Mason Daugherty
7e81d09f2a
chore(deps): bump pytest to 9.0.3 ( #36801 )
...
CVE-2025-71176 (medium severity)
All are dev-only (test dependency group) — no impact on published
packages.
### Why syrupy was also bumped
syrupy 4.x (`<5.0.0`) constrains pytest to `<9.0.0`, blocking the CVE
fix. Widening to `<6.0.0` allows syrupy 5.x which supports pytest 9.x.
2026-04-15 21:46:40 -06:00
ccurme
00919ba4bb
release(openai): 1.1.13 ( #36729 )
2026-04-14 16:55:47 -04:00
John Kennedy
0f4f3f74c8
chore: pygments>=2.20.0 across all packages (CVE-2026-4539) ( #36385 )
...
## Summary
Bumps `pygments` to `>=2.20.0` across all 21 affected packages to
address [CVE-2026-4539](https://github.com/advisories/GHSA-XXXX) — ReDoS
via inefficient GUID regex in Pygments.
- **Severity:** Low
- **Fixed in:** 2.20.0 (was 2.19.2)
- **Change:** Added `pygments>=2.20.0` to `constraint-dependencies` in
`[tool.uv]` for each package, then ran `uv lock --upgrade-package
pygments` to regenerate lock files.
Closes Dependabot alerts #3435–#3455.
## Release Note
Patch deps
### Test Plan
- [x] CI Green 🙏
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-03-30 23:26:59 -04:00
ccurme
ad574fce0d
fix(openai): bump min core version ( #36180 )
2026-03-23 14:45:33 -04:00
ccurme
6d07ef28a7
release(openai): 1.1.12 ( #36178 )
2026-03-23 13:06:19 -04:00
ccurme
fcca6e2dc4
fix(openai): bump min core version ( #35705 )
2026-03-09 18:52:13 -04:00
ccurme
637145012d
release(openai): 1.1.11 ( #35703 )
2026-03-09 16:22:23 -04:00
ccurme
6fe7845cd1
release(openai): 1.1.10 ( #35292 )
2026-02-17 12:55:21 -05:00
ccurme
8f1bc0d3ae
feat(openai): support automatic server-side compaction ( #35212 )
2026-02-17 10:48:52 -05:00
Tune
68a14844b5
fix(nomic,openai,perplexity): update pillow version to >= 12.1.1, <13.0.0 ( #35254 )
...
Updates the minimum Pillow version to address CVE-2026-25990 (HIGH
severity out-of-bounds write vulnerability affecting versions 10.3.0
through 12.1.0).
Changes:
- langchain-nomic: `pillow>=10.3.0,<13.0.0` → `pillow>=12.1.1,<13.0.0`
- langchain-openai: `pillow>=10.3.0,<13.0.0` → `pillow>=12.1.1,<13.0.0`
- langchain-perplexity: `pillow>=10.3.0,<13.0.0` → `pillow>=12.1.1,<13.0.0`

Safety: This is a minimum version bump within the existing constraint
range (<13.0.0), so no breaking changes are introduced.

CVE Details:
- CVE-2026-25990: An out-of-bounds write may be triggered when loading a
  specially crafted PSD image
- Affected versions: 10.3.0 to <12.1.1
- Fixed in: 12.1.1
- Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-25990
**Claude Helped me write this nice message**
The original finding was thanks to a Trivy scan
---------
Co-authored-by: Mason Daugherty <mason@langchain.dev >
2026-02-16 23:17:32 -05:00
dependabot[bot]
6ac12b330a
chore: bump pillow from 11.3.0 to 12.1.1 in /libs/partners/openai ( #35177 )
...
Bumps [pillow](https://github.com/python-pillow/Pillow) from 11.3.0 to
12.1.1.

