Commit Graph

421 Commits

Author SHA1 Message Date
Nick Hollon
94ea96d542 release(core): 1.4.8 (#38254) 2026-06-18 15:23:00 -04:00
Christophe Bornet
fc956c8680 style(core): fix style in langchain_core/_security (#38189)
Co-authored-by: Mason Daugherty <mason@langchain.dev>
2026-06-16 11:40:50 -04:00
Nick Hollon
221f934f9d fix(core): preserve usage token details in v3 streaming events (#38021)
`stream_events(version="v3")` / `astream_events(version="v3")` drops
`input_token_details` and `output_token_details` from the usage metadata
on the assembled message and the `on_llm_end` payload: the conversion to
the protocol `UsageInfo` shape copied only the flat token counts.

Providers fold cached tokens into `input_tokens` and break them out in
`input_token_details`, so tracers (e.g. LangSmith) price every input
token at the uncached rate on the v3 path, inflating reported cost for
prompt-cached runs (cache reads bill at roughly a tenth of the base
input rate). The v2 events path and `astream` aggregation preserve the
details and report correctly; reasoning-token breakdowns in
`output_token_details` are lost the same way.

The detail breakdowns now live on the wire type itself:
`input_token_details` / `output_token_details` were added to `UsageInfo`
in `langchain-protocol` 0.0.17 (alongside `InputTokenDetails` /
`OutputTokenDetails`), so core imports `UsageInfo` directly instead of
carrying a local subclass. The v3 usage accumulator threads the details
through end to end, shallow-copying the nested dicts (`_isolate_usage`)
so later accumulator mutation cannot leak into already-emitted events.
Since native provider converters share `build_message_finish`, this also
covers provider-native v3 streams.

Verified against a live claude-sonnet-4-6 call with a cached prompt: v3
`on_llm_end` usage now matches v2, with `cache_read` / `cache_creation`
intact. Requires `langchain-protocol>=0.0.17` (core pin bumped
accordingly).
2026-06-16 10:04:55 -04:00
Christophe Bornet
afff89a9f7 fix(core): disallow_any_generics (#38156)
Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-06-15 09:46:29 -04:00
Christophe Bornet
62f255980d chore(core): add mypy warn_unreachable (#38109)
Enables mypy's `warn_unreachable` rule for `langchain-core`, bringing it
in line with the other strict libraries in the monorepo. Previously this
rule was intentionally disabled by a code comment, because under mypy
2.x it false-flags intentional defensive runtime checks — most notably
the SSRF / IP-policy guards in `langchain_core/_security/` — as
unreachable.

This PR resolves all of those warnings without deleting or
blanket-ignoring the defensive guards, so contributors get
unreachable-code coverage going forward and accidental dead code is
caught in CI.

The bulk of the change is mechanical: a targeted `# type:
ignore[unreachable]` on each defensive `else`/error branch that mypy
considers unreachable but that we deliberately keep as a runtime guard
against unexpected input. A few changes are more substantive and worth a
closer look:

- **`coro_with_context` (`runnables/utils.py`) — behavior change on
Python < 3.11.** The pre-3.11 path is rewritten to always route through
`context.run(asyncio.create_task, coro)`, so the supplied context is
reliably propagated to the task. Previously, on 3.10 the helper returned
the bare coroutine (run in the caller's context) when
`create_task=False`, and dropped the context entirely when
`create_task=True`. The new behavior matches 3.11+. The `create_task`
parameter is now inert but retained for signature compatibility. All
callers `await` the result, so returning a `Task` rather than a
coroutine is transparent.
- **`_create_template_from_message_type` (`prompts/chat.py`) — signature
widening.** This private helper's `template` parameter now accepts
`bool` inside the list, accurately reflecting the existing `["{var}",
is_optional]` placeholder form. No public-API impact.
- **`PydanticOutputFunctionsParser`
(`output_parsers/openai_functions.py`).** The `pydantic_schema` field is
typed as `TypeBaseModel` (which covers both v1 and v2 model classes,
unlike the prior annotation), and the `args_only` parse path now
dispatches explicitly on `BaseModel` vs `BaseModelV1` rather than
duck-typing via `hasattr`. This also yields clearer errors for
unsupported / dict schemas.
- **`_security/_policy.py`.** Loop variables are renamed so mypy can
narrow their types, which lets the old `# type: ignore[assignment]`
comments be dropped. The IP-blocklist logic is unchanged.

