Commit Graph

180 Commits

Author SHA1 Message Date
dependabot[bot]
24d0b3791a chore: bump tornado from 6.5.6 to 6.5.7 in /libs/core (#38184)
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.6 to
6.5.7.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's
changelog</a>.</em></p>
<blockquote>
<h1>Release notes</h1>
<p>.. toctree::
:maxdepth: 2</p>
<p>releases/v6.5.7
releases/v6.5.6
releases/v6.5.5
releases/v6.5.4
releases/v6.5.3
releases/v6.5.2
releases/v6.5.1
releases/v6.5.0
releases/v6.4.2
releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
releases/v6.1.0
releases/v6.0.4
releases/v6.0.3
releases/v6.0.2
releases/v6.0.1
releases/v6.0.0
releases/v5.1.1
releases/v5.1.0
releases/v5.0.2
releases/v5.0.1
releases/v5.0.0
releases/v4.5.3
releases/v4.5.2
releases/v4.5.1
releases/v4.5.0
releases/v4.4.3
releases/v4.4.2
releases/v4.4.1
releases/v4.4.0
releases/v4.3.0
releases/v4.2.1
releases/v4.2.0
releases/v4.1.0
releases/v4.0.2
releases/v4.0.1
releases/v4.0.0
releases/v3.2.2
releases/v3.2.1</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="48fc2d43d1"><code>48fc2d4</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3633">#3633</a>
from bdarnell/curl-reset-65</li>
<li><a
href="4ae1ddd142"><code>4ae1ddd</code></a>
Release notes and version bump for 6.5.7</li>
<li><a
href="3154caabc9"><code>3154caa</code></a>
curl_httpclient: Reset the curl object before putting it on the
freelist</li>
<li><a
href="7d869c0739"><code>7d869c0</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3631">#3631</a>
from bdarnell/cve-links</li>
<li><a
href="288241f681"><code>288241f</code></a>
docs: Use the correct link syntax</li>
<li><a
href="8da981c0f6"><code>8da981c</code></a>
docs: Add CVE links to 6.5.6 release notes</li>
<li>See full diff in <a
href="https://github.com/tornadoweb/tornado/compare/v6.5.6...v6.5.7">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-18 15:27:10 -04:00
dependabot[bot]
872047429f chore: bump bleach from 6.3.0 to 6.4.0 in /libs/core (#38198)
Bumps [bleach](https://github.com/mozilla/bleach) from 6.3.0 to 6.4.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/mozilla/bleach/blob/main/CHANGES">bleach's
changelog</a>.</em></p>
<blockquote>
<h2>Version 6.4.0 (June 5th, 2026)</h2>
<p><strong>NOTE: 2026-06-05: Bleach is no longer maintained. There will
be no future
releases including for security issues.</strong>
See issue:
<code>&lt;https://github.com/mozilla/bleach/issues/698&gt;</code>__</p>
<p><strong>Backwards incompatible changes</strong></p>
<ul>
<li>Dropped support for pypy 3.10. (<a
href="https://redirect.github.com/mozilla/bleach/issues/764">#764</a>)</li>
</ul>
<p><strong>Security fixes</strong></p>
<ul>
<li>
<p>Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.</p>
<p>Fix XSS issue with sanitize_uri_value where disallowed schemes with
Unicode invisible characters wouldn't be rejected.</p>
<p>For example::</p>
<p>import bleach
payload1 = '<!-- raw HTML omitted -->Click<!-- raw HTML omitted -->'
result1 = bleach.clean(payload1)
print(repr(result1))</p>
<p>outputs::</p>
<p>'<!-- raw HTML omitted -->Click<!-- raw HTML omitted -->'</p>
<p>See the advisory for details.</p>
</li>
<li>
<p>Fix GHSA-gj48-438w-jh9v.</p>
<p>Fix issue where URI sanitization wasn't happening in formaction
attributes.</p>
<p>See the advisory for details.</p>
</li>
</ul>
<p><strong>Bug fixes</strong></p>
<ul>
<li>
<p>Add support for pypy 3.11. (<a
href="https://redirect.github.com/mozilla/bleach/issues/764">#764</a>)</p>
</li>
<li>
<p>Drop version max in tinycss2 pin. (<a
href="https://redirect.github.com/mozilla/bleach/issues/772">#772</a>)</p>
<p>This removes one of the things we had to keep checking and updating.
Users
now own the responsibility for correctness with the version of tinycss2
they're using.</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="f0355a7af0"><code>f0355a7</code></a>
fix: fix last release date in CHANGES</li>
<li><a
href="ae4e8a2670"><code>ae4e8a2</code></a>
chore: bleach 6.4.0 and final release</li>
<li><a
href="970df58e9f"><code>970df58</code></a>
fix: uri-sanitization in formaction attributes</li>
<li><a
href="7c4867c323"><code>7c4867c</code></a>
fix: xss bypass in allowed protocol test using unicode invisible
characters</li>
<li><a
href="913ab75992"><code>913ab75</code></a>
fix: reduce redundancy in workflow jobs</li>
<li><a
href="218c15af45"><code>218c15a</code></a>
fix: rework pip caching</li>
<li><a
href="4f0b097bf8"><code>4f0b097</code></a>
fix: fix tox platform restrictions</li>
<li><a
href="e95a79d07b"><code>e95a79d</code></a>
chore: update pytest</li>
<li><a
href="91539d4e80"><code>91539d4</code></a>
Bump actions/cache from 5.0.3 to 5.0.4</li>
<li><a
href="cd47b4ce49"><code>cd47b4c</code></a>
fix: handle left-angle-bracket that's not a tag (<a
href="https://redirect.github.com/mozilla/bleach/issues/733">#733</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/mozilla/bleach/compare/v6.3.0...v6.4.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=bleach&package-manager=uv&previous-version=6.3.0&new-version=6.4.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-18 15:25:35 -04:00
Nick Hollon
94ea96d542 release(core): 1.4.8 (#38254) 2026-06-18 15:23:00 -04:00
Nick Hollon
221f934f9d fix(core): preserve usage token details in v3 streaming events (#38021)
`stream_events(version="v3")` / `astream_events(version="v3")` drops
`input_token_details` and `output_token_details` from the usage metadata
on the assembled message and the `on_llm_end` payload: the conversion to
the protocol `UsageInfo` shape copied only the flat token counts.

Providers fold cached tokens into `input_tokens` and break them out in
`input_token_details`, so tracers (e.g. LangSmith) price every input
token at the uncached rate on the v3 path, inflating reported cost for
prompt-cached runs (cache reads bill at roughly a tenth of the base
input rate). The v2 events path and `astream` aggregation preserve the
details and report correctly; reasoning-token breakdowns in
`output_token_details` are lost the same way.

The detail breakdowns now live on the wire type itself:
`input_token_details` / `output_token_details` were added to `UsageInfo`
in `langchain-protocol` 0.0.17 (alongside `InputTokenDetails` /
`OutputTokenDetails`), so core imports `UsageInfo` directly instead of
carrying a local subclass. The v3 usage accumulator threads the details
through end to end, shallow-copying the nested dicts (`_isolate_usage`)
so later accumulator mutation cannot leak into already-emitted events.
Since native provider converters share `build_message_finish`, this also
covers provider-native v3 streams.

Verified against a live claude-sonnet-4-6 call with a cached prompt: v3
`on_llm_end` usage now matches v2, with `cache_read` / `cache_creation`
intact. Requires `langchain-protocol>=0.0.17` (core pin bumped
accordingly).
2026-06-16 10:04:55 -04:00
dependabot[bot]
7bae1118c2 chore: bump tornado from 6.5.5 to 6.5.6 in /libs/core (#38115)
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.5 to
6.5.6.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's
changelog</a>.</em></p>
<blockquote>
<h1>Release notes</h1>
<p>.. toctree::
:maxdepth: 2</p>
<p>releases/v6.5.7
releases/v6.5.6
releases/v6.5.5
releases/v6.5.4
releases/v6.5.3
releases/v6.5.2
releases/v6.5.1
releases/v6.5.0
releases/v6.4.2
releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
releases/v6.1.0
releases/v6.0.4
releases/v6.0.3
releases/v6.0.2
releases/v6.0.1
releases/v6.0.0
releases/v5.1.1
releases/v5.1.0
releases/v5.0.2
releases/v5.0.1
releases/v5.0.0
releases/v4.5.3
releases/v4.5.2
releases/v4.5.1
releases/v4.5.0
releases/v4.4.3
releases/v4.4.2
releases/v4.4.1
releases/v4.4.0
releases/v4.3.0
releases/v4.2.1
releases/v4.2.0
releases/v4.1.0
releases/v4.0.2
releases/v4.0.1
releases/v4.0.0
releases/v3.2.2
releases/v3.2.1</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="aba2569f7e"><code>aba2569</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3626">#3626</a>
from bdarnell/fixes-656</li>
<li><a
href="a24b260e0d"><code>a24b260</code></a>
httpclient_test: Accept an additional error message variant</li>
<li><a
href="a74240a702"><code>a74240a</code></a>
Release notes and version bump for 6.5.6.</li>
<li><a
href="e8fc7edb23"><code>e8fc7ed</code></a>
simple_httpclient: Strip auth headers on cross-origin redirects</li>
<li><a
href="96dc88c2a0"><code>96dc88c</code></a>
speedups: validate mask length</li>
<li><a
href="ff808b33ad"><code>ff808b3</code></a>
http1connection: Enforce max_body_size in _GzipMessageDelegate</li>
<li><a
href="ede4e37f93"><code>ede4e37</code></a>
auth: Correctly parse check_authentication response</li>
<li><a
href="1c178bef88"><code>1c178be</code></a>
Remove obsolete curl force_timeout workaround</li>
<li><a
href="c99d55bb6c"><code>c99d55b</code></a>
Replace deprecated pycurl IOCTLFUNCTION callback with SEEKFUNCTION</li>
<li><a
href="27614316ef"><code>2761431</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3587">#3587</a>
from bdarnell/fix-link</li>
<li>Additional commits viewable in <a
href="https://github.com/tornadoweb/tornado/compare/v6.5.5...v6.5.6">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=tornado&package-manager=uv&previous-version=6.5.5&new-version=6.5.6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-12 15:04:00 -04:00
Mason Daugherty
4108c0738c release(core): 1.4.7 (#38111)
Bumps `langchain-core` to `1.4.7` for the next patch release and updates
downstream minimum `langchain-core` requirements so package locks
resolve against the new core version.

This also refreshes the runnable snapshots that embed `lc_versions`
metadata so the version consistency check continues to validate
checked-in artifacts.

Validated with `python libs/core/scripts/check_version.py`, `uv lock
--check` across package lockfiles, and the core runnable tests that own
the updated snapshots with local LangSmith tracing env disabled.
2026-06-12 14:54:25 -04:00
Mason Daugherty
05cc55f1bc release(core): 1.4.6 (#38061) 2026-06-11 02:58:40 -04:00
Christophe Bornet
1de100f278 chore(infra): bump mypy to 2.1 and unify type-check config across the monorepo (#36470)
Originally a narrow bump of mypy to `1.20` in four packages. Expanded to
get the whole monorepo onto a single, current mypy and a consistent
type-check configuration, so contributors no longer hit different mypy
versions and divergent behavior depending on which package they touch.

### What changed

- **Unified the mypy pin to `>=2.1.0,<2.2.0`** in every mypy-using
package (6 libs + 14 partners), replacing the previously scattered pins
(`1.10`/`1.17`/`1.18`/`1.19`/`1.20`, with assorted upper bounds).
- **Unified the `[tool.mypy]` base per tier:**
- libs: `plugins = ["pydantic.mypy"]`, `strict = true`,
`enable_error_code = "deprecated"`, `warn_unreachable = true`
  - partners: `disallow_untyped_defs = true`
- Normalized style (`disallow_untyped_defs = "True"` string → bool,
quote/key consistency).
- **Fixed the 20 real errors** mypy 2.1 surfaces: `redundant-cast` from
improved narrowing (`core`, `langchain-classic`), a `var-annotated` for
`_LOGGED`, a return-type widening in `langchain-groq`'s
`_convert_from_v1_to_groq` (it can legitimately return a bare `str`),
and stale `type-arg`/`unused-ignore` in `langchain-model-profiles`
tests.

### Deliberate non-uniformity (documented inline in the relevant
`pyproject.toml`s)

Going fully byte-identical would surface ~196 additional errors that are
*not* real bugs, so two settings are kept package-appropriate:

- **`warn_unreachable`** is enabled on every strict lib **except
`core`**, where it false-flags intentional defensive code — including
the SSRF / IP-policy guards in `_security/` — as unreachable.
- **`pydantic.mypy` plugin** is used only on `anthropic` and
`perplexity` (their code is authored against it and reports ~99/~132
errors without it). It is *not* added to the other partners, where it
only flags the public alias constructor API (e.g. `ChatGroq(model=...)`)
in tests rather than finding bugs.
- **`ollama`** is left on its `ty` type checker; it does not use mypy.