Release notes

*Sourced from [pillow's releases](https://github.com/python-pillow/Pillow/releases).*

## 12.1.1
https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html

## Dependencies
- Patch libavif for svt-av1 4.0 compatibility [#9413](https://redirect.github.com/python-pillow/Pillow/issues/9413) [`@hugovk`]

## Other changes
- Fix OOB Write with invalid tile extents [#9427](https://redirect.github.com/python-pillow/Pillow/issues/9427) [`@radarhere`]

## 12.1.0
https://pillow.readthedocs.io/en/stable/releasenotes/12.1.0.html

## Deprecations
- Deprecate getdata(), in favour of new get_flattened_data() [#9292](https://redirect.github.com/python-pillow/Pillow/issues/9292) [`@radarhere`]

## Documentation
- Specify APNG duration type when opening [#9368](https://redirect.github.com/python-pillow/Pillow/issues/9368) [`@radarhere`]
- Added release notes for [#9350](https://redirect.github.com/python-pillow/Pillow/issues/9350) [#9366](https://redirect.github.com/python-pillow/Pillow/issues/9366) [`@radarhere`]
- Update ImageMorph documentation [#9349](https://redirect.github.com/python-pillow/Pillow/issues/9349) [`@radarhere`]
- Docs: update major bump cadence [#9334](https://redirect.github.com/python-pillow/Pillow/issues/9334) [`@hugovk`]
- Add release notes for [#9070](https://redirect.github.com/python-pillow/Pillow/issues/9070) [#9320](https://redirect.github.com/python-pillow/Pillow/issues/9320) [`@radarhere`]
- Updated Ubuntu version [#9306](https://redirect.github.com/python-pillow/Pillow/issues/9306) [`@radarhere`]
- Update macOS tested Pillow versions [#9265](https://redirect.github.com/python-pillow/Pillow/issues/9265) [`@radarhere`]

## Dependencies
- Update harfbuzz to 12.3.0 [#9355](https://redirect.github.com/python-pillow/Pillow/issues/9355) [`@radarhere`]
- Update xz to 5.8.2 [#9343](https://redirect.github.com/python-pillow/Pillow/issues/9343) [`@radarhere`]
- Updated libjpeg-turbo to 3.1.3 [#9333](https://redirect.github.com/python-pillow/Pillow/issues/9333) [`@radarhere`]
- Updated zlib-ng to 2.3.2 [#9324](https://redirect.github.com/python-pillow/Pillow/issues/9324) [`@radarhere`]
- Updated libpng to 1.6.53 [#9325](https://redirect.github.com/python-pillow/Pillow/issues/9325) [`@radarhere`]
- Update actions/checkout action to v6 [#9323](https://redirect.github.com/python-pillow/Pillow/issues/9323) [@[renovate[bot]](https://github.com/apps/renovate)]
- Update dependency mypy to v1.19.0 [#9322](https://redirect.github.com/python-pillow/Pillow/issues/9322) [@[renovate[bot]](https://github.com/apps/renovate)]
- Updated libpng to 1.6.51 [#9305](https://redirect.github.com/python-pillow/Pillow/issues/9305) [`@radarhere`]
- Updated brotli to 1.2.0 [#9284](https://redirect.github.com/python-pillow/Pillow/issues/9284) [`@radarhere`]
- Update libimagequant to 4.4.1 [#9301](https://redirect.github.com/python-pillow/Pillow/issues/9301) [`@radarhere`]
- Update zlib-ng to 2.3.1, except on manylinux2014 aarch64 [#9312](https://redirect.github.com/python-pillow/Pillow/issues/9312) [`@radarhere`]
- Updated harfbuzz to 12.2.0 [#9289](https://redirect.github.com/python-pillow/Pillow/issues/9289) [`@radarhere`]
- Update github-actions [#9277](https://redirect.github.com/python-pillow/Pillow/issues/9277) [@[renovate[bot]](https://github.com/apps/renovate)]

## Testing
- Replace pre-commit with prek [#9360](https://redirect.github.com/python-pillow/Pillow/issues/9360) [`@hugovk`]
- Test PyQt6 on Python 3.14 on Windows [#9353](https://redirect.github.com/python-pillow/Pillow/issues/9353) [`@radarhere`]
- Test 32-bit Windows on Windows Server 2022 [#9345](https://redirect.github.com/python-pillow/Pillow/issues/9345) [`@radarhere`]
- Correct variable type [#9335](https://redirect.github.com/python-pillow/Pillow/issues/9335) [`@radarhere`]

