mirror of
https://github.com/hwchase17/langchain.git
synced 2026-06-09 10:17:00 +00:00
0f4f3f74c85b7438538a6d54ed5c375adebc92fd
30 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
John Kennedy
|
0f4f3f74c8 |
chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385)
## Summary Bumps `pygments` to `>=2.20.0` across all 21 affected packages to address [CVE-2026-4539](https://github.com/advisories/GHSA-XXXX) — ReDoS via inefficient GUID regex in Pygments. - **Severity:** Low - **Fixed in:** 2.20.0 (was 2.19.2) - **Change:** Added `pygments>=2.20.0` to `constraint-dependencies` in `[tool.uv]` for each package, then ran `uv lock --upgrade-package pygments` to regenerate lock files. Closes Dependabot alerts #3435–#3455. ## Release Note Patch deps ### Test Plan - [x] CI Green 🙏 Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
Christophe Bornet
|
494b760028 |
fix(chroma): fix Python 3.14 support in langchain-chroma (#36199)
Latest chromadb version supports Python 3.14 and pydantic 3.12. Co-authored-by: Mason Daugherty <mason@langchain.dev> |
||
dependabot[bot]
|
1122a57f14 |
chore: bump requests from 2.32.5 to 2.33.0 in /libs/partners/chroma (#36257)
[//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [requests](https://github.com/psf/requests) from 2.32.5 to 2.33.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p> <blockquote> <h2>v2.33.0</h2> <h2>2.33.0 (2026-03-25)</h2> <p><strong>Announcements</strong></p> <ul> <li>📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at <a href="https://redirect.github.com/psf/requests/issues/7271">#7271</a>. Give it a try, and report any gaps or feedback you may have in the issue. 📣</li> </ul> <p><strong>Security</strong></p> <ul> <li>CVE-2026-25645 <code>requests.utils.extract_zipped_paths</code> now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.</li> </ul> <p><strong>Improvements</strong></p> <ul> <li>Migrated to a PEP 517 build system using setuptools. (<a href="https://redirect.github.com/psf/requests/issues/7012">#7012</a>)</li> </ul> <p><strong>Bugfixes</strong></p> <ul> <li>Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (<a href="https://redirect.github.com/psf/requests/issues/7205">#7205</a>)</li> </ul> <p><strong>Deprecations</strong></p> <ul> <li>Dropped support for Python 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/7196">#7196</a>)</li> </ul> <p><strong>Documentation</strong></p> <ul> <li>Various typo fixes and doc improvements.</li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/M0d3v1"><code>@M0d3v1</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/6865">psf/requests#6865</a></li> <li><a href="https://github.com/aminvakil"><code>@aminvakil</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/7220">psf/requests#7220</a></li> <li><a href="https://github.com/E8Price"><code>@E8Price</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/6960">psf/requests#6960</a></li> <li><a href="https://github.com/mitre88"><code>@mitre88</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/7244">psf/requests#7244</a></li> <li><a href="https://github.com/magsen"><code>@magsen</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/6553">psf/requests#6553</a></li> <li><a href="https://github.com/Rohan5commit"><code>@Rohan5commit</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/7227">psf/requests#7227</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25">https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's changelog</a>.</em></p> <blockquote> <h2>2.33.0 (2026-03-25)</h2> <p><strong>Announcements</strong></p> <ul> <li>📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at <a href="https://redirect.github.com/psf/requests/issues/7271">#7271</a>. Give it a try, and report any gaps or feedback you may have in the issue. 📣</li> </ul> <p><strong>Security</strong></p> <ul> <li>CVE-2026-25645 <code>requests.utils.extract_zipped_paths</code> now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.</li> </ul> <p><strong>Improvements</strong></p> <ul> <li>Migrated to a PEP 517 build system using setuptools. (<a href="https://redirect.github.com/psf/requests/issues/7012">#7012</a>)</li> </ul> <p><strong>Bugfixes</strong></p> <ul> <li>Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (<a href="https://redirect.github.com/psf/requests/issues/7205">#7205</a>)</li> </ul> <p><strong>Deprecations</strong></p> <ul> <li>Dropped support for Python 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/7196">#7196</a>)</li> </ul> <p><strong>Documentation</strong></p> <ul> <li>Various typo fixes and doc improvements.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
