mirror of
https://github.com/hwchase17/langchain.git
synced 2026-07-01 22:59:06 +00:00
8a9de2a88285c4160357617a4de39fffca7fa99f
1752 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
40cf649486 |
chore: bump langsmith from 0.8.0 to 0.8.18 in /libs/core (#38319)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.8.0 to 0.8.18. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.8.18</h2> <h2>What's Changed</h2> <ul> <li>chore(deps-dev): bump vitest from 3.2.4 to 3.2.6 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3002">langchain-ai/langsmith-sdk#3002</a></li> <li>chore(deps): bump pyjwt from 2.12.1 to 2.13.0 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3030">langchain-ai/langsmith-sdk#3030</a></li> <li>chore(deps): bump python-multipart from 0.0.27 to 0.0.31 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3036">langchain-ai/langsmith-sdk#3036</a></li> <li>chore(deps): bump aiohttp from 3.14.0 to 3.14.1 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3037">langchain-ai/langsmith-sdk#3037</a></li> <li>chore(deps): bump cryptography from 46.0.7 to 48.0.1 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3038">langchain-ai/langsmith-sdk#3038</a></li> <li>chore(deps): bump starlette from 1.0.1 to 1.3.1 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3039">langchain-ai/langsmith-sdk#3039</a></li> <li>chore(deps-dev): bump langchain-anthropic from 1.4.4 to 1.4.6 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3044">langchain-ai/langsmith-sdk#3044</a></li> <li>chore(deps): bump the npm_and_yarn group across 4 directories with 4 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3046">langchain-ai/langsmith-sdk#3046</a></li> <li>chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3060">langchain-ai/langsmith-sdk#3060</a></li> <li>test(python): fix integration assertions for updated attachment error message by <a href="https://github.com/QuentinBrosse"><code>@QuentinBrosse</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3061">langchain-ai/langsmith-sdk#3061</a></li> <li>chore: reconcile bumpversion config and mandate release process for agents by <a href="https://github.com/QuentinBrosse"><code>@QuentinBrosse</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3062">langchain-ai/langsmith-sdk#3062</a></li> <li>release(py): 0.8.18 by <a href="https://github.com/QuentinBrosse"><code>@QuentinBrosse</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3063">langchain-ai/langsmith-sdk#3063</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.17...v0.8.18">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.17...v0.8.18</a></p> <h2>v0.8.17</h2> <h2>What's Changed</h2> <ul> <li>feat: expose the resources from the generated openapi client in the langsmith client by <a href="https://github.com/sineha-mani"><code>@sineha-mani</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3018">langchain-ai/langsmith-sdk#3018</a></li> <li>feat(js): port <code>isTracingEnabled</code> utility from Python by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3032">langchain-ai/langsmith-sdk#3032</a></li> <li>Add sandbox mount support to JS SDK by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3010">langchain-ai/langsmith-sdk#3010</a></li> <li>release(js): bump to 0.7.9 by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3035">langchain-ai/langsmith-sdk#3035</a></li> <li>Add sandbox mount support to Python SDK by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3009">langchain-ai/langsmith-sdk#3009</a></li> <li>docs: note that _openapi_client directories are auto-generated by <a href="https://github.com/KiewanVillatel"><code>@KiewanVillatel</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3034">langchain-ai/langsmith-sdk#3034</a></li> <li>fix: update JS SDK type declarations with skipLibCheck disabled by <a href="https://github.com/sineha-mani"><code>@sineha-mani</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3043">langchain-ai/langsmith-sdk#3043</a></li> <li>release(js): 0.7.10 by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3045">langchain-ai/langsmith-sdk#3045</a></li> <li>feat: adding python async for online evals by <a href="https://github.com/sineha-mani"><code>@sineha-mani</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3048">langchain-ai/langsmith-sdk#3048</a></li> <li>Add sandbox Git mount SDK helpers by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3040">langchain-ai/langsmith-sdk#3040</a></li> <li>fix: use insights tab in sdk report links [closes LSO-2936] by <a href="https://github.com/eric-langchain"><code>@eric-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3050">langchain-ai/langsmith-sdk#3050</a></li> <li>feat(client): warn when backend version is below minimum required by <a href="https://github.com/KiewanVillatel"><code>@KiewanVillatel</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3041">langchain-ai/langsmith-sdk#3041</a></li> <li>chore: bump _MIN_BACKEND_VERSION to 0.16.5rc1 by <a href="https://github.com/langtions-bot"><code>@langtions-bot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3053">langchain-ai/langsmith-sdk#3053</a></li> <li>fix(sandbox): use built-in gcp auth host matching by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3055">langchain-ai/langsmith-sdk#3055</a></li> <li>chore(python): py to 0.8.17 by <a href="https://github.com/sineha-mani"><code>@sineha-mani</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3056">langchain-ai/langsmith-sdk#3056</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/sineha-mani"><code>@sineha-mani</code></a> made their first contribution in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3018">langchain-ai/langsmith-sdk#3018</a></li> <li><a href="https://github.com/eric-langchain"><code>@eric-langchain</code></a> made their first contribution in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3050">langchain-ai/langsmith-sdk#3050</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.16...v0.8.17">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.16...v0.8.17</a></p> <h2>v0.8.16</h2> <h2>What's Changed</h2> <ul> <li>feat(py): add sync/async conversion for Sandbox and SandboxClient [INF-0000] by <a href="https://github.com/ramon-langchain"><code>@ramon-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3019">langchain-ai/langsmith-sdk#3019</a></li> <li>fix(experiments): extract keys from wrapped evaluator function by <a href="https://github.com/shamikkarkhanis"><code>@shamikkarkhanis</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3014">langchain-ai/langsmith-sdk#3014</a></li> <li>chore: repoint <a href="mailto:support@langchain.dev">support@langchain.dev</a> mentions to the Support Portal by <a href="https://github.com/lutan-langchain"><code>@lutan-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3024">langchain-ai/langsmith-sdk#3024</a></li> <li>fix(python): derive create_child run id from start_time [LSDK-220] by <a href="https://github.com/harisaiharish"><code>@harisaiharish</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3027">langchain-ai/langsmith-sdk#3027</a></li> <li>chore: sync langsmith_api by <a href="https://github.com/langtions-bot"><code>@langtions-bot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3020">langchain-ai/langsmith-sdk#3020</a></li> <li>chore: js to 0.7.8 and py to 0.8.16 by <a href="https://github.com/shamikkarkhanis"><code>@shamikkarkhanis</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3029">langchain-ai/langsmith-sdk#3029</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
c8989224b0 |
chore: bump jupyterlab from 4.5.7 to 4.5.9 in /libs/core (#38326)
Bumps [jupyterlab](https://github.com/jupyterlab/jupyterlab) from 4.5.7 to 4.5.9. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jupyterlab/jupyterlab/releases">jupyterlab's releases</a>.</em></p> <blockquote> <h2>v4.5.9</h2> <h2>4.5.9</h2> <p>(<a href="https://github.com/jupyterlab/jupyterlab/compare/v4.5.8...26936727d7f197bab4f314ca50690cd162d50312">Full Changelog</a>)</p> <h3>Bugs fixed</h3> <ul> <li>Fix <code>jupyter labextension build</code> crash on <code>webpack ≥ 5.107</code> <a href="https://redirect.github.com/jupyterlab/jupyterlab/pull/19021">#19021</a> (<a href="https://github.com/Darshan808"><code>@Darshan808</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Backport PR <a href="https://redirect.github.com/jupyterlab/jupyterlab/issues/18992">#18992</a>: Fix hidden cells after moving collapsed headings <a href="https://redirect.github.com/jupyterlab/jupyterlab/pull/19016">#19016</a> (<a href="https://github.com/MUFFANUJ"><code>@MUFFANUJ</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Forbid relative URLs in extensionmanager <a href="https://redirect.github.com/jupyterlab/jupyterlab/pull/19013">#19013</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>)</li> <li>Fix XSS in extension manager's <code>homepage_url</code> <a href="https://redirect.github.com/jupyterlab/jupyterlab/pull/19003">#19003</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>)</li> <li>Fix toolbar popup row clipping in Safari <a href="https://redirect.github.com/jupyterlab/jupyterlab/pull/18998">#18998</a> (<a href="https://github.com/arun-357"><code>@arun-357</code></a>)</li> </ul> <h3>Contributors to this release</h3> <p>The following people contributed discussions, new ideas, code and documentation contributions, and review. See <a href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our definition of contributors</a>.</p> <p>(<a href="https://github.com/jupyterlab/jupyterlab/graphs/contributors?from=2026-06-04&to=2026-06-17&type=c">GitHub contributors page for this release</a>)</p> <p><a href="https://github.com/arun-357"><code>@arun-357</code></a> (<a href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3Aarun-357+updated%3A2026-06-04..