Commit Graph

16139 Commits

Author SHA1 Message Date
Mason Daugherty
3d3a4c27cc release(langchain): 1.3.7 (#38024) langchain==1.3.7 2026-06-10 14:17:49 -04:00
Christophe Bornet
7ffe092657 style(langchain): add ruff rules ARG (#34435)
In this order:
* used `@override` when overriding a parent method.
* prefixed param with `_` when the param could be renamed.
* used `*_args, **_kwargs` when it was not possible to rename (eg:
protocol)
* used `_ = some_variable` when the variable name is inspected (in
tools)

---------

Co-authored-by: Mason Daugherty <github@mdrxy.com>
Co-authored-by: Mason Daugherty <mason@langchain.dev>
2026-06-10 14:12:38 -04:00
Alexander Olsen
92ee772761 feat(langchain): add ProviderToolSearchMiddleware (#37969)
[Docs](https://github.com/langchain-ai/docs/pull/4355)

Adds `ProviderToolSearchMiddleware` to let agents defer selected tools
behind OpenAI/Anthropic provider-native tool search while preserving
existing `extras={"defer_loading": True}` behavior. The middleware
validates searchable tool names, injects the provider search tool only
when a tool is deferred, and rejects unsupported providers up front.

Made by [Open SWE](https://openswe.vercel.app)

---------

Co-authored-by: Alexander Olsen <13665641+aolsenjazz@users.noreply.github.com>
Co-authored-by: open-swe[bot] <open-swe@users.noreply.github.com>
Co-authored-by: Mason Daugherty <github@mdrxy.com>
Co-authored-by: Mason Daugherty <mason@langchain.dev>
2026-06-10 14:03:28 -04:00
Christophe Bornet
23ce677870 chore(langchain): activate mypy warn_return_any (#34249)
Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-06-10 13:53:06 -04:00
langchain-model-profile-bot[bot]
2b4735712c chore(model-profiles): refresh model profile data (#38012)
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.

🤖 Generated by the `refresh_model_profiles` workflow.

Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
2026-06-10 10:57:23 -04:00
Mason Daugherty
bee470cc29 ci(infra): attach release artifacts from package dist directory (#38010)
The release workflow's `mark-release` job downloads built wheels to
`<package>/dist/` but told `ncipollo/release-action` to glob `dist/*`.
Because JS actions don't honor `defaults.run.working-directory`, that
pattern resolved against the repo root, matched nothing, and logged
`Artifact pattern :dist/* did not match any files`. The warning is
non-fatal, so tags and releases were still created — just with no assets
attached. Verified across published releases (`langchain-groq`,
`langchain-core`, `langchain-openai`, `langchain-anthropic`): every one
has an empty asset list.
2026-06-10 00:22:42 -04:00
Mason Daugherty
64ee4d8154 release(groq): 1.1.3 (#38009)
Closes #37996
langchain-groq==1.1.3
2026-06-10 04:12:05 +00:00
Mason Daugherty
b9fb3da891 ci(model-profiles): skip profile refresh workflow on forks (#38008)
Closes #37997

Forked repositories with Actions enabled currently run the scheduled
model profile refresh without access to the GitHub App secrets used to
open the automated PR. Guarding the job to the `langchain-ai` owner
prevents noisy daily failures on forks while preserving the scheduled
refresh for the main repository.

## Changes
- Added a repository-owner guard to the `refresh-profiles` job so
`refresh_model_profiles` only runs under `langchain-ai`.
- Kept the existing reusable workflow invocation and bot secret wiring
unchanged for the canonical repository.
2026-06-10 00:08:36 -04:00
Mason Daugherty
6fde3f06a3 docs(infra): clarify PR description expectations (#38007)
PR authors get clearer guidance for writing descriptions that reviewers
can understand quickly. The template and contributor guidance now ask
for a short explanation of who benefits, what problem they had, and how
the change solves it instead of a generic summary.
2026-06-09 23:05:15 -04:00
Mason Daugherty
8bc96308d0 fix(core): accept sequence tool error content (#38005)
`handle_tool_error` callables can now return structured message content
as any valid sequence, not just a mutable `list`. Valid structured
sequences are normalized to the `ToolMessage` content shape at the tool
output boundary, while invalid content still falls back to
stringification.

## Changes
- Widened `ToolExceptionHandlerOutput` from `list[str | dict[str, Any]]`
to `Sequence[MessageContentBlock]` so handlers returning `list[dict[str,
Any]]` or tuple content blocks type-check cleanly.
- Added `_normalize_message_content` to validate structured message
content and convert valid non-string sequences to the `list` shape
expected by `ToolMessage`.
- Preserved existing stringification behavior for invalid structured
content blocks instead of treating failed normalization as `None`.
- Removed the now-unused `_is_message_content_type` helper; output
formatting validates content directly through
`_normalize_message_content`.
2026-06-09 22:35:33 -04:00
Mason Daugherty
0f1b291f42 fix(core): type structured tool error handler output (#38003)
`handle_tool_error` callables can already return structured message
content at runtime, but the public typing only allowed strings. The tool
error handling API now reflects the existing output formatting path,
including clearer docs for how handled errors become
`ToolMessage(status="error")` results.
2026-06-09 21:18:19 -04:00
Mason Daugherty
77bbf8ba39 test(langchain): mark legacy trigger view for 2.0 removal (#38002)
`SummarizationMiddleware._trigger_conditions` is now explicitly marked
as a temporary compatibility view for private consumers. The regression
test is tied to the package major version so the 2.0 release path fails
loudly until the legacy attr and test are removed.
2026-06-09 21:15:36 -04:00
Mason Daugherty
e16386d3b2 release(langchain): 1.3.6 (#38001) langchain==1.3.6 2026-06-09 20:50:17 -04:00
Mason Daugherty
8c5b36c851 fix(langchain): preserve summarization trigger compatibility (#38000)
`SummarizationMiddleware` now uses `_trigger_clauses` as the canonical
internal representation for AND/OR trigger evaluation while keeping
`_trigger_conditions` as a tuple-shaped compatibility view. This keeps
the new dict-style `TriggerClause` behavior intact without breaking
private consumers that still inspect the old tuple-normalized trigger
state.

