Prevent double counting, since the sum of all `input_token_details`
should never exceed `input_tokens`
---------
Co-authored-by: Chester Curme <chester.curme@gmail.com>
During an automated code review of .github/scripts/get_min_versions.py,
the following issue was identified. Set a timeout on get min versions
HTTP calls. Network calls without a timeout can hang a worker
indefinitely. I kept the patch small and re-ran syntax checks after
applying it.
Remove the redundant `lc_attributes` override from `ChatXAI`. The
`xai_api_base` field is a declared Pydantic `Field`, so
`Serializable.to_json()` already picks it up via its standard field
iteration loop (line 225-232 in `serializable.py`). The override was a
no-op — it re-inserted the same key with the same value that the base
serialization already included.
Add `base_url` alias and `XAI_API_BASE` env variable support to
`ChatXAI.xai_api_base`, aligning the xAI integration with the pattern
used across other partner packages (OpenAI, Groq, Fireworks, etc.).
Previously the base URL was a plain string field with no alias or
env-var lookup, making it inconsistent with the rest of the ecosystem
and harder to configure in deployment environments.
## Changes
- Add `alias="base_url"` and `default_factory=from_env("XAI_API_BASE",
default="https://api.x.ai/v1/")` to `ChatXAI.xai_api_base`, matching the
convention in `langchain_openai`, `langchain_groq`, and
`langchain_fireworks`
Extract additional fields from models.dev into `_model_data_to_profile`:
`name`, `status`, `release_date`, `last_updated`, `open_weights`,
`attachment`, `temperature`
Move the model profile refresh logic from an inline bash script in the
GitHub Actions workflow into a `make refresh-profiles` target in
`libs/model-profiles/Makefile`. This makes it runnable locally with a
single command and keeps the provider map in one place instead of
duplicated between CI and developer docs.
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.2 to
6.5.5.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's
changelog</a>.</em></p>
<blockquote>
<h1>Release notes</h1>
<p>.. toctree::
:maxdepth: 2</p>
<p>releases/v6.5.5
releases/v6.5.4
releases/v6.5.3
releases/v6.5.2
releases/v6.5.1
releases/v6.5.0
releases/v6.4.2
releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
releases/v6.1.0
releases/v6.0.4
releases/v6.0.3
releases/v6.0.2
releases/v6.0.1
releases/v6.0.0
releases/v5.1.1
releases/v5.1.0
releases/v5.0.2
releases/v5.0.1
releases/v5.0.0
releases/v4.5.3
releases/v4.5.2
releases/v4.5.1
releases/v4.5.0
releases/v4.4.3
releases/v4.4.2
releases/v4.4.1
releases/v4.4.0
releases/v4.3.0
releases/v4.2.1
releases/v4.2.0
releases/v4.1.0
releases/v4.0.2
releases/v4.0.1
releases/v4.0.0
releases/v3.2.2
releases/v3.2.1
releases/v3.2.0
releases/v3.1.1</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7d6465056c"><code>7d64650</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3586">#3586</a>
from bdarnell/update-cibw</li>
<li><a
href="d05d59b808"><code>d05d59b</code></a>
build: Bump cibuildwheel to 3.4.0</li>
<li><a
href="c2f46732b0"><code>c2f4673</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3585">#3585</a>
from bdarnell/release-655</li>
<li><a
href="e5f1aa4b6f"><code>e5f1aa4</code></a>
Release notes and version bump for v6.5.5</li>
<li><a
href="78a046f99f"><code>78a046f</code></a>
httputil: Add CRLF to _FORBIDDEN_HEADER_CHARS_RE</li>
<li><a
href="24a2d96ea1"><code>24a2d96</code></a>
web: Validate characters in all cookie attributes.</li>
<li><a
href="119a195e29"><code>119a195</code></a>
httputil: Add limits on multipart form data parsing</li>
<li><a
href="63d4df4eef"><code>63d4df4</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3564">#3564</a>
from bdarnell/release-654</li>
<li><a
href="eadbf9adbe"><code>eadbf9a</code></a>
Release notes and version bump for 6.5.4</li>
<li><a
href="bbc2b1429c"><code>bbc2b14</code></a>
Make sure that the in-operator on HTTPHeaders is case insensitive</li>
<li>Additional commits viewable in <a
href="https://github.com/tornadoweb/tornado/compare/v6.5.2...v6.5.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Fixed typo in comment: "equivelent" -> "equivalent" in
libs/partners/openai/langchain_openai/chat_models/base.py
Co-authored-by: AI Assistant <assistant@example.com>
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.
🤖 Generated by the `refresh_model_profiles` workflow.
Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.
🤖 Generated by the `refresh_model_profiles` workflow.
Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.
🤖 Generated by the `refresh_model_profiles` workflow.
Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.
🤖 Generated by the `refresh_model_profiles` workflow.
Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
Fix `_wrap_messages_for_sdk` stripping `role` before `model_construct` —
on `openrouter==0.6.0` (minimum dep), the SDK models don't auto-populate
a default `role`, so `model_dump()` omitted it entirely, causing
`KeyError: 'role'` in pre-release checks.
Streaming token usage was silently dropped for `ChatOpenRouter`. Both
`_stream` and `_astream` skipped any SSE chunk without a `choices` array
— which is exactly the shape OpenRouter uses for the final
usage-reporting chunk. This meant `usage_metadata` was never populated
on streamed responses, causing downstream consumers (like the Deep
Agents CLI) to show "unknown" model with 0 tokens.