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/Darshan808"><code>@Darshan808</code></a> (<a href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3ADarshan808+updated%3A2026-06-04..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/krassowski"><code>@krassowski</code></a> (<a href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3Akrassowski+updated%3A2026-06-04..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/MUFFANUJ"><code>@MUFFANUJ</code></a> (<a href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3AMUFFANUJ+updated%3A2026-06-04..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/Yann-P"><code>@Yann-P</code></a> (<a href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3AYann-P+updated%3A2026-06-04..2026-06-17&type=Issues">activity</a>)</p> <h2>v4.5.8</h2> <h2>4.5.8</h2> <p>(<a href="https://github.com/jupyterlab/jupyterlab/compare/v4.5.7...8d30d481fbab784096e04d85dfa3b0c36e77be2c">Full Changelog</a>)</p> <h3>Bugs fixed</h3> <ul> <li>Prevent dialog from hanging when <code>getValue()</code> throws <a href="https://redirect.github.com/jupyterlab/jupyterlab/pull/18938">#18938</a> (<a href="https://github.com/AliMahmoudDev"><code>@AliMahmoudDev</code></a>)</li> <li>Add <code>packaging</code> min version pin <a href="https://redirect.github.com/jupyterlab/jupyterlab/pull/18910">#18910</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Use CSS <code>anchor</code> for prompt overlay <a href="https://redirect.github.com/jupyterlab/jupyterlab/pull/18840">#18840</a> (<a href="https://github.com/CrafterKolyan"><code>@CrafterKolyan</code></a>)</li> </ul> <h3>Maintenance and upkeep improvements</h3> <ul> <li>Fix completer test failures on CI <a href="https://redirect.github.com/jupyterlab/jupyterlab/pull/18946">#18946</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Bump license webpack plugin <a href="https://redirect.github.com/jupyterlab/jupyterlab/pull/18929">#18929</a> (<a href="https://github.com/Darshan808"><code>@Darshan808</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Contributors to this release</h3> <p>The following people contributed discussions, new ideas, code and documentation contributions, and review. See <a href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our definition of contributors</a>.</p> <p>(<a href="https://github.com/jupyterlab/jupyterlab/graphs/contributors?from=2026-04-29&to=2026-06-04&type=c">GitHub contributors page for this release</a>)</p> <p><a href="https://github.com/AliMahmoudDev"><code>@AliMahmoudDev</code></a> (<a href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3AAliMahmoudDev+updated%3A2026-04-29..2026-06-04&type=Issues">activity</a>) | <a href="https://github.com/CrafterKolyan"><code>@CrafterKolyan</code></a> (<a href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3ACrafterKolyan+updated%3A2026-04-29..2026-06-04&type=Issues">activity</a>) | <a href="https://github.com/Darshan808"><code>@Darshan808</code></a> (<a href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3ADarshan808+updated%3A2026-04-29..2026-06-04&type=Issues">activity</a>) | <a href="https://github.com/krassowski"><code>@krassowski</code></a> (<a href="https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3Akrassowski+updated%3A2026-04-29..2026-06-04&type=Issues">activity</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
73287990e8 |
chore: bump vcrpy from 8.1.1 to 8.2.1 in /libs/core (#38327)
Bumps [vcrpy](https://github.com/kevin1024/vcrpy) from 8.1.1 to 8.2.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/kevin1024/vcrpy/releases">vcrpy's releases</a>.</em></p> <blockquote> <h2>v8.2.1</h2> <h2>What's Changed</h2> <ul> <li><strong>SECURITY:</strong> Cassettes are now loaded with a safe YAML loader, preventing arbitrary code execution when a cassette from an untrusted source is loaded. Previously a crafted cassette containing a Python object tag (e.g. <code>!!python/object/apply:os.system</code>) would execute code on load, including via the normal <code>vcr.use_cassette()</code> path. Existing cassettes (including file-upload/streaming bodies) continue to load. Advisory: GHSA-rpj2-4hq8-938g — thanks <a href="https://github.com/RamiAltai"><code>@RamiAltai</code></a> and <a href="https://github.com/EQSTLab"><code>@EQSTLab</code></a> for the reports.</li> <li>Validate <code>record_mode</code> and raise a clear error on an invalid value (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/208">#208</a>)</li> <li>Recommend pytest-recording over the unmaintained pytest-vcr in the docs (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/986">#986</a>)</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/kevin1024/vcrpy/compare/v8.2.0...v8.2.1">https://github.com/kevin1024/vcrpy/compare/v8.2.0...v8.2.1</a></p> <h2>v8.2.0</h2> <h2>What's Changed</h2> <ul> <li>Add support for httpx 2.x (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/993">#993</a>) - thanks <a href="https://github.com/dsfaccini"><code>@dsfaccini</code></a></li> <li>Patch httpx transports instead of httpcore (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/972">#972</a>) - thanks <a href="https://github.com/seowalex"><code>@seowalex</code></a></li> <li>Fix aiohttp 3.14 compatibility: <code>AsyncStreamReaderMixin</code> removed and <code>ClientResponse</code> now requires <code>stream_writer</code> (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/995">#995</a>) - thanks <a href="https://github.com/dsfaccini"><code>@dsfaccini</code></a></li> <li>Account for modified requests when storing played cassettes, so <code>drop_unused_requests</code> honours <code>before_record_request</code> filtering (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/962">#962</a>) - thanks <a href="https://github.com/jamesbraza"><code>@jamesbraza</code></a></li> <li>Make the request URL available on <code>VCRHTTPResponse</code> (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/976">#976</a>) - thanks <a href="https://github.com/dAnjou"><code>@dAnjou</code></a></li> <li>Improve error message when a matching request has already been consumed (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/985">#985</a>) - thanks <a href="https://github.com/Polandia94"><code>@Polandia94</code></a></li> <li>Fix body check in <code>convert_body_to_unicode</code> to use an explicit type check (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/982">#982</a>) - thanks <a href="https://github.com/Polandia94"><code>@Polandia94</code></a></li> <li>Add env proxy cassette regression test (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/994">#994</a>) - thanks <a href="https://github.com/tine1117"><code>@tine1117</code></a></li> <li>Remove milestone references from docs (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/984">#984</a>) - thanks <a href="https://github.com/Polandia94"><code>@Polandia94</code></a></li> <li>CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/973">#973</a>)</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/kevin1024/vcrpy/compare/v8.1.1...v8.2.0">https://github.com/kevin1024/vcrpy/compare/v8.1.1...v8.2.0</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/kevin1024/vcrpy/blob/master/docs/changelog.rst">vcrpy's changelog</a>.</em></p> <blockquote> <h2>Changelog</h2> <p>All help in providing PRs to close out bug issues is appreciated. Even if that is providing a repo that fully replicates issues. We have very generous contributors that have added these to bug issues which meant another contributor picked up the bug and closed it out.</p> <ul> <li> <p>8.2.1</p> <ul> <li>SECURITY: Load cassettes with a safe YAML loader, preventing arbitrary code execution when a cassette from an untrusted source is loaded (GHSA-rpj2-4hq8-938g) - thanks <a href="https://github.com/RamiAltai"><code>@RamiAltai</code></a> and <a href="https://github.com/EQSTLab"><code>@EQSTLab</code></a></li> <li>Validate <code>record_mode</code> and raise a clear error on an invalid value (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/208">#208</a>)</li> <li>Recommend pytest-recording over the unmaintained pytest-vcr in the docs (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/986">#986</a>)</li> </ul> </li> <li> <p>8.2.0</p> <ul> <li>Add support for httpx 2.x (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/993">#993</a>) - thanks <a href="https://github.com/dsfaccini"><code>@dsfaccini</code></a></li> <li>Patch httpx transports instead of httpcore (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/972">#972</a>) - thanks <a href="https://github.com/seowalex"><code>@seowalex</code></a></li> <li>Fix aiohttp 3.14 compatibility: <code>AsyncStreamReaderMixin</code> removed and <code>ClientResponse</code> now requires <code>stream_writer</code> (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/995">#995</a>) - thanks <a href="https://github.com/dsfaccini"><code>@dsfaccini</code></a></li> <li>Account for modified requests when storing played cassettes, so <code>drop_unused_requests</code> honours <code>before_record_request</code> filtering (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/962">#962</a>) - thanks <a href="https://github.com/jamesbraza"><code>@jamesbraza</code></a></li> <li>Make the request URL available on <code>VCRHTTPResponse</code> (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/976">#976</a>) - thanks <a href="https://github.com/dAnjou"><code>@dAnjou</code></a></li> <li>Improve error message when a matching request has already been consumed (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/985">#985</a>) - thanks <a href="https://github.com/Polandia94"><code>@Polandia94</code></a></li> <li>Fix body check in <code>convert_body_to_unicode</code> to use an explicit type check (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/982">#982</a>) - thanks <a href="https://github.com/Polandia94"><code>@Polandia94</code></a></li> <li>Add env proxy cassette regression test (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/994">#994</a>) - thanks <a href="https://github.com/tine1117"><code>@tine1117</code></a></li> <li>Remove milestone references from docs (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/984">#984</a>) - thanks <a href="https://github.com/Polandia94"><code>@Polandia94</code></a></li> <li>CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/973">#973</a>)</li> </ul> </li> <li> <p>8.1.1</p> <ul> <li>Fix sync requests in async contexts for HTTPX (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/965">#965</a>) - thanks <a href="https://github.com/seowalex"><code>@seowalex</code></a></li> <li>CI: bump peter-evans/create-pull-request from 7 to 8 (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/969">#969</a>)</li> </ul> </li> <li> <p>8.1.0</p> <ul> <li>Enable brotli decompression if available (via <code>brotli</code>, <code>brotlipy</code> or <code>brotlicffi</code>) (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/620">#620</a>) - thanks <a href="https://github.com/immerrr"><code>@immerrr</code></a></li> <li>Fix aiohttp allowing both <code>data</code> and <code>json</code> arguments when one is None (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/624">#624</a>) - thanks <a href="https://github.com/leorochael"><code>@leorochael</code></a></li> <li>Fix usage of io-like interface with VCR.py (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/906">#906</a>) - thanks <a href="https://github.com/tito"><code>@tito</code></a> and <a href="https://github.com/kevdevg"><code>@kevdevg</code></a></li> <li>Migrate to declarative Python package config (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/767">#767</a>) - thanks <a href="https://github.com/deronnax"><code>@deronnax</code></a></li> <li>Various linting fixes - thanks <a href="https://github.com/jairhenrique"><code>@jairhenrique</code></a></li> <li>CI: bump actions/checkout from 5 to 6 (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/955">#955</a>)</li> </ul> </li> <li> <p>8.0.0</p> <ul> <li>BREAKING: Drop support for Python 3.9 (major version bump) - thanks <a href="https://github.com/jairhenrique"><code>@jairhenrique</code></a></li> <li>BREAKING: Drop support for urllib3 < 2 - fixes CVE warnings from urllib3 1.x (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/926">#926</a>, <a href="https://redirect.github.com/kevin1024/vcrpy/issues/880">#880</a>) - thanks <a href="https://github.com/jairhenrique"><code>@jairhenrique</code></a></li> <li>New feature: <code>drop_unused_requests</code> option to remove unused interactions from cassettes (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/763">#763</a>) - thanks <a href="https://github.com/danielnsilva"><code>@danielnsilva</code></a></li> <li>Rewrite httpx support to patch httpcore instead of httpx (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/943">#943</a>) - thanks <a href="https://github.com/seowalex"><code>@seowalex</code></a> <ul> <li>Fixes <code>httpx.ResponseNotRead</code> exceptions (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/832">#832</a>, <a href="https://redirect.github.com/kevin1024/vcrpy/issues/834">#834</a>)</li> <li>Fixes <code>KeyError: 'follow_redirects'</code> (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/945">#945</a>)</li> <li>Adds support for custom httpx transports</li> </ul> </li> <li>Fix HTTPS proxy handling - proxy address no longer ends up in cassette URIs (<a href="https://redirect.github.com/kevin1024/vcrpy/issues/809">#809</a>, <a href="https://redirect.github.com/kevin1024/vcrpy/issues/914">#914</a>) - thanks <a href="https://github.com/alga"><code>@alga</code></a></li> <li>Fix <code>iscoroutinefunction</code> deprecation warning on Python 3.14 - thanks <a href="https://github.com/kloczek"><code>@kloczek</code></a></li> <li>Only log message if response is appended - thanks <a href="https://github.com/talfus-laddus"><code>@talfus-laddus</code></a></li> <li>Optimize urllib.parse calls - thanks <a href="https://github.com/Martin-Brunthaler"><code>@Martin-Brunthaler</code></a></li> <li>Fix CI for Ubuntu 24.04 - thanks <a href="https://github.com/hartwork"><code>@hartwork</code></a></li> <li>Various CI improvements: migrate to uv, update GitHub Actions - thanks <a href="https://github.com/jairhenrique"><code>@jairhenrique</code></a></li> <li>Various linting and test improvements - thanks <a href="https://github.com/jairhenrique"><code>@jairhenrique</code></a> and <a href="https://github.com/hartwork"><code>@hartwork</code></a></li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
15b0a4930b |
chore: bump jupyter-server from 2.18.0 to 2.20.0 in /libs/core (#38252)
Bumps [jupyter-server](https://github.com/jupyter-server/jupyter_server) from 2.18.0 to 2.20.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jupyter-server/jupyter_server/releases">jupyter-server's releases</a>.</em></p> <blockquote> <h2>v2.20.0</h2> <h2>2.20.0</h2> <p>(<a href="https://github.com/jupyter-server/jupyter_server/compare/v2.19.0...333e700119ee0bcc0b5fcd4c158213d7c275c778">Full Changelog</a>)</p> <h3>Security fixes</h3> <ul> <li>CVE-2026-44727 <a href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-fcw5-x6j4-ccmp">GHSA-fcw5-x6j4-ccmp</a></li> </ul> <h3>Enhancements made</h3> <ul> <li>Fix confusing terminal output when using ServerApp.ip=0.0.0.0 <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1643">#1643</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Add a toggle to enable curve encryption for all kernels that support it <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1638">#1638</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/ianthomas23"><code>@ianthomas23</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> </ul> <h3>Bugs fixed</h3> <ul> <li>Grab the port from <code>bind_sockets</code> in case its different <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1651">#1651</a> (<a href="https://github.com/choldgraf"><code>@choldgraf</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Maintenance and upkeep improvements</h3> <ul> <li>Fix <code>test_authorizer</code> having a spurious comma in params <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1664">#1664</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Add a reminder to merge GHSA before release <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1659">#1659</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Exclude problematic <code>pywinpty</code> 3.0.4 version <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1658">#1658</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>ci: explicitly pass base-setup inputs to fix strict validation failures <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1626">#1626</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/Copilot"><code>@Copilot</code></a>)</li> </ul> <h3>Documentation improvements</h3> <ul> <li>Align docs for curve encryption with latest JEP version <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1660">#1660</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Remove PGP key from docs <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1653">#1653</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Contributors to this release</h3> <p>The following people contributed discussions, new ideas, code and documentation contributions, and review. See <a href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our definition of contributors</a>.</p> <p>(<a href="https://github.com/jupyter-server/jupyter_server/graphs/contributors?from=2026-05-29&to=2026-06-17&type=c">GitHub contributors page for this release</a>)</p> <p><a href="https://github.com/Carreau"><code>@Carreau</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3ACarreau+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/choldgraf"><code>@choldgraf</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Acholdgraf+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/Copilot"><code>@Copilot</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3ACopilot+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/ianthomas23"><code>@ianthomas23</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Aianthomas23+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/krassowski"><code>@krassowski</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Akrassowski+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/minrk"><code>@minrk</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Aminrk+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/Yann-P"><code>@Yann-P</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3AYann-P+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>)</p> <h2>v2.19.0</h2> <h2>2.19.0</h2> <p>(<a href="https://github.com/jupyter-server/jupyter_server/compare/v2.18.2...664e2255c71efe963f397b9f803dbcf503b5a920">Full Changelog</a>)</p> <h3>Enhancements made</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jupyter-server/jupyter_server/blob/main/CHANGELOG.md">jupyter-server's changelog</a>.