mirror of
https://github.com/hwchase17/langchain.git
synced 2026-07-01 22:59:06 +00:00
872047429f7e1669a7b7ffc6fa362164e62310dd
9326 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
872047429f |
chore: bump bleach from 6.3.0 to 6.4.0 in /libs/core (#38198)
Bumps [bleach](https://github.com/mozilla/bleach) from 6.3.0 to 6.4.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/mozilla/bleach/blob/main/CHANGES">bleach's changelog</a>.</em></p> <blockquote> <h2>Version 6.4.0 (June 5th, 2026)</h2> <p><strong>NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future releases including for security issues.</strong> See issue: <code><https://github.com/mozilla/bleach/issues/698></code>__</p> <p><strong>Backwards incompatible changes</strong></p> <ul> <li>Dropped support for pypy 3.10. (<a href="https://redirect.github.com/mozilla/bleach/issues/764">#764</a>)</li> </ul> <p><strong>Security fixes</strong></p> <ul> <li> <p>Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.</p> <p>Fix XSS issue with sanitize_uri_value where disallowed schemes with Unicode invisible characters wouldn't be rejected.</p> <p>For example::</p> <p>import bleach payload1 = '<!-- raw HTML omitted -->Click<!-- raw HTML omitted -->' result1 = bleach.clean(payload1) print(repr(result1))</p> <p>outputs::</p> <p>'<!-- raw HTML omitted -->Click<!-- raw HTML omitted -->'</p> <p>See the advisory for details.</p> </li> <li> <p>Fix GHSA-gj48-438w-jh9v.</p> <p>Fix issue where URI sanitization wasn't happening in formaction attributes.</p> <p>See the advisory for details.</p> </li> </ul> <p><strong>Bug fixes</strong></p> <ul> <li> <p>Add support for pypy 3.11. (<a href="https://redirect.github.com/mozilla/bleach/issues/764">#764</a>)</p> </li> <li> <p>Drop version max in tinycss2 pin. (<a href="https://redirect.github.com/mozilla/bleach/issues/772">#772</a>)</p> <p>This removes one of the things we had to keep checking and updating. Users now own the responsibility for correctness with the version of tinycss2 they're using.</p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
b856e33eb6 |
chore: bump torch from 2.9.1 to 2.12.1 in /libs/text-splitters (#38231)
Bumps [torch](https://github.com/pytorch/pytorch) from 2.9.1 to 2.12.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pytorch/pytorch/releases">torch's releases</a>.</em></p> <blockquote> <h2>PyTorch 2.12.1 Release, bug fix release</h2> <p>This release is meant to fix the following regressions and silent correctness issues:</p> <h2>Regression fixes</h2> <ul> <li>Fix nondeterministic outputs in test_batch_invariance with FLASH_ATTN on NVIDIA B200 GPUs (<a href="https://redirect.github.com/pytorch/pytorch/issues/181248">#181248</a>), fixed by updating Triton to 3.7.1 (<a href="https://redirect.github.com/pytorch/pytorch/pull/186814">#186814</a>)</li> <li>Fix illegal memory access in the Triton convolution2d_bwd_weight kernel on B100/B200 (sm100) GPUs (<a href="https://redirect.github.com/pytorch/pytorch/issues/187081">#187081</a>), fixed by updating Triton to 3.7.1 (<a href="https://redirect.github.com/pytorch/pytorch/pull/186814">#186814</a>)</li> <li>Fix fill_ on byte-dtype views with misaligned storage offset (<a href="https://redirect.github.com/pytorch/pytorch/pull/186821">#186821</a>)</li> </ul> <h2>Releng / Build</h2> <ul> <li>Drop CPython 3.13t from the binary build matrix (<a href="https://redirect.github.com/pytorch/pytorch/pull/182951">#182951</a>)</li> </ul> <h1>PyTorch 2.12.0 Release Notes</h1> <ul> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#highlights">Highlights</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#backwards-incompatible-changes">Backwards Incompatible Changes</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#deprecations">Deprecations</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#new-features">New Features</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#improvements">Improvements</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#bug-fixes">Bug fixes</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#performance">Performance</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#documentation">Documentation</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#developers">Developers</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#security">Security</a></li> </ul> <h1>Highlights</h1> <!-- raw HTML omitted --> <p>For more details about these highlighted features, you can look at the release blogpost. Below are the full release notes for this release.</p> <h1>Backwards Incompatible Changes</h1> <h2>Build Frontend</h2> <ul> <li> <p>Strengthened SVE compile checks in <code>FindARM.cmake</code>, which may reject previously accepted but incorrect SVE configurations (<a href="https://redirect.github.com/pytorch/pytorch/pull/176646">#176646</a>)</p> <p>Source builds that enable SVE now validate the compiler configuration more strictly. If a build previously passed with an incomplete or mismatched SVE setup, it may now fail during CMake configuration instead of later in compilation. Update the compiler/toolchain flags so they accurately describe the target SVE support, or disable SVE for that build.</p> </li> <li> <p>Updated the minimum CUDA version required to build PyTorch from source to CUDA 12.6 (<a href="https://redirect.github.com/pytorch/pytorch/pull/178925">#178925</a>)</p> <p>Building PyTorch from source with CUDA versions older than 12.6 is no longer supported. Users building custom binaries should install CUDA 12.6 or newer and make sure <code>CUDA_HOME</code> points to that installation.</p> <p>Version 2.11:</p> <pre lang="bash"><code>CUDA_HOME=/usr/local/cuda-12.4 python setup.py develop </code></pre> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
ff4a32fb01 |
chore: bump pytest from 9.0.3 to 9.1.0 in /libs/text-splitters (#38232)
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.0.3 to 9.1.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pytest-dev/pytest/releases">pytest's releases</a>.</em></p> <blockquote> <h2>9.1.0</h2> <h1>pytest 9.1.0 (2026-06-13)</h1> <h2>Removals and backward incompatible breaking changes</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14533">#14533</a>: When using <code>--doctest-modules</code>, autouse fixtures with <code>module</code>, <code>package</code> or <code>session</code> scope that are defined inline in Python test modules (not plugins or conftests) will now possibly execute twice.</p> <p>If this is undesirable, move the fixture definition to a <code>conftest.py</code> file if possible.</p> <p>Technical explanation for those interested: When using <!-- raw HTML omitted -->--doctest-modules<!-- raw HTML omitted -->, pytest possibly collects Python modules twice, once as <code>pytest.Module</code> and once as a <code>DoctestModule</code> (depending on the configuration). Due to improvements in pytest's fixture implementation, if e.g. the <code>DoctestModule</code> collects a fixture, it is now visible to it only, and not to the <code>Module</code>. This means that both need to register the fixtures independently.</p> </li> </ul> <h2>Deprecations (removal in next major release)</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/10819">#10819</a>: Added a deprecation warning for class-scoped fixtures defined as instance methods (without <code>@classmethod</code>). Such fixtures set attributes on a different instance than the test methods use, leading to unexpected behavior. Use <code>@classmethod</code> decorator instead -- by <code>yastcher</code>.</p> <p>See <code>10819</code> and <code>14011</code>.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/12882">#12882</a>: Calling <code>request.getfixturevalue() <pytest.FixtureRequest.getfixturevalue></code> during teardown to request a fixture that was not already requested is now deprecated and will become an error in pytest 10.</p> <p>See <code>dynamic-fixture-request-during-teardown</code> for details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13409">#13409</a>: Using non-<code>~collections.abc.Collection</code> iterables (such as generators, iterators, or custom iterable objects) for the <code>argvalues</code> parameter in <code>@pytest.mark.parametrize <pytest.mark.parametrize ref></code> and <code>metafunc.parametrize <pytest.Metafunc.parametrize></code> is now deprecated.</p> <p>These iterables get exhausted after the first iteration, leading to tests getting unexpectedly skipped in cases such as running <code>pytest.main()</code> multiple times, using class-level parametrize decorators, or collecting tests multiple times.</p> <p>See <code>parametrize-iterators</code> for details and suggestions.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13946">#13946</a>: The private <code>config.inicfg</code> attribute is now deprecated. Use <code>config.getini() <pytest.Config.getini></code> to access configuration values instead.</p> <p>See <code>config-inicfg</code> for more details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14004">#14004</a>: Passing <code>baseid</code> to <code>~pytest.FixtureDef</code> or <code>nodeid</code> strings to fixture registration APIs is now deprecated. These are internal pytest APIs that are used by some plugins.</p> <p>Use the <code>node</code> parameter instead for fixture scoping. This enables more robust node-based matching instead of string prefix matching. If you've used <code>nodeid=None</code>, pass <code>node=session</code> instead.</p> <p>This will be removed in pytest 10.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14335">#14335</a>: The method of configuring hooks using markers, deprecated since pytest 7.2, is now scheduled to be removed in pytest 10. See <code>hook-markers</code> for more details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14434">#14434</a>: The <code>--pastebin</code> option is now deprecated.</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
554136ee21 |
chore: bump pytest from 9.0.3 to 9.1.0 in /libs/standard-tests (#38234)
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.0.3 to 9.1.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pytest-dev/pytest/releases">pytest's releases</a>.</em></p> <blockquote> <h2>9.1.0</h2> <h1>pytest 9.1.0 (2026-06-13)</h1> <h2>Removals and backward incompatible breaking changes</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14533">#14533</a>: When using <code>--doctest-modules</code>, autouse fixtures with <code>module</code>, <code>package</code> or <code>session</code> scope that are defined inline in Python test modules (not plugins or conftests) will now possibly execute twice.</p> <p>If this is undesirable, move the fixture definition to a <code>conftest.py</code> file if possible.</p> <p>Technical explanation for those interested: When using <!-- raw HTML omitted -->--doctest-modules<!-- raw HTML omitted -->, pytest possibly collects Python modules twice, once as <code>pytest.Module</code> and once as a <code>DoctestModule</code> (depending on the configuration). Due to improvements in pytest's fixture implementation, if e.g. the <code>DoctestModule</code> collects a fixture, it is now visible to it only, and not to the <code>Module</code>. This means that both need to register the fixtures independently.</p> </li> </ul> <h2>Deprecations (removal in next major release)</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/10819">#10819</a>: Added a deprecation warning for class-scoped fixtures defined as instance methods (without <code>@classmethod</code>). Such fixtures set attributes on a different instance than the test methods use, leading to unexpected behavior. Use <code>@classmethod</code> decorator instead -- by <code>yastcher</code>.</p> <p>See <code>10819</code> and <code>14011</code>.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/12882">#12882</a>: Calling <code>request.getfixturevalue() <pytest.FixtureRequest.getfixturevalue></code> during teardown to request a fixture that was not already requested is now deprecated and will become an error in pytest 10.</p> <p>See <code>dynamic-fixture-request-during-teardown</code> for details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13409">#13409</a>: Using non-<code>~collections.abc.Collection</code> iterables (such as generators, iterators, or custom iterable objects) for the <code>argvalues</code> parameter in <code>@pytest.mark.parametrize <pytest.mark.parametrize ref></code> and <code>metafunc.parametrize <pytest.Metafunc.parametrize></code> is now deprecated.</p> <p>These iterables get exhausted after the first iteration, leading to tests getting unexpectedly skipped in cases such as running <code>pytest.main()</code> multiple times, using class-level parametrize decorators, or collecting tests multiple times.</p> <p>See <code>parametrize-iterators</code> for details and suggestions.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13946">#13946</a>: The private <code>config.inicfg</code> attribute is now deprecated. Use <code>config.getini() <pytest.Config.getini></code> to access configuration values instead.</p> <p>See <code>config-inicfg</code> for more details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14004">#14004</a>: Passing <code>baseid</code> to <code>~pytest.FixtureDef</code> or <code>nodeid</code> strings to fixture registration APIs is now deprecated. These are internal pytest APIs that are used by some plugins.</p> <p>Use the <code>node</code> parameter instead for fixture scoping. This enables more robust node-based matching instead of string prefix matching. If you've used <code>nodeid=None</code>, pass <code>node=session</code> instead.</p> <p>This will be removed in pytest 10.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14335">#14335</a>: The method of configuring hooks using markers, deprecated since pytest 7.2, is now scheduled to be removed in pytest 10. See <code>hook-markers</code> for more details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14434">#14434</a>: The <code>--pastebin</code> option is now deprecated.</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
1137d2dc09 |
chore: bump jupyter-server from 2.18.0 to 2.20.0 in /libs/text-splitters (#38250)