313d353646 | chore: bump orjson from 3.11.5 to 3.11.6 in /libs/partners/chroma (#35800) | ||
|
dependabot[bot]
|
c05a2fb71b |
chore(deps): bump langsmith from 0.4.31 to 0.6.3 in /libs/partners/chroma (#35165)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.4.31 to 0.6.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.6.1</h2> <h2>What's Changed</h2> <ul> <li>ci: test more bundlers by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2263">langchain-ai/langsmith-sdk#2263</a></li> <li>feat(python sdk): Add support for setting commit tags when pushing a prompt by <a href="https://github.com/bees"><code>@bees</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2265">langchain-ai/langsmith-sdk#2265</a></li> <li>feat: Pass in Cache, rename by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2264">langchain-ai/langsmith-sdk#2264</a></li> <li>chore: bump sdk by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2268">langchain-ai/langsmith-sdk#2268</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.6.0...v0.6.1">https://github.com/langchain-ai/langsmith-sdk/compare/v0.6.0...v0.6.1</a></p> <h2>v0.6.0</h2> <h2>What's Changed</h2> <ul> <li>chore(js): bump JS to 0.4.3 by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2253">langchain-ai/langsmith-sdk#2253</a></li> <li>Revert "feat: add js prompt caching" by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2258">langchain-ai/langsmith-sdk#2258</a></li> <li>Revert "feat: Replace UUID5 with deterministic UUID7 for replicas" by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2257">langchain-ai/langsmith-sdk#2257</a></li> <li>release(js): bump to 0.4.4 by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2259">langchain-ai/langsmith-sdk#2259</a></li> <li>feat: add prompt cache back and setup environment tests by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2260">langchain-ai/langsmith-sdk#2260</a></li> <li>feat(python): Bump pydantic to v2 by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2248">langchain-ai/langsmith-sdk#2248</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.5.2...v0.6.0">https://github.com/langchain-ai/langsmith-sdk/compare/v0.5.2...v0.6.0</a></p> <h2>v0.6.0rc0</h2> <h2>What's Changed</h2> <ul> <li>feat(js): Add support for tracing AI SDK 6 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2237">langchain-ai/langsmith-sdk#2237</a></li> <li>fix(js): Remove default Jestlike timeout by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2243">langchain-ai/langsmith-sdk#2243</a></li> <li>feat(js): Add support for tracing tool loop agent by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2244">langchain-ai/langsmith-sdk#2244</a></li> <li>feat: Replace UUID5 with deterministic UUID7 for replicas by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2249">langchain-ai/langsmith-sdk#2249</a></li> <li>feat: add prompt caching to python sdk by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2246">langchain-ai/langsmith-sdk#2246</a></li> <li>feat: add js prompt caching by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2251">langchain-ai/langsmith-sdk#2251</a></li> <li>fix(claude): correctly parse llm and tool inputs in claude agent sdk by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2255">langchain-ai/langsmith-sdk#2255</a></li> <li>bump(python): 0.5.2 by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2256">langchain-ai/langsmith-sdk#2256</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.5.1...v0.6.0rc0">https://github.com/langchain-ai/langsmith-sdk/compare/v0.5.1...v0.6.0rc0</a></p> <h2>v0.5.2</h2> <h2>What's Changed</h2> <ul> <li>feat(js): Add support for tracing AI SDK 6 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2237">langchain-ai/langsmith-sdk#2237</a></li> <li>fix(js): Remove default Jestlike timeout by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2243">langchain-ai/langsmith-sdk#2243</a></li> <li>feat(js): Add support for tracing tool loop agent by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2244">langchain-ai/langsmith-sdk#2244</a></li> <li>feat: Replace UUID5 with deterministic UUID7 for replicas by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2249">langchain-ai/langsmith-sdk#2249</a></li> <li>feat: add prompt caching to python sdk by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2246">langchain-ai/langsmith-sdk#2246</a></li> <li>feat: add js prompt caching by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2251">langchain-ai/langsmith-sdk#2251</a></li> <li>fix(claude): correctly parse llm and tool inputs in claude agent sdk by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2255">langchain-ai/langsmith-sdk#2255</a></li> <li>bump(python): 0.5.2 by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2256">langchain-ai/langsmith-sdk#2256</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.5.1...v0.5.2">https://github.com/langchain-ai/langsmith-sdk/compare/v0.5.1...v0.5.2</a></p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/langchain-ai/langsmith-sdk/commits">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
