langchain

mirror of https://github.com/hwchase17/langchain.git synced 2026-05-15 11:36:43 +00:00

Author	SHA1	Message	Date
dependabot[bot]	2086b91c78	chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/core (#37329 ) [//]: # (dependabot-start) ⚠️ Dependabot is rebasing this PR ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`9a950b92d9`"><code>9a950b9</code></a> Release 2.7.0</li> <li><a href="`5ec0de499b`"><code>5ec0de4</code></a> Merge commit from fork</li> <li><a href="`2bdcc44d1e`"><code>2bdcc44</code></a> Merge commit from fork</li> <li><a href="`f45b0df09d`"><code>f45b0df</code></a> Fix a misleading example for <code>ProxyManager</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li> <li><a href="`577193ca02`"><code>577193c</code></a> Switch to nightly PyPy3.11 in CI for now (<a href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li> <li><a href="`e90af45bb0`"><code>e90af45</code></a> Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when <code>amt=0</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li> <li><a href="`67ed74fdae`"><code>67ed74f</code></a> Bump dev dependencies (<a href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li> <li><a href="`3abd481097`"><code>3abd481</code></a> Upgrade mypy to version 1.20.2 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li> <li><a href="`2b8725dfca`"><code>2b8725d</code></a> Drop support for EOL PyPy3.10 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li> <li><a href="`2944b2a0a6`"><code>2944b2a</code></a> Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix warnings (<a href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=uv&previous-version=2.6.3&new-version=2.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-11 11:19:44 -07:00
dependabot[bot]	407e33abca	chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/langchain (#37327 ) [//]: # (dependabot-start) ⚠️ Dependabot is rebasing this PR ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`9a950b92d9`"><code>9a950b9</code></a> Release 2.7.0</li> <li><a href="`5ec0de499b`"><code>5ec0de4</code></a> Merge commit from fork</li> <li><a href="`2bdcc44d1e`"><code>2bdcc44</code></a> Merge commit from fork</li> <li><a href="`f45b0df09d`"><code>f45b0df</code></a> Fix a misleading example for <code>ProxyManager</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li> <li><a href="`577193ca02`"><code>577193c</code></a> Switch to nightly PyPy3.11 in CI for now (<a href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li> <li><a href="`e90af45bb0`"><code>e90af45</code></a> Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when <code>amt=0</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li> <li><a href="`67ed74fdae`"><code>67ed74f</code></a> Bump dev dependencies (<a href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li> <li><a href="`3abd481097`"><code>3abd481</code></a> Upgrade mypy to version 1.20.2 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li> <li><a href="`2b8725dfca`"><code>2b8725d</code></a> Drop support for EOL PyPy3.10 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li> <li><a href="`2944b2a0a6`"><code>2944b2a</code></a> Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix warnings (<a href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=uv&previous-version=2.6.3&new-version=2.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-11 11:19:39 -07:00
dependabot[bot]	ab67e2a9e7	chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/deepseek (#37341 ) [//]: # (dependabot-start) ⚠️ Dependabot is rebasing this PR ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`9a950b92d9`"><code>9a950b9</code></a> Release 2.7.0</li> <li><a href="`5ec0de499b`"><code>5ec0de4</code></a> Merge commit from fork</li> <li><a href="`2bdcc44d1e`"><code>2bdcc44</code></a> Merge commit from fork</li> <li><a href="`f45b0df09d`"><code>f45b0df</code></a> Fix a misleading example for <code>ProxyManager</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li> <li><a href="`577193ca02`"><code>577193c</code></a> Switch to nightly PyPy3.11 in CI for now (<a href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li> <li><a href="`e90af45bb0`"><code>e90af45</code></a> Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when <code>amt=0</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li> <li><a href="`67ed74fdae`"><code>67ed74f</code></a> Bump dev dependencies (<a href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li> <li><a href="`3abd481097`"><code>3abd481</code></a> Upgrade mypy to version 1.20.2 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li> <li><a href="`2b8725dfca`"><code>2b8725d</code></a> Drop support for EOL PyPy3.10 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li> <li><a href="`2944b2a0a6`"><code>2944b2a</code></a> Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix warnings (<a href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=uv&previous-version=2.6.3&new-version=2.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-11 18:19:06 +00:00
dependabot[bot]	c92e5c5a71	chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/xai (#37331 ) [//]: # (dependabot-start) ⚠️ Dependabot is rebasing this PR ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`9a950b92d9`"><code>9a950b9</code></a> Release 2.7.0</li> <li><a href="`5ec0de499b`"><code>5ec0de4</code></a> Merge commit from fork</li> <li><a href="`2bdcc44d1e`"><code>2bdcc44</code></a> Merge commit from fork</li> <li><a href="`f45b0df09d`"><code>f45b0df</code></a> Fix a misleading example for <code>ProxyManager</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li> <li><a href="`577193ca02`"><code>577193c</code></a> Switch to nightly PyPy3.11 in CI for now (<a href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li> <li><a href="`e90af45bb0`"><code>e90af45</code></a> Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when <code>amt=0</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li> <li><a href="`67ed74fdae`"><code>67ed74f</code></a> Bump dev dependencies (<a href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li> <li><a href="`3abd481097`"><code>3abd481</code></a> Upgrade mypy to version 1.20.2 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li> <li><a href="`2b8725dfca`"><code>2b8725d</code></a> Drop support for EOL PyPy3.10 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li> <li><a href="`2944b2a0a6`"><code>2944b2a</code></a> Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix warnings (<a href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=uv&previous-version=2.6.3&new-version=2.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-11 18:18:53 +00:00
dependabot[bot]	525fa5a534	chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/perplexity (#37336 ) [//]: # (dependabot-start) ⚠️ Dependabot is rebasing this PR ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`9a950b92d9`"><code>9a950b9</code></a> Release 2.7.0</li> <li><a href="`5ec0de499b`"><code>5ec0de4</code></a> Merge commit from fork</li> <li><a href="`2bdcc44d1e`"><code>2bdcc44</code></a> Merge commit from fork</li> <li><a href="`f45b0df09d`"><code>f45b0df</code></a> Fix a misleading example for <code>ProxyManager</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li> <li><a href="`577193ca02`"><code>577193c</code></a> Switch to nightly PyPy3.11 in CI for now (<a href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li> <li><a href="`e90af45bb0`"><code>e90af45</code></a> Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when <code>amt=0</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li> <li><a href="`67ed74fdae`"><code>67ed74f</code></a> Bump dev dependencies (<a href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li> <li><a href="`3abd481097`"><code>3abd481</code></a> Upgrade mypy to version 1.20.2 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li> <li><a href="`2b8725dfca`"><code>2b8725d</code></a> Drop support for EOL PyPy3.10 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li> <li><a href="`2944b2a0a6`"><code>2944b2a</code></a> Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix warnings (<a href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=uv&previous-version=2.6.3&new-version=2.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-11 18:18:50 +00:00
dependabot[bot]	d3da636e89	chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/exa (#37342 ) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`9a950b92d9`"><code>9a950b9</code></a> Release 2.7.0</li> <li><a href="`5ec0de499b`"><code>5ec0de4</code></a> Merge commit from fork</li> <li><a href="`2bdcc44d1e`"><code>2bdcc44</code></a> Merge commit from fork</li> <li><a href="`f45b0df09d`"><code>f45b0df</code></a> Fix a misleading example for <code>ProxyManager</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li> <li><a href="`577193ca02`"><code>577193c</code></a> Switch to nightly PyPy3.11 in CI for now (<a href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li> <li><a href="`e90af45bb0`"><code>e90af45</code></a> Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when <code>amt=0</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li> <li><a href="`67ed74fdae`"><code>67ed74f</code></a> Bump dev dependencies (<a href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li> <li><a href="`3abd481097`"><code>3abd481</code></a> Upgrade mypy to version 1.20.2 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li> <li><a href="`2b8725dfca`"><code>2b8725d</code></a> Drop support for EOL PyPy3.10 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li> <li><a href="`2944b2a0a6`"><code>2944b2a</code></a> Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix warnings (<a href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=uv&previous-version=2.6.3&new-version=2.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-11 11:18:45 -07:00
dependabot[bot]	0a8b1524e0	chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/groq (#37340 ) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`9a950b92d9`"><code>9a950b9</code></a> Release 2.7.0</li> <li><a href="`5ec0de499b`"><code>5ec0de4</code></a> Merge commit from fork</li> <li><a href="`2bdcc44d1e`"><code>2bdcc44</code></a> Merge commit from fork</li> <li><a href="`f45b0df09d`"><code>f45b0df</code></a> Fix a misleading example for <code>ProxyManager</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li> <li><a href="`577193ca02`"><code>577193c</code></a> Switch to nightly PyPy3.11 in CI for now (<a href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li> <li><a href="`e90af45bb0`"><code>e90af45</code></a> Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when <code>amt=0</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li> <li><a href="`67ed74fdae`"><code>67ed74f</code></a> Bump dev dependencies (<a href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li> <li><a href="`3abd481097`"><code>3abd481</code></a> Upgrade mypy to version 1.20.2 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li> <li><a href="`2b8725dfca`"><code>2b8725d</code></a> Drop support for EOL PyPy3.10 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li> <li><a href="`2944b2a0a6`"><code>2944b2a</code></a> Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix warnings (<a href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=uv&previous-version=2.6.3&new-version=2.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-11 11:18:38 -07:00
dependabot[bot]	70cf7ccde0	chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/ollama (#37337 ) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`9a950b92d9`"><code>9a950b9</code></a> Release 2.7.0</li> <li><a href="`5ec0de499b`"><code>5ec0de4</code></a> Merge commit from fork</li> <li><a href="`2bdcc44d1e`"><code>2bdcc44</code></a> Merge commit from fork</li> <li><a href="`f45b0df09d`"><code>f45b0df</code></a> Fix a misleading example for <code>ProxyManager</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li> <li><a href="`577193ca02`"><code>577193c</code></a> Switch to nightly PyPy3.11 in CI for now (<a href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li> <li><a href="`e90af45bb0`"><code>e90af45</code></a> Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when <code>amt=0</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li> <li><a href="`67ed74fdae`"><code>67ed74f</code></a> Bump dev dependencies (<a href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li> <li><a href="`3abd481097`"><code>3abd481</code></a> Upgrade mypy to version 1.20.2 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li> <li><a href="`2b8725dfca`"><code>2b8725d</code></a> Drop support for EOL PyPy3.10 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li> <li><a href="`2944b2a0a6`"><code>2944b2a</code></a> Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix warnings (<a href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=uv&previous-version=2.6.3&new-version=2.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-11 11:18:34 -07:00
dependabot[bot]	dad1e79261	chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/huggingface (#37335 ) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`9a950b92d9`"><code>9a950b9</code></a> Release 2.7.0</li> <li><a href="`5ec0de499b`"><code>5ec0de4</code></a> Merge commit from fork</li> <li><a href="`2bdcc44d1e`"><code>2bdcc44</code></a> Merge commit from fork</li> <li><a href="`f45b0df09d`"><code>f45b0df</code></a> Fix a misleading example for <code>ProxyManager</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li> <li><a href="`577193ca02`"><code>577193c</code></a> Switch to nightly PyPy3.11 in CI for now (<a href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li> <li><a href="`e90af45bb0`"><code>e90af45</code></a> Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when <code>amt=0</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li> <li><a href="`67ed74fdae`"><code>67ed74f</code></a> Bump dev dependencies (<a href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li> <li><a href="`3abd481097`"><code>3abd481</code></a> Upgrade mypy to version 1.20.2 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li> <li><a href="`2b8725dfca`"><code>2b8725d</code></a> Drop support for EOL PyPy3.10 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li> <li><a href="`2944b2a0a6`"><code>2944b2a</code></a> Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix warnings (<a href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=uv&previous-version=2.6.3&new-version=2.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-11 11:18:30 -07:00
dependabot[bot]	8071327815	chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/openai (#37330 ) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`9a950b92d9`"><code>9a950b9</code></a> Release 2.7.0</li> <li><a href="`5ec0de499b`"><code>5ec0de4</code></a> Merge commit from fork</li> <li><a href="`2bdcc44d1e`"><code>2bdcc44</code></a> Merge commit from fork</li> <li><a href="`f45b0df09d`"><code>f45b0df</code></a> Fix a misleading example for <code>ProxyManager</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li> <li><a href="`577193ca02`"><code>577193c</code></a> Switch to nightly PyPy3.11 in CI for now (<a href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li> <li><a href="`e90af45bb0`"><code>e90af45</code></a> Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when <code>amt=0</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li> <li><a href="`67ed74fdae`"><code>67ed74f</code></a> Bump dev dependencies (<a href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li> <li><a href="`3abd481097`"><code>3abd481</code></a> Upgrade mypy to version 1.20.2 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li> <li><a href="`2b8725dfca`"><code>2b8725d</code></a> Drop support for EOL PyPy3.10 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li> <li><a href="`2944b2a0a6`"><code>2944b2a</code></a> Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix warnings (<a href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=uv&previous-version=2.6.3&new-version=2.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-11 11:18:19 -07:00
dependabot[bot]	6e49b519ea	chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/langchain_v1 (#37328 ) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`9a950b92d9`"><code>9a950b9</code></a> Release 2.7.0</li> <li><a href="`5ec0de499b`"><code>5ec0de4</code></a> Merge commit from fork</li> <li><a href="`2bdcc44d1e`"><code>2bdcc44</code></a> Merge commit from fork</li> <li><a href="`f45b0df09d`"><code>f45b0df</code></a> Fix a misleading example for <code>ProxyManager</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li> <li><a href="`577193ca02`"><code>577193c</code></a> Switch to nightly PyPy3.11 in CI for now (<a href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li> <li><a href="`e90af45bb0`"><code>e90af45</code></a> Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when <code>amt=0</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li> <li><a href="`67ed74fdae`"><code>67ed74f</code></a> Bump dev dependencies (<a href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li> <li><a href="`3abd481097`"><code>3abd481</code></a> Upgrade mypy to version 1.20.2 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li> <li><a href="`2b8725dfca`"><code>2b8725d</code></a> Drop support for EOL PyPy3.10 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li> <li><a href="`2944b2a0a6`"><code>2944b2a</code></a> Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix warnings (<a href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=uv&previous-version=2.6.3&new-version=2.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-11 11:18:16 -07:00