Bumps [jupyter-server](https://github.com/jupyter-server/jupyter_server) from 2.18.0 to 2.20.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jupyter-server/jupyter_server/releases">jupyter-server's releases</a>.</em></p> <blockquote> <h2>v2.20.0</h2> <h2>2.20.0</h2> <p>(<a href="https://github.com/jupyter-server/jupyter_server/compare/v2.19.0...333e700119ee0bcc0b5fcd4c158213d7c275c778">Full Changelog</a>)</p> <h3>Security fixes</h3> <ul> <li>CVE-2026-44727 <a href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-fcw5-x6j4-ccmp">GHSA-fcw5-x6j4-ccmp</a></li> </ul> <h3>Enhancements made</h3> <ul> <li>Fix confusing terminal output when using ServerApp.ip=0.0.0.0 <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1643">#1643</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Add a toggle to enable curve encryption for all kernels that support it <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1638">#1638</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/ianthomas23"><code>@ianthomas23</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> </ul> <h3>Bugs fixed</h3> <ul> <li>Grab the port from <code>bind_sockets</code> in case its different <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1651">#1651</a> (<a href="https://github.com/choldgraf"><code>@choldgraf</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Maintenance and upkeep improvements</h3> <ul> <li>Fix <code>test_authorizer</code> having a spurious comma in params <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1664">#1664</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Add a reminder to merge GHSA before release <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1659">#1659</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Exclude problematic <code>pywinpty</code> 3.0.4 version <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1658">#1658</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>ci: explicitly pass base-setup inputs to fix strict validation failures <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1626">#1626</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/Copilot"><code>@Copilot</code></a>)</li> </ul> <h3>Documentation improvements</h3> <ul> <li>Align docs for curve encryption with latest JEP version <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1660">#1660</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Remove PGP key from docs <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1653">#1653</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Contributors to this release</h3> <p>The following people contributed discussions, new ideas, code and documentation contributions, and review. See <a href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our definition of contributors</a>.</p> <p>(<a href="https://github.com/jupyter-server/jupyter_server/graphs/contributors?from=2026-05-29&to=2026-06-17&type=c">GitHub contributors page for this release</a>)</p> <p><a href="https://github.com/Carreau"><code>@Carreau</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3ACarreau+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/choldgraf"><code>@choldgraf</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Acholdgraf+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/Copilot"><code>@Copilot</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3ACopilot+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/ianthomas23"><code>@ianthomas23</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Aianthomas23+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/krassowski"><code>@krassowski</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Akrassowski+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/minrk"><code>@minrk</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Aminrk+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/Yann-P"><code>@Yann-P</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3AYann-P+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>)</p> <h2>v2.19.0</h2> <h2>2.19.0</h2> <p>(<a href="https://github.com/jupyter-server/jupyter_server/compare/v2.18.2...664e2255c71efe963f397b9f803dbcf503b5a920">Full Changelog</a>)</p> <h3>Enhancements made</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jupyter-server/jupyter_server/blob/main/CHANGELOG.md">jupyter-server's changelog</a>.</em></p> <blockquote> <h2>2.20.0</h2> <p>(<a href="https://github.com/jupyter-server/jupyter_server/compare/v2.19.0...333e700119ee0bcc0b5fcd4c158213d7c275c778">Full Changelog</a>)</p> <h3>Enhancements made</h3> <ul> <li>Fix confusing terminal output when using ServerApp.ip=0.0.0.0 <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1643">#1643</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Add a toggle to enable curve encryption for all kernels that support it <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1638">#1638</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/ianthomas23"><code>@ianthomas23</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> </ul> <h3>Bugs fixed</h3> <ul> <li>Grab the port from <code>bind_sockets</code> in case its different <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1651">#1651</a> (<a href="https://github.com/choldgraf"><code>@choldgraf</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Maintenance and upkeep improvements</h3> <ul> <li>Fix <code>test_authorizer</code> having a spurious comma in params <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1664">#1664</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Add a reminder to merge GHSA before release <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1659">#1659</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Exclude problematic <code>pywinpty</code> 3.0.4 version <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1658">#1658</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>ci: explicitly pass base-setup inputs to fix strict validation failures <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1626">#1626</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/Copilot"><code>@Copilot</code></a>)</li> </ul> <h3>Documentation improvements</h3> <ul> <li>Align docs for curve encryption with latest JEP version <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1660">#1660</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Remove PGP key from docs <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1653">#1653</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Contributors to this release</h3> <p>The following people contributed discussions, new ideas, code and documentation contributions, and review. See <a href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our definition of contributors</a>.</p> <p>(<a href="https://github.com/jupyter-server/jupyter_server/graphs/contributors?from=2026-05-29&to=2026-06-17&type=c">GitHub contributors page for this release</a>)</p> <p><a href="https://github.com/Carreau"><code>@Carreau</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3ACarreau+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/choldgraf"><code>@choldgraf</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Acholdgraf+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/Copilot"><code>@Copilot</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3ACopilot+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/ianthomas23"><code>@ianthomas23</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Aianthomas23+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/krassowski"><code>@krassowski</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Akrassowski+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/minrk"><code>@minrk</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Aminrk+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/Yann-P"><code>@Yann-P</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3AYann-P+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>)</p> <!-- raw HTML omitted --> <h2>2.19.0</h2> <p>(<a href="https://github.com/jupyter-server/jupyter_server/compare/v2.18.2...664e2255c71efe963f397b9f803dbcf503b5a920">Full Changelog</a>)</p> <h3>Enhancements made</h3> <ul> <li>Return <code>unresolved</code> stanza when kernel scope is unavailable for <code>resolvePath</code> (instead of failing with 404) <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1641">#1641</a> (<a href="https://github.com/MUFFANUJ"><code>@MUFFANUJ</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Bugs fixed</h3> <ul> <li>Recreate notary store on failure to prevent save deadlock and data loss <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1640">#1640</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> </ul> <h3>Maintenance and upkeep improvements</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
386f8b5ab3 |
chore: bump jupyter-server from 2.18.0 to 2.20.0 in /libs/langchain (#38251)
Bumps [jupyter-server](https://github.com/jupyter-server/jupyter_server) from 2.18.0 to 2.20.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jupyter-server/jupyter_server/releases">jupyter-server's releases</a>.</em></p> <blockquote> <h2>v2.20.0</h2> <h2>2.20.0</h2> <p>(<a href="https://github.com/jupyter-server/jupyter_server/compare/v2.19.0...333e700119ee0bcc0b5fcd4c158213d7c275c778">Full Changelog</a>)</p> <h3>Security fixes</h3> <ul> <li>CVE-2026-44727 <a href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-fcw5-x6j4-ccmp">GHSA-fcw5-x6j4-ccmp</a></li> </ul> <h3>Enhancements made</h3> <ul> <li>Fix confusing terminal output when using ServerApp.ip=0.0.0.0 <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1643">#1643</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Add a toggle to enable curve encryption for all kernels that support it <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1638">#1638</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/ianthomas23"><code>@ianthomas23</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> </ul> <h3>Bugs fixed</h3> <ul> <li>Grab the port from <code>bind_sockets</code> in case its different <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1651">#1651</a> (<a href="https://github.com/choldgraf"><code>@choldgraf</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Maintenance and upkeep improvements</h3> <ul> <li>Fix <code>test_authorizer</code> having a spurious comma in params <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1664">#1664</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Add a reminder to merge GHSA before release <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1659">#1659</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Exclude problematic <code>pywinpty</code> 3.0.4 version <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1658">#1658</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>ci: explicitly pass base-setup inputs to fix strict validation failures <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1626">#1626</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/Copilot"><code>@Copilot</code></a>)</li> </ul> <h3>Documentation improvements</h3> <ul> <li>Align docs for curve encryption with latest JEP version <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1660">#1660</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Remove PGP key from docs <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1653">#1653</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Contributors to this release</h3> <p>The following people contributed discussions, new ideas, code and documentation contributions, and review. See <a href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our definition of contributors</a>.</p> <p>(<a href="https://github.com/jupyter-server/jupyter_server/graphs/contributors?from=2026-05-29&to=2026-06-17&type=c">GitHub contributors page for this release</a>)</p> <p><a href="https://github.com/Carreau"><code>@Carreau</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3ACarreau+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/choldgraf"><code>@choldgraf</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Acholdgraf+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/Copilot"><code>@Copilot</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3ACopilot+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/ianthomas23"><code>@ianthomas23</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Aianthomas23+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/krassowski"><code>@krassowski</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Akrassowski+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/minrk"><code>@minrk</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Aminrk+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/Yann-P"><code>@Yann-P</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3AYann-P+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>)</p> <h2>v2.19.0</h2> <h2>2.19.0</h2> <p>(<a href="https://github.com/jupyter-server/jupyter_server/compare/v2.18.2...664e2255c71efe963f397b9f803dbcf503b5a920">Full Changelog</a>)</p> <h3>Enhancements made</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jupyter-server/jupyter_server/blob/main/CHANGELOG.md">jupyter-server's changelog</a>.</em></p> <blockquote> <h2>2.20.0</h2> <p>(<a href="https://github.com/jupyter-server/jupyter_server/compare/v2.19.0...333e700119ee0bcc0b5fcd4c158213d7c275c778">Full Changelog</a>)</p> <h3>Enhancements made</h3> <ul> <li>Fix confusing terminal output when using ServerApp.ip=0.0.0.0 <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1643">#1643</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Add a toggle to enable curve encryption for all kernels that support it <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1638">#1638</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/ianthomas23"><code>@ianthomas23</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> </ul> <h3>Bugs fixed</h3> <ul> <li>Grab the port from <code>bind_sockets</code> in case its different <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1651">#1651</a> (<a href="https://github.com/choldgraf"><code>@choldgraf</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Maintenance and upkeep improvements</h3> <ul> <li>Fix <code>test_authorizer</code> having a spurious comma in params <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1664">#1664</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Add a reminder to merge GHSA before release <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1659">#1659</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Exclude problematic <code>pywinpty</code> 3.0.4 version <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1658">#1658</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>ci: explicitly pass base-setup inputs to fix strict validation failures <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1626">#1626</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/Copilot"><code>@Copilot</code></a>)</li> </ul> <h3>Documentation improvements</h3> <ul> <li>Align docs for curve encryption with latest JEP version <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1660">#1660</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Remove PGP key from docs <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1653">#1653</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Contributors to this release</h3> <p>The following people contributed discussions, new ideas, code and documentation contributions, and review. See <a href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our definition of contributors</a>.</p> <p>(<a href="https://github.com/jupyter-server/jupyter_server/graphs/contributors?from=2026-05-29&to=2026-06-17&type=c">GitHub contributors page for this release</a>)</p> <p><a href="https://github.com/Carreau"><code>@Carreau</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3ACarreau+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/choldgraf"><code>@choldgraf</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Acholdgraf+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/Copilot"><code>@Copilot</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3ACopilot+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/ianthomas23"><code>@ianthomas23</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Aianthomas23+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/krassowski"><code>@krassowski</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Akrassowski+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/minrk"><code>@minrk</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Aminrk+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/Yann-P"><code>@Yann-P</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3AYann-P+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>)</p> <!-- raw HTML omitted --> <h2>2.19.0</h2> <p>(<a href="https://github.com/jupyter-server/jupyter_server/compare/v2.18.2...664e2255c71efe963f397b9f803dbcf503b5a920">Full Changelog</a>)</p> <h3>Enhancements made</h3> <ul> <li>Return <code>unresolved</code> stanza when kernel scope is unavailable for <code>resolvePath</code> (instead of failing with 404) <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1641">#1641</a> (<a href="https://github.com/MUFFANUJ"><code>@MUFFANUJ</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Bugs fixed</h3> <ul> <li>Recreate notary store on failure to prevent save deadlock and data loss <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1640">#1640</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> </ul> <h3>Maintenance and upkeep improvements</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