---------

Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-06-11 00:24:59 -04:00
Mason Daugherty
8ac91e3f5f hotfix(core): bump lockfile(s) (#38032) 2026-06-10 17:05:23 -04:00
Mason Daugherty
c15cfe21b6 release(core): 1.4.3 (#37991) 2026-06-09 16:27:57 -04:00
Mason Daugherty
e096992984 release(core): 1.4.2 (#37968) 2026-06-08 14:16:11 -04:00
Mason Daugherty
a401351e12 release(core): 1.4.1 (#37922) 2026-06-05 10:49:33 -04:00
Mason Daugherty
95c6a8aa76 chore(core): bump uuid-utils to 0.16.0 (#37699)
Refresh `langchain-core`'s lockfile so the dev/CI environment resolves
`uuid-utils` to a release that ships free-threading wheels (`cp313t`,
`cp314t`). Unblocks `pip install` on Python 3.14 free-threaded builds —
previously the lock pinned `0.14.1`, which had no FT wheel and forced an
sdist build. Related to #34870.
2026-05-26 16:38:34 +00:00
Mason Daugherty
ebc1880444 release(standard-tests): 1.1.9 (#37609) 2026-05-21 13:22:16 -05:00
dependabot[bot]
8cead6b77a chore: bump idna from 3.11 to 3.15 in /libs/core (#37539)
Bumps [idna](https://github.com/kjd/idna) from 3.11 to 3.15.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/kjd/idna/blob/master/HISTORY.md">idna's
changelog</a>.</em></p>
<blockquote>
<h2>3.15 (2026-05-12)</h2>
<ul>
<li>Enforce DNS-length cap on individual labels early in
<code>check_label</code>,
short-circuiting contextual-rule processing for oversized input
while staying compatible with UTS 46 usage.</li>
<li>Tidy core helpers: hoist bidi category sets to module-level
frozensets (avoiding per-codepoint list construction), simplify
length checks, and reuse the shared <code>_unicode_dots_re</code> from
<code>idna.core</code> in the codec module.</li>
<li>Use <code>raise ... from err</code> for proper exception chaining
and
switch internal string formatting to f-strings.</li>
<li>Allow <code>flit_core</code> 4.x in the build backend.</li>
<li>Expand the ruff lint set (flake8-bugbear, flake8-simplify,
pyupgrade, perflint) and apply the surfaced fixes; pin lint CI
to Python 3.14.</li>
<li>Add Dependabot configuration for GitHub Actions.</li>
<li>Convert README and HISTORY from reStructuredText to Markdown.</li>
<li>Reference CVE-2026-45409 for the 3.14 advisory in place of the
initial GHSA identifier.</li>
</ul>
<p>Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for
contributions to this release.</p>
<h2>3.14 (2026-05-10)</h2>
<ul>
<li>Removed opportunity to process long inputs into quadratic
time by rejecting oversize inputs up-front. Closes a bypass
of the CVE-2024-3651 mitigation. [CVE-2026-45409]</li>
</ul>
<p>Thanks to Stan Ulbrych for reporting the issue.</p>
<h2>3.13 (2026-04-22)</h2>
<ul>
<li>Correct classification error for codepoint U+A7F1</li>
</ul>
<h2>3.12 (2026-04-21)</h2>
<ul>
<li>Update to Unicode 17.0.0.</li>
<li>Issue a deprecation warning for the transitional argument.</li>
<li>Added lazy-loading to provide some performance improvements.</li>
<li>Removed vestiges of code related to Python 2 support, including
segmentation of data structures specific to Jython.</li>
</ul>
<p>Thanks to Rodrigo Nogueira for contributions to this release.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="af30a092e1"><code>af30a09</code></a>
Release 3.15</li>
<li><a
href="30314d4628"><code>30314d4</code></a>
Pre-release 3.15rc0</li>
<li><a
href="05d4b219aa"><code>05d4b21</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/237">#237</a> from
kjd/convert-docs-to-markdown</li>
<li><a
href="2987fdba19"><code>2987fdb</code></a>
Convert README and HISTORY from reStructuredText to Markdown</li>
<li><a
href="59fa8002d5"><code>59fa800</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/236">#236</a> from
kjd/dependabot/github_actions/actions-f3e34333ea</li>
<li><a
href="def69834ce"><code>def6983</code></a>
Merge branch 'master' into
dependabot/github_actions/actions-f3e34333ea</li>
<li><a
href="bbd8004a79"><code>bbd8004</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/234">#234</a> from
StanFromIreland/patch-1</li>
<li><a
href="edd07c0502"><code>edd07c0</code></a>
Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions
group</li>
<li><a
href="5557db030c"><code>5557db0</code></a>
Merge branch 'master' into patch-1</li>
<li><a
href="f11746cf49"><code>f11746c</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/235">#235</a> from
StanFromIreland/patch-2</li>
<li>Additional commits viewable in <a
href="https://github.com/kjd/idna/compare/v3.11...v3.15">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=idna&package-manager=uv&previous-version=3.11&new-version=3.15)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-19 14:33:58 -05:00
Mason Daugherty
c7daed8c0f hotfix: bump lockfiles (#37508) 2026-05-18 16:18:26 -05:00
dependabot[bot]
ca4823eb7a chore: bump langsmith from 0.7.31 to 0.8.0 in /libs/core (#37395)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from
0.7.31 to 0.8.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's
releases</a>.</em></p>
<blockquote>
<h2>v0.8.0</h2>
<h2>What's Changed</h2>
<ul>
<li>feat(js,py): JS 0.6.0, Py 0.8.0 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2831">langchain-ai/langsmith-sdk#2831</a></li>
<li>release(js): 0.6.0 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2832">langchain-ai/langsmith-sdk#2832</a></li>
<li>release(py): 0.8.0 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2833">langchain-ai/langsmith-sdk#2833</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0</a></p>
<h2>v0.7.38</h2>
<h2>What's Changed</h2>
<ul>
<li>feat(js): add tracing of opencode by <a
href="https://github.com/dqbd"><code>@​dqbd</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2776">langchain-ai/langsmith-sdk#2776</a></li>
<li>chore(js): Remove types/uuid by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2814">langchain-ai/langsmith-sdk#2814</a></li>
<li>docs(sandbox): document default idle TTL of 10 minutes by <a
href="https://github.com/DanielKneipp"><code>@​DanielKneipp</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2788">langchain-ai/langsmith-sdk#2788</a></li>
<li>ci(py): Bump pytest timeout to 2m by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2815">langchain-ai/langsmith-sdk#2815</a></li>
<li>chore(deps-dev): bump the js-minor-and-patch group across 1
directory with 4 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2803">langchain-ai/langsmith-sdk#2803</a></li>
<li>chore(deps): update sphinx-autobuild requirement from &gt;=2024 to
&gt;=2024.10.3 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2809">langchain-ai/langsmith-sdk#2809</a></li>
<li>chore(deps): update myst-nb requirement from &gt;=1.1.1 to
&gt;=1.4.0 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2810">langchain-ai/langsmith-sdk#2810</a></li>
<li>chore(deps-dev): bump types-pyyaml from 6.0.12.20250915 to
6.0.12.20260408 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2812">langchain-ai/langsmith-sdk#2812</a></li>
<li>chore(deps-dev): bump <code>@​langchain/openai</code> from 0.5.18 to
0.6.17 in /js by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2806">langchain-ai/langsmith-sdk#2806</a></li>
<li>chore(deps): bump the py-minor-and-patch group across 1 directory
with 18 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2808">langchain-ai/langsmith-sdk#2808</a></li>
<li>feat(py): Adds strands OTEL exporter by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2817">langchain-ai/langsmith-sdk#2817</a></li>
<li>chore(js): Switch to oxfmt and oxlint by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2819">langchain-ai/langsmith-sdk#2819</a></li>
<li>fix(py): fix RunTree ValidationError when inputs or outputs is a
Pydantic BaseModel by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2820">langchain-ai/langsmith-sdk#2820</a></li>
<li>chore: add apac support by <a
href="https://github.com/joaquin-borggio-lc"><code>@​joaquin-borggio-lc</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2821">langchain-ai/langsmith-sdk#2821</a></li>
<li>fix(js): Pull Claude Agent SDK subagent runs from transcript, add
tool span for subagents, merge message blocks by id by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2816">langchain-ai/langsmith-sdk#2816</a></li>
<li>release(js): 0.5.26 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2824">langchain-ai/langsmith-sdk#2824</a></li>
<li>release(py): 0.7.38 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2825">langchain-ai/langsmith-sdk#2825</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.37...v0.7.38">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.37...v0.7.38</a></p>
<h2>v0.7.37</h2>
<h2>What's Changed</h2>
<ul>
<li>perf(js): Offload serialize to worker thread at flush time by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2781">langchain-ai/langsmith-sdk#2781</a></li>
<li>release(js): 0.5.24 by <a
href="https://github.com/emil-lc"><code>@​emil-lc</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2790">langchain-ai/langsmith-sdk#2790</a></li>
<li>chore(js): Fix perf test flagging by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2792">langchain-ai/langsmith-sdk#2792</a></li>
<li>feat(js,python): Adds hub model config and provider to schemas by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2793">langchain-ai/langsmith-sdk#2793</a></li>
<li>fix(js): minor test improvements by <a
href="https://github.com/christian-bromann"><code>@​christian-bromann</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2429">langchain-ai/langsmith-sdk#2429</a></li>
<li>fix(js): Include auth headers on info requests by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2800">langchain-ai/langsmith-sdk#2800</a></li>
<li>release(js): 0.5.25 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2801">langchain-ai/langsmith-sdk#2801</a></li>
<li>fix(python): flush both tracing_queue and compressed_traces in
flush() by <a
href="https://github.com/angus-langchain"><code>@​angus-langchain</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2796">langchain-ai/langsmith-sdk#2796</a></li>
<li>chore(deps): bump postcss from 8.5.8 to 8.5.10 in
/js/internal/environment_tests/test-exports-vite in the npm_and_yarn
group across 1 directory by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2791">langchain-ai/langsmith-sdk#2791</a></li>
<li>chore(deps-dev): bump google-adk from 1.10.0 to 1.28.1 in /python by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2794">langchain-ai/langsmith-sdk#2794</a></li>
<li>fix(python): flush pending traces during Client.cleanup() by <a
href="https://github.com/angus-langchain"><code>@​angus-langchain</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2799">langchain-ai/langsmith-sdk#2799</a></li>
<li>fix(py): Fix concurrency for multiple Claude Agent SDK sessions by
<a href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in
<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2795">langchain-ai/langsmith-sdk#2795</a></li>
<li>release(py): 0.7.37 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2802">langchain-ai/langsmith-sdk#2802</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.36...v0.7.37">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.36...v0.7.37</a></p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="cf01c873d5"><code>cf01c87</code></a>
release(py): 0.8.0 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2833">#2833</a>)</li>
<li><a
href="fd049c8464"><code>fd049c8</code></a>
release(js): 0.6.0 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2832">#2832</a>)</li>
<li><a
href="092a8866c4"><code>092a886</code></a>
feat(js,py): JS 0.6.0, Py 0.8.0 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2831">#2831</a>)</li>
<li><a
href="ff180c0423"><code>ff180c0</code></a>
release(py): 0.7.38 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2825">#2825</a>)</li>
<li><a
href="d9de3ca801"><code>d9de3ca</code></a>
release(js): 0.5.26 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2824">#2824</a>)</li>
<li><a
href="1428394831"><code>1428394</code></a>
fix(js): Pull Claude Agent SDK subagent runs from transcript, add tool
span f...</li>
<li><a
href="838e957d80"><code>838e957</code></a>
chore: add apac support (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2821">#2821</a>)</li>
<li><a
href="003f22a768"><code>003f22a</code></a>
fix(py): fix RunTree ValidationError when inputs or outputs is a
Pydantic Bas...</li>
<li><a
href="8f5ef27c2d"><code>8f5ef27</code></a>
chore(js): Switch to oxfmt and oxlint (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2819">#2819</a>)</li>
<li><a
href="9873633c9f"><code>9873633</code></a>
feat(py): Adds strands OTEL exporter (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2817">#2817</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.31...v0.8.0">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-15 17:22:32 -07:00
dependabot[bot]
e8ca09d54e chore: bump jupyter-server from 2.17.0 to 2.18.0 in /libs/core (#37354)
Bumps [jupyter-server](https://github.com/jupyter-server/jupyter_server)
from 2.17.0 to 2.18.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jupyter-server/jupyter_server/releases">jupyter-server's
releases</a>.</em></p>
<blockquote>
<h2>v2.18.0</h2>
<h2>2.18.0</h2>
<p>(<a
href="https://github.com/jupyter-server/jupyter_server/compare/v2.17.0...49b34392feaa97735b3b777e3baf8f22f2a14ed8">Full
Changelog</a>)</p>
<h3>Security patches</h3>
<ul>
<li>CVE-2026-40110 <a
href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p</a></li>
<li>CVE-2025-61669 <a
href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w</a></li>
<li>CVE-2026-40934 <a
href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f</a></li>
<li>CVE-2026-35397 <a
href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3</a></li>
</ul>
<h3>API and Breaking Changes</h3>
<ul>
<li>Add query param to sanitize HTML in GET /nbconvert/html <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1618">#1618</a>
(<a href="https://github.com/Yann-P"><code>@​Yann-P</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
</ul>
<h3>Enhancements made</h3>
<ul>
<li>Update handlers.py to fix ioloop blockers(sync file operations) <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1617">#1617</a>
(<a
href="https://github.com/zolyfarkas-fb"><code>@​zolyfarkas-fb</code></a>,
<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Add resolvePath API for resolving kernel-relative paths <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1331">#1331</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
</ul>
<h3>Bugs fixed</h3>
<ul>
<li>Move check origin into a util function and add it to websocket <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1630">#1630</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/Yann-P"><code>@​Yann-P</code></a>)</li>
<li>Fix flaky test_restart_kernel by unsticking nudge() after
port-changing restart <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1628">#1628</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/claude"><code>@​claude</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Try to fix flaky test &quot;test_restart_kernel&quot; <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1625">#1625</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Fix potential unraisable pytest error <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1624">#1624</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>fix: use %s placeholders in HTTPError to prevent Tornado from
doubling % in gateway URLs <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1620">#1620</a>
(<a
href="https://github.com/terminalchai"><code>@​terminalchai</code></a>,
<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/ptch314"><code>@​ptch314</code></a>)</li>
<li>Fix three file descriptor leaks in kernel connection lifecycle (<a
href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1506">#1506</a>)
<a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1619">#1619</a>
(<a href="https://github.com/tonyx93"><code>@​tonyx93</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Use web.HTTPError for kernel restart failures <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1616">#1616</a>
(<a href="https://github.com/YDawn"><code>@​YDawn</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Handle EADDRINUSE and EACCES in _bind_http_server_tcp <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1613">#1613</a>
(<a href="https://github.com/YDawn"><code>@​YDawn</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Use st_birthtime for file created timestamp on macOS/BSD <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1594">#1594</a>
(<a href="https://github.com/ktaletsk"><code>@​ktaletsk</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Fix double write when refusing hidden files in contents handler <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1585">#1585</a>
(<a href="https://github.com/Krish-876"><code>@​Krish-876</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Close all sockets in _find_http_port explicitly <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1584">#1584</a>
(<a
href="https://github.com/MaryushSoroka"><code>@​MaryushSoroka</code></a>,
<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Fix writing on remote file systems with attribute cache <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1574">#1574</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Add IdentityProvider.cookie_secret_hook <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1569">#1569</a>
(<a href="https://github.com/emin63"><code>@​emin63</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>fix context pollution <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1561">#1561</a>
(<a href="https://github.com/dualc"><code>@​dualc</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Fix gateway cookie handling <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1558">#1558</a>
(<a
href="https://github.com/kevin-bates"><code>@​kevin-bates</code></a>, <a
href="https://github.com/RRosio"><code>@​RRosio</code></a>, <a
href="https://github.com/lresende"><code>@​lresende</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>fix connection exception cause high cpu load <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1484">#1484</a>
(<a href="https://github.com/dualc"><code>@​dualc</code></a>, <a
href="https://github.com/lresende"><code>@​lresende</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
</ul>
<h3>Maintenance and upkeep improvements</h3>
<ul>
<li>Start to test on Python 3.13 and 3.14 <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1623">#1623</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Bump actions/create-github-app-token from 2 to 3 in the actions