## Changes
- Added `_trigger_clauses` as the source of truth for summarization
trigger evaluation, profile requirement checks, and compound AND clause
handling.
- Restored `_trigger_conditions` as a legacy compatibility projection
for tuple-expressible triggers, so tuple and single-key dict triggers
remain visible in the previous private shape.
- Avoided misrepresenting compound `TriggerClause` inputs like
`{"tokens": 1000, "messages": 5}` as independent OR-style tuple
conditions.
2026-06-09 20:49:15 -04:00
Mason Daugherty
90b2f94583 release(langchain): 1.3.5 (#37998) langchain==1.3.5 2026-06-09 19:54:27 -04:00
James
05fe08201c feat(langchain): port AND-capable trigger conditions to SummarizationMiddleware (#34576)
Closes #34442

[Docs](https://github.com/langchain-ai/docs/pull/4377)

---

Add parity with LangChain.js trigger semantics for Python
`SummarizationMiddleware`. `trigger` can now express AND conditions
within a single dict-style `TriggerClause` while preserving the existing
tuple and list-of-tuples behavior.

A simple user story: a support agent is helping debug an issue over a
long conversation. One tool call may return a large log snippet, briefly
pushing the token count over a limit, but the conversation is still only
a few messages long and the recent context is valuable. Separately, the
user may send many short follow-up messages that increase message count
without using much context.

With `trigger={"tokens": 4000, "messages": 10}`, both thresholds must be
met at the same time: at least 4,000 tokens and at least 10 messages.
This means 5,000 tokens across only 3 messages does not summarize, and
20 short messages totaling only 1,000 tokens does not summarize either.
Summarization waits until the conversation is large enough by both
measures, making it less likely to discard useful recent context too
early.

## Changes

- Add `TriggerClause` support so `trigger={"tokens": 4000, "messages":
10}` only summarizes when all configured thresholds are met
- Export `TriggerClause` from `langchain.agents.middleware` so users can
import and annotate dict-style trigger clauses from the public
middleware entrypoint
- Normalize tuple and mapping trigger inputs through
`_normalize_trigger`, preserving existing `ContextSize` tuple semantics
as single-condition clauses
- Defensively copy mutable trigger list and dict inputs during
initialization so caller-side mutations do not change the middleware's
stored public configuration after construction
- Keep list inputs as OR semantics across clauses, including mixed lists
like `[{"tokens": 4000, "messages": 10}, ("messages", 50)]`
- Update `_should_summarize` to evaluate AND within each clause and OR
across clauses for `tokens`, `messages`, and `fraction`
- Update the docs and API link map so `TriggerClause` resolves in the
Python middleware docs
- Preserve tuple-trigger compatibility while allowing message-based
`keep` configurations to summarize at least one message when a trigger
fires near the cutoff boundary

AI assistance was used to help draft and refine this contribution.

---------

Co-authored-by: Mason Daugherty <mason@langchain.dev>
Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-06-09 19:30:39 -04:00
Mason Daugherty
ac18ef5871 docs(core): document multimodal handling in get_buffer_string (#37994)
Clarifies how `get_buffer_string` treats multimodal message content
across output formats. The docs now make the default prefix format's
text-only behavior explicit and point users to XML when they need
structured multimodal block representations.

This behavior may change in future iterations
2026-06-09 17:28:44 -04:00
Mason Daugherty
53f2ad18a0 release(perplexity): 1.4.0 (#37993) langchain-perplexity==1.4.0 2026-06-09 17:18:28 -04:00
rbuchmayer-pplx
de9502525a feat(perplexity): bind_tools and Responses-API tool round-trip (#37934)
## Summary

Follow-up to #37911 (released in `langchain-perplexity` 1.3.2). That PR
fixed the outbound `ToolMessage` / `AIMessage.tool_calls` serialization;
this one implements **`ChatPerplexity.bind_tools`**, which flips
`has_tool_calling` to `True` and lights up the full `langchain-tests`
standard tool-calling suite — the suite that would have caught #37911 in
the first place.

Verified live against the Perplexity Agent API (`openai/gpt-5.5`,
`use_responses_api=True`): a client-side function-tool round-trip
(invoke + stream) works end-to-end.

## Core change (the `bind_tools` work + the Responses-API follow-up)

- **`bind_tools`** mirrors `langchain-openai`: converts tools via
`convert_to_openai_tool`, normalizes `tool_choice`, and passes
Perplexity built-in tools (`web_search`, etc.) through unchanged.
- **`_to_responses_payload`** now translates tool turns into the
Responses (Agent) API's typed input items: `AIMessage.tool_calls` →
`function_call`, `ToolMessage` → `function_call_output`, and flattens
function tool specs. (The Responses API has no `tool` role, so this
translation is required for round-trips.)

## Changes required to make standard-suite tests pass on the Responses
route

- Streaming: `_convert_responses_stream_event_to_chunk` emits a
`tool_call_chunk` on `response.output_item.done` function calls —
required by `test_tool_calling` (which streams and asserts tool calls).
- `_content_to_text` reduces list-shaped assistant content to text in
the tool-call branch — required by `test_agent_loop` and
`test_tool_message_histories_list_content`.
- `response_metadata["model_name"]` on the Responses route, mirroring
Chat Completions — required by `test_usage_metadata` /
`test_usage_metadata_streaming` (used by `langchain_core` usage
callbacks).

## Tests

- `sonar` standard class marked `has_tool_calling=False` (the family
returns 400 "Tool calling is not supported for this model").
- New `TestPerplexityResponsesStandard` runs the full suite on
`openai/gpt-5.5` + `use_responses_api` with `has_tool_choice=False`:
**35 passed, 13 skipped, 2 xfailed**.
- The 2 xfails (`test_unicode_tool_call_integration`,
`test_structured_few_shot_examples`) hard-code `tool_choice="any"`. The
Responses (Agent) API does not support `tool_choice` (verified: every
form returns HTTP 200 without forcing a call), which `ChatPerplexity`
surfaces as `ValueError` — **existing behavior, unchanged here.**
Softening that to a warning can be a separate change.

`make format lint` clean; unit + standard tests green.

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Mason Daugherty <mason@langchain.dev>
Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-06-09 17:14:50 -04:00
Mason Daugherty
fac194b34f ci(infra): restore release validation coverage (#37992)
Release validation now covers the release paths that were intended but
not actually exercised. Manual core and `langchain_v1` releases use
short dropdown inputs, so the dependent-package test gate needs to match
those values in addition to full `libs/...` paths.
2026-06-09 16:55:00 -04:00
Mason Daugherty
c0103c3d2c hotfix(openai): min core dep (#37990) langchain-openai==1.3.0 2026-06-09 16:32:08 -04:00
Mason Daugherty
c15cfe21b6 release(core): 1.4.3 (#37991) langchain-core==1.4.3 2026-06-09 16:27:57 -04:00
Mason Daugherty
c7d01d5270 release(openai): 1.3.0 (#37989) 2026-06-09 16:15:29 -04:00
Nidhi Rajani
0f45b2c285 feat(openai): support apply_patch built-in tool (#37157)
[Docs](https://github.com/langchain-ai/docs/pull/4370)

Fixes #37031

Adds support for OpenAI Responses API `apply_patch` built-in tool.

