mirror of
https://github.com/hwchase17/langchain.git
synced 2026-07-02 07:07:48 +00:00
f173c111fbd5e52aaa24bb20264a97d62885e662
95 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
c0714b5885 |
chore: bump pytest from 9.0.3 to 9.1.1 in /libs/model-profiles (#38311)
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.0.3 to 9.1.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pytest-dev/pytest/releases">pytest's releases</a>.</em></p> <blockquote> <h2>9.1.1</h2> <h1>pytest 9.1.1 (2026-06-19)</h1> <h2>Bug fixes</h2> <ul> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/14220">#14220</a>: Fixed a logic bug in <code>pytest.RaisesGroup</code> which would might cause it to display incorrect "It matches <!-- raw HTML omitted -->FooError()<!-- raw HTML omitted --> which was paired with <!-- raw HTML omitted -->BarError<!-- raw HTML omitted -->" messages.</li> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/14591">#14591</a>: Fixed a regression in pytest 9.1.0 which caused overriding a parametrized fixture with an indirect <!-- raw HTML omitted --><a href="https://github.com/pytest"><code>@pytest</code></a>.mark.parametrize<!-- raw HTML omitted --> to fail with "duplicate parametrization of '<fixture name>'".</li> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/14606">#14606</a>: Fixed <code>list-item</code> typing errors from mypy in <code>@pytest.mark.parametrize <pytest.mark.parametrize ref></code> <code>argvalues</code> parameter.</li> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/14608">#14608</a>: Fixed a regression in pytest 9.1.0 where <code>conftest.py</code> files located in <code><invocation dir>/test*</code> were no longer loaded as initial conftests when invoked without arguments. This could cause certain hooks (like <code>pytest_addoption</code>) in these files to not fire.</li> </ul> <h2>9.1.0</h2> <h1>pytest 9.1.0 (2026-06-13)</h1> <h2>Removals and backward incompatible breaking changes</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14533">#14533</a>: When using <code>--doctest-modules</code>, autouse fixtures with <code>module</code>, <code>package</code> or <code>session</code> scope that are defined inline in Python test modules (not plugins or conftests) will now possibly execute twice.</p> <p>If this is undesirable, move the fixture definition to a <code>conftest.py</code> file if possible.</p> <p>Technical explanation for those interested: When using <!-- raw HTML omitted -->--doctest-modules<!-- raw HTML omitted -->, pytest possibly collects Python modules twice, once as <code>pytest.Module</code> and once as a <code>DoctestModule</code> (depending on the configuration). Due to improvements in pytest's fixture implementation, if e.g. the <code>DoctestModule</code> collects a fixture, it is now visible to it only, and not to the <code>Module</code>. This means that both need to register the fixtures independently.</p> </li> </ul> <h2>Deprecations (removal in next major release)</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/10819">#10819</a>: Added a deprecation warning for class-scoped fixtures defined as instance methods (without <code>@classmethod</code>). Such fixtures set attributes on a different instance than the test methods use, leading to unexpected behavior. Use <code>@classmethod</code> decorator instead -- by <code>yastcher</code>.</p> <p>See <code>10819</code> and <code>14011</code>.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/12882">#12882</a>: Calling <code>request.getfixturevalue() <pytest.FixtureRequest.getfixturevalue></code> during teardown to request a fixture that was not already requested is now deprecated and will become an error in pytest 10.</p> <p>See <code>dynamic-fixture-request-during-teardown</code> for details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13409">#13409</a>: Using non-<code>~collections.abc.Collection</code> iterables (such as generators, iterators, or custom iterable objects) for the <code>argvalues</code> parameter in <code>@pytest.mark.parametrize <pytest.mark.parametrize ref></code> and <code>metafunc.parametrize <pytest.Metafunc.parametrize></code> is now deprecated.</p> <p>These iterables get exhausted after the first iteration, leading to tests getting unexpectedly skipped in cases such as running <code>pytest.main()</code> multiple times, using class-level parametrize decorators, or collecting tests multiple times.</p> <p>See <code>parametrize-iterators</code> for details and suggestions.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13946">#13946</a>: The private <code>config.inicfg</code> attribute is now deprecated. Use <code>config.getini() <pytest.Config.getini></code> to access configuration values instead.</p> <p>See <code>config-inicfg</code> for more details.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14004">#14004</a>: Passing <code>baseid</code> to <code>~pytest.FixtureDef</code> or <code>nodeid</code> strings to fixture registration APIs is now deprecated. These are internal pytest APIs that are used by some plugins.</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
cd349b7158 |