94ea96d542 | release(core): 1.4.8 (#38254) | ||
|
|
15c38c8555 |
fix(langchain): switch summary format (#38171)
Part of https://github.com/langchain-ai/deepagents/issues/2873 --- `SummarizationMiddleware` now serializes the history passed to the summarizer with XML formatting so URL-backed multimodal content remains available in the prompt. The existing behavior avoided dumping raw message metadata into the token budget, but the prefix serialization path omitted image/audio/video URL blocks before the summary model saw them. ## Changes - Update `SummarizationMiddleware._create_summary` and `SummarizationMiddleware._acreate_summary` to call `get_buffer_string(..., format="xml")` for trimmed conversation history - Preserve URL-backed multimodal blocks in the summary prompt while still avoiding raw message metadata expansion - Add sync and async unit coverage with a prompt-capturing chat model to assert image URLs survive summarization input serialization --------- Co-authored-by: Mason Daugherty <mason@langchain.dev> Co-authored-by: Mason Daugherty <github@mdrxy.com> |
||
|
|
9ac8882a2c | refactor(langchain-classic): remove code for Python < 3.10 (#38194) | ||
|
|
6d389b1d1d |
chore(model-profiles): refresh model profile data (#38244)
Automated refresh of model profile data for all in-monorepo partner integrations via `langchain-profiles refresh`. 🤖 Generated by the `refresh_model_profiles` workflow. Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com> |
||
|
|
38f88cc5ec |
chore: bump langsmith from 0.8.14 to 0.8.16 in /libs/partners/huggingface (#38242)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.8.14 to 0.8.16. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.8.16</h2> <h2>What's Changed</h2> <ul> <li>feat(py): add sync/async conversion for Sandbox and SandboxClient [INF-0000] by <a href="https://github.com/ramon-langchain"><code>@ramon-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3019">langchain-ai/langsmith-sdk#3019</a></li> <li>fix(experiments): extract keys from wrapped evaluator function by <a href="https://github.com/shamikkarkhanis"><code>@shamikkarkhanis</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3014">langchain-ai/langsmith-sdk#3014</a></li> <li>chore: repoint <a href="mailto:support@langchain.dev">support@langchain.dev</a> mentions to the Support Portal by <a href="https://github.com/lutan-langchain"><code>@lutan-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3024">langchain-ai/langsmith-sdk#3024</a></li> <li>fix(python): derive create_child run id from start_time [LSDK-220] by <a href="https://github.com/harisaiharish"><code>@harisaiharish</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3027">langchain-ai/langsmith-sdk#3027</a></li> <li>chore: sync langsmith_api by <a href="https://github.com/langtions-bot"><code>@langtions-bot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3020">langchain-ai/langsmith-sdk#3020</a></li> <li>chore: js to 0.7.8 and py to 0.8.16 by <a href="https://github.com/shamikkarkhanis"><code>@shamikkarkhanis</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3029">langchain-ai/langsmith-sdk#3029</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/lutan-langchain"><code>@lutan-langchain</code></a> made their first contribution in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3024">langchain-ai/langsmith-sdk#3024</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.15...v0.8.16">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.15...v0.8.16</a></p> <h2>v0.8.15</h2> <h2>What's Changed</h2> <ul> <li>chore(js): exclude generated _openapi_client from linters and type-checker by <a href="https://github.com/KiewanVillatel"><code>@KiewanVillatel</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3015">langchain-ai/langsmith-sdk#3015</a></li> <li>chore: sync langsmith_api by <a href="https://github.com/langtions-bot"><code>@langtions-bot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3006">langchain-ai/langsmith-sdk#3006</a></li> <li>chore: protect JS openapi client in workflow by <a href="https://github.com/KiewanVillatel"><code>@KiewanVillatel</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3017">langchain-ai/langsmith-sdk#3017</a></li> <li>fix(js): deliver sandbox output callbacks across stream reconnects by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3022">langchain-ai/langsmith-sdk#3022</a></li> <li>fix(python): deliver sandbox output callbacks across stream reconnects by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3023">langchain-ai/langsmith-sdk#3023</a></li> <li>chore: bump JS to 0.7.7 and Python to 0.8.15 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3025">langchain-ai/langsmith-sdk#3025</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.14...v0.8.15">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.14...v0.8.15</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
4fd5c1a204 |
chore: bump torch from 2.9.0 to 2.12.1 in /libs/partners/huggingface (#38240)
Bumps [torch](https://github.com/pytorch/pytorch) from 2.9.0 to 2.12.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pytorch/pytorch/releases">torch's releases</a>.</em></p> <blockquote> <h2>PyTorch 2.12.1 Release, bug fix release</h2> <p>This release is meant to fix the following regressions and silent correctness issues:</p> <h2>Regression fixes</h2> <ul> <li>Fix nondeterministic outputs in test_batch_invariance with FLASH_ATTN on NVIDIA B200 GPUs (<a href="https://redirect.github.com/pytorch/pytorch/issues/181248">#181248</a>), fixed by updating Triton to 3.7.1 (<a href="https://redirect.github.com/pytorch/pytorch/pull/186814">#186814</a>)</li> <li>Fix illegal memory access in the Triton convolution2d_bwd_weight kernel on B100/B200 (sm100) GPUs (<a href="https://redirect.github.com/pytorch/pytorch/issues/187081">#187081</a>), fixed by updating Triton to 3.7.1 (<a href="https://redirect.github.com/pytorch/pytorch/pull/186814">#186814</a>)</li> <li>Fix fill_ on byte-dtype views with misaligned storage offset (<a href="https://redirect.github.com/pytorch/pytorch/pull/186821">#186821</a>)</li> </ul> <h2>Releng / Build</h2> <ul> <li>Drop CPython 3.13t from the binary build matrix (<a href="https://redirect.github.com/pytorch/pytorch/pull/182951">#182951</a>)</li> </ul> <h1>PyTorch 2.12.0 Release Notes</h1> <ul> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#highlights">Highlights</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#backwards-incompatible-changes">Backwards Incompatible Changes</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#deprecations">Deprecations</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#new-features">New Features</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#improvements">Improvements</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#bug-fixes">Bug fixes</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#performance">Performance</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#documentation">Documentation</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#developers">Developers</a></li> <li><a href="https://github.com/pytorch/pytorch/blob/HEAD/#security">Security</a></li> </ul> <h1>Highlights</h1> <!-- raw HTML omitted --> <p>For more details about these highlighted features, you can look at the release blogpost. Below are the full release notes for this release.</p> <h1>Backwards Incompatible Changes</h1> <h2>Build Frontend</h2> <ul> <li> <p>Strengthened SVE compile checks in <code>FindARM.cmake</code>, which may reject previously accepted but incorrect SVE configurations (<a href="https://redirect.github.com/pytorch/pytorch/pull/176646">#176646</a>)</p> <p>Source builds that enable SVE now validate the compiler configuration more strictly. If a build previously passed with an incomplete or mismatched SVE setup, it may now fail during CMake configuration instead of later in compilation. Update the compiler/toolchain flags so they accurately describe the target SVE support, or disable SVE for that build.</p> </li> <li> <p>Updated the minimum CUDA version required to build PyTorch from source to CUDA 12.6 (<a href="https://redirect.github.com/pytorch/pytorch/pull/178925">#178925</a>)</p> <p>Building PyTorch from source with CUDA versions older than 12.6 is no longer supported. Users building custom binaries should install CUDA 12.6 or newer and make sure <code>CUDA_HOME</code> points to that installation.</p> <p>Version 2.11:</p> <pre lang="bash"><code>CUDA_HOME=/usr/local/cuda-12.4 python setup.py develop </code></pre> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
f4fff781e8 |
chore: bump pytest from 9.0.3 to 9.1.0 in /libs/partners/huggingface (#38241)
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.0.3 to 9.1.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pytest-dev/pytest/releases">pytest's releases</a>.</em></p> <blockquote> <h2>9.1.0</h2> <h1>pytest 9.1.0 (2026-06-13)</h1> <h2>Removals and backward incompatible breaking changes</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14533">#14533</a>: When using <code>--doctest-modules</code>, autouse fixtures with <code>module</code>, <code>package</code> or <code>session</code> scope that are defined inline in Python test modules (not plugins or conftests) will now possibly execute twice.</p> <p>If this is undesirable, move the fixture definition to a <code>conftest.py</code> file if possible.</p> <p>Technical explanation for those interested: When using <!-- raw HTML omitted -->--doctest-modules<!-- raw HTML omitted -->, pytest possibly collects Python modules twice, once as <code>pytest.Module</code> and once as a <code>DoctestModule</code> (depending on the configuration). Due to improvements in pytest's fixture implementation, if e.g. the <code>DoctestModule</code> collects a fixture, it is now visible to it only, and not to the <code>Module</code>. This means that both need to register the fixtures independently.</p> </li> </ul> <h2>Deprecations (removal in next major release)</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/10819">#10819</a>: Added a deprecation warning for class-scoped fixtures defined as instance methods (without <code>@classmethod</code>). Such fixtures set attributes on a different instance than the test methods use, leading to unexpected behavior. Use <code>@classmethod</code> decorator instead -- by <code>yastcher</code>.</p> <p>See <code>10819</code> and <code>14011</code>.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/12882">#12882</a>: Calling <code>request.getfixturevalue() <pytest.FixtureRequest.getfixturevalue></code> during teardown to request a fixture that was not already requested is now deprecated and will become an error in pytest 10.</p> <p>See <code>dynamic-fixture-request-during-teardown</code> for details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13409">#13409</a>: Using non-<code>~collections.abc.Collection</code> iterables (such as generators, iterators, or custom iterable objects) for the <code>argvalues</code> parameter in <code>@pytest.mark.parametrize <pytest.mark.parametrize ref></code> and <code>metafunc.parametrize <pytest.Metafunc.parametrize></code> is now deprecated.</p> <p>These iterables get exhausted after the first iteration, leading to tests getting unexpectedly skipped in cases such as running <code>pytest.main()</code> multiple times, using class-level parametrize decorators, or collecting tests multiple times.</p> <p>See <code>parametrize-iterators</code> for details and suggestions.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13946">#13946</a>: The private <code>config.inicfg</code> attribute is now deprecated. Use <code>config.getini() <pytest.Config.getini></code> to access configuration values instead.</p> <p>See <code>config-inicfg</code> for more details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14004">#14004</a>: Passing <code>baseid</code> to <code>~pytest.FixtureDef</code> or <code>nodeid</code> strings to fixture registration APIs is now deprecated. These are internal pytest APIs that are used by some plugins.</p> <p>Use the <code>node</code> parameter instead for fixture scoping. This enables more robust node-based matching instead of string prefix matching. If you've used <code>nodeid=None</code>, pass <code>node=session</code> instead.</p> <p>This will be removed in pytest 10.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14335">#14335</a>: The method of configuring hooks using markers, deprecated since pytest 7.2, is now scheduled to be removed in pytest 10. See <code>hook-markers</code> for more details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14434">#14434</a>: The <code>--pastebin</code> option is now deprecated.</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
286854c435 |
chore: bump pytest from 9.0.3 to 9.1.0 in /libs/partners/xai (#38239)