328bf24a4c |
chore(deps): bump the uv group across 20 directories with 3 updates (#34941)
Bumps the uv group with 1 update in the /libs/core directory: [nbconvert](https://github.com/jupyter/nbconvert). Bumps the uv group with 3 updates in the /libs/langchain directory: [nbconvert](https://github.com/jupyter/nbconvert), [orjson](https://github.com/ijl/orjson) and [protobuf](https://github.com/protocolbuffers/protobuf). Bumps the uv group with 2 updates in the /libs/langchain_v1 directory: [orjson](https://github.com/ijl/orjson) and [protobuf](https://github.com/protocolbuffers/protobuf). Bumps the uv group with 1 update in the /libs/model-profiles directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/anthropic directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 2 updates in the /libs/partners/chroma directory: [orjson](https://github.com/ijl/orjson) and [protobuf](https://github.com/protocolbuffers/protobuf). Bumps the uv group with 1 update in the /libs/partners/deepseek directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/exa directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/fireworks directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/groq directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/huggingface directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/mistralai directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/nomic directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/ollama directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/openai directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/perplexity directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 1 update in the /libs/partners/prompty directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 2 updates in the /libs/partners/qdrant directory: [orjson](https://github.com/ijl/orjson) and [protobuf](https://github.com/protocolbuffers/protobuf). Bumps the uv group with 1 update in the /libs/partners/xai directory: [orjson](https://github.com/ijl/orjson). Bumps the uv group with 2 updates in the /libs/text-splitters directory: [nbconvert](https://github.com/jupyter/nbconvert) and [orjson](https://github.com/ijl/orjson). Updates `nbconvert` from 7.16.6 to 7.17.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jupyter/nbconvert/releases">nbconvert's releases</a>.</em></p> <blockquote> <h2>v7.17.0</h2> <h2>7.17.0</h2> <p>(<a href="https://github.com/jupyter/nbconvert/compare/v7.16.6...c9ac1d1040459ed1ff9eb34e9918ce5a87cf9d71">Full Changelog</a>)</p> <h3>Enhancements made</h3> <ul> <li>Add support for arbitrary browser arguments <a href="https://redirect.github.com/jupyter/nbconvert/pull/2227">#2227</a> (<a href="https://github.com/shreve"><code>@shreve</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Bugs fixed</h3> <ul> <li>Fix QtPNGExporter returning empty bytes on macOS <a href="https://redirect.github.com/jupyter/nbconvert/pull/2264">#2264</a> (<a href="https://github.com/h3pdesign"><code>@h3pdesign</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/QuLogic"><code>@QuLogic</code></a>)</li> <li>Fix CVE-2025-53000: Secure Inkscape Windows path (registry first + block CWD) <a href="https://redirect.github.com/jupyter/nbconvert/pull/2261">#2261</a> (<a href="https://github.com/h3pdesign"><code>@h3pdesign</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/mberlanda"><code>@mberlanda</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>, <a href="https://github.com/salmankadaya"><code>@salmankadaya</code></a>, <a href="https://github.com/th3gowtham"><code>@th3gowtham</code></a>)</li> <li>Fix get_export_names and get_exporter default args <a href="https://redirect.github.com/jupyter/nbconvert/pull/2228">#2228</a> (<a href="https://github.com/shreve"><code>@shreve</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>PyPA-Compliant