</em></p> <blockquote> <h2>2.20.0</h2> <p>(<a href="https://github.com/jupyter-server/jupyter_server/compare/v2.19.0...333e700119ee0bcc0b5fcd4c158213d7c275c778">Full Changelog</a>)</p> <h3>Enhancements made</h3> <ul> <li>Fix confusing terminal output when using ServerApp.ip=0.0.0.0 <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1643">#1643</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> <li>Add a toggle to enable curve encryption for all kernels that support it <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1638">#1638</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/ianthomas23"><code>@ianthomas23</code></a>, <a href="https://github.com/minrk"><code>@minrk</code></a>)</li> </ul> <h3>Bugs fixed</h3> <ul> <li>Grab the port from <code>bind_sockets</code> in case its different <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1651">#1651</a> (<a href="https://github.com/choldgraf"><code>@choldgraf</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Maintenance and upkeep improvements</h3> <ul> <li>Fix <code>test_authorizer</code> having a spurious comma in params <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1664">#1664</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>Add a reminder to merge GHSA before release <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1659">#1659</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Exclude problematic <code>pywinpty</code> 3.0.4 version <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1658">#1658</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> <li>ci: explicitly pass base-setup inputs to fix strict validation failures <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1626">#1626</a> (<a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/Copilot"><code>@Copilot</code></a>)</li> </ul> <h3>Documentation improvements</h3> <ul> <li>Align docs for curve encryption with latest JEP version <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1660">#1660</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> <li>Remove PGP key from docs <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1653">#1653</a> (<a href="https://github.com/Yann-P"><code>@Yann-P</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Contributors to this release</h3> <p>The following people contributed discussions, new ideas, code and documentation contributions, and review. See <a href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our definition of contributors</a>.</p> <p>(<a href="https://github.com/jupyter-server/jupyter_server/graphs/contributors?from=2026-05-29&to=2026-06-17&type=c">GitHub contributors page for this release</a>)</p> <p><a href="https://github.com/Carreau"><code>@Carreau</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3ACarreau+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/choldgraf"><code>@choldgraf</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Acholdgraf+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/Copilot"><code>@Copilot</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3ACopilot+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/ianthomas23"><code>@ianthomas23</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Aianthomas23+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/krassowski"><code>@krassowski</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Akrassowski+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/minrk"><code>@minrk</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3Aminrk+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>) | <a href="https://github.com/Yann-P"><code>@Yann-P</code></a> (<a href="https://github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+involves%3AYann-P+updated%3A2026-05-29..2026-06-17&type=Issues">activity</a>)</p> <!-- raw HTML omitted --> <h2>2.19.0</h2> <p>(<a href="https://github.com/jupyter-server/jupyter_server/compare/v2.18.2...664e2255c71efe963f397b9f803dbcf503b5a920">Full Changelog</a>)</p> <h3>Enhancements made</h3> <ul> <li>Return <code>unresolved</code> stanza when kernel scope is unavailable for <code>resolvePath</code> (instead of failing with 404) <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1641">#1641</a> (<a href="https://github.com/MUFFANUJ"><code>@MUFFANUJ</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>, <a href="https://github.com/krassowski"><code>@krassowski</code></a>)</li> </ul> <h3>Bugs fixed</h3> <ul> <li>Recreate notary store on failure to prevent save deadlock and data loss <a href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1640">#1640</a> (<a href="https://github.com/krassowski"><code>@krassowski</code></a>, <a href="https://github.com/Carreau"><code>@Carreau</code></a>)</li> </ul> <h3>Maintenance and upkeep improvements</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
24d0b3791a |
chore: bump tornado from 6.5.6 to 6.5.7 in /libs/core (#38184)
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.6 to 6.5.7. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's changelog</a>.</em></p> <blockquote> <h1>Release notes</h1> <p>.. toctree:: :maxdepth: 2</p> <p>releases/v6.5.7 releases/v6.5.6 releases/v6.5.5 releases/v6.5.4 releases/v6.5.3 releases/v6.5.2 releases/v6.5.1 releases/v6.5.0 releases/v6.4.2 releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
872047429f |
chore: bump bleach from 6.3.0 to 6.4.0 in /libs/core (#38198)
Bumps [bleach](https://github.com/mozilla/bleach) from 6.3.0 to 6.4.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/mozilla/bleach/blob/main/CHANGES">bleach's changelog</a>.</em></p> <blockquote> <h2>Version 6.4.0 (June 5th, 2026)</h2> <p><strong>NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future releases including for security issues.</strong> See issue: <code><https://github.com/mozilla/bleach/issues/698></code>__</p> <p><strong>Backwards incompatible changes</strong></p> <ul> <li>Dropped support for pypy 3.10. (<a href="https://redirect.github.com/mozilla/bleach/issues/764">#764</a>)</li> </ul> <p><strong>Security fixes</strong></p> <ul> <li> <p>Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.</p> <p>Fix XSS issue with sanitize_uri_value where disallowed schemes with Unicode invisible characters wouldn't be rejected.</p> <p>For example::</p> <p>import bleach payload1 = '<!-- raw HTML omitted -->Click<!-- raw HTML omitted -->' result1 = bleach.clean(payload1) print(repr(result1))</p> <p>outputs::</p> <p>'<!-- raw HTML omitted -->Click<!-- raw HTML omitted -->'</p> <p>See the advisory for details.</p> </li> <li> <p>Fix GHSA-gj48-438w-jh9v.</p> <p>Fix issue where URI sanitization wasn't happening in formaction attributes.</p> <p>See the advisory for details.</p> </li> </ul> <p><strong>Bug fixes</strong></p> <ul> <li> <p>Add support for pypy 3.11. (<a href="https://redirect.github.com/mozilla/bleach/issues/764">#764</a>)</p> </li> <li> <p>Drop version max in tinycss2 pin. (<a href="https://redirect.github.com/mozilla/bleach/issues/772">#772</a>)</p> <p>This removes one of the things we had to keep checking and updating. Users now own the responsibility for correctness with the version of tinycss2 they're using.</p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
94ea96d542 | release(core): 1.4.8 (#38254) | ||
|
|
9ac8882a2c | refactor(langchain-classic): remove code for Python < 3.10 (#38194) | ||
|
|
138727c008 |
perf(core): memoize BaseTool.tool_call_schema subset model and cache model_json_schema (#38073)
|
||
|
|
fc956c8680 |
style(core): fix style in langchain_core/_security (#38189)
Co-authored-by: Mason Daugherty <mason@langchain.dev> |
||
|
|
221f934f9d |
fix(core): preserve usage token details in v3 streaming events (#38021)
`stream_events(version="v3")` / `astream_events(version="v3")` drops `input_token_details` and `output_token_details` from the usage metadata on the assembled message and the `on_llm_end` payload: the conversion to the protocol `UsageInfo` shape copied only the flat token counts. Providers fold cached tokens into `input_tokens` and break them out in `input_token_details`, so tracers (e.g. LangSmith) price every input token at the uncached rate on the v3 path, inflating reported cost for prompt-cached runs (cache reads bill at roughly a tenth of the base input rate). The v2 events path and `astream` aggregation preserve the details and report correctly; reasoning-token breakdowns in `output_token_details` are lost the same way. The detail breakdowns now live on the wire type itself: `input_token_details` / `output_token_details` were added to `UsageInfo` in `langchain-protocol` 0.0.17 (alongside `InputTokenDetails` / `OutputTokenDetails`), so core imports `UsageInfo` directly instead of carrying a local subclass. The v3 usage accumulator threads the details through end to end, shallow-copying the nested dicts (`_isolate_usage`) so later accumulator mutation cannot leak into already-emitted events. Since native provider converters share `build_message_finish`, this also covers provider-native v3 streams. Verified against a live claude-sonnet-4-6 call with a cached prompt: v3 `on_llm_end` usage now matches v2, with `cache_read` / `cache_creation` intact. Requires `langchain-protocol>=0.0.17` (core pin bumped accordingly). |
||
|
|
afff89a9f7 |
fix(core): disallow_any_generics (#38156)
Co-authored-by: Mason Daugherty <github@mdrxy.com> |
||
|
|
62f255980d |
chore(core): add mypy warn_unreachable (#38109)
Enables mypy's `warn_unreachable` rule for `langchain-core`, bringing it
in line with the other strict libraries in the monorepo. Previously this
rule was intentionally disabled by a code comment, because under mypy
2.x it false-flags intentional defensive runtime checks — most notably
the SSRF / IP-policy guards in `langchain_core/_security/` — as
unreachable.
This PR resolves all of those warnings without deleting or
blanket-ignoring the defensive guards, so contributors get
unreachable-code coverage going forward and accidental dead code is
caught in CI.
