Remove the redundant `lc_attributes` override from `ChatXAI`. The
`xai_api_base` field is a declared Pydantic `Field`, so
`Serializable.to_json()` already picks it up via its standard field
iteration loop (line 225-232 in `serializable.py`). The override was a
no-op — it re-inserted the same key with the same value that the base
serialization already included.
Add `base_url` alias and `XAI_API_BASE` env variable support to
`ChatXAI.xai_api_base`, aligning the xAI integration with the pattern
used across other partner packages (OpenAI, Groq, Fireworks, etc.).
Previously the base URL was a plain string field with no alias or
env-var lookup, making it inconsistent with the rest of the ecosystem
and harder to configure in deployment environments.
## Changes
- Add `alias="base_url"` and `default_factory=from_env("XAI_API_BASE",
default="https://api.x.ai/v1/")` to `ChatXAI.xai_api_base`, matching the
convention in `langchain_openai`, `langchain_groq`, and
`langchain_fireworks`
Extract additional fields from models.dev into `_model_data_to_profile`:
`name`, `status`, `release_date`, `last_updated`, `open_weights`,
`attachment`, `temperature`
Move the model profile refresh logic from an inline bash script in the
GitHub Actions workflow into a `make refresh-profiles` target in
`libs/model-profiles/Makefile`. This makes it runnable locally with a
single command and keeps the provider map in one place instead of
duplicated between CI and developer docs.
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.2 to
6.5.5.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's
changelog</a>.</em></p>
<blockquote>
<h1>Release notes</h1>
<p>.. toctree::
:maxdepth: 2</p>
<p>releases/v6.5.5
releases/v6.5.4
releases/v6.5.3
releases/v6.5.2
releases/v6.5.1
releases/v6.5.0
releases/v6.4.2
releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
releases/v6.1.0
releases/v6.0.4
releases/v6.0.3
releases/v6.0.2
releases/v6.0.1
releases/v6.0.0
releases/v5.1.1
releases/v5.1.0
releases/v5.0.2
releases/v5.0.1
releases/v5.0.0
releases/v4.5.3
releases/v4.5.2
releases/v4.5.1
releases/v4.5.0
releases/v4.4.3
releases/v4.4.2
releases/v4.4.1
releases/v4.4.0
releases/v4.3.0
releases/v4.2.1
releases/v4.2.0
releases/v4.1.0
releases/v4.0.2
releases/v4.0.1
releases/v4.0.0
releases/v3.2.2
releases/v3.2.1
releases/v3.2.0
releases/v3.1.1</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7d6465056c"><code>7d64650</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3586">#3586</a>
from bdarnell/update-cibw</li>
<li><a
href="d05d59b808"><code>d05d59b</code></a>
build: Bump cibuildwheel to 3.4.0</li>
<li><a
href="c2f46732b0"><code>c2f4673</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3585">#3585</a>
from bdarnell/release-655</li>
<li><a
href="e5f1aa4b6f"><code>e5f1aa4</code></a>
Release notes and version bump for v6.5.5</li>
<li><a
href="78a046f99f"><code>78a046f</code></a>
httputil: Add CRLF to _FORBIDDEN_HEADER_CHARS_RE</li>
<li><a
href="24a2d96ea1"><code>24a2d96</code></a>
web: Validate characters in all cookie attributes.</li>
<li><a
href="119a195e29"><code>119a195</code></a>
httputil: Add limits on multipart form data parsing</li>
<li><a
href="63d4df4eef"><code>63d4df4</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3564">#3564</a>
from bdarnell/release-654</li>
<li><a
href="eadbf9adbe"><code>eadbf9a</code></a>
Release notes and version bump for 6.5.4</li>
<li><a
href="bbc2b1429c"><code>bbc2b14</code></a>
Make sure that the in-operator on HTTPHeaders is case insensitive</li>
<li>Additional commits viewable in <a
href="https://github.com/tornadoweb/tornado/compare/v6.5.2...v6.5.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.2 to
6.5.5.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's
changelog</a>.</em></p>
<blockquote>
<h1>Release notes</h1>
<p>.. toctree::
:maxdepth: 2</p>
<p>releases/v6.5.5
releases/v6.5.4
releases/v6.5.3
releases/v6.5.2
releases/v6.5.1
releases/v6.5.0
releases/v6.4.2
releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
releases/v6.1.0
releases/v6.0.4
releases/v6.0.3
releases/v6.0.2
releases/v6.0.1
releases/v6.0.0