group across 1 directory <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1621">#1621</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Bump brace-expansion from 1.1.12 to 1.1.13 <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1615">#1615</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Fix package spec for jupytext <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1614">#1614</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>chore: update pre-commit hooks <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1607">#1607</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>try to fix ci on windows <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1600">#1600</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>run prerelease tests on 3.14 <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1599">#1599</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Pin sphinx to an older version (&lt;9) to fix docs <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1597">#1597</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jupyter-server/jupyter_server/blob/main/CHANGELOG.md">jupyter-server's
changelog</a>.</em></p>
<blockquote>
<h2>2.18.0</h2>
<p>(<a
href="https://github.com/jupyter-server/jupyter_server/compare/v2.9.1...49b34392feaa97735b3b777e3baf8f22f2a14ed8">Full
Changelog</a>)</p>
<h3>API and Breaking Changes</h3>
<ul>
<li>Add query param to sanitize HTML in GET /nbconvert/html <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1618">#1618</a>
(<a href="https://github.com/Yann-P"><code>@​Yann-P</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
</ul>
<h3>Enhancements made</h3>
<ul>
<li>Update handlers.py to fix ioloop blockers(sync file operations) <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1617">#1617</a>
(<a
href="https://github.com/zolyfarkas-fb"><code>@​zolyfarkas-fb</code></a>,
<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Avoid redundant call to <code>_get_os_path</code> in
<code>_dir_model</code> <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1547">#1547</a>
(<a href="https://github.com/joeyutong"><code>@​joeyutong</code></a>, <a
href="https://github.com/vidartf"><code>@​vidartf</code></a>)</li>
<li>Allow specifying extra params to scrub from logs <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1538">#1538</a>
(<a href="https://github.com/jtpio"><code>@​jtpio</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/vidartf"><code>@​vidartf</code></a>)</li>
<li>Add a logger to the ExtensionPoint API <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1523">#1523</a>
(<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/vidartf"><code>@​vidartf</code></a>)</li>
<li>Allow user to update identity values <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1518">#1518</a>
(<a href="https://github.com/brichet"><code>@​brichet</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>If ServerApp.ip is ipv6 use [::1] as local_url <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1495">#1495</a>
(<a href="https://github.com/manics"><code>@​manics</code></a>, <a
href="https://github.com/afshin"><code>@​afshin</code></a>)</li>
<li>Better error message when starting kernel for session. <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1478">#1478</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/davidbrochart"><code>@​davidbrochart</code></a>,
<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Add a traitlet to disable recording HTTP request metrics <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1472">#1472</a>
(<a href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>prometheus: Expose 3 activity metrics <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1471">#1471</a>
(<a href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Add prometheus info metrics listing server extensions + versions <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1470">#1470</a>
(<a href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Add prometheus metric with version information <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1467">#1467</a>
(<a href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Don't hide .so,.dylib files by default <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1457">#1457</a>
(<a href="https://github.com/nokados"><code>@​nokados</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>, <a
href="https://github.com/vidartf"><code>@​vidartf</code></a>)</li>
<li>Better hash format error message <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1442">#1442</a>
(<a href="https://github.com/fcollonval"><code>@​fcollonval</code></a>,
<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Removing excessive logging from reading local files <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1420">#1420</a>
(<a href="https://github.com/lresende"><code>@​lresende</code></a>, <a
href="https://github.com/kevin-bates"><code>@​kevin-bates</code></a>)</li>
<li>Add async start hook to ExtensionApp API <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1417">#1417</a>
(<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/Darshan808"><code>@​Darshan808</code></a>, <a
href="https://github.com/bollwyvl"><code>@​bollwyvl</code></a>, <a
href="https://github.com/fcollonval"><code>@​fcollonval</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Do not include token in dashboard link, when available <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1406">#1406</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
<li>Add an option to have authentication enabled for all endpoints by
default <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1392">#1392</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Wh1isper"><code>@​Wh1isper</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>, <a
href="https://github.com/bollwyvl"><code>@​bollwyvl</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>, <a
href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>)</li>
<li>websockets: add configurations for ping interval and timeout <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1391">#1391</a>
(<a
href="https://github.com/oliver-sanders"><code>@​oliver-sanders</code></a>,
<a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
<li>log extension import time at debug level unless it's actually slow
<a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1375">#1375</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>)</li>
<li>Add support for async Authorizers (part 2) <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1374">#1374</a>
(<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
<li>Support async Authorizers <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1373">#1373</a>
(<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
<li>Support get file(notebook) md5 <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1363">#1363</a>
(<a href="https://github.com/Wh1isper"><code>@​Wh1isper</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>, <a
href="https://github.com/bollwyvl"><code>@​bollwyvl</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Update kernel env to reflect changes in session <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1354">#1354</a>
(<a href="https://github.com/blink1073"><code>@​blink1073</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Add resolvePath API for resolving kernel-relative paths <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1331">#1331</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
</ul>
<h3>Bugs fixed</h3>
<ul>
<li>Move check origin into a util function and add it to websocket <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1630">#1630</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/Yann-P"><code>@​Yann-P</code></a>)</li>
<li>Fix flaky test_restart_kernel by unsticking nudge() after
port-changing restart <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1628">#1628</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/claude"><code>@​claude</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Try to fix flaky test &quot;test_restart_kernel&quot; <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1625">#1625</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Fix potential unraisable pytest error <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1624">#1624</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>fix: use %s placeholders in HTTPError to prevent Tornado from
doubling % in gateway URLs <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1620">#1620</a>
(<a
href="https://github.com/terminalchai"><code>@​terminalchai</code></a>,
<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/ptch314"><code>@​ptch314</code></a>)</li>
<li>Fix three file descriptor leaks in kernel connection lifecycle (<a
href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1506">#1506</a>)
<a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1619">#1619</a>
(<a href="https://github.com/tonyx93"><code>@​tonyx93</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Use web.HTTPError for kernel restart failures <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1616">#1616</a>
(<a href="https://github.com/YDawn"><code>@​YDawn</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Handle EADDRINUSE and EACCES in _bind_http_server_tcp <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1613">#1613</a>
(<a href="https://github.com/YDawn"><code>@​YDawn</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Use st_birthtime for file created timestamp on macOS/BSD <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1594">#1594</a>
(<a href="https://github.com/ktaletsk"><code>@​ktaletsk</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Fix double write when refusing hidden files in contents handler <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1585">#1585</a>
(<a href="https://github.com/Krish-876"><code>@​Krish-876</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Close all sockets in _find_http_port explicitly <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1584">#1584</a>
(<a
href="https://github.com/MaryushSoroka"><code>@​MaryushSoroka</code></a>,
<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Fix writing on remote file systems with attribute cache <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1574">#1574</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Add IdentityProvider.cookie_secret_hook <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1569">#1569</a>
(<a href="https://github.com/emin63"><code>@​emin63</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0ceed45a80"><code>0ceed45</code></a>
Publish 2.18.0</li>
<li><a
href="49b34392fe"><code>49b3439</code></a>
Move check origin into a util function and add it to websocket (<a
href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1630">#1630</a>)</li>
<li><a
href="e2e08c845d"><code>e2e08c8</code></a>
Add test case for bad next URL format</li>
<li><a
href="624d6c0daf"><code>624d6c0</code></a>
Delete outdated patch code</li>
<li><a
href="d825b93d9c"><code>d825b93</code></a>
Apply suggestion from <a
href="https://github.com/minrk"><code>@​minrk</code></a></li>
<li><a
href="789fed081a"><code>789fed0</code></a>
patch open redirect in /login</li>
<li><a
href="2ee51eccf3"><code>2ee51ec</code></a>
fix(CVE-2026-35397): path traversal when target dir starts with root
dir</li>
<li><a
href="057869a327"><code>057869a</code></a>
Fix allow_origin_pat to do full matching instead of prefix matching</li>
<li><a
href="4862199a0f"><code>4862199</code></a>
Add resolvePath API for resolving kernel-relative paths</li>
<li><a
href="e31d51406d"><code>e31d514</code></a>
Bump actions/create-github-app-token from 2 to 3 in the actions group
across ...</li>
<li>Additional commits viewable in <a
href="https://github.com/jupyter-server/jupyter_server/compare/v2.17.0...v2.18.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=jupyter-server&package-manager=uv&previous-version=2.17.0&new-version=2.18.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-11 14:48:54 -07:00
dependabot[bot]
9b6af7fad8 chore: bump mistune from 3.1.4 to 3.2.1 in /libs/core (#37353)
Bumps [mistune](https://github.com/lepture/mistune) from 3.1.4 to 3.2.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lepture/mistune/releases">mistune's
releases</a>.</em></p>
<blockquote>
<h2>v3.2.1</h2>
<h3>   🐞 Bug Fixes</h3>
<ul>
<li>Resolve Windows compatibility issues in file inclusion and tests  - 
by <a href="https://github.com/Yuki9814"><code>@​Yuki9814</code></a> <a
href="https://github.com/lepture/mistune/commit/2547102"><!-- raw HTML
omitted -->(25471)<!-- raw HTML omitted --></a></li>
<li>Escape html text  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/a3cb6e5"><!-- raw HTML
omitted -->(a3cb6)<!-- raw HTML omitted --></a></li>
<li>Update link reference  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/85eb54f"><!-- raw HTML
omitted -->(85eb5)<!-- raw HTML omitted --></a></li>
<li>Handle escaped dollar signs in inline math  -  by <a
href="https://github.com/saschabuehrle"><code>@​saschabuehrle</code></a>
in <a
href="https://redirect.github.com/lepture/mistune/issues/370">lepture/mistune#370</a>
<a href="https://github.com/lepture/mistune/commit/7bd5709"><!-- raw
HTML omitted -->(7bd57)<!-- raw HTML omitted --></a></li>
<li>Escape id of toc  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/04880a0"><!-- raw HTML
omitted -->(04880)<!-- raw HTML omitted --></a></li>
<li>Escape id of headings  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/2855622"><!-- raw HTML
omitted -->(28556)<!-- raw HTML omitted --></a></li>
<li>Remove double-encoding of image alt text  -  by <a
href="https://github.com/lawrence3699"><code>@​lawrence3699</code></a>
<a href="https://github.com/lepture/mistune/commit/0d6f3d8"><!-- raw
HTML omitted -->(0d6f3)<!-- raw HTML omitted --></a></li>
<li>Escape xml for math plugin  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/5fa092e"><!-- raw HTML
omitted -->(5fa09)<!-- raw HTML omitted --></a></li>
<li>Use strict regex for image's height and width  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/8d0cb75"><!-- raw HTML
omitted -->(8d0cb)<!-- raw HTML omitted --></a></li>
</ul>
<h5>    <a
href="https://github.com/lepture/mistune/compare/v3.2.0...v3.2.1">View
changes on GitHub</a></h5>
<h2>v3.2.0</h2>
<h3>   🚀 Features</h3>
<ul>
<li>Support footnotes that start on the next line.  -  by <a
href="https://github.com/kylechui"><code>@​kylechui</code></a> <a
href="https://github.com/lepture/mistune/commit/2677e2d"><!-- raw HTML
omitted -->(2677e)<!-- raw HTML omitted --></a></li>
<li>Properly handle code blocks inside footnotes.  -  by <a
href="https://github.com/kylechui"><code>@​kylechui</code></a> <a
href="https://github.com/lepture/mistune/commit/0516c9e"><!-- raw HTML
omitted -->(0516c)<!-- raw HTML omitted --></a></li>
<li>Support python 3.14  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/7e0eb65"><!-- raw HTML
omitted -->(7e0eb)<!-- raw HTML omitted --></a></li>
</ul>
<h3>   🐞 Bug Fixes</h3>
<ul>
<li>Render ref links and footnotes in footnotes.  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/bd90e44"><!-- raw HTML
omitted -->(bd90e)<!-- raw HTML omitted --></a></li>
<li>Render ref links in TOC.  -  by <a
href="https://github.com/lemon24"><code>@​lemon24</code></a> <a
href="https://github.com/lepture/mistune/commit/a0a0148"><!-- raw HTML
omitted -->(a0a01)<!-- raw HTML omitted --></a></li>
<li>Update typing for mypy upgrades  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/8d49cba"><!-- raw HTML
omitted -->(8d49c)<!-- raw HTML omitted --></a></li>
<li>Render correct html for footnotes  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/9b62204"><!-- raw HTML
omitted -->(9b622)<!-- raw HTML omitted --></a></li>
</ul>
<h5>    <a
href="https://github.com/lepture/mistune/compare/v3.1.4...v3.2.0">View
changes on GitHub</a></h5>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/lepture/mistune/blob/main/docs/changes.rst">mistune's
changelog</a>.</em></p>
<blockquote>
<h2>Version 3.2.1</h2>
<p><strong>Released on May 3, 2026</strong></p>
<ul>
<li>Escape link in <code>render_toc_ul</code>.</li>
<li>Escape text in math plugin.</li>
<li>Fix regex for math plugin.</li>
<li>Escape heading's ID attribute.</li>
<li>Fix <code>LINK_TITLE_RE</code> to prevent DoS.</li>
<li>Escape class attribute for admonition directive.</li>
<li>Remove double-encoding of image alt text.</li>
<li>Escape class attribute for image directive.</li>
<li>Fix width/height attribute for image directive.</li>
</ul>
<h2>Version 3.2.0</h2>
<p><strong>Released on Dec 23, 2025</strong></p>
<ul>
<li>Announce supports for python 3.14</li>
<li>Fix footnotes plugins for code blocks, ref links, blockquote and
etc.</li>
<li>Fix ref links in TOC.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="067f908610"><code>067f908</code></a>
chore: release 3.2.1</li>
<li><a
href="bf5503067a"><code>bf55030</code></a>
Merge pull request <a
href="https://redirect.github.com/lepture/mistune/issues/438">#438</a>
from saschabuehrle/fix/issue-370</li>
<li><a
href="8d0cb7539a"><code>8d0cb75</code></a>
fix: use strict regex for image's height and width</li>
<li><a
href="5fa092e305"><code>5fa092e</code></a>
fix: escape xml for math plugin</li>
<li><a
href="71ec9477eb"><code>71ec947</code></a>
Merge pull request <a
href="https://redirect.github.com/lepture/mistune/issues/440">#440</a>
from lawrence3699/fix/image-alt-double-encoding</li>
<li><a
href="0d6f3d8502"><code>0d6f3d8</code></a>
fix: remove double-encoding of image alt text</li>
<li><a
href="2855622d7f"><code>2855622</code></a>
fix: escape id of headings</li>
<li><a
href="04880a004c"><code>04880a0</code></a>
fix: escape id of toc</li>
<li><a
href="7bd5709671"><code>7bd5709</code></a>
fix: handle escaped dollar signs in inline math (fixes <a
href="https://redirect.github.com/lepture/mistune/issues/370">#370</a>)</li>
<li><a
href="85eb54ff17"><code>85eb54f</code></a>
fix: update link reference</li>
<li>Additional commits viewable in <a
href="https://github.com/lepture/mistune/compare/v3.1.4...v3.2.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=mistune&package-manager=uv&previous-version=3.1.4&new-version=3.2.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-11 14:48:48 -07:00
Nick Hollon
da380bccf8 chore(infra): merge v1.4 into master (#37350) 2026-05-11 11:39:25 -07:00
dependabot[bot]
2086b91c78 chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/core (#37329)
[//]: # (dependabot-start)
⚠️  **Dependabot is rebasing this PR** ⚠️ 