The bulk of the change is mechanical: a targeted `# type:
ignore[unreachable]` on each defensive `else`/error branch that mypy
considers unreachable but that we deliberately keep as a runtime guard
against unexpected input. A few changes are more substantive and worth a
closer look:
- **`coro_with_context` (`runnables/utils.py`) — behavior change on
Python < 3.11.** The pre-3.11 path is rewritten to always route through
`context.run(asyncio.create_task, coro)`, so the supplied context is
reliably propagated to the task. Previously, on 3.10 the helper returned
the bare coroutine (run in the caller's context) when
`create_task=False`, and dropped the context entirely when
`create_task=True`. The new behavior matches 3.11+. The `create_task`
parameter is now inert but retained for signature compatibility. All
callers `await` the result, so returning a `Task` rather than a
coroutine is transparent.
- **`_create_template_from_message_type` (`prompts/chat.py`) — signature
widening.** This private helper's `template` parameter now accepts
`bool` inside the list, accurately reflecting the existing `["{var}",
is_optional]` placeholder form. No public-API impact.
- **`PydanticOutputFunctionsParser`
(`output_parsers/openai_functions.py`).** The `pydantic_schema` field is
typed as `TypeBaseModel` (which covers both v1 and v2 model classes,
unlike the prior annotation), and the `args_only` parse path now
dispatches explicitly on `BaseModel` vs `BaseModelV1` rather than
duck-typing via `hasattr`. This also yields clearer errors for
unsupported / dict schemas.
- **`_security/_policy.py`.** Loop variables are renamed so mypy can
narrow their types, which lets the old `# type: ignore[assignment]`
comments be dropped. The IP-blocklist logic is unchanged.
---------
Co-authored-by: Mason Daugherty <mason@langchain.dev>
Co-authored-by: Mason Daugherty <github@mdrxy.com>
|
||
|
|
63cc1f4e7d |
docs: refresh README installation and resources (#38119)
README installation examples now use `uv add` consistently, matching the repo's `uv`-based Python workflow. The top-level README also gets a cleaner quickstart and resource section with current links for docs, community, learning, and contribution guidance. ## Changes - Replaced `pip install` snippets with `uv add` across package quick install docs, including the Hugging Face extras and `sentence-transformers` upgrade examples. - Updated the top-level quickstart to show only `uv add langchain` and refreshed the example model to `openai:gpt-5.5`. - Pointed the LangGraph orchestration link at the LangGraph GitHub repository. - Consolidated top-level documentation and additional-resource links under a single `Resources` section covering docs, ecosystem overview, API reference, discussions, Academy, contributing, and the Code of Conduct. - Added LangChain Academy and Code of Conduct links to package README resource sections. |
||
|
|
86ce95afc2 |
test(core,langchain): update tests for explicit deserialization allowlists (#38118)
Core serialization tests now opt into the object allowlists they rely on instead of assuming default deserialization permits core objects. Compatibility tests that intentionally exercise deprecated runnable streaming and history APIs also suppress the expected deprecation warnings so they can keep covering those legacy paths cleanly. ## Changes - Updated serialization and prompt round-trip tests to pass `allowed_objects="core"` or targeted allowlists when loading `AIMessage`, prompt templates, structured prompts, runnable maps, and related core objects. - Adjusted secret-injection regression coverage to keep testing `secrets_from_env=True` behavior while explicitly allowing core deserialization paths. - Tightened prompt deserialization rejection tests so attribute-access payloads are loaded only through the specific prompt-template allowlist needed to reach validation. - Added module-level warning filters around legacy runnable compatibility coverage for `astream_log`, `astream_events(version="v1")`, and `RunnableWithMessageHistory`. - Bumped the `langchain` package's minimum `langgraph` dependency from `1.2.4` to `1.2.5`. ## Testing - Updated unit tests across core serialization, prompt, fake chat model, runnable history, and runnable event coverage. |
||
|
|
7bae1118c2 |
chore: bump tornado from 6.5.5 to 6.5.6 in /libs/core (#38115)
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.5 to 6.5.6. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's changelog</a>.</em></p> <blockquote> <h1>Release notes</h1> <p>.. toctree:: :maxdepth: 2</p> <p>releases/v6.5.7 releases/v6.5.6 releases/v6.5.5 releases/v6.5.4 releases/v6.5.3 releases/v6.5.2 releases/v6.5.1 releases/v6.5.0 releases/v6.4.2 releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
4108c0738c |
release(core): 1.4.7 (#38111)
Bumps `langchain-core` to `1.4.7` for the next patch release and updates downstream minimum `langchain-core` requirements so package locks resolve against the new core version. This also refreshes the runnable snapshots that embed `lc_versions` metadata so the version consistency check continues to validate checked-in artifacts. Validated with `python libs/core/scripts/check_version.py`, `uv lock --check` across package lockfiles, and the core runnable tests that own the updated snapshots with local LangSmith tracing env disabled. |
||
|
|
8837163917 |
fix(core,partners): rename package version trace metadata (#38110)
Package-version trace metadata now uses the LangChain-owned `metadata["lc_versions"]` convention instead of the user-owned `metadata["versions"]` key. Metadata merging is narrowed so only `lc_versions` accumulates nested package-version entries, while generic nested metadata keeps normal last-writer-wins behavior. ## Changes - Renamed `BaseLanguageModel._add_version()` trace metadata from `versions` to `lc_versions`, including docstrings and the non-dict replacement warning. - Scoped `_merge_metadata_dicts()` nested-map accumulation to only `lc_versions`; duplicate package entries remain last-writer-wins and `lc_versions` mappings are copied defensively. - Preserved user-owned `metadata["versions"]` semantics by keeping it out of package-version tracking and generic nested metadata merging. - Updated runnable snapshots and partner package metadata assertions across Anthropic, DeepSeek, Fireworks, Groq, Hugging Face, MistralAI, Ollama, OpenAI, OpenRouter, Perplexity, and xAI to expect `lc_versions`. ## Testing - Added/adjusted core tests for `lc_versions` accumulation, duplicate package overwrite behavior, non-dict `lc_versions` replacement, defensive copying, and `metadata["versions"]` last-writer-wins behavior. - Ran focused core and partner metadata tests plus Ruff checks for changed areas. |
||
|
|
0392b6bae4 |
fix(core): fix Pydantic v1 support in tools/runnable (#33698)
`BaseTool.args_schema` is documented as accepting a Pydantic v1 model, but several code paths assumed v2 and raised when handed a v1 schema (e.g. an `AttributeError` from calling `model_json_schema()`/`model_fields` on a v1 model). This affected anyone using a v1 `args_schema`, and anyone composing runnables whose input/output schema is a v1 model. This PR makes the tool/runnable schema-derivation code version-agnostic. ## Type contract `TypeBaseModel` (and `PydanticBaseModel`) now include `pydantic.v1.BaseModel`, so the type honestly reflects what tools and runnables already accept at runtime. The public schema accessors (`Runnable.get_input_schema`/`get_output_schema` and the `input_schema`/`output_schema` properties) return `TypeBaseModel`. ## Version-agnostic helpers Added to `langchain_core.utils.pydantic`, each dispatching on the model's Pydantic version so callers don't have to: - `model_json_schema(model)` — JSON schema for either version. - `model_validate(model, obj)` — validation for either version. - `get_fields(model)` — field map for either version (existing helper, now used consistently). Internally, direct `.model_json_schema()` / `.model_fields` calls are replaced with these helpers (or with `get_input_jsonschema()` / `get_output_jsonschema()`). ## Behavior change worth a close look When deriving a schema from a v1 model (in `RunnableParallel`, `RunnableAssign`, and `RunnableSequence` output schemas), a **required** v1 field is now correctly carried over as required. Previously the v1 path read the field's `default` — which is `None` for a required v1 field — and silently turned required fields into optional/nullable ones; `default_factory` fields were dropped entirely. The new `_get_schema_field_definition` helper translates a v1 `ModelField` faithfully (required → `...`, factory preserved) and dispatches explicitly on the field type. --------- Co-authored-by: Mason Daugherty <mason@langchain.dev> Co-authored-by: Mason Daugherty <github@mdrxy.com> |