releases/v5.1.1
releases/v5.1.0
releases/v5.0.2
releases/v5.0.1
releases/v5.0.0
releases/v4.5.3
releases/v4.5.2
releases/v4.5.1
releases/v4.5.0
releases/v4.4.3
releases/v4.4.2
releases/v4.4.1
releases/v4.4.0
releases/v4.3.0
releases/v4.2.1
releases/v4.2.0
releases/v4.1.0
releases/v4.0.2
releases/v4.0.1
releases/v4.0.0
releases/v3.2.2
releases/v3.2.1
releases/v3.2.0
releases/v3.1.1</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7d6465056c"><code>7d64650</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3586">#3586</a>
from bdarnell/update-cibw</li>
<li><a
href="d05d59b808"><code>d05d59b</code></a>
build: Bump cibuildwheel to 3.4.0</li>
<li><a
href="c2f46732b0"><code>c2f4673</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3585">#3585</a>
from bdarnell/release-655</li>
<li><a
href="e5f1aa4b6f"><code>e5f1aa4</code></a>
Release notes and version bump for v6.5.5</li>
<li><a
href="78a046f99f"><code>78a046f</code></a>
httputil: Add CRLF to _FORBIDDEN_HEADER_CHARS_RE</li>
<li><a
href="24a2d96ea1"><code>24a2d96</code></a>
web: Validate characters in all cookie attributes.</li>
<li><a
href="119a195e29"><code>119a195</code></a>
httputil: Add limits on multipart form data parsing</li>
<li><a
href="63d4df4eef"><code>63d4df4</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3564">#3564</a>
from bdarnell/release-654</li>
<li><a
href="eadbf9adbe"><code>eadbf9a</code></a>
Release notes and version bump for 6.5.4</li>
<li><a
href="bbc2b1429c"><code>bbc2b14</code></a>
Make sure that the in-operator on HTTPHeaders is case insensitive</li>
<li>Additional commits viewable in <a
href="https://github.com/tornadoweb/tornado/compare/v6.5.2...v6.5.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.2 to
6.5.5.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's
changelog</a>.</em></p>
<blockquote>
<h1>Release notes</h1>
<p>.. toctree::
:maxdepth: 2</p>
<p>releases/v6.5.5
releases/v6.5.4
releases/v6.5.3
releases/v6.5.2
releases/v6.5.1
releases/v6.5.0
releases/v6.4.2
releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
releases/v6.1.0
releases/v6.0.4
releases/v6.0.3
releases/v6.0.2
releases/v6.0.1
releases/v6.0.0
releases/v5.1.1
releases/v5.1.0
releases/v5.0.2
releases/v5.0.1
releases/v5.0.0
releases/v4.5.3
releases/v4.5.2
releases/v4.5.1
releases/v4.5.0
releases/v4.4.3
releases/v4.4.2
releases/v4.4.1
releases/v4.4.0
releases/v4.3.0
releases/v4.2.1
releases/v4.2.0
releases/v4.1.0
releases/v4.0.2
releases/v4.0.1
releases/v4.0.0
releases/v3.2.2
releases/v3.2.1
releases/v3.2.0
releases/v3.1.1</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7d6465056c"><code>7d64650</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3586">#3586</a>
from bdarnell/update-cibw</li>
<li><a
href="d05d59b808"><code>d05d59b</code></a>
build: Bump cibuildwheel to 3.4.0</li>
<li><a
href="c2f46732b0"><code>c2f4673</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3585">#3585</a>
from bdarnell/release-655</li>
<li><a
href="e5f1aa4b6f"><code>e5f1aa4</code></a>
Release notes and version bump for v6.5.5</li>
<li><a
href="78a046f99f"><code>78a046f</code></a>
httputil: Add CRLF to _FORBIDDEN_HEADER_CHARS_RE</li>
<li><a
href="24a2d96ea1"><code>24a2d96</code></a>
web: Validate characters in all cookie attributes.</li>
<li><a
href="119a195e29"><code>119a195</code></a>
httputil: Add limits on multipart form data parsing</li>
<li><a
href="63d4df4eef"><code>63d4df4</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3564">#3564</a>
from bdarnell/release-654</li>
<li><a
href="eadbf9adbe"><code>eadbf9a</code></a>
Release notes and version bump for 6.5.4</li>
<li><a
href="bbc2b1429c"><code>bbc2b14</code></a>
Make sure that the in-operator on HTTPHeaders is case insensitive</li>
<li>Additional commits viewable in <a
href="https://github.com/tornadoweb/tornado/compare/v6.5.2...v6.5.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.2 to
6.5.5.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's
changelog</a>.</em></p>
<blockquote>
<h1>Release notes</h1>
<p>.. toctree::
:maxdepth: 2</p>
<p>releases/v6.5.5
releases/v6.5.4
releases/v6.5.3