---------

Co-authored-by: Mason Daugherty <mason@langchain.dev>
Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-06-14 17:05:48 -04:00
Mason Daugherty
4108c0738c release(core): 1.4.7 (#38111)
Bumps `langchain-core` to `1.4.7` for the next patch release and updates
downstream minimum `langchain-core` requirements so package locks
resolve against the new core version.

This also refreshes the runnable snapshots that embed `lc_versions`
metadata so the version consistency check continues to validate
checked-in artifacts.

Validated with `python libs/core/scripts/check_version.py`, `uv lock
--check` across package lockfiles, and the core runnable tests that own
the updated snapshots with local LangSmith tracing env disabled.
2026-06-12 14:54:25 -04:00
Mason Daugherty
05cc55f1bc release(core): 1.4.6 (#38061) 2026-06-11 02:58:40 -04:00
Christophe Bornet
1de100f278 chore(infra): bump mypy to 2.1 and unify type-check config across the monorepo (#36470)
Originally a narrow bump of mypy to `1.20` in four packages. Expanded to
get the whole monorepo onto a single, current mypy and a consistent
type-check configuration, so contributors no longer hit different mypy
versions and divergent behavior depending on which package they touch.

### What changed

- **Unified the mypy pin to `>=2.1.0,<2.2.0`** in every mypy-using
package (6 libs + 14 partners), replacing the previously scattered pins
(`1.10`/`1.17`/`1.18`/`1.19`/`1.20`, with assorted upper bounds).
- **Unified the `[tool.mypy]` base per tier:**
- libs: `plugins = ["pydantic.mypy"]`, `strict = true`,
`enable_error_code = "deprecated"`, `warn_unreachable = true`
  - partners: `disallow_untyped_defs = true`
- Normalized style (`disallow_untyped_defs = "True"` string → bool,
quote/key consistency).
- **Fixed the 20 real errors** mypy 2.1 surfaces: `redundant-cast` from
improved narrowing (`core`, `langchain-classic`), a `var-annotated` for
`_LOGGED`, a return-type widening in `langchain-groq`'s
`_convert_from_v1_to_groq` (it can legitimately return a bare `str`),
and stale `type-arg`/`unused-ignore` in `langchain-model-profiles`
tests.

### Deliberate non-uniformity (documented inline in the relevant
`pyproject.toml`s)

Going fully byte-identical would surface ~196 additional errors that are
*not* real bugs, so two settings are kept package-appropriate:

- **`warn_unreachable`** is enabled on every strict lib **except
`core`**, where it false-flags intentional defensive code — including
the SSRF / IP-policy guards in `_security/` — as unreachable.
- **`pydantic.mypy` plugin** is used only on `anthropic` and
`perplexity` (their code is authored against it and reports ~99/~132
errors without it). It is *not* added to the other partners, where it
only flags the public alias constructor API (e.g. `ChatGroq(model=...)`)
in tests rather than finding bugs.
- **`ollama`** is left on its `ty` type checker; it does not use mypy.