Rebasing might not happen immediately, so don't worry if this takes some
time.

Note: if you make any changes to this PR yourself, they will take
precedence over the rebase.

---

[//]: # (dependabot-end)

Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/urllib3/urllib3/releases">urllib3's
releases</a>.</em></p>
<blockquote>
<h2>2.7.0</h2>
<h2>🚀 urllib3 is fundraising for HTTP/2 support</h2>
<p><a
href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3
is raising ~$40,000 USD</a> to release HTTP/2 support and ensure
long-term sustainable maintenance of the project after a sharp decline
in financial support. If your company or organization uses Python and
would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and
thousands of other projects <a
href="https://opencollective.com/urllib3">please consider contributing
financially</a> to ensure HTTP/2 support is developed sustainably and
maintained for the long-haul.</p>
<p>Thank you for your support.</p>
<h2>Security</h2>
<p>Addressed high-severity security issues. Impact was limited to
specific use cases detailed in the accompanying advisories; overall user
exposure was estimated to be marginal.</p>
<ul>
<li>
<p>Decompression-bomb safeguards of the streaming API were bypassed:</p>
<ol>
<li>When <code>HTTPResponse.drain_conn()</code> was called after the
response had been read and decompressed partially. (Reported by <a
href="https://github.com/Cycloctane"><code>@​Cycloctane</code></a>)</li>
<li>During the second <code>HTTPResponse.read(amt=N)</code> or
<code>HTTPResponse.stream(amt=N)</code> call when the response was
decompressed using the official <a
href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by
<a
href="https://github.com/kimkou2024"><code>@​kimkou2024</code></a>)</li>
</ol>
<p>See GHSA-mf9v-mfxr-j63j for details.</p>
</li>
<li>
<p>HTTP pools created using
<code>ProxyManager.connection_from_url</code> did not strip sensitive
headers specified in <code>Retry.remove_headers_on_redirect</code> when
redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a
href="https://github.com/christos-spearbit"><code>@​christos-spearbit</code></a>)</p>
</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Used <code>FutureWarning</code> instead of
<code>DeprecationWarning</code> for better visibility of existing
deprecation notices. Rescheduled the removal of deprecated features to
version 3.0. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li>
<li>Removed support for end-of-life Python 3.9. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li>
<li>Removed support for end-of-life PyPy3.10. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li>
<li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was
ignoring decompressed data buffered from previous partial reads. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li>
<li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only
part of the response after a partial read when
<code>cache_content=True</code>. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li>
<li>Fixed <code>HTTPResponse.stream()</code> and
<code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>.
(<a
href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li>
<li>Updated <code>_TYPE_BODY</code> type alias to include missing
<code>Iterable[str]</code>, matching the documented and runtime behavior
of chunked request bodies. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li>
<li>Fixed <code>LocationParseError</code> when paths resembling
schemeless URIs were passed to
<code>HTTPConnectionPool.urlopen()</code>. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li>
<li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to
accept <code>memoryview</code> in addition to <code>bytearray</code>,
matching the <code>io.RawIOBase.readinto</code> contract and enabling
use with <code>io.BufferedReader</code> without type errors. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's
changelog</a>.</em></p>
<blockquote>
<h1>2.7.0 (2026-05-07)</h1>
<h2>Security</h2>
<p>Addressed high-severity security issues.
Impact was limited to specific use cases detailed in the accompanying
advisories; overall user exposure was estimated to be marginal.</p>
<ul>
<li>
<p>Decompression-bomb safeguards of the streaming API were bypassed:</p>
<ol>
<li>When <code>HTTPResponse.drain_conn()</code> was called after the
response had been
read and decompressed partially.</li>
<li>During the second <code>HTTPResponse.read(amt=N)</code> or
<code>HTTPResponse.stream(amt=N)</code> call when the response was
decompressed
using the official <code>Brotli
&lt;https://pypi.org/project/brotli/&gt;</code>__ library.</li>
</ol>
<p>See <code>GHSA-mf9v-mfxr-j63j
&lt;https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j&gt;</code>__
for details.</p>
</li>
<li>
<p>HTTP pools created using
<code>ProxyManager.connection_from_url</code> did not strip
sensitive headers specified in
<code>Retry.remove_headers_on_redirect</code> when
redirecting to a different host.
(<code>GHSA-qccp-gfcp-xxvc
&lt;https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc&gt;</code>__)</p>
</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Used <code>FutureWarning</code> instead of
<code>DeprecationWarning</code> for better
visibility of existing deprecation notices. Rescheduled the removal of
deprecated features to version 3.0.
(<code>[#3763](https://github.com/urllib3/urllib3/issues/3763)
&lt;https://github.com/urllib3/urllib3/issues/3763&gt;</code>__)</li>
<li>Removed support for end-of-life Python 3.9.
(<code>[#3720](https://github.com/urllib3/urllib3/issues/3720)
&lt;https://github.com/urllib3/urllib3/issues/3720&gt;</code>__)</li>
<li>Removed support for end-of-life PyPy3.10.
(<code>[#4979](https://github.com/urllib3/urllib3/issues/4979)
&lt;https://github.com/urllib3/urllib3/issues/4979&gt;</code>__)</li>
<li>Bumped the minimum supported pyOpenSSL version to 19.0.0.
(<code>[#3777](https://github.com/urllib3/urllib3/issues/3777)
&lt;https://github.com/urllib3/urllib3/issues/3777&gt;</code>__)</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was
ignoring decompressed
data buffered from previous partial reads.
(<code>[#3636](https://github.com/urllib3/urllib3/issues/3636)
&lt;https://github.com/urllib3/urllib3/issues/3636&gt;</code>__)</li>
<li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only
part of the
response after a partial read when <code>cache_content=True</code>.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="9a950b92d9"><code>9a950b9</code></a>
Release 2.7.0</li>
<li><a
href="5ec0de499b"><code>5ec0de4</code></a>
Merge commit from fork</li>
<li><a
href="2bdcc44d1e"><code>2bdcc44</code></a>
Merge commit from fork</li>
<li><a
href="f45b0df09d"><code>f45b0df</code></a>
Fix a misleading example for <code>ProxyManager</code> (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li>
<li><a
href="577193ca02"><code>577193c</code></a>
Switch to nightly PyPy3.11 in CI for now (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li>
<li><a
href="e90af45bb0"><code>e90af45</code></a>
Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when
<code>amt=0</code> (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li>
<li><a
href="67ed74fdae"><code>67ed74f</code></a>
Bump dev dependencies (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li>
<li><a
href="3abd481097"><code>3abd481</code></a>
Upgrade mypy to version 1.20.2 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li>
<li><a
href="2b8725dfca"><code>2b8725d</code></a>
Drop support for EOL PyPy3.10 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li>
<li><a
href="2944b2a0a6"><code>2944b2a</code></a>
Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix
warnings (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=uv&previous-version=2.6.3&new-version=2.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-11 11:19:44 -07:00
dependabot[bot]
1662347879 chore: bump mistune from 3.1.4 to 3.2.1 in /libs/core (#37237)
Bumps [mistune](https://github.com/lepture/mistune) from 3.1.4 to 3.2.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lepture/mistune/releases">mistune's
releases</a>.</em></p>
<blockquote>
<h2>v3.2.1</h2>
<h3>   🐞 Bug Fixes</h3>
<ul>
<li>Resolve Windows compatibility issues in file inclusion and tests  - 
by <a href="https://github.com/Yuki9814"><code>@​Yuki9814</code></a> <a
href="https://github.com/lepture/mistune/commit/2547102"><!-- raw HTML
omitted -->(25471)<!-- raw HTML omitted --></a></li>
<li>Escape html text  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/a3cb6e5"><!-- raw HTML
omitted -->(a3cb6)<!-- raw HTML omitted --></a></li>
<li>Update link reference  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/85eb54f"><!-- raw HTML
omitted -->(85eb5)<!-- raw HTML omitted --></a></li>
<li>Handle escaped dollar signs in inline math  -  by <a
href="https://github.com/saschabuehrle"><code>@​saschabuehrle</code></a>
in <a
href="https://redirect.github.com/lepture/mistune/issues/370">lepture/mistune#370</a>
<a href="https://github.com/lepture/mistune/commit/7bd5709"><!-- raw
HTML omitted -->(7bd57)<!-- raw HTML omitted --></a></li>
<li>Escape id of toc  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/04880a0"><!-- raw HTML
omitted -->(04880)<!-- raw HTML omitted --></a></li>
<li>Escape id of headings  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/2855622"><!-- raw HTML
omitted -->(28556)<!-- raw HTML omitted --></a></li>
<li>Remove double-encoding of image alt text  -  by <a
href="https://github.com/lawrence3699"><code>@​lawrence3699</code></a>
<a href="https://github.com/lepture/mistune/commit/0d6f3d8"><!-- raw
HTML omitted -->(0d6f3)<!-- raw HTML omitted --></a></li>
<li>Escape xml for math plugin  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/5fa092e"><!-- raw HTML
omitted -->(5fa09)<!-- raw HTML omitted --></a></li>
<li>Use strict regex for image's height and width  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/8d0cb75"><!-- raw HTML
omitted -->(8d0cb)<!-- raw HTML omitted --></a></li>
</ul>
<h5>    <a
href="https://github.com/lepture/mistune/compare/v3.2.0...v3.2.1">View
changes on GitHub</a></h5>
<h2>v3.2.0</h2>
<h3>   🚀 Features</h3>
<ul>
<li>Support footnotes that start on the next line.  -  by <a
href="https://github.com/kylechui"><code>@​kylechui</code></a> <a
href="https://github.com/lepture/mistune/commit/2677e2d"><!-- raw HTML
omitted -->(2677e)<!-- raw HTML omitted --></a></li>
<li>Properly handle code blocks inside footnotes.  -  by <a
href="https://github.com/kylechui"><code>@​kylechui</code></a> <a
href="https://github.com/lepture/mistune/commit/0516c9e"><!-- raw HTML
omitted -->(0516c)<!-- raw HTML omitted --></a></li>
<li>Support python 3.14  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/7e0eb65"><!-- raw HTML
omitted -->(7e0eb)<!-- raw HTML omitted --></a></li>
</ul>
<h3>   🐞 Bug Fixes</h3>
<ul>
<li>Render ref links and footnotes in footnotes.  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/bd90e44"><!-- raw HTML
omitted -->(bd90e)<!-- raw HTML omitted --></a></li>
<li>Render ref links in TOC.  -  by <a
href="https://github.com/lemon24"><code>@​lemon24</code></a> <a
href="https://github.com/lepture/mistune/commit/a0a0148"><!-- raw HTML
omitted -->(a0a01)<!-- raw HTML omitted --></a></li>
<li>Update typing for mypy upgrades  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/8d49cba"><!-- raw HTML
omitted -->(8d49c)<!-- raw HTML omitted --></a></li>
<li>Render correct html for footnotes  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/9b62204"><!-- raw HTML
omitted -->(9b622)<!-- raw HTML omitted --></a></li>
</ul>
<h5>    <a
href="https://github.com/lepture/mistune/compare/v3.1.4...v3.2.0">View
changes on GitHub</a></h5>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/lepture/mistune/blob/main/docs/changes.rst">mistune's
changelog</a>.</em></p>
<blockquote>
<h2>Version 3.2.1</h2>
<p><strong>Released on May 3, 2026</strong></p>
<ul>
<li>Escape link in <code>render_toc_ul</code>.</li>
<li>Escape text in math plugin.</li>
<li>Fix regex for math plugin.</li>
<li>Escape heading's ID attribute.</li>
<li>Fix <code>LINK_TITLE_RE</code> to prevent DoS.</li>
<li>Escape class attribute for admonition directive.</li>
<li>Remove double-encoding of image alt text.</li>
<li>Escape class attribute for image directive.</li>
<li>Fix width/height attribute for image directive.</li>
</ul>
<h2>Version 3.2.0</h2>
<p><strong>Released on Dec 23, 2025</strong></p>
<ul>
<li>Announce supports for python 3.14</li>
<li>Fix footnotes plugins for code blocks, ref links, blockquote and
etc.</li>
<li>Fix ref links in TOC.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="067f908610"><code>067f908</code></a>
chore: release 3.2.1</li>
<li><a
href="bf5503067a"><code>bf55030</code></a>
Merge pull request <a
href="https://redirect.github.com/lepture/mistune/issues/438">#438</a>
from saschabuehrle/fix/issue-370</li>
<li><a
href="8d0cb7539a"><code>8d0cb75</code></a>
fix: use strict regex for image's height and width</li>
<li><a
href="5fa092e305"><code>5fa092e</code></a>
fix: escape xml for math plugin</li>
<li><a
href="71ec9477eb"><code>71ec947</code></a>
Merge pull request <a
href="https://redirect.github.com/lepture/mistune/issues/440">#440</a>
from lawrence3699/fix/image-alt-double-encoding</li>
<li><a
href="0d6f3d8502"><code>0d6f3d8</code></a>
fix: remove double-encoding of image alt text</li>
<li><a
href="2855622d7f"><code>2855622</code></a>
fix: escape id of headings</li>
<li><a
href="04880a004c"><code>04880a0</code></a>
fix: escape id of toc</li>
<li><a
href="7bd5709671"><code>7bd5709</code></a>
fix: handle escaped dollar signs in inline math (fixes <a
href="https://redirect.github.com/lepture/mistune/issues/370">#370</a>)</li>
<li><a
href="85eb54ff17"><code>85eb54f</code></a>
fix: update link reference</li>
<li>Additional commits viewable in <a
href="https://github.com/lepture/mistune/compare/v3.1.4...v3.2.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=mistune&package-manager=uv&previous-version=3.1.4&new-version=3.2.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-07 13:07:44 -04:00
dependabot[bot]
2ca920cf82 chore: bump jupyter-server from 2.17.0 to 2.18.0 in /libs/core (#37204)
Bumps [jupyter-server](https://github.com/jupyter-server/jupyter_server)
from 2.17.0 to 2.18.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jupyter-server/jupyter_server/releases">jupyter-server's
releases</a>.</em></p>
<blockquote>
<h2>v2.18.0</h2>
<h2>2.18.0</h2>
<p>(<a
href="https://github.com/jupyter-server/jupyter_server/compare/v2.17.0...49b34392feaa97735b3b777e3baf8f22f2a14ed8">Full
Changelog</a>)</p>
<h3>Security patches</h3>
<ul>
<li>CVE-2026-40110 <a
href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p</a></li>
<li>CVE-2025-61669 <a
href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w</a></li>
<li>CVE-2026-40934 <a
href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f</a></li>
<li>CVE-2026-35397 <a
href="https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3">https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3</a></li>
</ul>
<h3>API and Breaking Changes</h3>
<ul>