dependabot[bot]	4bf3dd180a	chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/text-splitters (#37326 ) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`9a950b92d9`"><code>9a950b9</code></a> Release 2.7.0</li> <li><a href="`5ec0de499b`"><code>5ec0de4</code></a> Merge commit from fork</li> <li><a href="`2bdcc44d1e`"><code>2bdcc44</code></a> Merge commit from fork</li> <li><a href="`f45b0df09d`"><code>f45b0df</code></a> Fix a misleading example for <code>ProxyManager</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li> <li><a href="`577193ca02`"><code>577193c</code></a> Switch to nightly PyPy3.11 in CI for now (<a href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li> <li><a href="`e90af45bb0`"><code>e90af45</code></a> Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when <code>amt=0</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li> <li><a href="`67ed74fdae`"><code>67ed74f</code></a> Bump dev dependencies (<a href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li> <li><a href="`3abd481097`"><code>3abd481</code></a> Upgrade mypy to version 1.20.2 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li> <li><a href="`2b8725dfca`"><code>2b8725d</code></a> Drop support for EOL PyPy3.10 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li> <li><a href="`2944b2a0a6`"><code>2944b2a</code></a> Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix warnings (<a href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=uv&previous-version=2.6.3&new-version=2.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-11 11:18:12 -07:00
dependabot[bot]	83f3aaaa7a	chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/model-profiles (#37325 ) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`9a950b92d9`"><code>9a950b9</code></a> Release 2.7.0</li> <li><a href="`5ec0de499b`"><code>5ec0de4</code></a> Merge commit from fork</li> <li><a href="`2bdcc44d1e`"><code>2bdcc44</code></a> Merge commit from fork</li> <li><a href="`f45b0df09d`"><code>f45b0df</code></a> Fix a misleading example for <code>ProxyManager</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li> <li><a href="`577193ca02`"><code>577193c</code></a> Switch to nightly PyPy3.11 in CI for now (<a href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li> <li><a href="`e90af45bb0`"><code>e90af45</code></a> Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when <code>amt=0</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li> <li><a href="`67ed74fdae`"><code>67ed74f</code></a> Bump dev dependencies (<a href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li> <li><a href="`3abd481097`"><code>3abd481</code></a> Upgrade mypy to version 1.20.2 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li> <li><a href="`2b8725dfca`"><code>2b8725d</code></a> Drop support for EOL PyPy3.10 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li> <li><a href="`2944b2a0a6`"><code>2944b2a</code></a> Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix warnings (<a href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=uv&previous-version=2.6.3&new-version=2.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-11 11:18:05 -07:00
dependabot[bot]	6312a81a2b	chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/standard-tests (#37324 ) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`9a950b92d9`"><code>9a950b9</code></a> Release 2.7.0</li> <li><a href="`5ec0de499b`"><code>5ec0de4</code></a> Merge commit from fork</li> <li><a href="`2bdcc44d1e`"><code>2bdcc44</code></a> Merge commit from fork</li> <li><a href="`f45b0df09d`"><code>f45b0df</code></a> Fix a misleading example for <code>ProxyManager</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li> <li><a href="`577193ca02`"><code>577193c</code></a> Switch to nightly PyPy3.11 in CI for now (<a href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li> <li><a href="`e90af45bb0`"><code>e90af45</code></a> Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when <code>amt=0</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li> <li><a href="`67ed74fdae`"><code>67ed74f</code></a> Bump dev dependencies (<a href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li> <li><a href="`3abd481097`"><code>3abd481</code></a> Upgrade mypy to version 1.20.2 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li> <li><a href="`2b8725dfca`"><code>2b8725d</code></a> Drop support for EOL PyPy3.10 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li> <li><a href="`2944b2a0a6`"><code>2944b2a</code></a> Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix warnings (<a href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=uv&previous-version=2.6.3&new-version=2.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-11 11:18:00 -07:00
Mason Daugherty	8b21400627	fix(core): avoid eager `pydantic.v1` import in `@deprecated` (#37308 ) `langchain_core._api.deprecation` previously did `from pydantic.v1.fields import FieldInfo as FieldInfoV1` at module scope, which triggers Pydantic's `UserWarning("Core Pydantic V1 functionality isn't compatible with Python 3.14 or greater.")` on every `langchain_core` import under 3.14+. The v1 symbol is only needed inside one runtime branch of `@deprecated`, so it's now resolved lazily. ## Changes - Replace the top-level v1 `FieldInfo` import with `_is_pydantic_v1_field_info`, which probes `sys.modules.get("pydantic.v1.fields")` instead of forcing the import. The reconstruction inside `deprecated`'s `finalize` closure imports `FieldInfoV1` lazily, gated by the predicate — so the warning only fires if a caller has already loaded `pydantic.v1` themselves. - Add a subprocess-based regression test asserting that importing `langchain_core._api.deprecation` does not pull any `pydantic.v1*` module into `sys.modules`. Verified to fail when the eager import is reintroduced. - Add a v1 `FieldInfo` decoration test — the v1 branch of `@deprecated` previously had zero direct coverage. - Update the stale `# Last Any should be FieldInfoV1 but this leads to circular imports` comment on `T`'s bound, which no longer reflects the real reason (it's about the 3.14 warning, not circularity).	2026-05-09 20:35:17 -04:00
dependabot[bot]	85e491821e	chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/openrouter (#37263 ) Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5039dfec1f`"><code>5039dfe</code></a> release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>)</li> <li><a href="`55a7707837`"><code>55a7707</code></a> fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>)</li> <li><a href="`c979c6187b`"><code>c979c61</code></a> fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>)</li> <li><a href="`d7031101da`"><code>d703110</code></a> docs: update README.md (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37190">#37190</a>)</li> <li><a href="`4d50a2a68b`"><code>4d50a2a</code></a> ci(infra): run pre-release checks before TestPyPI publish (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37194">#37194</a>)</li> <li><a href="`9bd730e199`"><code>9bd730e</code></a> fix(fireworks): require <code>api_key</code> in <code>FireworksEmbeddings</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37193">#37193</a>)</li> <li><a href="`f475f4191f`"><code>f475f41</code></a> release(mistralai): 1.1.4 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37191">#37191</a>)</li> <li><a href="`7dbff48aff`"><code>7dbff48</code></a> fix(mistralai): strip non-wire keys from <code>ToolMessage</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37188">#37188</a>)</li> <li><a href="`913816c440`"><code>913816c</code></a> release(fireworks): 1.3.1 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37189">#37189</a>)</li> <li><a href="`4498d3dc84`"><code>4498d3d</code></a> fix(fireworks): strip non-wire keys from <code>ToolMessage</code> text content blocks (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.3.2...langchain-core==1.3.3">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 16:26:26 +00:00
dependabot[bot]	cbdd586076	chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/standard-tests (#37253 ) Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5039dfec1f`"><code>5039dfe</code></a> release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>)</li> <li><a href="`55a7707837`"><code>55a7707</code></a> fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>)</li> <li><a href="`c979c6187b`"><code>c979c61</code></a> fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>)</li> <li><a href="`d7031101da`"><code>d703110</code></a> docs: update README.md (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37190">#37190</a>)</li> <li><a href="`4d50a2a68b`"><code>4d50a2a</code></a> ci(infra): run pre-release checks before TestPyPI publish (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37194">#37194</a>)</li> <li><a href="`9bd730e199`"><code>9bd730e</code></a> fix(fireworks): require <code>api_key</code> in <code>FireworksEmbeddings</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37193">#37193</a>)</li> <li><a href="`f475f4191f`"><code>f475f41</code></a> release(mistralai): 1.1.4 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37191">#37191</a>)</li> <li><a href="`7dbff48aff`"><code>7dbff48</code></a> fix(mistralai): strip non-wire keys from <code>ToolMessage</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37188">#37188</a>)</li> <li><a href="`913816c440`"><code>913816c</code></a> release(fireworks): 1.3.1 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37189">#37189</a>)</li> <li><a href="`4498d3dc84`"><code>4498d3d</code></a> fix(fireworks): strip non-wire keys from <code>ToolMessage</code> text content blocks (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.3.2...langchain-core==1.3.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langchain-core&package-manager=uv&previous-version=1.3.2&new-version=1.3.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 12:26:19 -04:00
dependabot[bot]	fa4e609b61	chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/model-profiles (#37254 ) Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5039dfec1f`"><code>5039dfe</code></a> release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>)</li> <li><a href="`55a7707837`"><code>55a7707</code></a> fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>)</li> <li><a href="`c979c6187b`"><code>c979c61</code></a> fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>)</li> <li><a href="`d7031101da`"><code>d703110</code></a> docs: update README.md (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37190">#37190</a>)</li> <li><a href="`4d50a2a68b`"><code>4d50a2a</code></a> ci(infra): run pre-release checks before TestPyPI publish (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37194">#37194</a>)</li> <li><a href="`9bd730e199`"><code>9bd730e</code></a> fix(fireworks): require <code>api_key</code> in <code>FireworksEmbeddings</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37193">#37193</a>)</li> <li><a href="`f475f4191f`"><code>f475f41</code></a> release(mistralai): 1.1.4 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37191">#37191</a>)</li> <li><a href="`7dbff48aff`"><code>7dbff48</code></a> fix(mistralai): strip non-wire keys from <code>ToolMessage</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37188">#37188</a>)</li> <li><a href="`913816c440`"><code>913816c</code></a> release(fireworks): 1.3.1 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37189">#37189</a>)</li> <li><a href="`4498d3dc84`"><code>4498d3d</code></a> fix(fireworks): strip non-wire keys from <code>ToolMessage</code> text content blocks (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.3.2...langchain-core==1.3.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langchain-core&package-manager=uv&previous-version=1.3.2&new-version=1.3.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 12:26:16 -04:00
dependabot[bot]	52a218e3ef	chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/openai (#37266 ) [//]: # (dependabot-start) ⚠️ Dependabot is rebasing this PR ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5039dfec1f`"><code>5039dfe</code></a> release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>)</li> <li><a href="`55a7707837`"><code>55a7707</code></a> fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>)</li> <li><a href="`c979c6187b`"><code>c979c61</code></a> fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>)</li> <li><a href="`d7031101da`"><code>d703110</code></a> docs: update README.md (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37190">#37190</a>)</li> <li><a href="`4d50a2a68b`"><code>4d50a2a</code></a> ci(infra): run pre-release checks before TestPyPI publish (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37194">#37194</a>)</li> <li><a href="`9bd730e199`"><code>9bd730e</code></a> fix(fireworks): require <code>api_key</code> in <code>FireworksEmbeddings</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37193">#37193</a>)</li> <li><a href="`f475f4191f`"><code>f475f41</code></a> release(mistralai): 1.1.4 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37191">#37191</a>)</li> <li><a href="`7dbff48aff`"><code>7dbff48</code></a> fix(mistralai): strip non-wire keys from <code>ToolMessage</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37188">#37188</a>)</li> <li><a href="`913816c440`"><code>913816c</code></a> release(fireworks): 1.3.1 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37189">#37189</a>)</li> <li><a href="`4498d3dc84`"><code>4498d3d</code></a> fix(fireworks): strip non-wire keys from <code>ToolMessage</code> text content blocks (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.3.2...langchain-core==1.3.3">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 16:24:54 +00:00
dependabot[bot]	9dd188e853	chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/xai (#37255 ) [//]: # (dependabot-start) ⚠️ Dependabot is rebasing this PR ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5039dfec1f`"><code>5039dfe</code></a> release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>)</li> <li><a href="`55a7707837`"><code>55a7707</code></a> fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>)</li> <li><a href="`c979c6187b`"><code>c979c61</code></a> fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>)</li> <li><a href="`d7031101da`"><code>d703110</code></a> docs: update README.md (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37190">#37190</a>)</li> <li><a href="`4d50a2a68b`"><code>4d50a2a</code></a> ci(infra): run pre-release checks before TestPyPI publish (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37194">#37194</a>)</li> <li><a href="`9bd730e199`"><code>9bd730e</code></a> fix(fireworks): require <code>api_key</code> in <code>FireworksEmbeddings</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37193">#37193</a>)</li> <li><a href="`f475f4191f`"><code>f475f41</code></a> release(mistralai): 1.1.4 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37191">#37191</a>)</li> <li><a href="`7dbff48aff`"><code>7dbff48</code></a> fix(mistralai): strip non-wire keys from <code>ToolMessage</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37188">#37188</a>)</li> <li><a href="`913816c440`"><code>913816c</code></a> release(fireworks): 1.3.1 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37189">#37189</a>)</li> <li><a href="`4498d3dc84`"><code>4498d3d</code></a> fix(fireworks): strip non-wire keys from <code>ToolMessage</code> text content blocks (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.3.2...langchain-core==1.3.3">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 16:24:34 +00:00
dependabot[bot]	929aeb6289	chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/perplexity (#37262 ) Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5039dfec1f`"><code>5039dfe</code></a> release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>)</li> <li><a href="`55a7707837`"><code>55a7707</code></a> fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>)</li> <li><a href="`c979c6187b`"><code>c979c61</code></a> fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>)</li> <li><a href="`d7031101da`"><code>d703110</code></a> docs: update README.md (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37190">#37190</a>)</li> <li><a href="`4d50a2a68b`"><code>4d50a2a</code></a> ci(infra): run pre-release checks before TestPyPI publish (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37194">#37194</a>)</li> <li><a href="`9bd730e199`"><code>9bd730e</code></a> fix(fireworks): require <code>api_key</code> in <code>FireworksEmbeddings</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37193">#37193</a>)</li> <li><a href="`f475f4191f`"><code>f475f41</code></a> release(mistralai): 1.1.4 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37191">#37191</a>)</li> <li><a href="`7dbff48aff`"><code>7dbff48</code></a> fix(mistralai): strip non-wire keys from <code>ToolMessage</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37188">#37188</a>)</li> <li><a href="`913816c440`"><code>913816c</code></a> release(fireworks): 1.3.1 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37189">#37189</a>)</li> <li><a href="`4498d3dc84`"><code>4498d3d</code></a> fix(fireworks): strip non-wire keys from <code>ToolMessage</code> text content blocks (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.3.2...langchain-core==1.3.3">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 16:24:25 +00:00
dependabot[bot]	ec6e5a777b	chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/huggingface (#37273 ) Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5039dfec1f`"><code>5039dfe</code></a> release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>)</li> <li><a href="`55a7707837`"><code>55a7707</code></a> fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>)</li> <li><a href="`c979c6187b`"><code>c979c61</code></a> fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>)</li> <li><a href="`d7031101da`"><code>d703110</code></a> docs: update README.md (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37190">#37190</a>)</li> <li><a href="`4d50a2a68b`"><code>4d50a2a</code></a> ci(infra): run pre-release checks before TestPyPI publish (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37194">#37194</a>)</li> <li><a href="`9bd730e199`"><code>9bd730e</code></a> fix(fireworks): require <code>api_key</code> in <code>FireworksEmbeddings</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37193">#37193</a>)</li> <li><a href="`f475f4191f`"><code>f475f41</code></a> release(mistralai): 1.1.4 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37191">#37191</a>)</li> <li><a href="`7dbff48aff`"><code>7dbff48</code></a> fix(mistralai): strip non-wire keys from <code>ToolMessage</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37188">#37188</a>)</li> <li><a href="`913816c440`"><code>913816c</code></a> release(fireworks): 1.3.1 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37189">#37189</a>)</li> <li><a href="`4498d3dc84`"><code>4498d3d</code></a> fix(fireworks): strip non-wire keys from <code>ToolMessage</code> text content blocks (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.3.2...langchain-core==1.3.3">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 16:24:15 +00:00
