2842 Commits

Author SHA1 Message Date
dependabot[bot]
e7c3834e40 chore: bump langgraph-checkpoint from 4.0.3 to 4.1.1 in /libs/langchain (#38477)
Bumps [langgraph-checkpoint](https://github.com/langchain-ai/langgraph)
from 4.0.3 to 4.1.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/langchain-ai/langgraph/releases">langgraph-checkpoint's
releases</a>.</em></p>
<blockquote>
<h2>langgraph-checkpoint==4.1.1</h2>
<p>Changes since checkpoint==4.1.0</p>
<ul>
<li>release(checkpoint): 4.1.1 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7890">#7890</a>)</li>
<li>fix(checkpoint): restrict lc:2 envelope revival to default
constructor (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7892">#7892</a>)</li>
<li>chore(deps): bump idna from 3.11 to 3.15 in /libs/checkpoint (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7860">#7860</a>)</li>
<li>chore(deps): bump langsmith from 0.7.31 to 0.8.0 in /libs/checkpoint
(<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7784">#7784</a>)</li>
</ul>
<h2>langgraph-checkpoint==4.1.0</h2>
<p>Changes since checkpoint==4.1.0a4</p>
<ul>
<li>release: bump alpha packages to official versions (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7775">#7775</a>)</li>
<li>chore(deps): bump urllib3 from 2.6.3 to 2.7.0 in /libs/checkpoint
(<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7762">#7762</a>)</li>
<li>chore(deps): bump langchain-core from 1.3.2 to 1.3.3 in
/libs/checkpoint (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7752">#7752</a>)</li>
<li>feat(checkpoint): force delta channel snapshot after max supersteps
since last snapshot (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7746">#7746</a>)</li>
<li>fix(checkpoint): specify allowed_objects in Reviver (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7743">#7743</a>)</li>
<li>chore: remove keepset helper (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7745">#7745</a>)</li>
<li>chore(langgraph): add guide/conformance for delta channel
checkpointer (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7736">#7736</a>)</li>
<li>docs(checkpoint): mark DeltaChannel and delta-history APIs as beta
(<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7732">#7732</a>)</li>
<li>chore(deps): bump the minor-and-patch group across 1 directory with
3 updates (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7670">#7670</a>)</li>
<li>chore: &quot;chore: minor clean up around checkpoint and delta
channel&quot; (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7706">#7706</a>)</li>
<li>chore: minor clean up around checkpoint and delta channel (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7705">#7705</a>)</li>
</ul>
<h2>langgraph-checkpoint==4.1.0a4</h2>
<p>Changes since checkpoint==4.1.0a3</p>
<ul>
<li>release: alpha bump (a4) for langgraph, checkpoint,
checkpoint-postgres (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7701">#7701</a>)</li>
<li>feat: public get_writes_history saver API + delta cadence rework (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7699">#7699</a>)</li>
</ul>
<h2>langgraph-checkpoint==4.1.0a3</h2>
<p>Changes since checkpoint==4.1.0a2</p>
<ul>
<li>release: alpha bump (a3) for langgraph, checkpoint,
checkpoint-postgres (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7678">#7678</a>)</li>
<li>chore(langgraph): use two phase read to avoid unnecessary data
transport (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7660">#7660</a>)</li>
<li>release: alpha for timers (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7647">#7647</a>)</li>
<li>feat(langgraph): <code>DeltaChannel</code>: store sentinel in blobs,
reconstruct from checkpoint_writes (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7586">#7586</a>)</li>
<li>chore: dynamic push-task timeouts (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7646">#7646</a>)</li>
<li>chore: update x links to langchain_oss (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7645">#7645</a>)</li>
<li>release(checkpoint): 4.0.3 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7625">#7625</a>)</li>
<li>fix(checkpoint): revive lc=2 JSON blobs for safe types without
allowlist (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7582">#7582</a>)</li>
</ul>
<h2>langgraph-checkpoint==4.1.0a2</h2>
<p>Changes since checkpoint==4.1.0a1</p>
<h2>langgraph-checkpoint==4.1.0a1</h2>
<p>Changes since checkpoint==4.0.3</p>
<ul>
<li>release: alpha for timers (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7647">#7647</a>)</li>
<li>feat(langgraph): <code>DeltaChannel</code>: store sentinel in blobs,
reconstruct from checkpoint_writes (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7586">#7586</a>)</li>
<li>chore: dynamic push-task timeouts (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7646">#7646</a>)</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d1e2ff0561"><code>d1e2ff0</code></a>
release(checkpoint): 4.1.1 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7890">#7890</a>)</li>
<li><a
href="e787af200e"><code>e787af2</code></a>
release(sdk-py): 0.3.15 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7891">#7891</a>)</li>
<li><a
href="604534e1b7"><code>604534e</code></a>
fix(sdk-py): percent-encode caller-supplied identifiers in URL paths (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7893">#7893</a>)</li>
<li><a
href="346aa97425"><code>346aa97</code></a>
fix(checkpoint): restrict lc:2 envelope revival to default constructor
(<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7892">#7892</a>)</li>
<li><a
href="82b3872820"><code>82b3872</code></a>
chore(deps): bump the uv group across 2 directories with 1 update (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7853">#7853</a>)</li>
<li><a
href="fcc4ab8dd8"><code>fcc4ab8</code></a>
chore(deps): bump idna from 3.11 to 3.15 in /libs/checkpoint (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7860">#7860</a>)</li>
<li><a
href="701d34494c"><code>701d344</code></a>
chore(deps): bump idna from 3.11 to 3.15 in /libs/checkpoint-postgres
(<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7861">#7861</a>)</li>
<li><a
href="2c7967ca96"><code>2c7967c</code></a>
chore(deps): bump idna from 3.11 to 3.15 in /libs/cli (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7865">#7865</a>)</li>
<li><a
href="bf7fec0bd1"><code>bf7fec0</code></a>
release(langgraph): 1.2.1 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7883">#7883</a>)</li>
<li><a
href="8215a9d024"><code>8215a9d</code></a>
feat(langgraph): add <code>before_builtins</code> opt-in for stream
transformers (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7882">#7882</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/langchain-ai/langgraph/compare/checkpoint==4.0.3...checkpoint==4.1.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langgraph-checkpoint&package-manager=uv&previous-version=4.0.3&new-version=4.1.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-26 01:17:06 -07:00
dependabot[bot]
0a71a1d40e chore: bump langgraph-sdk from 0.3.13 to 0.3.15 in /libs/langchain (#38475)
Bumps [langgraph-sdk](https://github.com/langchain-ai/langgraph) from
0.3.13 to 0.3.15.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/langchain-ai/langgraph/releases">langgraph-sdk's
releases</a>.</em></p>
<blockquote>
<h2>langgraph-sdk==0.3.15</h2>
<p>Changes since sdk==0.3.14</p>
<ul>
<li>release(checkpoint): 4.1.1 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7890">#7890</a>)</li>
<li>release(sdk-py): 0.3.15 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7891">#7891</a>)</li>
<li>fix(sdk-py): percent-encode caller-supplied identifiers in URL paths
(<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7893">#7893</a>)</li>
<li>release(langgraph): 1.2.1 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7883">#7883</a>)</li>
<li>chore(deps): bump idna from 3.11 to 3.15 in /libs/sdk-py (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7863">#7863</a>)</li>
<li>chore(deps): bump urllib3 from 2.6.3 to 2.7.0 in /libs/sdk-py (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7764">#7764</a>)</li>
<li>chore(deps): bump langsmith from 0.7.31 to 0.8.0 in /libs/sdk-py (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7789">#7789</a>)</li>
<li>release: bump alpha packages to official versions (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7775">#7775</a>)</li>
<li>chore(langgraph): bump langchain-core to 1.4.0 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7767">#7767</a>)</li>
<li>feat(sdk-py): support metadata filter for crons search/count (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7737">#7737</a>)</li>
<li>chore(deps): bump ty from 0.0.23 to 0.0.33 in /libs/sdk-py (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7666">#7666</a>)</li>
</ul>
<h2>langgraph-sdk==0.3.14</h2>
<p>Changes since sdk==0.3.13</p>
<ul>
<li>release(sdk-py): 0.3.14 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7712">#7712</a>)</li>
<li>feat(sdk-py): add return_minimal to threads update (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7704">#7704</a>)</li>
<li>release: alpha bump (a4) for langgraph, checkpoint,
checkpoint-postgres (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7701">#7701</a>)</li>
<li>release: alpha bump langgraph 1.2.0a6 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7697">#7697</a>)</li>
<li>release: alpha bump prebuilt 1.1.0a2, langgraph 1.2.0a5 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7682">#7682</a>)</li>
<li>release: alpha bump prebuilt 1.1.0a1, langgraph 1.2.0a4 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7679">#7679</a>)</li>
<li>feat(langgraph): dispatch stream_events(version='v3') on Pregel (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7677">#7677</a>)</li>
<li>release: alpha bump (a3) for langgraph, checkpoint,
checkpoint-postgres (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7678">#7678</a>)</li>
<li>release: alpha for timers (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7647">#7647</a>)</li>
<li>chore: update x links to langchain_oss (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7645">#7645</a>)</li>
<li>feat(langgraph): add streaming transformer infrastructure and tests
(<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7519">#7519</a>)</li>
<li>chore(deps): bump the minor-and-patch group across 1 directory with
4 updates (ty held back) (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7635">#7635</a>)</li>
<li>release(prebuilt): 1.0.12, langgraph 1.1.10 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7623">#7623</a>)</li>
<li>release(checkpoint): 4.0.3 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7625">#7625</a>)</li>
<li>release(prebuilt): 1.0.11 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7610">#7610</a>)</li>
<li>feat(prebuilt): allow ToolNode tools to return list[Command |
ToolMessage] (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7596">#7596</a>)</li>
<li>chore(langgraph): bump version 1.1.8 -&gt; 1.1.9 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7563">#7563</a>)</li>
<li>release(langgraph): 1.1.8 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7545">#7545</a>)</li>
<li>release(prebuilt): 1.0.10 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7541">#7541</a>)</li>
<li>release(langgraph): 1.1.7 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7540">#7540</a>)</li>
<li>chore(deps): bump langsmith from 0.7.20 to 0.7.31 in /libs/sdk-py
(<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7528">#7528</a>)</li>
<li>release(checkpoint): 4.0.2 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7518">#7518</a>)</li>
<li>chore(deps-dev): bump pytest from 9.0.2 to 9.0.3 in /libs/sdk-py (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7504">#7504</a>)</li>
<li>release(langgraph): 1.1.7a2 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7511">#7511</a>)</li>
<li>chore: allow passing some metadata only for tracing purposes (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7383">#7383</a>)</li>
<li>release(langgraph): 1.1.7a1 (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7476">#7476</a>)</li>
<li>chore(deps): bump langchain-core from 1.2.22 to 1.2.28 in
/libs/sdk-py (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/7449">#7449</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e1aa1a4510"><code>e1aa1a4</code></a>
0.3.15</li>
<li><a
href="7a959f62cc"><code>7a959f6</code></a>
Fix assertion</li>
<li><a
href="9b5549f759"><code>9b5549f</code></a>
Fix flaky assertion</li>
<li><a
href="fa96c0ac76"><code>fa96c0a</code></a>
One more</li>
<li><a
href="98b8ff904c"><code>98b8ff9</code></a>
Update test assertions for triggers</li>
<li><a
href="951131c8ec"><code>951131c</code></a>
Lint</li>
<li><a
href="8bcdba822e"><code>8bcdba8</code></a>
Reduce to 4.1s</li>
<li><a
href="60fc49b448"><code>60fc49b</code></a>
Speed up prepare_single_task</li>
<li><a
href="1d21b4ba08"><code>1d21b4b</code></a>
Improve prepare_single_task trigger checks to linear complexity (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/3891">#3891</a>)</li>
<li><a
href="55ec0d3d2a"><code>55ec0d3</code></a>
Speed up task triggers check (<a
href="https://redirect.github.com/langchain-ai/langgraph/issues/3890">#3890</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/langchain-ai/langgraph/compare/0.3.13...0.3.15">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langgraph-sdk&package-manager=uv&previous-version=0.3.13&new-version=0.3.15)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-26 01:16:57 -07:00
dependabot[bot]
afe25593ac chore: bump vcrpy from 8.1.1 to 8.2.1 in /libs/langchain (#38282)
Bumps [vcrpy](https://github.com/kevin1024/vcrpy) from 8.1.1 to 8.2.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/kevin1024/vcrpy/releases">vcrpy's
releases</a>.</em></p>
<blockquote>
<h2>v8.2.1</h2>
<h2>What's Changed</h2>
<ul>
<li><strong>SECURITY:</strong> Cassettes are now loaded with a safe YAML
loader, preventing arbitrary code execution when a cassette from an
untrusted source is loaded. Previously a crafted cassette containing a
Python object tag (e.g. <code>!!python/object/apply:os.system</code>)
would execute code on load, including via the normal
<code>vcr.use_cassette()</code> path. Existing cassettes (including
file-upload/streaming bodies) continue to load. Advisory:
GHSA-rpj2-4hq8-938g — thanks <a
href="https://github.com/RamiAltai"><code>@​RamiAltai</code></a> and <a
href="https://github.com/EQSTLab"><code>@​EQSTLab</code></a> for the
reports.</li>
<li>Validate <code>record_mode</code> and raise a clear error on an
invalid value (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/208">#208</a>)</li>
<li>Recommend pytest-recording over the unmaintained pytest-vcr in the
docs (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/986">#986</a>)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/kevin1024/vcrpy/compare/v8.2.0...v8.2.1">https://github.com/kevin1024/vcrpy/compare/v8.2.0...v8.2.1</a></p>
<h2>v8.2.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Add support for httpx 2.x (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/993">#993</a>)
- thanks <a
href="https://github.com/dsfaccini"><code>@​dsfaccini</code></a></li>
<li>Patch httpx transports instead of httpcore (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/972">#972</a>)
- thanks <a
href="https://github.com/seowalex"><code>@​seowalex</code></a></li>
<li>Fix aiohttp 3.14 compatibility: <code>AsyncStreamReaderMixin</code>
removed and <code>ClientResponse</code> now requires
<code>stream_writer</code> (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/995">#995</a>)
- thanks <a
href="https://github.com/dsfaccini"><code>@​dsfaccini</code></a></li>
<li>Account for modified requests when storing played cassettes, so
<code>drop_unused_requests</code> honours
<code>before_record_request</code> filtering (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/962">#962</a>)
- thanks <a
href="https://github.com/jamesbraza"><code>@​jamesbraza</code></a></li>
<li>Make the request URL available on <code>VCRHTTPResponse</code> (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/976">#976</a>)
- thanks <a
href="https://github.com/dAnjou"><code>@​dAnjou</code></a></li>
<li>Improve error message when a matching request has already been
consumed (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/985">#985</a>)
- thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>Fix body check in <code>convert_body_to_unicode</code> to use an
explicit type check (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/982">#982</a>)
- thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>Add env proxy cassette regression test (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/994">#994</a>)
- thanks <a
href="https://github.com/tine1117"><code>@​tine1117</code></a></li>
<li>Remove milestone references from docs (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/984">#984</a>)
- thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/973">#973</a>)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/kevin1024/vcrpy/compare/v8.1.1...v8.2.0">https://github.com/kevin1024/vcrpy/compare/v8.1.1...v8.2.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/kevin1024/vcrpy/blob/master/docs/changelog.rst">vcrpy's
changelog</a>.</em></p>
<blockquote>
<h2>Changelog</h2>
<p>All help in providing PRs to close out bug issues is appreciated.
Even if that is providing a repo that fully replicates issues. We have
very generous contributors that have added these to bug issues which
meant another contributor picked up the bug and closed it out.</p>
<ul>
<li>
<p>8.2.1</p>
<ul>
<li>SECURITY: Load cassettes with a safe YAML loader, preventing
arbitrary code execution when a cassette from an untrusted source is
loaded (GHSA-rpj2-4hq8-938g) - thanks <a
href="https://github.com/RamiAltai"><code>@​RamiAltai</code></a> and <a
href="https://github.com/EQSTLab"><code>@​EQSTLab</code></a></li>
<li>Validate <code>record_mode</code> and raise a clear error on an
invalid value (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/208">#208</a>)</li>
<li>Recommend pytest-recording over the unmaintained pytest-vcr in the
docs (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/986">#986</a>)</li>
</ul>
</li>
<li>
<p>8.2.0</p>
<ul>
<li>Add support for httpx 2.x (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/993">#993</a>)
- thanks <a
href="https://github.com/dsfaccini"><code>@​dsfaccini</code></a></li>
<li>Patch httpx transports instead of httpcore (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/972">#972</a>)
- thanks <a
href="https://github.com/seowalex"><code>@​seowalex</code></a></li>
<li>Fix aiohttp 3.14 compatibility: <code>AsyncStreamReaderMixin</code>
removed and <code>ClientResponse</code> now requires
<code>stream_writer</code> (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/995">#995</a>)
- thanks <a
href="https://github.com/dsfaccini"><code>@​dsfaccini</code></a></li>
<li>Account for modified requests when storing played cassettes, so
<code>drop_unused_requests</code> honours
<code>before_record_request</code> filtering (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/962">#962</a>)
- thanks <a
href="https://github.com/jamesbraza"><code>@​jamesbraza</code></a></li>
<li>Make the request URL available on <code>VCRHTTPResponse</code> (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/976">#976</a>)
- thanks <a
href="https://github.com/dAnjou"><code>@​dAnjou</code></a></li>
<li>Improve error message when a matching request has already been
consumed (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/985">#985</a>)
- thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>Fix body check in <code>convert_body_to_unicode</code> to use an
explicit type check (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/982">#982</a>)
- thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>Add env proxy cassette regression test (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/994">#994</a>)
- thanks <a
href="https://github.com/tine1117"><code>@​tine1117</code></a></li>
<li>Remove milestone references from docs (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/984">#984</a>)
- thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/973">#973</a>)</li>
</ul>
</li>
<li>
<p>8.1.1</p>
<ul>
<li>Fix sync requests in async contexts for HTTPX (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/965">#965</a>)
- thanks <a
href="https://github.com/seowalex"><code>@​seowalex</code></a></li>
<li>CI: bump peter-evans/create-pull-request from 7 to 8 (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/969">#969</a>)</li>
</ul>
</li>
<li>
<p>8.1.0</p>
<ul>
<li>Enable brotli decompression if available (via <code>brotli</code>,
<code>brotlipy</code> or <code>brotlicffi</code>) (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/620">#620</a>)
- thanks <a
href="https://github.com/immerrr"><code>@​immerrr</code></a></li>
<li>Fix aiohttp allowing both <code>data</code> and <code>json</code>
arguments when one is None (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/624">#624</a>)
- thanks <a
href="https://github.com/leorochael"><code>@​leorochael</code></a></li>
<li>Fix usage of io-like interface with VCR.py (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/906">#906</a>)
- thanks <a href="https://github.com/tito"><code>@​tito</code></a> and
<a href="https://github.com/kevdevg"><code>@​kevdevg</code></a></li>
<li>Migrate to declarative Python package config (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/767">#767</a>)
- thanks <a
href="https://github.com/deronnax"><code>@​deronnax</code></a></li>
<li>Various linting fixes - thanks <a
href="https://github.com/jairhenrique"><code>@​jairhenrique</code></a></li>
<li>CI: bump actions/checkout from 5 to 6 (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/955">#955</a>)</li>
</ul>
</li>
<li>
<p>8.0.0</p>
<ul>
<li>BREAKING: Drop support for Python 3.9 (major version bump) - thanks
<a
href="https://github.com/jairhenrique"><code>@​jairhenrique</code></a></li>
<li>BREAKING: Drop support for urllib3 &lt; 2 - fixes CVE warnings from
urllib3 1.x (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/926">#926</a>,
<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/880">#880</a>)
- thanks <a
href="https://github.com/jairhenrique"><code>@​jairhenrique</code></a></li>
<li>New feature: <code>drop_unused_requests</code> option to remove
unused interactions from cassettes (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/763">#763</a>)
- thanks <a
href="https://github.com/danielnsilva"><code>@​danielnsilva</code></a></li>
<li>Rewrite httpx support to patch httpcore instead of httpx (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/943">#943</a>)
- thanks <a
href="https://github.com/seowalex"><code>@​seowalex</code></a>
<ul>
<li>Fixes <code>httpx.ResponseNotRead</code> exceptions (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/832">#832</a>,
<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/834">#834</a>)</li>
<li>Fixes <code>KeyError: 'follow_redirects'</code> (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/945">#945</a>)</li>
<li>Adds support for custom httpx transports</li>
</ul>
</li>
<li>Fix HTTPS proxy handling - proxy address no longer ends up in
cassette URIs (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/809">#809</a>,
<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/914">#914</a>)
- thanks <a href="https://github.com/alga"><code>@​alga</code></a></li>
<li>Fix <code>iscoroutinefunction</code> deprecation warning on Python
3.14 - thanks <a
href="https://github.com/kloczek"><code>@​kloczek</code></a></li>
<li>Only log message if response is appended - thanks <a
href="https://github.com/talfus-laddus"><code>@​talfus-laddus</code></a></li>
<li>Optimize urllib.parse calls - thanks <a
href="https://github.com/Martin-Brunthaler"><code>@​Martin-Brunthaler</code></a></li>
<li>Fix CI for Ubuntu 24.04 - thanks <a
href="https://github.com/hartwork"><code>@​hartwork</code></a></li>
<li>Various CI improvements: migrate to uv, update GitHub Actions -
thanks <a
href="https://github.com/jairhenrique"><code>@​jairhenrique</code></a></li>
<li>Various linting and test improvements - thanks <a
href="https://github.com/jairhenrique"><code>@​jairhenrique</code></a>
and <a
href="https://github.com/hartwork"><code>@​hartwork</code></a></li>
</ul>
</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="85312039e9"><code>8531203</code></a>
Release v8.2.1</li>
<li><a
href="045acb1b5f"><code>045acb1</code></a>
Use a safe YAML loader for cassettes to prevent code execution</li>
<li><a
href="de43f46247"><code>de43f46</code></a>
Fix lint failures from merged PRs (codespell + ruff UP032)</li>
<li><a
href="514c374796"><code>514c374</code></a>
Validate record_mode and raise a clear error on invalid values</li>
<li><a
href="b736cadd58"><code>b736cad</code></a>
docs: recommend pytest-recording over unmaintained pytest-vcr</li>
<li><a
href="06758c9879"><code>06758c9</code></a>
Release v8.2.0</li>
<li><a
href="6554837e02"><code>6554837</code></a>
Add env proxy cassette regression test (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/994">#994</a>)</li>
<li><a
href="62cf5e1272"><code>62cf5e1</code></a>
Accounting for modified requests when storing played cassettes, with a
test (...</li>
<li><a
href="13f201a820"><code>13f201a</code></a>
make url available in VCRHTTPResponse (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/976">#976</a>)</li>
<li><a
href="d57b55339e"><code>d57b553</code></a>
improve error message on repeated request (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/985">#985</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/kevin1024/vcrpy/compare/v8.1.1...v8.2.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=vcrpy&package-manager=uv&previous-version=8.1.1&new-version=8.2.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-19 22:11:12 -04:00
dependabot[bot]
ffc7364ed2 chore: bump langsmith from 0.8.0 to 0.8.18 in /libs/langchain (#38284)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from
0.8.0 to 0.8.18.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's
releases</a>.</em></p>
<blockquote>
<h2>v0.8.18</h2>
<h2>What's Changed</h2>
<ul>
<li>chore(deps-dev): bump vitest from 3.2.4 to 3.2.6 in /js by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3002">langchain-ai/langsmith-sdk#3002</a></li>
<li>chore(deps): bump pyjwt from 2.12.1 to 2.13.0 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3030">langchain-ai/langsmith-sdk#3030</a></li>
<li>chore(deps): bump python-multipart from 0.0.27 to 0.0.31 in /python
by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3036">langchain-ai/langsmith-sdk#3036</a></li>
<li>chore(deps): bump aiohttp from 3.14.0 to 3.14.1 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3037">langchain-ai/langsmith-sdk#3037</a></li>
<li>chore(deps): bump cryptography from 46.0.7 to 48.0.1 in /python by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3038">langchain-ai/langsmith-sdk#3038</a></li>
<li>chore(deps): bump starlette from 1.0.1 to 1.3.1 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3039">langchain-ai/langsmith-sdk#3039</a></li>
<li>chore(deps-dev): bump langchain-anthropic from 1.4.4 to 1.4.6 in
/python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3044">langchain-ai/langsmith-sdk#3044</a></li>
<li>chore(deps): bump the npm_and_yarn group across 4 directories with 4
updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3046">langchain-ai/langsmith-sdk#3046</a></li>
<li>chore(deps): bump the npm_and_yarn group across 2 directories with 2
updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3060">langchain-ai/langsmith-sdk#3060</a></li>
<li>test(python): fix integration assertions for updated attachment
error message by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3061">langchain-ai/langsmith-sdk#3061</a></li>
<li>chore: reconcile bumpversion config and mandate release process for
agents by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3062">langchain-ai/langsmith-sdk#3062</a></li>
<li>release(py): 0.8.18 by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3063">langchain-ai/langsmith-sdk#3063</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.17...v0.8.18">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.17...v0.8.18</a></p>
<h2>v0.8.17</h2>
<h2>What's Changed</h2>
<ul>
<li>feat: expose the resources from the generated openapi client in the
langsmith client by <a
href="https://github.com/sineha-mani"><code>@​sineha-mani</code></a> in
<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3018">langchain-ai/langsmith-sdk#3018</a></li>
<li>feat(js): port <code>isTracingEnabled</code> utility from Python by
<a href="https://github.com/dqbd"><code>@​dqbd</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3032">langchain-ai/langsmith-sdk#3032</a></li>
<li>Add sandbox mount support to JS SDK by <a
href="https://github.com/DanielKneipp"><code>@​DanielKneipp</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3010">langchain-ai/langsmith-sdk#3010</a></li>
<li>release(js): bump to 0.7.9 by <a
href="https://github.com/dqbd"><code>@​dqbd</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3035">langchain-ai/langsmith-sdk#3035</a></li>
<li>Add sandbox mount support to Python SDK by <a
href="https://github.com/DanielKneipp"><code>@​DanielKneipp</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3009">langchain-ai/langsmith-sdk#3009</a></li>
<li>docs: note that _openapi_client directories are auto-generated by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3034">langchain-ai/langsmith-sdk#3034</a></li>
<li>fix: update JS SDK type declarations with skipLibCheck disabled by
<a href="https://github.com/sineha-mani"><code>@​sineha-mani</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3043">langchain-ai/langsmith-sdk#3043</a></li>
<li>release(js): 0.7.10 by <a
href="https://github.com/dqbd"><code>@​dqbd</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3045">langchain-ai/langsmith-sdk#3045</a></li>
<li>feat: adding python async for online evals by <a
href="https://github.com/sineha-mani"><code>@​sineha-mani</code></a> in
<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3048">langchain-ai/langsmith-sdk#3048</a></li>
<li>Add sandbox Git mount SDK helpers by <a
href="https://github.com/DanielKneipp"><code>@​DanielKneipp</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3040">langchain-ai/langsmith-sdk#3040</a></li>
<li>fix: use insights tab in sdk report links [closes LSO-2936] by <a
href="https://github.com/eric-langchain"><code>@​eric-langchain</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3050">langchain-ai/langsmith-sdk#3050</a></li>
<li>feat(client): warn when backend version is below minimum required by
<a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3041">langchain-ai/langsmith-sdk#3041</a></li>
<li>chore: bump _MIN_BACKEND_VERSION to 0.16.5rc1 by <a
href="https://github.com/langtions-bot"><code>@​langtions-bot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3053">langchain-ai/langsmith-sdk#3053</a></li>
<li>fix(sandbox): use built-in gcp auth host matching by <a
href="https://github.com/DanielKneipp"><code>@​DanielKneipp</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3055">langchain-ai/langsmith-sdk#3055</a></li>
<li>chore(python): py to 0.8.17 by <a
href="https://github.com/sineha-mani"><code>@​sineha-mani</code></a> in
<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3056">langchain-ai/langsmith-sdk#3056</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/sineha-mani"><code>@​sineha-mani</code></a>
made their first contribution in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3018">langchain-ai/langsmith-sdk#3018</a></li>
<li><a
href="https://github.com/eric-langchain"><code>@​eric-langchain</code></a>
made their first contribution in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3050">langchain-ai/langsmith-sdk#3050</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.16...v0.8.17">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.16...v0.8.17</a></p>
<h2>v0.8.16</h2>
<h2>What's Changed</h2>
<ul>
<li>feat(py): add sync/async conversion for Sandbox and SandboxClient
[INF-0000] by <a
href="https://github.com/ramon-langchain"><code>@​ramon-langchain</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3019">langchain-ai/langsmith-sdk#3019</a></li>
<li>fix(experiments): extract keys from wrapped evaluator function by <a
href="https://github.com/shamikkarkhanis"><code>@​shamikkarkhanis</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3014">langchain-ai/langsmith-sdk#3014</a></li>
<li>chore: repoint <a
href="mailto:support@langchain.dev">support@langchain.dev</a> mentions
to the Support Portal by <a
href="https://github.com/lutan-langchain"><code>@​lutan-langchain</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3024">langchain-ai/langsmith-sdk#3024</a></li>
<li>fix(python): derive create_child run id from start_time [LSDK-220]
by <a
href="https://github.com/harisaiharish"><code>@​harisaiharish</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3027">langchain-ai/langsmith-sdk#3027</a></li>
<li>chore: sync langsmith_api by <a
href="https://github.com/langtions-bot"><code>@​langtions-bot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3020">langchain-ai/langsmith-sdk#3020</a></li>
<li>chore: js to 0.7.8 and py to 0.8.16 by <a
href="https://github.com/shamikkarkhanis"><code>@​shamikkarkhanis</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3029">langchain-ai/langsmith-sdk#3029</a></li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="31c2bf650b"><code>31c2bf6</code></a>
release(py): 0.8.18 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3063">#3063</a>)</li>
<li><a
href="8955b68868"><code>8955b68</code></a>
chore: reconcile bumpversion config and mandate release process for
agents (#...</li>
<li><a
href="411401f6ca"><code>411401f</code></a>
test(python): fix integration assertions for updated attachment error
message...</li>
<li><a
href="9c5515620f"><code>9c55156</code></a>
Merge commit from fork</li>
<li><a
href="5b2bd8db3c"><code>5b2bd8d</code></a>
chore(deps): bump the npm_and_yarn group across 2 directories with 2
updates ...</li>
<li><a
href="d8642f9099"><code>d8642f9</code></a>
chore(deps): bump the npm_and_yarn group across 4 directories with 4
updates ...</li>
<li><a
href="953c2e5e25"><code>953c2e5</code></a>
chore(deps-dev): bump langchain-anthropic from 1.4.4 to 1.4.6 in /python
(<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3044">#3044</a>)</li>
<li><a
href="5513699e2d"><code>5513699</code></a>
chore(deps): bump starlette from 1.0.1 to 1.3.1 in /python (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3039">#3039</a>)</li>
<li><a
href="8becdefdf4"><code>8becdef</code></a>
chore(deps): bump cryptography from 46.0.7 to 48.0.1 in /python (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3038">#3038</a>)</li>
<li><a
href="1a9c522feb"><code>1a9c522</code></a>
chore(deps): bump aiohttp from 3.14.0 to 3.14.1 in /python (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3037">#3037</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.0...v0.8.18">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langsmith&package-manager=uv&previous-version=0.8.0&new-version=0.8.18)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-19 22:09:56 -04:00
dependabot[bot]
2e9665ec66 chore: bump pydantic-settings from 2.14.0 to 2.14.2 in /libs/langchain (#38286)
Bumps [pydantic-settings](https://github.com/pydantic/pydantic-settings)
from 2.14.0 to 2.14.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pydantic/pydantic-settings/releases">pydantic-settings's
releases</a>.</em></p>
<blockquote>
<h2>v2.14.2</h2>
<h2>What's Changed</h2>
<p>This is a security patch release.</p>
<ul>
<li>Prevent <code>NestedSecretsSettingsSource</code> from following
symlinks outside <code>secrets_dir</code> by <a
href="https://github.com/hramezani"><code>@​hramezani</code></a> in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/889">pydantic/pydantic-settings#889</a></li>
<li>Prepare release 2.14.2 by <a
href="https://github.com/hramezani"><code>@​hramezani</code></a> in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/890">pydantic/pydantic-settings#890</a></li>
</ul>
<h3>Security</h3>
<p>Fixes <a
href="https://github.com/pydantic/pydantic-settings/security/advisories/GHSA-4xgf-cpjx-pc3j">GHSA-4xgf-cpjx-pc3j</a>:
<code>NestedSecretsSettingsSource</code> with
<code>secrets_nested_subdir=True</code> could follow a symbolic link
inside <code>secrets_dir</code> pointing outside it, reading out-of-tree
files into settings values and bypassing the
<code>secrets_dir_max_size</code> cap. Affected versions: <code>&gt;=
2.12.0, &lt; 2.14.2</code>.</p>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/pydantic/pydantic-settings/compare/v2.14.1...v2.14.2">https://github.com/pydantic/pydantic-settings/compare/v2.14.1...v2.14.2</a></p>
<h2>v2.14.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Bump the python-packages group with 4 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/850">pydantic/pydantic-settings#850</a></li>
<li>Bump the python-packages group with 5 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/854">pydantic/pydantic-settings#854</a></li>
<li>Bump the github-actions group with 3 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/853">pydantic/pydantic-settings#853</a></li>
<li>Bump the python-packages group with 2 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/856">pydantic/pydantic-settings#856</a></li>
<li>Fix field named <code>cls</code> conflicting with classmethod
parameter by <a
href="https://github.com/hramezani"><code>@​hramezani</code></a> in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/858">pydantic/pydantic-settings#858</a></li>
<li>Prepare release 2.14.1 by <a
href="https://github.com/hramezani"><code>@​hramezani</code></a> in <a
href="https://redirect.github.com/pydantic/pydantic-settings/pull/859">pydantic/pydantic-settings#859</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/pydantic/pydantic-settings/compare/v2.14.0...v2.14.1">https://github.com/pydantic/pydantic-settings/compare/v2.14.0...v2.14.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d703bd717e"><code>d703bd7</code></a>
Prepare release 2.14.2 (<a
href="https://redirect.github.com/pydantic/pydantic-settings/issues/890">#890</a>)</li>
<li><a
href="e95c30bec8"><code>e95c30b</code></a>
Prepare release 2.14.1 (<a
href="https://redirect.github.com/pydantic/pydantic-settings/issues/859">#859</a>)</li>
<li><a
href="0c8734581b"><code>0c87345</code></a>
Fix field named <code>cls</code> conflicting with classmethod parameter
(<a
href="https://redirect.github.com/pydantic/pydantic-settings/issues/858">#858</a>)</li>
<li><a
href="7bd0072795"><code>7bd0072</code></a>
Bump the python-packages group with 2 updates (<a
href="https://redirect.github.com/pydantic/pydantic-settings/issues/856">#856</a>)</li>
<li><a
href="b03e573d01"><code>b03e573</code></a>
Bump the github-actions group with 3 updates (<a
href="https://redirect.github.com/pydantic/pydantic-settings/issues/853">#853</a>)</li>
<li><a
href="eaa3b43493"><code>eaa3b43</code></a>
Bump the python-packages group with 5 updates (<a
href="https://redirect.github.com/pydantic/pydantic-settings/issues/854">#854</a>)</li>
<li><a
href="9f95615c24"><code>9f95615</code></a>
Bump the python-packages group with 4 updates (<a
href="https://redirect.github.com/pydantic/pydantic-settings/issues/850">#850</a>)</li>
<li>See full diff in <a
href="https://github.com/pydantic/pydantic-settings/compare/v2.14.0...v2.14.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pydantic-settings&package-manager=uv&previous-version=2.14.0&new-version=2.14.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-19 22:09:52 -04:00
dependabot[bot]
34ef1eb5cc chore: bump jupyterlab from 4.5.7 to 4.5.9 in /libs/langchain (#38317)
Bumps [jupyterlab](https://github.com/jupyterlab/jupyterlab) from 4.5.7
to 4.5.9.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jupyterlab/jupyterlab/releases">jupyterlab's
releases</a>.</em></p>
<blockquote>
<h2>v4.5.9</h2>
<h2>4.5.9</h2>
<p>(<a
href="https://github.com/jupyterlab/jupyterlab/compare/v4.5.8...26936727d7f197bab4f314ca50690cd162d50312">Full
Changelog</a>)</p>
<h3>Bugs fixed</h3>
<ul>
<li>Fix <code>jupyter labextension build</code> crash on <code>webpack ≥
5.107</code> <a
href="https://redirect.github.com/jupyterlab/jupyterlab/pull/19021">#19021</a>
(<a href="https://github.com/Darshan808"><code>@​Darshan808</code></a>,
<a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Backport PR <a
href="https://redirect.github.com/jupyterlab/jupyterlab/issues/18992">#18992</a>:
Fix hidden cells after moving collapsed headings <a
href="https://redirect.github.com/jupyterlab/jupyterlab/pull/19016">#19016</a>
(<a href="https://github.com/MUFFANUJ"><code>@​MUFFANUJ</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Forbid relative URLs in extensionmanager <a
href="https://redirect.github.com/jupyterlab/jupyterlab/pull/19013">#19013</a>
(<a href="https://github.com/Yann-P"><code>@​Yann-P</code></a>)</li>
<li>Fix XSS in extension manager's <code>homepage_url</code> <a
href="https://redirect.github.com/jupyterlab/jupyterlab/pull/19003">#19003</a>
(<a href="https://github.com/Yann-P"><code>@​Yann-P</code></a>)</li>
<li>Fix toolbar popup row clipping in Safari <a
href="https://redirect.github.com/jupyterlab/jupyterlab/pull/18998">#18998</a>
(<a href="https://github.com/arun-357"><code>@​arun-357</code></a>)</li>
</ul>
<h3>Contributors to this release</h3>
<p>The following people contributed discussions, new ideas, code and
documentation contributions, and review.
See <a
href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our
definition of contributors</a>.</p>
<p>(<a
href="https://github.com/jupyterlab/jupyterlab/graphs/contributors?from=2026-06-04&amp;to=2026-06-17&amp;type=c">GitHub
contributors page for this release</a>)</p>
<p><a href="https://github.com/arun-357"><code>@​arun-357</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3Aarun-357+updated%3A2026-06-04..2026-06-17&amp;type=Issues">activity</a>)
| <a href="https://github.com/Darshan808"><code>@​Darshan808</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3ADarshan808+updated%3A2026-06-04..2026-06-17&amp;type=Issues">activity</a>)
| <a href="https://github.com/krassowski"><code>@​krassowski</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3Akrassowski+updated%3A2026-06-04..2026-06-17&amp;type=Issues">activity</a>)
| <a href="https://github.com/MUFFANUJ"><code>@​MUFFANUJ</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3AMUFFANUJ+updated%3A2026-06-04..2026-06-17&amp;type=Issues">activity</a>)
| <a href="https://github.com/Yann-P"><code>@​Yann-P</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3AYann-P+updated%3A2026-06-04..2026-06-17&amp;type=Issues">activity</a>)</p>
<h2>v4.5.8</h2>
<h2>4.5.8</h2>
<p>(<a
href="https://github.com/jupyterlab/jupyterlab/compare/v4.5.7...8d30d481fbab784096e04d85dfa3b0c36e77be2c">Full
Changelog</a>)</p>
<h3>Bugs fixed</h3>
<ul>
<li>Prevent dialog from hanging when <code>getValue()</code> throws <a
href="https://redirect.github.com/jupyterlab/jupyterlab/pull/18938">#18938</a>
(<a
href="https://github.com/AliMahmoudDev"><code>@​AliMahmoudDev</code></a>)</li>
<li>Add <code>packaging</code> min version pin <a
href="https://redirect.github.com/jupyterlab/jupyterlab/pull/18910">#18910</a>
(<a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Use CSS <code>anchor</code> for prompt overlay <a
href="https://redirect.github.com/jupyterlab/jupyterlab/pull/18840">#18840</a>
(<a
href="https://github.com/CrafterKolyan"><code>@​CrafterKolyan</code></a>)</li>
</ul>
<h3>Maintenance and upkeep improvements</h3>
<ul>
<li>Fix completer test failures on CI <a
href="https://redirect.github.com/jupyterlab/jupyterlab/pull/18946">#18946</a>
(<a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Bump license webpack plugin <a
href="https://redirect.github.com/jupyterlab/jupyterlab/pull/18929">#18929</a>
(<a href="https://github.com/Darshan808"><code>@​Darshan808</code></a>,
<a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
</ul>
<h3>Contributors to this release</h3>
<p>The following people contributed discussions, new ideas, code and
documentation contributions, and review.
See <a
href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our
definition of contributors</a>.</p>
<p>(<a
href="https://github.com/jupyterlab/jupyterlab/graphs/contributors?from=2026-04-29&amp;to=2026-06-04&amp;type=c">GitHub
contributors page for this release</a>)</p>
<p><a
href="https://github.com/AliMahmoudDev"><code>@​AliMahmoudDev</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3AAliMahmoudDev+updated%3A2026-04-29..2026-06-04&amp;type=Issues">activity</a>)
| <a
href="https://github.com/CrafterKolyan"><code>@​CrafterKolyan</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3ACrafterKolyan+updated%3A2026-04-29..2026-06-04&amp;type=Issues">activity</a>)
| <a href="https://github.com/Darshan808"><code>@​Darshan808</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3ADarshan808+updated%3A2026-04-29..2026-06-04&amp;type=Issues">activity</a>)
| <a href="https://github.com/krassowski"><code>@​krassowski</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3Akrassowski+updated%3A2026-04-29..2026-06-04&amp;type=Issues">activity</a>)</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="dd65403362"><code>dd65403</code></a>
[ci skip] Publish 4.5.9</li>
<li><a
href="26936727d7"><code>2693672</code></a>
Backport PR <a
href="https://redirect.github.com/jupyterlab/jupyterlab/issues/18992">#18992</a>:
Fix hidden cells after moving collapsed headings (<a
href="https://redirect.github.com/jupyterlab/jupyterlab/issues/19016">#19016</a>)</li>
<li><a
href="360c1760b5"><code>360c176</code></a>
Backport PR <a
href="https://redirect.github.com/jupyterlab/jupyterlab/issues/18998">#18998</a>
on branch 4.5.x (Fix toolbar popup row clipping in Safari)...</li>
<li><a
href="e9db01011d"><code>e9db010</code></a>
Fix <code>jupyter labextension build</code> crash on <code>webpack ≥
5.107</code> (<a
href="https://redirect.github.com/jupyterlab/jupyterlab/issues/19021">#19021</a>)</li>
<li><a
href="3b8428c04e"><code>3b8428c</code></a>
Backport PR <a
href="https://redirect.github.com/jupyterlab/jupyterlab/issues/19013">#19013</a>
on branch 4.5.x (Forbid relative URLs in extensionmanager)...</li>
<li><a
href="3c84a84cf4"><code>3c84a84</code></a>
Backport PR <a
href="https://redirect.github.com/jupyterlab/jupyterlab/issues/19003">#19003</a>
on branch 4.5.x (Fix XSS in extension manager's `homepage_...</li>
<li><a
href="0dee9961fa"><code>0dee996</code></a>
[ci skip] Publish 4.5.8</li>
<li><a
href="8d30d481fb"><code>8d30d48</code></a>
Backport PR <a
href="https://redirect.github.com/jupyterlab/jupyterlab/issues/18946">#18946</a>
on branch 4.5.x (Fix completer test failures on CI) (<a
href="https://redirect.github.com/jupyterlab/jupyterlab/issues/18949">#18949</a>)</li>
<li><a
href="872d4c8449"><code>872d4c8</code></a>
Backport PR <a
href="https://redirect.github.com/jupyterlab/jupyterlab/issues/18938">#18938</a>
on branch 4.5.x (Prevent dialog from hanging when `getValu...</li>
<li><a
href="d8a387498b"><code>d8a3874</code></a>
Bump license webpack plugin (<a
href="https://redirect.github.com/jupyterlab/jupyterlab/issues/18929">#18929</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/jupyterlab/jupyterlab/compare/@jupyterlab/lsp@4.5.7...@jupyterlab/lsp@4.5.9">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=jupyterlab&package-manager=uv&previous-version=4.5.7&new-version=4.5.9)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-19 22:07:26 -04:00
dependabot[bot]
8d51355f1f chore: bump aiohttp from 3.14.0 to 3.14.1 in /libs/langchain (#38180)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-18 15:27:47 -04:00
dependabot[bot]
0b1b7bb77a chore: bump cryptography from 46.0.7 to 48.0.1 in /libs/langchain (#38181)
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.7
to 48.0.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's
changelog</a>.</em></p>
<blockquote>
<p>48.0.1 - 2026-06-09</p>
<ul>
<li>Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL
4.0.1.</li>
</ul>
<p>.. _v48-0-0:</p>
<p>48.0.0 - 2026-05-04</p>
<ul>
<li>
<p><strong>BACKWARDS INCOMPATIBLE:</strong> Support for Python 3.8 has
been removed.
<code>cryptography</code> now requires Python 3.9 or later.</p>
</li>
<li>
<p><strong>BACKWARDS INCOMPATIBLE:</strong> Loading an X.509 CRL whose
inner
<code>TBSCertList.signature</code> algorithm does not match the outer
<code>signatureAlgorithm</code> now raises <code>ValueError</code>.
Previously, such CRLs
were parsed successfully and only rejected during signature
validation.</p>
</li>
<li>
<p>Added support for
:doc:<code>/hazmat/primitives/asymmetric/mlkem</code> and
:doc:<code>/hazmat/primitives/asymmetric/mldsa</code> when using OpenSSL
3.5.0 or
later, in addition to the existing AWS-LC and BoringSSL support. This
means
post-quantum algorithms are now available to users of our wheels.</p>
<ul>
<li><strong>Note:</strong> Going forward, we do not guarantee that all
functionality
in <code>cryptography</code> will be available when building against
OpenSSL. See :doc:<code>/statements/state-of-openssl</code> for more
information.</li>
</ul>
</li>
</ul>
<p>.. _v47-0-0:</p>
<p>47.0.0 - 2026-04-24</p>
<pre><code>
* Support for Python 3.8 is deprecated and will be removed in the next
  ``cryptography`` release.
* **BACKWARDS INCOMPATIBLE:** Support for binary elliptic curves
  (``SECT*`` classes) has been removed. These curves are rarely used and
  have additional security considerations that make them undesirable.
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.x has been removed.
  OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC
  continue to be supported.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL &lt; 4.1.
* **BACKWARDS INCOMPATIBLE:** Loading keys with unsupported algorithms or
  keys with unsupported explicit curve encodings now raises
  :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of
  ``ValueError``. This change affects
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`,
  and :meth:`~cryptography.x509.Certificate.public_key` when called on
  certificates with unsupported public key algorithms.
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="de987ce48c"><code>de987ce</code></a>
48.0.1 version bump and changelog (<a
href="https://redirect.github.com/pyca/cryptography/issues/14996">#14996</a>)</li>
<li><a
href="8e03e30e3a"><code>8e03e30</code></a>
bump for 48.0.0 release (<a
href="https://redirect.github.com/pyca/cryptography/issues/14796">#14796</a>)</li>
<li><a
href="295e0d254e"><code>295e0d2</code></a>
Add AGENTS.md with CLAUDE.md symlink (<a
href="https://redirect.github.com/pyca/cryptography/issues/14794">#14794</a>)</li>
<li><a
href="104a2de19e"><code>104a2de</code></a>
Bump BoringSSL, OpenSSL, AWS-LC in CI (<a
href="https://redirect.github.com/pyca/cryptography/issues/14793">#14793</a>)</li>
<li><a
href="67ec1e5198"><code>67ec1e5</code></a>
call check_length early on AesSiv::encrypt (<a
href="https://redirect.github.com/pyca/cryptography/issues/14792">#14792</a>)</li>
<li><a
href="b2da57a0d9"><code>b2da57a</code></a>
changelog for mldsa/mlkem for openssl (<a
href="https://redirect.github.com/pyca/cryptography/issues/14791">#14791</a>)</li>
<li><a
href="3cf44adee2"><code>3cf44ad</code></a>
ML-KEM OpenSSL support (<a
href="https://redirect.github.com/pyca/cryptography/issues/14781">#14781</a>)</li>
<li><a
href="2e31639666"><code>2e31639</code></a>
ML-DSA OpenSSL support (<a
href="https://redirect.github.com/pyca/cryptography/issues/14773">#14773</a>)</li>
<li><a
href="5affe5a286"><code>5affe5a</code></a>
fix rust nightly clippy (<a
href="https://redirect.github.com/pyca/cryptography/issues/14790">#14790</a>)</li>
<li><a
href="2e73ca448e"><code>2e73ca4</code></a>
bump rust-openssl dep and update EcPoint::mul_generator to
mul_generator2 (<a
href="https://redirect.github.com/pyca/cryptography/issues/1">#1</a>...</li>
<li>Additional commits viewable in <a
href="https://github.com/pyca/cryptography/compare/46.0.7...48.0.1">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-18 15:27:37 -04:00
dependabot[bot]
dfd0627422 chore: bump starlette from 1.0.1 to 1.3.1 in /libs/langchain (#38182)
Bumps [starlette](https://github.com/Kludex/starlette) from 1.0.1 to
1.3.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/Kludex/starlette/releases">starlette's
releases</a>.</em></p>
<blockquote>
<h2>Version 1.3.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Use <code>StarletteDeprecationWarning</code> instead of
<code>DeprecationWarning</code> by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3119">Kludex/starlette#3119</a></li>
<li>Enforce <code>max_fields</code> and <code>max_part_size</code> in
<code>FormParser</code> by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3329">Kludex/starlette#3329</a></li>
<li>Enforce <code>FormParser</code> limits in parser callbacks by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3331">Kludex/starlette#3331</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/starlette/compare/1.3.0...1.3.1">https://github.com/Kludex/starlette/compare/1.3.0...1.3.1</a></p>
<h2>Version 1.3.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Clamp oversized suffix ranges in <code>FileResponse</code> by <a
href="https://github.com/jiyujie2006"><code>@​jiyujie2006</code></a> in
<a
href="https://redirect.github.com/Kludex/starlette/pull/3307">Kludex/starlette#3307</a></li>
<li>Catch <code>OSError</code> alongside <code>MultiPartException</code>
when closing temp files by <a
href="https://github.com/N3XT3R1337"><code>@​N3XT3R1337</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3191">Kludex/starlette#3191</a></li>
<li>Add <code>httpx2</code> to the <code>full</code> extra by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3323">Kludex/starlette#3323</a></li>
<li>Adjust testclient typing and warnings by <a
href="https://github.com/waketzheng"><code>@​waketzheng</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3322">Kludex/starlette#3322</a></li>
<li>Fix IndexError in URL.replace() on a URL with no authority by <a
href="https://github.com/LeSingh1"><code>@​LeSingh1</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3317">Kludex/starlette#3317</a></li>
<li>Annotate URLPath protocol parameter with Literal by <a
href="https://github.com/Chang-LeHung"><code>@​Chang-LeHung</code></a>
in <a
href="https://redirect.github.com/Kludex/starlette/pull/3285">Kludex/starlette#3285</a></li>
<li>avoid collapsing exception groups from user code by <a
href="https://github.com/graingert"><code>@​graingert</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/2830">Kludex/starlette#2830</a></li>
<li>Use <code>removeprefix</code> to strip weak ETag indicator in
<code>is_not_modified</code> by <a
href="https://github.com/gnosyslambda"><code>@​gnosyslambda</code></a>
in <a
href="https://redirect.github.com/Kludex/starlette/pull/3193">Kludex/starlette#3193</a></li>
<li>Build <code>request.url</code> from structured components by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3326">Kludex/starlette#3326</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/jiyujie2006"><code>@​jiyujie2006</code></a>
made their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3307">Kludex/starlette#3307</a></li>
<li><a
href="https://github.com/N3XT3R1337"><code>@​N3XT3R1337</code></a> made
their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3191">Kludex/starlette#3191</a></li>
<li><a
href="https://github.com/leestana01"><code>@​leestana01</code></a> made
their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3319">Kludex/starlette#3319</a></li>
<li><a href="https://github.com/LeSingh1"><code>@​LeSingh1</code></a>
made their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3317">Kludex/starlette#3317</a></li>
<li><a
href="https://github.com/EmmanuelNiyonshuti"><code>@​EmmanuelNiyonshuti</code></a>
made their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3204">Kludex/starlette#3204</a></li>
<li><a
href="https://github.com/Chang-LeHung"><code>@​Chang-LeHung</code></a>
made their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3285">Kludex/starlette#3285</a></li>
<li><a
href="https://github.com/gnosyslambda"><code>@​gnosyslambda</code></a>
made their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3193">Kludex/starlette#3193</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/starlette/compare/1.2.1...1.3.0">https://github.com/Kludex/starlette/compare/1.2.1...1.3.0</a></p>
<h2>Version 1.2.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Use <code>httpx2</code> for type checking in the
<code>testclient</code> module by <a
href="https://github.com/leifwar"><code>@​leifwar</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3304">Kludex/starlette#3304</a></li>
<li>Add assert error for requires() when request param is not Request
type by <a
href="https://github.com/KeeganOP"><code>@​KeeganOP</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3298">Kludex/starlette#3298</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/leifwar"><code>@​leifwar</code></a> made
their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3304">Kludex/starlette#3304</a></li>
<li><a href="https://github.com/diskeu"><code>@​diskeu</code></a> made
their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3243">Kludex/starlette#3243</a></li>
<li><a href="https://github.com/KeeganOP"><code>@​KeeganOP</code></a>
made their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3298">Kludex/starlette#3298</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/starlette/compare/1.2.0...1.2.1">https://github.com/Kludex/starlette/compare/1.2.0...1.2.1</a></p>
<h2>Version 1.2.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Support httpx2 in the test client by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3291">Kludex/starlette#3291</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/starlette/compare/1.1.0...1.2.0">https://github.com/Kludex/starlette/compare/1.1.0...1.2.0</a></p>
<h2>Version 1.1.0</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/Kludex/starlette/blob/main/docs/release-notes.md">starlette's
changelog</a>.</em></p>
<blockquote>
<h2>1.3.1 (June 12, 2026)</h2>
<h4>Fixed</h4>
<ul>
<li>Enforce <code>max_fields</code> and <code>max_part_size</code> in
<code>FormParser</code> <a
href="https://redirect.github.com/encode/starlette/pull/3329">#3329</a>.</li>
<li>Enforce <code>FormParser</code> limits in parser callbacks <a
href="https://redirect.github.com/encode/starlette/pull/3331">#3331</a>.</li>
</ul>
<h2>1.3.0 (June 11, 2026)</h2>
<h4>Added</h4>
<ul>
<li>Add <code>httpx2</code> to the <code>full</code> extra <a
href="https://redirect.github.com/encode/starlette/pull/3323">#3323</a>.</li>
<li>Annotate the <code>URLPath</code> <code>protocol</code> parameter
with <code>Literal</code> <a
href="https://redirect.github.com/encode/starlette/pull/3285">#3285</a>.</li>
</ul>
<h4>Fixed</h4>
<ul>
<li>Build <code>request.url</code> from structured components <a
href="https://redirect.github.com/encode/starlette/pull/3326">#3326</a>.</li>
<li>Clamp oversized suffix ranges in <code>FileResponse</code> <a
href="https://redirect.github.com/encode/starlette/pull/3307">#3307</a>.</li>
<li>Catch <code>OSError</code> alongside <code>MultiPartException</code>
when closing temp files <a
href="https://redirect.github.com/encode/starlette/pull/3191">#3191</a>.</li>
<li>Avoid collapsing exception groups raised from user code <a
href="https://redirect.github.com/encode/starlette/pull/2830">#2830</a>.</li>
<li>Use <code>removeprefix</code> to strip the weak <code>ETag</code>
indicator in <code>is_not_modified</code> <a
href="https://redirect.github.com/encode/starlette/pull/3193">#3193</a>.</li>
<li>Fix <code>IndexError</code> in <code>URL.replace()</code> on a URL
with no authority <a
href="https://redirect.github.com/encode/starlette/pull/3317">#3317</a>.</li>
<li>Adjust <code>testclient</code> typing and warnings <a
href="https://redirect.github.com/encode/starlette/pull/3322">#3322</a>.</li>
</ul>
<h2>1.2.1 (May 31, 2026)</h2>
<h4>Fixed</h4>
<ul>
<li>Use <code>httpx2</code> for type checking in the
<code>testclient</code> module <a
href="https://redirect.github.com/encode/starlette/pull/3304">#3304</a>.</li>
<li>Add assert error for <code>requires()</code> when the request
parameter is not a <code>Request</code> type <a
href="https://redirect.github.com/encode/starlette/pull/3298">#3298</a>.</li>
</ul>
<h2>1.2.0 (May 28, 2026)</h2>
<h4>Added</h4>
<ul>
<li>Support httpx2 in the test client <a
href="https://redirect.github.com/encode/starlette/pull/3291">#3291</a>.</li>
</ul>
<h2>1.1.0 (May 23, 2026)</h2>
<h4>Added</h4>
<ul>
<li>Use <code>&quot;application/octet-stream&quot;</code> as the
<code>FileResponse</code> media type fallback <a
href="https://redirect.github.com/encode/starlette/pull/3283">#3283</a>.</li>
</ul>
<h4>Fixed</h4>
<ul>
<li>Only dispatch standard HTTP verbs in <code>HTTPEndpoint</code> <a
href="https://redirect.github.com/encode/starlette/pull/3286">#3286</a>.</li>
<li>Reject absolute paths in <code>StaticFiles.lookup_path</code> <a
href="https://redirect.github.com/encode/starlette/pull/3287">#3287</a>.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="8ebffd0678"><code>8ebffd0</code></a>
Version 1.3.1 (<a
href="https://redirect.github.com/Kludex/starlette/issues/3330">#3330</a>)</li>
<li><a
href="25b8e179d8"><code>25b8e17</code></a>
Enforce <code>FormParser</code> limits in parser callbacks (<a
href="https://redirect.github.com/Kludex/starlette/issues/3331">#3331</a>)</li>
<li><a
href="dba1c4babc"><code>dba1c4b</code></a>
Enforce <code>max_fields</code> and <code>max_part_size</code> in
<code>FormParser</code> (<a
href="https://redirect.github.com/Kludex/starlette/issues/3329">#3329</a>)</li>
<li><a
href="45e51dcf99"><code>45e51dc</code></a>
Use <code>StarletteDeprecationWarning</code> instead of
<code>DeprecationWarning</code> (<a
href="https://redirect.github.com/Kludex/starlette/issues/3119">#3119</a>)</li>
<li><a
href="5f8610c386"><code>5f8610c</code></a>
Version 1.3.0 (<a
href="https://redirect.github.com/Kludex/starlette/issues/3327">#3327</a>)</li>
<li><a
href="167b5850e8"><code>167b585</code></a>
Build <code>request.url</code> from structured components (<a
href="https://redirect.github.com/Kludex/starlette/issues/3326">#3326</a>)</li>
<li><a
href="37309255b4"><code>3730925</code></a>
Use <code>removeprefix</code> to strip weak ETag indicator in
<code>is_not_modified</code> (<a
href="https://redirect.github.com/Kludex/starlette/issues/3193">#3193</a>)</li>
<li><a
href="e6f7ad1ab8"><code>e6f7ad1</code></a>
avoid collapsing exception groups from user code (<a
href="https://redirect.github.com/Kludex/starlette/issues/2830">#2830</a>)</li>
<li><a
href="115228fcdc"><code>115228f</code></a>
Annotate URLPath protocol parameter with Literal (<a
href="https://redirect.github.com/Kludex/starlette/issues/3285">#3285</a>)</li>
<li><a
href="113f193a34"><code>113f193</code></a>
docs: replace inline ASGI server list with link to canonical implemen…
(<a
href="https://redirect.github.com/Kludex/starlette/issues/3204">#3204</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/Kludex/starlette/compare/1.0.1...1.3.1">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-18 15:27:29 -04:00
dependabot[bot]
0269392514 chore: bump tornado from 6.5.6 to 6.5.7 in /libs/langchain (#38183)
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.6 to
6.5.7.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="48fc2d43d1"><code>48fc2d4</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3633">#3633</a>
from bdarnell/curl-reset-65</li>
<li><a
href="4ae1ddd142"><code>4ae1ddd</code></a>
Release notes and version bump for 6.5.7</li>
<li><a
href="3154caabc9"><code>3154caa</code></a>
curl_httpclient: Reset the curl object before putting it on the
freelist</li>
<li><a
href="7d869c0739"><code>7d869c0</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3631">#3631</a>
from bdarnell/cve-links</li>
<li><a
href="288241f681"><code>288241f</code></a>
docs: Use the correct link syntax</li>
<li><a
href="8da981c0f6"><code>8da981c</code></a>
docs: Add CVE links to 6.5.6 release notes</li>
<li>See full diff in <a
href="https://github.com/tornadoweb/tornado/compare/v6.5.6...v6.5.7">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-18 15:27:19 -04:00
dependabot[bot]
0168f5a453 chore: bump bleach from 6.2.0 to 6.4.0 in /libs/langchain (#38196)
Bumps [bleach](https://github.com/mozilla/bleach) from 6.2.0 to 6.4.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/mozilla/bleach/blob/main/CHANGES">bleach's
changelog</a>.</em></p>
<blockquote>
<h2>Version 6.4.0 (June 5th, 2026)</h2>
<p><strong>NOTE: 2026-06-05: Bleach is no longer maintained. There will
be no future
releases including for security issues.</strong>
See issue:
<code>&lt;https://github.com/mozilla/bleach/issues/698&gt;</code>__</p>
<p><strong>Backwards incompatible changes</strong></p>
<ul>
<li>Dropped support for pypy 3.10. (<a
href="https://redirect.github.com/mozilla/bleach/issues/764">#764</a>)</li>
</ul>
<p><strong>Security fixes</strong></p>
<ul>
<li>
<p>Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.</p>
<p>Fix XSS issue with sanitize_uri_value where disallowed schemes with
Unicode invisible characters wouldn't be rejected.</p>
<p>For example::</p>
<p>import bleach
payload1 = '<!-- raw HTML omitted -->Click<!-- raw HTML omitted -->'
result1 = bleach.clean(payload1)
print(repr(result1))</p>
<p>outputs::</p>
<p>'<!-- raw HTML omitted -->Click<!-- raw HTML omitted -->'</p>
<p>See the advisory for details.</p>
</li>
<li>
<p>Fix GHSA-gj48-438w-jh9v.</p>
<p>Fix issue where URI sanitization wasn't happening in formaction
attributes.</p>
<p>See the advisory for details.</p>
</li>
</ul>
<p><strong>Bug fixes</strong></p>
<ul>
<li>
<p>Add support for pypy 3.11. (<a
href="https://redirect.github.com/mozilla/bleach/issues/764">#764</a>)</p>
</li>
<li>
<p>Drop version max in tinycss2 pin. (<a
href="https://redirect.github.com/mozilla/bleach/issues/772">#772</a>)</p>
<p>This removes one of the things we had to keep checking and updating.
Users
now own the responsibility for correctness with the version of tinycss2
they're using.</p>
</li>
</ul>
<h2>Version 6.3.0 (October 27th, 2025)</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="f0355a7af0"><code>f0355a7</code></a>
fix: fix last release date in CHANGES</li>
<li><a
href="ae4e8a2670"><code>ae4e8a2</code></a>
chore: bleach 6.4.0 and final release</li>
<li><a
href="970df58e9f"><code>970df58</code></a>
fix: uri-sanitization in formaction attributes</li>
<li><a
href="7c4867c323"><code>7c4867c</code></a>
fix: xss bypass in allowed protocol test using unicode invisible
characters</li>
<li><a
href="913ab75992"><code>913ab75</code></a>
fix: reduce redundancy in workflow jobs</li>
<li><a
href="218c15af45"><code>218c15a</code></a>
fix: rework pip caching</li>
<li><a
href="4f0b097bf8"><code>4f0b097</code></a>
fix: fix tox platform restrictions</li>
<li><a
href="e95a79d07b"><code>e95a79d</code></a>
chore: update pytest</li>
<li><a
href="91539d4e80"><code>91539d4</code></a>
Bump actions/cache from 5.0.3 to 5.0.4</li>
<li><a
href="cd47b4ce49"><code>cd47b4c</code></a>
fix: handle left-angle-bracket that's not a tag (<a
href="https://redirect.github.com/mozilla/bleach/issues/733">#733</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/mozilla/bleach/compare/v6.2.0...v6.4.0">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-18 15:26:51 -04:00
dependabot[bot]
8a7a33d67a chore: bump langchain-anthropic from 1.3.4 to 1.4.6 in /libs/langchain (#38197)
Bumps [langchain-anthropic](https://github.com/langchain-ai/langchain)
from 1.3.4 to 1.4.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/langchain-ai/langchain/releases">langchain-anthropic's
releases</a>.</em></p>
<blockquote>
<h2>langchain-anthropic==1.4.6</h2>
<p>Changes since langchain-anthropic==1.4.5</p>
<p>release(anthropic): 1.4.6 (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/38105">#38105</a>)
fix(langchain,anthropic): confine file-search results and tighten
anthropic <code>allowed_prefixes</code> (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/38106">#38106</a>)
release(core): 1.4.6 (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/38061">#38061</a>)
feat(core,partners): add package version tracking to tracing metadata
(<a
href="https://redirect.github.com/langchain-ai/langchain/issues/35295">#35295</a>)
chore(infra): bump mypy to 2.1 and unify type-check config across the
monorepo (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/36470">#36470</a>)
feat(standard-tests): validate tool call chunks during streaming (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/34707">#34707</a>)
test(anthropic): make expected warnings explicit (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/38044">#38044</a>)
test(anthropic): make tests robust to gateway base URL (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/38043">#38043</a>)</p>
<h2>langchain-anthropic==1.4.5</h2>
<p>Changes since langchain-anthropic==1.4.4</p>
<p>release(anthropic): 1.4.5 (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/38036">#38036</a>)
fix(core): support content block tokens in callbacks (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/34739">#34739</a>)
chore(model-profiles): refresh model profile data (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/38012">#38012</a>)
hotfix(openai): min core dep (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37990">#37990</a>)
test(langchain,partners): disable pytest-benchmark under xdist to
silence <code>PytestBenchmarkWarning</code> (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37901">#37901</a>)
chore(model-profiles): refresh model profile data (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37895">#37895</a>)
chore(model-profiles): refresh model profile data (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37771">#37771</a>)</p>
<h2>langchain-anthropic==1.4.4</h2>
<p>Changes since langchain-anthropic==1.4.3</p>
<p>release(anthropic): 1.4.4 (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37757">#37757</a>)
fix(anthropic): normalize cross-provider tool-call IDs (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37756">#37756</a>)
test(anthropic): retry integration tests on transient failures (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37697">#37697</a>)
chore(infra): bump <code>langchain-tests</code> floor to 1.1.9 (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37610">#37610</a>)
chore: bump langsmith from 0.8.3 to 0.8.5 in /libs/partners/anthropic
(<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37564">#37564</a>)
chore: bump idna from 3.11 to 3.15 in /libs/partners/anthropic (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37565">#37565</a>)
ci(infra): harden Dependabot version-bound preservation (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37510">#37510</a>)
chore(infra): merge v1.4 into master (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37350">#37350</a>)
chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/anthropic (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37343">#37343</a>)
chore: bump requests from 2.33.0 to 2.33.1 in /libs/partners/anthropic
(<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37286">#37286</a>)
chore: bump langsmith from 0.7.31 to 0.8.3 in /libs/partners/anthropic
(<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37287">#37287</a>)
chore: bump langchain-core from 1.3.2 to 1.3.3 in
/libs/partners/anthropic (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37288">#37288</a>)</p>
<h2>langchain-anthropic==1.4.3</h2>
<p>Changes since langchain-anthropic==1.4.2</p>
<p>release(anthropic): 1.4.3 (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37166">#37166</a>)
refactor(langchain-classic): retarget deprecations to
<code>create_agent</code>, other chores (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37164">#37164</a>)
chore(docs): update x handle references (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>)
fix(anthropic): guard httpx finalizers (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/37064">#37064</a>)</p>
<h2>langchain-anthropic==1.4.2</h2>
<p>Changes since langchain-anthropic==1.4.1</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="c9f98c1bcd"><code>c9f98c1</code></a>
release(anthropic): 1.4.6 (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/38105">#38105</a>)</li>
<li><a
href="3bfb6a33e7"><code>3bfb6a3</code></a>
release(langchain): 1.3.9 (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/38104">#38104</a>)</li>
<li><a
href="dcaf7795a3"><code>dcaf779</code></a>
fix(langchain,anthropic): confine file-search results and tighten
anthropic `...</li>
<li><a
href="0392b6bae4"><code>0392b6b</code></a>
fix(core): fix Pydantic v1 support in tools/runnable (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/33698">#33698</a>)</li>
<li><a
href="f6d63bc9f3"><code>f6d63bc</code></a>
release(langchain): 1.3.8 (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/38096">#38096</a>)</li>
<li><a
href="5d20596d73"><code>5d20596</code></a>
style(core,langchain,langchain-classic,partners): replace double
backticks in...</li>
<li><a
href="fb55c6660a"><code>fb55c66</code></a>
chore: bump langsmith from 0.8.9 to 0.8.14 in /libs/partners/huggingface
(<a
href="https://redirect.github.com/langchain-ai/langchain/issues/38">#38</a>...</li>
<li><a
href="51daae5c13"><code>51daae5</code></a>
chore: bump langsmith from 0.8.9 to 0.8.14 in /libs/partners/chroma (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/38092">#38092</a>)</li>
<li><a
href="70e9579e43"><code>70e9579</code></a>
chore: bump langsmith from 0.8.9 to 0.8.14 in /libs/partners/fireworks
(<a
href="https://redirect.github.com/langchain-ai/langchain/issues/38093">#38093</a>)</li>
<li><a
href="6c0e9af324"><code>6c0e9af</code></a>
chore: bump langsmith from 0.8.9 to 0.8.14 in /libs/partners/xai (<a
href="https://redirect.github.com/langchain-ai/langchain/issues/38094">#38094</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/langchain-ai/langchain/compare/langchain-anthropic==1.3.4...langchain-anthropic==1.4.6">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-18 15:26:42 -04:00
dependabot[bot]
386f8b5ab3 chore: bump jupyter-server from 2.18.0 to 2.20.0 in /libs/langchain (#38251)
Bumps [jupyter-server](https://github.com/jupyter-server/jupyter_server)
from 2.18.0 to 2.20.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jupyter-server/jupyter_server/releases">jupyter-server's
releases</a>.</em></p>
<blockquote>
<h2>v2.20.0</h2>
<h2>2.20.0</h2>
<p>(<a
href="https://github.com/jupyter-server/jupyter_server/compare/v2.19.0...333e700119ee0bcc0b5fcd4c158213d7c275c778">Full
Changelog</a>)</p>
<h3>Security fixes</h3>
<ul>
<li>CVE-2026-44727 <a
href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-fcw5-x6j4-ccmp">GHSA-fcw5-x6j4-ccmp</a></li>
</ul>
<h3>Enhancements made</h3>
<ul>
<li>Fix confusing terminal output when using ServerApp.ip=0.0.0.0 <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1643">#1643</a>
(<a href="https://github.com/Yann-P"><code>@​Yann-P</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Add a toggle to enable curve encryption for all kernels that support
it <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1638">#1638</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/ianthomas23"><code>@​ianthomas23</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
</ul>
<h3>Bugs fixed</h3>
<ul>
<li>Grab the port from <code>bind_sockets</code> in case its different
<a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1651">#1651</a>
(<a href="https://github.com/choldgraf"><code>@​choldgraf</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
</ul>
<h3>Maintenance and upkeep improvements</h3>
<ul>
<li>Fix <code>test_authorizer</code> having a spurious comma in params
<a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1664">#1664</a>
(<a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Add a reminder to merge GHSA before release <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1659">#1659</a>
(<a href="https://github.com/Yann-P"><code>@​Yann-P</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Exclude problematic <code>pywinpty</code> 3.0.4 version <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1658">#1658</a>
(<a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>ci: explicitly pass base-setup inputs to fix strict validation
failures <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1626">#1626</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/Copilot"><code>@​Copilot</code></a>)</li>
</ul>
<h3>Documentation improvements</h3>
<ul>
<li>Align docs for curve encryption with latest JEP version <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1660">#1660</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Remove PGP key from docs <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1653">#1653</a>
(<a href="https://github.com/Yann-P"><code>@​Yann-P</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
</ul>
<h3>Contributors to this release</h3>
<p>The following people contributed discussions, new ideas, code and
documentation contributions, and review.
See <a
href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our
definition of contributors</a>.</p>
<p>(<a
href="https://github.com/jupyter-server/jupyter_server/graphs/contributors?from=2026-05-29&amp;to=2026-06-17&amp;type=c">GitHub
contributors page for this release</a>)</p>
<p><a href="https://github.com/Carreau"><code>@​Carreau</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3ACarreau+updated%3A2026-05-29..2026-06-17&amp;type=Issues">activity</a>)
| <a href="https://github.com/choldgraf"><code>@​choldgraf</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Acholdgraf+updated%3A2026-05-29..2026-06-17&amp;type=Issues">activity</a>)
| <a href="https://github.com/Copilot"><code>@​Copilot</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3ACopilot+updated%3A2026-05-29..2026-06-17&amp;type=Issues">activity</a>)
| <a
href="https://github.com/ianthomas23"><code>@​ianthomas23</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Aianthomas23+updated%3A2026-05-29..2026-06-17&amp;type=Issues">activity</a>)
| <a href="https://github.com/krassowski"><code>@​krassowski</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Akrassowski+updated%3A2026-05-29..2026-06-17&amp;type=Issues">activity</a>)
| <a href="https://github.com/minrk"><code>@​minrk</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Aminrk+updated%3A2026-05-29..2026-06-17&amp;type=Issues">activity</a>)
| <a href="https://github.com/Yann-P"><code>@​Yann-P</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3AYann-P+updated%3A2026-05-29..2026-06-17&amp;type=Issues">activity</a>)</p>
<h2>v2.19.0</h2>
<h2>2.19.0</h2>
<p>(<a
href="https://github.com/jupyter-server/jupyter_server/compare/v2.18.2...664e2255c71efe963f397b9f803dbcf503b5a920">Full
Changelog</a>)</p>
<h3>Enhancements made</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jupyter-server/jupyter_server/blob/main/CHANGELOG.md">jupyter-server's
changelog</a>.</em></p>
<blockquote>
<h2>2.20.0</h2>
<p>(<a
href="https://github.com/jupyter-server/jupyter_server/compare/v2.19.0...333e700119ee0bcc0b5fcd4c158213d7c275c778">Full
Changelog</a>)</p>
<h3>Enhancements made</h3>
<ul>
<li>Fix confusing terminal output when using ServerApp.ip=0.0.0.0 <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1643">#1643</a>
(<a href="https://github.com/Yann-P"><code>@​Yann-P</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Add a toggle to enable curve encryption for all kernels that support
it <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1638">#1638</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/ianthomas23"><code>@​ianthomas23</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
</ul>
<h3>Bugs fixed</h3>
<ul>
<li>Grab the port from <code>bind_sockets</code> in case its different
<a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1651">#1651</a>
(<a href="https://github.com/choldgraf"><code>@​choldgraf</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
</ul>
<h3>Maintenance and upkeep improvements</h3>
<ul>
<li>Fix <code>test_authorizer</code> having a spurious comma in params
<a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1664">#1664</a>
(<a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Add a reminder to merge GHSA before release <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1659">#1659</a>
(<a href="https://github.com/Yann-P"><code>@​Yann-P</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Exclude problematic <code>pywinpty</code> 3.0.4 version <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1658">#1658</a>
(<a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>ci: explicitly pass base-setup inputs to fix strict validation
failures <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1626">#1626</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/Copilot"><code>@​Copilot</code></a>)</li>
</ul>
<h3>Documentation improvements</h3>
<ul>
<li>Align docs for curve encryption with latest JEP version <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1660">#1660</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Remove PGP key from docs <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1653">#1653</a>
(<a href="https://github.com/Yann-P"><code>@​Yann-P</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
</ul>
<h3>Contributors to this release</h3>
<p>The following people contributed discussions, new ideas, code and
documentation contributions, and review.
See <a
href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our
definition of contributors</a>.</p>
<p>(<a
href="https://github.com/jupyter-server/jupyter_server/graphs/contributors?from=2026-05-29&amp;to=2026-06-17&amp;type=c">GitHub
contributors page for this release</a>)</p>
<p><a href="https://github.com/Carreau"><code>@​Carreau</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3ACarreau+updated%3A2026-05-29..2026-06-17&amp;type=Issues">activity</a>)
| <a href="https://github.com/choldgraf"><code>@​choldgraf</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Acholdgraf+updated%3A2026-05-29..2026-06-17&amp;type=Issues">activity</a>)
| <a href="https://github.com/Copilot"><code>@​Copilot</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3ACopilot+updated%3A2026-05-29..2026-06-17&amp;type=Issues">activity</a>)
| <a
href="https://github.com/ianthomas23"><code>@​ianthomas23</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Aianthomas23+updated%3A2026-05-29..2026-06-17&amp;type=Issues">activity</a>)
| <a href="https://github.com/krassowski"><code>@​krassowski</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Akrassowski+updated%3A2026-05-29..2026-06-17&amp;type=Issues">activity</a>)
| <a href="https://github.com/minrk"><code>@​minrk</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Aminrk+updated%3A2026-05-29..2026-06-17&amp;type=Issues">activity</a>)
| <a href="https://github.com/Yann-P"><code>@​Yann-P</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3AYann-P+updated%3A2026-05-29..2026-06-17&amp;type=Issues">activity</a>)</p>
<!-- raw HTML omitted -->
<h2>2.19.0</h2>
<p>(<a
href="https://github.com/jupyter-server/jupyter_server/compare/v2.18.2...664e2255c71efe963f397b9f803dbcf503b5a920">Full
Changelog</a>)</p>
<h3>Enhancements made</h3>
<ul>
<li>Return <code>unresolved</code> stanza when kernel scope is
unavailable for <code>resolvePath</code> (instead of failing with 404)
<a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1641">#1641</a>
(<a href="https://github.com/MUFFANUJ"><code>@​MUFFANUJ</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
</ul>
<h3>Bugs fixed</h3>
<ul>
<li>Recreate notary store on failure to prevent save deadlock and data
loss <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1640">#1640</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
</ul>
<h3>Maintenance and upkeep improvements</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="05a78ad879"><code>05a78ad</code></a>
Publish 2.20.0</li>
<li><a
href="6cbee8d65e"><code>6cbee8d</code></a>
Merge commit from fork</li>
<li><a
href="333e700119"><code>333e700</code></a>
Fix <code>test_authorizer</code> having a spurious comma in params (<a
href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1664">#1664</a>)</li>
<li><a
href="cccd543352"><code>cccd543</code></a>
Fix CI: explicitly pass base-setup inputs to avoid strict validation
failures</li>
<li><a
href="cd16d715df"><code>cd16d71</code></a>
Align docs for curve encryption with latest JEP version (<a
href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1660">#1660</a>)</li>
<li><a
href="e458061e6e"><code>e458061</code></a>
Add a toggle to enable curve encryption for all kernels that support it
(<a
href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1638">#1638</a>)</li>
<li><a
href="0ceeb4fb61"><code>0ceeb4f</code></a>
Add note in RELEASE.md</li>
<li><a
href="b13f8a241b"><code>b13f8a2</code></a>
Markdown does not work.</li>
<li><a
href="e885b10a26"><code>e885b10</code></a>
Add GHSA reminder in prep-release</li>
<li><a
href="0e28c901e8"><code>0e28c90</code></a>
Exclude problematic <code>pywinpty</code> 3.0.4 version (<a
href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1658">#1658</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/jupyter-server/jupyter_server/compare/v2.18.0...v2.20.0">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-18 15:24:38 -04:00
Christophe Bornet
9ac8882a2c refactor(langchain-classic): remove code for Python < 3.10 (#38194) 2026-06-18 13:15:32 -04:00
dependabot[bot]
5f0abc1152 chore: bump pyjwt from 2.12.1 to 2.13.0 in /libs/langchain (#38169)
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.12.1 to 2.13.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jpadilla/pyjwt/releases">pyjwt's
releases</a>.</em></p>
<blockquote>
<h2>2.13.0</h2>
<h1>PyJWT 2.13.0 — Security Release</h1>
<p>This release bundles five security fixes plus three additional
hardening / spec-compliance changes. We recommend all users upgrade.</p>
<h2>Security</h2>
<ul>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx"><code>GHSA-xgmm-8j9v-c9wx</code></a>
— JWK JSON accepted as HMAC secret (algorithm confusion).</strong>
<code>HMACAlgorithm.prepare_key</code> previously rejected PEM- and
SSH-formatted asymmetric keys but did not catch a JWK passed as a raw
JSON string. In a verifier configured with both symmetric and asymmetric
algorithms in <code>algorithms=[…]</code> and a raw-JSON JWK as the key,
an attacker could forge HS256 tokens using the JWK text as the HMAC
secret. The guard has been extended to reject any JWK-shaped JSON.
<em>Reported by <a
href="https://github.com/aradona91"><code>@​aradona91</code></a>.</em></p>
</li>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f"><code>GHSA-jq35-7prp-9v3f</code></a>
— Algorithm allow-list bypass with <code>PyJWK</code> /
<code>PyJWKClient</code>.</strong> When verifying with a
<code>PyJWK</code>, the caller's <code>algorithms=[…]</code> allow-list
was checked against the token header <code>alg</code> as a string only;
actual verification used the algorithm bound to the <code>PyJWK</code>.
An attacker who controlled a registered JWKS key could sign with one
algorithm and advertise another on the header. PyJWT now requires the
token header <code>alg</code> to match the <code>PyJWK</code>'s
algorithm before verification. <em>Reported by <a
href="https://github.com/sushi-gif"><code>@​sushi-gif</code></a>.</em></p>
</li>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39"><code>GHSA-w7vc-732c-9m39</code></a>
— DoS via base64 decode of unused payload segment when
<code>b64=false</code>.</strong> For detached-payload JWS
(<code>b64=false</code>), the compact-form payload segment was
base64-decoded before being discarded in favor of the caller-supplied
<code>detached_payload</code>. An attacker could inflate the unused
segment to force CPU + memory cost without holding a valid signature.
The segment is now required to be empty per RFC 7515 Appendix F, and is
no longer decoded. <em>Reported by <a
href="https://github.com/thesmartshadow"><code>@​thesmartshadow</code></a>.</em></p>
</li>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4"><code>GHSA-993g-76c3-p5m4</code></a>
— <code>PyJWKClient</code> accepts non-HTTP(S) URIs.</strong>
<code>PyJWKClient.fetch_data</code> passed its URI to
<code>urllib.request.urlopen</code>, which by default also handles
<code>file://</code>, <code>ftp://</code>, and <code>data:</code>
schemes. An application that fed an attacker-influenced URI into
<code>PyJWKClient</code> could be coerced into reading local files or
reaching other unintended schemes. <code>PyJWKClient</code> now rejects
any URI whose scheme isn't <code>http</code> or <code>https</code>.
<em>Reported by <a
href="https://github.com/KEIJOT"><code>@​KEIJOT</code></a>.</em></p>
</li>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8"><code>GHSA-fhv5-28vv-h8m8</code></a>
— <code>PyJWKClient</code> cache wiped on fetch error.</strong> A
<code>finally</code>-block <code>put(jwk_set=None)</code> cleared the
JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint
outage into application-wide auth failure. The cache write was moved
into the success path; transient errors no longer evict valid cached
keys. <em>Reported by <a
href="https://github.com/eddieran"><code>@​eddieran</code></a>.</em></p>
</li>
</ul>
<h2>Fixed</h2>
<ul>
<li>Reject empty HMAC keys outright in
<code>HMACAlgorithm.prepare_key</code> with <code>InvalidKeyError</code>
instead of accepting them with only a warning. Defends against the
<code>os.getenv(&quot;JWT_SECRET&quot;, &quot;&quot;)</code> footgun.
<em>Thanks to <a
href="https://github.com/SnailSploit"><code>@​SnailSploit</code></a> and
<a href="https://github.com/spartan8806"><code>@​spartan8806</code></a>
for the reports.</em></li>
<li>Forward per-call <code>options</code> (including
<code>enforce_minimum_key_length</code>) from <code>PyJWT.decode</code>
through to <code>PyJWS._verify_signature</code>. The option was
previously silently dropped between the two layers, so it only took
effect when set on the <code>PyJWT</code> instance. <em>Thanks to <a
href="https://github.com/WLUB"><code>@​WLUB</code></a> for the
report.</em></li>
<li><strong>RFC 7797 §3 compliance for <code>b64=false</code>:</strong>
the encoder now auto-adds <code>&quot;b64&quot;</code> to
<code>crit</code>, and the decoder rejects tokens that set
<code>b64=false</code> without listing it in <code>crit</code>.
<em>Thanks to <a
href="https://github.com/MachineLearning-Nerd"><code>@​MachineLearning-Nerd</code></a>
for the report.</em></li>
</ul>
<h2>Changed</h2>
<ul>
<li>Migrate the <code>dev</code>, <code>docs</code>, and
<code>tests</code> package extras to dependency groups, by <a
href="https://github.com/kurtmckee"><code>@​kurtmckee</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1152">#1152</a>.</li>
</ul>
<h2>Upgrade notes</h2>
<p>Most fixes are invisible to correctly-configured callers. A few
behavioral changes you may encounter:</p>
<ul>
<li><strong>Empty HMAC keys now raise.</strong> If your app passed
<code>&quot;&quot;</code> or <code>b&quot;&quot;</code> as a secret
(often via a missing env var, e.g.
<code>os.getenv(&quot;JWT_SECRET&quot;, &quot;&quot;)</code>),
<code>encode</code>/<code>decode</code> will now raise
<code>InvalidKeyError</code>. This is the intended behavior — fix the
configuration.</li>
<li><strong><code>PyJWK</code> decoding now requires the token's
<code>alg</code> to match the JWK's algorithm.</strong> Previously a
mismatch was silently honored if the header <code>alg</code> appeared in
the allow-list. Tokens that relied on this mismatch will now fail with
<code>InvalidAlgorithmError</code>.</li>
<li><strong><code>PyJWKClient</code> now rejects non-HTTP(S) URIs at
construction time.</strong> Tests or dev environments that fetched JWKS
from <code>file://</code> URIs need to switch to a local HTTP server or
load the JWKS by other means (e.g. construct
<code>PyJWKSet.from_dict(...)</code> directly).</li>
<li><strong><code>b64=false</code> tokens are now strictly RFC 7515 /
7797 compliant.</strong> Tokens with a non-empty compact-form payload
segment, or that omit <code>&quot;b64&quot;</code> from
<code>crit</code>, will be rejected. PyJWT-produced tokens always
satisfy both invariants, so round-trips through PyJWT are
unaffected.</li>
<li><strong><code>enforce_minimum_key_length</code> set per-call now
takes effect.</strong> Callers who passed
<code>options={&quot;enforce_minimum_key_length&quot;: True}</code> to
<code>jwt.decode()</code> previously got no enforcement; they will now
get <code>InvalidKeyError</code> on undersized keys, as documented.</li>
</ul>
<p><strong>Full changelog:</strong> <a
href="https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0">https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst">pyjwt's
changelog</a>.</em></p>
<blockquote>
<h2><code>v2.13.0
&lt;https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0&gt;</code>__</h2>
<p>Security</p>
<pre><code>
- Reject JWK JSON documents passed as raw HMAC secrets in
  ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that
  the existing PEM/SSH guard did not cover. Reported by @aradona91 in
  `GHSA-xgmm-8j9v-c9wx
  &lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx&gt;`__.
- Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during
  verification so the caller's ``algorithms=[...]`` allow-list cannot be
  bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported
  by @sushi-gif in `GHSA-jq35-7prp-9v3f
  &lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f&gt;`__.
- Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so
  attacker-influenced URIs cannot read local files or reach unintended
  schemes via urllib's default ``file://`` / ``ftp://`` / ``data:``
  handlers. Reported by @KEIJOT in `GHSA-993g-76c3-p5m4
  &lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4&gt;`__.
- Preserve the cached JWK Set on fetch errors in
  ``PyJWKClient.fetch_data``. The previous ``finally``-block ``put(None)``
  pattern cleared the cache on any transient outage, turning one bad JWKS
  request into application-wide auth failure. Reported by @eddieran in
  `GHSA-fhv5-28vv-h8m8
  &lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8&gt;`__.
- Skip the unconditional base64 decode of the compact-form payload
  segment when ``b64=false`` is set in the protected header, and require
  that segment to be empty (RFC 7515 Appendix F detached form). Closes an
  unauthenticated DoS amplifier. Reported by @thesmartshadow in
  `GHSA-w7vc-732c-9m39
  &lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39&gt;`__.
</code></pre>
<p>Fixed</p>
<pre><code>
- Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with
  ``InvalidKeyError`` instead of accepting them with only a warning.
  Thanks to @SnailSploit and @spartan8806 for independently flagging the
  footgun.
- Forward per-call ``options`` (including ``enforce_minimum_key_length``)
  from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the
  option actually takes effect when set at the call site rather than only
  on the ``PyJWT`` instance. Thanks to @WLUB for the report.
- RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds
  ``&quot;b64&quot;`` to the ``crit`` header parameter, and the decoder
  rejects tokens that set ``b64=false`` without listing it in ``crit``.
  Thanks to @MachineLearning-Nerd for the report.
</code></pre>
<p>Changed</p>
<ul>
<li>Migrate the <code>dev</code>, <code>docs</code>, and
<code>tests</code> package extras to dependency groups by <a
href="https://github.com/kurtmckee"><code>@​kurtmckee</code></a> in
<a href="https://github.com/jpadilla/pyjwt/pull/1152">#1152</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7144e4534c"><code>7144e45</code></a>
Apply ruff format</li>
<li><a
href="d2f4bec496"><code>d2f4bec</code></a>
Restore <code>cast()</code> calls with cross-version <code>type:
ignore</code> for <code>prepare_key</code></li>
<li><a
href="22f478cebd"><code>22f478c</code></a>
Remove redundant casts in <code>RSAAlgorithm.prepare_key</code> and
`ECAlgorithm.prepare...</li>
<li><a
href="95791b1759"><code>95791b1</code></a>
Bundle security fixes and hardening into 2.13.0</li>
<li><a
href="dcc27a9d31"><code>dcc27a9</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1155">#1155</a>)</li>
<li><a
href="9d08a9a189"><code>9d08a9a</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1146">#1146</a>)</li>
<li><a
href="b87c10014d"><code>b87c100</code></a>
Bump codecov/codecov-action from 5 to 6 (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1154">#1154</a>)</li>
<li><a
href="40e3147eb5"><code>40e3147</code></a>
Migrate development extras to dependency groups (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1152">#1152</a>)</li>
<li>See full diff in <a
href="https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-15 14:53:11 -04:00
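A pre-upgrade audit for the caller-visible changes listed in the pyjwt 2.13.0 notes above (non-`http(s)` JWKS URIs, the `b64=false` token shape, and empty or JWK-shaped HMAC secrets), added here as an example; it is not PyJWT's code and does not import PyJWT. The function names, the `kty` heuristic for recognising a JWK document and all sample inputs are assumptions made for illustration.

```python
"""Audit configuration and tokens against the pyjwt 2.13.0 behaviour changes.

Standard library only. The checks approximate the rules described in the
release notes; they are not PyJWT's implementation.
"""
import base64
import json
from urllib.parse import urlsplit


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_jwks_uri(uri: str) -> list[str]:
    """Flag JWKS URIs whose scheme is not http or https (e.g. file://)."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ("http", "https"):
        return [f"JWKS URI scheme {scheme or '(none)'!r} is not http(s)"]
    return []


def check_hmac_secret(secret) -> list[str]:
    """Flag HMAC secrets that are empty or that parse as a JWK JSON document."""
    raw = secret.encode() if isinstance(secret, str) else bytes(secret)
    if not raw:
        return ["HMAC secret is empty"]
    try:
        doc = json.loads(raw)
    except ValueError:  # not JSON at all: an ordinary opaque secret
        return []
    # Assumption: a JSON object that carries "kty" is treated as a JWK.
    if isinstance(doc, dict) and "kty" in doc:
        return [f"HMAC secret is a JWK JSON document (kty={doc['kty']!r})"]
    return []


def check_unencoded_payload_token(token: str) -> list[str]:
    """Check a compact JWS that sets b64=false against the two stated rules."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-segment compact JWS"]
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:
        return ["protected header is not base64url-encoded JSON"]
    if not isinstance(header, dict) or header.get("b64", True) is not False:
        return []  # ordinary base64url payload: the b64=false rules do not apply
    findings = []
    crit = header.get("crit")
    if not isinstance(crit, list) or "b64" not in crit:
        findings.append('"b64" is not listed in the crit header parameter')
    if parts[1] != "":
        findings.append("payload segment is not empty (detached form required)")
    return findings


def make_sample_token(header: dict, payload_segment: str) -> str:
    """Build a sample compact token; the signature segment is a dummy value."""
    encoded = base64.urlsafe_b64encode(json.dumps(header).encode())
    return f"{encoded.rstrip(b'=').decode()}.{payload_segment}.c2ln"


# Constructed sample inputs, not taken from any real deployment.
SAMPLE_URIS = [
    "https://idp.example/.well-known/jwks.json",
    "file:///srv/app/jwks.json",
]
SAMPLE_SECRETS = [
    b"0123456789abcdef0123456789abcdef",
    b"",
    '{"kty":"oct","k":"c2VjcmV0"}',
]
SAMPLE_TOKENS = [
    make_sample_token({"alg": "HS256", "b64": False, "crit": ["b64"]}, ""),
    make_sample_token({"alg": "HS256", "b64": False}, ""),
    make_sample_token({"alg": "HS256", "b64": False, "crit": ["b64"]}, "cGF5bG9hZA"),
    make_sample_token({"alg": "HS256"}, "eyJzdWIiOiJhIn0"),
]


def audit(jwks_uris, hmac_secrets, tokens) -> dict[str, list[str]]:
    """Run every check and return only the inputs that produced findings."""
    report = {}
    for uri in jwks_uris:
        report[f"jwks_uri {uri}"] = check_jwks_uri(uri)
    for index, secret in enumerate(hmac_secrets):
        report[f"hmac_secret #{index}"] = check_hmac_secret(secret)
    for index, token in enumerate(tokens):
        report[f"token #{index}"] = check_unencoded_payload_token(token)
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, found in audit(SAMPLE_URIS, SAMPLE_SECRETS, SAMPLE_TOKENS).items():
        for finding in found:
            print(f"{name}: {finding}")
```

Secrets are reported by index only, so the audit output can be kept in CI logs without exposing key material.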
Mason Daugherty
879cad0676 release(openai): 1.3.2 (#38130) 2026-06-13 01:34:56 -04:00
Mason Daugherty
9e6f58ba46 hotfix(openai): switch version (#38123) 2026-06-12 22:21:34 -04:00
Mason Daugherty
8180a09dd7 release(openai): 1.4.0 (#38120) 2026-06-12 21:52:20 -04:00
Mason Daugherty
63cc1f4e7d docs: refresh README installation and resources (#38119)
README installation examples now use `uv add` consistently, matching the
repo's `uv`-based Python workflow. The top-level README also gets a
cleaner quickstart and resource section with current links for docs,
community, learning, and contribution guidance.

## Changes
- Replaced `pip install` snippets with `uv add` across package quick
install docs, including the Hugging Face extras and
`sentence-transformers` upgrade examples.
- Updated the top-level quickstart to show only `uv add langchain` and
refreshed the example model to `openai:gpt-5.5`.
- Pointed the LangGraph orchestration link at the LangGraph GitHub
repository.
- Consolidated top-level documentation and additional-resource links
under a single `Resources` section covering docs, ecosystem overview,
API reference, discussions, Academy, contributing, and the Code of
Conduct.
- Added LangChain Academy and Code of Conduct links to package README
resource sections.
2026-06-12 17:38:22 -04:00
dependabot[bot]
2be6ae1808 chore: bump tornado from 6.5.5 to 6.5.6 in /libs/langchain (#38114)
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.5 to
6.5.6.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="aba2569f7e"><code>aba2569</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3626">#3626</a>
from bdarnell/fixes-656</li>
<li><a
href="a24b260e0d"><code>a24b260</code></a>
httpclient_test: Accept an additional error message variant</li>
<li><a
href="a74240a702"><code>a74240a</code></a>
Release notes and version bump for 6.5.6.</li>
<li><a
href="e8fc7edb23"><code>e8fc7ed</code></a>
simple_httpclient: Strip auth headers on cross-origin redirects</li>
<li><a
href="96dc88c2a0"><code>96dc88c</code></a>
speedups: validate mask length</li>
<li><a
href="ff808b33ad"><code>ff808b3</code></a>
http1connection: Enforce max_body_size in _GzipMessageDelegate</li>
<li><a
href="ede4e37f93"><code>ede4e37</code></a>
auth: Correctly parse check_authentication response</li>
<li><a
href="1c178bef88"><code>1c178be</code></a>
Remove obsolete curl force_timeout workaround</li>
<li><a
href="c99d55bb6c"><code>c99d55b</code></a>
Replace deprecated pycurl IOCTLFUNCTION callback with SEEKFUNCTION</li>
<li><a
href="27614316ef"><code>2761431</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3587">#3587</a>
from bdarnell/fix-link</li>
<li>Additional commits viewable in <a
href="https://github.com/tornadoweb/tornado/compare/v6.5.5...v6.5.6">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-12 15:04:11 -04:00
Mason Daugherty
4108c0738c release(core): 1.4.7 (#38111)
Bumps `langchain-core` to `1.4.7` for the next patch release and updates
downstream minimum `langchain-core` requirements so package locks
resolve against the new core version.

This also refreshes the runnable snapshots that embed `lc_versions`
metadata so the version consistency check continues to validate
checked-in artifacts.

Validated with `python libs/core/scripts/check_version.py`, `uv lock
--check` across package lockfiles, and the core runnable tests that own
the updated snapshots with local LangSmith tracing env disabled.
2026-06-12 14:54:25 -04:00
Christophe Bornet
0392b6bae4 fix(core): fix Pydantic v1 support in tools/runnable (#33698)
`BaseTool.args_schema` is documented as accepting a Pydantic v1 model,
but several code paths assumed v2 and raised when handed a v1 schema
(e.g. an `AttributeError` from calling
`model_json_schema()`/`model_fields` on a v1 model). This affected
anyone using a v1 `args_schema`, and anyone composing runnables whose
input/output schema is a v1 model.

This PR makes the tool/runnable schema-derivation code version-agnostic.

## Type contract

`TypeBaseModel` (and `PydanticBaseModel`) now include
`pydantic.v1.BaseModel`, so the type honestly reflects what tools and
runnables already accept at runtime. The public schema accessors
(`Runnable.get_input_schema`/`get_output_schema` and the
`input_schema`/`output_schema` properties) return `TypeBaseModel`.

## Version-agnostic helpers

Added to `langchain_core.utils.pydantic`, each dispatching on the
model's Pydantic version so callers don't have to:

- `model_json_schema(model)` — JSON schema for either version.
- `model_validate(model, obj)` — validation for either version.
- `get_fields(model)` — field map for either version (existing helper,
now used consistently).

Internally, direct `.model_json_schema()` / `.model_fields` calls are
replaced with these helpers (or with `get_input_jsonschema()` /
`get_output_jsonschema()`).

## Behavior change worth a close look

When deriving a schema from a v1 model (in `RunnableParallel`,
`RunnableAssign`, and `RunnableSequence` output schemas), a **required**
v1 field is now correctly carried over as required. Previously the v1
path read the field's `default` — which is `None` for a required v1
field — and silently turned required fields into optional/nullable ones;
`default_factory` fields were dropped entirely. The new
`_get_schema_field_definition` helper translates a v1 `ModelField`
faithfully (required → `...`, factory preserved) and dispatches
explicitly on the field type.

---------

Co-authored-by: Mason Daugherty <mason@langchain.dev>
Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-06-12 00:18:49 -04:00
Mason Daugherty
f6d63bc9f3 release(langchain): 1.3.8 (#38096) 2026-06-12 00:17:58 -04:00
Mason Daugherty
05cc55f1bc release(core): 1.4.6 (#38061) 2026-06-11 02:58:40 -04:00
Christophe Bornet
1de100f278 chore(infra): bump mypy to 2.1 and unify type-check config across the monorepo (#36470)
Originally a narrow bump of mypy to `1.20` in four packages. Expanded to
get the whole monorepo onto a single, current mypy and a consistent
type-check configuration, so contributors no longer hit different mypy
versions and divergent behavior depending on which package they touch.

### What changed

- **Unified the mypy pin to `>=2.1.0,<2.2.0`** in every mypy-using
package (6 libs + 14 partners), replacing the previously scattered pins
(`1.10`/`1.17`/`1.18`/`1.19`/`1.20`, with assorted upper bounds).
- **Unified the `[tool.mypy]` base per tier:**
  - libs: `plugins = ["pydantic.mypy"]`, `strict = true`,
    `enable_error_code = "deprecated"`, `warn_unreachable = true`
  - partners: `disallow_untyped_defs = true`
- Normalized style (`disallow_untyped_defs = "True"` string → bool,
quote/key consistency).
- **Fixed the 20 real errors** mypy 2.1 surfaces: `redundant-cast` from
improved narrowing (`core`, `langchain-classic`), a `var-annotated` for
`_LOGGED`, a return-type widening in `langchain-groq`'s
`_convert_from_v1_to_groq` (it can legitimately return a bare `str`),
and stale `type-arg`/`unused-ignore` in `langchain-model-profiles`
tests.

### Deliberate non-uniformity (documented inline in the relevant `pyproject.toml`s)

Going fully byte-identical would surface ~196 additional errors that are
*not* real bugs, so two settings are kept package-appropriate:

- **`warn_unreachable`** is enabled on every strict lib **except
`core`**, where it false-flags intentional defensive code — including
the SSRF / IP-policy guards in `_security/` — as unreachable.
- **`pydantic.mypy` plugin** is used only on `anthropic` and
`perplexity` (their code is authored against it and reports ~99/~132
errors without it). It is *not* added to the other partners, where it
only flags the public alias constructor API (e.g. `ChatGroq(model=...)`)
in tests rather than finding bugs.
- **`ollama`** is left on its `ty` type checker; it does not use mypy.

---------

Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-06-11 00:24:59 -04:00
Mason Daugherty
d74e537dac fix(langchain-classic): align arank_fusion string normalization with rank_fusion in EnsembleRetriever (#38051)
Closes #37736

---

`EnsembleRetriever` normalizes retriever outputs to `Document` objects
in both `rank_fusion` (sync) and `arank_fusion` (async), but the two
methods used different conditions:

- `rank_fusion` wraps only bare strings: `isinstance(doc, str)`
- `arank_fusion` wrapped anything that isn't a `Document`: `not
isinstance(doc, Document)`

If a retriever returns a non-string, non-`Document` value through the
async path, `arank_fusion` would try to construct
`Document(page_content=<non-string>)` and Pydantic raises a
`ValidationError`. The sync path handles the same input without crashing
— the behavior is inconsistent.

The fix is a one-line change in `arank_fusion` to use `isinstance(doc,
str)`, matching the sync path exactly.

Three tests were added to `test_ensemble.py`:

- `test_rank_fusion_bare_strings` — sync path wraps bare strings into
Documents
- `test_arank_fusion_bare_strings` — async path wraps bare strings into
Documents
- `test_arank_fusion_matches_rank_fusion` — sync and async return
identical results for normal Document input

---

This continues the work from #37737 by @AliMuhammadAslam (credited as
co-author), rebased onto `master` with the type-check lint failure
resolved. Supersedes that PR.

Co-authored-by: AliMuhammadAslam <aaalimohdaslam@gmail.com>
2026-06-10 21:33:13 -04:00
Mason Daugherty
6b9e22dbbc fix(langchain): tighten structured output model fallbacks (#38042)
Provider-native structured output fallback detection now uses bounded
model-name patterns instead of broad substring checks, reducing false
positives for unrelated model IDs. The model examples and test fixtures
across OpenAI/OpenRouter-facing code were refreshed around current
OpenAI model families while preserving shipped defaults.

## Changes
- Tightened `FALLBACK_MODELS_WITH_STRUCTURED_OUTPUT` from loose string
fragments to regex patterns, with `_supports_provider_strategy` matching
full model-name segments instead of arbitrary substrings.
- Expanded structured-output fallback coverage for newer OpenAI,
Anthropic, and xAI/Grok model families, including `gpt-5.x`, newer
Claude 4/5-style names, and `grok-build`.
- Reused `_attempt_infer_model_provider` in provider tool search routing
so `_provider_from_model_name` follows the same provider inference
behavior as `init_chat_model`.
- Suppressed irrelevant provider-inference deprecation warnings during
provider tool search registry lookup.
- Refreshed OpenAI, Azure OpenAI, OpenRouter, core metadata, and example
model references from older fixtures like `gpt-4`, `gpt-4o`, `o1`, and
`o4-mini` to current test/profile models such as `gpt-5.5`,
`gpt-5-nano`, and `gpt-4.1-mini`.
- Removed outdated OpenAI test assumptions around legacy `o1` behavior
and narrowed legacy structured-output checks to explicitly legacy model
names.
2026-06-10 21:18:14 -04:00
Mason Daugherty
1aa17046de release(langchain-classic): 1.0.8 (#38033) 2026-06-10 17:25:50 -04:00
Mason Daugherty
8ac91e3f5f hotfix(core): bump lockfile(s) (#38032) 2026-06-10 17:05:23 -04:00
Mason Daugherty
f89f4c5afe fix(core): support content block tokens in callbacks (#34739)
Supersedes #34727
Closes #30703

Related:
* langchain-ai/langchain-google#1460
* langchain-ai/langchain-google#1501

Fixing this at the `langchain-core` callback layer instead of
normalizing inside individual provider integrations, so structured
streaming content is preserved consistently.

---

Models are increasingly streaming structured content blocks instead of
plain text tokens. For example, Gemini 3 can stream text as
content-block lists, and Anthropic/tool-use flows can also produce
non-text message content. Today those values already reach
`on_llm_new_token`, but the callback API still advertises `token: str`,
which makes custom callbacks, tracers, and streaming helpers assume
every streamed value is text.

User story: as a LangChain user building a streaming callback for chat
models with tool calls, reasoning/thinking blocks, or provider-specific
structured content, I need `on_llm_new_token` to accept the same content
shape that chat model chunks can actually emit, so my callback can
observe the stream without providers flattening or dropping non-text
data.

Fixing this in `langchain-core` makes the existing runtime behavior
explicit at the shared callback boundary. Normalizing content blocks
inside each provider would duplicate logic, produce inconsistent
behavior across integrations, and in some cases lose required provider
metadata such as Gemini thought signatures.

## Changes

- Update the callback contract so streamed tokens can be either plain
text or structured content blocks
- Carry structured streamed content through tracing and event/log
streaming paths without forcing provider data into text too early
- Keep built-in text-oriented streaming callbacks working by converting
structured tokens only at the display/queue boundary
- Drop the now-incorrect `cast("str", ...)` on streamed content in
`BaseChatModel` so the producer side matches the widened callback
signature instead of asserting a string it doesn't always have (no
runtime change — `cast` is erased)
- Align Anthropic and Mistral content typing with the structured content
shapes already used by chat model messages
- Update callback tests to reflect that not every streamed value is text

## Compatibility

No runtime behavior change: no producer emits anything it wasn't already
emitting, and widening a parameter type is safe for existing callers and
handlers that pass or receive `str`. The one caveat is downstream code
that subclasses a callback handler or tracer and overrides
`on_llm_new_token` with a `token: str` annotation — under strict type
checking that override is now narrower than the base and will be flagged
as incompatible with the supertype. Such code still runs unchanged; the
fix is to widen the annotation to match.
2026-06-10 16:59:08 -04:00
Christophe Bornet
720dfd3b09 chore(core): improve typing of Runnable __or__ (#34530)
`Runnable.__or__`, `Runnable.__ror__`, and their `RunnableSequence` and
`StructuredPrompt` overrides previously erased composition types: the
right-hand operand was typed `Runnable[Any, Other]`, so piping two
runnables together always produced `RunnableSerializable[Input, Any]`.
Type information was lost at every `|`, which is why chains so often
needed a `chain: Runnable = ...` annotation just to recover usable
inference.

This adds `@overload`s so the `Output` of one step flows into the
`Input` of the next and the composed result carries the real `Output`
type through. `Runnable[int, str] | Runnable[str, float]` now infers
`RunnableSerializable[int, float]` instead of `[int, Any]`.
`coerce_to_runnable` gains overloads so a `Mapping` resolves to
`RunnableParallel` while everything else stays a `Runnable`. As a
knock-on effect, dozens of now-unnecessary `: Runnable` annotations were
dropped from the test suite.

Runtime behavior is unchanged — this is a typing-only change.

## Impact on type-checked code

Most users will simply get better inference. Two changes can require a
small adjustment if you run a type checker (`mypy`, `pyright`):

### Stricter operand matching in `|`

The right-hand side of `|` is now typed `Runnable[Output, Other]` rather
than `Runnable[Any, Other]`, so the right operand's declared **input**
must match the left operand's **output**. This is more accurate, but it
surfaces a common pattern that was previously silent: piping a step that
outputs a plain `dict` into a step whose declared input is a more
specific type (for example a `TypedDict`). It still works at runtime;
the checker now reports an `[operator]` error.

If you hit this, narrow the boundary with a `cast` (or an explicit
annotation):

```python
from typing import Any, cast

from langchain_core.runnables import Runnable

# upstream outputs a dict; downstream declares a narrower input type
chain = cast("Runnable[Any, MyInput]", upstream) | downstream
```

### `list` → `Sequence` on `RunnableEach` / `map()`

`Runnable.map()` and the `invoke` / `ainvoke` methods of `RunnableEach`
now accept `Sequence[Input]` instead of `list[Input]`. Callers are
unaffected — a `list` is a `Sequence`, and tuples or other sequences now
type-check too. The only thing to adjust: if you **subclass**
`RunnableEach` (or `RunnableEachBase`) and override these methods with a
`list[...]` parameter, widen the annotation to `Sequence[...]` so the
override stays compatible with the base signature.

---------

Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-06-10 16:16:03 -04:00
Mason Daugherty
c0103c3d2c hotfix(openai): min core dep (#37990) 2026-06-09 16:32:08 -04:00
dependabot[bot]
2ef987bf7d chore: bump pyarrow from 21.0.0 to 23.0.1 in /libs/langchain (#37929)
Bumps [pyarrow](https://github.com/apache/arrow) from 21.0.0 to 23.0.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/apache/arrow/releases">pyarrow's
releases</a>.</em></p>
<blockquote>
<h2>Apache Arrow 23.0.1</h2>
<p>Release Notes URL: <a
href="https://arrow.apache.org/release/23.0.1.html">https://arrow.apache.org/release/23.0.1.html</a></p>
<h2>Apache Arrow 23.0.1 RC0</h2>
<p>Release Notes: Release Candidate: 23.0.1 RC0</p>
<h2>Apache Arrow 23.0.0</h2>
<p>Release Notes URL: <a
href="https://arrow.apache.org/release/23.0.0.html">https://arrow.apache.org/release/23.0.0.html</a></p>
<h2>Apache Arrow 23.0.0 RC2</h2>
<p>Release Notes: Release Candidate: 23.0.0 RC2</p>
<h2>Apache Arrow 22.0.0</h2>
<p>Release Notes URL: <a
href="https://arrow.apache.org/release/22.0.0.html">https://arrow.apache.org/release/22.0.0.html</a></p>
<h2>Apache Arrow 22.0.0 RC1</h2>
<p>Release Notes: Release Candidate: 22.0.0 RC1</p>
<h2>Apache Arrow 22.0.0 RC0</h2>
<p>Release Notes: Release Candidate: 22.0.0 RC0</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="82a374e5f3"><code>82a374e</code></a>
MINOR: [Release] Update versions for 23.0.1</li>
<li><a
href="c1ae37c4a5"><code>c1ae37c</code></a>
MINOR: [Release] Update .deb/.rpm changelogs for 23.0.1</li>
<li><a
href="8f6e55736f"><code>8f6e557</code></a>
MINOR: [Release] Update CHANGELOG.md for 23.0.1</li>
<li><a
href="4e16a1aeed"><code>4e16a1a</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49159">GH-49159</a>:
[C++][Gandiva] Detect overflow in repeat() (<a
href="https://redirect.github.com/apache/arrow/issues/49160">#49160</a>)</li>
<li><a
href="985621dbfc"><code>985621d</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/48817">GH-48817</a>
[R][C++] Bump C++20 in R build infrastructure (<a
href="https://redirect.github.com/apache/arrow/issues/48819">#48819</a>)</li>
<li><a
href="1bea06ad4e"><code>1bea06a</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49024">GH-49024</a>:
[CI] Update Debian version in <code>.env</code> (<a
href="https://redirect.github.com/apache/arrow/issues/49032">#49032</a>)</li>
<li><a
href="147bcd6d8f"><code>147bcd6</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49156">GH-49156</a>:
[Python] Require GIL for string comparison (<a
href="https://redirect.github.com/apache/arrow/issues/49161">#49161</a>)</li>
<li><a
href="e4f922b162"><code>e4f922b</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49138">GH-49138</a>:
[Packaging][Python] Remove nightly cython install from manylinux
wh...</li>
<li><a
href="f9376e4721"><code>f9376e4</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49003">GH-49003</a>:
[C++] Don't consider <code>out_of_range</code> an error in float parsing
(<a
href="https://redirect.github.com/apache/arrow/issues/49095">#49095</a>)</li>
<li><a
href="ab2c0ad6b2"><code>ab2c0ad</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49044">GH-49044</a>:
[CI][Python] Fix test_download_tzdata_on_windows by adding
required...</li>
<li>Additional commits viewable in <a
href="https://github.com/apache/arrow/compare/apache-arrow-21.0.0...apache-arrow-23.0.1">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-07 13:14:58 -07:00
dependabot[bot]
6f7c8f5445 chore: bump starlette from 0.49.1 to 1.0.1 in /libs/langchain (#37899)
Bumps [starlette](https://github.com/Kludex/starlette) from 0.49.1 to
1.0.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/Kludex/starlette/releases">starlette's
releases</a>.</em></p>
<blockquote>
<h2>Version 1.0.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Ignore malformed <code>Host</code> header when constructing
<code>request.url</code> by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3279">Kludex/starlette#3279</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/starlette/compare/1.0.0...1.0.1">https://github.com/Kludex/starlette/compare/1.0.0...1.0.1</a></p>
<h2>Version 1.0.0</h2>
<p>Starlette 1.0 is here! 🎉</p>
<p>After nearly eight years since its creation, Starlette has reached
its first stable release.</p>
<p>A special thank you to <a
href="https://github.com/lovelydinosaur"><code>@​lovelydinosaur</code></a>,
the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped
to lay the foundation for the modern async Python ecosystem. 🙏</p>
<p>Thank you to <a
href="https://github.com/adriangb"><code>@​adriangb</code></a>, <a
href="https://github.com/graingert"><code>@​graingert</code></a>, <a
href="https://github.com/agronholm"><code>@​agronholm</code></a>, <a
href="https://github.com/florimondmanca"><code>@​florimondmanca</code></a>,
<a href="https://github.com/aminalaee"><code>@​aminalaee</code></a>, <a
href="https://github.com/tiangolo"><code>@​tiangolo</code></a>, <a
href="https://github.com/alex-oleshkevich"><code>@​alex-oleshkevich</code></a>,
<a href="https://github.com/abersheeran"><code>@​abersheeran</code></a>,
and <a href="https://github.com/uSpike"><code>@​uSpike</code></a> for
helping make Starlette what it is today. And to all my sponsors -
especially <a
href="https://github.com/tiangolo"><code>@​tiangolo</code></a>, <a
href="https://github.com/huggingface"><code>@​huggingface</code></a>,
and <a
href="https://github.com/elevenlabs"><code>@​elevenlabs</code></a> -
thank you for your support!</p>
<p>Thank you to all <a
href="https://github.com/encode/starlette/graphs/contributors">290+
contributors</a> who have shaped Starlette over the years! ❤️</p>
<p>Read more on the <a
href="https://marcelotryle.com/blog/2026/03/22/starlette-10-is-here/">blog
post</a>.</p>
<p>Check out the full release notes at <a
href="https://www.starlette.io/release-notes/#100-march-22-2026">https://www.starlette.io/release-notes/#100-march-22-2026</a></p>
<hr />
<p><strong>Full Changelog</strong>: <a
href="https://github.com/encode/starlette/compare/1.0.0rc1...1.0.0">https://github.com/encode/starlette/compare/1.0.0rc1...1.0.0</a></p>
<h2>Version 1.0.0rc1</h2>
<p>We're ready! 🚀</p>
<p>The first release candidate for Starlette 1.0 is here! After years on
ZeroVer, we're finally making the jump.</p>
<p>This release removes all deprecated features marked for 1.0.0, along
with some last-minute bug fixes.</p>
<p>A special thank you to <a
href="https://github.com/lovelydinosaur"><code>@​lovelydinosaur</code></a>,
the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped
to lay the foundation for the modern async Python ecosystem. 🙏</p>
<p>Thank you to <a
href="https://github.com/adriangb"><code>@​adriangb</code></a>, <a
href="https://github.com/graingert"><code>@​graingert</code></a>, <a
href="https://github.com/agronholm"><code>@​agronholm</code></a>, <a
href="https://github.com/florimondmanca"><code>@​florimondmanca</code></a>,
<a href="https://github.com/aminalaee"><code>@​aminalaee</code></a>, <a
href="https://github.com/tiangolo"><code>@​tiangolo</code></a>, <a
href="https://github.com/alex-oleshkevich"><code>@​alex-oleshkevich</code></a>,
and <a
href="https://github.com/abersheeran"><code>@​abersheeran</code></a> for
helping make Starlette what it is today. And to all my sponsors -
especially <a
href="https://github.com/tiangolo"><code>@​tiangolo</code></a>, <a
href="https://github.com/huggingface"><code>@​huggingface</code></a>,
and <a
href="https://github.com/elevenlabs"><code>@​elevenlabs</code></a> -
thank you for your support!</p>
<p>Thank you to all <a
href="https://github.com/encode/starlette/graphs/contributors">290+
contributors</a> who have shaped Starlette over the years!</p>
<p>Check out the full release notes at <a
href="https://www.starlette.io/release-notes/#100rc1-february-23-2026">https://www.starlette.io/release-notes/#100rc1-february-23-2026</a></p>
<hr />
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/starlette/compare/0.52.1...1.0.0rc1">https://github.com/Kludex/starlette/compare/0.52.1...1.0.0rc1</a></p>
<h2>Version 0.52.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Only use <code>typing_extensions</code> in older Python versions by
<a href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3109">Kludex/starlette#3109</a></li>
</ul>
<hr />
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/Kludex/starlette/blob/main/docs/release-notes.md">starlette's
changelog</a>.</em></p>
<blockquote>
<h2>1.0.1 (May 21, 2026)</h2>
<h4>Fixed</h4>
<ul>
<li>Ignore malformed <code>Host</code> header when constructing
<code>request.url</code> <a
href="https://redirect.github.com/encode/starlette/pull/3279">#3279</a>.</li>
</ul>
<h2>1.0.0 (March 22, 2026)</h2>
<p>Starlette 1.0 is here!</p>
<p>After nearly eight years since its creation, Starlette has reached
its first stable release.
Thank you to everyone who tested the release candidate and reported
issues.</p>
<p>You can read more on the <a
href="https://marcelotryle.com/blog/2026/03/22/starlette-10-is-here/">blog
post</a>.</p>
<h4>Added</h4>
<ul>
<li>Track session access and modification in
<code>SessionMiddleware</code> <a
href="https://redirect.github.com/encode/starlette/pull/3166">#3166</a>.</li>
</ul>
<h4>Fixed</h4>
<ul>
<li>Handle websocket denial responses in <code>StreamingResponse</code>
and <code>FileResponse</code> <a
href="https://redirect.github.com/encode/starlette/pull/3189">#3189</a>.</li>
<li>Use <code>bytearray</code> for field accumulation in
<code>FormParser</code> <a
href="https://redirect.github.com/encode/starlette/pull/3179">#3179</a>.</li>
<li>Move <code>parser.finalize()</code> inside try/except in
<code>MultiPartParser.parse()</code> <a
href="https://redirect.github.com/encode/starlette/pull/3153">#3153</a>.</li>
</ul>
<h2>1.0.0rc1 (February 23, 2026)</h2>
<p>We're ready! I'm thrilled to announce the first release candidate for
Starlette 1.0.</p>
<p>Starlette was created in June 2018 by Tom Christie, and has been on
ZeroVer for years. Today, it's downloaded
almost <a href="https://pypistats.org/packages/starlette">10 million
times a day</a>, serves as the foundation for FastAPI,
and has inspired many other frameworks. In the age of AI, Starlette
continues to play an important role as a
dependency of the Python MCP SDK.</p>
<p>This release focuses on removing deprecated features that were marked
for removal in 1.0.0, along with some
last minute bug fixes. It's a release candidate, so we can gather
feedback from the community before the final
1.0.0 release soon.</p>
<p>A huge thank you to all the contributors who have helped make
Starlette what it is today.
In particular, I'd like to recognize:</p>
<ul>
<li><a href="https://github.com/lovelydinosaur">Kim Christie</a> - The
original creator of Starlette, Uvicorn, and MkDocs, and the
current maintainer of HTTPX. Kim's work helped lay the foundation for
the modern async Python ecosystem.</li>
<li><a href="https://github.com/adriangb">Adrian Garcia Badaracco</a> -
One of the smartest people I know, whom I have the pleasure of working
with at Pydantic.</li>
<li><a href="https://github.com/graingert">Thomas Grainger</a> - My
async teacher, always ready to help with questions.</li>
<li><a href="https://github.com/agronholm">Alex Grönholm</a> - Another
async mentor, always prompt to help with questions.</li>
<li><a href="https://github.com/florimondmanca">Florimond Manca</a> -
Always present in the early days of both Starlette and Uvicorn, and
helped a lot in the ecosystem.</li>
<li><a href="https://github.com/aminalaee">Amin Alaee</a> - Contributed
a lot with file-related PRs.</li>
<li><a href="https://github.com/tiangolo">Sebastián Ramírez</a> -
Maintains FastAPI upstream, and always in contact to help with upstream
issues.</li>
<li><a href="https://github.com/alex-oleshkevich">Alex Oleshkevich</a> -
Helped a lot on templates and many discussions.</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="48f8e331b2"><code>48f8e33</code></a>
Version 1.0.1 (<a
href="https://redirect.github.com/Kludex/starlette/issues/3281">#3281</a>)</li>
<li><a
href="f078832be1"><code>f078832</code></a>
Remove Hugging Face sponsor block from docs (<a
href="https://redirect.github.com/Kludex/starlette/issues/3280">#3280</a>)</li>
<li><a
href="472951eba8"><code>472951e</code></a>
chore(deps): bump the github-actions group with 2 updates (<a
href="https://redirect.github.com/Kludex/starlette/issues/3277">#3277</a>)</li>
<li><a
href="764dab0dcf"><code>764dab0</code></a>
Ignore malformed <code>Host</code> header when constructing
<code>request.url</code> (<a
href="https://redirect.github.com/Kludex/starlette/issues/3279">#3279</a>)</li>
<li><a
href="19d08115ce"><code>19d0811</code></a>
Harden GitHub Actions workflows and Dependabot config (<a
href="https://redirect.github.com/Kludex/starlette/issues/3276">#3276</a>)</li>
<li><a
href="01f4637812"><code>01f4637</code></a>
chore(deps): bump idna from 3.10 to 3.15 (<a
href="https://redirect.github.com/Kludex/starlette/issues/3274">#3274</a>)</li>
<li><a
href="b8fa5140d2"><code>b8fa514</code></a>
docs: fix typos in TestClient docs and test_requests comment (<a
href="https://redirect.github.com/Kludex/starlette/issues/3266">#3266</a>)</li>
<li><a
href="e935b6b5d4"><code>e935b6b</code></a>
fix uvicorn domain (<a
href="https://redirect.github.com/Kludex/starlette/issues/3269">#3269</a>)</li>
<li><a
href="96af9521a7"><code>96af952</code></a>
Add 7-day cooldown for dependency resolution via uv exclude-newer (<a
href="https://redirect.github.com/Kludex/starlette/issues/3265">#3265</a>)</li>
<li><a
href="61e385bd6d"><code>61e385b</code></a>
Add zizmor GitHub Actions security analysis workflow (<a
href="https://redirect.github.com/Kludex/starlette/issues/3264">#3264</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/Kludex/starlette/compare/0.49.1...1.0.1">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-04 15:52:20 -04:00
Mason Daugherty
3b999176c8 test(langchain,partners): disable pytest-benchmark under xdist to silence PytestBenchmarkWarning (#37901)
Test targets run with `-n auto`, which makes `pytest-benchmark` (present
via `langchain-tests`) auto-disable itself and emit a
`PytestBenchmarkWarning` once per xdist worker. Passing
`--benchmark-disable` turns the plugin off explicitly so the warning
never fires, matching what `core` and `langchain_v1` already do.

## Changes
- Add `--benchmark-disable` to the `-n auto` test targets across
`langchain` (unit) and 14 partner packages' integration targets:
`anthropic`, `chroma`, `deepseek`, `exa`, `fireworks`, `groq`,
`huggingface`, `mistralai`, `nomic`, `ollama`, `openai`, `openrouter`,
`qdrant`, `xai`.
- Deliberately excluded `text-splitters` and `model-profiles`: their
`test` group doesn't install `pytest-benchmark`, so the flag would fail
with `unrecognized arguments`. Verified by importing the plugin under
each package's actual dependency group before editing.
2026-06-04 13:25:26 -04:00
dependabot[bot]
e9f4182988 chore: bump aiohttp from 3.13.4 to 3.14.0 in /libs/langchain (#37889)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-03 20:00:00 -07:00
Mason Daugherty
aef86c476d chore(infra): bump langchain-tests floor to 1.1.9 (#37610)
Bumps the `langchain-tests` minimum across the monorepo from `1.0.0` to
`1.1.9` and adds a partner-level `Makefile` so partner lockfiles can be
regenerated in one command, matching the existing convention under
`libs/`.
2026-05-21 13:36:22 -05:00
Mason Daugherty
ebc1880444 release(standard-tests): 1.1.9 (#37609) 2026-05-21 13:22:16 -05:00
dependabot[bot]
40329ae2a3 chore: bump idna from 3.10 to 3.15 in /libs/langchain (#37537)
Bumps [idna](https://github.com/kjd/idna) from 3.10 to 3.15.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/kjd/idna/blob/master/HISTORY.md">idna's
changelog</a>.</em></p>
<blockquote>
<h2>3.15 (2026-05-12)</h2>
<ul>
<li>Enforce DNS-length cap on individual labels early in
<code>check_label</code>,
short-circuiting contextual-rule processing for oversized input
while staying compatible with UTS 46 usage.</li>
<li>Tidy core helpers: hoist bidi category sets to module-level
frozensets (avoiding per-codepoint list construction), simplify
length checks, and reuse the shared <code>_unicode_dots_re</code> from
<code>idna.core</code> in the codec module.</li>
<li>Use <code>raise ... from err</code> for proper exception chaining
and
switch internal string formatting to f-strings.</li>
<li>Allow <code>flit_core</code> 4.x in the build backend.</li>
<li>Expand the ruff lint set (flake8-bugbear, flake8-simplify,
pyupgrade, perflint) and apply the surfaced fixes; pin lint CI
to Python 3.14.</li>
<li>Add Dependabot configuration for GitHub Actions.</li>
<li>Convert README and HISTORY from reStructuredText to Markdown.</li>
<li>Reference CVE-2026-45409 for the 3.14 advisory in place of the
initial GHSA identifier.</li>
</ul>
<p>Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for
contributions to this release.</p>
<h2>3.14 (2026-05-10)</h2>
<ul>
<li>Removed opportunity to process long inputs into quadratic
time by rejecting oversize inputs up-front. Closes a bypass
of the CVE-2024-3651 mitigation. [CVE-2026-45409]</li>
</ul>
<p>Thanks to Stan Ulbrych for reporting the issue.</p>
<h2>3.13 (2026-04-22)</h2>
<ul>
<li>Correct classification error for codepoint U+A7F1</li>
</ul>
<h2>3.12 (2026-04-21)</h2>
<ul>
<li>Update to Unicode 17.0.0.</li>
<li>Issue a deprecation warning for the transitional argument.</li>
<li>Added lazy-loading to provide some performance improvements.</li>
<li>Removed vestiges of code related to Python 2 support, including
segmentation of data structures specific to Jython.</li>
</ul>
<p>Thanks to Rodrigo Nogueira for contributions to this release.</p>
<h2>3.11 (2025-10-12)</h2>
<ul>
<li>Update to Unicode 16.0.0, including significant changes to UTS46
processing. As a result of Unicode ending support for it, transitional
processing no longer has an effect and returns the same result.</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="af30a092e1"><code>af30a09</code></a>
Release 3.15</li>
<li><a
href="30314d4628"><code>30314d4</code></a>
Pre-release 3.15rc0</li>
<li><a
href="05d4b219aa"><code>05d4b21</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/237">#237</a> from
kjd/convert-docs-to-markdown</li>
<li><a
href="2987fdba19"><code>2987fdb</code></a>
Convert README and HISTORY from reStructuredText to Markdown</li>
<li><a
href="59fa8002d5"><code>59fa800</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/236">#236</a> from
kjd/dependabot/github_actions/actions-f3e34333ea</li>
<li><a
href="def69834ce"><code>def6983</code></a>
Merge branch 'master' into
dependabot/github_actions/actions-f3e34333ea</li>
<li><a
href="bbd8004a79"><code>bbd8004</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/234">#234</a> from
StanFromIreland/patch-1</li>
<li><a
href="edd07c0502"><code>edd07c0</code></a>
Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions
group</li>
<li><a
href="5557db030c"><code>5557db0</code></a>
Merge branch 'master' into patch-1</li>
<li><a
href="f11746cf49"><code>f11746c</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/235">#235</a> from
StanFromIreland/patch-2</li>
<li>Additional commits viewable in <a
href="https://github.com/kjd/idna/compare/v3.10...v3.15">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-19 14:34:06 -05:00
Mason Daugherty
abd9d4ce31 ci(infra): harden Dependabot version-bound preservation (#37510)
Dependabot has been stripping upper/lower bounds from internal
`langchain-*` deps in partner `pyproject.toml` files (e.g. #37288
reduced `langchain-core>=1.3.2,<2.0.0` to bare `langchain-core`). Locks
down the config so bumps preserve existing specifiers, and restores the
bounds it already mangled across the monorepo.

## Changes
- Add `versioning-strategy: increase` to every `uv` ecosystem block in
`.github/dependabot.yml` so future bumps move the lower bound in place
instead of rewriting the constraint.
- Ignore workspace-internal packages (`langchain-core`, `langchain`,
`langchain-classic`, `langchain-text-splitters`, `langchain-tests`,
`langchain-model-profiles`) on every `uv` block — these are editable
installs from local paths and their published constraints are
hand-curated for release, not Dependabot's to bump.
- Restore stripped bounds across all `libs/` packages — runtime
`dependencies` and every dep group (`test`, `dev`, `test_integration`,
`typing`, `lint`) — to `>=1.4.0,<2.0.0` for `langchain-core` and
`>=1.0.0,<2.0.0` for the other internal packages.
2026-05-18 17:24:19 -05:00
Mason Daugherty
c7daed8c0f hotfix: bump lockfiles (#37508) 2026-05-18 16:18:26 -05:00
dependabot[bot]
14d21cd913 chore: bump langsmith from 0.7.31 to 0.8.0 in /libs/langchain (#37393)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from
0.7.31 to 0.8.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's
releases</a>.</em></p>
<blockquote>
<h2>v0.8.0</h2>
<h2>What's Changed</h2>
<ul>
<li>feat(js,py): JS 0.6.0, Py 0.8.0 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2831">langchain-ai/langsmith-sdk#2831</a></li>
<li>release(js): 0.6.0 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2832">langchain-ai/langsmith-sdk#2832</a></li>
<li>release(py): 0.8.0 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2833">langchain-ai/langsmith-sdk#2833</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0</a></p>
<h2>v0.7.38</h2>
<h2>What's Changed</h2>
<ul>
<li>feat(js): add tracing of opencode by <a
href="https://github.com/dqbd"><code>@​dqbd</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2776">langchain-ai/langsmith-sdk#2776</a></li>
<li>chore(js): Remove types/uuid by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2814">langchain-ai/langsmith-sdk#2814</a></li>
<li>docs(sandbox): document default idle TTL of 10 minutes by <a
href="https://github.com/DanielKneipp"><code>@​DanielKneipp</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2788">langchain-ai/langsmith-sdk#2788</a></li>
<li>ci(py): Bump pytest timeout to 2m by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2815">langchain-ai/langsmith-sdk#2815</a></li>
<li>chore(deps-dev): bump the js-minor-and-patch group across 1
directory with 4 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2803">langchain-ai/langsmith-sdk#2803</a></li>
<li>chore(deps): update sphinx-autobuild requirement from &gt;=2024 to
&gt;=2024.10.3 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2809">langchain-ai/langsmith-sdk#2809</a></li>
<li>chore(deps): update myst-nb requirement from &gt;=1.1.1 to
&gt;=1.4.0 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2810">langchain-ai/langsmith-sdk#2810</a></li>
<li>chore(deps-dev): bump types-pyyaml from 6.0.12.20250915 to
6.0.12.20260408 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2812">langchain-ai/langsmith-sdk#2812</a></li>
<li>chore(deps-dev): bump <code>@​langchain/openai</code> from 0.5.18 to
0.6.17 in /js by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2806">langchain-ai/langsmith-sdk#2806</a></li>
<li>chore(deps): bump the py-minor-and-patch group across 1 directory
with 18 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2808">langchain-ai/langsmith-sdk#2808</a></li>
<li>feat(py): Adds strands OTEL exporter by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2817">langchain-ai/langsmith-sdk#2817</a></li>
<li>chore(js): Switch to oxfmt and oxlint by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2819">langchain-ai/langsmith-sdk#2819</a></li>
<li>fix(py): fix RunTree ValidationError when inputs or outputs is a
Pydantic BaseModel by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2820">langchain-ai/langsmith-sdk#2820</a></li>
<li>chore: add apac support by <a
href="https://github.com/joaquin-borggio-lc"><code>@​joaquin-borggio-lc</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2821">langchain-ai/langsmith-sdk#2821</a></li>
<li>fix(js): Pull Claude Agent SDK subagent runs from transcript, add
tool span for subagents, merge message blocks by id by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2816">langchain-ai/langsmith-sdk#2816</a></li>
<li>release(js): 0.5.26 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2824">langchain-ai/langsmith-sdk#2824</a></li>
<li>release(py): 0.7.38 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2825">langchain-ai/langsmith-sdk#2825</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.37...v0.7.38">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.37...v0.7.38</a></p>
<h2>v0.7.37</h2>
<h2>What's Changed</h2>
<ul>
<li>perf(js): Offload serialize to worker thread at flush time by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2781">langchain-ai/langsmith-sdk#2781</a></li>
<li>release(js): 0.5.24 by <a
href="https://github.com/emil-lc"><code>@​emil-lc</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2790">langchain-ai/langsmith-sdk#2790</a></li>
<li>chore(js): Fix perf test flagging by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2792">langchain-ai/langsmith-sdk#2792</a></li>
<li>feat(js,python): Adds hub model config and provider to schemas by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2793">langchain-ai/langsmith-sdk#2793</a></li>
<li>fix(js): minor test improvements by <a
href="https://github.com/christian-bromann"><code>@​christian-bromann</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2429">langchain-ai/langsmith-sdk#2429</a></li>
<li>fix(js): Include auth headers on info requests by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2800">langchain-ai/langsmith-sdk#2800</a></li>
<li>release(js): 0.5.25 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2801">langchain-ai/langsmith-sdk#2801</a></li>
<li>fix(python): flush both tracing_queue and compressed_traces in
flush() by <a
href="https://github.com/angus-langchain"><code>@​angus-langchain</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2796">langchain-ai/langsmith-sdk#2796</a></li>
<li>chore(deps): bump postcss from 8.5.8 to 8.5.10 in
/js/internal/environment_tests/test-exports-vite in the npm_and_yarn
group across 1 directory by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2791">langchain-ai/langsmith-sdk#2791</a></li>
<li>chore(deps-dev): bump google-adk from 1.10.0 to 1.28.1 in /python by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2794">langchain-ai/langsmith-sdk#2794</a></li>
<li>fix(python): flush pending traces during Client.cleanup() by <a
href="https://github.com/angus-langchain"><code>@​angus-langchain</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2799">langchain-ai/langsmith-sdk#2799</a></li>
<li>fix(py): Fix concurrency for multiple Claude Agent SDK sessions by
<a href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in
<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2795">langchain-ai/langsmith-sdk#2795</a></li>
<li>release(py): 0.7.37 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2802">langchain-ai/langsmith-sdk#2802</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.36...v0.7.37">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.36...v0.7.37</a></p>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="cf01c873d5"><code>cf01c87</code></a>
release(py): 0.8.0 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2833">#2833</a>)</li>
<li><a
href="fd049c8464"><code>fd049c8</code></a>
release(js): 0.6.0 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2832">#2832</a>)</li>
<li><a
href="092a8866c4"><code>092a886</code></a>
feat(js,py): JS 0.6.0, Py 0.8.0 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2831">#2831</a>)</li>
<li><a
href="ff180c0423"><code>ff180c0</code></a>
release(py): 0.7.38 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2825">#2825</a>)</li>
<li><a
href="d9de3ca801"><code>d9de3ca</code></a>
release(js): 0.5.26 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2824">#2824</a>)</li>
<li><a
href="1428394831"><code>1428394</code></a>
fix(js): Pull Claude Agent SDK subagent runs from transcript, add tool
span f...</li>
<li><a
href="838e957d80"><code>838e957</code></a>
chore: add apac support (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2821">#2821</a>)</li>
<li><a
href="003f22a768"><code>003f22a</code></a>
fix(py): fix RunTree ValidationError when inputs or outputs is a
Pydantic Bas...</li>
<li><a
href="8f5ef27c2d"><code>8f5ef27</code></a>
chore(js): Switch to oxfmt and oxlint (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2819">#2819</a>)</li>
<li><a
href="9873633c9f"><code>9873633</code></a>
feat(py): Adds strands OTEL exporter (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2817">#2817</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.31...v0.8.0">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-15 17:22:40 -07:00
Nick Hollon
da380bccf8 chore(infra): merge v1.4 into master (#37350) 2026-05-11 11:39:25 -07:00
dependabot[bot]
407e33abca chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/langchain (#37327)
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/urllib3/urllib3/releases">urllib3's
releases</a>.</em></p>
<blockquote>
<h2>2.7.0</h2>
<h2>🚀 urllib3 is fundraising for HTTP/2 support</h2>
<p><a
href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3
is raising ~$40,000 USD</a> to release HTTP/2 support and ensure
long-term sustainable maintenance of the project after a sharp decline
in financial support. If your company or organization uses Python and
would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and
thousands of other projects <a
href="https://opencollective.com/urllib3">please consider contributing
financially</a> to ensure HTTP/2 support is developed sustainably and
maintained for the long-haul.</p>
<p>Thank you for your support.</p>
<h2>Security</h2>
<p>Addressed high-severity security issues. Impact was limited to
specific use cases detailed in the accompanying advisories; overall user
exposure was estimated to be marginal.</p>
<ul>
<li>
<p>Decompression-bomb safeguards of the streaming API were bypassed:</p>
<ol>
<li>When <code>HTTPResponse.drain_conn()</code> was called after the
response had been read and decompressed partially. (Reported by <a
href="https://github.com/Cycloctane"><code>@​Cycloctane</code></a>)</li>
<li>During the second <code>HTTPResponse.read(amt=N)</code> or
<code>HTTPResponse.stream(amt=N)</code> call when the response was
decompressed using the official <a
href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by
<a
href="https://github.com/kimkou2024"><code>@​kimkou2024</code></a>)</li>
</ol>
<p>See GHSA-mf9v-mfxr-j63j for details.</p>
</li>
<li>
<p>HTTP pools created using
<code>ProxyManager.connection_from_url</code> did not strip sensitive
headers specified in <code>Retry.remove_headers_on_redirect</code> when
redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a
href="https://github.com/christos-spearbit"><code>@​christos-spearbit</code></a>)</p>
</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Used <code>FutureWarning</code> instead of
<code>DeprecationWarning</code> for better visibility of existing
deprecation notices. Rescheduled the removal of deprecated features to
version 3.0. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li>
<li>Removed support for end-of-life Python 3.9. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li>
<li>Removed support for end-of-life PyPy3.10. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li>
<li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was
ignoring decompressed data buffered from previous partial reads. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li>
<li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only
part of the response after a partial read when
<code>cache_content=True</code>. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li>
<li>Fixed <code>HTTPResponse.stream()</code> and
<code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>.
(<a
href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li>
<li>Updated <code>_TYPE_BODY</code> type alias to include missing
<code>Iterable[str]</code>, matching the documented and runtime behavior
of chunked request bodies. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li>
<li>Fixed <code>LocationParseError</code> when paths resembling
schemeless URIs were passed to
<code>HTTPConnectionPool.urlopen()</code>. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li>
<li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to
accept <code>memoryview</code> in addition to <code>bytearray</code>,
matching the <code>io.RawIOBase.readinto</code> contract and enabling
use with <code>io.BufferedReader</code> without type errors. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's
changelog</a>.</em></p>
<blockquote>
<h1>2.7.0 (2026-05-07)</h1>
<h2>Security</h2>
<p>Addressed high-severity security issues.
Impact was limited to specific use cases detailed in the accompanying
advisories; overall user exposure was estimated to be marginal.</p>
<ul>
<li>
<p>Decompression-bomb safeguards of the streaming API were bypassed:</p>
<ol>
<li>When <code>HTTPResponse.drain_conn()</code> was called after the
response had been
read and decompressed partially.</li>
<li>During the second <code>HTTPResponse.read(amt=N)</code> or
<code>HTTPResponse.stream(amt=N)</code> call when the response was
decompressed
using the official <a
href="https://pypi.org/project/brotli/">Brotli</a> library.</li>
</ol>
<p>See <a
href="https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j">GHSA-mf9v-mfxr-j63j</a>
for details.</p>
</li>
<li>
<p>HTTP pools created using
<code>ProxyManager.connection_from_url</code> did not strip
sensitive headers specified in
<code>Retry.remove_headers_on_redirect</code> when
redirecting to a different host.
(<a
href="https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc">GHSA-qccp-gfcp-xxvc</a>)</p>
</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Used <code>FutureWarning</code> instead of
<code>DeprecationWarning</code> for better
visibility of existing deprecation notices. Rescheduled the removal of
deprecated features to version 3.0.
(<a
href="https://github.com/urllib3/urllib3/issues/3763">#3763</a>)</li>
<li>Removed support for end-of-life Python 3.9.
(<a
href="https://github.com/urllib3/urllib3/issues/3720">#3720</a>)</li>
<li>Removed support for end-of-life PyPy3.10.
(<a
href="https://github.com/urllib3/urllib3/issues/4979">#4979</a>)</li>
<li>Bumped the minimum supported pyOpenSSL version to 19.0.0.
(<a
href="https://github.com/urllib3/urllib3/issues/3777">#3777</a>)</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was
ignoring decompressed
data buffered from previous partial reads.
(<a
href="https://github.com/urllib3/urllib3/issues/3636">#3636</a>)</li>
<li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only
part of the
response after a partial read when <code>cache_content=True</code>.</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="9a950b92d9"><code>9a950b9</code></a>
Release 2.7.0</li>
<li><a
href="5ec0de499b"><code>5ec0de4</code></a>
Merge commit from fork</li>
<li><a
href="2bdcc44d1e"><code>2bdcc44</code></a>
Merge commit from fork</li>
<li><a
href="f45b0df09d"><code>f45b0df</code></a>
Fix a misleading example for <code>ProxyManager</code> (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li>
<li><a
href="577193ca02"><code>577193c</code></a>
Switch to nightly PyPy3.11 in CI for now (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li>
<li><a
href="e90af45bb0"><code>e90af45</code></a>
Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when
<code>amt=0</code> (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li>
<li><a
href="67ed74fdae"><code>67ed74f</code></a>
Bump dev dependencies (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li>
<li><a
href="3abd481097"><code>3abd481</code></a>
Upgrade mypy to version 1.20.2 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li>
<li><a
href="2b8725dfca"><code>2b8725d</code></a>
Drop support for EOL PyPy3.10 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li>
<li><a
href="2944b2a0a6"><code>2944b2a</code></a>
Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix
warnings (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-11 11:19:39 -07:00
dependabot[bot]
2fe237a0b0 chore: bump mistune from 3.1.4 to 3.2.1 in /libs/langchain (#37236)
Bumps [mistune](https://github.com/lepture/mistune) from 3.1.4 to 3.2.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lepture/mistune/releases">mistune's
releases</a>.</em></p>
<blockquote>
<h2>v3.2.1</h2>
<h3>   🐞 Bug Fixes</h3>
<ul>
<li>Resolve Windows compatibility issues in file inclusion and tests  - 
by <a href="https://github.com/Yuki9814"><code>@​Yuki9814</code></a> <a
href="https://github.com/lepture/mistune/commit/2547102"><!-- raw HTML
omitted -->(25471)<!-- raw HTML omitted --></a></li>
<li>Escape html text  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/a3cb6e5"><!-- raw HTML
omitted -->(a3cb6)<!-- raw HTML omitted --></a></li>
<li>Update link reference  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/85eb54f"><!-- raw HTML
omitted -->(85eb5)<!-- raw HTML omitted --></a></li>
<li>Handle escaped dollar signs in inline math  -  by <a
href="https://github.com/saschabuehrle"><code>@​saschabuehrle</code></a>
in <a
href="https://redirect.github.com/lepture/mistune/issues/370">lepture/mistune#370</a>
<a href="https://github.com/lepture/mistune/commit/7bd5709"><!-- raw
HTML omitted -->(7bd57)<!-- raw HTML omitted --></a></li>
<li>Escape id of toc  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/04880a0"><!-- raw HTML
omitted -->(04880)<!-- raw HTML omitted --></a></li>
<li>Escape id of headings  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/2855622"><!-- raw HTML
omitted -->(28556)<!-- raw HTML omitted --></a></li>
<li>Remove double-encoding of image alt text  -  by <a
href="https://github.com/lawrence3699"><code>@​lawrence3699</code></a>
<a href="https://github.com/lepture/mistune/commit/0d6f3d8"><!-- raw
HTML omitted -->(0d6f3)<!-- raw HTML omitted --></a></li>
<li>Escape xml for math plugin  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/5fa092e"><!-- raw HTML
omitted -->(5fa09)<!-- raw HTML omitted --></a></li>
<li>Use strict regex for image's height and width  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/8d0cb75"><!-- raw HTML
omitted -->(8d0cb)<!-- raw HTML omitted --></a></li>
</ul>
<h5>    <a
href="https://github.com/lepture/mistune/compare/v3.2.0...v3.2.1">View
changes on GitHub</a></h5>
<h2>v3.2.0</h2>
<h3>   🚀 Features</h3>
<ul>
<li>Support footnotes that start on the next line.  -  by <a
href="https://github.com/kylechui"><code>@​kylechui</code></a> <a
href="https://github.com/lepture/mistune/commit/2677e2d"><!-- raw HTML
omitted -->(2677e)<!-- raw HTML omitted --></a></li>
<li>Properly handle code blocks inside footnotes.  -  by <a
href="https://github.com/kylechui"><code>@​kylechui</code></a> <a
href="https://github.com/lepture/mistune/commit/0516c9e"><!-- raw HTML
omitted -->(0516c)<!-- raw HTML omitted --></a></li>
<li>Support python 3.14  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/7e0eb65"><!-- raw HTML
omitted -->(7e0eb)<!-- raw HTML omitted --></a></li>
</ul>
<h3>   🐞 Bug Fixes</h3>
<ul>
<li>Render ref links and footnotes in footnotes.  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/bd90e44"><!-- raw HTML
omitted -->(bd90e)<!-- raw HTML omitted --></a></li>
<li>Render ref links in TOC.  -  by <a
href="https://github.com/lemon24"><code>@​lemon24</code></a> <a
href="https://github.com/lepture/mistune/commit/a0a0148"><!-- raw HTML
omitted -->(a0a01)<!-- raw HTML omitted --></a></li>
<li>Update typing for mypy upgrades  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/8d49cba"><!-- raw HTML
omitted -->(8d49c)<!-- raw HTML omitted --></a></li>
<li>Render correct html for footnotes  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/9b62204"><!-- raw HTML
omitted -->(9b622)<!-- raw HTML omitted --></a></li>
</ul>
<h5>    <a
href="https://github.com/lepture/mistune/compare/v3.1.4...v3.2.0">View
changes on GitHub</a></h5>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/lepture/mistune/blob/main/docs/changes.rst">mistune's
changelog</a>.</em></p>
<blockquote>
<h2>Version 3.2.1</h2>
<p><strong>Released on May 3, 2026</strong></p>
<ul>
<li>Escape link in <code>render_toc_ul</code>.</li>
<li>Escape text in math plugin.</li>
<li>Fix regex for math plugin.</li>
<li>Escape heading's ID attribute.</li>
<li>Fix <code>LINK_TITLE_RE</code> to prevent DoS.</li>
<li>Escape class attribute for admonition directive.</li>
<li>Remove double-encoding of image alt text.</li>
<li>Escape class attribute for image directive.</li>
<li>Fix width/height attribute for image directive.</li>
</ul>
<h2>Version 3.2.0</h2>
<p><strong>Released on Dec 23, 2025</strong></p>
<ul>
<li>Announce supports for python 3.14</li>
<li>Fix footnotes plugins for code blocks, ref links, blockquote and
etc.</li>
<li>Fix ref links in TOC.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="067f908610"><code>067f908</code></a>
chore: release 3.2.1</li>
<li><a
href="bf5503067a"><code>bf55030</code></a>
Merge pull request <a
href="https://redirect.github.com/lepture/mistune/issues/438">#438</a>
from saschabuehrle/fix/issue-370</li>
<li><a
href="8d0cb7539a"><code>8d0cb75</code></a>
fix: use strict regex for image's height and width</li>
<li><a
href="5fa092e305"><code>5fa092e</code></a>
fix: escape xml for math plugin</li>
<li><a
href="71ec9477eb"><code>71ec947</code></a>
Merge pull request <a
href="https://redirect.github.com/lepture/mistune/issues/440">#440</a>
from lawrence3699/fix/image-alt-double-encoding</li>
<li><a
href="0d6f3d8502"><code>0d6f3d8</code></a>
fix: remove double-encoding of image alt text</li>
<li><a
href="2855622d7f"><code>2855622</code></a>
fix: escape id of headings</li>
<li><a
href="04880a004c"><code>04880a0</code></a>
fix: escape id of toc</li>
<li><a
href="7bd5709671"><code>7bd5709</code></a>
fix: handle escaped dollar signs in inline math (fixes <a
href="https://redirect.github.com/lepture/mistune/issues/370">#370</a>)</li>
<li><a
href="85eb54ff17"><code>85eb54f</code></a>
fix: update link reference</li>
<li>Additional commits viewable in <a
href="https://github.com/lepture/mistune/compare/v3.1.4...v3.2.1">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-07 13:08:10 -04:00
Eugene Yurtsev
ec9a3c15ad release(langchain-classic): 1.0.7 (#37240)
release 1.0.7
2026-05-07 11:44:10 -04:00
Eugene Yurtsev
cccefce0b1 chore(langchain-classic): deprecate hub, limit loads/dumps (#37234)
deprecate hub classic and hub runnable. This code path isn't expected to
be active for most users (it's dependent on having a very old version of
the langsmith sdk). harden usage of loads/dumps.
2026-05-07 10:37:33 -04:00
Nick Hollon
1519ed5afb release(langchain-classic): 1.0.6 (#37211) 2026-05-05 16:59:12 -04:00
dependabot[bot]
ad305571ba chore: bump jupyter-server from 2.17.0 to 2.18.0 in /libs/langchain (#37203)
Bumps [jupyter-server](https://github.com/jupyter-server/jupyter_server)
from 2.17.0 to 2.18.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jupyter-server/jupyter_server/releases">jupyter-server's
releases</a>.</em></p>
<blockquote>
<h2>v2.18.0</h2>
<h2>2.18.0</h2>
<p>(<a
href="https://github.com/jupyter-server/jupyter_server/compare/v2.17.0...49b34392feaa97735b3b777e3baf8f22f2a14ed8">Full
Changelog</a>)</p>
<h3>Security patches</h3>
<ul>
<li>CVE-2026-40110 <a
href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p</a></li>
<li>CVE-2025-61669 <a
href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w</a></li>
<li>CVE-2026-40934 <a
href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f</a></li>
<li>CVE-2026-35397 <a
href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3</a></li>
</ul>
<h3>API and Breaking Changes</h3>
<ul>
<li>Add query param to sanitize HTML in GET /nbconvert/html <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1618">#1618</a>
(<a href="https://github.com/Yann-P"><code>@​Yann-P</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
</ul>
<h3>Enhancements made</h3>
<ul>
<li>Update handlers.py to fix ioloop blockers(sync file operations) <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1617">#1617</a>
(<a
href="https://github.com/zolyfarkas-fb"><code>@​zolyfarkas-fb</code></a>,
<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Add resolvePath API for resolving kernel-relative paths <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1331">#1331</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
</ul>
<h3>Bugs fixed</h3>
<ul>
<li>Move check origin into a util function and add it to websocket <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1630">#1630</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/Yann-P"><code>@​Yann-P</code></a>)</li>
<li>Fix flaky test_restart_kernel by unsticking nudge() after
port-changing restart <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1628">#1628</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/claude"><code>@​claude</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Try to fix flaky test &quot;test_restart_kernel&quot; <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1625">#1625</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Fix potential unraisable pytest error <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1624">#1624</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>fix: use %s placeholders in HTTPError to prevent Tornado from
doubling % in gateway URLs <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1620">#1620</a>
(<a
href="https://github.com/terminalchai"><code>@​terminalchai</code></a>,
<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/ptch314"><code>@​ptch314</code></a>)</li>
<li>Fix three file descriptor leaks in kernel connection lifecycle (<a
href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1506">#1506</a>)
<a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1619">#1619</a>
(<a href="https://github.com/tonyx93"><code>@​tonyx93</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Use web.HTTPError for kernel restart failures <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1616">#1616</a>
(<a href="https://github.com/YDawn"><code>@​YDawn</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Handle EADDRINUSE and EACCES in _bind_http_server_tcp <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1613">#1613</a>
(<a href="https://github.com/YDawn"><code>@​YDawn</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Use st_birthtime for file created timestamp on macOS/BSD <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1594">#1594</a>
(<a href="https://github.com/ktaletsk"><code>@​ktaletsk</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Fix double write when refusing hidden files in contents handler <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1585">#1585</a>
(<a href="https://github.com/Krish-876"><code>@​Krish-876</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Close all sockets in _find_http_port explicitly <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1584">#1584</a>
(<a
href="https://github.com/MaryushSoroka"><code>@​MaryushSoroka</code></a>,
<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Fix writing on remote file systems with attribute cache <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1574">#1574</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Add IdentityProvider.cookie_secret_hook <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1569">#1569</a>
(<a href="https://github.com/emin63"><code>@​emin63</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>fix context pollution <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1561">#1561</a>
(<a href="https://github.com/dualc"><code>@​dualc</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Fix gateway cookie handling <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1558">#1558</a>
(<a
href="https://github.com/kevin-bates"><code>@​kevin-bates</code></a>, <a
href="https://github.com/RRosio"><code>@​RRosio</code></a>, <a
href="https://github.com/lresende"><code>@​lresende</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>fix connection exception cause high cpu load <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1484">#1484</a>
(<a href="https://github.com/dualc"><code>@​dualc</code></a>, <a
href="https://github.com/lresende"><code>@​lresende</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
</ul>
<h3>Maintenance and upkeep improvements</h3>
<ul>
<li>Start to test on Python 3.13 and 3.14 <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1623">#1623</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Bump actions/create-github-app-token from 2 to 3 in the actions
group across 1 directory <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1621">#1621</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Bump brace-expansion from 1.1.12 to 1.1.13 <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1615">#1615</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Fix package spec for jupytext <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1614">#1614</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>chore: update pre-commit hooks <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1607">#1607</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>try to fix ci on windows <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1600">#1600</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>run prerelease tests on 3.14 <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1599">#1599</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Pin sphinx to an older version (&lt;9) to fix docs <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1597">#1597</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jupyter-server/jupyter_server/blob/main/CHANGELOG.md">jupyter-server's
changelog</a>.</em></p>
<blockquote>
<h2>2.18.0</h2>
<p>(<a
href="https://github.com/jupyter-server/jupyter_server/compare/v2.9.1...49b34392feaa97735b3b777e3baf8f22f2a14ed8">Full
Changelog</a>)</p>
<h3>API and Breaking Changes</h3>
<ul>
<li>Add query param to sanitize HTML in GET /nbconvert/html <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1618">#1618</a>
(<a href="https://github.com/Yann-P"><code>@​Yann-P</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
</ul>
<h3>Enhancements made</h3>
<ul>
<li>Update handlers.py to fix ioloop blockers(sync file operations) <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1617">#1617</a>
(<a
href="https://github.com/zolyfarkas-fb"><code>@​zolyfarkas-fb</code></a>,
<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Avoid redundant call to <code>_get_os_path</code> in
<code>_dir_model</code> <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1547">#1547</a>
(<a href="https://github.com/joeyutong"><code>@​joeyutong</code></a>, <a
href="https://github.com/vidartf"><code>@​vidartf</code></a>)</li>
<li>Allow specifying extra params to scrub from logs <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1538">#1538</a>
(<a href="https://github.com/jtpio"><code>@​jtpio</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/vidartf"><code>@​vidartf</code></a>)</li>
<li>Add a logger to the ExtensionPoint API <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1523">#1523</a>
(<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/vidartf"><code>@​vidartf</code></a>)</li>
<li>Allow user to update identity values <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1518">#1518</a>
(<a href="https://github.com/brichet"><code>@​brichet</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>If ServerApp.ip is ipv6 use [::1] as local_url <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1495">#1495</a>
(<a href="https://github.com/manics"><code>@​manics</code></a>, <a
href="https://github.com/afshin"><code>@​afshin</code></a>)</li>
<li>Better error message when starting kernel for session. <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1478">#1478</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/davidbrochart"><code>@​davidbrochart</code></a>,
<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Add a traitlet to disable recording HTTP request metrics <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1472">#1472</a>
(<a href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>prometheus: Expose 3 activity metrics <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1471">#1471</a>
(<a href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Add prometheus info metrics listing server extensions + versions <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1470">#1470</a>
(<a href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Add prometheus metric with version information <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1467">#1467</a>
(<a href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Don't hide .so,.dylib files by default <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1457">#1457</a>
(<a href="https://github.com/nokados"><code>@​nokados</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>, <a
href="https://github.com/vidartf"><code>@​vidartf</code></a>)</li>
<li>Better hash format error message <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1442">#1442</a>
(<a href="https://github.com/fcollonval"><code>@​fcollonval</code></a>,
<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Removing excessive logging from reading local files <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1420">#1420</a>
(<a href="https://github.com/lresende"><code>@​lresende</code></a>, <a
href="https://github.com/kevin-bates"><code>@​kevin-bates</code></a>)</li>
<li>Add async start hook to ExtensionApp API <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1417">#1417</a>
(<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/Darshan808"><code>@​Darshan808</code></a>, <a
href="https://github.com/bollwyvl"><code>@​bollwyvl</code></a>, <a
href="https://github.com/fcollonval"><code>@​fcollonval</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Do not include token in dashboard link, when available <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1406">#1406</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
<li>Add an option to have authentication enabled for all endpoints by
default <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1392">#1392</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Wh1isper"><code>@​Wh1isper</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>, <a
href="https://github.com/bollwyvl"><code>@​bollwyvl</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>, <a
href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>)</li>
<li>websockets: add configurations for ping interval and timeout <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1391">#1391</a>
(<a
href="https://github.com/oliver-sanders"><code>@​oliver-sanders</code></a>,
<a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
<li>log extension import time at debug level unless it's actually slow
<a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1375">#1375</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>)</li>
<li>Add support for async Authorizers (part 2) <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1374">#1374</a>
(<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
<li>Support async Authorizers <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1373">#1373</a>
(<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
<li>Support get file(notebook) md5 <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1363">#1363</a>
(<a href="https://github.com/Wh1isper"><code>@​Wh1isper</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>, <a
href="https://github.com/bollwyvl"><code>@​bollwyvl</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Update kernel env to reflect changes in session <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1354">#1354</a>
(<a href="https://github.com/blink1073"><code>@​blink1073</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Add resolvePath API for resolving kernel-relative paths <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1331">#1331</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
</ul>
<h3>Bugs fixed</h3>
<ul>
<li>Move check origin into a util function and add it to websocket <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1630">#1630</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/Yann-P"><code>@​Yann-P</code></a>)</li>
<li>Fix flaky test_restart_kernel by unsticking nudge() after
port-changing restart <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1628">#1628</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/claude"><code>@​claude</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Try to fix flaky test &quot;test_restart_kernel&quot; <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1625">#1625</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Fix potential unraisable pytest error <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1624">#1624</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>fix: use %s placeholders in HTTPError to prevent Tornado from
doubling % in gateway URLs <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1620">#1620</a>
(<a
href="https://github.com/terminalchai"><code>@​terminalchai</code></a>,
<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/ptch314"><code>@​ptch314</code></a>)</li>
<li>Fix three file descriptor leaks in kernel connection lifecycle (<a
href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1506">#1506</a>)
<a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1619">#1619</a>
(<a href="https://github.com/tonyx93"><code>@​tonyx93</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Use web.HTTPError for kernel restart failures <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1616">#1616</a>
(<a href="https://github.com/YDawn"><code>@​YDawn</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Handle EADDRINUSE and EACCES in _bind_http_server_tcp <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1613">#1613</a>
(<a href="https://github.com/YDawn"><code>@​YDawn</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Use st_birthtime for file created timestamp on macOS/BSD <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1594">#1594</a>
(<a href="https://github.com/ktaletsk"><code>@​ktaletsk</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Fix double write when refusing hidden files in contents handler <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1585">#1585</a>
(<a href="https://github.com/Krish-876"><code>@​Krish-876</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Close all sockets in _find_http_port explicitly <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1584">#1584</a>
(<a
href="https://github.com/MaryushSoroka"><code>@​MaryushSoroka</code></a>,
<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Fix writing on remote file systems with attribute cache <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1574">#1574</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Add IdentityProvider.cookie_secret_hook <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1569">#1569</a>
(<a href="https://github.com/emin63"><code>@​emin63</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0ceed45a80"><code>0ceed45</code></a>
Publish 2.18.0</li>
<li><a
href="49b34392fe"><code>49b3439</code></a>
Move check origin into a util function and add it to websocket (<a
href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1630">#1630</a>)</li>
<li><a
href="e2e08c845d"><code>e2e08c8</code></a>
Add test case for bad next URL format</li>
<li><a
href="624d6c0daf"><code>624d6c0</code></a>
Delete outdated patch code</li>
<li><a
href="d825b93d9c"><code>d825b93</code></a>
Apply suggestion from <a
href="https://github.com/minrk"><code>@​minrk</code></a></li>
<li><a
href="789fed081a"><code>789fed0</code></a>
patch open redirect in /login</li>
<li><a
href="2ee51eccf3"><code>2ee51ec</code></a>
fix(CVE-2026-35397): path traversal when target dir starts with root
dir</li>
<li><a
href="057869a327"><code>057869a</code></a>
Fix allow_origin_pat to do full matching instead of prefix matching</li>
<li><a
href="4862199a0f"><code>4862199</code></a>
Add resolvePath API for resolving kernel-relative paths</li>
<li><a
href="e31d51406d"><code>e31d514</code></a>
Bump actions/create-github-app-token from 2 to 3 in the actions group
across ...</li>
<li>Additional commits viewable in <a
href="https://github.com/jupyter-server/jupyter_server/compare/v2.17.0...v2.18.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=jupyter-server&package-manager=uv&previous-version=2.17.0&new-version=2.18.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-05 16:41:53 -04:00
Nick Hollon
c0e1d1366e fix(langchain): restrict deserialization in langchain_classic.storage._lc_store (#37208) 2026-05-05 16:29:22 -04:00