## Changes
- Add `stream_usage: bool = True` field to `ChatOpenRouter`, which
passes `stream_options: {"include_usage": True}` to the OpenRouter API
when streaming — matching the pattern already established in
`langchain-openai`'s `BaseChatOpenAI`
- Handle usage-only chunks (no `choices`, just `usage`) in both
`_stream` and `_astream` by emitting a `ChatGenerationChunk` with
`usage_metadata` via `_create_usage_metadata`, instead of silently
`continue`-ing past them
Add a `model` property to `ChatFireworks`, `ChatGroq`, and
`ChatOpenRouter` that returns `model_name`. These partners use
Pydantic's `Field(alias="model")` on `model_name`, which means
`instance.model` doesn't work as a read accessor after construction — it
raises an `AttributeError` or returns the field descriptor. `ChatOpenAI`
already has this property; this brings the remaining in-repo partners to
parity.
Switch the `TestHuggingFaceEndpoint` serverless inference provider from
`sambanova` to `together` for `Llama-3.3-70B-Instruct`. Sambanova
doesn't support `tool_choice: "any"` (needed by
`test_structured_few_shot_examples` and
`test_unicode_tool_call_integration`) and doesn't return
`usage_metadata` in streaming responses.
- Switch `TestHuggingFaceEndpoint` from `Llama-4-Maverick` +
`fireworks-ai` to `Llama-3.3-70B-Instruct` + `sambanova` — Maverick is
no longer routed to Fireworks in hub 1.x
- Switch `test_stream_usage` provider from `nebius` to `scaleway` for
`gemma-3-27b-it` — same provider routing change
Bump `transformers` and `sentence-transformers` lower bounds in
`langchain-huggingface` to resolve a dependency conflict with
`huggingface-hub` 1.x. The existing constraints allowed
`huggingface-hub>=0.33.4,<2.0.0` (so hub 1.x is valid), but
`transformers` 4.x requires `huggingface-hub<1.0` — causing the
pre-release CI job to fail when `uv pip install --force-reinstall`
resolved hub to 1.5.0 while leaving `transformers` at 4.56.2.
Breaking change for users on transformers 4.x or
sentence-transformers<5.2.0 who install langchain-huggingface[full].
## Description
OpenRouter returns `cost` and `cost_details` in its API response `usage`
object, providing the actual cost of each API call. Currently,
`_create_usage_metadata()` only extracts token counts and drops these
cost fields.
This PR surfaces both `cost` and `cost_details` in `response_metadata`
for both non-streaming and streaming paths, allowing users to access
actual API costs directly from the response without manual estimation
from token counts.
**Example response from OpenRouter:**
```json
{
"usage": {
"prompt_tokens": 100,
"completion_tokens": 50,
"cost": 0.000075,
"cost_details": {
"upstream_inference_cost": 0.00007745,
"upstream_inference_prompt_cost": 0.00000895,
"upstream_inference_completions_cost": 0.0000685
}
}
}
```
**After this change:**
```python
result = chat.invoke("hello")
result.response_metadata["cost"] # 0.000075
result.response_metadata["cost_details"] # {...}
```
## Changes
- **`_create_chat_result`**: Surface `cost` and `cost_details` from
`token_usage` into `response_metadata` (non-streaming)
- **`_convert_chunk_to_message_chunk`**: Same for streaming
`AIMessageChunk`
- Added `PLR0912` to `noqa` comments (new branches pushed count over
threshold)
- Added two unit tests: one verifying cost fields are present when
returned, one verifying they're absent when not in usage
## Issue
N/A — discovered while integrating OpenRouter in a production pipeline.
The cost data is already returned by the API but was being silently
dropped.
## Dependencies
None.
## Twitter handle
@hamza_kyamanywa
---------
Co-authored-by: Mason Daugherty <mason@langchain.dev>
This PR updates the update_documents docstring to accurately reflect its
batch behavior and clarify the positional mapping between ids and
documents.
No breaking changes. Documentation-only update.
## Summary
- Fixes [CodeQL alert
#43](https://github.com/langchain-ai/langchain/security/code-scanning/43)
(CWE-20: incomplete URL substring sanitization)
- Replaces `"azure.com" in url` substring check with `urlparse`-based
hostname validation to prevent bypass via crafted URLs (e.g.,
`https://evil-azure.com`, `https://example.com/azure.com`)
- Adds bypass-attempt test cases to the existing Azure endpoint
detection tests
## Why
The substring check `"azure.com" in url` matches URLs where `azure.com`
appears anywhere in the string, not just in the hostname. An
attacker-controlled endpoint like `https://evil-azure.com` or
`https://example.com/azure.com` would incorrectly trigger the Azure code
path. Using `urlparse` to extract and validate the hostname is the
standard fix per CodeQL guidance.
## Test plan
- [x] Existing Azure endpoint detection tests pass
- [x] New negative test cases for bypass attempts pass
- [x] `uv run pytest tests/unit_tests/test_chat_models.py -k azure` —
6/6 passing
> [!NOTE]
> This PR was authored with assistance from an AI agent (Claude Code).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.
🤖 Generated by the `refresh_model_profiles` workflow.
Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