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.0.3 to 9.1.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pytest-dev/pytest/releases">pytest's releases</a>.</em></p> <blockquote> <h2>9.1.0</h2> <h1>pytest 9.1.0 (2026-06-13)</h1> <h2>Removals and backward incompatible breaking changes</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14533">#14533</a>: When using <code>--doctest-modules</code>, autouse fixtures with <code>module</code>, <code>package</code> or <code>session</code> scope that are defined inline in Python test modules (not plugins or conftests) will now possibly execute twice.</p> <p>If this is undesirable, move the fixture definition to a <code>conftest.py</code> file if possible.</p> <p>Technical explanation for those interested: When using <!-- raw HTML omitted -->--doctest-modules<!-- raw HTML omitted -->, pytest possibly collects Python modules twice, once as <code>pytest.Module</code> and once as a <code>DoctestModule</code> (depending on the configuration). Due to improvements in pytest's fixture implementation, if e.g. the <code>DoctestModule</code> collects a fixture, it is now visible to it only, and not to the <code>Module</code>. This means that both need to register the fixtures independently.</p> </li> </ul> <h2>Deprecations (removal in next major release)</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/10819">#10819</a>: Added a deprecation warning for class-scoped fixtures defined as instance methods (without <code>@classmethod</code>). Such fixtures set attributes on a different instance than the test methods use, leading to unexpected behavior. Use <code>@classmethod</code> decorator instead -- by <code>yastcher</code>.</p> <p>See <code>10819</code> and <code>14011</code>.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/12882">#12882</a>: Calling <code>request.getfixturevalue() <pytest.FixtureRequest.getfixturevalue></code> during teardown to request a fixture that was not already requested is now deprecated and will become an error in pytest 10.</p> <p>See <code>dynamic-fixture-request-during-teardown</code> for details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13409">#13409</a>: Using non-<code>~collections.abc.Collection</code> iterables (such as generators, iterators, or custom iterable objects) for the <code>argvalues</code> parameter in <code>@pytest.mark.parametrize <pytest.mark.parametrize ref></code> and <code>metafunc.parametrize <pytest.Metafunc.parametrize></code> is now deprecated.</p> <p>These iterables get exhausted after the first iteration, leading to tests getting unexpectedly skipped in cases such as running <code>pytest.main()</code> multiple times, using class-level parametrize decorators, or collecting tests multiple times.</p> <p>See <code>parametrize-iterators</code> for details and suggestions.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13946">#13946</a>: The private <code>config.inicfg</code> attribute is now deprecated. Use <code>config.getini() <pytest.Config.getini></code> to access configuration values instead.</p> <p>See <code>config-inicfg</code> for more details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14004">#14004</a>: Passing <code>baseid</code> to <code>~pytest.FixtureDef</code> or <code>nodeid</code> strings to fixture registration APIs is now deprecated. These are internal pytest APIs that are used by some plugins.</p> <p>Use the <code>node</code> parameter instead for fixture scoping. This enables more robust node-based matching instead of string prefix matching. If you've used <code>nodeid=None</code>, pass <code>node=session</code> instead.</p> <p>This will be removed in pytest 10.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14335">#14335</a>: The method of configuring hooks using markers, deprecated since pytest 7.2, is now scheduled to be removed in pytest 10. See <code>hook-markers</code> for more details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14434">#14434</a>: The <code>--pastebin</code> option is now deprecated.</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
9a01a294bc |
chore: bump langsmith from 0.8.14 to 0.8.16 in /libs/partners/xai (#38238)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.8.14 to 0.8.16. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.8.16</h2> <h2>What's Changed</h2> <ul> <li>feat(py): add sync/async conversion for Sandbox and SandboxClient [INF-0000] by <a href="https://github.com/ramon-langchain"><code>@ramon-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3019">langchain-ai/langsmith-sdk#3019</a></li> <li>fix(experiments): extract keys from wrapped evaluator function by <a href="https://github.com/shamikkarkhanis"><code>@shamikkarkhanis</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3014">langchain-ai/langsmith-sdk#3014</a></li> <li>chore: repoint <a href="mailto:support@langchain.dev">support@langchain.dev</a> mentions to the Support Portal by <a href="https://github.com/lutan-langchain"><code>@lutan-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3024">langchain-ai/langsmith-sdk#3024</a></li> <li>fix(python): derive create_child run id from start_time [LSDK-220] by <a href="https://github.com/harisaiharish"><code>@harisaiharish</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3027">langchain-ai/langsmith-sdk#3027</a></li> <li>chore: sync langsmith_api by <a href="https://github.com/langtions-bot"><code>@langtions-bot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3020">langchain-ai/langsmith-sdk#3020</a></li> <li>chore: js to 0.7.8 and py to 0.8.16 by <a href="https://github.com/shamikkarkhanis"><code>@shamikkarkhanis</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3029">langchain-ai/langsmith-sdk#3029</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/lutan-langchain"><code>@lutan-langchain</code></a> made their first contribution in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3024">langchain-ai/langsmith-sdk#3024</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.15...v0.8.16">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.15...v0.8.16</a></p> <h2>v0.8.15</h2> <h2>What's Changed</h2> <ul> <li>chore(js): exclude generated _openapi_client from linters and type-checker by <a href="https://github.com/KiewanVillatel"><code>@KiewanVillatel</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3015">langchain-ai/langsmith-sdk#3015</a></li> <li>chore: sync langsmith_api by <a href="https://github.com/langtions-bot"><code>@langtions-bot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3006">langchain-ai/langsmith-sdk#3006</a></li> <li>chore: protect JS openapi client in workflow by <a href="https://github.com/KiewanVillatel"><code>@KiewanVillatel</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3017">langchain-ai/langsmith-sdk#3017</a></li> <li>fix(js): deliver sandbox output callbacks across stream reconnects by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3022">langchain-ai/langsmith-sdk#3022</a></li> <li>fix(python): deliver sandbox output callbacks across stream reconnects by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3023">langchain-ai/langsmith-sdk#3023</a></li> <li>chore: bump JS to 0.7.7 and Python to 0.8.15 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3025">langchain-ai/langsmith-sdk#3025</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.14...v0.8.15">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.14...v0.8.15</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
33e4c456d7 |
chore: bump pytest from 9.0.3 to 9.1.0 in /libs/partners/chroma (#38237)
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.0.3 to 9.1.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pytest-dev/pytest/releases">pytest's releases</a>.</em></p> <blockquote> <h2>9.1.0</h2> <h1>pytest 9.1.0 (2026-06-13)</h1> <h2>Removals and backward incompatible breaking changes</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14533">#14533</a>: When using <code>--doctest-modules</code>, autouse fixtures with <code>module</code>, <code>package</code> or <code>session</code> scope that are defined inline in Python test modules (not plugins or conftests) will now possibly execute twice.</p> <p>If this is undesirable, move the fixture definition to a <code>conftest.py</code> file if possible.</p> <p>Technical explanation for those interested: When using <!-- raw HTML omitted -->--doctest-modules<!-- raw HTML omitted -->, pytest possibly collects Python modules twice, once as <code>pytest.Module</code> and once as a <code>DoctestModule</code> (depending on the configuration). Due to improvements in pytest's fixture implementation, if e.g. the <code>DoctestModule</code> collects a fixture, it is now visible to it only, and not to the <code>Module</code>. This means that both need to register the fixtures independently.</p> </li> </ul> <h2>Deprecations (removal in next major release)</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/10819">#10819</a>: Added a deprecation warning for class-scoped fixtures defined as instance methods (without <code>@classmethod</code>). Such fixtures set attributes on a different instance than the test methods use, leading to unexpected behavior. Use <code>@classmethod</code> decorator instead -- by <code>yastcher</code>.</p> <p>See <code>10819</code> and <code>14011</code>.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/12882">#12882</a>: Calling <code>request.getfixturevalue() <pytest.FixtureRequest.getfixturevalue></code> during teardown to request a fixture that was not already requested is now deprecated and will become an error in pytest 10.</p> <p>See <code>dynamic-fixture-request-during-teardown</code> for details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13409">#13409</a>: Using non-<code>~collections.abc.Collection</code> iterables (such as generators, iterators, or custom iterable objects) for the <code>argvalues</code> parameter in <code>@pytest.mark.parametrize <pytest.mark.parametrize ref></code> and <code>metafunc.parametrize <pytest.Metafunc.parametrize></code> is now deprecated.</p> <p>These iterables get exhausted after the first iteration, leading to tests getting unexpectedly skipped in cases such as running <code>pytest.main()</code> multiple times, using class-level parametrize decorators, or collecting tests multiple times.</p> <p>See <code>parametrize-iterators</code> for details and suggestions.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13946">#13946</a>: The private <code>config.inicfg</code> attribute is now deprecated. Use <code>config.getini() <pytest.Config.getini></code> to access configuration values instead.</p> <p>See <code>config-inicfg</code> for more details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14004">#14004</a>: Passing <code>baseid</code> to <code>~pytest.FixtureDef</code> or <code>nodeid</code> strings to fixture registration APIs is now deprecated. These are internal pytest APIs that are used by some plugins.</p> <p>Use the <code>node</code> parameter instead for fixture scoping. This enables more robust node-based matching instead of string prefix matching. If you've used <code>nodeid=None</code>, pass <code>node=session</code> instead.</p> <p>This will be removed in pytest 10.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14335">#14335</a>: The method of configuring hooks using markers, deprecated since pytest 7.2, is now scheduled to be removed in pytest 10. See <code>hook-markers</code> for more details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14434">#14434</a>: The <code>--pastebin</code> option is now deprecated.</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
408dc88c8a |
chore: bump langsmith from 0.8.14 to 0.8.16 in /libs/partners/chroma (#38236)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.8.14 to 0.8.16. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.8.16</h2> <h2>What's Changed</h2> <ul> <li>feat(py): add sync/async conversion for Sandbox and SandboxClient [INF-0000] by <a href="https://github.com/ramon-langchain"><code>@ramon-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3019">langchain-ai/langsmith-sdk#3019</a></li> <li>fix(experiments): extract keys from wrapped evaluator function by <a href="https://github.com/shamikkarkhanis"><code>@shamikkarkhanis</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3014">langchain-ai/langsmith-sdk#3014</a></li> <li>chore: repoint <a href="mailto:support@langchain.dev">support@langchain.dev</a> mentions to the Support Portal by <a href="https://github.com/lutan-langchain"><code>@lutan-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3024">langchain-ai/langsmith-sdk#3024</a></li> <li>fix(python): derive create_child run id from start_time [LSDK-220] by <a href="https://github.com/harisaiharish"><code>@harisaiharish</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3027">langchain-ai/langsmith-sdk#3027</a></li> <li>chore: sync langsmith_api by <a href="https://github.com/langtions-bot"><code>@langtions-bot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3020">langchain-ai/langsmith-sdk#3020</a></li> <li>chore: js to 0.7.8 and py to 0.8.16 by <a href="https://github.com/shamikkarkhanis"><code>@shamikkarkhanis</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3029">langchain-ai/langsmith-sdk#3029</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/lutan-langchain"><code>@lutan-langchain</code></a> made their first contribution in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3024">langchain-ai/langsmith-sdk#3024</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.15...v0.8.16">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.15...v0.8.16</a></p> <h2>v0.8.15</h2> <h2>What's Changed</h2> <ul> <li>chore(js): exclude generated _openapi_client from linters and type-checker by <a href="https://github.com/KiewanVillatel"><code>@KiewanVillatel</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3015">langchain-ai/langsmith-sdk#3015</a></li> <li>chore: sync langsmith_api by <a href="https://github.com/langtions-bot"><code>@langtions-bot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3006">langchain-ai/langsmith-sdk#3006</a></li> <li>chore: protect JS openapi client in workflow by <a href="https://github.com/KiewanVillatel"><code>@KiewanVillatel</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3017">langchain-ai/langsmith-sdk#3017</a></li> <li>fix(js): deliver sandbox output callbacks across stream reconnects by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3022">langchain-ai/langsmith-sdk#3022</a></li> <li>fix(python): deliver sandbox output callbacks across stream reconnects by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3023">langchain-ai/langsmith-sdk#3023</a></li> <li>chore: bump JS to 0.7.7 and Python to 0.8.15 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3025">langchain-ai/langsmith-sdk#3025</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.14...v0.8.15">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.14...v0.8.15</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