<li>Add query param to sanitize HTML in GET /nbconvert/html <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1618">#1618</a>
(<a href="https://github.com/Yann-P"><code>@​Yann-P</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
</ul>
<h3>Enhancements made</h3>
<ul>
<li>Update handlers.py to fix ioloop blockers(sync file operations) <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1617">#1617</a>
(<a
href="https://github.com/zolyfarkas-fb"><code>@​zolyfarkas-fb</code></a>,
<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Add resolvePath API for resolving kernel-relative paths <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1331">#1331</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
</ul>
<h3>Bugs fixed</h3>
<ul>
<li>Move check origin into a util function and add it to websocket <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1630">#1630</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/Yann-P"><code>@​Yann-P</code></a>)</li>
<li>Fix flaky test_restart_kernel by unsticking nudge() after
port-changing restart <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1628">#1628</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/claude"><code>@​claude</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Try to fix flaky test &quot;test_restart_kernel&quot; <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1625">#1625</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Fix potential unraisable pytest error <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1624">#1624</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>fix: use %s placeholders in HTTPError to prevent Tornado from
doubling % in gateway URLs <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1620">#1620</a>
(<a
href="https://github.com/terminalchai"><code>@​terminalchai</code></a>,
<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/ptch314"><code>@​ptch314</code></a>)</li>
<li>Fix three file descriptor leaks in kernel connection lifecycle (<a
href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1506">#1506</a>)
<a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1619">#1619</a>
(<a href="https://github.com/tonyx93"><code>@​tonyx93</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Use web.HTTPError for kernel restart failures <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1616">#1616</a>
(<a href="https://github.com/YDawn"><code>@​YDawn</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Handle EADDRINUSE and EACCES in _bind_http_server_tcp <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1613">#1613</a>
(<a href="https://github.com/YDawn"><code>@​YDawn</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Use st_birthtime for file created timestamp on macOS/BSD <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1594">#1594</a>
(<a href="https://github.com/ktaletsk"><code>@​ktaletsk</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Fix double write when refusing hidden files in contents handler <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1585">#1585</a>
(<a href="https://github.com/Krish-876"><code>@​Krish-876</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Close all sockets in _find_http_port explicitly <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1584">#1584</a>
(<a
href="https://github.com/MaryushSoroka"><code>@​MaryushSoroka</code></a>,
<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Fix writing on remote file systems with attribute cache <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1574">#1574</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Add IdentityProvider.cookie_secret_hook <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1569">#1569</a>
(<a href="https://github.com/emin63"><code>@​emin63</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>fix context pollution <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1561">#1561</a>
(<a href="https://github.com/dualc"><code>@​dualc</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Fix gateway cookie handling <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1558">#1558</a>
(<a
href="https://github.com/kevin-bates"><code>@​kevin-bates</code></a>, <a
href="https://github.com/RRosio"><code>@​RRosio</code></a>, <a
href="https://github.com/lresende"><code>@​lresende</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>fix connection exception cause high cpu load <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1484">#1484</a>
(<a href="https://github.com/dualc"><code>@​dualc</code></a>, <a
href="https://github.com/lresende"><code>@​lresende</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
</ul>
<h3>Maintenance and upkeep improvements</h3>
<ul>
<li>Start to test on Python 3.13 and 3.14 <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1623">#1623</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Bump actions/create-github-app-token from 2 to 3 in the actions
group across 1 directory <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1621">#1621</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Bump brace-expansion from 1.1.12 to 1.1.13 <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1615">#1615</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Fix package spec for jupytext <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1614">#1614</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>chore: update pre-commit hooks <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1607">#1607</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>try to fix ci on windows <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1600">#1600</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>run prerelease tests on 3.14 <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1599">#1599</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Pin sphinx to an older version (&lt;9) to fix docs <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1597">#1597</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jupyter-server/jupyter_server/blob/main/CHANGELOG.md">jupyter-server's
changelog</a>.</em></p>
<blockquote>
<h2>2.18.0</h2>
<p>(<a
href="https://github.com/jupyter-server/jupyter_server/compare/v2.9.1...49b34392feaa97735b3b777e3baf8f22f2a14ed8">Full
Changelog</a>)</p>
<h3>API and Breaking Changes</h3>
<ul>
<li>Add query param to sanitize HTML in GET /nbconvert/html <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1618">#1618</a>
(<a href="https://github.com/Yann-P"><code>@​Yann-P</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
</ul>
<h3>Enhancements made</h3>
<ul>
<li>Update handlers.py to fix ioloop blockers(sync file operations) <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1617">#1617</a>
(<a
href="https://github.com/zolyfarkas-fb"><code>@​zolyfarkas-fb</code></a>,
<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Avoid redundant call to <code>_get_os_path</code> in
<code>_dir_model</code> <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1547">#1547</a>
(<a href="https://github.com/joeyutong"><code>@​joeyutong</code></a>, <a
href="https://github.com/vidartf"><code>@​vidartf</code></a>)</li>
<li>Allow specifying extra params to scrub from logs <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1538">#1538</a>
(<a href="https://github.com/jtpio"><code>@​jtpio</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/vidartf"><code>@​vidartf</code></a>)</li>
<li>Add a logger to the ExtensionPoint API <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1523">#1523</a>
(<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/vidartf"><code>@​vidartf</code></a>)</li>
<li>Allow user to update identity values <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1518">#1518</a>
(<a href="https://github.com/brichet"><code>@​brichet</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>If ServerApp.ip is ipv6 use [::1] as local_url <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1495">#1495</a>
(<a href="https://github.com/manics"><code>@​manics</code></a>, <a
href="https://github.com/afshin"><code>@​afshin</code></a>)</li>
<li>Better error message when starting kernel for session. <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1478">#1478</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/davidbrochart"><code>@​davidbrochart</code></a>,
<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Add a traitlet to disable recording HTTP request metrics <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1472">#1472</a>
(<a href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>prometheus: Expose 3 activity metrics <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1471">#1471</a>
(<a href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Add prometheus info metrics listing server extensions + versions <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1470">#1470</a>
(<a href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Add prometheus metric with version information <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1467">#1467</a>
(<a href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Don't hide .so,.dylib files by default <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1457">#1457</a>
(<a href="https://github.com/nokados"><code>@​nokados</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>, <a
href="https://github.com/vidartf"><code>@​vidartf</code></a>)</li>
<li>Better hash format error message <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1442">#1442</a>
(<a href="https://github.com/fcollonval"><code>@​fcollonval</code></a>,
<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Removing excessive logging from reading local files <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1420">#1420</a>
(<a href="https://github.com/lresende"><code>@​lresende</code></a>, <a
href="https://github.com/kevin-bates"><code>@​kevin-bates</code></a>)</li>
<li>Add async start hook to ExtensionApp API <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1417">#1417</a>
(<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/Darshan808"><code>@​Darshan808</code></a>, <a
href="https://github.com/bollwyvl"><code>@​bollwyvl</code></a>, <a
href="https://github.com/fcollonval"><code>@​fcollonval</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Do not include token in dashboard link, when available <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1406">#1406</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
<li>Add an option to have authentication enabled for all endpoints by
default <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1392">#1392</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Wh1isper"><code>@​Wh1isper</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>, <a
href="https://github.com/bollwyvl"><code>@​bollwyvl</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>, <a
href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>)</li>
<li>websockets: add configurations for ping interval and timeout <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1391">#1391</a>
(<a
href="https://github.com/oliver-sanders"><code>@​oliver-sanders</code></a>,
<a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
<li>log extension import time at debug level unless it's actually slow
<a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1375">#1375</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/yuvipanda"><code>@​yuvipanda</code></a>)</li>
<li>Add support for async Authorizers (part 2) <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1374">#1374</a>
(<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
<li>Support async Authorizers <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1373">#1373</a>
(<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
<li>Support get file(notebook) md5 <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1363">#1363</a>
(<a href="https://github.com/Wh1isper"><code>@​Wh1isper</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>, <a
href="https://github.com/bollwyvl"><code>@​bollwyvl</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Update kernel env to reflect changes in session <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1354">#1354</a>
(<a href="https://github.com/blink1073"><code>@​blink1073</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Add resolvePath API for resolving kernel-relative paths <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1331">#1331</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/blink1073"><code>@​blink1073</code></a>)</li>
</ul>
<h3>Bugs fixed</h3>
<ul>
<li>Move check origin into a util function and add it to websocket <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1630">#1630</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/Yann-P"><code>@​Yann-P</code></a>)</li>
<li>Fix flaky test_restart_kernel by unsticking nudge() after
port-changing restart <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1628">#1628</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>, <a
href="https://github.com/claude"><code>@​claude</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Try to fix flaky test &quot;test_restart_kernel&quot; <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1625">#1625</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Fix potential unraisable pytest error <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1624">#1624</a>
(<a href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>fix: use %s placeholders in HTTPError to prevent Tornado from
doubling % in gateway URLs <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1620">#1620</a>
(<a
href="https://github.com/terminalchai"><code>@​terminalchai</code></a>,
<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/ptch314"><code>@​ptch314</code></a>)</li>
<li>Fix three file descriptor leaks in kernel connection lifecycle (<a
href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1506">#1506</a>)
<a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1619">#1619</a>
(<a href="https://github.com/tonyx93"><code>@​tonyx93</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Use web.HTTPError for kernel restart failures <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1616">#1616</a>
(<a href="https://github.com/YDawn"><code>@​YDawn</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
<li>Handle EADDRINUSE and EACCES in _bind_http_server_tcp <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1613">#1613</a>
(<a href="https://github.com/YDawn"><code>@​YDawn</code></a>, <a
href="https://github.com/Zsailer"><code>@​Zsailer</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Use st_birthtime for file created timestamp on macOS/BSD <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1594">#1594</a>
(<a href="https://github.com/ktaletsk"><code>@​ktaletsk</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Fix double write when refusing hidden files in contents handler <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1585">#1585</a>
(<a href="https://github.com/Krish-876"><code>@​Krish-876</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Close all sockets in _find_http_port explicitly <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1584">#1584</a>
(<a