Summary <a href="https://redirect.github.com/jupyter/nbconvert/pull/2226">#2226</a> (<a href="https://github.com/hackowitz-af"><code>@hackowitz-af</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> </ul> <h3>Maintenance and upkeep improvements</h3> <ul> <li>avoid cov environment on free-threaded Pythons <a href="https://redirect.github.com/jupyter/nbconvert/pull/2267">#2267</a> (<a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>update pre-commit, and fix all issues. <a href="https://redirect.github.com/jupyter/nbconvert/pull/2238">#2238</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Drop test on 3.9, test on 3.13, 3.14, 3.14t <a href="https://redirect.github.com/jupyter/nbconvert/pull/2237">#2237</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Bump the actions group across 1 directory with 2 updates <a href="https://redirect.github.com/jupyter/nbconvert/pull/2231">#2231</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Replace <code>@flaky.flaky</code> decorate with pytest marker <a href="https://redirect.github.com/jupyter/nbconvert/pull/2229">#2229</a> (<a href="https://github.com/mgorny"><code>@mgorny</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>update to mermaid 11.10.0 <a href="https://redirect.github.com/jupyter/nbconvert/pull/2224">#2224</a> (<a href="https://github.com/bollwyvl"><code>@bollwyvl</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Drop support for Python 3.8, fix the CI tests <a href="https://redirect.github.com/jupyter/nbconvert/pull/2221">#2221</a> (<a href="https://github.com/shreve"><code>@shreve</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> </ul> <h3>Documentation improvements</h3> <ul> <li>Use <code>intersphinx_registry</code> <a href="https://redirect.github.com/jupyter/nbconvert/pull/2232">#2232</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Contributors to this release</h3> <p>The following people contributed discussions, new ideas, code and documentation contributions, and review. See <a href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our definition of contributors</a>.</p> <p>(<a href="https://github.com/jupyter/nbconvert/graphs/contributors?from=2025-01-28&to=2026-01-29&type=c">GitHub contributors page for this release</a>)</p> <p><a href="https://github.com/bollwyvl"><code>@bollwyvl</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Abollwyvl+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/Carreau"><code>@Carreau</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3ACarreau+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/h3pdesign"><code>@h3pdesign</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ah3pdesign+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/hackowitz-af"><code>@hackowitz-af</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ahackowitz-af+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/krassowski"><code>@krassowski</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Akrassowski+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/mberlanda"><code>@mberlanda</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Amberlanda+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/mgorny"><code>@mgorny</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Amgorny+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/minrk"><code>@minrk</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Aminrk+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/MSeal"><code>@MSeal</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3AMSeal+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/QuLogic"><code>@QuLogic</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3AQuLogic+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/salmankadaya"><code>@salmankadaya</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Asalmankadaya+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/shreve"><code>@shreve</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ashreve+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/th3gowtham"><code>@th3gowtham</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ath3gowtham+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>)</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jupyter/nbconvert/blob/main/CHANGELOG.md">nbconvert's changelog</a>.