dependabot[bot]	4544825f50	chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/qdrant (#37258 ) Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5039dfec1f`"><code>5039dfe</code></a> release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>)</li> <li><a href="`55a7707837`"><code>55a7707</code></a> fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>)</li> <li><a href="`c979c6187b`"><code>c979c61</code></a> fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>)</li> <li><a href="`d7031101da`"><code>d703110</code></a> docs: update README.md (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37190">#37190</a>)</li> <li><a href="`4d50a2a68b`"><code>4d50a2a</code></a> ci(infra): run pre-release checks before TestPyPI publish (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37194">#37194</a>)</li> <li><a href="`9bd730e199`"><code>9bd730e</code></a> fix(fireworks): require <code>api_key</code> in <code>FireworksEmbeddings</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37193">#37193</a>)</li> <li><a href="`f475f4191f`"><code>f475f41</code></a> release(mistralai): 1.1.4 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37191">#37191</a>)</li> <li><a href="`7dbff48aff`"><code>7dbff48</code></a> fix(mistralai): strip non-wire keys from <code>ToolMessage</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37188">#37188</a>)</li> <li><a href="`913816c440`"><code>913816c</code></a> release(fireworks): 1.3.1 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37189">#37189</a>)</li> <li><a href="`4498d3dc84`"><code>4498d3d</code></a> fix(fireworks): strip non-wire keys from <code>ToolMessage</code> text content blocks (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.3.2...langchain-core==1.3.3">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 16:23:52 +00:00
dependabot[bot]	593dbb94c2	chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/ollama (#37268 ) [//]: # (dependabot-start) ⚠️ Dependabot is rebasing this PR ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5039dfec1f`"><code>5039dfe</code></a> release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>)</li> <li><a href="`55a7707837`"><code>55a7707</code></a> fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>)</li> <li><a href="`c979c6187b`"><code>c979c61</code></a> fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>)</li> <li><a href="`d7031101da`"><code>d703110</code></a> docs: update README.md (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37190">#37190</a>)</li> <li><a href="`4d50a2a68b`"><code>4d50a2a</code></a> ci(infra): run pre-release checks before TestPyPI publish (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37194">#37194</a>)</li> <li><a href="`9bd730e199`"><code>9bd730e</code></a> fix(fireworks): require <code>api_key</code> in <code>FireworksEmbeddings</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37193">#37193</a>)</li> <li><a href="`f475f4191f`"><code>f475f41</code></a> release(mistralai): 1.1.4 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37191">#37191</a>)</li> <li><a href="`7dbff48aff`"><code>7dbff48</code></a> fix(mistralai): strip non-wire keys from <code>ToolMessage</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37188">#37188</a>)</li> <li><a href="`913816c440`"><code>913816c</code></a> release(fireworks): 1.3.1 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37189">#37189</a>)</li> <li><a href="`4498d3dc84`"><code>4498d3d</code></a> fix(fireworks): strip non-wire keys from <code>ToolMessage</code> text content blocks (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.3.2...langchain-core==1.3.3">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 12:23:18 -04:00
dependabot[bot]	47a4ccfa7f	chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/mistralai (#37272 ) Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5039dfec1f`"><code>5039dfe</code></a> release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>)</li> <li><a href="`55a7707837`"><code>55a7707</code></a> fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>)</li> <li><a href="`c979c6187b`"><code>c979c61</code></a> fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>)</li> <li><a href="`d7031101da`"><code>d703110</code></a> docs: update README.md (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37190">#37190</a>)</li> <li><a href="`4d50a2a68b`"><code>4d50a2a</code></a> ci(infra): run pre-release checks before TestPyPI publish (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37194">#37194</a>)</li> <li><a href="`9bd730e199`"><code>9bd730e</code></a> fix(fireworks): require <code>api_key</code> in <code>FireworksEmbeddings</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37193">#37193</a>)</li> <li><a href="`f475f4191f`"><code>f475f41</code></a> release(mistralai): 1.1.4 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37191">#37191</a>)</li> <li><a href="`7dbff48aff`"><code>7dbff48</code></a> fix(mistralai): strip non-wire keys from <code>ToolMessage</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37188">#37188</a>)</li> <li><a href="`913816c440`"><code>913816c</code></a> release(fireworks): 1.3.1 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37189">#37189</a>)</li> <li><a href="`4498d3dc84`"><code>4498d3d</code></a> fix(fireworks): strip non-wire keys from <code>ToolMessage</code> text content blocks (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.3.2...langchain-core==1.3.3">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 16:23:15 +00:00
dependabot[bot]	feb0f30a15	chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/nomic (#37269 ) Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5039dfec1f`"><code>5039dfe</code></a> release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>)</li> <li><a href="`55a7707837`"><code>55a7707</code></a> fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>)</li> <li><a href="`c979c6187b`"><code>c979c61</code></a> fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>)</li> <li><a href="`d7031101da`"><code>d703110</code></a> docs: update README.md (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37190">#37190</a>)</li> <li><a href="`4d50a2a68b`"><code>4d50a2a</code></a> ci(infra): run pre-release checks before TestPyPI publish (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37194">#37194</a>)</li> <li><a href="`9bd730e199`"><code>9bd730e</code></a> fix(fireworks): require <code>api_key</code> in <code>FireworksEmbeddings</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37193">#37193</a>)</li> <li><a href="`f475f4191f`"><code>f475f41</code></a> release(mistralai): 1.1.4 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37191">#37191</a>)</li> <li><a href="`7dbff48aff`"><code>7dbff48</code></a> fix(mistralai): strip non-wire keys from <code>ToolMessage</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37188">#37188</a>)</li> <li><a href="`913816c440`"><code>913816c</code></a> release(fireworks): 1.3.1 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37189">#37189</a>)</li> <li><a href="`4498d3dc84`"><code>4498d3d</code></a> fix(fireworks): strip non-wire keys from <code>ToolMessage</code> text content blocks (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.3.2...langchain-core==1.3.3">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 12:23:12 -04:00
dependabot[bot]	649422fbc3	chore: bump setuptools from 80.9.0 to 82.0.1 in /libs/partners/huggingface (#37274 ) Bumps [setuptools](https://github.com/pypa/setuptools) from 80.9.0 to 82.0.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/setuptools/blob/main/NEWS.rst">setuptools's changelog</a>.</em></p> <blockquote> <h1>v82.0.1</h1> <h2>Bugfixes</h2> <ul> <li>Fix the loading of <code>launcher manifest.xml</code> file. (<a href="https://redirect.github.com/pypa/setuptools/issues/5047">#5047</a>)</li> <li>Replaced deprecated <code>json.__version__</code> with fixture in tests. (<a href="https://redirect.github.com/pypa/setuptools/issues/5186">#5186</a>)</li> </ul> <h2>Improved Documentation</h2> <ul> <li>Add advice about how to improve predictability when installing sdists. (<a href="https://redirect.github.com/pypa/setuptools/issues/5168">#5168</a>)</li> </ul> <h2>Misc</h2> <ul> <li><a href="https://redirect.github.com/pypa/setuptools/issues/4941">#4941</a>, <a href="https://redirect.github.com/pypa/setuptools/issues/5157">#5157</a>, <a href="https://redirect.github.com/pypa/setuptools/issues/5169">#5169</a>, <a href="https://redirect.github.com/pypa/setuptools/issues/5175">#5175</a></li> </ul> <h1>v82.0.0</h1> <h2>Deprecations and Removals</h2> <ul> <li><code>pkg_resources</code> has been removed from Setuptools. Most common uses of <code>pkg_resources</code> have been superseded by the <code>importlib.resources <https://docs.python.org/3/library/importlib.resources.html></code>_ and <code>importlib.metadata <https://docs.python.org/3/library/importlib.metadata.html></code>_ projects. Projects and environments relying on <code>pkg_resources</code> for namespace packages or other behavior should depend on older versions of <code>setuptools</code>. (<a href="https://redirect.github.com/pypa/setuptools/issues/3085">#3085</a>)</li> </ul> <h1>v81.0.0</h1> <h2>Deprecations and Removals</h2> <ul> <li>Removed support for the --dry-run parameter to setup.py. This one feature by its nature threads through lots of core and ancillary functionality, adding complexity and friction. Removal of this parameter will help decouple the compiler functionality from distutils and thus the eventual full integration of distutils. These changes do affect some class and function signatures, so any derivative functionality may require some compatibility shims to support their expected interface. Please report any issues to the Setuptools project for investigation. (<a href="https://redirect.github.com/pypa/setuptools/issues/4872">#4872</a>)</li> </ul> <h1>v80.10.2</h1> <h2>Bugfixes</h2> <ul> <li>Update vendored dependencies. (<a href="https://redirect.github.com/pypa/setuptools/issues/5159">#5159</a>)</li> </ul> <p>Misc</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5a13876673`"><code>5a13876</code></a> Bump version: 82.0.0 → 82.0.1</li> <li><a href="`51ab8f183f`"><code>51ab8f1</code></a> Avoid using (deprecated) 'json.<strong>version</strong>' in tests (<a href="https://redirect.github.com/pypa/setuptools/issues/5194">#5194</a>)</li> <li><a href="`f9c37b20bb`"><code>f9c37b2</code></a> Docs/CI: Fix intersphinx references (<a href="https://redirect.github.com/pypa/setuptools/issues/5195">#5195</a>)</li> <li><a href="`8173db2a4f`"><code>8173db2</code></a> Docs: Fix intersphinx references</li> <li><a href="`09bafbc749`"><code>09bafbc</code></a> Fix past tense on newsfragment</li> <li><a href="`461ea56c8e`"><code>461ea56</code></a> Add news fragment</li> <li><a href="`c4ffe535b5`"><code>c4ffe53</code></a> Avoid using (deprecated) 'json.<strong>version</strong>' in tests</li> <li><a href="`749258b1a9`"><code>749258b</code></a> Cleanup <code>pkg_resources</code> dependencies and configuration (<a href="https://redirect.github.com/pypa/setuptools/issues/5175">#5175</a>)</li> <li><a href="`2019c16701`"><code>2019c16</code></a> Parse <code>ext-module.define-macros</code> from <code>pyproject.toml</code> as list of tuples (<a href="https://redirect.github.com/pypa/setuptools/issues/5169">#5169</a>)</li> <li><a href="`b809c86a37`"><code>b809c86</code></a> Sync setuptools schema with validate-pyproject (<a href="https://redirect.github.com/pypa/setuptools/issues/5157">#5157</a>)</li> <li>Additional commits viewable in <a href="https://github.com/pypa/setuptools/compare/v80.9.0...v82.0.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=setuptools&package-manager=uv&previous-version=80.9.0&new-version=82.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 12:22:42 -04:00
dependabot[bot]	e545a68cc4	chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/groq (#37276 ) Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5039dfec1f`"><code>5039dfe</code></a> release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>)</li> <li><a href="`55a7707837`"><code>55a7707</code></a> fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>)</li> <li><a href="`c979c6187b`"><code>c979c61</code></a> fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>)</li> <li><a href="`d7031101da`"><code>d703110</code></a> docs: update README.md (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37190">#37190</a>)</li> <li><a href="`4d50a2a68b`"><code>4d50a2a</code></a> ci(infra): run pre-release checks before TestPyPI publish (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37194">#37194</a>)</li> <li><a href="`9bd730e199`"><code>9bd730e</code></a> fix(fireworks): require <code>api_key</code> in <code>FireworksEmbeddings</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37193">#37193</a>)</li> <li><a href="`f475f4191f`"><code>f475f41</code></a> release(mistralai): 1.1.4 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37191">#37191</a>)</li> <li><a href="`7dbff48aff`"><code>7dbff48</code></a> fix(mistralai): strip non-wire keys from <code>ToolMessage</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37188">#37188</a>)</li> <li><a href="`913816c440`"><code>913816c</code></a> release(fireworks): 1.3.1 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37189">#37189</a>)</li> <li><a href="`4498d3dc84`"><code>4498d3d</code></a> fix(fireworks): strip non-wire keys from <code>ToolMessage</code> text content blocks (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.3.2...langchain-core==1.3.3">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 12:22:23 -04:00
dependabot[bot]	8e519630d7	chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/fireworks (#37279 ) [//]: # (dependabot-start) ⚠️ Dependabot is rebasing this PR ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5039dfec1f`"><code>5039dfe</code></a> release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>)</li> <li><a href="`55a7707837`"><code>55a7707</code></a> fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>)</li> <li><a href="`c979c6187b`"><code>c979c61</code></a> fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>)</li> <li><a href="`d7031101da`"><code>d703110</code></a> docs: update README.md (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37190">#37190</a>)</li> <li><a href="`4d50a2a68b`"><code>4d50a2a</code></a> ci(infra): run pre-release checks before TestPyPI publish (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37194">#37194</a>)</li> <li><a href="`9bd730e199`"><code>9bd730e</code></a> fix(fireworks): require <code>api_key</code> in <code>FireworksEmbeddings</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37193">#37193</a>)</li> <li><a href="`f475f4191f`"><code>f475f41</code></a> release(mistralai): 1.1.4 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37191">#37191</a>)</li> <li><a href="`7dbff48aff`"><code>7dbff48</code></a> fix(mistralai): strip non-wire keys from <code>ToolMessage</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37188">#37188</a>)</li> <li><a href="`913816c440`"><code>913816c</code></a> release(fireworks): 1.3.1 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37189">#37189</a>)</li> <li><a href="`4498d3dc84`"><code>4498d3d</code></a> fix(fireworks): strip non-wire keys from <code>ToolMessage</code> text content blocks (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.3.2...langchain-core==1.3.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langchain-core&package-manager=uv&previous-version=1.3.2&new-version=1.3.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 12:21:56 -04:00
dependabot[bot]	9278dae4be	chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/exa (#37280 ) [//]: # (dependabot-start) ⚠️ Dependabot is rebasing this PR ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5039dfec1f`"><code>5039dfe</code></a> release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>)</li> <li><a href="`55a7707837`"><code>55a7707</code></a> fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>)</li> <li><a href="`c979c6187b`"><code>c979c61</code></a> fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>)</li> <li><a href="`d7031101da`"><code>d703110</code></a> docs: update README.md (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37190">#37190</a>)</li> <li><a href="`4d50a2a68b`"><code>4d50a2a</code></a> ci(infra): run pre-release checks before TestPyPI publish (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37194">#37194</a>)</li> <li><a href="`9bd730e199`"><code>9bd730e</code></a> fix(fireworks): require <code>api_key</code> in <code>FireworksEmbeddings</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37193">#37193</a>)</li> <li><a href="`f475f4191f`"><code>f475f41</code></a> release(mistralai): 1.1.4 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37191">#37191</a>)</li> <li><a href="`7dbff48aff`"><code>7dbff48</code></a> fix(mistralai): strip non-wire keys from <code>ToolMessage</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37188">#37188</a>)</li> <li><a href="`913816c440`"><code>913816c</code></a> release(fireworks): 1.3.1 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37189">#37189</a>)</li> <li><a href="`4498d3dc84`"><code>4498d3d</code></a> fix(fireworks): strip non-wire keys from <code>ToolMessage</code> text content blocks (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.3.2...langchain-core==1.3.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langchain-core&package-manager=uv&previous-version=1.3.2&new-version=1.3.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 12:21:25 -04:00