||
|
|
5d20596d73 |
style(core,langchain,langchain-classic,partners): replace double backticks in docstrings (#38095)
Standardizes inline code markup in Python docstrings and comments by replacing Sphinx-style double backticks with single-backtick Markdown. The cleanup keeps existing code fences intact while aligning inline references with the repo's docstring convention. ## Changes - Converted inline code references in core prompt-loading docs and LangSmith tracer comments, including `..`, `allow_dangerous_paths`, and inheritable metadata keys. - Normalized agent-related docstrings and comments around `wrap_model_call`, `ExtendedModelResponse`, `Command`, `create_structured_chat_agent`, and `DockerExecutionPolicy`. - Updated partner package docstrings for inline references such as `json_schema`, `ToolCall`, `apply_patch_call_output`, OpenRouter content block keys, and Perplexity tool-call serialization. - Cleaned test and helper docstrings that referenced command separators, fake `resource` modules, stream event names, and xdist rate-limit environment variables. |
||
|
|
05cc55f1bc | release(core): 1.4.6 (#38061) | ||
|
|
948f6cc58c |
feat(core,partners): add package version tracking to tracing metadata (#35295)
Following on the heels of #35293 TODO: - Packages outside of this repo (e.g. LiteLLM, Nvidia, Google, AWS) --- ## Summary Surface partner package versions in `metadata.versions` on LangSmith traces. Mirrors the JS SDK's `_addVersion()` pattern ([langchainjs#10106](https://github.com/langchain-ai/langchainjs/pull/10106)). Each model constructor records its package version via `_add_version()` on `BaseLanguageModel`. The version dict accumulates through the class hierarchy — `langchain-core` is added in `BaseLanguageModel.model_post_init`, `langchain-openai` in `BaseChatOpenAI._set_openai_chat_version`, and each leaf partner in its uniquely-named `model_validator`. Traces end up with: ```json { "metadata": { "versions": { "langchain-core": "1.4.5", "langchain-openai": "1.3.0", "langchain-xai": "1.2.2" } } } ``` ### Changes - `BaseLanguageModel._add_version(pkg, version)` — appends to `self.metadata["versions"]`; accepts any `Mapping` type; emits a warning if a non-mapping value is found and replaced - `BaseLanguageModel.model_post_init` — adds `langchain-core` version; calls `super()` for MRO safety - `_merge_metadata_dicts` — one-level-deep (non-recursive) merge for nested dict metadata keys - `CallbackManager.add_metadata` — uses `_merge_metadata_dicts` instead of flat `dict.update()` so nested metadata dicts (like `versions`) coexist rather than clobber - `merge_configs` — uses `_merge_metadata_dicts` for config merging **Partners:** - Each now calls `self._add_version("langchain-<pkg>", __version__)` ### Design decisions - **Constructor-based, not `_get_ls_params`-based** — versions flow through `self.metadata` (local metadata on traces), not through `LangSmithParams`. This matches JS and makes child-class version inheritance automatic (no merge/clobber issues). - **`versions` is local (non-inheritable) metadata** — `self.metadata` is passed to `CallbackManager.configure` as `local_metadata` (`add_metadata(..., inherit=False)`), so `versions` is attached **once per chat-model run** and is **not** propagated to child runs or duplicated onto every streaming chunk. This is intentionally the opposite of the inheritable-per-chunk metadata that #36588 was reducing for performance — `versions` does not regress that path. - **`add_metadata` deep-merge is a correctness fix, not just for versions** — previously `add_metadata`/`merge_configs` did a flat top-level `dict.update`/spread, so any nested metadata dict baked into a config (e.g. via `.with_config({"metadata": {...}})`) would be wholly replaced when a caller also passed `metadata`. `_merge_metadata_dicts` merges one level deep so user-provided `config.metadata.versions` and model-set `versions` coexist instead of clobbering. The merge runs once per `configure` (not per chunk), so it is off the streaming hot path. - **One level deep only** — `_merge_metadata_dicts` is deliberately *not* a recursive deep merge; values nested more than one level are last-writer-wins. This covers the `versions` case without the ambiguity/cost of arbitrary-depth merging. - **Warn on non-dict `metadata["versions"]`** — if a user sets `metadata={"versions": "some-string"}`, `_add_version` emits a warning and replaces the value with the version dict rather than silently discarding user data or crashing. This is a soft breaking change for anyone who previously stored non-dict values at this key. ### Follow-ups (tracked separately, out of scope here) - JS `mergeConfigs` still flat-spreads nested metadata, so `metadata.versions` can still clobber on the JS side until an equivalent deep-merge lands. --- Made by [Open SWE](https://openswe.vercel.app) --------- Co-authored-by: open-swe[bot] <open-swe@users.noreply.github.com> |
||
|
|
86428c63ac |
fix(core,openai): normalize v1 streamed tool calls (#35983)
OpenAI Chat Completions streaming has a v1 normalization gap when tool
calls are streamed.
When users opt into `output_version="v1"`, `.content_blocks` is expected
to be the normalized cross-provider view of the message. For OpenAI Chat
Completions streams, though, chunks still carry raw string `content`
plus side-channel `tool_call_chunks` / `tool_calls`.
Practically, an OpenAI stream chunk can look like this internally:
```python
AIMessageChunk(
content="",
tool_call_chunks=[
{
"name": "get_weather",
"args": '{"location": "SF"}',
"id": "call_123",
"index": 0,
"type": "tool_call_chunk",
}
],
response_metadata={"model_provider": "openai", "output_version": "v1"},
)
```
That is not already-normalized v1 content like this:
```python
AIMessageChunk(
content=[
{
"type": "tool_call_chunk",
"name": "get_weather",
"args": '{"location": "SF"}',
"id": "call_123",
"index": 0,
}
],
)
```
Because `.content_blocks` currently short-circuits solely on
`output_version="v1"`, it can return the raw string/empty list directly
instead of running the OpenAI translator that incorporates
`tool_call_chunks` / `tool_calls` into normalized v1 blocks.
In practice, a streamed OpenAI tool call can be parsed successfully into
`tool_calls`, but still be missing from the final aggregated
`.content_blocks`. Downstream code that consumes the v1 block interface
then sees no `tool_call` block and must know to inspect OpenAI-specific
chunk fields instead.
User story:
> As a LangChain user streaming OpenAI Chat Completions with bound tools
and `output_version="v1"`, I need the final aggregated message's
`.content_blocks` to include normalized `tool_call` blocks, so that code
written against the v1 content-block interface handles streamed tool
calls consistently across providers.
Expected final aggregated view:
```python
message.content_blocks == [
{
"type": "tool_call",
"name": "get_weather",
"args": {"location": "SF"},
"id": "call_123",
}
]
```
Root causes:
1. The usage-only Chat Completions chunk uses `content=[]` in v1 mode
while normal streaming chunks use `content=""`, creating inconsistent
content types during chunk aggregation.
2. `AIMessage.content_blocks` and `AIMessageChunk.content_blocks` treat
any `output_version="v1"` message as already-normalized, even when
`content` is still raw string content from Chat Completions.
3. Content-bearing OpenAI stream chunks do not carry
`output_version="v1"`, so the final merged chunk may not reliably take
the v1 normalization path.
Changes:
- Keep usage-only Chat Completions chunks as `content=""` instead of
overriding to `[]`, so streaming chunks merge consistently.
- Propagate `output_version="v1"` to content-bearing chunks.
- Only short-circuit v1 `.content_blocks` when `content` is already a
list of blocks; otherwise fall through to the provider translator.
- Add regression tests covering string-content v1 fallback, usage-only
chunk content consistency, and streamed tool calls appearing as
normalized final v1 blocks.