</em></p> <blockquote> <h2>7.17.0</h2> <p>(<a href="https://github.com/jupyter/nbconvert/compare/v7.16.6...c9ac1d1040459ed1ff9eb34e9918ce5a87cf9d71">Full Changelog</a>)</p> <h3>Enhancements made</h3> <ul> <li>Add support for arbitrary browser arguments <a href="https://redirect.github.com/jupyter/nbconvert/pull/2227">#2227</a> (<a href="https://github.com/shreve"><code>@shreve</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Bugs fixed</h3> <ul> <li>Fix QtPNGExporter returning empty bytes on macOS <a href="https://redirect.github.com/jupyter/nbconvert/pull/2264">#2264</a> (<a href="https://github.com/h3pdesign"><code>@h3pdesign</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/QuLogic"><code>@QuLogic</code></a>)</li> <li>Fix CVE-2025-53000: Secure Inkscape Windows path (registry first + block CWD) <a href="https://redirect.github.com/jupyter/nbconvert/pull/2261">#2261</a> (<a href="https://github.com/h3pdesign"><code>@h3pdesign</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/mberlanda"><code>@mberlanda</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>, <a href="https://github.com/salmankadaya"><code>@salmankadaya</code></a>, <a href="https://github.com/th3gowtham"><code>@th3gowtham</code></a>)</li> <li>Fix get_export_names and get_exporter default args <a href="https://redirect.github.com/jupyter/nbconvert/pull/2228">#2228</a> (<a href="https://github.com/shreve"><code>@shreve</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>PyPA-Compliant Summary <a href="https://redirect.github.com/jupyter/nbconvert/pull/2226">#2226</a> (<a href="https://github.com/hackowitz-af"><code>@hackowitz-af</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> </ul> <h3>Maintenance and upkeep improvements</h3> <ul> <li>avoid cov environment on free-threaded Pythons <a href="https://redirect.github.com/jupyter/nbconvert/pull/2267">#2267</a> (<a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>update pre-commit, and fix all issues. <a href="https://redirect.github.com/jupyter/nbconvert/pull/2238">#2238</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Drop test on 3.9, test on 3.13, 3.14, 3.14t <a href="https://redirect.github.com/jupyter/nbconvert/pull/2237">#2237</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Bump the actions group across 1 directory with 2 updates <a href="https://redirect.github.com/jupyter/nbconvert/pull/2231">#2231</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Replace <code>@flaky.flaky</code> decorate with pytest marker <a href="https://redirect.github.com/jupyter/nbconvert/pull/2229">#2229</a> (<a href="https://github.com/mgorny"><code>@mgorny</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>update to mermaid 11.10.0 <a href="https://redirect.github.com/jupyter/nbconvert/pull/2224">#2224</a> (<a href="https://github.com/bollwyvl"><code>@bollwyvl</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Drop support for Python 3.8, fix the CI tests <a href="https://redirect.github.com/jupyter/nbconvert/pull/2221">#2221</a> (<a href="https://github.com/shreve"><code>@shreve</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> </ul> <h3>Documentation improvements</h3> <ul> <li>Use <code>intersphinx_registry</code> <a href="https://redirect.github.com/jupyter/nbconvert/pull/2232">#2232</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Contributors to this release</h3> <p>The following people contributed discussions, new ideas, code and documentation contributions, and review. See <a href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our definition of contributors</a>.</p> <p>(<a href="https://github.com/jupyter/nbconvert/graphs/contributors?from=2025-01-28&to=2026-01-29&type=c">GitHub contributors page for this release</a>)</p> <p><a href="https://github.com/bollwyvl"><code>@bollwyvl</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Abollwyvl+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/Carreau"><code>@Carreau</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3ACarreau+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/h3pdesign"><code>@h3pdesign</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ah3pdesign+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/hackowitz-af"><code>@hackowitz-af</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ahackowitz-af+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/krassowski"><code>@krassowski</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Akrassowski+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/mberlanda"><code>@mberlanda</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Amberlanda+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/mgorny"><code>@mgorny</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