dependabot[bot]	8a8341f56d	chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/deepseek (#37282 ) [//]: # (dependabot-start) ⚠️ Dependabot is rebasing this PR ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5039dfec1f`"><code>5039dfe</code></a> release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>)</li> <li><a href="`55a7707837`"><code>55a7707</code></a> fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>)</li> <li><a href="`c979c6187b`"><code>c979c61</code></a> fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>)</li> <li><a href="`d7031101da`"><code>d703110</code></a> docs: update README.md (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37190">#37190</a>)</li> <li><a href="`4d50a2a68b`"><code>4d50a2a</code></a> ci(infra): run pre-release checks before TestPyPI publish (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37194">#37194</a>)</li> <li><a href="`9bd730e199`"><code>9bd730e</code></a> fix(fireworks): require <code>api_key</code> in <code>FireworksEmbeddings</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37193">#37193</a>)</li> <li><a href="`f475f4191f`"><code>f475f41</code></a> release(mistralai): 1.1.4 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37191">#37191</a>)</li> <li><a href="`7dbff48aff`"><code>7dbff48</code></a> fix(mistralai): strip non-wire keys from <code>ToolMessage</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37188">#37188</a>)</li> <li><a href="`913816c440`"><code>913816c</code></a> release(fireworks): 1.3.1 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37189">#37189</a>)</li> <li><a href="`4498d3dc84`"><code>4498d3d</code></a> fix(fireworks): strip non-wire keys from <code>ToolMessage</code> text content blocks (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.3.2...langchain-core==1.3.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langchain-core&package-manager=uv&previous-version=1.3.2&new-version=1.3.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 12:21:17 -04:00
dependabot[bot]	d79dd58b07	chore: bump langsmith from 0.7.31 to 0.8.3 in /libs/partners/exa (#37281 ) [//]: # (dependabot-start) ⚠️ Dependabot is rebasing this PR ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.7.31 to 0.8.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.8.3</h2> <h2>What's Changed</h2> <ul> <li>fix(js): prevent sending [object Object] as span attribute when dealing with nested objects, send full langsmith.usage_metadata if present by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2845">langchain-ai/langsmith-sdk#2845</a></li> <li>release(js): bump to 0.6.2 by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2856">langchain-ai/langsmith-sdk#2856</a></li> <li>sdk(py): replace ttl_seconds with idle_ttl_seconds + delete_after_stop_seconds by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2853">langchain-ai/langsmith-sdk#2853</a></li> <li>sdk(js): replace ttlSeconds with idleTtlSeconds + deleteAfterStopSeconds by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2854">langchain-ai/langsmith-sdk#2854</a></li> <li>Fix push_agent URL owner for name-only identifiers by <a href="https://github.com/vishnu-ssuresh"><code>@vishnu-ssuresh</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2862">langchain-ai/langsmith-sdk#2862</a></li> <li>docs(langsmith): clarify trust boundaries when working with hub by <a href="https://github.com/eyurtsev"><code>@eyurtsev</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2861">langchain-ai/langsmith-sdk#2861</a></li> <li>release(py): 0.8.3 by <a href="https://github.com/vishnu-ssuresh"><code>@vishnu-ssuresh</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2863">langchain-ai/langsmith-sdk#2863</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.2...v0.8.3">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.2...v0.8.3</a></p> <h2>v0.8.2</h2> <h2>What's Changed</h2> <ul> <li>Bump JS SDK version to 0.6.1 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2847">langchain-ai/langsmith-sdk#2847</a></li> <li>fix: parse urllib3 version with packaging.Version by <a href="https://github.com/justinwolfington"><code>@justinwolfington</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2851">langchain-ai/langsmith-sdk#2851</a></li> <li>Bump Python SDK version to 0.8.2 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2855">langchain-ai/langsmith-sdk#2855</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/justinwolfington"><code>@justinwolfington</code></a> made their first contribution in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2851">langchain-ai/langsmith-sdk#2851</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.1...v0.8.2">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.1...v0.8.2</a></p> <h2>v0.8.1</h2> <h2>What's Changed</h2> <ul> <li>chore(js): remove experimental opencode integration by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2836">langchain-ai/langsmith-sdk#2836</a></li> <li>chore(deps-dev): bump google-adk from 1.10.0 to 1.28.1 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2823">langchain-ai/langsmith-sdk#2823</a></li> <li>chore(deps): bump postcss from 8.5.8 to 8.5.12 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2827">langchain-ai/langsmith-sdk#2827</a></li> <li>Add JS profile loading by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2834">langchain-ai/langsmith-sdk#2834</a></li> <li>Add Python profile loading by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2835">langchain-ai/langsmith-sdk#2835</a></li> <li>Extract JS profile auth service by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2846">langchain-ai/langsmith-sdk#2846</a></li> <li>Bump Python SDK version to 0.8.1 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2848">langchain-ai/langsmith-sdk#2848</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.0...v0.8.1">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.0...v0.8.1</a></p> <h2>v0.8.0</h2> <h2>What's Changed</h2> <ul> <li>feat(js,py): JS 0.6.0, Py 0.8.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2831">langchain-ai/langsmith-sdk#2831</a></li> <li>release(js): 0.6.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2832">langchain-ai/langsmith-sdk#2832</a></li> <li>release(py): 0.8.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2833">langchain-ai/langsmith-sdk#2833</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0</a></p> <h2>v0.7.38</h2> <h2>What's Changed</h2> <ul> <li>feat(js): add tracing of opencode by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2776">langchain-ai/langsmith-sdk#2776</a></li> <li>chore(js): Remove types/uuid by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2814">langchain-ai/langsmith-sdk#2814</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`e2386ad8aa`"><code>e2386ad</code></a> release(py): 0.8.3 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2863">#2863</a>)</li> <li><a href="`11d51a370f`"><code>11d51a3</code></a> docs(langsmith): clarify trust boundaries when working with hub (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2861">#2861</a>)</li> <li><a href="`d98c3ed8a9`"><code>d98c3ed</code></a> Fix push_agent URL owner for name-only identifiers (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2862">#2862</a>)</li> <li><a href="`418fd415fc`"><code>418fd41</code></a> sdk(js): replace ttlSeconds with idleTtlSeconds + deleteAfterStopSeconds (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2854">#2854</a>)</li> <li><a href="`1baa2c197d`"><code>1baa2c1</code></a> sdk(py): replace ttl_seconds with idle_ttl_seconds + delete_after_stop_second...</li> <li><a href="`361c8dd869`"><code>361c8dd</code></a> release(js): bump to 0.6.2 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2856">#2856</a>)</li> <li><a href="`0d42882f2d`"><code>0d42882</code></a> fix(js): prevent sending [object Object] as span attribute when dealing with ...</li> <li><a href="`619818ba8d`"><code>619818b</code></a> Bump Python SDK version to 0.8.2 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2855">#2855</a>)</li> <li><a href="`8a7d3c1356`"><code>8a7d3c1</code></a> fix: parse urllib3 version with packaging.Version (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2851">#2851</a>)</li> <li><a href="`54f887704f`"><code>54f8877</code></a> Bump JS SDK version to 0.6.1 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2847">#2847</a>)</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.31...v0.8.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langsmith&package-manager=uv&previous-version=0.7.31&new-version=0.8.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 12:21:07 -04:00
dependabot[bot]	d972968b86	chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/chroma (#37284 ) [//]: # (dependabot-start) ⚠️ Dependabot is rebasing this PR ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5039dfec1f`"><code>5039dfe</code></a> release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>)</li> <li><a href="`55a7707837`"><code>55a7707</code></a> fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>)</li> <li><a href="`c979c6187b`"><code>c979c61</code></a> fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>)</li> <li><a href="`d7031101da`"><code>d703110</code></a> docs: update README.md (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37190">#37190</a>)</li> <li><a href="`4d50a2a68b`"><code>4d50a2a</code></a> ci(infra): run pre-release checks before TestPyPI publish (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37194">#37194</a>)</li> <li><a href="`9bd730e199`"><code>9bd730e</code></a> fix(fireworks): require <code>api_key</code> in <code>FireworksEmbeddings</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37193">#37193</a>)</li> <li><a href="`f475f4191f`"><code>f475f41</code></a> release(mistralai): 1.1.4 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37191">#37191</a>)</li> <li><a href="`7dbff48aff`"><code>7dbff48</code></a> fix(mistralai): strip non-wire keys from <code>ToolMessage</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37188">#37188</a>)</li> <li><a href="`913816c440`"><code>913816c</code></a> release(fireworks): 1.3.1 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37189">#37189</a>)</li> <li><a href="`4498d3dc84`"><code>4498d3d</code></a> fix(fireworks): strip non-wire keys from <code>ToolMessage</code> text content blocks (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.3.2...langchain-core==1.3.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langchain-core&package-manager=uv&previous-version=1.3.2&new-version=1.3.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 12:20:55 -04:00
dependabot[bot]	f5569e333d	chore: bump langsmith from 0.7.31 to 0.8.3 in /libs/partners/deepseek (#37283 ) [//]: # (dependabot-start) ⚠️ Dependabot is rebasing this PR ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.7.31 to 0.8.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.8.3</h2> <h2>What's Changed</h2> <ul> <li>fix(js): prevent sending [object Object] as span attribute when dealing with nested objects, send full langsmith.usage_metadata if present by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2845">langchain-ai/langsmith-sdk#2845</a></li> <li>release(js): bump to 0.6.2 by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2856">langchain-ai/langsmith-sdk#2856</a></li> <li>sdk(py): replace ttl_seconds with idle_ttl_seconds + delete_after_stop_seconds by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2853">langchain-ai/langsmith-sdk#2853</a></li> <li>sdk(js): replace ttlSeconds with idleTtlSeconds + deleteAfterStopSeconds by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2854">langchain-ai/langsmith-sdk#2854</a></li> <li>Fix push_agent URL owner for name-only identifiers by <a href="https://github.com/vishnu-ssuresh"><code>@vishnu-ssuresh</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2862">langchain-ai/langsmith-sdk#2862</a></li> <li>docs(langsmith): clarify trust boundaries when working with hub by <a href="https://github.com/eyurtsev"><code>@eyurtsev</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2861">langchain-ai/langsmith-sdk#2861</a></li> <li>release(py): 0.8.3 by <a href="https://github.com/vishnu-ssuresh"><code>@vishnu-ssuresh</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2863">langchain-ai/langsmith-sdk#2863</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.2...v0.8.3">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.2...v0.8.3</a></p> <h2>v0.8.2</h2> <h2>What's Changed</h2> <ul> <li>Bump JS SDK version to 0.6.1 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2847">langchain-ai/langsmith-sdk#2847</a></li> <li>fix: parse urllib3 version with packaging.Version by <a href="https://github.com/justinwolfington"><code>@justinwolfington</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2851">langchain-ai/langsmith-sdk#2851</a></li> <li>Bump Python SDK version to 0.8.2 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2855">langchain-ai/langsmith-sdk#2855</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/justinwolfington"><code>@justinwolfington</code></a> made their first contribution in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2851">langchain-ai/langsmith-sdk#2851</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.1...v0.8.2">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.1...v0.8.2</a></p> <h2>v0.8.1</h2> <h2>What's Changed</h2> <ul> <li>chore(js): remove experimental opencode integration by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2836">langchain-ai/langsmith-sdk#2836</a></li> <li>chore(deps-dev): bump google-adk from 1.10.0 to 1.28.1 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2823">langchain-ai/langsmith-sdk#2823</a></li> <li>chore(deps): bump postcss from 8.5.8 to 8.5.12 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2827">langchain-ai/langsmith-sdk#2827</a></li> <li>Add JS profile loading by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2834">langchain-ai/langsmith-sdk#2834</a></li> <li>Add Python profile loading by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2835">langchain-ai/langsmith-sdk#2835</a></li> <li>Extract JS profile auth service by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2846">langchain-ai/langsmith-sdk#2846</a></li> <li>Bump Python SDK version to 0.8.1 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2848">langchain-ai/langsmith-sdk#2848</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.0...v0.8.1">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.0...v0.8.1</a></p> <h2>v0.8.0</h2> <h2>What's Changed</h2> <ul> <li>feat(js,py): JS 0.6.0, Py 0.8.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2831">langchain-ai/langsmith-sdk#2831</a></li> <li>release(js): 0.6.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2832">langchain-ai/langsmith-sdk#2832</a></li> <li>release(py): 0.8.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2833">langchain-ai/langsmith-sdk#2833</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0</a></p> <h2>v0.7.38</h2> <h2>What's Changed</h2> <ul> <li>feat(js): add tracing of opencode by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2776">langchain-ai/langsmith-sdk#2776</a></li> <li>chore(js): Remove types/uuid by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2814">langchain-ai/langsmith-sdk#2814</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`e2386ad8aa`"><code>e2386ad</code></a> release(py): 0.8.3 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2863">#2863</a>)</li> <li><a href="`11d51a370f`"><code>11d51a3</code></a> docs(langsmith): clarify trust boundaries when working with hub (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2861">#2861</a>)</li> <li><a href="`d98c3ed8a9`"><code>d98c3ed</code></a> Fix push_agent URL owner for name-only identifiers (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2862">#2862</a>)</li> <li><a href="`418fd415fc`"><code>418fd41</code></a> sdk(js): replace ttlSeconds with idleTtlSeconds + deleteAfterStopSeconds (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2854">#2854</a>)</li> <li><a href="`1baa2c197d`"><code>1baa2c1</code></a> sdk(py): replace ttl_seconds with idle_ttl_seconds + delete_after_stop_second...</li> <li><a href="`361c8dd869`"><code>361c8dd</code></a> release(js): bump to 0.6.2 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2856">#2856</a>)</li> <li><a href="`0d42882f2d`"><code>0d42882</code></a> fix(js): prevent sending [object Object] as span attribute when dealing with ...</li> <li><a href="`619818ba8d`"><code>619818b</code></a> Bump Python SDK version to 0.8.2 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2855">#2855</a>)</li> <li><a href="`8a7d3c1356`"><code>8a7d3c1</code></a> fix: parse urllib3 version with packaging.Version (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2851">#2851</a>)</li> <li><a href="`54f887704f`"><code>54f8877</code></a> Bump JS SDK version to 0.6.1 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2847">#2847</a>)</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.31...v0.8.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langsmith&package-manager=uv&previous-version=0.7.31&new-version=0.8.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 12:20:48 -04:00