6f8d81576c |
chore: bump langsmith from 0.8.14 to 0.8.16 in /libs/partners/fireworks (#38235)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.8.14 to 0.8.16. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.8.16</h2> <h2>What's Changed</h2> <ul> <li>feat(py): add sync/async conversion for Sandbox and SandboxClient [INF-0000] by <a href="https://github.com/ramon-langchain"><code>@ramon-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3019">langchain-ai/langsmith-sdk#3019</a></li> <li>fix(experiments): extract keys from wrapped evaluator function by <a href="https://github.com/shamikkarkhanis"><code>@shamikkarkhanis</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3014">langchain-ai/langsmith-sdk#3014</a></li> <li>chore: repoint <a href="mailto:support@langchain.dev">support@langchain.dev</a> mentions to the Support Portal by <a href="https://github.com/lutan-langchain"><code>@lutan-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3024">langchain-ai/langsmith-sdk#3024</a></li> <li>fix(python): derive create_child run id from start_time [LSDK-220] by <a href="https://github.com/harisaiharish"><code>@harisaiharish</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3027">langchain-ai/langsmith-sdk#3027</a></li> <li>chore: sync langsmith_api by <a href="https://github.com/langtions-bot"><code>@langtions-bot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3020">langchain-ai/langsmith-sdk#3020</a></li> <li>chore: js to 0.7.8 and py to 0.8.16 by <a href="https://github.com/shamikkarkhanis"><code>@shamikkarkhanis</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3029">langchain-ai/langsmith-sdk#3029</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/lutan-langchain"><code>@lutan-langchain</code></a> made their first contribution in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3024">langchain-ai/langsmith-sdk#3024</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.15...v0.8.16">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.15...v0.8.16</a></p> <h2>v0.8.15</h2> <h2>What's Changed</h2> <ul> <li>chore(js): exclude generated _openapi_client from linters and type-checker by <a href="https://github.com/KiewanVillatel"><code>@KiewanVillatel</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3015">langchain-ai/langsmith-sdk#3015</a></li> <li>chore: sync langsmith_api by <a href="https://github.com/langtions-bot"><code>@langtions-bot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3006">langchain-ai/langsmith-sdk#3006</a></li> <li>chore: protect JS openapi client in workflow by <a href="https://github.com/KiewanVillatel"><code>@KiewanVillatel</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3017">langchain-ai/langsmith-sdk#3017</a></li> <li>fix(js): deliver sandbox output callbacks across stream reconnects by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3022">langchain-ai/langsmith-sdk#3022</a></li> <li>fix(python): deliver sandbox output callbacks across stream reconnects by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3023">langchain-ai/langsmith-sdk#3023</a></li> <li>chore: bump JS to 0.7.7 and Python to 0.8.15 by <a href="https://github.com/langchain-infra"><code>@langchain-infra</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3025">langchain-ai/langsmith-sdk#3025</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.14...v0.8.15">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.14...v0.8.15</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
fa322d49f4 |
chore: bump pytest from 9.0.3 to 9.1.0 in /libs/partners/fireworks (#38233)
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.0.3 to 9.1.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pytest-dev/pytest/releases">pytest's releases</a>.</em></p> <blockquote> <h2>9.1.0</h2> <h1>pytest 9.1.0 (2026-06-13)</h1> <h2>Removals and backward incompatible breaking changes</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14533">#14533</a>: When using <code>--doctest-modules</code>, autouse fixtures with <code>module</code>, <code>package</code> or <code>session</code> scope that are defined inline in Python test modules (not plugins or conftests) will now possibly execute twice.</p> <p>If this is undesirable, move the fixture definition to a <code>conftest.py</code> file if possible.</p> <p>Technical explanation for those interested: When using <!-- raw HTML omitted -->--doctest-modules<!-- raw HTML omitted -->, pytest possibly collects Python modules twice, once as <code>pytest.Module</code> and once as a <code>DoctestModule</code> (depending on the configuration). Due to improvements in pytest's fixture implementation, if e.g. the <code>DoctestModule</code> collects a fixture, it is now visible to it only, and not to the <code>Module</code>. This means that both need to register the fixtures independently.</p> </li> </ul> <h2>Deprecations (removal in next major release)</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/10819">#10819</a>: Added a deprecation warning for class-scoped fixtures defined as instance methods (without <code>@classmethod</code>). Such fixtures set attributes on a different instance than the test methods use, leading to unexpected behavior. Use <code>@classmethod</code> decorator instead -- by <code>yastcher</code>.</p> <p>See <code>10819</code> and <code>14011</code>.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/12882">#12882</a>: Calling <code>request.getfixturevalue() <pytest.FixtureRequest.getfixturevalue></code> during teardown to request a fixture that was not already requested is now deprecated and will become an error in pytest 10.</p> <p>See <code>dynamic-fixture-request-during-teardown</code> for details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13409">#13409</a>: Using non-<code>~collections.abc.Collection</code> iterables (such as generators, iterators, or custom iterable objects) for the <code>argvalues</code> parameter in <code>@pytest.mark.parametrize <pytest.mark.parametrize ref></code> and <code>metafunc.parametrize <pytest.Metafunc.parametrize></code> is now deprecated.</p> <p>These iterables get exhausted after the first iteration, leading to tests getting unexpectedly skipped in cases such as running <code>pytest.main()</code> multiple times, using class-level parametrize decorators, or collecting tests multiple times.</p> <p>See <code>parametrize-iterators</code> for details and suggestions.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13946">#13946</a>: The private <code>config.inicfg</code> attribute is now deprecated. Use <code>config.getini() <pytest.Config.getini></code> to access configuration values instead.</p> <p>See <code>config-inicfg</code> for more details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14004">#14004</a>: Passing <code>baseid</code> to <code>~pytest.FixtureDef</code> or <code>nodeid</code> strings to fixture registration APIs is now deprecated. These are internal pytest APIs that are used by some plugins.</p> <p>Use the <code>node</code> parameter instead for fixture scoping. This enables more robust node-based matching instead of string prefix matching. If you've used <code>nodeid=None</code>, pass <code>node=session</code> instead.</p> <p>This will be removed in pytest 10.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14335">#14335</a>: The method of configuring hooks using markers, deprecated since pytest 7.2, is now scheduled to be removed in pytest 10. See <code>hook-markers</code> for more details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14434">#14434</a>: The <code>--pastebin</code> option is now deprecated.</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
138727c008 |
perf(core): memoize BaseTool.tool_call_schema subset model and cache model_json_schema (#38073)
|
||
|
|
ae1c9418b5 |
fix(langchain): detect provider strategy for dated gpt-5.2/gpt-5.4 snapshots (#38222)
Closes #38220 --- Users calling `create_agent(..., response_format=<schema>)` with an OpenAI model pinned to a dated snapshot (e.g. `gpt-5.4-2026-03-05`) were silently downgraded from native structured output (`ProviderStrategy`) to tool-calling (`ToolStrategy`). This changes runtime behavior: extra tool-call traces, different token usage, and no provider-side schema enforcement. The cause is in `_supports_provider_strategy`'s fallback patterns: the `gpt-5.2` and `gpt-5.4` base patterns terminated with `($|[/:])`, which — unlike their sibling families — rejected a trailing `-`, so OpenAI's `-YYYY-MM-DD` dated-snapshot suffix matched none of the patterns. The base patterns were deliberately strict to keep `gpt-5.2-pro`/`gpt-5.4-pro` blocked, so rather than allowing any trailing `-` (which would re-admit those `-pro` variants) this change adds an optional dated-snapshot group `(-\d{4}-\d{2}-\d{2})?`. Dated snapshots now resolve to `ProviderStrategy` while `-pro` variants stay blocked. Made by [Open SWE](https://openswe.vercel.app/agents/c5ebcb29-8ce5-dda0-73f6-198e49f0c36c) Co-authored-by: open-swe[bot] <open-swe@users.noreply.github.com> |
||
|
|
f88d4f0212 |
docs(anthropic): clarify prompt caching middleware docstring (#38206)
Updates the `AnthropicPromptCachingMiddleware` class docstring so it no longer implies the middleware itself tags the final message tail. It tags the system message and tool definitions and passes `cache_control` via `model_settings`; the chat model/provider applies the message-tail and provider-specific behavior. Docstring-only, no runtime change. Made by [Open SWE](https://openswe.vercel.app/agents/27913c08-b40c-015e-afee-cf66788b7f08) --------- Co-authored-by: open-swe[bot] <open-swe@users.noreply.github.com> |
||
|
|
e1fab4b9c6 |
chore(model-profiles): refresh model profile data (#38210)
Automated refresh of model profile data for all in-monorepo partner integrations via `langchain-profiles refresh`. 🤖 Generated by the `refresh_model_profiles` workflow. Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com> |
||
|
|
847312e0aa |
test(openai): vcr embedding raw equivalence tests (#38199)
The raw OpenAI embeddings equivalence checks were comparing live responses from two requests, which made them vulnerable to upstream numerical drift even when LangChain behavior had not changed. Recording those interactions keeps the regression coverage while preventing scheduled integration runs from failing due to backend variance. |
||
|
|
fc956c8680 |
style(core): fix style in langchain_core/_security (#38189)
Co-authored-by: Mason Daugherty <mason@langchain.dev> |
||
|
|
0fdcdad393 |
chore(model-profiles): refresh model profile data (#38191)
Automated refresh of model profile data for all in-monorepo partner integrations via `langchain-profiles refresh`. 🤖 Generated by the `refresh_model_profiles` workflow. Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com> |
||
|
|
221f934f9d |
fix(core): preserve usage token details in v3 streaming events (#38021)
`stream_events(version="v3")` / `astream_events(version="v3")` drops `input_token_details` and `output_token_details` from the usage metadata on the assembled message and the `on_llm_end` payload: the conversion to the protocol `UsageInfo` shape copied only the flat token counts. Providers fold cached tokens into `input_tokens` and break them out in `input_token_details`, so tracers (e.g. LangSmith) price every input token at the uncached rate on the v3 path, inflating reported cost for prompt-cached runs (cache reads bill at roughly a tenth of the base input rate). The v2 events path and `astream` aggregation preserve the details and report correctly; reasoning-token breakdowns in `output_token_details` are lost the same way. The detail breakdowns now live on the wire type itself: `input_token_details` / `output_token_details` were added to `UsageInfo` in `langchain-protocol` 0.0.17 (alongside `InputTokenDetails` / `OutputTokenDetails`), so core imports `UsageInfo` directly instead of carrying a local subclass. The v3 usage accumulator threads the details through end to end, shallow-copying the nested dicts (`_isolate_usage`) so later accumulator mutation cannot leak into already-emitted events. Since native provider converters share `build_message_finish`, this also covers provider-native v3 streams. Verified against a live claude-sonnet-4-6 call with a cached prompt: v3 `on_llm_end` usage now matches v2, with `cache_read` / `cache_creation` intact. Requires `langchain-protocol>=0.0.17` (core pin bumped accordingly). |
||
|
|
e19b56927b |
chore: bump tornado from 6.5.6 to 6.5.7 in /libs/partners/huggingface (#38177)
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.6 to 6.5.7. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's changelog</a>.</em></p> <blockquote> <h1>Release notes</h1> <p>.. toctree:: :maxdepth: 2</p> <p>releases/v6.5.7 releases/v6.5.6 releases/v6.5.5 releases/v6.5.4 releases/v6.5.3 releases/v6.5.2 releases/v6.5.1 releases/v6.5.0 releases/v6.4.2 releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
be2f96de81 |
chore: bump aiohttp from 3.14.0 to 3.14.1 in /libs/partners/huggingface (#38178)
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/langchain/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
5d044cd326 |
chore(langchain): improve typing in tests (#38163)
Co-authored-by: Mason Daugherty <github@mdrxy.com> Co-authored-by: Mason Daugherty <mason@langchain.dev> |
||
|
|
5f0abc1152 |
chore: bump pyjwt from 2.12.1 to 2.13.0 in /libs/langchain (#38169)