Amgorny+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/minrk"><code>@minrk</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Aminrk+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/MSeal"><code>@MSeal</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3AMSeal+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/QuLogic"><code>@QuLogic</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3AQuLogic+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/salmankadaya"><code>@salmankadaya</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Asalmankadaya+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/shreve"><code>@shreve</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ashreve+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>) | <a href="https://github.com/th3gowtham"><code>@th3gowtham</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ath3gowtham+updated%3A2025-01-28..2026-01-29&type=Issues">activity</a>)</p> <!-- raw HTML omitted --> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
John Kennedy
|
c5834cc028 | chore: upgrade urllib3 to 2.6.3 (#34940) | ||
|
dependabot[bot]
|
89e1594196 |
chore(deps): bump the uv group across 5 directories with 5 updates (#34785)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
3356d05557 |
chore(deps): bump the uv group across 3 directories with 1 update (#34741)
Bumps the uv group with 1 update in the /libs/langchain directory: [filelock](https://github.com/tox-dev/py-filelock). Bumps the uv group with 1 update in the /libs/text-splitters directory: [filelock](https://github.com/tox-dev/py-filelock). Bumps the uv group with 1 update in the /libs/partners/chroma directory: [filelock](https://github.com/tox-dev/py-filelock). Updates `filelock` from 3.19.1 to 3.20.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tox-dev/py-filelock/releases">filelock's releases</a>.</em></p> <blockquote> <h2>3.20.3</h2> <!-- raw HTML omitted --> <h2>What's Changed</h2> <ul> <li>Fix TOCTOU symlink vulnerability in SoftFileLock by <a href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/tox-dev/filelock/pull/465">tox-dev/filelock#465</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/tox-dev/filelock/compare/3.20.2...3.20.3">https://github.com/tox-dev/filelock/compare/3.20.2...3.20.3</a></p> <h2>3.20.2</h2> <!-- raw HTML omitted --> <h2>What's Changed</h2> <ul> <li>Support Unix systems without O_NOFOLLOW by <a href="https://github.com/mwilliamson"><code>@mwilliamson</code></a> in <a href="https://redirect.github.com/tox-dev/filelock/pull/463">tox-dev/filelock#463</a></li> <li>[pre-commit.ci] pre-commit autoupdate by <a href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot] in <a href="https://redirect.github.com/tox-dev/filelock/pull/464">tox-dev/filelock#464</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/mwilliamson"><code>@mwilliamson</code></a> made their first contribution in <a href="https://redirect.github.com/tox-dev/filelock/pull/463">tox-dev/filelock#463</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/tox-dev/filelock/compare/3.20.1...3.20.2">https://github.com/tox-dev/filelock/compare/3.20.1...3.20.2</a></p> <h2>3.20.1</h2> <!-- raw HTML omitted --> <h2>What's Changed</h2> <ul> <li>CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation by <a href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/tox-dev/filelock/pull/461">tox-dev/filelock#461</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/tox-dev/filelock/compare/3.20.0...3.20.1">https://github.com/tox-dev/filelock/compare/3.20.0...3.20.1</a></p> <h2>3.20.0</h2> <!-- raw HTML omitted --> <h2>What's Changed</h2> <ul> <li>Add tox.toml to sdist by <a href="https://github.com/mtelka"><code>@mtelka</code></a> in <a href="https://redirect.github.com/tox-dev/filelock/pull/436">tox-dev/filelock#436</a></li> <li>Update docs with example by <a href="https://github.com/znichollscr"><code>@znichollscr</code></a> in <a href="https://redirect.github.com/tox-dev/filelock/pull/438">tox-dev/filelock#438</a></li> <li>Add 3.14 support and drop 3.9 by <a href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/tox-dev/filelock/pull/448">tox-dev/filelock#448</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/mtelka"><code>@mtelka</code></a> made their first contribution in <a href="https://redirect.github.com/tox-dev/filelock/pull/436">tox-dev/filelock#436</a></li> <li><a href="https://github.com/znichollscr"><code>@znichollscr</code></a> made their first contribution in <a href="https://redirect.github.com/tox-dev/filelock/pull/438">tox-dev/filelock#438</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/tox-dev/filelock/compare/3.19.1...3.20.0">https://github.com/tox-dev/filelock/compare/3.19.1...3.20.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