chore: bump langsmith from 0.8.5 to 0.8.18 in /libs/model-profiles (#38309)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.8.5 to 0.8.18. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.8.18</h2> <h2>What's Changed</h2> <ul> <li>chore(deps-dev): bump vitest from 3.2.4 to 3.2.6 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3002">langchain-ai/langsmith-sdk#3002</a></li> <li>chore(deps): bump pyjwt from 2.12.1 to 2.13.0 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3030">langchain-ai/langsmith-sdk#3030</a></li> <li>chore(deps): bump python-multipart from 0.0.27 to 0.0.31 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3036">langchain-ai/langsmith-sdk#3036</a></li> <li>chore(deps): bump aiohttp from 3.14.0 to 3.14.1 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3037">langchain-ai/langsmith-sdk#3037</a></li> <li>chore(deps): bump cryptography from 46.0.7 to 48.0.1 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3038">langchain-ai/langsmith-sdk#3038</a></li> <li>chore(deps): bump starlette from 1.0.1 to 1.3.1 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3039">langchain-ai/langsmith-sdk#3039</a></li> <li>chore(deps-dev): bump langchain-anthropic from 1.4.4 to 1.4.6 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3044">langchain-ai/langsmith-sdk#3044</a></li> <li>chore(deps): bump the npm_and_yarn group across 4 directories with 4 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3046">langchain-ai/langsmith-sdk#3046</a></li> <li>chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3060">langchain-ai/langsmith-sdk#3060</a></li> <li>test(python): fix integration assertions for updated attachment error message by <a href="https://github.com/QuentinBrosse"><code>@QuentinBrosse</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3061">langchain-ai/langsmith-sdk#3061</a></li> <li>chore: reconcile bumpversion config and mandate release process for agents by <a href="https://github.com/QuentinBrosse"><code>@QuentinBrosse</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3062">langchain-ai/langsmith-sdk#3062</a></li> <li>release(py): 0.8.18 by <a href="https://github.com/QuentinBrosse"><code>@QuentinBrosse</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3063">langchain-ai/langsmith-sdk#3063</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.17...v0.8.18">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.17...v0.8.18</a></p> <h2>v0.8.17</h2> <h2>What's Changed</h2> <ul> <li>feat: expose the resources from the generated openapi client in the langsmith client by <a href="https://github.com/sineha-mani"><code>@sineha-mani</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3018">langchain-ai/langsmith-sdk#3018</a></li> <li>feat(js): port <code>isTracingEnabled</code> utility from Python by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3032">langchain-ai/langsmith-sdk#3032</a></li> <li>Add sandbox mount support to JS SDK by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3010">langchain-ai/langsmith-sdk#3010</a></li> <li>release(js): bump to 0.7.9 by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3035">langchain-ai/langsmith-sdk#3035</a></li> <li>Add sandbox mount support to Python SDK by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3009">langchain-ai/langsmith-sdk#3009</a></li> <li>docs: note that _openapi_client directories are auto-generated by <a href="https://github.com/KiewanVillatel"><code>@KiewanVillatel</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3034">langchain-ai/langsmith-sdk#3034</a></li> <li>fix: update JS SDK type declarations with skipLibCheck disabled by <a href="https://github.com/sineha-mani"><code>@sineha-mani</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3043">langchain-ai/langsmith-sdk#3043</a></li> <li>release(js): 0.7.10 by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3045">langchain-ai/langsmith-sdk#3045</a></li> <li>feat: adding python async for online evals by <a href="https://github.com/sineha-mani"><code>@sineha-mani</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3048">langchain-ai/langsmith-sdk#3048</a></li> <li>Add sandbox Git mount SDK helpers by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3040">langchain-ai/langsmith-sdk#3040</a></li> <li>fix: use insights tab in sdk report links [closes LSO-2936] by <a href="https://github.com/eric-langchain"><code>@eric-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3050">langchain-ai/langsmith-sdk#3050</a></li> <li>feat(client): warn when backend version is below minimum required by <a href="https://github.com/KiewanVillatel"><code>@KiewanVillatel</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3041">langchain-ai/langsmith-sdk#3041</a></li> <li>chore: bump _MIN_BACKEND_VERSION to 0.16.5rc1 by <a href="https://github.com/langtions-bot"><code>@langtions-bot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3053">langchain-ai/langsmith-sdk#3053</a></li> <li>fix(sandbox): use built-in gcp auth host matching by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3055">langchain-ai/langsmith-sdk#3055</a></li> <li>chore(python): py to 0.8.17 by <a href="https://github.com/sineha-mani"><code>@sineha-mani</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3056">langchain-ai/langsmith-sdk#3056</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/sineha-mani"><code>@sineha-mani</code></a> made their first contribution in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3018">langchain-ai/langsmith-sdk#3018</a></li> <li><a href="https://github.com/eric-langchain"><code>@eric-langchain</code></a> made their first contribution in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3050">langchain-ai/langsmith-sdk#3050</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.16...v0.8.17">https://github.com/langchain-ai/langsmith-sdk/compare/v0.8.16...v0.8.17</a></p> <h2>v0.8.16</h2> <h2>What's Changed</h2> <ul> <li>feat(py): add sync/async conversion for Sandbox and SandboxClient [INF-0000] by <a href="https://github.com/ramon-langchain"><code>@ramon-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3019">langchain-ai/langsmith-sdk#3019</a></li> <li>fix(experiments): extract keys from wrapped evaluator function by <a