dependabot[bot]	d29a1804f5	chore: bump langsmith from 0.7.31 to 0.8.3 in /libs/partners/chroma (#37285 ) Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.7.31 to 0.8.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.8.3</h2> <h2>What's Changed</h2> <ul> <li>fix(js): prevent sending [object Object] as span attribute when dealing with nested objects, send full langsmith.usage_metadata if present by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2845">langchain-ai/langsmith-sdk#2845</a></li> <li>release(js): bump to 0.6.2 by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2856">langchain-ai/langsmith-sdk#2856</a></li> <li>sdk(py): replace ttl_seconds with idle_ttl_seconds + delete_after_stop_seconds by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2853">langchain-ai/langsmith-sdk#2853</a></li> <li>sdk(js): replace ttlSeconds with idleTtlSeconds + deleteAfterStopSeconds by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2854">langchain-ai/langsmith-sdk#2854</a></li> <li>Fix push_agent URL owner for name-only identifiers by <a href="https://github.com/vishnu-ssuresh"><code>@vishnu-ssuresh</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2862">langchain-ai/langsmith-sdk#2862</a></li> <li>docs(langsmith): clarify trust boundaries when working with hub by <a href="https://github.com/eyurtsev"><code>@eyurtsev</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2861">langchain-ai/langsmith-sdk#2861</a></li> <li>release(py): 0.8.3 by <a href="https://github.com/vishnu-ssuresh"><code>@vishnu-ssuresh</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2863">langchain-ai/langsmith-sdk#2863</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.2...v0.8.3">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.2...v0.8.3</a></p> <h2>v0.8.2</h2> <h2>What's Changed</h2> <ul> <li>Bump JS SDK version to 0.6.1 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2847">langchain-ai/langsmith-sdk#2847</a></li> <li>fix: parse urllib3 version with packaging.Version by <a href="https://github.com/justinwolfington"><code>@justinwolfington</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2851">langchain-ai/langsmith-sdk#2851</a></li> <li>Bump Python SDK version to 0.8.2 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2855">langchain-ai/langsmith-sdk#2855</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/justinwolfington"><code>@justinwolfington</code></a> made their first contribution in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2851">langchain-ai/langsmith-sdk#2851</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.1...v0.8.2">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.1...v0.8.2</a></p> <h2>v0.8.1</h2> <h2>What's Changed</h2> <ul> <li>chore(js): remove experimental opencode integration by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2836">langchain-ai/langsmith-sdk#2836</a></li> <li>chore(deps-dev): bump google-adk from 1.10.0 to 1.28.1 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2823">langchain-ai/langsmith-sdk#2823</a></li> <li>chore(deps): bump postcss from 8.5.8 to 8.5.12 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2827">langchain-ai/langsmith-sdk#2827</a></li> <li>Add JS profile loading by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2834">langchain-ai/langsmith-sdk#2834</a></li> <li>Add Python profile loading by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2835">langchain-ai/langsmith-sdk#2835</a></li> <li>Extract JS profile auth service by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2846">langchain-ai/langsmith-sdk#2846</a></li> <li>Bump Python SDK version to 0.8.1 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2848">langchain-ai/langsmith-sdk#2848</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.0...v0.8.1">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.0...v0.8.1</a></p> <h2>v0.8.0</h2> <h2>What's Changed</h2> <ul> <li>feat(js,py): JS 0.6.0, Py 0.8.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2831">langchain-ai/langsmith-sdk#2831</a></li> <li>release(js): 0.6.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2832">langchain-ai/langsmith-sdk#2832</a></li> <li>release(py): 0.8.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2833">langchain-ai/langsmith-sdk#2833</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0</a></p> <h2>v0.7.38</h2> <h2>What's Changed</h2> <ul> <li>feat(js): add tracing of opencode by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2776">langchain-ai/langsmith-sdk#2776</a></li> <li>chore(js): Remove types/uuid by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2814">langchain-ai/langsmith-sdk#2814</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`e2386ad8aa`"><code>e2386ad</code></a> release(py): 0.8.3 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2863">#2863</a>)</li> <li><a href="`11d51a370f`"><code>11d51a3</code></a> docs(langsmith): clarify trust boundaries when working with hub (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2861">#2861</a>)</li> <li><a href="`d98c3ed8a9`"><code>d98c3ed</code></a> Fix push_agent URL owner for name-only identifiers (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2862">#2862</a>)</li> <li><a href="`418fd415fc`"><code>418fd41</code></a> sdk(js): replace ttlSeconds with idleTtlSeconds + deleteAfterStopSeconds (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2854">#2854</a>)</li> <li><a href="`1baa2c197d`"><code>1baa2c1</code></a> sdk(py): replace ttl_seconds with idle_ttl_seconds + delete_after_stop_second...</li> <li><a href="`361c8dd869`"><code>361c8dd</code></a> release(js): bump to 0.6.2 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2856">#2856</a>)</li> <li><a href="`0d42882f2d`"><code>0d42882</code></a> fix(js): prevent sending [object Object] as span attribute when dealing with ...</li> <li><a href="`619818ba8d`"><code>619818b</code></a> Bump Python SDK version to 0.8.2 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2855">#2855</a>)</li> <li><a href="`8a7d3c1356`"><code>8a7d3c1</code></a> fix: parse urllib3 version with packaging.Version (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2851">#2851</a>)</li> <li><a href="`54f887704f`"><code>54f8877</code></a> Bump JS SDK version to 0.6.1 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2847">#2847</a>)</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.31...v0.8.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langsmith&package-manager=uv&previous-version=0.7.31&new-version=0.8.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 12:20:30 -04:00
dependabot[bot]	2d77aa4a89	chore: bump requests from 2.33.0 to 2.33.1 in /libs/partners/anthropic (#37286 ) Bumps [requests](https://github.com/psf/requests) from 2.33.0 to 2.33.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p> <blockquote> <h2>v2.33.1</h2> <h2>2.33.1 (2026-03-30)</h2> <p><strong>Bugfixes</strong></p> <ul> <li>Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (<a href="https://redirect.github.com/psf/requests/issues/7305">#7305</a>)</li> <li>Fixed Content-Type header parsing for malformed values. (<a href="https://redirect.github.com/psf/requests/issues/7309">#7309</a>)</li> <li>Improved error consistency for malformed header values. (<a href="https://redirect.github.com/psf/requests/issues/7308">#7308</a>)</li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/ferdnyc"><code>@ferdnyc</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/7277">psf/requests#7277</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30">https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's changelog</a>.</em></p> <blockquote> <h2>2.33.1 (2026-03-30)</h2> <p><strong>Bugfixes</strong></p> <ul> <li>Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (<a href="https://redirect.github.com/psf/requests/issues/7305">#7305</a>)</li> <li>Fixed Content-Type header parsing for malformed values. (<a href="https://redirect.github.com/psf/requests/issues/7309">#7309</a>)</li> <li>Improved error consistency for malformed header values. (<a href="https://redirect.github.com/psf/requests/issues/7308">#7308</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`111d2b7779`"><code>111d2b7</code></a> v2.33.1</li> <li><a href="`f0198e6dfc`"><code>f0198e6</code></a> Fix malformed value parsing for Content-Type (<a href="https://redirect.github.com/psf/requests/issues/7309">#7309</a>)</li> <li><a href="`bc7dd0fc4d`"><code>bc7dd0f</code></a> Fix cosmetic header validity parsing regex (<a href="https://redirect.github.com/psf/requests/issues/7308">#7308</a>)</li> <li><a href="`4443b1a847`"><code>4443b1a</code></a> Fix unintended test extra (<a href="https://redirect.github.com/psf/requests/issues/7306">#7306</a>)</li> <li><a href="`389eea58df`"><code>389eea5</code></a> Cleanup extracted file after extract_zipped_path test (<a href="https://redirect.github.com/psf/requests/issues/7305">#7305</a>)</li> <li><a href="`7407309c8a`"><code>7407309</code></a> Packaging: DRY out extras definition (<a href="https://redirect.github.com/psf/requests/issues/7277">#7277</a>)</li> <li>See full diff in <a href="https://github.com/psf/requests/compare/v2.33.0...v2.33.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=requests&package-manager=uv&previous-version=2.33.0&new-version=2.33.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 12:20:22 -04:00
dependabot[bot]	81f59692aa	chore: bump langsmith from 0.7.31 to 0.8.3 in /libs/partners/anthropic (#37287 ) Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.7.31 to 0.8.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.8.3</h2> <h2>What's Changed</h2> <ul> <li>fix(js): prevent sending [object Object] as span attribute when dealing with nested objects, send full langsmith.usage_metadata if present by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2845">langchain-ai/langsmith-sdk#2845</a></li> <li>release(js): bump to 0.6.2 by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2856">langchain-ai/langsmith-sdk#2856</a></li> <li>sdk(py): replace ttl_seconds with idle_ttl_seconds + delete_after_stop_seconds by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2853">langchain-ai/langsmith-sdk#2853</a></li> <li>sdk(js): replace ttlSeconds with idleTtlSeconds + deleteAfterStopSeconds by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2854">langchain-ai/langsmith-sdk#2854</a></li> <li>Fix push_agent URL owner for name-only identifiers by <a href="https://github.com/vishnu-ssuresh"><code>@vishnu-ssuresh</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2862">langchain-ai/langsmith-sdk#2862</a></li> <li>docs(langsmith): clarify trust boundaries when working with hub by <a href="https://github.com/eyurtsev"><code>@eyurtsev</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2861">langchain-ai/langsmith-sdk#2861</a></li> <li>release(py): 0.8.3 by <a href="https://github.com/vishnu-ssuresh"><code>@vishnu-ssuresh</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2863">langchain-ai/langsmith-sdk#2863</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.2...v0.8.3">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.2...v0.8.3</a></p> <h2>v0.8.2</h2> <h2>What's Changed</h2> <ul> <li>Bump JS SDK version to 0.6.1 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2847">langchain-ai/langsmith-sdk#2847</a></li> <li>fix: parse urllib3 version with packaging.Version by <a href="https://github.com/justinwolfington"><code>@justinwolfington</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2851">langchain-ai/langsmith-sdk#2851</a></li> <li>Bump Python SDK version to 0.8.2 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2855">langchain-ai/langsmith-sdk#2855</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/justinwolfington"><code>@justinwolfington</code></a> made their first contribution in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2851">langchain-ai/langsmith-sdk#2851</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.1...v0.8.2">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.1...v0.8.2</a></p> <h2>v0.8.1</h2> <h2>What's Changed</h2> <ul> <li>chore(js): remove experimental opencode integration by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2836">langchain-ai/langsmith-sdk#2836</a></li> <li>chore(deps-dev): bump google-adk from 1.10.0 to 1.28.1 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2823">langchain-ai/langsmith-sdk#2823</a></li> <li>chore(deps): bump postcss from 8.5.8 to 8.5.12 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2827">langchain-ai/langsmith-sdk#2827</a></li> <li>Add JS profile loading by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2834">langchain-ai/langsmith-sdk#2834</a></li> <li>Add Python profile loading by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2835">langchain-ai/langsmith-sdk#2835</a></li> <li>Extract JS profile auth service by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2846">langchain-ai/langsmith-sdk#2846</a></li> <li>Bump Python SDK version to 0.8.1 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2848">langchain-ai/langsmith-sdk#2848</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.0...v0.8.1">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.0...v0.8.1</a></p> <h2>v0.8.0</h2> <h2>What's Changed</h2> <ul> <li>feat(js,py): JS 0.6.0, Py 0.8.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2831">langchain-ai/langsmith-sdk#2831</a></li> <li>release(js): 0.6.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2832">langchain-ai/langsmith-sdk#2832</a></li> <li>release(py): 0.8.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2833">langchain-ai/langsmith-sdk#2833</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0</a></p> <h2>v0.7.38</h2> <h2>What's Changed</h2> <ul> <li>feat(js): add tracing of opencode by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2776">langchain-ai/langsmith-sdk#2776</a></li> <li>chore(js): Remove types/uuid by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2814">langchain-ai/langsmith-sdk#2814</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`e2386ad8aa`"><code>e2386ad</code></a> release(py): 0.8.3 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2863">#2863</a>)</li> <li><a href="`11d51a370f`"><code>11d51a3</code></a> docs(langsmith): clarify trust boundaries when working with hub (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2861">#2861</a>)</li> <li><a href="`d98c3ed8a9`"><code>d98c3ed</code></a> Fix push_agent URL owner for name-only identifiers (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2862">#2862</a>)</li> <li><a href="`418fd415fc`"><code>418fd41</code></a> sdk(js): replace ttlSeconds with idleTtlSeconds + deleteAfterStopSeconds (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2854">#2854</a>)</li> <li><a href="`1baa2c197d`"><code>1baa2c1</code></a> sdk(py): replace ttl_seconds with idle_ttl_seconds + delete_after_stop_second...</li> <li><a href="`361c8dd869`"><code>361c8dd</code></a> release(js): bump to 0.6.2 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2856">#2856</a>)</li> <li><a href="`0d42882f2d`"><code>0d42882</code></a> fix(js): prevent sending [object Object] as span attribute when dealing with ...</li> <li><a href="`619818ba8d`"><code>619818b</code></a> Bump Python SDK version to 0.8.2 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2855">#2855</a>)</li> <li><a href="`8a7d3c1356`"><code>8a7d3c1</code></a> fix: parse urllib3 version with packaging.Version (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2851">#2851</a>)</li> <li><a href="`54f887704f`"><code>54f8877</code></a> Bump JS SDK version to 0.6.1 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2847">#2847</a>)</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.31...v0.8.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langsmith&package-manager=uv&previous-version=0.7.31&new-version=0.8.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 12:20:15 -04:00
dependabot[bot]	5810dbdf29	chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/anthropic (#37288 ) Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`5039dfec1f`"><code>5039dfe</code></a> release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>)</li> <li><a href="`55a7707837`"><code>55a7707</code></a> fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>)</li> <li><a href="`c979c6187b`"><code>c979c61</code></a> fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>)</li> <li><a href="`d7031101da`"><code>d703110</code></a> docs: update README.md (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37190">#37190</a>)</li> <li><a href="`4d50a2a68b`"><code>4d50a2a</code></a> ci(infra): run pre-release checks before TestPyPI publish (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37194">#37194</a>)</li> <li><a href="`9bd730e199`"><code>9bd730e</code></a> fix(fireworks): require <code>api_key</code> in <code>FireworksEmbeddings</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37193">#37193</a>)</li> <li><a href="`f475f4191f`"><code>f475f41</code></a> release(mistralai): 1.1.4 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37191">#37191</a>)</li> <li><a href="`7dbff48aff`"><code>7dbff48</code></a> fix(mistralai): strip non-wire keys from <code>ToolMessage</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37188">#37188</a>)</li> <li><a href="`913816c440`"><code>913816c</code></a> release(fireworks): 1.3.1 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37189">#37189</a>)</li> <li><a href="`4498d3dc84`"><code>4498d3d</code></a> fix(fireworks): strip non-wire keys from <code>ToolMessage</code> text content blocks (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.3.2...langchain-core==1.3.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langchain-core&package-manager=uv&previous-version=1.3.2&new-version=1.3.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-09 12:20:07 -04:00
langchain-model-profile-bot[bot]	7842258866	chore(model-profiles): refresh model profile data (#37247 ) Automated refresh of model profile data for all in-monorepo partner integrations via `langchain-profiles refresh`. 🤖 Generated by the `refresh_model_profiles` workflow. Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>	2026-05-08 10:14:32 -04:00
ccurme	4c593b35fb	release(langchain): 1.2.18 (#37250 ) langchain==1.2.18	2026-05-08 09:57:27 -04:00
ccurme	9c48a120b9	revert: feat(langchain): ls_agent_type tag on create_agent calls (#37249 )	2026-05-08 09:24:11 -04:00