ccurme
|
bc232e6d03 | release(chroma): 1.1 (#34316) | ||
itaismith
|
be32382d92 | feat(chroma): Add Search API (#34273) | ||
Sydney Runkle
|
78c10f8790 | chore: update core dep in lockfiles (#34216) | ||
Mason Daugherty
|
f1fca4f46f | release(chroma): 1.0.0 (#33569) | ||
|
Mason Daugherty
|
31eeb50ce0 |
chore: drop UP045 (#33362)
Python 3.9 EOL |
||
|
Mason Daugherty
|
86cf3fad4d | release(chroma): 1.0.0a1 (#33227) | ||
|
Christophe Bornet
|
eaf8dce7c2 |
chore: bump ruff version to 0.13 (#33043)
Co-authored-by: Mason Daugherty <mason@langchain.dev> |
||
|
Mason Daugherty
|
781db9d892 |
chore: update pyproject.toml files, remove codespell (#33028)
- Removes Codespell from deps, docs, and `Makefile`s - Python version requirements in all `pyproject.toml` files now use the `~=` (compatible release) specifier - All dependency groups and main dependencies now use explicit lower and upper bounds, reducing potential for breaking changes |
||
|
Mason Daugherty
|
bd765753ca | release(chroma): 0.2.6 (#32901) | ||
|
Mason Daugherty
|
3d08b6bd11 |
chore: adress pytest-asyncio deprecation warnings + other nits (#32696)
amongst some linting imcompatible rules |
||
|
ccurme
|
e41e6ec6aa | release(chroma): 0.2.5 (#32183) | ||
|
Mason Daugherty
|
4d9eefecab |
fix: bump lockfiles (#31923)
* bump lockfiles after upgrading ruff * resolve resulting linting fixes |
||
|
ccurme
|
14c561e15d | infra: relax types-requests version range (#31504) | ||
|
ccurme
|
6bbc12b7f7 | chroma: release 0.2.4 (#31252) | ||
Jai Radhakrishnan
|
aa4890c136 |
partners: update deps for langchain-chroma (#31251)
Updates dependencies to Chroma to integrate the major release of Chroma with improved performance, and to fix issues users have been seeing using the latest chroma docker image with langchain-chroma https://github.com/langchain-ai/langchain/issues/31047#issuecomment-2850790841 Updates chromadb dependency to >=1.0.9 This also removes the dependency of chroma-hnswlib, meaning it can run against python 3.13 runners for tests as well. Tested this by pulling the latest Chroma docker image, running langchain-chroma using client mode ``` httpClient = chromadb.HttpClient(host="localhost", port=8000) vector_store = Chroma( client=httpClient, collection_name="test", embedding_function=embeddings, ) ``` |
||
|
Sydney Runkle
|
7e926520d5 |
packaging: remove Python upper bound for langchain and co libs (#31025)
Follow up to https://github.com/langchain-ai/langsmith-sdk/pull/1696, I've bumped the `langsmith` version where applicable in `uv.lock`. Type checking problems here because deps have been updated in `pyproject.toml` and `uv lock` hasn't been run - we should enforce that in the future - goes with the other dependabot todos :). |
||
|
Sydney Runkle
|
cf2697ec53 | chroma: release 0.2.3 (#30860) | ||
|
Sydney Runkle
|
4556b81b1d |
Clean up numpy dependencies and speed up 3.13 CI with numpy>=2.1.0 (#30714)
Generally, this PR is CI performance focused + aims to clean up some dependencies at the same time. 1. Unpins upper bounds for `numpy` in all `pyproject.toml` files where `numpy` is specified 2. Requires `numpy >= 2.1.0` for Python 3.13 and `numpy > v1.26.0` for Python 3.12, plus a `numpy` min version bump for `chroma` 3. Speeds up CI by minutes - linting on Python 3.13, installing `numpy < 2.1.0` was taking [~3 minutes](https://github.com/langchain-ai/langchain/actions/runs/14316342925/job/40123305868?pr=30713), now the entire env setup takes a few seconds 4. Deleted the `numpy` test dependency from partners where that was not used, specifically `huggingface`, `voyageai`, `xai`, and `nomic`. It's a bit unfortunate that `langchain-community` depends on `numpy`, we might want to try to fix that in the future... Closes https://github.com/langchain-ai/langchain/issues/26026 Fixes https://github.com/langchain-ai/langchain/issues/30555 |
||
Erick Friis
|
1a225fad03 |
multiple: fix uv path deps (#29790)
file:// format wasn't working with updates - it doesn't install as an editable dep move to tool.uv.sources with path= instead |
||
|
ccurme
|
16fb1f5371 |
chroma[patch]: release 0.2.2 (#29769)
Resolves https://github.com/langchain-ai/langchain/issues/29765 |
||
|
ccurme
|
d172984c91 | infra: migrate to uv (#29566) |