... (truncated)
Commits
- `5158d98` 12.1.1 version bump
- `9000313` Fix OOB Write with invalid tile extents ([#9427](https://redirect.github.com/python-pillow/Pillow/issues/9427))
- `cd01118` Patch libavif for svt-av1 4.0 compatibility
- `46f45f6` 12.1.0 version bump
- `c9ac097` Simplify band splitting ([#9291](https://redirect.github.com/python-pillow/Pillow/issues/9291))
- `3baedf2` Deprecate getdata(), in favour of new get_flattened_data() ([#9292](https://redirect.github.com/python-pillow/Pillow/issues/9292))
- `b51a036` Specify APNG duration type when opening ([#9368](https://redirect.github.com/python-pillow/Pillow/issues/9368))
- `8d08e31` Add release notes for [#9348](https://redirect.github.com/python-pillow/Pillow/issues/9348) ([#9369](https://redirect.github.com/python-pillow/Pillow/issues/9369))
- `432707e` Added release notes for [#9348](https://redirect.github.com/python-pillow/Pillow/issues/9348)
- `2d58910` Specify APNG duration type when opening
- Additional commits viewable in [compare view](https://github.com/python-pillow/Pillow/compare/11.3.0...12.1.1)
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: ccurme <chester.curme@gmail.com >
2026-02-11 12:04:18 -08:00
ccurme
031a3395ba
release(openai): 1.1.9 ( #35145 )
2026-02-10 15:48:33 -05:00
ccurme
c5aee74614
release(openai): 1.1.8 ( #35097 )
2026-02-09 10:21:57 -05:00
Mason Daugherty
5c018f5cd1
chore: enrich pyproject.toml files ( #34980 )
2026-02-02 13:07:05 -05:00
John Kennedy
c5834cc028
chore: upgrade urllib3 to 2.6.3 ( #34940 )
2026-01-31 16:30:17 -05:00
Mason Daugherty
3d687ea8fb
chore: update twitter URLs ( #34736 )
2026-01-13 01:54:11 -05:00
Mason Daugherty
18c25e9f10
chore: ban relative imports on all packages ( #34691 )
2026-01-09 17:02:24 -05:00
ccurme
25bb36de81
release(openai): 1.1.7 ( #34640 )
2026-01-07 14:34:23 -05:00
ccurme
e9f7cd3e0e
release(openai): 1.1.6: update max input tokens for gpt-5 series ( #34419 )
2025-12-18 12:49:59 -05:00
ccurme
5c94e47d14
release(openai): 1.1.5 ( #34409 )
2025-12-17 14:04:37 -05:00
Mason Daugherty
37d8666276
release(openai): 1.1.4 ( #34395 )
2025-12-16 14:55:18 -05:00
Mason Daugherty
d0b13e926d
release(openai): 1.1.3 ( #34325 )
2025-12-12 15:18:02 -05:00
ccurme
373ad8ac2c
release(openai): 1.1.2 ( #34302 )
2025-12-11 16:20:57 -05:00
ccurme
b5efafe80c
release(openai): 1.1.1 ( #34252 )
2025-12-08 09:23:13 -05:00
ccurme
eb0545a173
release: (integration packages) 1.1 ( #34087 )
2025-11-24 09:13:01 -05:00
Mason Daugherty
8a3bb73c05
release(openai): 1.0.3 ( #33981 )
...
- Respect 300k token limit for embeddings API requests #33668
- fix create_agent / response_format for Responses API #33939
- fix response.incomplete event is not handled when using
stream_mode=['messages'] #33871
2025-11-14 19:18:50 -05:00
Mason Daugherty
e023201d42
style: some cleanup ( #33857 )
2025-11-06 23:50:46 -05:00
ccurme
61196a8280
release(openai): 1.0.2 ( #33769 )
2025-10-31 14:21:32 -04:00
ccurme
2222470f69
release(openai): 1.0.1 ( #33624 )
2025-10-21 11:37:47 -04:00
Mason Daugherty
64e6798a39
chore: update pyproject.toml url entries ( #33587 )
2025-10-17 17:16:55 -04:00
ccurme
4d623133a5
release(openai): 1.0.0 ( #33578 )
2025-10-17 11:25:25 -04:00
ccurme