---------

Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-06-11 00:24:59 -04:00
Mason Daugherty
030ec6010b release(core): 1.4.5 (#38056) 2026-06-10 22:49:27 -04:00
Mason Daugherty
2e832c23d4 release(core): 1.4.4 (#38031) 2026-06-10 17:02:02 -04:00
Mason Daugherty
c15cfe21b6 release(core): 1.4.3 (#37991) 2026-06-09 16:27:57 -04:00
Mason Daugherty
e096992984 release(core): 1.4.2 (#37968) 2026-06-08 14:16:11 -04:00
Mason Daugherty
a401351e12 release(core): 1.4.1 (#37922) 2026-06-05 10:49:33 -04:00
Mason Daugherty
aef86c476d chore(infra): bump langchain-tests floor to 1.1.9 (#37610)
Bumps the `langchain-tests` minimum across the monorepo from `1.0.0` to
`1.1.9` and adds a partner-level `Makefile` so partner lockfiles can be
regenerated in one command, matching the existing convention under
`libs/`.
2026-05-21 13:36:22 -05:00
Mason Daugherty
abd9d4ce31 ci(infra): harden Dependabot version-bound preservation (#37510)
Dependabot has been stripping upper/lower bounds from internal
`langchain-*` deps in partner `pyproject.toml` files (e.g. #37288
reduced `langchain-core>=1.3.2,<2.0.0` to bare `langchain-core`). Locks
down the config so bumps preserve existing specifiers, and restores the
bounds it already mangled across the monorepo.

## Changes
- Add `versioning-strategy: increase` to every `uv` ecosystem block in
`.github/dependabot.yml` so future bumps move the lower bound in place
instead of rewriting the constraint.
- Ignore workspace-internal packages (`langchain-core`, `langchain`,
`langchain-classic`, `langchain-text-splitters`, `langchain-tests`,
`langchain-model-profiles`) on every `uv` block — these are editable
installs from local paths and their published constraints are
hand-curated for release, not Dependabot's to bump.
- Restore stripped bounds across all `libs/` packages — runtime
`dependencies` and every dep group (`test`, `dev`, `test_integration`,
`typing`, `lint`) — to `>=1.4.0,<2.0.0` for `langchain-core` and
`>=1.0.0,<2.0.0` for the other internal packages.
2026-05-18 17:24:19 -05:00
Nick Hollon
da380bccf8 chore(infra): merge v1.4 into master (#37350) 2026-05-11 11:39:25 -07:00
Nick Hollon
5039dfec1f release(core): 1.3.3 (#37198) 2026-05-05 15:00:01 -04:00
open-swe[bot]
ba897ffa7e chore(docs): update x handle references (#37081)
## Description
Updates package metadata and README badges so LangChain social links
point to the new `@langchain_oss` X handle. This was completed with
AI-agent assistance.

## Test Plan
- [ ] Validate README badges and package metadata links point to
`https://x.com/langchain_oss`

_Opened collaboratively by Mason Daugherty and open-swe._

---------

Co-authored-by: open-swe[bot] <open-swe@users.noreply.github.com>
Co-authored-by: Mason Daugherty <61371264+mdrxy@users.noreply.github.com>
2026-04-29 13:56:09 -04:00
Nick Hollon
fa0f0d8efa release(core): 1.3.2 (#36990) 2026-04-24 11:46:25 -04:00
Nick Hollon
9ce72eba9f feat(core): add content-block-centric streaming (v2) (#36834) 2026-04-24 11:36:17 -04:00
ccurme
3f382a9e20 release(core): 1.3.1 (#36972) 2026-04-23 14:50:43 -04:00
Eugene Yurtsev
c87cd04927 release(core): release 1.3.0 (#36851)
xRelease 1.3.0
2026-04-17 14:42:01 +00:00
Eugene Yurtsev
af0e174ef7 release(core): 1.3.0a3 (#36829)
release 1.3.0a3
2026-04-16 15:37:28 -04:00
Mason Daugherty
7e81d09f2a chore(deps): bump pytest to 9.0.3 (#36801)
CVE-2025-71176 (medium severity)

All are dev-only (test dependency group) — no impact on published
packages.