This PR:
- Adds `apply_patch` to the OpenAI well-known tools list so
`bind_tools([{"type": "apply_patch"}])` works.
- Preserves `apply_patch_call` and `apply_patch_call_output` items when
converting OpenAI Responses API outputs into LangChain
`AIMessage.content`.
- Preserves the same item types in streaming `AIMessageChunk`
conversion.
- Supports round-trip input conversion for `apply_patch_call` and
`apply_patch_call_output`.
- Adds unit tests for core tool passthrough, non-streaming conversion,
streaming conversion, and round-trip input conversion.

## Testing

- `cd libs/core && uv run --group test pytest
tests/unit_tests/utils/test_function_calling.py -k "apply_patch" -vv`
- `cd libs/partners/openai && uv run --group test pytest
tests/unit_tests/chat_models/test_base.py -k "apply_patch" -vv`
- `cd libs/core && uv run --all-groups ruff check
langchain_core/utils/function_calling.py
tests/unit_tests/utils/test_function_calling.py`
- `cd libs/partners/openai && uv run --all-groups ruff check
langchain_openai/chat_models/base.py
tests/unit_tests/chat_models/test_base.py`

---------

Co-authored-by: Mason Daugherty <github@mdrxy.com>
Co-authored-by: Mason Daugherty <mason@langchain.dev>
2026-06-09 16:13:37 -04:00
langchain-model-profile-bot[bot]
7e9c916c7e chore(model-profiles): refresh model profile data (#37973)
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.

🤖 Generated by the `refresh_model_profiles` workflow.

Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
2026-06-09 09:59:24 -04:00
Mason Daugherty
e096992984 release(core): 1.4.2 (#37968) langchain-core==1.4.2 2026-06-08 14:16:11 -04:00
Christophe Bornet
74c23741b0 feat(core): deprecate problematic dict() method (#31685)
`dict()` is a problematic method name as it clashes with the builtin
`dict` used as a type annotation.
This PR replaces it with an `asdict` method (inspired by dataclasses).
It also fixes a few places where `dict` must be replaced by
`builtins.dict` until the `dict()` method is removed.

---------

Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-06-08 14:11:05 -04:00
Mason Daugherty
f9f11527f6 fix(standard-tests): serialize BytesIO bodies in VCR cassettes (#37963)
The custom VCR serializer pipes the cassette dict through
`yaml.safe_dump`, which raises on stream objects — so any request with
an `io.BytesIO` body (multipart/file-upload endpoints) couldn't be
recorded. A new `_coerce_bytesio` helper walks the cassette and replaces
each `BytesIO` with its raw bytes before dumping.
2026-06-08 11:17:12 -04:00
langchain-model-profile-bot[bot]
4bd3b6ab64 chore(model-profiles): refresh model profile data (#37958)
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.

🤖 Generated by the `refresh_model_profiles` workflow.

Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
2026-06-08 10:09:26 -04:00
dependabot[bot]
8fed1dd641 chore: bump pyarrow from 21.0.0 to 23.0.1 in /libs/langchain_v1 (#37930)
Bumps [pyarrow](https://github.com/apache/arrow) from 21.0.0 to 23.0.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/apache/arrow/releases">pyarrow's
releases</a>.</em></p>
<blockquote>
<h2>Apache Arrow 23.0.1</h2>
<p>Release Notes URL: <a
href="https://arrow.apache.org/release/23.0.1.html">https://arrow.apache.org/release/23.0.1.html</a></p>
<h2>Apache Arrow 23.0.1 RC0</h2>
<p>Release Notes: Release Candidate: 23.0.1 RC0</p>
<h2>Apache Arrow 23.0.0</h2>
<p>Release Notes URL: <a
href="https://arrow.apache.org/release/23.0.0.html">https://arrow.apache.org/release/23.0.0.html</a></p>
<h2>Apache Arrow 23.0.0 RC2</h2>
<p>Release Notes: Release Candidate: 23.0.0 RC2</p>
<h2>Apache Arrow 22.0.0</h2>
<p>Release Notes URL: <a
href="https://arrow.apache.org/release/22.0.0.html">https://arrow.apache.org/release/22.0.0.html</a></p>
<h2>Apache Arrow 22.0.0 RC1</h2>
<p>Release Notes: Release Candidate: 22.0.0 RC1</p>
<h2>Apache Arrow 22.0.0 RC0</h2>
<p>Release Notes: Release Candidate: 22.0.0 RC0</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="82a374e5f3"><code>82a374e</code></a>
MINOR: [Release] Update versions for 23.0.1</li>
<li><a
href="c1ae37c4a5"><code>c1ae37c</code></a>
MINOR: [Release] Update .deb/.rpm changelogs for 23.0.1</li>
<li><a
href="8f6e55736f"><code>8f6e557</code></a>
MINOR: [Release] Update CHANGELOG.md for 23.0.1</li>
<li><a
href="4e16a1aeed"><code>4e16a1a</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49159">GH-49159</a>:
[C++][Gandiva] Detect overflow in repeat() (<a
href="https://redirect.github.com/apache/arrow/issues/49160">#49160</a>)</li>
<li><a
href="985621dbfc"><code>985621d</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/48817">GH-48817</a>
[R][C++] Bump C++20 in R build infrastructure (<a
href="https://redirect.github.com/apache/arrow/issues/48819">#48819</a>)</li>
<li><a
href="1bea06ad4e"><code>1bea06a</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49024">GH-49024</a>:
[CI] Update Debian version in <code>.env</code> (<a
href="https://redirect.github.com/apache/arrow/issues/49032">#49032</a>)</li>
<li><a
href="147bcd6d8f"><code>147bcd6</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49156">GH-49156</a>:
[Python] Require GIL for string comparison (<a
href="https://redirect.github.com/apache/arrow/issues/49161">#49161</a>)</li>
<li><a
href="e4f922b162"><code>e4f922b</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49138">GH-49138</a>:
[Packaging][Python] Remove nightly cython install from manylinux
wh...</li>
<li><a
href="f9376e4721"><code>f9376e4</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49003">GH-49003</a>:
[C++] Don't consider <code>out_of_range</code> an error in float parsing
(<a
href="https://redirect.github.com/apache/arrow/issues/49095">#49095</a>)</li>
<li><a
href="ab2c0ad6b2"><code>ab2c0ad</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49044">GH-49044</a>:
[CI][Python] Fix test_download_tzdata_on_windows by adding
required...</li>
<li>Additional commits viewable in <a
href="https://github.com/apache/arrow/compare/apache-arrow-21.0.0...apache-arrow-23.0.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pyarrow&package-manager=uv&previous-version=21.0.0&new-version=23.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: John Kennedy <65985482+jkennedyvz@users.noreply.github.com>
2026-06-07 20:20:00 +00:00
langchain-model-profile-bot[bot]
9fa4d7b6a1 chore(model-profiles): refresh model profile data (#37936)
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.