releases/v6.5.2
releases/v6.5.1
releases/v6.5.0
releases/v6.4.2
releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
releases/v6.1.0
releases/v6.0.4
releases/v6.0.3
releases/v6.0.2
releases/v6.0.1
releases/v6.0.0
releases/v5.1.1
releases/v5.1.0
releases/v5.0.2
releases/v5.0.1
releases/v5.0.0
releases/v4.5.3
releases/v4.5.2
releases/v4.5.1
releases/v4.5.0
releases/v4.4.3
releases/v4.4.2
releases/v4.4.1
releases/v4.4.0
releases/v4.3.0
releases/v4.2.1
releases/v4.2.0
releases/v4.1.0
releases/v4.0.2
releases/v4.0.1
releases/v4.0.0
releases/v3.2.2
releases/v3.2.1
releases/v3.2.0
releases/v3.1.1</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7d6465056c"><code>7d64650</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3586">#3586</a>
from bdarnell/update-cibw</li>
<li><a
href="d05d59b808"><code>d05d59b</code></a>
build: Bump cibuildwheel to 3.4.0</li>
<li><a
href="c2f46732b0"><code>c2f4673</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3585">#3585</a>
from bdarnell/release-655</li>
<li><a
href="e5f1aa4b6f"><code>e5f1aa4</code></a>
Release notes and version bump for v6.5.5</li>
<li><a
href="78a046f99f"><code>78a046f</code></a>
httputil: Add CRLF to _FORBIDDEN_HEADER_CHARS_RE</li>
<li><a
href="24a2d96ea1"><code>24a2d96</code></a>
web: Validate characters in all cookie attributes.</li>
<li><a
href="119a195e29"><code>119a195</code></a>
httputil: Add limits on multipart form data parsing</li>
<li><a
href="63d4df4eef"><code>63d4df4</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3564">#3564</a>
from bdarnell/release-654</li>
<li><a
href="eadbf9adbe"><code>eadbf9a</code></a>
Release notes and version bump for 6.5.4</li>
<li><a
href="bbc2b1429c"><code>bbc2b14</code></a>
Make sure that the in-operator on HTTPHeaders is case insensitive</li>
<li>Additional commits viewable in <a
href="https://github.com/tornadoweb/tornado/compare/v6.5.2...v6.5.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Fixed typo in comment: "equivelent" -> "equivalent" in
libs/partners/openai/langchain_openai/chat_models/base.py
Co-authored-by: AI Assistant <assistant@example.com>
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.
🤖 Generated by the `refresh_model_profiles` workflow.
Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
Bypass the issue-link requirement for external contributors who have
earned the `trusted-contributor` tier label (>=5 merged PRs). Previously
only PRs with the `internal` label skipped the gate, meaning repeat
contributors still had to link an approved issue on every PR. Also
includes minor template and linting tweaks for contributor experience.
## Changes
- Add `trusted-contributor` bypass to the `check-issue-link` job
condition in `require_issue_link.yml`, with a secondary live-label API
fetch inside the script to cover the race where the `external` labeled
event payload doesn't yet include the tier label
- Add a `bypass-trusted-contributor` job in `require_issue_link.yml`
that removes `missing-issue-link` and reopens the PR when the
`trusted-contributor` label arrives after enforcement has already closed
it
- Reorder steps in `tag-external-contributions.yml` so the tier label is
applied *before* the `external` label — eliminates the race window
entirely since `trusted-contributor` is already on the PR when the
downstream `labeled` event fires
- Switch the tier-label step from `GITHUB_TOKEN` to the app token so the
`trusted-contributor` labeled event propagates to downstream workflows
- Add `hotfix` to allowed PR title types in `pr_lint.yml`
- Promote the English language policy to a blockquote callout in issue
and PR templates; add a "do not begin work without assignment" note to
the feature request template
The `tag-external-contributions.yml` workflow was using `GITHUB_TOKEN`
to add the `external` label to PRs, which silently prevented the
`labeled` event from propagating to `require_issue_link.yml`. GitHub
Actions suppresses events created by `GITHUB_TOKEN` to avoid infinite
loops — but in this case, the downstream workflow depends on that event
to enforce the issue-link requirement on external PRs.