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.12.1 to 2.13.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jpadilla/pyjwt/releases">pyjwt's releases</a>.</em></p> <blockquote> <h2>2.13.0</h2> <h1>PyJWT 2.13.0 — Security Release</h1> <p>This release bundles five security fixes plus three additional hardening / spec-compliance changes. We recommend all users upgrade.</p> <h2>Security</h2> <ul> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx"><code>GHSA-xgmm-8j9v-c9wx</code></a> — JWK JSON accepted as HMAC secret (algorithm confusion).</strong> <code>HMACAlgorithm.prepare_key</code> previously rejected PEM- and SSH-formatted asymmetric keys but did not catch a JWK passed as a raw JSON string. In a verifier configured with both symmetric and asymmetric algorithms in <code>algorithms=[…]</code> and a raw-JSON JWK as the key, an attacker could forge HS256 tokens using the JWK text as the HMAC secret. The guard has been extended to reject any JWK-shaped JSON. <em>Reported by <a href="https://github.com/aradona91"><code>@aradona91</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f"><code>GHSA-jq35-7prp-9v3f</code></a> — Algorithm allow-list bypass with <code>PyJWK</code> / <code>PyJWKClient</code>.</strong> When verifying with a <code>PyJWK</code>, the caller's <code>algorithms=[…]</code> allow-list was checked against the token header <code>alg</code> as a string only; actual verification used the algorithm bound to the <code>PyJWK</code>. An attacker who controlled a registered JWKS key could sign with one algorithm and advertise another on the header. PyJWT now requires the token header <code>alg</code> to match the <code>PyJWK</code>'s algorithm before verification. <em>Reported by <a href="https://github.com/sushi-gif"><code>@sushi-gif</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39"><code>GHSA-w7vc-732c-9m39</code></a> — DoS via base64 decode of unused payload segment when <code>b64=false</code>.</strong> For detached-payload JWS (<code>b64=false</code>), the compact-form payload segment was base64-decoded before being discarded in favor of the caller-supplied <code>detached_payload</code>. An attacker could inflate the unused segment to force CPU + memory cost without holding a valid signature. The segment is now required to be empty per RFC 7515 Appendix F, and is no longer decoded. <em>Reported by <a href="https://github.com/thesmartshadow"><code>@thesmartshadow</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4"><code>GHSA-993g-76c3-p5m4</code></a> — <code>PyJWKClient</code> accepts non-HTTP(S) URIs.</strong> <code>PyJWKClient.fetch_data</code> passed its URI to <code>urllib.request.urlopen</code>, which by default also handles <code>file://</code>, <code>ftp://</code>, and <code>data:</code> schemes. An application that fed an attacker-influenced URI into <code>PyJWKClient</code> could be coerced into reading local files or reaching other unintended schemes. <code>PyJWKClient</code> now rejects any URI whose scheme isn't <code>http</code> or <code>https</code>. <em>Reported by <a href="https://github.com/KEIJOT"><code>@KEIJOT</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8"><code>GHSA-fhv5-28vv-h8m8</code></a> — <code>PyJWKClient</code> cache wiped on fetch error.</strong> A <code>finally</code>-block <code>put(jwk_set=None)</code> cleared the JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint outage into application-wide auth failure. The cache write was moved into the success path; transient errors no longer evict valid cached keys. <em>Reported by <a href="https://github.com/eddieran"><code>@eddieran</code></a>.</em></p> </li> </ul> <h2>Fixed</h2> <ul> <li>Reject empty HMAC keys outright in <code>HMACAlgorithm.prepare_key</code> with <code>InvalidKeyError</code> instead of accepting them with only a warning. Defends against the <code>os.getenv("JWT_SECRET", "")</code> footgun. <em>Thanks to <a href="https://github.com/SnailSploit"><code>@SnailSploit</code></a> and <a href="https://github.com/spartan8806"><code>@spartan8806</code></a> for the reports.</em></li> <li>Forward per-call <code>options</code> (including <code>enforce_minimum_key_length</code>) from <code>PyJWT.decode</code> through to <code>PyJWS._verify_signature</code>. The option was previously silently dropped between the two layers, so it only took effect when set on the <code>PyJWT</code> instance. <em>Thanks to <a href="https://github.com/WLUB"><code>@WLUB</code></a> for the report.</em></li> <li><strong>RFC 7797 §3 compliance for <code>b64=false</code>:</strong> the encoder now auto-adds <code>"b64"</code> to <code>crit</code>, and the decoder rejects tokens that set <code>b64=false</code> without listing it in <code>crit</code>. <em>Thanks to <a href="https://github.com/MachineLearning-Nerd"><code>@MachineLearning-Nerd</code></a> for the report.</em></li> </ul> <h2>Changed</h2> <ul> <li>Migrate the <code>dev</code>, <code>docs</code>, and <code>tests</code> package extras to dependency groups, by <a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1152">#1152</a>.</li> </ul> <h2>Upgrade notes</h2> <p>Most fixes are invisible to correctly-configured callers. A few behavioral changes you may encounter:</p> <ul> <li><strong>Empty HMAC keys now raise.</strong> If your app passed <code>""</code> or <code>b""</code> as a secret (often via a missing env var, e.g. <code>os.getenv("JWT_SECRET", "")</code>), <code>encode</code>/<code>decode</code> will now raise <code>InvalidKeyError</code>. This is the intended behavior — fix the configuration.</li> <li><strong><code>PyJWK</code> decoding now requires the token's <code>alg</code> to match the JWK's algorithm.</strong> Previously a mismatch was silently honored if the header <code>alg</code> appeared in the allow-list. Tokens that relied on this mismatch will now fail with <code>InvalidAlgorithmError</code>.</li> <li><strong><code>PyJWKClient</code> now rejects non-HTTP(S) URIs at construction time.</strong> Tests or dev environments that fetched JWKS from <code>file://</code> URIs need to switch to a local HTTP server or load the JWKS by other means (e.g. construct <code>PyJWKSet.from_dict(...)</code> directly).</li> <li><strong><code>b64=false</code> tokens are now strictly RFC 7515 / 7797 compliant.</strong> Tokens with a non-empty compact-form payload segment, or that omit <code>"b64"</code> from <code>crit</code>, will be rejected. PyJWT-produced tokens always satisfy both invariants, so round-trips through PyJWT are unaffected.</li> <li><strong><code>enforce_minimum_key_length</code> set per-call now takes effect.</strong> Callers who passed <code>options={"enforce_minimum_key_length": True}</code> to <code>jwt.decode()</code> previously got no enforcement; they will now get <code>InvalidKeyError</code> on undersized keys, as documented.</li> </ul> <p><strong>Full changelog:</strong> <a href="https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0">https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst">pyjwt's changelog</a>.</em></p> <blockquote> <h2><code>v2.13.0 <https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0></code>__</h2> <p>Security</p> <pre><code> - Reject JWK JSON documents passed as raw HMAC secrets in ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that the existing PEM/SSH guard did not cover. Reported by @aradona91 in `GHSA-xgmm-8j9v-c9wx <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx>`__. - Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during verification so the caller's ``algorithms=[...]`` allow-list cannot be bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported by @sushi-gif in `GHSA-jq35-7prp-9v3f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f>`__. - Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker- influenced URIs cannot read local files or reach unintended schemes via urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported by @KEIJOT in `GHSA-993g-76c3-p5m4 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4>`__. - Preserve the cached JWK Set on fetch errors in ``PyJWKClient.fetch_data``. The previous ``finally``-block ``put(None)`` pattern cleared the cache on any transient outage, turning one bad JWKS request into application- wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8>`__. - Skip the unconditional base64 decode of the compact-form payload segment when ``b64=false`` is set in the protected header, and require that segment to be empty (RFC 7515 Appendix F detached form). Closes an unauthenticated DoS amplifier. Reported by @thesmartshadow in `GHSA-w7vc-732c-9m39 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39>`__. <p>Fixed</p> <pre><code> - Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with ``InvalidKeyError`` instead of accepting them with only a warning. Thanks to @SnailSploit and @spartan8806 for independently flagging the footgun. - Forward per-call ``options`` (including ``enforce_minimum_key_length``) from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the option actually takes effect when set at the call site rather than only on the ``PyJWT`` instance. Thanks to @WLUB for the report. - RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds ``&quot;b64&quot;`` to the ``crit`` header parameter, and the decoder rejects tokens that set ``b64=false`` without listing it in ``crit``. Thanks to @MachineLearning-Nerd for the report. Changed </code></pre> <ul> <li>Migrate the <code>dev</code>, <code>docs</code>, and <code>tests</code> package extras to dependency groups by <a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> in <code>[#1152](https://github.com/jpadilla/pyjwt/issues/1152) &lt;https://github.com/jpadilla/pyjwt/pull/1152&gt;</code>__ </code></pre></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
86add86562 |
chore: bump pyjwt from 2.12.0 to 2.13.0 in /libs/langchain_v1 (#38168)
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.12.0 to 2.13.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jpadilla/pyjwt/releases">pyjwt's releases</a>.</em></p> <blockquote> <h2>2.13.0</h2> <h1>PyJWT 2.13.0 — Security Release</h1> <p>This release bundles five security fixes plus three additional hardening / spec-compliance changes. We recommend all users upgrade.</p> <h2>Security</h2> <ul> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx"><code>GHSA-xgmm-8j9v-c9wx</code></a> — JWK JSON accepted as HMAC secret (algorithm confusion).</strong> <code>HMACAlgorithm.prepare_key</code> previously rejected PEM- and SSH-formatted asymmetric keys but did not catch a JWK passed as a raw JSON string. In a verifier configured with both symmetric and asymmetric algorithms in <code>algorithms=[…]</code> and a raw-JSON JWK as the key, an attacker could forge HS256 tokens using the JWK text as the HMAC secret. The guard has been extended to reject any JWK-shaped JSON. <em>Reported by <a href="https://github.com/aradona91"><code>@aradona91</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f"><code>GHSA-jq35-7prp-9v3f</code></a> — Algorithm allow-list bypass with <code>PyJWK</code> / <code>PyJWKClient</code>.</strong> When verifying with a <code>PyJWK</code>, the caller's <code>algorithms=[…]</code> allow-list was checked against the token header <code>alg</code> as a string only; actual verification used the algorithm bound to the <code>PyJWK</code>. An attacker who controlled a registered JWKS key could sign with one algorithm and advertise another on the header. PyJWT now requires the token header <code>alg</code> to match the <code>PyJWK</code>'s algorithm before verification. <em>Reported by <a href="https://github.com/sushi-gif"><code>@sushi-gif</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39"><code>GHSA-w7vc-732c-9m39</code></a> — DoS via base64 decode of unused payload segment when <code>b64=false</code>.</strong> For detached-payload JWS (<code>b64=false</code>), the compact-form payload segment was base64-decoded before being discarded in favor of the caller-supplied <code>detached_payload</code>. An attacker could inflate the unused segment to force CPU + memory cost without holding a valid signature. The segment is now required to be empty per RFC 7515 Appendix F, and is no longer decoded. <em>Reported by <a href="https://github.com/thesmartshadow"><code>@thesmartshadow</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4"><code>GHSA-993g-76c3-p5m4</code></a> — <code>PyJWKClient</code> accepts non-HTTP(S) URIs.</strong> <code>PyJWKClient.fetch_data</code> passed its URI to <code>urllib.request.urlopen</code>, which by default also handles <code>file://</code>, <code>ftp://</code>, and <code>data:</code> schemes. An application that fed an attacker-influenced URI into <code>PyJWKClient</code> could be coerced into reading local files or reaching other unintended schemes. <code>PyJWKClient</code> now rejects any URI whose scheme isn't <code>http</code> or <code>https</code>. <em>Reported by <a href="https://github.com/KEIJOT"><code>@KEIJOT</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8"><code>GHSA-fhv5-28vv-h8m8</code></a> — <code>PyJWKClient</code> cache wiped on fetch error.</strong> A <code>finally</code>-block <code>put(jwk_set=None)</code> cleared the JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint outage into application-wide auth failure. The cache write was moved into the success path; transient errors no longer evict valid cached keys. <em>Reported by <a href="https://github.com/eddieran"><code>@eddieran</code></a>.</em></p> </li> </ul> <h2>Fixed</h2> <ul> <li>Reject empty HMAC keys outright in <code>HMACAlgorithm.prepare_key</code> with <code>InvalidKeyError</code> instead of accepting them with only a warning. Defends against the <code>os.getenv("JWT_SECRET", "")</code> footgun. <em>Thanks to <a href="https://github.com/SnailSploit"><code>@SnailSploit</code></a> and <a href="https://github.com/spartan8806"><code>@spartan8806</code></a> for the reports.</em></li> <li>Forward per-call <code>options</code> (including <code>enforce_minimum_key_length</code>) from <code>PyJWT.decode</code> through to <code>PyJWS._verify_signature</code>. The option was previously silently dropped between the two layers, so it only took effect when set on the <code>PyJWT</code> instance. <em>Thanks to <a href="https://github.com/WLUB"><code>@WLUB</code></a> for the report.</em></li> <li><strong>RFC 7797 §3 compliance for <code>b64=false</code>:</strong> the encoder now auto-adds <code>"b64"</code> to <code>crit</code>, and the decoder rejects tokens that set <code>b64=false</code> without listing it in <code>crit</code>. <em>Thanks to <a href="https://github.com/MachineLearning-Nerd"><code>@MachineLearning-Nerd</code></a> for the report.</em></li> </ul> <h2>Changed</h2> <ul> <li>Migrate the <code>dev</code>, <code>docs</code>, and <code>tests</code> package extras to dependency groups, by <a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1152">#1152</a>.</li> </ul> <h2>Upgrade notes</h2> <p>Most fixes are invisible to correctly-configured callers. A few behavioral changes you may encounter:</p> <ul> <li><strong>Empty HMAC keys now raise.</strong> If your app passed <code>""</code> or <code>b""</code> as a secret (often via a missing env var, e.g. <code>os.getenv("JWT_SECRET", "")</code>), <code>encode</code>/<code>decode</code> will now raise <code>InvalidKeyError</code>. This is the intended behavior — fix the configuration.</li> <li><strong><code>PyJWK</code> decoding now requires the token's <code>alg</code> to match the JWK's algorithm.</strong> Previously a mismatch was silently honored if the header <code>alg</code> appeared in the allow-list. Tokens that relied on this mismatch will now fail with <code>InvalidAlgorithmError</code>.</li> <li><strong><code>PyJWKClient</code> now rejects non-HTTP(S) URIs at construction time.</strong> Tests or dev environments that fetched JWKS from <code>file://</code> URIs need to switch to a local HTTP server or load the JWKS by other means (e.g. construct <code>PyJWKSet.from_dict(...)</code> directly).</li> <li><strong><code>b64=false</code> tokens are now strictly RFC 7515 / 7797 compliant.</strong> Tokens with a non-empty compact-form payload segment, or that omit <code>"b64"</code> from <code>crit</code>, will be rejected. PyJWT-produced tokens always satisfy both invariants, so round-trips through PyJWT are unaffected.</li> <li><strong><code>enforce_minimum_key_length</code> set per-call now takes effect.