href="https://github.com/MaryushSoroka"><code>@​MaryushSoroka</code></a>,
<a href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
<li>Fix writing on remote file systems with attribute cache <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1574">#1574</a>
(<a href="https://github.com/krassowski"><code>@​krassowski</code></a>,
<a href="https://github.com/Zsailer"><code>@​Zsailer</code></a>)</li>
<li>Add IdentityProvider.cookie_secret_hook <a
href="https://redirect.github.com/jupyter-server/jupyter_server/pull/1569">#1569</a>
(<a href="https://github.com/emin63"><code>@​emin63</code></a>, <a
href="https://github.com/minrk"><code>@​minrk</code></a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0ceed45a80"><code>0ceed45</code></a>
Publish 2.18.0</li>
<li><a
href="49b34392fe"><code>49b3439</code></a>
Move check origin into a util function and add it to websocket (<a
href="https://redirect.github.com/jupyter-server/jupyter_server/issues/1630">#1630</a>)</li>
<li><a
href="e2e08c845d"><code>e2e08c8</code></a>
Add test case for bad next URL format</li>
<li><a
href="624d6c0daf"><code>624d6c0</code></a>
Delete outdated patch code</li>
<li><a
href="d825b93d9c"><code>d825b93</code></a>
Apply suggestion from <a
href="https://github.com/minrk"><code>@​minrk</code></a></li>
<li><a
href="789fed081a"><code>789fed0</code></a>
patch open redirect in /login</li>
<li><a
href="2ee51eccf3"><code>2ee51ec</code></a>
fix(CVE-2026-35397): path traversal when target dir starts with root
dir</li>
<li><a
href="057869a327"><code>057869a</code></a>
Fix allow_origin_pat to do full matching instead of prefix matching</li>
<li><a
href="4862199a0f"><code>4862199</code></a>
Add resolvePath API for resolving kernel-relative paths</li>
<li><a
href="e31d51406d"><code>e31d514</code></a>
Bump actions/create-github-app-token from 2 to 3 in the actions group
across ...</li>
<li>Additional commits viewable in <a
href="https://github.com/jupyter-server/jupyter_server/compare/v2.17.0...v2.18.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=jupyter-server&package-manager=uv&previous-version=2.17.0&new-version=2.18.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-05 16:41:09 -04:00
Nick Hollon
5039dfec1f release(core): 1.3.3 (#37198) 2026-05-05 15:00:01 -04:00
dependabot[bot]
8eb3bec99f chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (#37109)
Bumps [notebook](https://github.com/jupyter/notebook) from 7.5.0 to
7.5.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jupyter/notebook/releases">notebook's
releases</a>.</em></p>
<blockquote>
<h2>v7.5.6</h2>
<h2>7.5.6</h2>
<p>(<a
href="https://github.com/jupyter/notebook/compare/@jupyter-notebook/application-extension@7.5.5...2e642f0cb10be314ba5d97d709cffe41bf992d9e">Full
Changelog</a>)</p>
<h3>Security patches</h3>
<ul>
<li>CVE-2026-42557 <a
href="https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-mqcg-5x36-vfcg">https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-mqcg-5x36-vfcg</a></li>
<li>CVE-2026-40171 <a
href="https://github.com/jupyter/notebook/security/advisories/GHSA-rch3-82jr-f9w9">https://github.com/jupyter/notebook/security/advisories/GHSA-rch3-82jr-f9w9</a></li>
</ul>
<h3>Maintenance and upkeep improvements</h3>
<ul>
<li>Update to JupyterLab v4.5.7 <a
href="https://redirect.github.com/jupyter/notebook/pull/7902">#7902</a>
(<a href="https://github.com/jtpio"><code>@​jtpio</code></a>)</li>
</ul>
<h3>Documentation improvements</h3>
<ul>
<li>docs: Fix broken links in troubleshooting and migration docs <a
href="https://redirect.github.com/jupyter/notebook/pull/7824">#7824</a>
(<a
href="https://github.com/RamiNoodle733"><code>@​RamiNoodle733</code></a>)</li>
</ul>
<h3>Contributors to this release</h3>
<p>The following people contributed discussions, new ideas, code and
documentation contributions, and review.
See <a
href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our
definition of contributors</a>.</p>
<p>(<a
href="https://github.com/jupyter/notebook/graphs/contributors?from=2026-03-11&amp;to=2026-04-30&amp;type=c">GitHub
contributors page for this release</a>)</p>
<p><a href="https://github.com/jtpio"><code>@​jtpio</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Ajtpio+updated%3A2026-03-11..2026-04-30&amp;type=Issues">activity</a>)
| <a
href="https://github.com/RamiNoodle733"><code>@​RamiNoodle733</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3ARamiNoodle733+updated%3A2026-03-11..2026-04-30&amp;type=Issues">activity</a>)</p>
<h2>v7.5.5</h2>
<h2>7.5.5</h2>
<p>(<a
href="https://github.com/jupyter/notebook/compare/@jupyter-notebook/application-extension@7.5.4...4f8438b0c67dc4f010bf8cd052da4f16e2ed3828">Full
Changelog</a>)</p>
<h3>Maintenance and upkeep improvements</h3>
<ul>
<li>Update to JupyterLab v4.5.6 <a
href="https://redirect.github.com/jupyter/notebook/pull/7861">#7861</a>
(<a href="https://github.com/jtpio"><code>@​jtpio</code></a>)</li>
<li>[7.5.x] Drop Python 3.9 on CI <a
href="https://redirect.github.com/jupyter/notebook/pull/7860">#7860</a>
(<a href="https://github.com/jtpio"><code>@​jtpio</code></a>)</li>
<li>Fix check links <a
href="https://redirect.github.com/jupyter/notebook/pull/7857">#7857</a>
(<a href="https://github.com/jtpio"><code>@​jtpio</code></a>)</li>
</ul>
<h3>Contributors to this release</h3>
<p>The following people contributed discussions, new ideas, code and
documentation contributions, and review.
See <a
href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our
definition of contributors</a>.</p>
<p>(<a
href="https://github.com/jupyter/notebook/graphs/contributors?from=2026-02-24&amp;to=2026-03-11&amp;type=c">GitHub
contributors page for this release</a>)</p>
<p><a href="https://github.com/jtpio"><code>@​jtpio</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Ajtpio+updated%3A2026-02-24..2026-03-11&amp;type=Issues">activity</a>)</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jupyter/notebook/blob/@jupyter-notebook/tree@7.5.6/CHANGELOG.md">notebook's
changelog</a>.</em></p>
<blockquote>
<h2>7.5.6</h2>
<p>(<a
href="https://github.com/jupyter/notebook/compare/@jupyter-notebook/application-extension@7.5.5...2e642f0cb10be314ba5d97d709cffe41bf992d9e">Full
Changelog</a>)</p>
<h3>Maintenance and upkeep improvements</h3>
<ul>
<li>Update to JupyterLab v4.5.7 <a
href="https://redirect.github.com/jupyter/notebook/pull/7902">#7902</a>
(<a href="https://github.com/jtpio"><code>@​jtpio</code></a>)</li>
</ul>
<h3>Documentation improvements</h3>
<ul>
<li>docs: Fix broken links in troubleshooting and migration docs <a
href="https://redirect.github.com/jupyter/notebook/pull/7824">#7824</a>
(<a
href="https://github.com/RamiNoodle733"><code>@​RamiNoodle733</code></a>)</li>
</ul>
<h3>Contributors to this release</h3>
<p>The following people contributed discussions, new ideas, code and
documentation contributions, and review.
See <a
href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our
definition of contributors</a>.</p>
<p>(<a
href="https://github.com/jupyter/notebook/graphs/contributors?from=2026-03-11&amp;to=2026-04-30&amp;type=c">GitHub
contributors page for this release</a>)</p>
<p><a href="https://github.com/jtpio"><code>@​jtpio</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Ajtpio+updated%3A2026-03-11..2026-04-30&amp;type=Issues">activity</a>)
| <a
href="https://github.com/RamiNoodle733"><code>@​RamiNoodle733</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3ARamiNoodle733+updated%3A2026-03-11..2026-04-30&amp;type=Issues">activity</a>)</p>
<!-- raw HTML omitted -->
<h2>7.5.5</h2>
<p>(<a
href="https://github.com/jupyter/notebook/compare/@jupyter-notebook/application-extension@7.5.4...4f8438b0c67dc4f010bf8cd052da4f16e2ed3828">Full
Changelog</a>)</p>
<h3>Maintenance and upkeep improvements</h3>
<ul>
<li>Update to JupyterLab v4.5.6 <a
href="https://redirect.github.com/jupyter/notebook/pull/7861">#7861</a>
(<a href="https://github.com/jtpio"><code>@​jtpio</code></a>)</li>
<li>[7.5.x] Drop Python 3.9 on CI <a
href="https://redirect.github.com/jupyter/notebook/pull/7860">#7860</a>
(<a href="https://github.com/jtpio"><code>@​jtpio</code></a>)</li>
<li>Fix check links <a
href="https://redirect.github.com/jupyter/notebook/pull/7857">#7857</a>
(<a href="https://github.com/jtpio"><code>@​jtpio</code></a>)</li>
</ul>
<h3>Contributors to this release</h3>
<p>The following people contributed discussions, new ideas, code and
documentation contributions, and review.
See <a
href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our
definition of contributors</a>.</p>
<p>(<a
href="https://github.com/jupyter/notebook/graphs/contributors?from=2026-02-24&amp;to=2026-03-11&amp;type=c">GitHub
contributors page for this release</a>)</p>
<p><a href="https://github.com/jtpio"><code>@​jtpio</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Ajtpio+updated%3A2026-02-24..2026-03-11&amp;type=Issues">activity</a>)</p>
<h2>7.5.4</h2>
<p>(<a
href="https://github.com/jupyter/notebook/compare/@jupyter-notebook/application-extension@7.5.3...e5d8418b706fcefd4208bb61c22399dd3123555b">Full
Changelog</a>)</p>
<h3>Maintenance and upkeep improvements</h3>
<ul>
<li>Update to JupyterLab v4.5.5 <a
href="https://redirect.github.com/jupyter/notebook/pull/7842">#7842</a>
(<a href="https://github.com/jtpio"><code>@​jtpio</code></a>)</li>
<li>Fix PyO3 CI failure with Python 3.15 <a
href="https://redirect.github.com/jupyter/notebook/pull/7836">#7836</a>
(<a href="https://github.com/jtpio"><code>@​jtpio</code></a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="1ab2d2b992"><code>1ab2d2b</code></a>
Publish 7.5.6</li>
<li><a
href="50e5222c96"><code>50e5222</code></a>
Merge commit from fork</li>
<li><a
href="2e642f0cb1"><code>2e642f0</code></a>
Update to JupyterLab v4.5.7 (<a
href="https://redirect.github.com/jupyter/notebook/issues/7902">#7902</a>)</li>
<li><a
href="4b93f98b5a"><code>4b93f98</code></a>
Backport PR <a
href="https://redirect.github.com/jupyter/notebook/issues/7824">#7824</a>:
docs: Fix broken links in troubleshooting and migration do...</li>
<li><a
href="9a2c88fe64"><code>9a2c88f</code></a>
Publish 7.5.5</li>
<li><a
href="4f8438b0c6"><code>4f8438b</code></a>
Update to JupyterLab v4.5.6 (<a
href="https://redirect.github.com/jupyter/notebook/issues/7861">#7861</a>)</li>
<li><a
href="f78fcfada8"><code>f78fcfa</code></a>
Backport PR <a
href="https://redirect.github.com/jupyter/notebook/issues/7857">#7857</a>:
Fix check links (<a
href="https://redirect.github.com/jupyter/notebook/issues/7858">#7858</a>)</li>
<li><a
href="9e4cf2a445"><code>9e4cf2a</code></a>
[7.5.x] Drop Python 3.9 on CI (<a
href="https://redirect.github.com/jupyter/notebook/issues/7860">#7860</a>)</li>
<li><a
href="ecc3aaf1bb"><code>ecc3aaf</code></a>
Publish 7.5.4</li>
<li><a
href="e5d8418b70"><code>e5d8418</code></a>
Update to JupyterLab v4.5.5 (<a
href="https://redirect.github.com/jupyter/notebook/issues/7842">#7842</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/jupyter/notebook/compare/@jupyter-notebook/tree@7.5.0...@jupyter-notebook/tree@7.5.6">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=notebook&package-manager=uv&previous-version=7.5.0&new-version=7.5.6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-01 10:13:25 -04:00
dependabot[bot]
bf715fac07 chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (#37129)
Bumps [types-pyyaml](https://github.com/python/typeshed) from
6.0.12.20250915 to 6.0.12.20260408.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/python/typeshed/commits">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=types-pyyaml&package-manager=uv&previous-version=6.0.12.20250915&new-version=6.0.12.20260408)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-01 10:12:27 -04:00
Mason Daugherty
38553c3f2d release(perplexity): 1.2.0 (#37091) 2026-04-29 17:54:27 -04:00
Nick Hollon
fa0f0d8efa release(core): 1.3.2 (#36990) 2026-04-24 11:46:25 -04:00
Nick Hollon
9ce72eba9f feat(core): add content-block-centric streaming (v2) (#36834) 2026-04-24 11:36:17 -04:00
ccurme
3f382a9e20 release(core): 1.3.1 (#36972) 2026-04-23 14:50:43 -04:00
dependabot[bot]
1442b41042 chore: bump nbconvert from 7.17.0 to 7.17.1 in /libs/core (#36923)
Bumps [nbconvert](https://github.com/jupyter/nbconvert) from 7.17.0 to
7.17.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jupyter/nbconvert/releases">nbconvert's
releases</a>.</em></p>
<blockquote>
<h2>v7.17.1</h2>
<h2>7.17.1</h2>
<p>This is a security release, fixing two CVEs:</p>
<ul>
<li><a
href="https://github.com/jupyter/nbconvert/security/advisories/GHSA-4c99-qj7h-p3vg">CVE-2026-39377</a></li>
<li><a
href="https://github.com/jupyter/nbconvert/security/advisories/GHSA-7jqv-fw35-gmx9">CVE-2026-39378</a></li>
</ul>
<p>(full advisories will be published seven days after release, on
2026-04-14).</p>
<p>(<a
href="https://github.com/jupyter/nbconvert/compare/v7.17.0...b3b6ec01f872e9af8fd1769eb9cf1889c720ecf3">Full
Changelog</a>)</p>
<h3>Enhancements made</h3>
<ul>
<li>Allow configureable WebPDF JavaScript processing timeout <a
href="https://redirect.github.com/jupyter/nbconvert/pull/2250">#2250</a>
(<a href="https://github.com/timkpaine"><code>@​timkpaine</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
</ul>
<h3>Bugs fixed</h3>
<ul>
<li>Fix <code>PermissionError</code> when checking template paths on
shared filesystems <a
href="https://redirect.github.com/jupyter/nbconvert/pull/2252">#2252</a>
(<a href="https://github.com/ctcjab"><code>@​ctcjab</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Tweak webpdf template logic to fix duplicate extension problem <a
href="https://redirect.github.com/jupyter/nbconvert/pull/2249">#2249</a>
(<a href="https://github.com/timkpaine"><code>@​timkpaine</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
</ul>
<h3>Maintenance and upkeep improvements</h3>
<ul>
<li>specify python version for pre <a
href="https://redirect.github.com/jupyter/nbconvert/pull/2276">#2276</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
</ul>
<h3>Contributors to this release</h3>
<p>The following people contributed discussions, new ideas, code and
documentation contributions, and review.
See <a
href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our
definition of contributors</a>.</p>
<p>(<a
href="https://github.com/jupyter/nbconvert/graphs/contributors?from=2026-01-29&amp;to=2026-04-08&amp;type=c">GitHub
contributors page for this release</a>)</p>
<p><a href="https://github.com/akhmerov"><code>@​akhmerov</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Aakhmerov+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/bollwyvl"><code>@​bollwyvl</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Abollwyvl+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/Carreau"><code>@​Carreau</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3ACarreau+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/ctcjab"><code>@​ctcjab</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Actcjab+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a