## Changes
- Switch `github-token` from `secrets.GITHUB_TOKEN` to the existing App
token (`steps.app-token.outputs.token`) in the "Add external label to
pull request" step of `tag-external-contributions.yml`, so the `labeled`
event fires and triggers `require_issue_link.yml`
Auto-reopen external PRs that were closed by the `require_issue_link`
workflow once the author fixes their PR description. Previously, the
workflow closed non-compliant PRs but required a maintainer to manually
reopen them — creating unnecessary back-and-forth when the contributor
just needed to add an issue link or get assigned.
## Changes
- Add reopen logic to the success path in `require_issue_link.yml`:
after removing the `missing-issue-link` label, call `pulls.update({
state: 'open' })` if the PR is closed *and* still carries the
`missing-issue-link` label — gating on the label ensures only
workflow-closed PRs are reopened, not PRs closed manually by maintainers
- Update the bot's auto-close comments to tell contributors the PR will
reopen automatically once they fix the issue, instead of directing them
to ask a maintainer
Auto-close external PRs that fail the issue-link or assignee check
instead of just failing the CI status. The bot comment now explains the
PR was closed and gives numbered steps to resolve — including asking a
maintainer to reopen, since external contributors can't reopen PRs
themselves.
## Changes
- Close the PR via `pulls.update` after posting the bot comment in the
`check-issue-link` job, gated on `state === 'open'` to avoid redundant
API calls on re-runs
- Rewrite bot comment copy for both failure modes (missing link, not
assigned) to lead with "This PR has been automatically closed" and end
with "ask a maintainer to reopen this PR"
Extend the external PR gate to verify that the PR author is actually
assigned to the issue they reference. Previously, anyone could link to
any open issue with `Fixes #NNN` to pass the check — this closes the
loophole by fetching each linked issue via the GitHub API and comparing
assignees against the PR author (case-insensitive). The bot comment now
adapts its message based on which check failed, and updates in place if
the failure reason changes on a re-check.
## Changes
- Add assignee validation in the `check-link` step: after parsing issue
numbers from the PR body, fetch each via `github.rest.issues.get` and
check if the PR author appears in `assignees` — short-circuits on first
match
- Gate all downstream steps (`missing-issue-link` label add/remove,
comment, `setFailed`) on both `has-link` and `is-assigned` outputs
- Serve a distinct bot comment when the issue link exists but the author
isn't assigned, directing them to request assignment from a maintainer
- Update the existing marker comment in place (via `updateComment`) when
the failure reason changes between re-runs, instead of leaving a stale
message
Enforce that all external PRs reference an approved issue via GitHub
auto-close keywords (`Fixes #NNN`, `Closes #NNN`, `Resolves #NNN`). This
replaces the previous AI-disclaimer policy in the PR template with a
stricter requirement: external contributors must link to a
maintainer-approved issue before their PR can merge.
## Changes
- Add `require_issue_link.yml` workflow that chains off the `external`
label applied by `tag-external-contributions.yml` — listens for
`labeled`, `edited`, and `reopened` events to avoid duplicating the org
membership API call
- Scan PR body with a case-insensitive regex matching all conjugations
of `close/fix/resolve` + `#NNN`; fail the check and post a deduplicated
comment (via `<!-- require-issue-link -->` HTML marker) when no link is
found
- Apply a `missing-issue-link` label on failure, remove it on pass —
enables bulk cleanup via label filter
- Add `workflow_dispatch` backfill job to `pr_size_labeler.yml` for
retroactively applying size labels to open PRs
- Quote `author` in GitHub search queries in
`tag-external-contributions.yml` to prevent mismatches on usernames with
special characters
- Update `PULL_REQUEST_TEMPLATE.md` to replace the AI-disclaimer
guideline with the new issue-link requirement
> [!NOTE]
> `require_issue_link.yml` depends on `tag-external-contributions.yml`
running first to apply the `external` label. Deploy as a non-required
check initially, then promote to required after validation.
Extend the existing `tag-external-contributions.yml` workflow with
tiered contributor labels (`trusted-contributor` at ≥4 merged PRs,
`experienced-contributor` at ≥10) for both issues and PRs, and add a new
`pr_size_labeler.yml` workflow. The tier step piggybacks on the existing
org membership check — no additional API call for that — and the
backfill job reuses the same membership + search logic with a per-author
cache to avoid redundant calls.