### Why syrupy was also bumped

syrupy 4.x (`<5.0.0`) constrains pytest to `<9.0.0`, blocking the CVE
fix. Widening to `<6.0.0` allows syrupy 5.x which supports pytest 9.x.
2026-04-15 21:46:40 -06:00
ccurme
7d601dc2c6 chore(core): harden private SSRF utilities (#36768) 2026-04-15 16:13:20 -04:00
Eugene Yurtsev
8182d6302d release(core): 1.3.0.a2 (#36698)
release 1.3.0a2
2026-04-13 10:13:48 -04:00
Eugene Yurtsev
9ee4617fba release(core): 1.3.0a1 (#36656)
1.3.0a1 release
2026-04-10 11:58:34 -04:00
Eugene Yurtsev
dd7c3eb3a4 release(core): release 1.2.28 (#36614)
release 1.27.8
2026-04-08 14:15:50 -04:00
ccurme
6486404116 release(core): 1.2.27 (#36586) 2026-04-07 10:52:46 -04:00
Mason Daugherty
555bdfbade chore: add comment explaining pygments>=2.20.0 (#36570) 2026-04-06 15:07:07 -04:00
Mason Daugherty
0a1d290ac2 release(core): 1.2.26 (#36511) 2026-04-03 19:27:36 -04:00
ccurme
e89afedfec release(core): 1.2.25 (#36473) 2026-04-02 18:36:14 -04:00
ccurme
b3dff4a04c release(core): 1.2.24 (#36434) 2026-04-01 15:57:16 -04:00
John Kennedy
0f4f3f74c8 chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385)
## Summary

Bumps `pygments` to `>=2.20.0` across all 21 affected packages to
address [CVE-2026-4539](https://github.com/advisories/GHSA-XXXX) — ReDoS
via inefficient GUID regex in Pygments.

- **Severity:** Low
- **Fixed in:** 2.20.0 (was 2.19.2)
- **Change:** Added `pygments>=2.20.0` to `constraint-dependencies` in
`[tool.uv]` for each package, then ran `uv lock --upgrade-package
pygments` to regenerate lock files.

Closes Dependabot alerts #3435–#3455.

## Release Note
Patch deps

### Test Plan
 - [x] CI Green 🙏

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-30 23:26:59 -04:00
ccurme
d48364130d release(core): 1.2.23 (#36323) 2026-03-27 19:25:21 -04:00
ccurme
d22df94537 release(core): 1.2.22 (#36201) 2026-03-24 14:45:30 -04:00
ccurme
19f81cf6f1 release(core): 1.2.21 (#36179) 2026-03-23 13:57:14 -04:00
ccurme
c4abc91ed9 release(core): 1.2.20 (#36085) 2026-03-18 13:31:33 -04:00
ccurme
41cca203e6 release(core): 1.2.19 (#35832) 2026-03-13 09:41:49 -04:00
ccurme
6b25caf1ae release(core): 1.2.18 (#35704) 2026-03-09 16:36:50 -04:00
Mason Daugherty
cdf140e77d release(core): 1.2.17 (#35527) 2026-03-02 17:44:57 -05:00
ccurme
94a58825d3 release(core): 1.2.16 (#35439) 2026-02-25 09:31:15 -05:00
ccurme
bcfb87c211 release(core): 1.2.15 (#35367) 2026-02-20 13:44:26 -05:00
Christophe Bornet
6a6ef8caad style: fix some ruff noqa (#35321) 2026-02-19 13:19:30 -05:00
ccurme
9851838eb8 release(core): 1.2.14 (#35328) 2026-02-19 09:18:24 -05:00
Mason Daugherty
b026fd605b release(core): 1.2.13 (#35230) 2026-02-15 02:42:13 -05:00
Christophe Bornet
b97c629f9a style: bump ruff version to 0.15 (#35042) 2026-02-12 19:34:02 -05:00
ccurme
b06716fb87 release(core): 1.2.12 (#35192) 2026-02-12 15:49:14 -05:00
ccurme
524e1dab5e release(core): 1.2.11 (#35144) 2026-02-10 15:31:35 -05:00
ccurme
f41e049333 release(core): 1.2.10 (#35136) 2026-02-10 09:40:26 -05:00