href="https://github.com/davidbrochart"><code>@​davidbrochart</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Adavidbrochart+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/Ken-B"><code>@​Ken-B</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3AKen-B+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/krassowski"><code>@​krassowski</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Akrassowski+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/mgeier"><code>@​mgeier</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Amgeier+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/minrk"><code>@​minrk</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Aminrk+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/mpacer"><code>@​mpacer</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ampacer+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/MSeal"><code>@​MSeal</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3AMSeal+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a
href="https://github.com/SylvainCorlay"><code>@​SylvainCorlay</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3ASylvainCorlay+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/takluyver"><code>@​takluyver</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Atakluyver+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/timkpaine"><code>@​timkpaine</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Atimkpaine+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jupyter/nbconvert/blob/main/CHANGELOG.md">nbconvert's
changelog</a>.</em></p>
<blockquote>
<h2>7.17.1</h2>
<p>This is a security release, fixing two CVEs:</p>
<ul>
<li><a
href="https://github.com/jupyter/nbconvert/security/advisories/GHSA-4c99-qj7h-p3vg">CVE-2026-39377</a></li>
<li><a
href="https://github.com/jupyter/nbconvert/security/advisories/GHSA-7jqv-fw35-gmx9">CVE-2026-39378</a></li>
</ul>
<p>(full advisories will be published seven days after release, on
2026-04-14).</p>
<p>(<a
href="https://github.com/jupyter/nbconvert/compare/v7.17.0...b3b6ec01f872e9af8fd1769eb9cf1889c720ecf3">Full
Changelog</a>)</p>
<h3>Enhancements made</h3>
<ul>
<li>Allow configureable WebPDF JavaScript processing timeout <a
href="https://redirect.github.com/jupyter/nbconvert/pull/2250">#2250</a>
(<a href="https://github.com/timkpaine"><code>@​timkpaine</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
</ul>
<h3>Bugs fixed</h3>
<ul>
<li>Fix <code>PermissionError</code> when checking template paths on
shared filesystems <a
href="https://redirect.github.com/jupyter/nbconvert/pull/2252">#2252</a>
(<a href="https://github.com/ctcjab"><code>@​ctcjab</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
<li>Tweak webpdf template logic to fix duplicate extension problem <a
href="https://redirect.github.com/jupyter/nbconvert/pull/2249">#2249</a>
(<a href="https://github.com/timkpaine"><code>@​timkpaine</code></a>, <a
href="https://github.com/Carreau"><code>@​Carreau</code></a>)</li>
</ul>
<h3>Maintenance and upkeep improvements</h3>
<ul>
<li>specify python version for pre <a
href="https://redirect.github.com/jupyter/nbconvert/pull/2276">#2276</a>
(<a href="https://github.com/minrk"><code>@​minrk</code></a>, <a
href="https://github.com/krassowski"><code>@​krassowski</code></a>)</li>
</ul>
<h3>Contributors to this release</h3>
<p>The following people contributed discussions, new ideas, code and
documentation contributions, and review.
See <a
href="https://github-activity.readthedocs.io/en/latest/use/#how-does-this-tool-define-contributions-in-the-reports">our
definition of contributors</a>.</p>
<p>(<a
href="https://github.com/jupyter/nbconvert/graphs/contributors?from=2026-01-29&amp;to=2026-04-08&amp;type=c">GitHub
contributors page for this release</a>)</p>
<p><a href="https://github.com/akhmerov"><code>@​akhmerov</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Aakhmerov+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/bollwyvl"><code>@​bollwyvl</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Abollwyvl+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/Carreau"><code>@​Carreau</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3ACarreau+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/ctcjab"><code>@​ctcjab</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Actcjab+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a
href="https://github.com/davidbrochart"><code>@​davidbrochart</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Adavidbrochart+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/Ken-B"><code>@​Ken-B</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3AKen-B+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/krassowski"><code>@​krassowski</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Akrassowski+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/mgeier"><code>@​mgeier</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Amgeier+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/minrk"><code>@​minrk</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Aminrk+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/mpacer"><code>@​mpacer</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Ampacer+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/MSeal"><code>@​MSeal</code></a> (<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3AMSeal+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a
href="https://github.com/SylvainCorlay"><code>@​SylvainCorlay</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3ASylvainCorlay+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/takluyver"><code>@​takluyver</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Atakluyver+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)
| <a href="https://github.com/timkpaine"><code>@​timkpaine</code></a>
(<a
href="https://github.com/search?q=repo%3Ajupyter%2Fnbconvert+involves%3Atimkpaine+updated%3A2026-01-29..2026-04-08&amp;type=Issues">activity</a>)</p>
<!-- raw HTML omitted -->
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="78ed30837a"><code>78ed308</code></a>
Publish 7.17.1</li>
<li><a
href="f090a64606"><code>f090a64</code></a>
ruff format</li>
<li><a
href="b3b6ec01f8"><code>b3b6ec0</code></a>
chore: update pre-commit hooks (<a
href="https://redirect.github.com/jupyter/nbconvert/issues/2277">#2277</a>)</li>
<li><a
href="be4841f7da"><code>be4841f</code></a>
ignore silly security lint in tests</li>
<li><a
href="26d57b2958"><code>26d57b2</code></a>
fix type annotation on Lexer</li>
<li><a
href="0e6b8ccabf"><code>0e6b8cc</code></a>
Merge commit from fork</li>
<li><a
href="ba5e5cdd73"><code>ba5e5cd</code></a>
Merge commit from fork</li>
<li><a
href="1db0c88d86"><code>1db0c88</code></a>
Specify python version for pre (<a
href="https://redirect.github.com/jupyter/nbconvert/issues/2276">#2276</a>)</li>
<li><a
href="7473fc3037"><code>7473fc3</code></a>
chore: update pre-commit hooks (<a
href="https://redirect.github.com/jupyter/nbconvert/issues/2242">#2242</a>)</li>
<li><a
href="4322f7f290"><code>4322f7f</code></a>
Bump the actions group across 1 directory with 2 updates (<a
href="https://redirect.github.com/jupyter/nbconvert/issues/2273">#2273</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/jupyter/nbconvert/compare/v7.17.0...v7.17.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=nbconvert&package-manager=uv&previous-version=7.17.0&new-version=7.17.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-21 15:11:27 -04:00
dependabot[bot]
9bd63b4ac8 chore: bump langsmith from 0.7.13 to 0.7.31 in /libs/core (#36813)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from
0.7.13 to 0.7.31.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's
releases</a>.</em></p>
<blockquote>
<h2>v0.7.31</h2>
<h2>What's Changed</h2>
<ul>
<li>chore(deps-dev): bump langchain-core from 1.2.23 to 1.2.28 in
/python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2692">langchain-ai/langsmith-sdk#2692</a></li>
<li>chore(deps-dev): bump <code>@​anthropic-ai/sdk</code> from 0.82.0 to
0.84.0 in /js by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2684">langchain-ai/langsmith-sdk#2684</a></li>
<li>chore(deps): bump cryptography from 46.0.6 to 46.0.7 in /python by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2693">langchain-ai/langsmith-sdk#2693</a></li>
<li>chore(deps-dev): bump <code>@​anthropic-ai/sdk</code> from 0.84.0 to
0.85.0 in /js by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2700">langchain-ai/langsmith-sdk#2700</a></li>
<li>feat(py): Tag OpenAI Agent Python SDK runs with ls_agent_type by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2699">langchain-ai/langsmith-sdk#2699</a></li>
<li>feat(js): Adds ls_agent_type metadata to AI SDK runs by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2701">langchain-ai/langsmith-sdk#2701</a></li>
<li>chore(deps-dev): bump types-tqdm from 4.67.3.20260303 to
4.67.3.20260408 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2710">langchain-ai/langsmith-sdk#2710</a></li>
<li>chore(deps): bump pnpm/action-setup from 5 to 6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2705">langchain-ai/langsmith-sdk#2705</a></li>
<li>chore(deps): bump the py-minor-and-patch group across 1 directory
with 10 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2711">langchain-ai/langsmith-sdk#2711</a></li>
<li>chore(deps-dev): bump <code>@​anthropic-ai/sdk</code> from 0.85.0 to
0.86.0 in /js by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2702">langchain-ai/langsmith-sdk#2702</a></li>
<li>chore(deps): bump actions/github-script from 8 to 9 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2706">langchain-ai/langsmith-sdk#2706</a></li>
<li>chore(deps-dev): bump the js-minor-and-patch group across 1
directory with 7 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2712">langchain-ai/langsmith-sdk#2712</a></li>
<li>chore(deps-dev): bump types-psutil from 7.2.2.20260130 to
7.2.2.20260408 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2709">langchain-ai/langsmith-sdk#2709</a></li>
<li>chore(deps-dev): bump rich from 14.3.3 to 15.0.0 in /python by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2708">langchain-ai/langsmith-sdk#2708</a></li>
<li>feat: Filter kwargs from new token events by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2714">langchain-ai/langsmith-sdk#2714</a></li>
<li>release(py): 0.7.31 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2716">langchain-ai/langsmith-sdk#2716</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.30...v0.7.31">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.30...v0.7.31</a></p>
<h2>v0.7.30</h2>
<h2>What's Changed</h2>
<ul>
<li>feat(python): add service feature to sandbox by <a
href="https://github.com/DanielKneipp"><code>@​DanielKneipp</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2665">langchain-ai/langsmith-sdk#2665</a></li>
<li>fix(js): Fix prototype pollution bug in anonymizers by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2690">langchain-ai/langsmith-sdk#2690</a></li>
<li>release(js): 0.5.18 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2691">langchain-ai/langsmith-sdk#2691</a></li>
<li>chore(js/sandbox): suppress warning log by <a
href="https://github.com/hntrl"><code>@​hntrl</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2694">langchain-ai/langsmith-sdk#2694</a></li>
<li>feat(js): Add metadata to Claude Agent SDK JS tracing by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2695">langchain-ai/langsmith-sdk#2695</a></li>
<li>fix(py): Fix run tree memory leak by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2696">langchain-ai/langsmith-sdk#2696</a></li>
<li>release(py): 0.7.30 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2698">langchain-ai/langsmith-sdk#2698</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.29...v0.7.30">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.29...v0.7.30</a></p>
<h2>v0.7.29</h2>
<h2>What's Changed</h2>
<ul>
<li>release(js): 0.5.17 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2681">langchain-ai/langsmith-sdk#2681</a></li>
<li>feat(py): Fix race condition around Claude Agent SDK instrumentation
by <a href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2685">langchain-ai/langsmith-sdk#2685</a></li>
<li>release(py): 0.7.29 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2686">langchain-ai/langsmith-sdk#2686</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.28...v0.7.29">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.28...v0.7.29</a></p>
<h2>v0.7.28</h2>
<h2>What's Changed</h2>
<ul>
<li>feat(py): Support subagent tracing in Claude Agents SDK, fix usage
and duplicate messages by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2670">langchain-ai/langsmith-sdk#2670</a></li>
<li>chore(deps-dev): bump the py-minor-and-patch group across 1
directory with 11 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2677">langchain-ai/langsmith-sdk#2677</a></li>
<li>chore(deps-dev): bump the js-minor-and-patch group across 1
directory with 8 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2667">langchain-ai/langsmith-sdk#2667</a></li>
<li>chore(deps): bump pnpm/action-setup from 4 to 5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2658">langchain-ai/langsmith-sdk#2658</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="c434999d05"><code>c434999</code></a>
release(py): 0.7.31 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2716">#2716</a>)</li>
<li><a
href="47d7c4a783"><code>47d7c4a</code></a>
feat: Filter kwargs from new token events (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2714">#2714</a>)</li>
<li><a
href="3c57445b54"><code>3c57445</code></a>
chore(deps-dev): bump rich from 14.3.3 to 15.0.0 in /python (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2708">#2708</a>)</li>
<li><a
href="2be6cd01a2"><code>2be6cd0</code></a>
chore(deps-dev): bump types-psutil from 7.2.2.20260130 to 7.2.2.20260408
in /...</li>
<li><a
href="b8b6ca32d4"><code>b8b6ca3</code></a>
chore(deps-dev): bump the js-minor-and-patch group across 1 directory
with 7 ...</li>
<li><a
href="9897cb33da"><code>9897cb3</code></a>
chore(deps): bump actions/github-script from 8 to 9 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2706">#2706</a>)</li>
<li><a
href="572c018428"><code>572c018</code></a>
chore(deps-dev): bump <code>@​anthropic-ai/sdk</code> from 0.85.0 to
0.86.0 in /js (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2702">#2702</a>)</li>
<li><a
href="57447524c8"><code>5744752</code></a>
chore(deps): bump the py-minor-and-patch group across 1 directory with
10 upd...</li>
<li><a
href="960cae7f49"><code>960cae7</code></a>
chore(deps): bump pnpm/action-setup from 5 to 6 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2705">#2705</a>)</li>
<li><a
href="9370e7670a"><code>9370e76</code></a>
chore(deps-dev): bump types-tqdm from 4.67.3.20260303 to 4.67.3.20260408
in /...</li>
<li>Additional commits viewable in <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.13...v0.7.31">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-17 12:53:51 -06:00
Eugene Yurtsev
c87cd04927 release(core): release 1.3.0 (#36851)
xRelease 1.3.0
2026-04-17 14:42:01 +00:00
Eugene Yurtsev
af0e174ef7 release(core): 1.3.0a3 (#36829)
release 1.3.0a3
2026-04-16 15:37:28 -04:00
Jacob Lee
c04e05feb1 feat(core): Add chat model and LLM invocation params to traceable metadata (#36771)
Equivalent to: https://github.com/langchain-ai/langchainjs/pull/10711/