</strong> Callers who passed <code>options={"enforce_minimum_key_length": True}</code> to <code>jwt.decode()</code> previously got no enforcement; they will now get <code>InvalidKeyError</code> on undersized keys, as documented.</li> </ul> <p><strong>Full changelog:</strong> <a href="https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0">https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0</a></p> <h2>2.12.1</h2> <h2>What's Changed</h2> <ul> <li>Add typing_extensions dependency for Python < 3.11 by <a href="https://github.com/jpadilla"><code>@jpadilla</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1151">jpadilla/pyjwt#1151</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1">https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst">pyjwt's changelog</a>.</em></p> <blockquote> <h2><code>v2.13.0 <https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0></code>__</h2> <p>Security</p> <pre><code> - Reject JWK JSON documents passed as raw HMAC secrets in ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that the existing PEM/SSH guard did not cover. Reported by @aradona91 in `GHSA-xgmm-8j9v-c9wx <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx>`__. - Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during verification so the caller's ``algorithms=[...]`` allow-list cannot be bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported by @sushi-gif in `GHSA-jq35-7prp-9v3f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f>`__. - Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker- influenced URIs cannot read local files or reach unintended schemes via urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported by @KEIJOT in `GHSA-993g-76c3-p5m4 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4>`__. - Preserve the cached JWK Set on fetch errors in ``PyJWKClient.fetch_data``. The previous ``finally``-block ``put(None)`` pattern cleared the cache on any transient outage, turning one bad JWKS request into application- wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8>`__. - Skip the unconditional base64 decode of the compact-form payload segment when ``b64=false`` is set in the protected header, and require that segment to be empty (RFC 7515 Appendix F detached form). Closes an unauthenticated DoS amplifier. Reported by @thesmartshadow in `GHSA-w7vc-732c-9m39 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39>`__. <p>Fixed</p> <pre><code> - Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with ``InvalidKeyError`` instead of accepting them with only a warning. Thanks to @SnailSploit and @spartan8806 for independently flagging the footgun. - Forward per-call ``options`` (including ``enforce_minimum_key_length``) from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the option actually takes effect when set at the call site rather than only on the ``PyJWT`` instance. Thanks to @WLUB for the report. - RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds ``&quot;b64&quot;`` to the ``crit`` header parameter, and the decoder rejects tokens that set ``b64=false`` without listing it in ``crit``. Thanks to @MachineLearning-Nerd for the report. Changed </code></pre> <ul> <li>Migrate the <code>dev</code>, <code>docs</code>, and <code>tests</code> package extras to dependency groups by <a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> in <code>[#1152](https://github.com/jpadilla/pyjwt/issues/1152) &lt;https://github.com/jpadilla/pyjwt/pull/1152&gt;</code>__</li> </ul> <p><code>v2.12.1 &lt;https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1&gt;</code>__ </tr></table> </code></pre></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
d517bf52e8 |
chore: bump pyjwt from 2.12.0 to 2.13.0 in /libs/partners/nomic (#38167)
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.12.0 to 2.13.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jpadilla/pyjwt/releases">pyjwt's releases</a>.</em></p> <blockquote> <h2>2.13.0</h2> <h1>PyJWT 2.13.0 — Security Release</h1> <p>This release bundles five security fixes plus three additional hardening / spec-compliance changes. We recommend all users upgrade.</p> <h2>Security</h2> <ul> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx"><code>GHSA-xgmm-8j9v-c9wx</code></a> — JWK JSON accepted as HMAC secret (algorithm confusion).</strong> <code>HMACAlgorithm.prepare_key</code> previously rejected PEM- and SSH-formatted asymmetric keys but did not catch a JWK passed as a raw JSON string. In a verifier configured with both symmetric and asymmetric algorithms in <code>algorithms=[…]</code> and a raw-JSON JWK as the key, an attacker could forge HS256 tokens using the JWK text as the HMAC secret. The guard has been extended to reject any JWK-shaped JSON. <em>Reported by <a href="https://github.com/aradona91"><code>@aradona91</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f"><code>GHSA-jq35-7prp-9v3f</code></a> — Algorithm allow-list bypass with <code>PyJWK</code> / <code>PyJWKClient</code>.</strong> When verifying with a <code>PyJWK</code>, the caller's <code>algorithms=[…]</code> allow-list was checked against the token header <code>alg</code> as a string only; actual verification used the algorithm bound to the <code>PyJWK</code>. An attacker who controlled a registered JWKS key could sign with one algorithm and advertise another on the header. PyJWT now requires the token header <code>alg</code> to match the <code>PyJWK</code>'s algorithm before verification. <em>Reported by <a href="https://github.com/sushi-gif"><code>@sushi-gif</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39"><code>GHSA-w7vc-732c-9m39</code></a> — DoS via base64 decode of unused payload segment when <code>b64=false</code>.</strong> For detached-payload JWS (<code>b64=false</code>), the compact-form payload segment was base64-decoded before being discarded in favor of the caller-supplied <code>detached_payload</code>. An attacker could inflate the unused segment to force CPU + memory cost without holding a valid signature. The segment is now required to be empty per RFC 7515 Appendix F, and is no longer decoded. <em>Reported by <a href="https://github.com/thesmartshadow"><code>@thesmartshadow</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4"><code>GHSA-993g-76c3-p5m4</code></a> — <code>PyJWKClient</code> accepts non-HTTP(S) URIs.</strong> <code>PyJWKClient.fetch_data</code> passed its URI to <code>urllib.request.urlopen</code>, which by default also handles <code>file://</code>, <code>ftp://</code>, and <code>data:</code> schemes. An application that fed an attacker-influenced URI into <code>PyJWKClient</code> could be coerced into reading local files or reaching other unintended schemes. <code>PyJWKClient</code> now rejects any URI whose scheme isn't <code>http</code> or <code>https</code>. <em>Reported by <a href="https://github.com/KEIJOT"><code>@KEIJOT</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8"><code>GHSA-fhv5-28vv-h8m8</code></a> — <code>PyJWKClient</code> cache wiped on fetch error.</strong> A <code>finally</code>-block <code>put(jwk_set=None)</code> cleared the JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint outage into application-wide auth failure. The cache write was moved into the success path; transient errors no longer evict valid cached keys. <em>Reported by <a href="https://github.com/eddieran"><code>@eddieran</code></a>.</em></p> </li> </ul> <h2>Fixed</h2> <ul> <li>Reject empty HMAC keys outright in <code>HMACAlgorithm.prepare_key</code> with <code>InvalidKeyError</code> instead of accepting them with only a warning. Defends against the <code>os.getenv("JWT_SECRET", "")</code> footgun. <em>Thanks to <a href="https://github.com/SnailSploit"><code>@SnailSploit</code></a> and <a href="https://github.com/spartan8806"><code>@spartan8806</code></a> for the reports.</em></li> <li>Forward per-call <code>options</code> (including <code>enforce_minimum_key_length</code>) from <code>PyJWT.decode</code> through to <code>PyJWS._verify_signature</code>. The option was previously silently dropped between the two layers, so it only took effect when set on the <code>PyJWT</code> instance. <em>Thanks to <a href="https://github.com/WLUB"><code>@WLUB</code></a> for the report.</em></li> <li><strong>RFC 7797 §3 compliance for <code>b64=false</code>:</strong> the encoder now auto-adds <code>"b64"</code> to <code>crit</code>, and the decoder rejects tokens that set <code>b64=false</code> without listing it in <code>crit</code>. <em>Thanks to <a href="https://github.com/MachineLearning-Nerd"><code>@MachineLearning-Nerd</code></a> for the report.</em></li> </ul> <h2>Changed</h2> <ul> <li>Migrate the <code>dev</code>, <code>docs</code>, and <code>tests</code> package extras to dependency groups, by <a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1152">#1152</a>.</li> </ul> <h2>Upgrade notes</h2> <p>Most fixes are invisible to correctly-configured callers. A few behavioral changes you may encounter:</p> <ul> <li><strong>Empty HMAC keys now raise.</strong> If your app passed <code>""</code> or <code>b""</code> as a secret (often via a missing env var, e.g. <code>os.getenv("JWT_SECRET", "")</code>), <code>encode</code>/<code>decode</code> will now raise <code>InvalidKeyError</code>. This is the intended behavior — fix the configuration.</li> <li><strong><code>PyJWK</code> decoding now requires the token's <code>alg</code> to match the JWK's algorithm.</strong> Previously a mismatch was silently honored if the header <code>alg</code> appeared in the allow-list. Tokens that relied on this mismatch will now fail with <code>InvalidAlgorithmError</code>.</li> <li><strong><code>PyJWKClient</code> now rejects non-HTTP(S) URIs at construction time.</strong> Tests or dev environments that fetched JWKS from <code>file://</code> URIs need to switch to a local HTTP server or load the JWKS by other means (e.g. construct <code>PyJWKSet.from_dict(...)</code> directly).</li> <li><strong><code>b64=false</code> tokens are now strictly RFC 7515 / 7797 compliant.</strong> Tokens with a non-empty compact-form payload segment, or that omit <code>"b64"</code> from <code>crit</code>, will be rejected. PyJWT-produced tokens always satisfy both invariants, so round-trips through PyJWT are unaffected.</li> <li><strong><code>enforce_minimum_key_length</code> set per-call now takes effect.</strong> Callers who passed <code>options={"enforce_minimum_key_length": True}</code> to <code>jwt.decode()</code> previously got no enforcement; they will now get <code>InvalidKeyError</code> on undersized keys, as documented.</li> </ul> <p><strong>Full changelog:</strong> <a href="https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0">https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0</a></p> <h2>2.12.1</h2> <h2>What's Changed</h2> <ul> <li>Add typing_extensions dependency for Python < 3.11 by <a href="https://github.com/jpadilla"><code>@jpadilla</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1151">jpadilla/pyjwt#1151</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1">https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst">pyjwt's changelog</a>.</em></p> <blockquote> <h2><code>v2.13.0 <https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0></code>__</h2> <p>Security</p> <pre><code> - Reject JWK JSON documents passed as raw HMAC secrets in ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that the existing PEM/SSH guard did not cover. Reported by @aradona91 in `GHSA-xgmm-8j9v-c9wx <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx>`__. - Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during verification so the caller's ``algorithms=[...]`` allow-list cannot be bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported by @sushi-gif in `GHSA-jq35-7prp-9v3f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f>`__. - Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker- influenced URIs cannot read local files or reach unintended schemes via urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported by @KEIJOT in `GHSA-993g-76c3-p5m4 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4>`__. - Preserve the cached JWK Set on fetch errors in ``PyJWKClient.fetch_data``. The previous ``finally``-block ``put(None)`` pattern cleared the cache on any transient outage, turning one bad JWKS request into application- wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8>`__. - Skip the unconditional base64 decode of the compact-form payload segment when ``b64=false`` is set in the protected header, and require that segment to be empty (RFC 7515 Appendix F detached form). Closes an unauthenticated DoS amplifier. Reported by @thesmartshadow in `GHSA-w7vc-732c-9m39 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39>`__. <p>Fixed</p> <pre><code> - Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with ``InvalidKeyError`` instead of accepting them with only a warning. Thanks to @SnailSploit and @spartan8806 for independently flagging the footgun. - Forward per-call ``options`` (including ``enforce_minimum_key_length``) from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the option actually takes effect when set at the call site rather than only on the ``PyJWT`` instance. Thanks to @WLUB for the report. - RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds ``&quot;b64&quot;`` to the ``crit`` header parameter, and the decoder rejects tokens that set ``b64=false`` without listing it in ``crit``. Thanks to @MachineLearning-Nerd for the report. Changed </code></pre> <ul> <li>Migrate the <code>dev</code>, <code>docs</code>, and <code>tests</code> package extras to dependency groups by <a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> in <code>[#1152](https://github.com/jpadilla/pyjwt/issues/1152) &lt;https://github.com/jpadilla/pyjwt/pull/1152&gt;</code>__</li> </ul> <p><code>v2.12.1 &lt;https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1&gt;</code>__ </tr></table> </code></pre></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
6e36e511d6 | chore(standard-tests): cleanup mypy conf (#38166) | ||
|
|
afff89a9f7 |
fix(core): disallow_any_generics (#38156)
Co-authored-by: Mason Daugherty <github@mdrxy.com> |
||
|
|
b247e572b1 |
chore(model-profiles): refresh model profile data (#38160)
Automated refresh of model profile data for all in-monorepo partner integrations via `langchain-profiles refresh`. 🤖 Generated by the `refresh_model_profiles` workflow. Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com> |
||
|
|
62f255980d |
chore(core): add mypy warn_unreachable (#38109)
Enables mypy's `warn_unreachable` rule for `langchain-core`, bringing it
in line with the other strict libraries in the monorepo. Previously this
rule was intentionally disabled by a code comment, because under mypy
2.x it false-flags intentional defensive runtime checks — most notably
the SSRF / IP-policy guards in `langchain_core/_security/` — as
unreachable.