|
||
|
|
1de100f278 |
chore(infra): bump mypy to 2.1 and unify type-check config across the monorepo (#36470)
Originally a narrow bump of mypy to `1.20` in four packages. Expanded to get the whole monorepo onto a single, current mypy and a consistent type-check configuration, so contributors no longer hit different mypy versions and divergent behavior depending on which package they touch. ### What changed - **Unified the mypy pin to `>=2.1.0,<2.2.0`** in every mypy-using package (6 libs + 14 partners), replacing the previously scattered pins (`1.10`/`1.17`/`1.18`/`1.19`/`1.20`, with assorted upper bounds). - **Unified the `[tool.mypy]` base per tier:** - libs: `plugins = ["pydantic.mypy"]`, `strict = true`, `enable_error_code = "deprecated"`, `warn_unreachable = true` - partners: `disallow_untyped_defs = true` - Normalized style (`disallow_untyped_defs = "True"` string → bool, quote/key consistency). - **Fixed the 20 real errors** mypy 2.1 surfaces: `redundant-cast` from improved narrowing (`core`, `langchain-classic`), a `var-annotated` for `_LOGGED`, a return-type widening in `langchain-groq`'s `_convert_from_v1_to_groq` (it can legitimately return a bare `str`), and stale `type-arg`/`unused-ignore` in `langchain-model-profiles` tests. ### Deliberate non-uniformity (documented inline in the relevant `pyproject.toml`s) Going fully byte-identical would surface ~196 additional errors that are *not* real bugs, so two settings are kept package-appropriate: - **`warn_unreachable`** is enabled on every strict lib **except `core`**, where it false-flags intentional defensive code — including the SSRF / IP-policy guards in `_security/` — as unreachable. - **`pydantic.mypy` plugin** is used only on `anthropic` and `perplexity` (their code is authored against it and reports ~99/~132 errors without it). It is *not* added to the other partners, where it only flags the public alias constructor API (e.g. `ChatGroq(model=...)`) in tests rather than finding bugs. - **`ollama`** is left on its `ty` type checker; it does not use mypy. --------- Co-authored-by: Mason Daugherty <github@mdrxy.com> |
||
|
|
030ec6010b | release(core): 1.4.5 (#38056) | ||
|
|
43880362d8 |
feat(standard-tests): validate tool call chunks during streaming (#34707)
As a LangChain user streaming a tool-calling model, I expect each streamed chunk to expose structured `tool_call_chunk` content blocks so I can render or process tool calls live, instead of waiting for the final aggregated message. This adds `tool_call_streaming` to `ModelProfile` and uses it in the standard chat-model tool-calling tests. When a model profile opts in, `test_tool_calling` and `test_tool_calling_async` now validate that at least one streamed chunk includes a `tool_call_chunk` block via `content_blocks`, while preserving the existing final-message validation. This keeps the contract profile-gated so providers can opt in once their streaming chunk shape is verified. This PR opts in the providers verified by smoke testing with straightforward profile coverage: OpenAI, Anthropic, Fireworks, HuggingFace, OpenRouter, DeepSeek, and xAI. The generated profile artifacts are refreshed so runtime profiles expose the new capability flag. Perplexity Responses also passed the smoke test, but its current profile data is for the `sonar` family while the Responses smoke path used a routed model string. That profile strategy is left as follow-up. MistralAI currently streams `.tool_call_chunks`, but its content-block translator exposes a complete `tool_call` block instead of `tool_call_chunk`, so it also stays out of this flag until that integration is fixed. |
||
|
|
7cc9d0c84d |
fix(core): async tracer on_chat_model_start fallback in sync context (#35233)
Fixes #30870 When an `AsyncBaseTracer` with `_schema_format="original"` (the default) is used with sync `llm.invoke()`, the `on_chat_model_start` to `on_llm_start` fallback doesn't fire. The async handler returns a coroutine instead of raising `NotImplementedError` synchronously, so it bypasses the existing fallback logic and lands in `_run_coros`, which only logs the error generically. This fallback already works for sync handlers in sync context and async handlers in async context. This PR closes the gap for async handlers in sync context. |
||
|
|
6b9e22dbbc |
fix(langchain): tighten structured output model fallbacks (#38042)
Provider-native structured output fallback detection now uses bounded model-name patterns instead of broad substring checks, reducing false positives for unrelated model IDs. The model examples and test fixtures across OpenAI/OpenRouter-facing code were refreshed around current OpenAI model families while preserving shipped defaults. ## Changes - Tightened `FALLBACK_MODELS_WITH_STRUCTURED_OUTPUT` from loose string fragments to regex patterns, with `_supports_provider_strategy` matching full model-name segments instead of arbitrary substrings. - Expanded structured-output fallback coverage for newer OpenAI, Anthropic, and xAI/Grok model families, including `gpt-5.x`, newer Claude 4/5-style names, and `grok-build`. - Reused `_attempt_infer_model_provider` in provider tool search routing so `_provider_from_model_name` follows the same provider inference behavior as `init_chat_model`. - Suppressed irrelevant provider-inference deprecation warnings during provider tool search registry lookup. - Refreshed OpenAI, Azure OpenAI, OpenRouter, core metadata, and example model references from older fixtures like `gpt-4`, `gpt-4o`, `o1`, and `o4-mini` to current test/profile models such as `gpt-5.5`, `gpt-5-nano`, and `gpt-4.1-mini`. - Removed outdated OpenAI test assumptions around legacy `o1` behavior and narrowed legacy structured-output checks to explicitly legacy model names. |
||
|
|
8ac91e3f5f | hotfix(core): bump lockfile(s) (#38032) | ||
|
|
2e832c23d4 | release(core): 1.4.4 (#38031) | ||
|
|
f89f4c5afe |
fix(core): support content block tokens in callbacks (#34739)
Supersedes #34727 Closes #30703 Related: * langchain-ai/langchain-google#1460 * langchain-ai/langchain-google#1501 Fixing this at the `langchain-core` callback layer instead of normalizing inside individual provider integrations, so structured streaming content is preserved consistently. --- Models are increasingly streaming structured content blocks instead of plain text tokens. For example, Gemini 3 can stream text as content-block lists, and Anthropic/tool-use flows can also produce non-text message content. Today those values already reach `on_llm_new_token`, but the callback API still advertises `token: str`, which makes custom callbacks, tracers, and streaming helpers assume every streamed value is text. User story: as a LangChain user building a streaming callback for chat models with tool calls, reasoning/thinking blocks, or provider-specific structured content, I need `on_llm_new_token` to accept the same content shape that chat model chunks can actually emit, so my callback can observe the stream without providers flattening or dropping non-text data. Fixing this in `langchain-core` makes the existing runtime behavior explicit at the shared callback boundary. Normalizing content blocks inside each provider would duplicate logic, produce inconsistent behavior across integrations, and in some cases lose required provider metadata such as Gemini thought signatures. ## Changes - Update the callback contract so streamed tokens can be either plain text or structured content blocks - Carry structured streamed content through tracing and event/log streaming paths without forcing provider data into text too early - Keep built-in text-oriented streaming callbacks working by converting structured tokens only at the display/queue boundary - Drop the now-incorrect `cast("str", ...)` on streamed content in `BaseChatModel` so the producer side matches the widened callback signature instead of asserting a string it doesn't always have (no runtime change — `cast` is erased) - Align Anthropic and Mistral content typing with the structured content shapes already used by chat model messages - Update callback tests to reflect that not every streamed value is text ## Compatibility No runtime behavior change: no producer emits anything it wasn't already emitting, and widening a parameter type is safe for existing callers and handlers that pass or receive `str`. The one caveat is downstream code that subclasses a callback handler or tracer and overrides `on_llm_new_token` with a `token: str` annotation — under strict type checking that override is now narrower than the base and will be flagged as incompatible with the supertype. Such code still runs unchanged; the fix is to widen the annotation to match. |
||
|
|
720dfd3b09 |
chore(core): improve typing of Runnable __or__ (#34530)
`Runnable.__or__`, `Runnable.__ror__`, and their `RunnableSequence` and
`StructuredPrompt` overrides previously erased composition types: the
right-hand operand was typed `Runnable[Any, Other]`, so piping two
runnables together always produced `RunnableSerializable[Input, Any]`.
Type information was lost at every `|`, which is why chains so often
needed a `chain: Runnable = ...` annotation just to recover usable
inference.
This adds `@overload`s so the `Output` of one step flows into the
`Input` of the next and the composed result carries the real `Output`
type through. `Runnable[int, str] | Runnable[str, float]` now infers
`RunnableSerializable[int, float]` instead of `[int, Any]`.
`coerce_to_runnable` gains overloads so a `Mapping` resolves to
`RunnableParallel` while everything else stays a `Runnable`. As a
knock-on effect, dozens of now-unnecessary `: Runnable` annotations were
dropped from the test suite.
Runtime behavior is unchanged — this is a typing-only change.
## Impact on type-checked code
Most users will simply get better inference. Two changes can require a
small adjustment if you run a type checker (`mypy`, `pyright`):
### Stricter operand matching in `|`
The right-hand side of `|` is now typed `Runnable[Output, Other]` rather
than `Runnable[Any, Other]`, so the right operand's declared **input**
must match the left operand's **output**. This is more accurate, but it
surfaces a common pattern that was previously silent: piping a step that
outputs a plain `dict` into a step whose declared input is a more
specific type (for example a `TypedDict`). It still works at runtime;
the checker now reports an `[operator]` error.
If you hit this, narrow the boundary with a `cast` (or an explicit
annotation):
```python
from typing import Any, cast
from langchain_core.runnables import Runnable
# upstream outputs a dict; downstream declares a narrower input type
chain = cast("Runnable[Any, MyInput]", upstream) | downstream
```
### `list` → `Sequence` on `RunnableEach` / `map()`
`Runnable.map()` and the `invoke` / `ainvoke` methods of `RunnableEach`
now accept `Sequence[Input]` instead of `list[Input]`. Callers are
unaffected — a `list` is a `Sequence`, and tuples or other sequences now
type-check too. The only thing to adjust: if you **subclass**
`RunnableEach` (or `RunnableEachBase`) and override these methods with a
`list[...]` parameter, widen the annotation to `Sequence[...]` so the
override stays compatible with the base signature.