---------

Co-authored-by: Eugene Yurtsev <eyurtsev@gmail.com>
2026-04-16 18:30:54 +00:00
Mason Daugherty
7e81d09f2a chore(deps): bump pytest to 9.0.3 (#36801)
CVE-2025-71176 (medium severity)

All are dev-only (test dependency group) — no impact on published
packages.

### Why syrupy was also bumped

syrupy 4.x (`<5.0.0`) constrains pytest to `<9.0.0`, blocking the CVE
fix. Widening to `<6.0.0` allows syrupy 5.x which supports pytest 9.x.
2026-04-15 21:46:40 -06:00
dependabot[bot]
87ca15da86 chore: bump pytest from 9.0.2 to 9.0.3 in /libs/core (#36719)
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.0.2 to
9.0.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pytest-dev/pytest/releases">pytest's
releases</a>.</em></p>
<blockquote>
<h2>9.0.3</h2>
<h1>pytest 9.0.3 (2026-04-07)</h1>
<h2>Bug fixes</h2>
<ul>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/12444">#12444</a>:
Fixed <code>pytest.approx</code> which now correctly takes into account
<code>~collections.abc.Mapping</code> keys order to compare them.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13634">#13634</a>:
Blocking a <code>conftest.py</code> file using the <code>-p no:</code>
option is now explicitly disallowed.</p>
<p>Previously this resulted in an internal assertion failure during
plugin loading.</p>
<p>Pytest now raises a clear <code>UsageError</code> explaining that
conftest files are not plugins and cannot be disabled via
<code>-p</code>.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13734">#13734</a>:
Fixed crash when a test raises an exceptiongroup with
<code>__tracebackhide__ = True</code>.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/14195">#14195</a>:
Fixed an issue where non-string messages passed to <!-- raw HTML omitted
-->unittest.TestCase.subTest()<!-- raw HTML omitted --> were not
printed.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/14343">#14343</a>:
Fixed use of insecure temporary directory (CVE-2025-71176).</p>
</li>
</ul>
<h2>Improved documentation</h2>
<ul>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13388">#13388</a>:
Clarified documentation for <code>-p</code> vs
<code>PYTEST_PLUGINS</code> plugin loading and fixed an incorrect
<code>-p</code> example.</li>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13731">#13731</a>:
Clarified that capture fixtures (e.g. <code>capsys</code> and
<code>capfd</code>) take precedence over the <code>-s</code> /
<code>--capture=no</code> command-line options in <code>Accessing
captured output from a test function
&lt;accessing-captured-output&gt;</code>.</li>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/14088">#14088</a>:
Clarified that the default <code>pytest_collection</code> hook sets
<code>session.items</code> before it calls
<code>pytest_collection_finish</code>, not after.</li>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/14255">#14255</a>:
TOML integer log levels must be quoted: Updating reference
documentation.</li>
</ul>
<h2>Contributor-facing changes</h2>
<ul>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/12689">#12689</a>:
The test reports are now published to Codecov from GitHub Actions.
The test statistics is visible <a
href="https://app.codecov.io/gh/pytest-dev/pytest/tests">on the web
interface</a>.</p>
<p>-- by <code>aleguy02</code></p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="a7d58d7a21"><code>a7d58d7</code></a>
Prepare release version 9.0.3</li>
<li><a
href="089d98199c"><code>089d981</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/14366">#14366</a>
from bluetech/revert-14193-backport</li>
<li><a
href="8127eaf4ab"><code>8127eaf</code></a>
Revert &quot;Fix: assertrepr_compare respects dict insertion order (<a
href="https://redirect.github.com/pytest-dev/pytest/issues/14050">#14050</a>)
(<a
href="https://redirect.github.com/pytest-dev/pytest/issues/14193">#14193</a>)&quot;</li>
<li><a
href="99a7e6029e"><code>99a7e60</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/14363">#14363</a>
from pytest-dev/patchback/backports/9.0.x/95d8423bd...</li>
<li><a
href="ddee02a578"><code>ddee02a</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/14343">#14343</a>
from bluetech/cve-2025-71176-simple</li>
<li><a
href="74eac6916f"><code>74eac69</code></a>
doc: Update training info (<a
href="https://redirect.github.com/pytest-dev/pytest/issues/14298">#14298</a>)
(<a
href="https://redirect.github.com/pytest-dev/pytest/issues/14301">#14301</a>)</li>
<li><a
href="f92dee777c"><code>f92dee7</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/14267">#14267</a>
from pytest-dev/patchback/backports/9.0.x/d6fa26c62...</li>
<li><a
href="7ee58acc87"><code>7ee58ac</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/12378">#12378</a>
from Pierre-Sassoulas/fix-implicit-str-concat-and-d...</li>
<li><a
href="37da870d37"><code>37da870</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/14259">#14259</a>
from mitre88/patch-4 (<a
href="https://redirect.github.com/pytest-dev/pytest/issues/14268">#14268</a>)</li>
<li><a
href="c34bfa3b7a"><code>c34bfa3</code></a>
Add explanation for string context diffs (<a
href="https://redirect.github.com/pytest-dev/pytest/issues/14257">#14257</a>)
(<a
href="https://redirect.github.com/pytest-dev/pytest/issues/14266">#14266</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/pytest-dev/pytest/compare/9.0.2...9.0.3">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-14 17:33:13 +00:00
Eugene Yurtsev
8182d6302d release(core): 1.3.0.a2 (#36698)
release 1.3.0a2
2026-04-13 10:13:48 -04:00
Eugene Yurtsev
9ee4617fba release(core): 1.3.0a1 (#36656)
1.3.0a1 release
2026-04-10 11:58:34 -04:00
Eugene Yurtsev
dd7c3eb3a4 release(core): release 1.2.28 (#36614)
release 1.27.8
2026-04-08 14:15:50 -04:00
ccurme
6486404116 release(core): 1.2.27 (#36586) 2026-04-07 10:52:46 -04:00
Mason Daugherty
0a1d290ac2 release(core): 1.2.26 (#36511) 2026-04-03 19:27:36 -04:00
ccurme
e89afedfec release(core): 1.2.25 (#36473) 2026-04-02 18:36:14 -04:00
ccurme
b3dff4a04c release(core): 1.2.24 (#36434) 2026-04-01 15:57:16 -04:00
John Kennedy
0f4f3f74c8 chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385)
## Summary

Bumps `pygments` to `>=2.20.0` across all 21 affected packages to
address [CVE-2026-4539](https://github.com/advisories/GHSA-XXXX) — ReDoS
via inefficient GUID regex in Pygments.

- **Severity:** Low
- **Fixed in:** 2.20.0 (was 2.19.2)
- **Change:** Added `pygments>=2.20.0` to `constraint-dependencies` in
`[tool.uv]` for each package, then ran `uv lock --upgrade-package
pygments` to regenerate lock files.

Closes Dependabot alerts #3435–#3455.

## Release Note
Patch deps

### Test Plan
 - [x] CI Green 🙏

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-30 23:26:59 -04:00
ccurme
d48364130d release(core): 1.2.23 (#36323) 2026-03-27 19:25:21 -04:00
dependabot[bot]
2aeeb58ef1 chore: bump requests from 2.32.5 to 2.33.0 in /libs/core (#36243)
Bumps [requests](https://github.com/psf/requests) from 2.32.5 to 2.33.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/psf/requests/releases">requests's
releases</a>.</em></p>
<blockquote>
<h2>v2.33.0</h2>
<h2>2.33.0 (2026-03-25)</h2>
<p><strong>Announcements</strong></p>
<ul>
<li>📣 Requests is adding inline types. If you have a typed code base
that uses Requests, please take a look at <a
href="https://redirect.github.com/psf/requests/issues/7271">#7271</a>.
Give it a try, and report any gaps or feedback you may have in the
issue. 📣</li>
</ul>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2026-25645 <code>requests.utils.extract_zipped_paths</code> now
extracts contents to a non-deterministic location to prevent malicious
file replacement. This does not affect default usage of Requests, only
applications calling the utility function directly.</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Migrated to a PEP 517 build system using setuptools. (<a
href="https://redirect.github.com/psf/requests/issues/7012">#7012</a>)</li>
</ul>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed an issue where an empty netrc entry could cause malformed
authentication to be applied to Requests on Python 3.11+. (<a
href="https://redirect.github.com/psf/requests/issues/7205">#7205</a>)</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Dropped support for Python 3.9 following its end of support. (<a
href="https://redirect.github.com/psf/requests/issues/7196">#7196</a>)</li>
</ul>
<p><strong>Documentation</strong></p>
<ul>
<li>Various typo fixes and doc improvements.</li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/M0d3v1"><code>@​M0d3v1</code></a> made
their first contribution in <a
href="https://redirect.github.com/psf/requests/pull/6865">psf/requests#6865</a></li>
<li><a href="https://github.com/aminvakil"><code>@​aminvakil</code></a>
made their first contribution in <a
href="https://redirect.github.com/psf/requests/pull/7220">psf/requests#7220</a></li>
<li><a href="https://github.com/E8Price"><code>@​E8Price</code></a> made
their first contribution in <a
href="https://redirect.github.com/psf/requests/pull/6960">psf/requests#6960</a></li>
<li><a href="https://github.com/mitre88"><code>@​mitre88</code></a> made
their first contribution in <a
href="https://redirect.github.com/psf/requests/pull/7244">psf/requests#7244</a></li>
<li><a href="https://github.com/magsen"><code>@​magsen</code></a> made
their first contribution in <a
href="https://redirect.github.com/psf/requests/pull/6553">psf/requests#6553</a></li>
<li><a
href="https://github.com/Rohan5commit"><code>@​Rohan5commit</code></a>
made their first contribution in <a
href="https://redirect.github.com/psf/requests/pull/7227">psf/requests#7227</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25">https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's
changelog</a>.</em></p>
<blockquote>
<h2>2.33.0 (2026-03-25)</h2>
<p><strong>Announcements</strong></p>
<ul>
<li>📣 Requests is adding inline types. If you have a typed code base
that
uses Requests, please take a look at <a
href="https://redirect.github.com/psf/requests/issues/7271">#7271</a>.
Give it a try, and report
any gaps or feedback you may have in the issue. 📣</li>
</ul>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2026-25645 <code>requests.utils.extract_zipped_paths</code> now
extracts
contents to a non-deterministic location to prevent malicious file
replacement. This does not affect default usage of Requests, only
applications calling the utility function directly.</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Migrated to a PEP 517 build system using setuptools. (<a
href="https://redirect.github.com/psf/requests/issues/7012">#7012</a>)</li>
</ul>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed an issue where an empty netrc entry could cause
malformed authentication to be applied to Requests on
Python 3.11+. (<a
href="https://redirect.github.com/psf/requests/issues/7205">#7205</a>)</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Dropped support for Python 3.9 following its end of support. (<a
href="https://redirect.github.com/psf/requests/issues/7196">#7196</a>)</li>
</ul>
<p><strong>Documentation</strong></p>
<ul>
<li>Various typo fixes and doc improvements.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="bc04dfd6da"><code>bc04dfd</code></a>
v2.33.0</li>
<li><a
href="66d21cb07b"><code>66d21cb</code></a>
Merge commit from fork</li>
<li><a
href="8b9bc8fc0f"><code>8b9bc8f</code></a>
Move badges to top of README (<a
href="https://redirect.github.com/psf/requests/issues/7293">#7293</a>)</li>
<li><a
href="e331a288f3"><code>e331a28</code></a>
Remove unused extraction call (<a
href="https://redirect.github.com/psf/requests/issues/7292">#7292</a>)</li>
<li><a
href="753fd08c5e"><code>753fd08</code></a>
docs: fix FAQ grammar in httplib2 example</li>
<li><a
href="774a0b837a"><code>774a0b8</code></a>
docs(socks): same block as other sections</li>
<li><a
href="9c72a41bec"><code>9c72a41</code></a>
Bump github/codeql-action from 4.33.0 to 4.34.1</li>
<li><a
href="ebf7190679"><code>ebf7190</code></a>
Bump github/codeql-action from 4.32.0 to 4.33.0</li>
<li><a
href="0e4ae38f0c"><code>0e4ae38</code></a>
docs: exclude Response.is_permanent_redirect from API docs (<a
href="https://redirect.github.com/psf/requests/issues/7244">#7244</a>)</li>
<li><a
href="d568f47278"><code>d568f47</code></a>
docs: clarify Quickstart POST example (<a
href="https://redirect.github.com/psf/requests/issues/6960">#6960</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/psf/requests/compare/v2.32.5...v2.33.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=requests&package-manager=uv&previous-version=2.32.5&new-version=2.33.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-26 22:33:21 -07:00
ccurme
d22df94537 release(core): 1.2.22 (#36201) 2026-03-24 14:45:30 -04:00
ccurme
19f81cf6f1 release(core): 1.2.21 (#36179) 2026-03-23 13:57:14 -04:00
ccurme
c4abc91ed9 release(core): 1.2.20 (#36085) 2026-03-18 13:31:33 -04:00