## Changes
- Add a consolidated `Apply contributor tier label` step to the
`tag-external` job that handles both `pull_request_target` and `issues`
events, querying the search API for merged PR count and applying the
appropriate tier label
- Add `workflow_dispatch` trigger with `backfill_type` (prs/issues/both)
and `max_items` inputs, gated to a separate `backfill` job that iterates
open PRs and issues, applies `external`/`internal` + tier + size labels,
and uses a `contributorCache` Map to deduplicate org membership and
search API calls per author
- Add `pr_size_labeler.yml` — standalone workflow on
`pull_request_target` (opened/synchronize/reopened) that computes
changed lines excluding `docs/`, `poetry.lock`, and `uv.lock`, then
applies `size: XS`/`S`/`M`/`L`/`XL` labels (auto-created on first run
with color `b76e79`), removing stale size labels before applying the new
one
## Security notes
Both workflows use `pull_request_target` but neither checks out PR code
— all operations are GitHub API calls via `actions/github-script@v8`.
The `${{ inputs.max_items }}` interpolation is a `workflow_dispatch`
input restricted to users with write access (equivalent or greater
privilege than the workflow token). `${{ inputs.backfill_type }}` is a
`choice` type with server-side enforcement. Author values in search
queries come from GitHub API responses with restricted character sets.
No high-confidence vulnerabilities identified.
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.
🤖 Generated by the `refresh_model_profiles` workflow.
Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.
🤖 Generated by the `refresh_model_profiles` workflow.
Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
Bumps [types-pytz](https://github.com/typeshed-internal/stub_uploader)
from 2025.2.0.20251108 to 2026.1.1.20260304.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/typeshed-internal/stub_uploader/commits">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [packaging](https://github.com/pypa/packaging) from 24.2 to 26.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/packaging/releases">packaging's
releases</a>.</em></p>
<blockquote>
<h2>26.0</h2>
<p>Read about the performance improvements here: <a
href="https://iscinumpy.dev/post/packaging-faster">https://iscinumpy.dev/post/packaging-faster</a>.</p>
<h2>What's Changed</h2>
<p>Features:</p>
<ul>
<li>PEP 751: support pylock by <a
href="https://github.com/sbidoul"><code>@sbidoul</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/900">pypa/packaging#900</a></li>
<li>PEP 794: import name metadata by <a
href="https://github.com/brettcannon"><code>@brettcannon</code></a> in
<a
href="https://redirect.github.com/pypa/packaging/pull/948">pypa/packaging#948</a></li>
<li>Support writing metadata by <a
href="https://github.com/henryiii"><code>@henryiii</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/846">pypa/packaging#846</a></li>
<li>Support <code>__replace__</code> for <code>Version</code> by <a
href="https://github.com/henryiii"><code>@henryiii</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/1003">pypa/packaging#1003</a></li>
<li>Support positional pattern matching for <code>Version</code> and
<code>Specifier</code> by <a
href="https://github.com/henryiii"><code>@henryiii</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/1004">pypa/packaging#1004</a></li>
</ul>
<p>Behavior adaptations:</p>
<ul>
<li>PEP 440 handling of prereleases for <code>Specifier.contains</code>,
<code>SpecifierSet.contains</code>, and <code>SpecifierSet.filter</code>
by <a
href="https://github.com/notatallshaw"><code>@notatallshaw</code></a>
in <a
href="https://redirect.github.com/pypa/packaging/pull/897">pypa/packaging#897</a></li>
<li>Handle PEP 440 edge case in <code>SpecifierSet.filter</code> by <a
href="https://github.com/notatallshaw"><code>@notatallshaw</code></a>
in <a
href="https://redirect.github.com/pypa/packaging/pull/942">pypa/packaging#942</a></li>
<li>Adjust arbitrary equality intersection preservation in
<code>SpecifierSet</code> by <a
href="https://github.com/notatallshaw"><code>@notatallshaw</code></a>
in <a
href="https://redirect.github.com/pypa/packaging/pull/951">pypa/packaging#951</a></li>
<li>Return <code>False</code> instead of raising for