---------
Co-authored-by: Mason Daugherty <github@mdrxy.com>
|
||
|
|
a063ec26dd |
chore(core): fix some any generics (#34545)
Co-authored-by: Mason Daugherty <github@mdrxy.com> |
||
|
|
8bc96308d0 |
fix(core): accept sequence tool error content (#38005)
`handle_tool_error` callables can now return structured message content as any valid sequence, not just a mutable `list`. Valid structured sequences are normalized to the `ToolMessage` content shape at the tool output boundary, while invalid content still falls back to stringification. ## Changes - Widened `ToolExceptionHandlerOutput` from `list[str | dict[str, Any]]` to `Sequence[MessageContentBlock]` so handlers returning `list[dict[str, Any]]` or tuple content blocks type-check cleanly. - Added `_normalize_message_content` to validate structured message content and convert valid non-string sequences to the `list` shape expected by `ToolMessage`. - Preserved existing stringification behavior for invalid structured content blocks instead of treating failed normalization as `None`. - Removed the now-unused `_is_message_content_type` helper; output formatting validates content directly through `_normalize_message_content`. |
||
|
|
0f1b291f42 |
fix(core): type structured tool error handler output (#38003)
`handle_tool_error` callables can already return structured message content at runtime, but the public typing only allowed strings. The tool error handling API now reflects the existing output formatting path, including clearer docs for how handled errors become `ToolMessage(status="error")` results. |
||
|
|
ac18ef5871 |
docs(core): document multimodal handling in get_buffer_string (#37994)
Clarifies how `get_buffer_string` treats multimodal message content across output formats. The docs now make the default prefix format's text-only behavior explicit and point users to XML when they need structured multimodal block representations. This behavior may change in future iterations |
||
|
|
c15cfe21b6 | release(core): 1.4.3 (#37991) | ||
|
|
0f45b2c285 |
feat(openai): support apply_patch built-in tool (#37157)
[Docs](https://github.com/langchain-ai/docs/pull/4370) Fixes #37031 Adds support for OpenAI Responses API `apply_patch` built-in tool. This PR: - Adds `apply_patch` to the OpenAI well-known tools list so `bind_tools([{"type": "apply_patch"}])` works. - Preserves `apply_patch_call` and `apply_patch_call_output` items when converting OpenAI Responses API outputs into LangChain `AIMessage.content`. - Preserves the same item types in streaming `AIMessageChunk` conversion. - Supports round-trip input conversion for `apply_patch_call` and `apply_patch_call_output`. - Adds unit tests for core tool passthrough, non-streaming conversion, streaming conversion, and round-trip input conversion. ## Testing - `cd libs/core && uv run --group test pytest tests/unit_tests/utils/test_function_calling.py -k "apply_patch" -vv` - `cd libs/partners/openai && uv run --group test pytest tests/unit_tests/chat_models/test_base.py -k "apply_patch" -vv` - `cd libs/core && uv run --all-groups ruff check langchain_core/utils/function_calling.py tests/unit_tests/utils/test_function_calling.py` - `cd libs/partners/openai && uv run --all-groups ruff check langchain_openai/chat_models/base.py tests/unit_tests/chat_models/test_base.py` --------- Co-authored-by: Mason Daugherty <github@mdrxy.com> Co-authored-by: Mason Daugherty <mason@langchain.dev> |
||
|
|
e096992984 | release(core): 1.4.2 (#37968) | ||
|
|
74c23741b0 |
feat(core): deprecate problematic dict() method (#31685)
`dict()` is a problematic method name as it clashes with the builtin `dict` used as a type annotation. This PR replaces it with an `asdict` method (inspired by dataclasses). It also fixes a few places where `dict` must be replaced by `builtins.dict` until the `dict()` method is removed. --------- Co-authored-by: Mason Daugherty <github@mdrxy.com> |
||
|
|
a401351e12 | release(core): 1.4.1 (#37922) | ||
|
|
053c368ba4 |
fix(core): remove Bedrock prevalidation from load (#37909)
Removes the built-in Bedrock class init validator from `load` so Bedrock kwargs such as `base_url` and `endpoint_url` are no longer specially rejected during deserialization. This keeps provider-specific SSRF policy out of core; callers should continue to avoid untrusted manifests or use restrictive `allowed_objects`. Verified with `make format`, `make lint`, and the focused serialization load unit tests. AI-assisted contribution by Open SWE. Made by [Open SWE](https://openswe.vercel.app) --------- Co-authored-by: open-swe[bot] <215916821+open-swe[bot]@users.noreply.github.com> |
||
|
|
586bcd46a1 |
docs(core): expand and link ModelProfile docstrings (#37904)
Rewrote the `ModelProfile` docstrings to point readers at canonical docs. The class docstring now explains how profiles are accessed and where the data comes from, and several terse field docstrings gain a one-line clarification or a link to the relevant guide. |
||
|
|
133887180e | release(anthropic): 1.4.4 (#37757) | ||
|
|
95c6a8aa76 |
chore(core): bump uuid-utils to 0.16.0 (#37699)
Refresh `langchain-core`'s lockfile so the dev/CI environment resolves `uuid-utils` to a release that ships free-threading wheels (`cp313t`, `cp314t`). Unblocks `pip install` on Python 3.14 free-threaded builds — previously the lock pinned `0.14.1`, which had no FT wheel and forced an sdist build. Related to #34870. |
||
|
|
aef86c476d |
chore(infra): bump langchain-tests floor to 1.1.9 (#37610)
Bumps the `langchain-tests` minimum across the monorepo from `1.0.0` to `1.1.9` and adds a partner-level `Makefile` so partner lockfiles can be regenerated in one command, matching the existing convention under `libs/`. |
||
|
|
ebc1880444 | release(standard-tests): 1.1.9 (#37609) | ||
|
|
8cead6b77a |
chore: bump idna from 3.11 to 3.15 in /libs/core (#37539)
Bumps [idna](https://github.com/kjd/idna) from 3.11 to 3.15. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/kjd/idna/blob/master/HISTORY.md">idna's changelog</a>.</em></p> <blockquote> <h2>3.15 (2026-05-12)</h2> <ul> <li>Enforce DNS-length cap on individual labels early in <code>check_label</code>, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.</li> <li>Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared <code>_unicode_dots_re</code> from <code>idna.core</code> in the codec module.</li> <li>Use <code>raise ... from err</code> for proper exception chaining and switch internal string formatting to f-strings.</li> <li>Allow <code>flit_core</code> 4.x in the build backend.</li> <li>Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.</li> <li>Add Dependabot configuration for GitHub Actions.</li> <li>Convert README and HISTORY from reStructuredText to Markdown.</li> <li>Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.</li> </ul> <p>Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.</p> <h2>3.14 (2026-05-10)</h2> <ul> <li>Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]</li> </ul> <p>Thanks to Stan Ulbrych for reporting the issue.</p> <h2>3.13 (2026-04-22)</h2> <ul> <li>Correct classification error for codepoint U+A7F1</li> </ul> <h2>3.12 (2026-04-21)</h2> <ul> <li>Update to Unicode 17.0.0.</li> <li>Issue a deprecation warning for the transitional argument.</li> <li>Added lazy-loading to provide some performance improvements.</li> <li>Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.</li> </ul> <p>Thanks to Rodrigo Nogueira for contributions to this release.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
abd9d4ce31 |
ci(infra): harden Dependabot version-bound preservation (#37510)
Dependabot has been stripping upper/lower bounds from internal `langchain-*` deps in partner `pyproject.toml` files (e.g. #37288 reduced `langchain-core>=1.3.2,<2.0.0` to bare `langchain-core`). Locks down the config so bumps preserve existing specifiers, and restores the bounds it already mangled across the monorepo. ## Changes - Add `versioning-strategy: increase` to every `uv` ecosystem block in `.github/dependabot.yml` so future bumps move the lower bound in place instead of rewriting the constraint. - Ignore workspace-internal packages (`langchain-core`, `langchain`, `langchain-classic`, `langchain-text-splitters`, `langchain-tests`, `langchain-model-profiles`) on every `uv` block — these are editable installs from local paths and their published constraints are hand-curated for release, not Dependabot's to bump. - Restore stripped bounds across all `libs/` packages — runtime `dependencies` and every dep group (`test`, `dev`, `test_integration`, `typing`, `lint`) — to `>=1.4.0,<2.0.0` for `langchain-core` and `>=1.0.0,<2.0.0` for the other internal packages. |
||
|
|
c7daed8c0f | hotfix: bump lockfiles (#37508) |