dependabot[bot]	85a5a04210	chore: bump mistune from 3.1.4 to 3.2.1 in /libs/text-splitters (#37235 ) Bumps [mistune](https://github.com/lepture/mistune) from 3.1.4 to 3.2.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/lepture/mistune/releases">mistune's releases</a>.</em></p> <blockquote> <h2>v3.2.1</h2> <h3> 🐞 Bug Fixes</h3> <ul> <li>Resolve Windows compatibility issues in file inclusion and tests - by <a href="https://github.com/Yuki9814"><code>@Yuki9814</code></a> <a href="https://github.com/lepture/mistune/commit/2547102"><!-- raw HTML omitted -->(25471)<!-- raw HTML omitted --></a></li> <li>Escape html text - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/a3cb6e5"><!-- raw HTML omitted -->(a3cb6)<!-- raw HTML omitted --></a></li> <li>Update link reference - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/85eb54f"><!-- raw HTML omitted -->(85eb5)<!-- raw HTML omitted --></a></li> <li>Handle escaped dollar signs in inline math - by <a href="https://github.com/saschabuehrle"><code>@saschabuehrle</code></a> in <a href="https://redirect.github.com/lepture/mistune/issues/370">lepture/mistune#370</a> <a href="https://github.com/lepture/mistune/commit/7bd5709"><!-- raw HTML omitted -->(7bd57)<!-- raw HTML omitted --></a></li> <li>Escape id of toc - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/04880a0"><!-- raw HTML omitted -->(04880)<!-- raw HTML omitted --></a></li> <li>Escape id of headings - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/2855622"><!-- raw HTML omitted -->(28556)<!-- raw HTML omitted --></a></li> <li>Remove double-encoding of image alt text - by <a href="https://github.com/lawrence3699"><code>@lawrence3699</code></a> <a href="https://github.com/lepture/mistune/commit/0d6f3d8"><!-- raw HTML omitted -->(0d6f3)<!-- raw HTML omitted --></a></li> <li>Escape xml for math plugin - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/5fa092e"><!-- raw HTML omitted -->(5fa09)<!-- raw HTML omitted --></a></li> <li>Use strict regex for image's height and width - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/8d0cb75"><!-- raw HTML omitted -->(8d0cb)<!-- raw HTML omitted --></a></li> </ul> <h5> <a href="https://github.com/lepture/mistune/compare/v3.2.0...v3.2.1">View changes on GitHub</a></h5> <h2>v3.2.0</h2> <h3> 🚀 Features</h3> <ul> <li>Support footnotes that start on the next line. - by <a href="https://github.com/kylechui"><code>@kylechui</code></a> <a href="https://github.com/lepture/mistune/commit/2677e2d"><!-- raw HTML omitted -->(2677e)<!-- raw HTML omitted --></a></li> <li>Properly handle code blocks inside footnotes. - by <a href="https://github.com/kylechui"><code>@kylechui</code></a> <a href="https://github.com/lepture/mistune/commit/0516c9e"><!-- raw HTML omitted -->(0516c)<!-- raw HTML omitted --></a></li> <li>Support python 3.14 - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/7e0eb65"><!-- raw HTML omitted -->(7e0eb)<!-- raw HTML omitted --></a></li> </ul> <h3> 🐞 Bug Fixes</h3> <ul> <li>Render ref links and footnotes in footnotes. - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/bd90e44"><!-- raw HTML omitted -->(bd90e)<!-- raw HTML omitted --></a></li> <li>Render ref links in TOC. - by <a href="https://github.com/lemon24"><code>@lemon24</code></a> <a href="https://github.com/lepture/mistune/commit/a0a0148"><!-- raw HTML omitted -->(a0a01)<!-- raw HTML omitted --></a></li> <li>Update typing for mypy upgrades - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/8d49cba"><!-- raw HTML omitted -->(8d49c)<!-- raw HTML omitted --></a></li> <li>Render correct html for footnotes - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/9b62204"><!-- raw HTML omitted -->(9b622)<!-- raw HTML omitted --></a></li> </ul> <h5> <a href="https://github.com/lepture/mistune/compare/v3.1.4...v3.2.0">View changes on GitHub</a></h5> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/lepture/mistune/blob/main/docs/changes.rst">mistune's changelog</a>.</em></p> <blockquote> <h2>Version 3.2.1</h2> <p><strong>Released on May 3, 2026</strong></p> <ul> <li>Escape link in <code>render_toc_ul</code>.</li> <li>Escape text in math plugin.</li> <li>Fix regex for math plugin.</li> <li>Escape heading's ID attribute.</li> <li>Fix <code>LINK_TITLE_RE</code> to prevent DoS.</li> <li>Escape class attribute for admonition directive.</li> <li>Remove double-encoding of image alt text.</li> <li>Escape class attribute for image directive.</li> <li>Fix width/height attribute for image directive.</li> </ul> <h2>Version 3.2.0</h2> <p><strong>Released on Dec 23, 2025</strong></p> <ul> <li>Announce supports for python 3.14</li> <li>Fix footnotes plugins for code blocks, ref links, blockquote and etc.</li> <li>Fix ref links in TOC.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`067f908610`"><code>067f908</code></a> chore: release 3.2.1</li> <li><a href="`bf5503067a`"><code>bf55030</code></a> Merge pull request <a href="https://redirect.github.com/lepture/mistune/issues/438">#438</a> from saschabuehrle/fix/issue-370</li> <li><a href="`8d0cb7539a`"><code>8d0cb75</code></a> fix: use strict regex for image's height and width</li> <li><a href="`5fa092e305`"><code>5fa092e</code></a> fix: escape xml for math plugin</li> <li><a href="`71ec9477eb`"><code>71ec947</code></a> Merge pull request <a href="https://redirect.github.com/lepture/mistune/issues/440">#440</a> from lawrence3699/fix/image-alt-double-encoding</li> <li><a href="`0d6f3d8502`"><code>0d6f3d8</code></a> fix: remove double-encoding of image alt text</li> <li><a href="`2855622d7f`"><code>2855622</code></a> fix: escape id of headings</li> <li><a href="`04880a004c`"><code>04880a0</code></a> fix: escape id of toc</li> <li><a href="`7bd5709671`"><code>7bd5709</code></a> fix: handle escaped dollar signs in inline math (fixes <a href="https://redirect.github.com/lepture/mistune/issues/370">#370</a>)</li> <li><a href="`85eb54ff17`"><code>85eb54f</code></a> fix: update link reference</li> <li>Additional commits viewable in <a href="https://github.com/lepture/mistune/compare/v3.1.4...v3.2.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=mistune&package-manager=uv&previous-version=3.1.4&new-version=3.2.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-07 14:48:51 -04:00
dependabot[bot]	2fe237a0b0	chore: bump mistune from 3.1.4 to 3.2.1 in /libs/langchain (#37236 ) Bumps [mistune](https://github.com/lepture/mistune) from 3.1.4 to 3.2.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/lepture/mistune/releases">mistune's releases</a>.</em></p> <blockquote> <h2>v3.2.1</h2> <h3> 🐞 Bug Fixes</h3> <ul> <li>Resolve Windows compatibility issues in file inclusion and tests - by <a href="https://github.com/Yuki9814"><code>@Yuki9814</code></a> <a href="https://github.com/lepture/mistune/commit/2547102"><!-- raw HTML omitted -->(25471)<!-- raw HTML omitted --></a></li> <li>Escape html text - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/a3cb6e5"><!-- raw HTML omitted -->(a3cb6)<!-- raw HTML omitted --></a></li> <li>Update link reference - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/85eb54f"><!-- raw HTML omitted -->(85eb5)<!-- raw HTML omitted --></a></li> <li>Handle escaped dollar signs in inline math - by <a href="https://github.com/saschabuehrle"><code>@saschabuehrle</code></a> in <a href="https://redirect.github.com/lepture/mistune/issues/370">lepture/mistune#370</a> <a href="https://github.com/lepture/mistune/commit/7bd5709"><!-- raw HTML omitted -->(7bd57)<!-- raw HTML omitted --></a></li> <li>Escape id of toc - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/04880a0"><!-- raw HTML omitted -->(04880)<!-- raw HTML omitted --></a></li> <li>Escape id of headings - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/2855622"><!-- raw HTML omitted -->(28556)<!-- raw HTML omitted --></a></li> <li>Remove double-encoding of image alt text - by <a href="https://github.com/lawrence3699"><code>@lawrence3699</code></a> <a href="https://github.com/lepture/mistune/commit/0d6f3d8"><!-- raw HTML omitted -->(0d6f3)<!-- raw HTML omitted --></a></li> <li>Escape xml for math plugin - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/5fa092e"><!-- raw HTML omitted -->(5fa09)<!-- raw HTML omitted --></a></li> <li>Use strict regex for image's height and width - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/8d0cb75"><!-- raw HTML omitted -->(8d0cb)<!-- raw HTML omitted --></a></li> </ul> <h5> <a href="https://github.com/lepture/mistune/compare/v3.2.0...v3.2.1">View changes on GitHub</a></h5> <h2>v3.2.0</h2> <h3> 🚀 Features</h3> <ul> <li>Support footnotes that start on the next line. - by <a href="https://github.com/kylechui"><code>@kylechui</code></a> <a href="https://github.com/lepture/mistune/commit/2677e2d"><!-- raw HTML omitted -->(2677e)<!-- raw HTML omitted --></a></li> <li>Properly handle code blocks inside footnotes. - by <a href="https://github.com/kylechui"><code>@kylechui</code></a> <a href="https://github.com/lepture/mistune/commit/0516c9e"><!-- raw HTML omitted -->(0516c)<!-- raw HTML omitted --></a></li> <li>Support python 3.14 - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/7e0eb65"><!-- raw HTML omitted -->(7e0eb)<!-- raw HTML omitted --></a></li> </ul> <h3> 🐞 Bug Fixes</h3> <ul> <li>Render ref links and footnotes in footnotes. - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/bd90e44"><!-- raw HTML omitted -->(bd90e)<!-- raw HTML omitted --></a></li> <li>Render ref links in TOC. - by <a href="https://github.com/lemon24"><code>@lemon24</code></a> <a href="https://github.com/lepture/mistune/commit/a0a0148"><!-- raw HTML omitted -->(a0a01)<!-- raw HTML omitted --></a></li> <li>Update typing for mypy upgrades - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/8d49cba"><!-- raw HTML omitted -->(8d49c)<!-- raw HTML omitted --></a></li> <li>Render correct html for footnotes - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/9b62204"><!-- raw HTML omitted -->(9b622)<!-- raw HTML omitted --></a></li> </ul> <h5> <a href="https://github.com/lepture/mistune/compare/v3.1.4...v3.2.0">View changes on GitHub</a></h5> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/lepture/mistune/blob/main/docs/changes.rst">mistune's changelog</a>.</em></p> <blockquote> <h2>Version 3.2.1</h2> <p><strong>Released on May 3, 2026</strong></p> <ul> <li>Escape link in <code>render_toc_ul</code>.</li> <li>Escape text in math plugin.</li> <li>Fix regex for math plugin.</li> <li>Escape heading's ID attribute.</li> <li>Fix <code>LINK_TITLE_RE</code> to prevent DoS.</li> <li>Escape class attribute for admonition directive.</li> <li>Remove double-encoding of image alt text.</li> <li>Escape class attribute for image directive.</li> <li>Fix width/height attribute for image directive.</li> </ul> <h2>Version 3.2.0</h2> <p><strong>Released on Dec 23, 2025</strong></p> <ul> <li>Announce supports for python 3.14</li> <li>Fix footnotes plugins for code blocks, ref links, blockquote and etc.</li> <li>Fix ref links in TOC.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`067f908610`"><code>067f908</code></a> chore: release 3.2.1</li> <li><a href="`bf5503067a`"><code>bf55030</code></a> Merge pull request <a href="https://redirect.github.com/lepture/mistune/issues/438">#438</a> from saschabuehrle/fix/issue-370</li> <li><a href="`8d0cb7539a`"><code>8d0cb75</code></a> fix: use strict regex for image's height and width</li> <li><a href="`5fa092e305`"><code>5fa092e</code></a> fix: escape xml for math plugin</li> <li><a href="`71ec9477eb`"><code>71ec947</code></a> Merge pull request <a href="https://redirect.github.com/lepture/mistune/issues/440">#440</a> from lawrence3699/fix/image-alt-double-encoding</li> <li><a href="`0d6f3d8502`"><code>0d6f3d8</code></a> fix: remove double-encoding of image alt text</li> <li><a href="`2855622d7f`"><code>2855622</code></a> fix: escape id of headings</li> <li><a href="`04880a004c`"><code>04880a0</code></a> fix: escape id of toc</li> <li><a href="`7bd5709671`"><code>7bd5709</code></a> fix: handle escaped dollar signs in inline math (fixes <a href="https://redirect.github.com/lepture/mistune/issues/370">#370</a>)</li> <li><a href="`85eb54ff17`"><code>85eb54f</code></a> fix: update link reference</li> <li>Additional commits viewable in <a href="https://github.com/lepture/mistune/compare/v3.1.4...v3.2.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=mistune&package-manager=uv&previous-version=3.1.4&new-version=3.2.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-07 13:08:10 -04:00
dependabot[bot]	1662347879	chore: bump mistune from 3.1.4 to 3.2.1 in /libs/core (#37237 ) Bumps [mistune](https://github.com/lepture/mistune) from 3.1.4 to 3.2.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/lepture/mistune/releases">mistune's releases</a>.</em></p> <blockquote> <h2>v3.2.1</h2> <h3> 🐞 Bug Fixes</h3> <ul> <li>Resolve Windows compatibility issues in file inclusion and tests - by <a href="https://github.com/Yuki9814"><code>@Yuki9814</code></a> <a href="https://github.com/lepture/mistune/commit/2547102"><!-- raw HTML omitted -->(25471)<!-- raw HTML omitted --></a></li> <li>Escape html text - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/a3cb6e5"><!-- raw HTML omitted -->(a3cb6)<!-- raw HTML omitted --></a></li> <li>Update link reference - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/85eb54f"><!-- raw HTML omitted -->(85eb5)<!-- raw HTML omitted --></a></li> <li>Handle escaped dollar signs in inline math - by <a href="https://github.com/saschabuehrle"><code>@saschabuehrle</code></a> in <a href="https://redirect.github.com/lepture/mistune/issues/370">lepture/mistune#370</a> <a href="https://github.com/lepture/mistune/commit/7bd5709"><!-- raw HTML omitted -->(7bd57)<!-- raw HTML omitted --></a></li> <li>Escape id of toc - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/04880a0"><!-- raw HTML omitted -->(04880)<!-- raw HTML omitted --></a></li> <li>Escape id of headings - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/2855622"><!-- raw HTML omitted -->(28556)<!-- raw HTML omitted --></a></li> <li>Remove double-encoding of image alt text - by <a href="https://github.com/lawrence3699"><code>@lawrence3699</code></a> <a href="https://github.com/lepture/mistune/commit/0d6f3d8"><!-- raw HTML omitted -->(0d6f3)<!-- raw HTML omitted --></a></li> <li>Escape xml for math plugin - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/5fa092e"><!-- raw HTML omitted -->(5fa09)<!-- raw HTML omitted --></a></li> <li>Use strict regex for image's height and width - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/8d0cb75"><!-- raw HTML omitted -->(8d0cb)<!-- raw HTML omitted --></a></li> </ul> <h5> <a href="https://github.com/lepture/mistune/compare/v3.2.0...v3.2.1">View changes on GitHub</a></h5> <h2>v3.2.0</h2> <h3> 🚀 Features</h3> <ul> <li>Support footnotes that start on the next line. - by <a href="https://github.com/kylechui"><code>@kylechui</code></a> <a href="https://github.com/lepture/mistune/commit/2677e2d"><!-- raw HTML omitted -->(2677e)<!-- raw HTML omitted --></a></li> <li>Properly handle code blocks inside footnotes. - by <a href="https://github.com/kylechui"><code>@kylechui</code></a> <a href="https://github.com/lepture/mistune/commit/0516c9e"><!-- raw HTML omitted -->(0516c)<!-- raw HTML omitted --></a></li> <li>Support python 3.14 - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/7e0eb65"><!-- raw HTML omitted -->(7e0eb)<!-- raw HTML omitted --></a></li> </ul> <h3> 🐞 Bug Fixes</h3> <ul> <li>Render ref links and footnotes in footnotes. - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/bd90e44"><!-- raw HTML omitted -->(bd90e)<!-- raw HTML omitted --></a></li> <li>Render ref links in TOC. - by <a href="https://github.com/lemon24"><code>@lemon24</code></a> <a href="https://github.com/lepture/mistune/commit/a0a0148"><!-- raw HTML omitted -->(a0a01)<!-- raw HTML omitted --></a></li> <li>Update typing for mypy upgrades - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/8d49cba"><!-- raw HTML omitted -->(8d49c)<!-- raw HTML omitted --></a></li> <li>Render correct html for footnotes - by <a href="https://github.com/lepture"><code>@lepture</code></a> <a href="https://github.com/lepture/mistune/commit/9b62204"><!-- raw HTML omitted -->(9b622)<!-- raw HTML omitted --></a></li> </ul> <h5> <a href="https://github.com/lepture/mistune/compare/v3.1.4...v3.2.0">View changes on GitHub</a></h5> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/lepture/mistune/blob/main/docs/changes.rst">mistune's changelog</a>.</em></p> <blockquote> <h2>Version 3.2.1</h2> <p><strong>Released on May 3, 2026</strong></p> <ul> <li>Escape link in <code>render_toc_ul</code>.</li> <li>Escape text in math plugin.</li> <li>Fix regex for math plugin.</li> <li>Escape heading's ID attribute.</li> <li>Fix <code>LINK_TITLE_RE</code> to prevent DoS.</li> <li>Escape class attribute for admonition directive.</li> <li>Remove double-encoding of image alt text.</li> <li>Escape class attribute for image directive.</li> <li>Fix width/height attribute for image directive.</li> </ul> <h2>Version 3.2.0</h2> <p><strong>Released on Dec 23, 2025</strong></p> <ul> <li>Announce supports for python 3.14</li> <li>Fix footnotes plugins for code blocks, ref links, blockquote and etc.</li> <li>Fix ref links in TOC.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="`067f908610`"><code>067f908</code></a> chore: release 3.2.1</li> <li><a href="`bf5503067a`"><code>bf55030</code></a> Merge pull request <a href="https://redirect.github.com/lepture/mistune/issues/438">#438</a> from saschabuehrle/fix/issue-370</li> <li><a href="`8d0cb7539a`"><code>8d0cb75</code></a> fix: use strict regex for image's height and width</li> <li><a href="`5fa092e305`"><code>5fa092e</code></a> fix: escape xml for math plugin</li> <li><a href="`71ec9477eb`"><code>71ec947</code></a> Merge pull request <a href="https://redirect.github.com/lepture/mistune/issues/440">#440</a> from lawrence3699/fix/image-alt-double-encoding</li> <li><a href="`0d6f3d8502`"><code>0d6f3d8</code></a> fix: remove double-encoding of image alt text</li> <li><a href="`2855622d7f`"><code>2855622</code></a> fix: escape id of headings</li> <li><a href="`04880a004c`"><code>04880a0</code></a> fix: escape id of toc</li> <li><a href="`7bd5709671`"><code>7bd5709</code></a> fix: handle escaped dollar signs in inline math (fixes <a href="https://redirect.github.com/lepture/mistune/issues/370">#370</a>)</li> <li><a href="`85eb54ff17`"><code>85eb54f</code></a> fix: update link reference</li> <li>Additional commits viewable in <a href="https://github.com/lepture/mistune/compare/v3.1.4...v3.2.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=mistune&package-manager=uv&previous-version=3.1.4&new-version=3.2.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-07 13:07:44 -04:00
Eugene Yurtsev	ec9a3c15ad	release(langchain-classic): 1.0.7 (#37240 ) release 1.0.7 langchain-classic==1.0.7	2026-05-07 11:44:10 -04:00
langchain-model-profile-bot[bot]	3de039a46a	chore(model-profiles): refresh model profile data (#37231 ) Automated refresh of model profile data for all in-monorepo partner integrations via `langchain-profiles refresh`. 🤖 Generated by the `refresh_model_profiles` workflow. Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>	2026-05-07 11:13:12 -04:00
Eugene Yurtsev	cccefce0b1	chore(langchain-classic): deprecate hub, limit loads/dumps (#37234 ) deprecate hub classic and hub runnable. This code path isn't expected to be active for most users (it's dependent on having a very old version of the langsmith sdk). harden usage of loads/dumps.	2026-05-07 10:37:33 -04:00
Nick Hollon	1519ed5afb	release(langchain-classic): 1.0.6 (#37211 ) langchain-classic==1.0.6	2026-05-05 16:59:12 -04:00