<code>.contains</code> with invalid version by <a
href="https://github.com/Liam-DeVoe"><code>@Liam-DeVoe</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/932">pypa/packaging#932</a></li>
<li>Support arbitrary equality on arbitrary strings for
<code>Specifier</code> and <code>SpecifierSet</code>'s
<code>filter</code> and <code>contains</code> method. by <a
href="https://github.com/notatallshaw"><code>@notatallshaw</code></a>
in <a
href="https://redirect.github.com/pypa/packaging/pull/954">pypa/packaging#954</a></li>
<li>Only try to parse as <code>Version</code> on certain marker keys,
return <code>False</code> on unequal ordered comparsions by <a
href="https://github.com/JP-Ellis"><code>@JP-Ellis</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/939">pypa/packaging#939</a></li>
</ul>
<p>Fixes:</p>
<ul>
<li>Update <code>_hash</code> when unpickling <code>Tag()</code> by <a
href="https://github.com/dholth"><code>@dholth</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/860">pypa/packaging#860</a></li>
<li>Correct comment and simplify implicit prerelease handling in
<code>Specifier.prereleases</code> by <a
href="https://github.com/notatallshaw"><code>@notatallshaw</code></a>
in <a
href="https://redirect.github.com/pypa/packaging/pull/896">pypa/packaging#896</a></li>
<li>Use explicit <code>_GLibCVersion</code> <code>NamedTuple</code> in
<code>_manylinux</code> by <a
href="https://github.com/cthoyt"><code>@cthoyt</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/868">pypa/packaging#868</a></li>
<li>Detect invalid license expressions containing <code>()</code> by <a
href="https://github.com/bwoodsend"><code>@bwoodsend</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/879">pypa/packaging#879</a></li>
<li>Correct regex for metadata <code>'name'</code> format by <a
href="https://github.com/di"><code>@di</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/925">pypa/packaging#925</a></li>
<li>Improve the message around expecting a semicolon by <a
href="https://github.com/pradyunsg"><code>@pradyunsg</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/833">pypa/packaging#833</a></li>
<li>Support nested parens in license expressions by <a
href="https://github.com/Liam-DeVoe"><code>@Liam-DeVoe</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/931">pypa/packaging#931</a></li>
<li>Add space before at symbol in <code>Requirements</code> string by <a
href="https://github.com/henryiii"><code>@henryiii</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/953">pypa/packaging#953</a></li>
<li>A root logger use found by ruff LOG, use <code>packaging</code>
logger instead by <a
href="https://github.com/henryiii"><code>@henryiii</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/965">pypa/packaging#965</a></li>
<li>Better support for subclassing <code>Marker</code> and
<code>Requirement</code> by <a
href="https://github.com/henryiii"><code>@henryiii</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/1022">pypa/packaging#1022</a></li>
<li>Normalize all extras, not just if it comes first by <a
href="https://github.com/henryiii"><code>@henryiii</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/1024">pypa/packaging#1024</a></li>
<li>Don't produce a broken repr if <code>Marker</code> fails to
construct by <a
href="https://github.com/henryiii"><code>@henryiii</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/1033">pypa/packaging#1033</a></li>
</ul>
<p>Performance:</p>
<ul>
<li>Avoid recompiling regexes in the tokenizer for a 3x speedup by <a
href="https://github.com/hauntsaninja"><code>@hauntsaninja</code></a>
in <a
href="https://redirect.github.com/pypa/packaging/pull/1019">pypa/packaging#1019</a></li>
<li>Improve performance in <code>_manylinux.py</code> by <a
href="https://github.com/cthoyt"><code>@cthoyt</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/869">pypa/packaging#869</a></li>
<li>Minor cleanups to <code>Version</code> by <a
href="https://github.com/bearomorphism"><code>@bearomorphism</code></a>
in <a
href="https://redirect.github.com/pypa/packaging/pull/913">pypa/packaging#913</a></li>
<li>Skip redundant creation of <code>Version</code>s in specifier
comparison by <a
href="https://github.com/notatallshaw"><code>@notatallshaw</code></a>