🤖 Generated by the `refresh_model_profiles` workflow.

Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
2026-06-07 16:16:29 -04:00
dependabot[bot]
ad8c0fc4cc chore: bump pyarrow from 22.0.0 to 23.0.1 in /libs/partners/nomic (#37931)
Bumps [pyarrow](https://github.com/apache/arrow) from 22.0.0 to 23.0.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/apache/arrow/releases">pyarrow's
releases</a>.</em></p>
<blockquote>
<h2>Apache Arrow 23.0.1</h2>
<p>Release Notes URL: <a
href="https://arrow.apache.org/release/23.0.1.html">https://arrow.apache.org/release/23.0.1.html</a></p>
<h2>Apache Arrow 23.0.1 RC0</h2>
<p>Release Notes: Release Candidate: 23.0.1 RC0</p>
<h2>Apache Arrow 23.0.0</h2>
<p>Release Notes URL: <a
href="https://arrow.apache.org/release/23.0.0.html">https://arrow.apache.org/release/23.0.0.html</a></p>
<h2>Apache Arrow 23.0.0 RC2</h2>
<p>Release Notes: Release Candidate: 23.0.0 RC2</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="82a374e5f3"><code>82a374e</code></a>
MINOR: [Release] Update versions for 23.0.1</li>
<li><a
href="c1ae37c4a5"><code>c1ae37c</code></a>
MINOR: [Release] Update .deb/.rpm changelogs for 23.0.1</li>
<li><a
href="8f6e55736f"><code>8f6e557</code></a>
MINOR: [Release] Update CHANGELOG.md for 23.0.1</li>
<li><a
href="4e16a1aeed"><code>4e16a1a</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49159">GH-49159</a>:
[C++][Gandiva] Detect overflow in repeat() (<a
href="https://redirect.github.com/apache/arrow/issues/49160">#49160</a>)</li>
<li><a
href="985621dbfc"><code>985621d</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/48817">GH-48817</a>
[R][C++] Bump C++20 in R build infrastructure (<a
href="https://redirect.github.com/apache/arrow/issues/48819">#48819</a>)</li>
<li><a
href="1bea06ad4e"><code>1bea06a</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49024">GH-49024</a>:
[CI] Update Debian version in <code>.env</code> (<a
href="https://redirect.github.com/apache/arrow/issues/49032">#49032</a>)</li>
<li><a
href="147bcd6d8f"><code>147bcd6</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49156">GH-49156</a>:
[Python] Require GIL for string comparison (<a
href="https://redirect.github.com/apache/arrow/issues/49161">#49161</a>)</li>
<li><a
href="e4f922b162"><code>e4f922b</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49138">GH-49138</a>:
[Packaging][Python] Remove nightly cython install from manylinux
wh...</li>
<li><a
href="f9376e4721"><code>f9376e4</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49003">GH-49003</a>:
[C++] Don't consider <code>out_of_range</code> an error in float parsing
(<a
href="https://redirect.github.com/apache/arrow/issues/49095">#49095</a>)</li>
<li><a
href="ab2c0ad6b2"><code>ab2c0ad</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49044">GH-49044</a>:
[CI][Python] Fix test_download_tzdata_on_windows by adding
required...</li>
<li>Additional commits viewable in <a
href="https://github.com/apache/arrow/compare/apache-arrow-22.0.0...apache-arrow-23.0.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pyarrow&package-manager=uv&previous-version=22.0.0&new-version=23.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-07 13:15:04 -07:00
dependabot[bot]
2ef987bf7d chore: bump pyarrow from 21.0.0 to 23.0.1 in /libs/langchain (#37929)
Bumps [pyarrow](https://github.com/apache/arrow) from 21.0.0 to 23.0.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/apache/arrow/releases">pyarrow's
releases</a>.</em></p>
<blockquote>
<h2>Apache Arrow 23.0.1</h2>
<p>Release Notes URL: <a
href="https://arrow.apache.org/release/23.0.1.html">https://arrow.apache.org/release/23.0.1.html</a></p>
<h2>Apache Arrow 23.0.1 RC0</h2>
<p>Release Notes: Release Candidate: 23.0.1 RC0</p>
<h2>Apache Arrow 23.0.0</h2>
<p>Release Notes URL: <a
href="https://arrow.apache.org/release/23.0.0.html">https://arrow.apache.org/release/23.0.0.html</a></p>
<h2>Apache Arrow 23.0.0 RC2</h2>
<p>Release Notes: Release Candidate: 23.0.0 RC2</p>
<h2>Apache Arrow 22.0.0</h2>
<p>Release Notes URL: <a
href="https://arrow.apache.org/release/22.0.0.html">https://arrow.apache.org/release/22.0.0.html</a></p>
<h2>Apache Arrow 22.0.0 RC1</h2>
<p>Release Notes: Release Candidate: 22.0.0 RC1</p>
<h2>Apache Arrow 22.0.0 RC0</h2>
<p>Release Notes: Release Candidate: 22.0.0 RC0</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="82a374e5f3"><code>82a374e</code></a>
MINOR: [Release] Update versions for 23.0.1</li>
<li><a
href="c1ae37c4a5"><code>c1ae37c</code></a>
MINOR: [Release] Update .deb/.rpm changelogs for 23.0.1</li>
<li><a
href="8f6e55736f"><code>8f6e557</code></a>
MINOR: [Release] Update CHANGELOG.md for 23.0.1</li>
<li><a
href="4e16a1aeed"><code>4e16a1a</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49159">GH-49159</a>:
[C++][Gandiva] Detect overflow in repeat() (<a
href="https://redirect.github.com/apache/arrow/issues/49160">#49160</a>)</li>
<li><a
href="985621dbfc"><code>985621d</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/48817">GH-48817</a>
[R][C++] Bump C++20 in R build infrastructure (<a
href="https://redirect.github.com/apache/arrow/issues/48819">#48819</a>)</li>
<li><a
href="1bea06ad4e"><code>1bea06a</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49024">GH-49024</a>:
[CI] Update Debian version in <code>.env</code> (<a
href="https://redirect.github.com/apache/arrow/issues/49032">#49032</a>)</li>
<li><a
href="147bcd6d8f"><code>147bcd6</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49156">GH-49156</a>:
[Python] Require GIL for string comparison (<a
href="https://redirect.github.com/apache/arrow/issues/49161">#49161</a>)</li>
<li><a
href="e4f922b162"><code>e4f922b</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49138">GH-49138</a>:
[Packaging][Python] Remove nightly cython install from manylinux
wh...</li>
<li><a
href="f9376e4721"><code>f9376e4</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49003">GH-49003</a>:
[C++] Don't consider <code>out_of_range</code> an error in float parsing
(<a
href="https://redirect.github.com/apache/arrow/issues/49095">#49095</a>)</li>
<li><a
href="ab2c0ad6b2"><code>ab2c0ad</code></a>
<a
href="https://redirect.github.com/apache/arrow/issues/49044">GH-49044</a>:
[CI][Python] Fix test_download_tzdata_on_windows by adding
required...</li>
<li>Additional commits viewable in <a
href="https://github.com/apache/arrow/compare/apache-arrow-21.0.0...apache-arrow-23.0.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pyarrow&package-manager=uv&previous-version=21.0.0&new-version=23.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-07 13:14:58 -07:00
Mason Daugherty
cdafe607af release(perplexity): 1.3.2 (#37925) langchain-perplexity==1.3.2 2026-06-05 15:18:01 -04:00
rbuchmayer-pplx
1be54cc0e1 fix(perplexity): serialize ToolMessage and AIMessage.tool_calls (#37911)
Fixes #37912