This PR resolves all of those warnings without deleting or
blanket-ignoring the defensive guards, so contributors get
unreachable-code coverage going forward and accidental dead code is
caught in CI.
The bulk of the change is mechanical: a targeted `# type:
ignore[unreachable]` on each defensive `else`/error branch that mypy
considers unreachable but that we deliberately keep as a runtime guard
against unexpected input. A few changes are more substantive and worth a
closer look:
- **`coro_with_context` (`runnables/utils.py`) — behavior change on
Python < 3.11.** The pre-3.11 path is rewritten to always route through
`context.run(asyncio.create_task, coro)`, so the supplied context is
reliably propagated to the task. Previously, on 3.10 the helper returned
the bare coroutine (run in the caller's context) when
`create_task=False`, and dropped the context entirely when
`create_task=True`. The new behavior matches 3.11+. The `create_task`
parameter is now inert but retained for signature compatibility. All
callers `await` the result, so returning a `Task` rather than a
coroutine is transparent.
- **`_create_template_from_message_type` (`prompts/chat.py`) — signature
widening.** This private helper's `template` parameter now accepts
`bool` inside the list, accurately reflecting the existing `["{var}",
is_optional]` placeholder form. No public-API impact.
- **`PydanticOutputFunctionsParser`
(`output_parsers/openai_functions.py`).** The `pydantic_schema` field is
typed as `TypeBaseModel` (which covers both v1 and v2 model classes,
unlike the prior annotation), and the `args_only` parse path now
dispatches explicitly on `BaseModel` vs `BaseModelV1` rather than
duck-typing via `hasattr`. This also yields clearer errors for
unsupported / dict schemas.
- **`_security/_policy.py`.** Loop variables are renamed so mypy can
narrow their types, which lets the old `# type: ignore[assignment]`
comments be dropped. The IP-blocklist logic is unchanged.
---------
Co-authored-by: Mason Daugherty <mason@langchain.dev>
Co-authored-by: Mason Daugherty <github@mdrxy.com>
|
||
|
|
eb39d0c046 |
chore(model-profiles): refresh model profile data (#38133)
Automated refresh of model profile data for all in-monorepo partner integrations via `langchain-profiles refresh`. 🤖 Generated by the `refresh_model_profiles` workflow. Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com> |
||
|
|
879cad0676 | release(openai): 1.3.2 (#38130) | ||
|
|
37b339f8c4 |
fix(openai): build Codex async headers off the event loop in _agenerate (#38129)
The Codex `_astream` path was reworked to build its auth headers from an async-fetched token, but `_agenerate` was left on the old "prime the cache, then read it back synchronously" approach. That sync read still went through `_FileChatGPTOAuthTokenProvider.get_token`, which acquires a thread lock and a cross-process file lock on every call — blocking the event loop even when the token is already warm. Both async paths now build headers the same way, so neither touches sync `get_token` on the loop. ## Changes - `_ChatOpenAICodex._agenerate` now fetches the token via `aget_token`, builds the Codex headers off-loop, and hands them to `_get_request_payload` through the private `_codex_headers` kwarg — eliminating the synchronous token read (and its lock acquisition) that previously ran on the event loop inside `super()._agenerate`. - Replaced the duplicated `"_codex_headers"` string literal across `_agenerate`, `_astream`, and `_get_request_payload` with a `_CODEX_HEADERS_KWARG` module constant, documenting that the kwarg is popped before the payload reaches the SDK. - Documented the deliberate `is not None` check in `_get_request_payload`: an explicitly-built empty header dict (accountless token with `originator=None`) is honored as-is rather than falling back to the blocking sync read. |
||
|
|
11429a9e1c |
fix(openai): avoid sync token reads in Codex streaming (#38128)
Codex streaming now builds request headers from the async token path instead of refreshing asynchronously and later reading the token synchronously during payload construction. That keeps `_ChatOpenAICodex._astream` off the sync token path while preserving the `ChatGPT-Account-Id` and `originator` headers needed by Codex requests. |
||
|
|
454e19588c | hotfix(openai): skip Codex live integration tests in CI (#38124) | ||
|
|
9e6f58ba46 | hotfix(openai): switch version (#38123) | ||
|
|
bf7b0180f2 |
refactor(openai): mark Codex OAuth classes private (#38122)
- Mark the Codex OAuth model/token helper classes private with leading underscores - Remove `_ChatOpenAICodex` from package-level public exports - Keep a once-per-process runtime warning that use is experimental/unofficial and must comply with applicable OpenAI account, workspace, plan, terms, policies, rate limits, and safeguards |
||
|
|
8180a09dd7 | release(openai): 1.4.0 (#38120) | ||
|
|
6c2b70e60e |
feat(openai): add ChatGPT OAuth-backed ChatOpenAICodex chat model (#37569)
[Docs](https://github.com/langchain-ai/docs/pull/4115) Adds a new `ChatOpenAICodex` chat model and a small `chatgpt_oauth` module so users can authenticate with their ChatGPT subscription (OAuth 2.0 Authorization Code Flow with PKCE) and route Responses-API requests to the ChatGPT Codex backend at `https://chatgpt.com/backend-api/codex`. Login and token persistence live behind a refresh-aware `ChatGPTOAuthTokenProvider` protocol so they stay decoupled from model invocation. The existing API-key `ChatOpenAI` behavior is untouched. By default the file-backed provider writes to `~/.langchain/chatgpt-auth.json` to avoid stomping on Codex CLI / VS Code sessions at `~/.codex/auth.json`. No new required dependencies are introduced (uses stdlib + `httpx`). ```python from langchain_openai import ChatOpenAICodex from langchain_openai.chatgpt_oauth import login_chatgpt login_chatgpt() model = ChatOpenAICodex(model="gpt-5.5") response = model.invoke("hello") ``` _Opened collaboratively by Mason Daugherty and open-swe._ --------- Co-authored-by: open-swe[bot] <open-swe@users.noreply.github.com> Co-authored-by: Mason Daugherty <61371264+mdrxy@users.noreply.github.com> Co-authored-by: Mason Daugherty <github@mdrxy.com> Co-authored-by: Mason Daugherty <mason@langchain.dev> |
||
|
|
63cc1f4e7d |
docs: refresh README installation and resources (#38119)
README installation examples now use `uv add` consistently, matching the repo's `uv`-based Python workflow. The top-level README also gets a cleaner quickstart and resource section with current links for docs, community, learning, and contribution guidance. ## Changes - Replaced `pip install` snippets with `uv add` across package quick install docs, including the Hugging Face extras and `sentence-transformers` upgrade examples. - Updated the top-level quickstart to show only `uv add langchain` and refreshed the example model to `openai:gpt-5.5`. - Pointed the LangGraph orchestration link at the LangGraph GitHub repository. - Consolidated top-level documentation and additional-resource links under a single `Resources` section covering docs, ecosystem overview, API reference, discussions, Academy, contributing, and the Code of Conduct. - Added LangChain Academy and Code of Conduct links to package README resource sections. |
||
|
|
86ce95afc2 |
test(core,langchain): update tests for explicit deserialization allowlists (#38118)
Core serialization tests now opt into the object allowlists they rely on instead of assuming default deserialization permits core objects. Compatibility tests that intentionally exercise deprecated runnable streaming and history APIs also suppress the expected deprecation warnings so they can keep covering those legacy paths cleanly. ## Changes - Updated serialization and prompt round-trip tests to pass `allowed_objects="core"` or targeted allowlists when loading `AIMessage`, prompt templates, structured prompts, runnable maps, and related core objects. - Adjusted secret-injection regression coverage to keep testing `secrets_from_env=True` behavior while explicitly allowing core deserialization paths. - Tightened prompt deserialization rejection tests so attribute-access payloads are loaded only through the specific prompt-template allowlist needed to reach validation. - Added module-level warning filters around legacy runnable compatibility coverage for `astream_log`, `astream_events(version="v1")`, and `RunnableWithMessageHistory`. - Bumped the `langchain` package's minimum `langgraph` dependency from `1.2.4` to `1.2.5`. ## Testing - Updated unit tests across core serialization, prompt, fake chat model, runnable history, and runnable event coverage. |
||
|
|
8b7979c0a0 |
chore: bump tornado from 6.5.5 to 6.5.6 in /libs/partners/huggingface (#38113)
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.5 to 6.5.6. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's changelog</a>.</em></p> <blockquote> <h1>Release notes</h1> <p>.. toctree:: :maxdepth: 2</p> <p>releases/v6.5.7 releases/v6.5.6 releases/v6.5.5 releases/v6.5.4 releases/v6.5.3 releases/v6.5.2 releases/v6.5.1 releases/v6.5.0 releases/v6.4.2 releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
f8fef83dc8 |
chore: bump tornado from 6.5.5 to 6.5.6 in /libs/text-splitters (#38112)
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.5 to 6.5.6. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's changelog</a>.</em></p> <blockquote> <h1>Release notes</h1> <p>.. toctree:: :maxdepth: 2</p> <p>releases/v6.5.7 releases/v6.5.6 releases/v6.5.5 releases/v6.5.4 releases/v6.5.3 releases/v6.5.2 releases/v6.5.1 releases/v6.5.0 releases/v6.4.2 releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |