <a href="https://redirect.github.com/jpadilla/pyjwt/issues/1022">#1022</a>: Map <code>algorithm=None</code> to "none" by <a href="https://github.com/qqii"><code>@qqii</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1056">jpadilla/pyjwt#1056</a></li> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1055">jpadilla/pyjwt#1055</a></li> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1058">jpadilla/pyjwt#1058</a></li> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1060">jpadilla/pyjwt#1060</a></li> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1061">jpadilla/pyjwt#1061</a></li> <li>Fixes <a href="https://redirect.github.com/jpadilla/pyjwt/issues/1047">#1047</a>: Correct <code>PyJWKClient.get_signing_key_from_jwt</code> annotation by <a href="https://github.com/khvn26"><code>@khvn26</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1048">jpadilla/pyjwt#1048</a></li> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1062">jpadilla/pyjwt#1062</a></li> <li>Fixed doc string typo in _validate_jti() function <a href="https://redirect.github.com/jpadilla/pyjwt/issues/1063">#1063</a> by <a href="https://github.com/kuldeepkhatke"><code>@kuldeepkhatke</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1064">jpadilla/pyjwt#1064</a></li> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1065">jpadilla/pyjwt#1065</a></li> <li>Update SECURITY.md by <a href="https://github.com/auvipy"><code>@auvipy</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1057">jpadilla/pyjwt#1057</a></li> <li>Typing fix: use <code>float</code> instead of <code>int</code> for <code>lifespan</code> and <code>timeout</code> by <a href="https://github.com/nikitagashkov"><code>@nikitagashkov</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1068">jpadilla/pyjwt#1068</a></li> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1067">jpadilla/pyjwt#1067</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst">pyjwt's changelog</a>.</em></p> <blockquote> <h2><code>v2.12.0 <https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0></code>__</h2> <p>Fixed</p> <pre><code> - Annotate PyJWKSet.keys for pyright by @tamird in `[#1134](https://github.com/jpadilla/pyjwt/issues/1134) <https://github.com/jpadilla/pyjwt/pull/1134>`__ - Close ``HTTPError`` response to prevent ``ResourceWarning`` on Python 3.14 by @veeceey in `[#1133](https://github.com/jpadilla/pyjwt/issues/1133) <https://github.com/jpadilla/pyjwt/pull/1133>`__ - Do not keep ``algorithms`` dict in PyJWK instances by @akx in `[#1143](https://github.com/jpadilla/pyjwt/issues/1143) <https://github.com/jpadilla/pyjwt/pull/1143>`__ - Validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. by @dmbs335 in `GHSA-752w-5fwx-jx9f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f>`__ - Use PyJWK algorithm when encoding without explicit algorithm in `[#1148](https://github.com/jpadilla/pyjwt/issues/1148) <https://github.com/jpadilla/pyjwt/pull/1148>`__ <p>Added </code></pre></p> <ul> <li>Docs: Add <code>PyJWKClient</code> API reference and document the two-tier caching system (JWK Set cache and signing key LRU cache).</li> </ul> <h2><code>v2.11.0 <https://github.com/jpadilla/pyjwt/compare/2.10.1...2.11.0></code>__</h2> <p>Fixed</p> <pre><code> - Enforce ECDSA curve validation per RFC 7518 Section 3.4. - Fix build system warnings by @kurtmckee in `[#1105](https://github.com/jpadilla/pyjwt/issues/1105) <https://github.com/jpadilla/pyjwt/pull/1105>`__ - Validate key against allowed types for Algorithm family in `[#964](https://github.com/jpadilla/pyjwt/issues/964) <https://github.com/jpadilla/pyjwt/pull/964>`__ - Add iterator for JWKSet in `[#1041](https://github.com/jpadilla/pyjwt/issues/1041) <https://github.com/jpadilla/pyjwt/pull/1041>`__ - Validate `iss` claim is a string during encoding and decoding by @pachewise in `[#1040](https://github.com/jpadilla/pyjwt/issues/1040) <https://github.com/jpadilla/pyjwt/pull/1040>`__ - Improve typing/logic for `options` in decode, decode_complete by @pachewise in `[#1045](https://github.com/jpadilla/pyjwt/issues/1045) <https://github.com/jpadilla/pyjwt/pull/1045>`__ - Declare float supported type for lifespan and timeout by @nikitagashkov in `[#1068](https://github.com/jpadilla/pyjwt/issues/1068) <https://github.com/jpadilla/pyjwt/pull/1068>`__ - Fix ``SyntaxWarning``\s/``DeprecationWarning``\s caused by invalid escape sequences by @kurtmckee in `[#1103](https://github.com/jpadilla/pyjwt/issues/1103) <https://github.com/jpadilla/pyjwt/pull/1103>`__ - Development: Build a shared wheel once to speed up test suite setup times by @kurtmckee in `[#1114](https://github.com/jpadilla/pyjwt/issues/1114) <https://github.com/jpadilla/pyjwt/pull/1114>`__ - Development: Test type annotations across all supported Python versions, increase the strictness of the type checking, and remove the mypy pre-commit hook by @kurtmckee in `[#1112](https://github.com/jpadilla/pyjwt/issues/1112) <https://github.com/jpadilla/pyjwt/pull/1112>`__ <p>Added </code></pre></p> <ul> <li>Support Python 3.14, and test against PyPy 3.10 and 3.11 by <a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> in <code>[#1104](https://github.com/jpadilla/pyjwt/issues/1104) <https://github.com/jpadilla/pyjwt/pull/1104></code>__</li> <li>Development: Migrate to <code>build</code> to test package building in CI by <a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> in <code>[#1108](https://github.com/jpadilla/pyjwt/issues/1108) <https://github.com/jpadilla/pyjwt/pull/1108></code>__</li> <li>Development: Improve coverage config and eliminate unused test suite code by <a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> in <code>[#1115](https://github.com/jpadilla/pyjwt/issues/1115) <https://github.com/jpadilla/pyjwt/pull/1115></code>__</li> <li>Docs: Standardize CHANGELOG links to PRs by <a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> in <code>[#1110](https://github.com/jpadilla/pyjwt/issues/1110) <https://github.com/jpadilla/pyjwt/pull/1110></code>__</li> <li>Docs: Fix Read the Docs builds by <a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> in <code>[#1111](https://github.com/jpadilla/pyjwt/issues/1111) <https://github.com/jpadilla/pyjwt/pull/1111></code>__</li> <li>Docs: Add example of using leeway with nbf by <a href="https://github.com/djw8605"><code>@djw8605</code></a> in <code>[#1034](https://github.com/jpadilla/pyjwt/issues/1034) <https://github.com/jpadilla/pyjwt/pull/1034></code>__</li> <li>Docs: Refactored docs with <code>autodoc</code>; added <code>PyJWS</code> and <code>jwt.algorithms</code> docs by <a href="https://github.com/pachewise"><code>@pachewise</code></a> in <code>[#1045](https://github.com/jpadilla/pyjwt/issues/1045) <https://github.com/jpadilla/pyjwt/pull/1045></code>__</li> <li>Docs: Documentation improvements for "sub" and "jti" claims by <a href="https://github.com/cleder"><code>@cleder</code></a> in <code>[#1088](https://github.com/jpadilla/pyjwt/issues/1088) <https://github.com/jpadilla/pyjwt/pull/1088></code>__</li> <li>Development: Add pyupgrade as a pre-commit hook by <a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> in <code>[#1109](https://github.com/jpadilla/pyjwt/issues/1109) <https://github.com/jpadilla/pyjwt/pull/1109></code>__</li> <li>Add minimum key length validation for HMAC and RSA keys (CWE-326). Warns by default via <code>InsecureKeyLengthWarning</code> when keys are below</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
6f27c2b2c1 | chore: bump orjson from 3.11.5 to 3.11.6 in /libs/partners/nomic (#35859) | ||
|
|
68a14844b5 |
fix(nomic,openai,perplexity): update pillow version to >= 12.1.1, <13.0.0 (#35254)
Updates the minimum Pillow version to address CVE-2026-25990 (HIGH severity out-of-bounds write vulnerability affecting versions 10.3.0 through 12.1.0). Changes: langchain-nomic: pillow>=10.3.0,<13.0.0 → pillow>=12.1.1,<13.0.0 langchain-openai: pillow>=10.3.0,<13.0.0 → pillow>=12.1.1,<13.0.0 langchain-perplexity: pillow>=10.3.0,<13.0.0 → pillow>=12.1.1,<13.0.0 Safety: This is a minimum version bump within the existing constraint range (<13.0.0), so no breaking changes are introduced. CVE Details: CVE-2026-25990: An out-of-bounds write may be triggered when loading a specially crafted PSD image Affected versions: 10.3.0 to <12.1.1 Fixed in: 12.1.1 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-25990 ** Claude Helped me write this nice message ** The original findings was thanks to a Trivy scan --------- Co-authored-by: Mason Daugherty <mason@langchain.dev> |
||
|
|
5e2f203e1d | chore(deps): bump pillow from 11.3.0 to 12.1.1 in /libs/partners/nomic (#35178) | ||
|
|
cfc362b947 |
chore(deps): bump langsmith from 0.4.31 to 0.6.3 in /libs/partners/nomic (#35153)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.4.31 to 0.6.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.6.1</h2> <h2>What's Changed</h2> <ul> <li>ci: test more bundlers by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2263">langchain-ai/langsmith-sdk#2263</a></li> <li>feat(python sdk): Add support for setting commit tags when pushing a prompt by <a href="https://github.com/bees"><code>@bees</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2265">langchain-ai/langsmith-sdk#2265</a></li> <li>feat: Pass in Cache, rename by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2264">langchain-ai/langsmith-sdk#2264</a></li> <li>chore: bump sdk by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2268">langchain-ai/langsmith-sdk#2268</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.6.0...v0.6.1">https://github.com/langchain-ai/langsmith-sdk/compare/v0.6.0...v0.6.1</a></p> <h2>v0.6.0</h2> <h2>What's Changed</h2> <ul> <li>chore(js): bump JS to 0.4.3 by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2253">langchain-ai/langsmith-sdk#2253</a></li> <li>Revert "feat: add js prompt caching" by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2258">langchain-ai/langsmith-sdk#2258</a></li> <li>Revert "feat: Replace UUID5 with deterministic UUID7 for replicas" by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2257">langchain-ai/langsmith-sdk#2257</a></li> <li>release(js): bump to 0.4.4 by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2259">langchain-ai/langsmith-sdk#2259</a></li> <li>feat: add prompt cache back and setup environment tests by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2260">langchain-ai/langsmith-sdk#2260</a></li> <li>feat(python): Bump pydantic to v2 by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2248">langchain-ai/langsmith-sdk#2248</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.5.2...v0.6.0">https://github.com/langchain-ai/langsmith-sdk/compare/v0.5.2...v0.6.0</a></p> <h2>v0.6.0rc0</h2> <h2>What's Changed</h2> <ul> <li>feat(js): Add support for tracing AI SDK 6 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2237">langchain-ai/langsmith-sdk#2237</a></li> <li>fix(js): Remove default Jestlike timeout by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2243">langchain-ai/langsmith-sdk#2243</a></li> <li>feat(js): Add support for tracing tool loop agent by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2244">langchain-ai/langsmith-sdk#2244</a></li> <li>feat: Replace UUID5 with deterministic UUID7 for replicas by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2249">langchain-ai/langsmith-sdk#2249</a></li> <li>feat: add prompt caching to python sdk by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2246">langchain-ai/langsmith-sdk#2246</a></li> <li>feat: add js prompt caching by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2251">langchain-ai/langsmith-sdk#2251</a></li> <li>fix(claude): correctly parse llm and tool inputs in claude agent sdk by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2255">langchain-ai/langsmith-sdk#2255</a></li> <li>bump(python): 0.5.2 by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2256">langchain-ai/langsmith-sdk#2256</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.5.1...v0.6.0rc0">https://github.com/langchain-ai/langsmith-sdk/compare/v0.5.1...v0.6.0rc0</a></p> <h2>v0.5.2</h2> <h2>What's Changed</h2> <ul> <li>feat(js): Add support for tracing AI SDK 6 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2237">langchain-ai/langsmith-sdk#2237</a></li> <li>fix(js): Remove default Jestlike timeout by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2243">langchain-ai/langsmith-sdk#2243</a></li> <li>feat(js): Add support for tracing tool loop agent by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2244">langchain-ai/langsmith-sdk#2244</a></li> <li>feat: Replace UUID5 with deterministic UUID7 for replicas by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2249">langchain-ai/langsmith-sdk#2249</a></li> <li>feat: add prompt caching to python sdk by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2246">langchain-ai/langsmith-sdk#2246</a></li> <li>feat: add js prompt caching by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2251">langchain-ai/langsmith-sdk#2251</a></li> <li>fix(claude): correctly parse llm and tool inputs in claude agent sdk by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2255">langchain-ai/langsmith-sdk#2255</a></li> <li>bump(python): 0.5.2 by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2256">langchain-ai/langsmith-sdk#2256</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.5.1...v0.5.2">https://github.com/langchain-ai/langsmith-sdk/compare/v0.5.1...v0.5.2</a></p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/langchain-ai/langsmith-sdk/commits">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
1bb366315f |
chore: add make type target (#35015)
|
||
|
|
8e4c433541 |
revert: "chore: add typing target in Makefile" (#35013)
Reverts langchain-ai/langchain#35012 |
||
|
|
88fa71a166 |
chore: add typing target in Makefile (#35012)
|
||
|
|
5c018f5cd1 |
chore: enrich pyproject.toml files (#34980)
|
||
|
|
328bf24a4c |
chore(deps): bump the uv group across 20 directories with 3 updates (#34941)
Bumps the uv group with 1 update in the /libs/core directory: [nbconvert](https://github.com/jupyter/nbconvert). Bumps the uv group with 3 updates in the /libs/langchain directory: [nbconvert](https://github.com/jupyter/nbconvert), [orjson](https://github.com/ijl/orjson) and [protobuf](https://github.com/protocolbuffers/protobuf). Bumps the uv group with 2 updates in the /libs/langchain_v1 directory: [orjson](https://github.com/ijl/orjson) and [protobuf](https://github.com/protocolbuffers/protobuf). Bumps the uv group with 1 update in the /libs/model-profiles directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/anthropic directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 2 updates in the /libs/partners/chroma directory: [orjson](https://github.com/ijl/orjson) and [protobuf](https://github.com/protocolbuffers/protobuf). Bumps the uv group with 1 update in the /libs/partners/deepseek directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/exa directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/fireworks directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/groq directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/huggingface directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/mistralai directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/nomic directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/ollama directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/openai directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/perplexity directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/prompty directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 2 updates in the /libs/partners/qdrant directory: [orjson](https://github.com/ijl/orjson) and [protobuf](https://github.com/protocolbuffers/protobuf). Bumps the uv group with 1 update in the /libs/partners/xai directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 2 updates in the /libs/text-splitters directory: [nbconvert](https://github.com/jupyter/nbconvert) and [orjson](https://github.com/ijl/orjson). Updates `nbconvert` from 7.16.6 to 7.17.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jupyter/nbconvert/releases">nbconvert's releases</a>.</em></p> <blockquote> <h2>v7.17.0</h2> <h2>7.17.0</h2> <p>(<a href="https://github.com/jupyter/nbconvert/compare/v7.16.6...c9ac1d1040459ed1ff9eb34e9918ce5a87cf9d71">Full Changelog</a>)</p> <h3>Enhancements made</h3> <ul> <li>Add support for arbitrary browser arguments <a href="https://redirect.github.com/jupyter/nbconvert/pull/2227">#2227</a> (<a href="https://github.com/shreve"><code>@shreve</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Bugs fixed</h3> <ul> <li>Fix QtPNGExporter returning empty bytes on macOS <a href="https://redirect.github.com/jupyter/nbconvert/pull/2264">#2264</a> (<a href="https://github.com/h3pdesign"><code>@h3pdesign</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/QuLogic"><code>@QuLogic</code></a>)</li> <li>Fix CVE-2025-53000: Secure Inkscape Windows path (registry first + block CWD) <a href="https://redirect.github.com/jupyter/nbconvert/pull/2261">#2261</a> (<a href="https://github.com/h3pdesign"><code>@h3pdesign</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/mberlanda"><code>@mberlanda</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>, <a href="https://github.com/salmankadaya"><code>@salmankadaya</code></a>, <a href="https://github.com/th3gowtham"><code>@th3gowtham</code></a>)</li> <li>Fix get_export_names and get_exporter default args <a href="https://redirect.github.com/jupyter/nbconvert/pull/2228">#2228</a> (<a href="https://github.com/shreve"><code>@shreve</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>PyPA-Compliant Summary <a href="https://redirect.github.com/jupyter/nbconvert/pull/2226">#2226</a> (<a href="https://github.com/hackowitz-af"><code>@hackowitz-af</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> </ul> <h3>Maintenance and upkeep improvements</h3> <ul> <li>avoid cov environment on free-threaded Pythons <a href="https://redirect.github.com/jupyter/nbconvert/pull/2267">#2267</a> (<a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>update pre-commit, and fix all issues. <a href="https://redirect.github.com/jupyter/nbconvert/pull/2238">#2238</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Drop test on 3.9, test on 3.13, 3.14, 3.14t <a href="https://redirect.github.com/jupyter/nbconvert/pull/2237">#2237</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Bump the actions group across 1 directory with 2 updates <a href="https://redirect.github.com/jupyter/nbconvert/pull/2231">#2231</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Replace <code>@flaky.flaky</code> decorate with pytest marker <a href="https://redirect.github.com/jupyter/nbconvert/pull/2229">#2229</a> (<a href="https://github.com/mgorny"><code>@mgorny</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>update to mermaid 11.10.0 <a href="https://redirect.github.com/jupyter/nbconvert/pull/2224">#2224</a> (<a href="https://github.com/bollwyvl"><code>@bollwyvl</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Drop support for Python 3.8, fix the CI tests <a href="https://redirect.github.com/jupyter/nbconvert/pull/2221">#2221</a> (<a href="https://github.com/shreve"><code>@shreve</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> </ul> <h3>Documentation improvements</h3> <ul> <li>Use <code>intersphinx_registry</code> <a href="https://redirect.github.com/jupyter/nbconvert/pull/2232">#2232</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Contributors to this release</h3> <p>The following people contributed discussions, new ideas, code and documentation contributions, and review. See <a href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our definition of contributors</a>.</p> <p>(<a href="https://github.com/jupyter/nbconvert/graphs/contributors?from=2025-01-28&to=2026-01-29&type=c">GitHub contributors page for this release</a>)</p> <p><a href="https://github.com/bollwyvl"><code>@bollwyvl</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Abollwyvl+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/Carreau"><code>@Carreau</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3ACarreau+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/h3pdesign"><code>@h3pdesign</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ah3pdesign+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/hackowitz-af"><code>@hackowitz-af</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ahackowitz-af+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/krassowski"><code>@krassowski</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Akrassowski+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/mberlanda"><code>@mberlanda</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Amberlanda+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/mgorny"><code>@mgorny</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Amgorny+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/minrk"><code>@minrk</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Aminrk+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/MSeal"><code>@MSeal</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3AMSeal+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/QuLogic"><code>@QuLogic</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3AQuLogic+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/salmankadaya"><code>@salmankadaya</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Asalmankadaya+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/shreve"><code>@shreve</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ashreve+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/th3gowtham"><code>@th3gowtham</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ath3gowtham+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>)</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jupyter/nbconvert/blob/main/CHANGELOG.md">nbconvert's changelog</a>.</em></p> <blockquote> <h2>7.17.0</h2> <p>(<a href="https://github.com/jupyter/nbconvert/compare/v7.16.6...c9ac1d1040459ed1ff9eb34e9918ce5a87cf9d71">Full Changelog</a>)</p> <h3>Enhancements made</h3> <ul> <li>Add support for arbitrary browser arguments <a href="https://redirect.github.com/jupyter/nbconvert/pull/2227">#2227</a> (<a href="https://github.com/shreve"><code>@shreve</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Bugs fixed</h3> <ul> <li>Fix QtPNGExporter returning empty bytes on macOS <a href="https://redirect.github.com/jupyter/nbconvert/pull/2264">#2264</a> (<a href="https://github.com/h3pdesign"><code>@h3pdesign</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/QuLogic"><code>@QuLogic</code></a>)</li> <li>Fix CVE-2025-53000: Secure Inkscape Windows path (registry first + block CWD) <a href="https://redirect.github.com/jupyter/nbconvert/pull/2261">#2261</a> (<a href="https://github.com/h3pdesign"><code>@h3pdesign</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/mberlanda"><code>@mberlanda</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>, <a href="https://github.com/salmankadaya"><code>@salmankadaya</code></a>, <a href="https://github.com/th3gowtham"><code>@th3gowtham</code></a>)</li> <li>Fix get_export_names and get_exporter default args <a href="https://redirect.github.com/jupyter/nbconvert/pull/2228">#2228</a> (<a