dependabot[bot]	16b7e43ef4	chore: bump jupyter-server from 2.17.0 to 2.18.0 in /libs/text-splitters (#37202 ) Bumps [jupyter-server](https://github.com/jupyter-server/jupyter_server) from 2.17.0 to 2.18.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jupyter-server/jupyter_server/releases">jupyter-server's releases</a>.</em></p> <blockquote> <h2>v2.18.0</h2> <h2>2.18.0</h2> <p>(<a href="https://github.com/jupyter-server/jupyter_server/compare/v2.17.0...49b34392feaa97735b3b777e3baf8f22f2a14ed8">Full Changelog</a>)</p> <h3>Security patches</h3> <ul> <li>CVE-2026-40110 <a href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p</a></li> <li>CVE-2025-61669 <a href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w</a></li> <li>CVE-2026-40934 <a href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f</a></li> <li>CVE-2026-35397 <a href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3</a></li> </ul> <h3>API and Breaking Changes</h3> <ul> <li>Add query param to sanitize HTML in GET /nbconvert/html <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1618">#1618</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> </ul> <h3>Enhancements made</h3> <ul> <li>Update handlers.py to fix ioloop blockers(sync file operations) <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1617">#1617</a> (<a href="https://github.com/zolyfarkas-fb"><code>@zolyfarkas-fb</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Add resolvePath API for resolving kernel-relative paths <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1331">#1331</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/blink1073"><code>@blink1073</code></a>)</li> </ul> <h3>Bugs fixed</h3> <ul> <li>Move check origin into a util function and add it to websocket <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1630">#1630</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/Yann-P"><code>@Yann-P</code></a>)</li> <li>Fix flaky test_restart_kernel by unsticking nudge() after port-changing restart <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1628">#1628</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/claude"><code>@claude</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Try to fix flaky test "test_restart_kernel" <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1625">#1625</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Fix potential unraisable pytest error <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1624">#1624</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>fix: use %s placeholders in HTTPError to prevent Tornado from doubling % in gateway URLs <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1620">#1620</a> (<a href="https://github.com/terminalchai"><code>@terminalchai</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/ptch314"><code>@ptch314</code></a>)</li> <li>Fix three file descriptor leaks in kernel connection lifecycle (<a href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1506">#1506</a>) <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1619">#1619</a> (<a href="https://github.com/tonyx93"><code>@tonyx93</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Use web.HTTPError for kernel restart failures <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1616">#1616</a> (<a href="https://github.com/YDawn"><code>@YDawn</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Handle EADDRINUSE and EACCES in _bind_http_server_tcp <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1613">#1613</a> (<a href="https://github.com/YDawn"><code>@YDawn</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Use st_birthtime for file created timestamp on macOS/BSD <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1594">#1594</a> (<a href="https://github.com/ktaletsk"><code>@ktaletsk</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Fix double write when refusing hidden files in contents handler <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1585">#1585</a> (<a href="https://github.com/Krish-876"><code>@Krish-876</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Close all sockets in _find_http_port explicitly <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1584">#1584</a> (<a href="https://github.com/MaryushSoroka"><code>@MaryushSoroka</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Fix writing on remote file systems with attribute cache <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1574">#1574</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>Add IdentityProvider.cookie_secret_hook <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1569">#1569</a> (<a href="https://github.com/emin63"><code>@emin63</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>fix context pollution <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1561">#1561</a> (<a href="https://github.com/dualc"><code>@dualc</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>Fix gateway cookie handling <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1558">#1558</a> (<a href="https://github.com/kevin-bates"><code>@kevin-bates</code></a>, <a href="https://github.com/RRosio"><code>@RRosio</code></a>, <a href="https://github.com/lresende"><code>@lresende</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>fix connection exception cause high cpu load <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1484">#1484</a> (<a href="https://github.com/dualc"><code>@dualc</code></a>, <a href="https://github.com/lresende"><code>@lresende</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> </ul> <h3>Maintenance and upkeep improvements</h3> <ul> <li>Start to test on Python 3.13 and 3.14 <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1623">#1623</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Bump actions/create-github-app-token from 2 to 3 in the actions group across 1 directory <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1621">#1621</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Bump brace-expansion from 1.1.12 to 1.1.13 <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1615">#1615</a> (<a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Fix package spec for jupytext <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1614">#1614</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>chore: update pre-commit hooks <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1607">#1607</a> (<a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>try to fix ci on windows <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1600">#1600</a> (<a href="https://github.com/minrk"><code>@minrk</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>run prerelease tests on 3.14 <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1599">#1599</a> (<a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Pin sphinx to an older version (<9) to fix docs <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1597">#1597</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jupyter-server/jupyter_server/blob/main/CHANGELOG.md">jupyter-server's changelog</a>.</em></p> <blockquote> <h2>2.18.0</h2> <p>(<a href="https://github.com/jupyter-server/jupyter_server/compare/v2.9.1...49b34392feaa97735b3b777e3baf8f22f2a14ed8">Full Changelog</a>)</p> <h3>API and Breaking Changes</h3> <ul> <li>Add query param to sanitize HTML in GET /nbconvert/html <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1618">#1618</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> </ul> <h3>Enhancements made</h3> <ul> <li>Update handlers.py to fix ioloop blockers(sync file operations) <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1617">#1617</a> (<a href="https://github.com/zolyfarkas-fb"><code>@zolyfarkas-fb</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Avoid redundant call to <code>_get_os_path</code> in <code>_dir_model</code> <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1547">#1547</a> (<a href="https://github.com/joeyutong"><code>@joeyutong</code></a>, <a href="https://github.com/vidartf"><code>@vidartf</code></a>)</li> <li>Allow specifying extra params to scrub from logs <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1538">#1538</a> (<a href="https://github.com/jtpio"><code>@jtpio</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>, <a href="https://github.com/vidartf"><code>@vidartf</code></a>)</li> <li>Add a logger to the ExtensionPoint API <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1523">#1523</a> (<a href="https://github.com/Zsailer"><code>@Zsailer</code></a>, <a href="https://github.com/vidartf"><code>@vidartf</code></a>)</li> <li>Allow user to update identity values <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1518">#1518</a> (<a href="https://github.com/brichet"><code>@brichet</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>If ServerApp.ip is ipv6 use [::1] as local_url <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1495">#1495</a> (<a href="https://github.com/manics"><code>@manics</code></a>, <a href="https://github.com/afshin"><code>@afshin</code></a>)</li> <li>Better error message when starting kernel for session. <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1478">#1478</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/davidbrochart"><code>@davidbrochart</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Add a traitlet to disable recording HTTP request metrics <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1472">#1472</a> (<a href="https://github.com/yuvipanda"><code>@yuvipanda</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>prometheus: Expose 3 activity metrics <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1471">#1471</a> (<a href="https://github.com/yuvipanda"><code>@yuvipanda</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>Add prometheus info metrics listing server extensions + versions <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1470">#1470</a> (<a href="https://github.com/yuvipanda"><code>@yuvipanda</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>Add prometheus metric with version information <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1467">#1467</a> (<a href="https://github.com/yuvipanda"><code>@yuvipanda</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>Don't hide .so,.dylib files by default <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1457">#1457</a> (<a href="https://github.com/nokados"><code>@nokados</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>, <a href="https://github.com/vidartf"><code>@vidartf</code></a>)</li> <li>Better hash format error message <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1442">#1442</a> (<a href="https://github.com/fcollonval"><code>@fcollonval</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>Removing excessive logging from reading local files <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1420">#1420</a> (<a href="https://github.com/lresende"><code>@lresende</code></a>, <a href="https://github.com/kevin-bates"><code>@kevin-bates</code></a>)</li> <li>Add async start hook to ExtensionApp API <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1417">#1417</a> (<a href="https://github.com/Zsailer"><code>@Zsailer</code></a>, <a href="https://github.com/Darshan808"><code>@Darshan808</code></a>, <a href="https://github.com/bollwyvl"><code>@bollwyvl</code></a>, <a href="https://github.com/fcollonval"><code>@fcollonval</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Do not include token in dashboard link, when available <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1406">#1406</a> (<a href="https://github.com/minrk"><code>@minrk</code></a>, <a href="https://github.com/blink1073"><code>@blink1073</code></a>)</li> <li>Add an option to have authentication enabled for all endpoints by default <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1392">#1392</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Wh1isper"><code>@Wh1isper</code></a>, <a href="https://github.com/blink1073"><code>@blink1073</code></a>, <a href="https://github.com/bollwyvl"><code>@bollwyvl</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>, <a href="https://github.com/yuvipanda"><code>@yuvipanda</code></a>)</li> <li>websockets: add configurations for ping interval and timeout <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1391">#1391</a> (<a href="https://github.com/oliver-sanders"><code>@oliver-sanders</code></a>, <a href="https://github.com/blink1073"><code>@blink1073</code></a>)</li> <li>log extension import time at debug level unless it's actually slow <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1375">#1375</a> (<a href="https://github.com/minrk"><code>@minrk</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>, <a href="https://github.com/yuvipanda"><code>@yuvipanda</code></a>)</li> <li>Add support for async Authorizers (part 2) <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1374">#1374</a> (<a href="https://github.com/Zsailer"><code>@Zsailer</code></a>, <a href="https://github.com/blink1073"><code>@blink1073</code></a>)</li> <li>Support async Authorizers <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1373">#1373</a> (<a href="https://github.com/Zsailer"><code>@Zsailer</code></a>, <a href="https://github.com/blink1073"><code>@blink1073</code></a>)</li> <li>Support get file(notebook) md5 <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1363">#1363</a> (<a href="https://github.com/Wh1isper"><code>@Wh1isper</code></a>, <a href="https://github.com/blink1073"><code>@blink1073</code></a>, <a href="https://github.com/bollwyvl"><code>@bollwyvl</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Update kernel env to reflect changes in session <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1354">#1354</a> (<a href="https://github.com/blink1073"><code>@blink1073</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Add resolvePath API for resolving kernel-relative paths <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1331">#1331</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/blink1073"><code>@blink1073</code></a>)</li> </ul> <h3>Bugs fixed</h3> <ul> <li>Move check origin into a util function and add it to websocket <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1630">#1630</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/Yann-P"><code>@Yann-P</code></a>)</li> <li>Fix flaky test_restart_kernel by unsticking nudge() after port-changing restart <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1628">#1628</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/claude"><code>@claude</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Try to fix flaky test "test_restart_kernel" <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1625">#1625</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Fix potential unraisable pytest error <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1624">#1624</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>fix: use %s placeholders in HTTPError to prevent Tornado from doubling % in gateway URLs <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1620">#1620</a> (<a href="https://github.com/terminalchai"><code>@terminalchai</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/ptch314"><code>@ptch314</code></a>)</li> <li>Fix three file descriptor leaks in kernel connection lifecycle (<a href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1506">#1506</a>) <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1619">#1619</a> (<a href="https://github.com/tonyx93"><code>@tonyx93</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Use web.HTTPError for kernel restart failures <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1616">#1616</a> (<a href="https://github.com/YDawn"><code>@YDawn</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Handle EADDRINUSE and EACCES in _bind_http_server_tcp <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1613">#1613</a> (<a href="https://github.com/YDawn"><code>@YDawn</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Use st_birthtime for file created timestamp on macOS/BSD <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1594">#1594</a> (<a href="https://github.com/ktaletsk"><code>@ktaletsk</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Fix double write when refusing hidden files in contents handler <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1585">#1585</a> (<a href="https://github.com/Krish-876"><code>@Krish-876</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Close all sockets in _find_http_port explicitly <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1584">#1584</a> (<a href="https://github.com/MaryushSoroka"><code>@MaryushSoroka</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Fix writing on remote file systems with attribute cache <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1574">#1574</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>Add IdentityProvider.cookie_secret_hook <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1569">#1569</a> (<a href="https://github.com/emin63"><code>@emin63</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`0ceed45a80`"><code>0ceed45</code></a> Publish 2.18.0</li> <li><a href="`49b34392fe`"><code>49b3439</code></a> Move check origin into a util function and add it to websocket (<a href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1630">#1630</a>)</li> <li><a href="`e2e08c845d`"><code>e2e08c8</code></a> Add test case for bad next URL format</li> <li><a href="`624d6c0daf`"><code>624d6c0</code></a> Delete outdated patch code</li> <li><a href="`d825b93d9c`"><code>d825b93</code></a> Apply suggestion from <a href="https://github.com/minrk"><code>@minrk</code></a></li> <li><a href="`789fed081a`"><code>789fed0</code></a> patch open redirect in /login</li> <li><a href="`2ee51eccf3`"><code>2ee51ec</code></a> fix(CVE-2026-35397): path traversal when target dir starts with root dir</li> <li><a href="`057869a327`"><code>057869a</code></a> Fix allow_origin_pat to do full matching instead of prefix matching</li> <li><a href="`4862199a0f`"><code>4862199</code></a> Add resolvePath API for resolving kernel-relative paths</li> <li><a href="`e31d51406d`"><code>e31d514</code></a> Bump actions/create-github-app-token from 2 to 3 in the actions group across ...</li> <li>Additional commits viewable in <a href="https://github.com/jupyter-server/jupyter_server/compare/v2.17.0...v2.18.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=jupyter-server&package-manager=uv&previous-version=2.17.0&new-version=2.18.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-05 16:41:57 -04:00