3152d25811
fix: support python 3.14 in various projects ( #33575 )
...
Co-authored-by: cbornet <cbornet@hotmail.com >
Co-authored-by: Mason Daugherty <mason@langchain.dev >
2025-10-17 11:06:23 -04:00
Nuno Campos
0788461abd
feat(openai): Add openai moderation middleware ( #33492 )
2025-10-15 13:59:49 -04:00
Mason Daugherty
31eeb50ce0
chore: drop UP045 ( #33362 )
...
Python 3.9 EOL
2025-10-08 21:17:53 -04:00
Mason Daugherty
cda336295f
chore: enrich pyproject.toml files with links to new references, others ( #33343 )
2025-10-07 16:17:14 -04:00
Mason Daugherty
8bcdfbb24e
chore: clean up pyproject.toml files, use core a7 ( #33334 )
2025-10-07 10:49:04 -04:00
ccurme
aa442bc52f
release(openai): 1.0.0a4 ( #33316 )
2025-10-07 09:25:05 -04:00
Mason Daugherty
90e4d944ac
chore(infra): pdm -> hatchling ( #33289 )
2025-10-05 23:52:52 -04:00
Mason Daugherty
8e7cd85431
style: drop target-version = "py39" for OpenAI, Anthropic, HuggingFace ( #33287 )
2025-10-06 03:29:34 +00:00
Mason Daugherty
eaa6dcce9e
release: v1.0.0 ( #32567 )
...
Co-authored-by: Mohammad Mohtashim <45242107+keenborder786@users.noreply.github.com >
Co-authored-by: Caspar Broekhuizen <caspar@langchain.dev >
Co-authored-by: ccurme <chester.curme@gmail.com >
Co-authored-by: Christophe Bornet <cbornet@hotmail.com >
Co-authored-by: Eugene Yurtsev <eyurtsev@gmail.com >
Co-authored-by: Sadra Barikbin <sadraqazvin1@yahoo.com >
Co-authored-by: Vadym Barda <vadim.barda@gmail.com >
2025-10-02 10:49:42 -04:00
ccurme
740842485c
fix(openai): bump min core version ( #33188 )
...
Required for new tests added in
https://github.com/langchain-ai/langchain/pull/32541 and
https://github.com/langchain-ai/langchain/pull/33183 .
2025-10-01 11:01:15 -04:00
ccurme
aac69839a9
release(openai): 0.3.34 ( #33169 )
2025-09-30 16:48:39 -04:00
ccurme
64141072a3
feat(openai): support openai sdk 2.0 ( #33168 )
2025-09-30 16:34:00 -04:00
ccurme
839a18e112
fix(openai): remove __future__.annotations import from test files ( #33144 )
...
Breaks schema conversion in places.
2025-09-29 16:23:32 +00:00
Mason Daugherty
986302322f
docs: more standardization ( #33124 )
2025-09-25 20:46:20 -04:00
Christophe Bornet
eaf8dce7c2
chore: bump ruff version to 0.13 ( #33043 )
...
Co-authored-by: Mason Daugherty <mason@langchain.dev >
2025-09-25 12:27:39 -04:00
Mason Daugherty
b92b394804
style: repo linting pass ( #33089 )
...
enable docstring-code-format
2025-09-24 15:25:55 -04:00
Mason Daugherty
2e9291cdd7
fix: lift openai version constraints across packages ( #33088 )
...
re: #33038 and https://github.com/openai/openai-python/issues/2644
2025-09-24 15:25:10 -04:00
Mason Daugherty
7ddc798f95
fix(openai): pin upper bound to prevent Pydantic 2.7.0 issues ( #33038 )
...
https://github.com/openai/openai-python/issues/2644
2025-09-21 00:27:03 -04:00
Mason Daugherty
781db9d892
chore: update pyproject.toml files, remove codespell ( #33028 )
...
- Removes Codespell from deps, docs, and `Makefile`s
- Python version requirements in all `pyproject.toml` files now use the
`~=` (compatible release) specifier
- All dependency groups and main dependencies now use explicit lower and
upper bounds, reducing potential for breaking changes
2025-09-20 22:09:33 -04:00