`ChatPerplexity._convert_message_to_dict` raises `TypeError` on
`ToolMessage` and drops `AIMessage.tool_calls`, which breaks
tool-message round-trips through `ChatPerplexity` — a client-side
tool-calling loop, or a shared message history across providers via
`RunnableWithFallbacks`.

Repro:

```python
from langchain_perplexity import ChatPerplexity
from langchain_core.messages import ToolMessage

ChatPerplexity(model="sonar")._convert_message_to_dict(
    ToolMessage(content="result", tool_call_id="call_1")
)
# TypeError: Got unknown type content='result' tool_call_id='call_1'
```

An `AIMessage` carrying `tool_calls` also serializes to `{"role":
"assistant", "content": ...}` with the `tool_calls` silently dropped.

This brings the converter to parity with `langchain-openai`: serialize
`tool_calls` / `invalid_tool_calls`, send `content` as `null` when
tool_calls are present, and add a `tool`-role branch for `ToolMessage`.

How I verified: added unit tests for the `ToolMessage` and
`AIMessage.tool_calls` / `invalid_tool_calls` cases; the perplexity
package unit tests, lint, and format all pass.

Scope: translating these to the Responses (Agent) API's `function_call`
/ `function_call_output` input items is a separate follow-up; this PR is
the Chat Completions serialization parity fix.

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Mason Daugherty <mason@langchain.dev>
Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-06-05 15:14:42 -04:00
Mason Daugherty
1d09011b1d ci(infra): gate PyPI publish on prior-partner tests (#37923)
The `🚀 Publish to PyPI` job no longer starts until `🔄 Test prior
partners against new core` finishes. Previously that dependency was
commented out, so a core release could publish to PyPI in parallel
with—or before—the integration tests that install the new unreleased
core against already-published partner packages, defeating their purpose
as a pre-publish gate.

## Changes
- Add `test-prior-published-packages-against-new-core` to the `publish`
job's `needs`, so publishing blocks on those partner integration tests
completing.
- The existing `if: ${{ !cancelled() && !failure() }}` guard is
unchanged: publish proceeds only if the gate **succeeded or was
skipped**, and fails closed if the partner tests fail. For non-core
releases the partner-test job short-circuits with `exit 0`, so this adds
no friction outside `libs/core` releases.
2026-06-05 11:01:12 -04:00
Mason Daugherty
a401351e12 release(core): 1.4.1 (#37922) langchain-core==1.4.1 2026-06-05 10:49:33 -04:00
Mason Daugherty
053c368ba4 fix(core): remove Bedrock prevalidation from load (#37909)
Removes the built-in Bedrock class init validator from `load` so Bedrock
kwargs such as `base_url` and `endpoint_url` are no longer specially
rejected during deserialization.

This keeps provider-specific SSRF policy out of core; callers should
continue to avoid untrusted manifests or use restrictive
`allowed_objects`.

Verified with `make format`, `make lint`, and the focused serialization
load unit tests.

AI-assisted contribution by Open SWE.

Made by [Open SWE](https://openswe.vercel.app)

---------

Co-authored-by: open-swe[bot] <215916821+open-swe[bot]@users.noreply.github.com>
2026-06-05 10:46:57 -04:00
langchain-model-profile-bot[bot]
0993edba86 chore(model-profiles): refresh model profile data (#37916)
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.

🤖 Generated by the `refresh_model_profiles` workflow.

Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
2026-06-05 10:37:10 -04:00
dependabot[bot]
6f7c8f5445 chore: bump starlette from 0.49.1 to 1.0.1 in /libs/langchain (#37899)
Bumps [starlette](https://github.com/Kludex/starlette) from 0.49.1 to
1.0.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/Kludex/starlette/releases">starlette's
releases</a>.</em></p>
<blockquote>
<h2>Version 1.0.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Ignore malformed <code>Host</code> header when constructing
<code>request.url</code> by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3279">Kludex/starlette#3279</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/starlette/compare/1.0.0...1.0.1">https://github.com/Kludex/starlette/compare/1.0.0...1.0.1</a></p>
<h2>Version 1.0.0</h2>
<p>Starlette 1.0 is here! 🎉</p>
<p>After nearly eight years since its creation, Starlette has reached
its first stable release.</p>
<p>A special thank you to <a
href="https://github.com/lovelydinosaur"><code>@​lovelydinosaur</code></a>,
the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped
to lay the foundation for the modern async Python ecosystem. 🙏</p>
<p>Thank you to <a
href="https://github.com/adriangb"><code>@​adriangb</code></a>, <a
href="https://github.com/graingert"><code>@​graingert</code></a>, <a
href="https://github.com/agronholm"><code>@​agronholm</code></a>, <a
href="https://github.com/florimondmanca"><code>@​florimondmanca</code></a>,
<a href="https://github.com/aminalaee"><code>@​aminalaee</code></a>, <a
href="https://github.com/tiangolo"><code>@​tiangolo</code></a>, <a
href="https://github.com/alex-oleshkevich"><code>@​alex-oleshkevich</code></a>,
<a href="https://github.com/abersheeran"><code>@​abersheeran</code></a>,
and <a href="https://github.com/uSpike"><code>@​uSpike</code></a> for
helping make Starlette what it is today. And to all my sponsors -
especially <a
href="https://github.com/tiangolo"><code>@​tiangolo</code></a>, <a
href="https://github.com/huggingface"><code>@​huggingface</code></a>,
and <a
href="https://github.com/elevenlabs"><code>@​elevenlabs</code></a> -
thank you for your support!</p>
<p>Thank you to all <a
href="https://github.com/encode/starlette/graphs/contributors">290+
contributors</a> who have shaped Starlette over the years! ❤️</p>
<p>Read more on the <a
href="https://marcelotryle.com/blog/2026/03/22/starlette-10-is-here/">blog
post</a>.</p>
<p>Check out the full release notes at <a
href="https://www.starlette.io/release-notes/#100-march-22-2026">https://www.starlette.io/release-notes/#100-march-22-2026</a></p>
<hr />
<p><strong>Full Changelog</strong>: <a
href="https://github.com/encode/starlette/compare/1.0.0rc1...1.0.0">https://github.com/encode/starlette/compare/1.0.0rc1...1.0.0</a></p>
<h2>Version 1.0.0rc1</h2>
<p>We're ready! 🚀</p>
<p>The first release candidate for Starlette 1.0 is here! After years on
ZeroVer, we're finally making the jump.</p>
<p>This release removes all deprecated features marked for 1.0.0, along
with some last-minute bug fixes.</p>
<p>A special thank you to <a
href="https://github.com/lovelydinosaur"><code>@​lovelydinosaur</code></a>,
the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped
to lay the foundation for the modern async Python ecosystem. 🙏</p>
<p>Thank you to <a
href="https://github.com/adriangb"><code>@​adriangb</code></a>, <a
href="https://github.com/graingert"><code>@​graingert</code></a>, <a
href="https://github.com/agronholm"><code>@​agronholm</code></a>, <a
href="https://github.com/florimondmanca"><code>@​florimondmanca</code></a>,
<a href="https://github.com/aminalaee"><code>@​aminalaee</code></a>, <a
href="https://github.com/tiangolo"><code>@​tiangolo</code></a>, <a
href="https://github.com/alex-oleshkevich"><code>@​alex-oleshkevich</code></a>,
and <a
href="https://github.com/abersheeran"><code>@​abersheeran</code></a> for
helping make Starlette what it is today. And to all my sponsors -
especially <a
href="https://github.com/tiangolo"><code>@​tiangolo</code></a>, <a
href="https://github.com/huggingface"><code>@​huggingface</code></a>,
and <a
href="https://github.com/elevenlabs"><code>@​elevenlabs</code></a> -
thank you for your support!</p>
<p>Thank you to all <a
href="https://github.com/encode/starlette/graphs/contributors">290+
contributors</a> who have shaped Starlette over the years!</p>
<p>Check out the full release notes at <a
href="https://www.starlette.io/release-notes/#100rc1-february-23-2026">https://www.starlette.io/release-notes/#100rc1-february-23-2026</a></p>
<hr />
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/starlette/compare/0.52.1...1.0.0rc1">https://github.com/Kludex/starlette/compare/0.52.1...1.0.0rc1</a></p>
<h2>Version 0.52.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Only use <code>typing_extensions</code> in older Python versions by
<a href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3109">Kludex/starlette#3109</a></li>
</ul>
<hr />
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/Kludex/starlette/blob/main/docs/release-notes.md">starlette's
changelog</a>.</em></p>
<blockquote>
<h2>1.0.1 (May 21, 2026)</h2>
<h4>Fixed</h4>
<ul>
<li>Ignore malformed <code>Host</code> header when constructing
<code>request.url</code> <a
href="https://redirect.github.com/encode/starlette/pull/3279">#3279</a>.</li>
</ul>
<h2>1.0.0 (March 22, 2026)</h2>
<p>Starlette 1.0 is here!</p>
<p>After nearly eight years since its creation, Starlette has reached
its first stable release.
Thank you to everyone who tested the release candidate and reported
issues.</p>
<p>You can read more on the <a
href="https://marcelotryle.com/blog/2026/03/22/starlette-10-is-here/">blog
post</a>.</p>
<h4>Added</h4>
<ul>
<li>Track session access and modification in
<code>SessionMiddleware</code> <a
href="https://redirect.github.com/encode/starlette/pull/3166">#3166</a>.</li>
</ul>
<h4>Fixed</h4>
<ul>
<li>Handle websocket denial responses in <code>StreamingResponse</code>
and <code>FileResponse</code> <a
href="https://redirect.github.com/encode/starlette/pull/3189">#3189</a>.</li>
<li>Use <code>bytearray</code> for field accumulation in
<code>FormParser</code> <a
href="https://redirect.github.com/encode/starlette/pull/3179">#3179</a>.</li>
<li>Move <code>parser.finalize()</code> inside try/except in
<code>MultiPartParser.parse()</code> <a
href="https://redirect.github.com/encode/starlette/pull/3153">#3153</a>.</li>
</ul>
<h2>1.0.0rc1 (February 23, 2026)</h2>
<p>We're ready! I'm thrilled to announce the first release candidate for
Starlette 1.0.</p>
<p>Starlette was created in June 2018 by Tom Christie, and has been on
ZeroVer for years. Today, it's downloaded
almost <a href="https://pypistats.org/packages/starlette">10 million
times a day</a>, serves as the foundation for FastAPI,
and has inspired many other frameworks. In the age of AI, Starlette
continues to play an important role as a
dependency of the Python MCP SDK.</p>
<p>This release focuses on removing deprecated features that were marked
for removal in 1.0.0, along with some
last minute bug fixes. It's a release candidate, so we can gather
feedback from the community before the final
1.0.0 release soon.</p>
<p>A huge thank you to all the contributors who have helped make
Starlette what it is today.
In particular, I'd like to recognize:</p>
<ul>
<li><a href="https://github.com/lovelydinosaur">Kim Christie</a> - The
original creator of Starlette, Uvicorn, and MkDocs, and the
current maintainer of HTTPX. Kim's work helped lay the foundation for
the modern async Python ecosystem.</li>
<li><a href="https://github.com/adriangb">Adrian Garcia Badaracco</a> -
One of the smartest people I know, whom I have the pleasure of working
with at Pydantic.</li>
<li><a href="https://github.com/graingert">Thomas Grainger</a> - My
async teacher, always ready to help with questions.</li>
<li><a href="https://github.com/agronholm">Alex Grönholm</a> - Another
async mentor, always prompt to help with questions.</li>
<li><a href="https://github.com/florimondmanca">Florimond Manca</a> -
Always present in the early days of both Starlette and Uvicorn, and
helped a lot in the ecosystem.</li>
<li><a href="https://github.com/aminalaee">Amin Alaee</a> - Contributed
a lot with file-related PRs.</li>
<li><a href="https://github.com/tiangolo">Sebastián Ramírez</a> -