dependabot[bot]	ad305571ba	chore: bump jupyter-server from 2.17.0 to 2.18.0 in /libs/langchain (#37203 ) [//]: # (dependabot-start) ⚠️ Dependabot is rebasing this PR ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps [jupyter-server](https://github.com/jupyter-server/jupyter_server) from 2.17.0 to 2.18.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jupyter-server/jupyter_server/releases">jupyter-server's releases</a>.</em></p> <blockquote> <h2>v2.18.0</h2> <h2>2.18.0</h2> <p>(<a href="https://github.com/jupyter-server/jupyter_server/compare/v2.17.0...49b34392feaa97735b3b777e3baf8f22f2a14ed8">Full Changelog</a>)</p> <h3>Security patches</h3> <ul> <li>CVE-2026-40110 <a href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p</a></li> <li>CVE-2025-61669 <a href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w</a></li> <li>CVE-2026-40934 <a href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f</a></li> <li>CVE-2026-35397 <a href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3</a></li> </ul> <h3>API and Breaking Changes</h3> <ul> <li>Add query param to sanitize HTML in GET /nbconvert/html <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1618">#1618</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> </ul> <h3>Enhancements made</h3> <ul> <li>Update handlers.py to fix ioloop blockers(sync file operations) <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1617">#1617</a> (<a href="https://github.com/zolyfarkas-fb"><code>@zolyfarkas-fb</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Add resolvePath API for resolving kernel-relative paths <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1331">#1331</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/blink1073"><code>@blink1073</code></a>)</li> </ul> <h3>Bugs fixed</h3> <ul> <li>Move check origin into a util function and add it to websocket <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1630">#1630</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/Yann-P"><code>@Yann-P</code></a>)</li> <li>Fix flaky test_restart_kernel by unsticking nudge() after port-changing restart <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1628">#1628</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/claude"><code>@claude</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Try to fix flaky test "test_restart_kernel" <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1625">#1625</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Fix potential unraisable pytest error <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1624">#1624</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>fix: use %s placeholders in HTTPError to prevent Tornado from doubling % in gateway URLs <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1620">#1620</a> (<a href="https://github.com/terminalchai"><code>@terminalchai</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/ptch314"><code>@ptch314</code></a>)</li> <li>Fix three file descriptor leaks in kernel connection lifecycle (<a href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1506">#1506</a>) <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1619">#1619</a> (<a href="https://github.com/tonyx93"><code>@tonyx93</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Use web.HTTPError for kernel restart failures <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1616">#1616</a> (<a href="https://github.com/YDawn"><code>@YDawn</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Handle EADDRINUSE and EACCES in _bind_http_server_tcp <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1613">#1613</a> (<a href="https://github.com/YDawn"><code>@YDawn</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Use st_birthtime for file created timestamp on macOS/BSD <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1594">#1594</a> (<a href="https://github.com/ktaletsk"><code>@ktaletsk</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Fix double write when refusing hidden files in contents handler <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1585">#1585</a> (<a href="https://github.com/Krish-876"><code>@Krish-876</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Close all sockets in _find_http_port explicitly <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1584">#1584</a> (<a href="https://github.com/MaryushSoroka"><code>@MaryushSoroka</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Fix writing on remote file systems with attribute cache <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1574">#1574</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>Add IdentityProvider.cookie_secret_hook <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1569">#1569</a> (<a href="https://github.com/emin63"><code>@emin63</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>fix context pollution <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1561">#1561</a> (<a href="https://github.com/dualc"><code>@dualc</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>Fix gateway cookie handling <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1558">#1558</a> (<a href="https://github.com/kevin-bates"><code>@kevin-bates</code></a>, <a href="https://github.com/RRosio"><code>@RRosio</code></a>, <a href="https://github.com/lresende"><code>@lresende</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>fix connection exception cause high cpu load <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1484">#1484</a> (<a href="https://github.com/dualc"><code>@dualc</code></a>, <a href="https://github.com/lresende"><code>@lresende</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> </ul> <h3>Maintenance and upkeep improvements</h3> <ul> <li>Start to test on Python 3.13 and 3.14 <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1623">#1623</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Bump actions/create-github-app-token from 2 to 3 in the actions group across 1 directory <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1621">#1621</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Bump brace-expansion from 1.1.12 to 1.1.13 <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1615">#1615</a> (<a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Fix package spec for jupytext <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1614">#1614</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>chore: update pre-commit hooks <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1607">#1607</a> (<a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>try to fix ci on windows <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1600">#1600</a> (<a href="https://github.com/minrk"><code>@minrk</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>run prerelease tests on 3.14 <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1599">#1599</a> (<a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Pin sphinx to an older version (<9) to fix docs <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1597">#1597</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jupyter-server/jupyter_server/blob/main/CHANGELOG.md">jupyter-server's changelog</a>.</em></p> <blockquote> <h2>2.18.0</h2> <p>(<a href="https://github.com/jupyter-server/jupyter_server/compare/v2.9.1...49b34392feaa97735b3b777e3baf8f22f2a14ed8">Full Changelog</a>)</p> <h3>API and Breaking Changes</h3> <ul> <li>Add query param to sanitize HTML in GET /nbconvert/html <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1618">#1618</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> </ul> <h3>Enhancements made</h3> <ul> <li>Update handlers.py to fix ioloop blockers(sync file operations) <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1617">#1617</a> (<a href="https://github.com/zolyfarkas-fb"><code>@zolyfarkas-fb</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Avoid redundant call to <code>_get_os_path</code> in <code>_dir_model</code> <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1547">#1547</a> (<a href="https://github.com/joeyutong"><code>@joeyutong</code></a>, <a href="https://github.com/vidartf"><code>@vidartf</code></a>)</li> <li>Allow specifying extra params to scrub from logs <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1538">#1538</a> (<a href="https://github.com/jtpio"><code>@jtpio</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>, <a href="https://github.com/vidartf"><code>@vidartf</code></a>)</li> <li>Add a logger to the ExtensionPoint API <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1523">#1523</a> (<a href="https://github.com/Zsailer"><code>@Zsailer</code></a>, <a href="https://github.com/vidartf"><code>@vidartf</code></a>)</li> <li>Allow user to update identity values <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1518">#1518</a> (<a href="https://github.com/brichet"><code>@brichet</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>If ServerApp.ip is ipv6 use [::1] as local_url <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1495">#1495</a> (<a href="https://github.com/manics"><code>@manics</code></a>, <a href="https://github.com/afshin"><code>@afshin</code></a>)</li> <li>Better error message when starting kernel for session. <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1478">#1478</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/davidbrochart"><code>@davidbrochart</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Add a traitlet to disable recording HTTP request metrics <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1472">#1472</a> (<a href="https://github.com/yuvipanda"><code>@yuvipanda</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>prometheus: Expose 3 activity metrics <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1471">#1471</a> (<a href="https://github.com/yuvipanda"><code>@yuvipanda</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>Add prometheus info metrics listing server extensions + versions <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1470">#1470</a> (<a href="https://github.com/yuvipanda"><code>@yuvipanda</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>Add prometheus metric with version information <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1467">#1467</a> (<a href="https://github.com/yuvipanda"><code>@yuvipanda</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>Don't hide .so,.dylib files by default <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1457">#1457</a> (<a href="https://github.com/nokados"><code>@nokados</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>, <a href="https://github.com/vidartf"><code>@vidartf</code></a>)</li> <li>Better hash format error message <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1442">#1442</a> (<a href="https://github.com/fcollonval"><code>@fcollonval</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>Removing excessive logging from reading local files <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1420">#1420</a> (<a href="https://github.com/lresende"><code>@lresende</code></a>, <a href="https://github.com/kevin-bates"><code>@kevin-bates</code></a>)</li> <li>Add async start hook to ExtensionApp API <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1417">#1417</a> (<a href="https://github.com/Zsailer"><code>@Zsailer</code></a>, <a href="https://github.com/Darshan808"><code>@Darshan808</code></a>, <a href="https://github.com/bollwyvl"><code>@bollwyvl</code></a>, <a href="https://github.com/fcollonval"><code>@fcollonval</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Do not include token in dashboard link, when available <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1406">#1406</a> (<a href="https://github.com/minrk"><code>@minrk</code></a>, <a href="https://github.com/blink1073"><code>@blink1073</code></a>)</li> <li>Add an option to have authentication enabled for all endpoints by default <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1392">#1392</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Wh1isper"><code>@Wh1isper</code></a>, <a href="https://github.com/blink1073"><code>@blink1073</code></a>, <a href="https://github.com/bollwyvl"><code>@bollwyvl</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>, <a href="https://github.com/yuvipanda"><code>@yuvipanda</code></a>)</li> <li>websockets: add configurations for ping interval and timeout <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1391">#1391</a> (<a href="https://github.com/oliver-sanders"><code>@oliver-sanders</code></a>, <a href="https://github.com/blink1073"><code>@blink1073</code></a>)</li> <li>log extension import time at debug level unless it's actually slow <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1375">#1375</a> (<a href="https://github.com/minrk"><code>@minrk</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>, <a href="https://github.com/yuvipanda"><code>@yuvipanda</code></a>)</li> <li>Add support for async Authorizers (part 2) <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1374">#1374</a> (<a href="https://github.com/Zsailer"><code>@Zsailer</code></a>, <a href="https://github.com/blink1073"><code>@blink1073</code></a>)</li> <li>Support async Authorizers <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1373">#1373</a> (<a href="https://github.com/Zsailer"><code>@Zsailer</code></a>, <a href="https://github.com/blink1073"><code>@blink1073</code></a>)</li> <li>Support get file(notebook) md5 <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1363">#1363</a> (<a href="https://github.com/Wh1isper"><code>@Wh1isper</code></a>, <a href="https://github.com/blink1073"><code>@blink1073</code></a>, <a href="https://github.com/bollwyvl"><code>@bollwyvl</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Update kernel env to reflect changes in session <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1354">#1354</a> (<a href="https://github.com/blink1073"><code>@blink1073</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Add resolvePath API for resolving kernel-relative paths <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1331">#1331</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/blink1073"><code>@blink1073</code></a>)</li> </ul> <h3>Bugs fixed</h3> <ul> <li>Move check origin into a util function and add it to websocket <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1630">#1630</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/Yann-P"><code>@Yann-P</code></a>)</li> <li>Fix flaky test_restart_kernel by unsticking nudge() after port-changing restart <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1628">#1628</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/claude"><code>@claude</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Try to fix flaky test "test_restart_kernel" <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1625">#1625</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Fix potential unraisable pytest error <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1624">#1624</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>fix: use %s placeholders in HTTPError to prevent Tornado from doubling % in gateway URLs <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1620">#1620</a> (<a href="https://github.com/terminalchai"><code>@terminalchai</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/ptch314"><code>@ptch314</code></a>)</li> <li>Fix three file descriptor leaks in kernel connection lifecycle (<a href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1506">#1506</a>) <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1619">#1619</a> (<a href="https://github.com/tonyx93"><code>@tonyx93</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Use web.HTTPError for kernel restart failures <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1616">#1616</a> (<a href="https://github.com/YDawn"><code>@YDawn</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Handle EADDRINUSE and EACCES in _bind_http_server_tcp <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1613">#1613</a> (<a href="https://github.com/YDawn"><code>@YDawn</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Use st_birthtime for file created timestamp on macOS/BSD <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1594">#1594</a> (<a href="https://github.com/ktaletsk"><code>@ktaletsk</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Fix double write when refusing hidden files in contents handler <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1585">#1585</a> (<a href="https://github.com/Krish-876"><code>@Krish-876</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Close all sockets in _find_http_port explicitly <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1584">#1584</a> (<a href="https://github.com/MaryushSoroka"><code>@MaryushSoroka</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Fix writing on remote file systems with attribute cache <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1574">#1574</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Zsailer"><code>@Zsailer</code></a>)</li> <li>Add IdentityProvider.cookie_secret_hook <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1569">#1569</a> (<a href="https://github.com/emin63"><code>@emin63</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`0ceed45a80`"><code>0ceed45</code></a> Publish 2.18.0</li> <li><a href="`49b34392fe`"><code>49b3439</code></a> Move check origin into a util function and add it to websocket (<a href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1630">#1630</a>)</li> <li><a href="`e2e08c845d`"><code>e2e08c8</code></a> Add test case for bad next URL format</li> <li><a href="`624d6c0daf`"><code>624d6c0</code></a> Delete outdated patch code</li> <li><a href="`d825b93d9c`"><code>d825b93</code></a> Apply suggestion from <a href="https://github.com/minrk"><code>@minrk</code></a></li> <li><a href="`789fed081a`"><code>789fed0</code></a> patch open redirect in /login</li> <li><a href="`2ee51eccf3`"><code>2ee51ec</code></a> fix(CVE-2026-35397): path traversal when target dir starts with root dir</li> <li><a href="`057869a327`"><code>057869a</code></a> Fix allow_origin_pat to do full matching instead of prefix matching</li> <li><a href="`4862199a0f`"><code>4862199</code></a> Add resolvePath API for resolving kernel-relative paths</li> <li><a href="`e31d51406d`"><code>e31d514</code></a> Bump actions/create-github-app-token from 2 to 3 in the actions group across ...</li> <li>Additional commits viewable in <a href="https://github.com/jupyter-server/jupyter_server/compare/v2.17.0...v2.18.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=jupyter-server&package-manager=uv&previous-version=2.17.0&new-version=2.18.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-05 16:41:53 -04:00

1 2 3 4 5 ...

15921 Commits