in <a
href="https://redirect.github.com/pypa/packaging/pull/986">pypa/packaging#986</a></li>
<li>Cache <code>Specifier</code>'s Version by <a
href="https://github.com/notatallshaw"><code>@notatallshaw</code></a>
in <a
href="https://redirect.github.com/pypa/packaging/pull/985">pypa/packaging#985</a></li>
<li>Make <code>Version</code> a little faster by <a
href="https://github.com/henryiii"><code>@henryiii</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/987">pypa/packaging#987</a></li>
<li>Minor <code>Version</code> regex cleanup by <a
href="https://github.com/henryiii"><code>@henryiii</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/990">pypa/packaging#990</a></li>
<li>Faster regex on Python 3.11.5+ by <a
href="https://github.com/henryiii"><code>@henryiii</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/988">pypa/packaging#988</a>
and <a
href="https://redirect.github.com/pypa/packaging/pull/1055">pypa/packaging#1055</a></li>
<li>Lazily calculate <code>_key</code> in <code>Version</code> by <a
href="https://github.com/notatallshaw"><code>@notatallshaw</code></a>
in <a
href="https://redirect.github.com/pypa/packaging/pull/989">pypa/packaging#989</a>
and regression for <code>packaging_legacy</code> fixed by <a
href="https://github.com/henryiii"><code>@henryiii</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/1048">pypa/packaging#1048</a></li>
<li>Faster <code>canonicalize_version</code> by <a
href="https://github.com/henryiii"><code>@henryiii</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/993">pypa/packaging#993</a></li>
<li>Use <code>fullmatch</code> in a couple more places by <a
href="https://github.com/henryiii"><code>@henryiii</code></a> in <a
href="https://redirect.github.com/pypa/packaging/pull/992">pypa/packaging#992</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/packaging/blob/main/CHANGELOG.rst">packaging's
changelog</a>.</em></p>
<blockquote>
<p>26.0 - 2026-01-20</p>
<pre><code>
Features:
<ul>
<li>PEP 751: support pylock (:pull:<code>900</code>)</li>
<li>PEP 794: import name metadata (:pull:<code>948</code>)</li>
<li>Support for writing metadata to a file (:pull:<code>846</code>)</li>
<li>Support <code>__replace__</code> on Version
(:pull:<code>1003</code>)</li>
<li>Support positional pattern matching for <code>Version</code> and
<code>SpecifierSet</code> (:pull:<code>1004</code>)</li>
</ul>
<p>Behavior adaptations:</p>
<ul>
<li>PEP 440 handling of prereleases for <code>Specifier.contains</code>,
<code>SpecifierSet.contains</code>, and <code>SpecifierSet.filter</code>
(:pull:<code>897</code>)</li>
<li>Handle PEP 440 edge case in <code>SpecifierSet.filter</code>
(:pull:<code>942</code>)</li>
<li>Adjust arbitrary equality intersection preservation in
<code>SpecifierSet</code> (:pull:<code>951</code>)</li>
<li>Return <code>False</code> instead of raising for
<code>.contains</code> with invalid version
(:pull:<code>932</code>)</li>
<li>Support arbitrary equality on arbitrary strings for
<code>Specifier</code> and <code>SpecifierSet</code>'s
<code>filter</code> and <code>contains</code> method.
(:pull:<code>954</code>)</li>
<li>Only try to parse as <code>Version</code> on certain marker keys,
return <code>False</code> on unequal ordered comparisons
(:pull:<code>939</code>)</li>
</ul>
<p>Fixes:</p>
<ul>
<li>Update <code>_hash</code> when unpickling <code>Tag()</code>
(:pull:<code>860</code>)</li>
<li>Correct comment and simplify implicit prerelease handling in
<code>Specifier.prereleases</code> (:pull:<code>896</code>)</li>
<li>Use explicit <code>_GLibCVersion</code> <code>NamedTuple</code> in
<code>_manylinux</code> (:pull:<code>868</code>)</li>
<li>Detect invalid license expressions containing <code>()</code>
(:pull:<code>879</code>)</li>
<li>Correct regex for metadata <code>'name'</code> format
(:pull:<code>925</code>)</li>
<li>Improve the message around expecting a semicolon
(:pull:<code>833</code>)</li>
<li>Support nested parens in license expressions
(:pull:<code>931</code>)</li>
<li>Add space before at symbol in <code>Requirements</code> string
(:pull:<code>953</code>)</li>
<li>A root logger use found, use a <code>packaging</code> logger instead
(:pull:<code>965</code>)</li>