href="https://github.com/shreve"><code>@shreve</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>PyPA-Compliant Summary <a href="https://redirect.github.com/jupyter/nbconvert/pull/2226">#2226</a> (<a href="https://github.com/hackowitz-af"><code>@hackowitz-af</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> </ul> <h3>Maintenance and upkeep improvements</h3> <ul> <li>avoid cov environment on free-threaded Pythons <a href="https://redirect.github.com/jupyter/nbconvert/pull/2267">#2267</a> (<a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>update pre-commit, and fix all issues. <a href="https://redirect.github.com/jupyter/nbconvert/pull/2238">#2238</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Drop test on 3.9, test on 3.13, 3.14, 3.14t <a href="https://redirect.github.com/jupyter/nbconvert/pull/2237">#2237</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Bump the actions group across 1 directory with 2 updates <a href="https://redirect.github.com/jupyter/nbconvert/pull/2231">#2231</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Replace <code>@flaky.flaky</code> decorate with pytest marker <a href="https://redirect.github.com/jupyter/nbconvert/pull/2229">#2229</a> (<a href="https://github.com/mgorny"><code>@mgorny</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>update to mermaid 11.10.0 <a href="https://redirect.github.com/jupyter/nbconvert/pull/2224">#2224</a> (<a href="https://github.com/bollwyvl"><code>@bollwyvl</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Drop support for Python 3.8, fix the CI tests <a href="https://redirect.github.com/jupyter/nbconvert/pull/2221">#2221</a> (<a href="https://github.com/shreve"><code>@shreve</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> </ul> <h3>Documentation improvements</h3> <ul> <li>Use <code>intersphinx_registry</code> <a href="https://redirect.github.com/jupyter/nbconvert/pull/2232">#2232</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Contributors to this release</h3> <p>The following people contributed discussions, new ideas, code and documentation contributions, and review. See <a href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our definition of contributors</a>.</p> <p>(<a href="https://github.com/jupyter/nbconvert/graphs/contributors?from=2025-01-28&to=2026-01-29&type=c">GitHub contributors page for this release</a>)</p> <p><a href="https://github.com/bollwyvl"><code>@bollwyvl</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Abollwyvl+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/Carreau"><code>@Carreau</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3ACarreau+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/h3pdesign"><code>@h3pdesign</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ah3pdesign+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/hackowitz-af"><code>@hackowitz-af</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ahackowitz-af+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/krassowski"><code>@krassowski</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Akrassowski+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/mberlanda"><code>@mberlanda</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Amberlanda+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/mgorny"><code>@mgorny</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Amgorny+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/minrk"><code>@minrk</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Aminrk+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/MSeal"><code>@MSeal</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3AMSeal+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/QuLogic"><code>@QuLogic</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3AQuLogic+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/salmankadaya"><code>@salmankadaya</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Asalmankadaya+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/shreve"><code>@shreve</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ashreve+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/th3gowtham"><code>@th3gowtham</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ath3gowtham+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>)</p> <!-- raw HTML omitted --> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
c5834cc028 | chore: upgrade urllib3 to 2.6.3 (#34940) | ||
|
|
3d687ea8fb | chore: update twitter URLs (#34736) | ||
|
|
18c25e9f10 | chore: ban relative imports on all packages (#34691) | ||
|
|
78c10f8790 | chore: update core dep in lockfiles (#34216) | ||
|
|
5d799b3174 |
release(nomic): 1.0.1 (#33948)
support Python 3.14 #33655 |