Maintains FastAPI upstream, and always in contact to help with upstream
issues.</li>
<li><a href="https://github.com/alex-oleshkevich">Alex Oleshkevich</a> -
Helped a lot on templates and many discussions.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="48f8e331b2"><code>48f8e33</code></a>
Version 1.0.1 (<a
href="https://redirect.github.com/Kludex/starlette/issues/3281">#3281</a>)</li>
<li><a
href="f078832be1"><code>f078832</code></a>
Remove Hugging Face sponsor block from docs (<a
href="https://redirect.github.com/Kludex/starlette/issues/3280">#3280</a>)</li>
<li><a
href="472951eba8"><code>472951e</code></a>
chore(deps): bump the github-actions group with 2 updates (<a
href="https://redirect.github.com/Kludex/starlette/issues/3277">#3277</a>)</li>
<li><a
href="764dab0dcf"><code>764dab0</code></a>
Ignore malformed <code>Host</code> header when constructing
<code>request.url</code> (<a
href="https://redirect.github.com/Kludex/starlette/issues/3279">#3279</a>)</li>
<li><a
href="19d08115ce"><code>19d0811</code></a>
Harden GitHub Actions workflows and Dependabot config (<a
href="https://redirect.github.com/Kludex/starlette/issues/3276">#3276</a>)</li>
<li><a
href="01f4637812"><code>01f4637</code></a>
chore(deps): bump idna from 3.10 to 3.15 (<a
href="https://redirect.github.com/Kludex/starlette/issues/3274">#3274</a>)</li>
<li><a
href="b8fa5140d2"><code>b8fa514</code></a>
docs: fix typos in TestClient docs and test_requests comment (<a
href="https://redirect.github.com/Kludex/starlette/issues/3266">#3266</a>)</li>
<li><a
href="e935b6b5d4"><code>e935b6b</code></a>
fix uvicorn domain (<a
href="https://redirect.github.com/Kludex/starlette/issues/3269">#3269</a>)</li>
<li><a
href="96af9521a7"><code>96af952</code></a>
Add 7-day cooldown for dependency resolution via uv exclude-newer (<a
href="https://redirect.github.com/Kludex/starlette/issues/3265">#3265</a>)</li>
<li><a
href="61e385bd6d"><code>61e385b</code></a>
Add zizmor GitHub Actions security analysis workflow (<a
href="https://redirect.github.com/Kludex/starlette/issues/3264">#3264</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/Kludex/starlette/compare/0.49.1...1.0.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=starlette&package-manager=uv&previous-version=0.49.1&new-version=1.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-04 15:52:20 -04:00
Mason Daugherty
586bcd46a1 docs(core): expand and link ModelProfile docstrings (#37904)
Rewrote the `ModelProfile` docstrings to point readers at canonical
docs. The class docstring now explains how profiles are accessed and
where the data comes from, and several terse field docstrings gain a
one-line clarification or a link to the relevant guide.
2026-06-04 15:43:22 -04:00
dependabot[bot]
9eab5237cc chore: bump requests from 2.34.0 to 2.34.2 in /libs/partners/xai (#37903)
Bumps [requests](https://github.com/psf/requests) from 2.34.0 to 2.34.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/psf/requests/releases">requests's
releases</a>.</em></p>
<blockquote>
<h2>v2.34.2</h2>
<h2>2.34.2 (2026-05-14)</h2>
<ul>
<li>Moved <code>headers</code> input type back to <code>Mapping</code>
to avoid invariance issues with <code>MutableMapping</code> and inferred
dict types. Users calling <code>Request.headers.update()</code> may need
to narrow typing in their code. (<a
href="https://redirect.github.com/psf/requests/issues/7441">#7441</a>)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/psf/requests/blob/main/HISTORY.md#2342-2026-05-14">https://github.com/psf/requests/blob/main/HISTORY.md#2342-2026-05-14</a></p>
<h2>v2.34.1</h2>
<h2>2.34.1 (2026-05-13)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Widened <code>json</code> input type from <code>dict</code> and
<code>list</code> to <code>Mapping</code>
and <code>Sequence</code>. (<a
href="https://redirect.github.com/psf/requests/issues/7436">#7436</a>)</li>
<li>Changed <code>headers</code> input type to MutableMapping and
removed <code>None</code> from
<code>Request.headers</code> typing to improve handling for users. (<a
href="https://redirect.github.com/psf/requests/issues/7431">#7431</a>)</li>
<li><code>Response.reason</code> moved from <code>str | None</code> to
<code>str</code> to improve handling
for users. (<a
href="https://redirect.github.com/psf/requests/issues/7437">#7437</a>)</li>
<li>Fixed a bug where some bodies with custom <code>__getattr__</code>
implementations
weren't being properly detected as Iterables. (<a
href="https://redirect.github.com/psf/requests/issues/7433">#7433</a>)</li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/k223kim"><code>@​k223kim</code></a> made
their first contribution in <a
href="https://redirect.github.com/psf/requests/pull/7433">psf/requests#7433</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/psf/requests/blob/main/HISTORY.md#2341-2026-05-13">https://github.com/psf/requests/blob/main/HISTORY.md#2341-2026-05-13</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's
changelog</a>.</em></p>
<blockquote>
<h2>2.34.2 (2026-05-14)</h2>
<ul>
<li>Moved <code>headers</code> input type back to <code>Mapping</code>
to avoid invariance issues
with <code>MutableMapping</code> and inferred dict types. Users calling
<code>Request.headers.update()</code> may need to narrow typing in their
code. (<a
href="https://redirect.github.com/psf/requests/issues/7441">#7441</a>)</li>
</ul>
<h2>2.34.1 (2026-05-13)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Widened <code>json</code> input type from <code>dict</code> and
<code>list</code> to <code>Mapping</code>
and <code>Sequence</code>. (<a
href="https://redirect.github.com/psf/requests/issues/7436">#7436</a>)</li>
<li>Changed <code>headers</code> input type to MutableMapping and
removed <code>None</code> from
<code>Request.headers</code> typing to improve handling for users. (<a
href="https://redirect.github.com/psf/requests/issues/7431">#7431</a>)</li>
<li><code>Response.reason</code> moved from <code>str | None</code> to
<code>str</code> to improve handling
for users. (<a
href="https://redirect.github.com/psf/requests/issues/7437">#7437</a>)</li>
<li>Fixed a bug where some bodies with custom <code>__getattr__</code>
implementations
weren't being properly detected as Iterables. (<a
href="https://redirect.github.com/psf/requests/issues/7433">#7433</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="6e83187b8f"><code>6e83187</code></a>
v2.34.2</li>
<li><a
href="84d10f0be8"><code>84d10f0</code></a>
Move Request.headers back to Mapping (<a
href="https://redirect.github.com/psf/requests/issues/7441">#7441</a>)</li>
<li><a
href="b7b549b545"><code>b7b549b</code></a>
v2.34.1</li>
<li><a
href="e511bc7277"><code>e511bc7</code></a>
Fix mutability issues with headers input types (<a
href="https://redirect.github.com/psf/requests/issues/7431">#7431</a>)</li>
<li><a
href="5691f59613"><code>5691f59</code></a>
Update JsonType containers to read-based collections (<a
href="https://redirect.github.com/psf/requests/issues/7436">#7436</a>)</li>
<li><a
href="2144213c30"><code>2144213</code></a>
Constrain Response.reason to str (<a
href="https://redirect.github.com/psf/requests/issues/7437">#7437</a>)</li>
<li><a
href="6404f345e5"><code>6404f34</code></a>
Fix <code>prepare_body</code> stream detection for
<code>__getattr__</code>-based file wrappers (<a
href="https://redirect.github.com/psf/requests/issues/7">#7</a>...</li>
<li>See full diff in <a
href="https://github.com/psf/requests/compare/v2.34.0...v2.34.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=requests&package-manager=uv&previous-version=2.34.0&new-version=2.34.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-04 14:30:03 -04:00
Mason Daugherty
be2e8f70bc ci(infra): add exclude input to skip libs in scheduled integration tests (#37902) 2026-06-04 13:55:02 -04:00
Mason Daugherty
3b999176c8 test(langchain,partners): disable pytest-benchmark under xdist to silence PytestBenchmarkWarning (#37901)
Test targets run with `-n auto`, which makes `pytest-benchmark` (present
via `langchain-tests`) auto-disable itself and emit a
`PytestBenchmarkWarning` once per xdist worker. Passing
`--benchmark-disable` turns the plugin off explicitly so the warning
never fires, matching what `core` and `langchain_v1` already do.

## Changes
- Add `--benchmark-disable` to the `-n auto` test targets across
`langchain` (unit) and 14 partner packages' integration targets:
`anthropic`, `chroma`, `deepseek`, `exa`, `fireworks`, `groq`,
`huggingface`, `mistralai`, `nomic`, `ollama`, `openai`, `openrouter`,
`qdrant`, `xai`.
- Deliberately excluded `text-splitters` and `model-profiles`: their
`test` group doesn't install `pytest-benchmark`, so the flag would fail
with `unrecognized arguments`. Verified by importing the plugin under
each package's actual dependency group before editing.
2026-06-04 13:25:26 -04:00
Mason Daugherty
34af59c1a6 fix(partners): cap aiohttp below 3.14 for vcrpy compat (#37898)
aiohttp **3.14.0** (released 2026-06-01) removed
`aiohttp.streams.AsyncStreamReaderMixin`. The current release of `vcrpy`
(8.1.1) still subclasses it in its aiohttp stub:

```python
class MockStream(asyncio.StreamReader, streams.AsyncStreamReaderMixin):
```

As a result, the VCR fixture fails to import during test setup, and the
scheduled integration tests for the `fireworks` and `xai` partners error
out at `test_stream_time`:

```
AttributeError: module 'aiohttp.streams' has no attribute 'AsyncStreamReaderMixin'
```

Only these two partners are affected because their SDKs use `aiohttp`,
so VCR loads its aiohttp stub; partners on `httpx` (e.g. `anthropic`,
`openai`) are unaffected.

This is an upstream incompatibility tracked at kevin1024/vcrpy#995, with
a fix in kevin1024/vcrpy#996 that has not yet been released.

Until a fixed `vcrpy` ships, this caps `aiohttp<3.14.0` via `[tool.uv]
constraint-dependencies` (the same mechanism already used for the
`pygments` CVE pin) in both packages. Using a constraint rather than
tightening the published `aiohttp>=3.9.1,<4.0.0` range means the change
only affects local/CI resolution — the package metadata users install
against is untouched. Both lockfiles re-resolve to `aiohttp` 3.13.5,
which still provides the removed attribute. A code comment points back
to the upstream fix so the pin can be removed once it lands.
2026-06-04 10:44:21 -04:00
langchain-model-profile-bot[bot]
414d7b8e94 chore(model-profiles): refresh model profile data (#37895)
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.

🤖 Generated by the `refresh_model_profiles` workflow.

Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
2026-06-04 10:31:52 -04:00
John Kennedy
bae485bd5e chore: bump dependencies (#37892)
## Summary
- Bump `langsmith` in `libs/partners/huggingface/uv.lock` from 0.7.31 to
0.8.9
- Bump `langchain-classic` in `libs/langchain_v1/uv.lock` from 1.0.0 to
1.0.7
- Bump transitive `langsmith` in `libs/langchain_v1/uv.lock` from 0.8.0
to 0.8.9

## Notes
- The open Chroma alert currently has no patched version in GitHub
Dependabot metadata. `chromadb` is already at 1.5.9 on `master`, and
PyPI shows 1.5.9 as the latest available release.

## Testing
- `uv lock --check` in `libs/partners/huggingface`
- `uv lock --check` in `libs/langchain_v1`
- `uv lock --check` in `libs/partners/chroma`
- `git diff --check`
2026-06-03 20:29:57 -07:00
dependabot[bot]
1a2dcdeee9 chore: bump aiohttp from 3.13.4 to 3.14.0 in /libs/langchain_v1 (#37888)
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=aiohttp&package-manager=uv&previous-version=3.13.4&new-version=3.14.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: John Kennedy <65985482+jkennedyvz@users.noreply.github.com>
2026-06-04 03:05:18 +00:00
dependabot[bot]
dca3138e59 chore: bump aiohttp from 3.13.5 to 3.14.0 in /libs/partners/xai (#37887)
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=aiohttp&package-manager=uv&previous-version=3.13.5&new-version=3.14.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-03 20:00:02 -07:00
dependabot[bot]
e9f4182988 chore: bump aiohttp from 3.13.4 to 3.14.0 in /libs/langchain (#37889)
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=aiohttp&package-manager=uv&previous-version=3.13.4&new-version=3.14.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-03 20:00:00 -07:00