<li>Better support for subclassing <code>Marker</code> and
<code>Requirement</code> (:pull:<code>1022</code>)</li>
<li>Normalize all extras, not just if it comes first
(:pull:<code>1024</code>)</li>
<li>Don't produce a broken repr if <code>Marker</code> fails to
construct (:pull:<code>1033</code>)</li>
</ul>
<p>Performance:</p>
<ul>
<li>Avoid recompiling regexes in the tokenizer for a 3x speedup
(:pull:<code>1019</code>)</li>
<li>Improve performance in <code>_manylinux.py</code>
(:pull:<code>869</code>)</li>
<li>Minor cleanups to <code>Version</code> (:pull:<code>913</code>)</li>
<li>Skip redundant creation of <code>Version</code>'s in specifier
comparison (:pull:<code>986</code>)</li>
<li>Cache the <code>Specifier</code>'s <code>Version</code>
(:pull:<code>985</code>)</li>
<li>Make <code>Version</code> a little faster
(:pull:<code>987</code>)</li>
<li>Minor <code>Version</code> regex cleanup
(:pull:<code>990</code>)</li>
<li>Faster regex on Python 3.11.5+ for <code>Version</code>
(:pull:<code>988</code>, :pull:<code>1055</code>)</li>
<li>Lazily calculate <code>_key</code> in <code>Version</code>
(:pull:<code>989</code>, :pull:<code>1048</code>)</li>
<li>Faster <code>canonicalize_version</code>
(:pull:<code>993</code>)</li>
<li>Use <code>re.fullmatch</code> in a couple more places
(:pull:<code>992</code>, :pull:<code>1029</code>)</li>
<li>Use <code>map</code> instead of generator
(:pull:<code>996</code>)</li>
<li>Deprecate <code>._version</code> (<code>_Version</code>, a
<code>NamedTuple</code>) (:pull:<code>995</code>,
:pull:<code>1062</code>)<br />
</tr></table><br />
</code></pre></li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="3b77a26f5a"><code>3b77a26</code></a>
Bump for release</li>
<li><a
href="31371cce59"><code>31371cc</code></a>
docs: prepare for 26.0 final (<a
href="https://redirect.github.com/pypa/packaging/issues/1063">#1063</a>)</li>
<li><a
href="9627a8821f"><code>9627a88</code></a>
perf: dual replace (<a
href="https://redirect.github.com/pypa/packaging/issues/1064">#1064</a>)</li>
<li><a
href="d5398b8bc1"><code>d5398b8</code></a>
fix: restore ._version as a compat shim (<a
href="https://redirect.github.com/pypa/packaging/issues/1062">#1062</a>)</li>
<li><a
href="3a7b600a12"><code>3a7b600</code></a>
Bump for development</li>
<li><a
href="d4eefdccf9"><code>d4eefdc</code></a>
Bump for release</li>
<li><a
href="46189124fb"><code>4618912</code></a>
docs: prepare for 26.0rc3 (<a
href="https://redirect.github.com/pypa/packaging/issues/1060">#1060</a>)</li>
<li><a
href="0cf1b41b4b"><code>0cf1b41</code></a>
ci: test on first public release of CPythons (<a
href="https://redirect.github.com/pypa/packaging/issues/1056">#1056</a>)</li>
<li><a
href="716beb1c0a"><code>716beb1</code></a>
perf: 10% faster stripping zeros (<a
href="https://redirect.github.com/pypa/packaging/issues/1058">#1058</a>)</li>
<li><a
href="350a230670"><code>350a230</code></a>
fix: support CPython 3.11.0-3.11.4 and older PyPy3.11 (<a
href="https://redirect.github.com/pypa/packaging/issues/1055">#1055</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/packaging/compare/24.2...26.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The action-parsing regex in `MRKLOutputParser.parse()` and
`ReActSingleInputOutputParser.parse()` used the pattern
`(.*?)[\s]*Action` which causes catastrophic backtracking on crafted
input where whitespace characters sit between two partial `Action`
tokens. An attacker can trigger near-infinite CPU consumption with a
relatively short string.
The fix removes the redundant `[\s]*` quantifier between the first
capture group and the literal `Action` keyword. Since `re.DOTALL` is
active and the preceding `(.*?)` already matches any character
(including whitespace), the `[\s]*` was unnecessary and was the source
of the ambiguity that enabled backtracking.
Adds regression tests for both parsers that use `SIGALRM` timeouts to
assert the regex completes in bounded time on adversarial input.
This fix was reviewed manually.
Created with [Deep Agents
CLI](https://docs.langchain.com/oss/python/deepagents/cli/overview).
ccurme
Mason Daugherty
dependabot[bot]
Matt Van Horn
Sydney Runkle
LincolnBurrows2017
langchain-model-profile-bot[bot]
Anix Lynch
Mohammad Mohtashim
Ethan T.
Giulio Leone
Eugene Yurtsev