href="https://github.com/shamikkarkhanis"><code>@shamikkarkhanis</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3014">langchain-ai/langsmith-sdk#3014</a></li> <li>chore: repoint <a href="mailto:support@langchain.dev">support@langchain.dev</a> mentions to the Support Portal by <a href="https://github.com/lutan-langchain"><code>@lutan-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3024">langchain-ai/langsmith-sdk#3024</a></li> <li>fix(python): derive create_child run id from start_time [LSDK-220] by <a href="https://github.com/harisaiharish"><code>@harisaiharish</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3027">langchain-ai/langsmith-sdk#3027</a></li> <li>chore: sync langsmith_api by <a href="https://github.com/langtions-bot"><code>@langtions-bot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3020">langchain-ai/langsmith-sdk#3020</a></li> <li>chore: js to 0.7.8 and py to 0.8.16 by <a href="https://github.com/shamikkarkhanis"><code>@shamikkarkhanis</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3029">langchain-ai/langsmith-sdk#3029</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
879cad0676 | release(openai): 1.3.2 (#38130) | ||
|
|
9e6f58ba46 | hotfix(openai): switch version (#38123) | ||
|
|
8180a09dd7 | release(openai): 1.4.0 (#38120) | ||
|
|
63cc1f4e7d |
docs: refresh README installation and resources (#38119)
README installation examples now use `uv add` consistently, matching the repo's `uv`-based Python workflow. The top-level README also gets a cleaner quickstart and resource section with current links for docs, community, learning, and contribution guidance. ## Changes - Replaced `pip install` snippets with `uv add` across package quick install docs, including the Hugging Face extras and `sentence-transformers` upgrade examples. - Updated the top-level quickstart to show only `uv add langchain` and refreshed the example model to `openai:gpt-5.5`. - Pointed the LangGraph orchestration link at the LangGraph GitHub repository. - Consolidated top-level documentation and additional-resource links under a single `Resources` section covering docs, ecosystem overview, API reference, discussions, Academy, contributing, and the Code of Conduct. - Added LangChain Academy and Code of Conduct links to package README resource sections. |
||
|
|
86ce95afc2 |
test(core,langchain): update tests for explicit deserialization allowlists (#38118)
Core serialization tests now opt into the object allowlists they rely on instead of assuming default deserialization permits core objects. Compatibility tests that intentionally exercise deprecated runnable streaming and history APIs also suppress the expected deprecation warnings so they can keep covering those legacy paths cleanly. ## Changes - Updated serialization and prompt round-trip tests to pass `allowed_objects="core"` or targeted allowlists when loading `AIMessage`, prompt templates, structured prompts, runnable maps, and related core objects. - Adjusted secret-injection regression coverage to keep testing `secrets_from_env=True` behavior while explicitly allowing core deserialization paths. - Tightened prompt deserialization rejection tests so attribute-access payloads are loaded only through the specific prompt-template allowlist needed to reach validation. - Added module-level warning filters around legacy runnable compatibility coverage for `astream_log`, `astream_events(version="v1")`, and `RunnableWithMessageHistory`. - Bumped the `langchain` package's minimum `langgraph` dependency from `1.2.4` to `1.2.5`. ## Testing - Updated unit tests across core serialization, prompt, fake chat model, runnable history, and runnable event coverage. |
||
|
|
4108c0738c |
release(core): 1.4.7 (#38111)
Bumps `langchain-core` to `1.4.7` for the next patch release and updates downstream minimum `langchain-core` requirements so package locks resolve against the new core version. This also refreshes the runnable snapshots that embed `lc_versions` metadata so the version consistency check continues to validate checked-in artifacts. Validated with `python libs/core/scripts/check_version.py`, `uv lock --check` across package lockfiles, and the core runnable tests that own the updated snapshots with local LangSmith tracing env disabled. |
||
|
|
3bfb6a33e7 | release(langchain): 1.3.9 (#38104) | ||
|
|
f6d63bc9f3 | release(langchain): 1.3.8 (#38096) | ||
|
|
05cc55f1bc | release(core): 1.4.6 (#38061) | ||
|
|
1de100f278 |
chore(infra): bump mypy to 2.1 and unify type-check config across the monorepo (#36470)
Originally a narrow bump of mypy to `1.20` in four packages. Expanded to get the whole monorepo onto a single, current mypy and a consistent type-check configuration, so contributors no longer hit different mypy versions and divergent behavior depending on which package they touch. ### What changed - **Unified the mypy pin to `>=2.1.0,<2.2.0`** in every mypy-using package (6 libs + 14 partners), replacing the previously scattered pins (`1.10`/`1.17`/`1.18`/`1.19`/`1.20`, with assorted upper bounds). - **Unified the `[tool.mypy]` base per tier:** - libs: `plugins = ["pydantic.mypy"]`, `strict = true`, `enable_error_code = "deprecated"`, `warn_unreachable = true` - partners: `disallow_untyped_defs = true` - Normalized style (`disallow_untyped_defs = "True"` string → bool, quote/key consistency). - **Fixed the 20 real errors** mypy 2.1 surfaces: `redundant-cast` from improved narrowing (`core`, `langchain-classic`), a `var-annotated` for `_LOGGED`, a return-type widening in `langchain-groq`'s `_convert_from_v1_to_groq` (it can legitimately return a bare `str`), and stale `type-arg`/`unused-ignore` in `langchain-model-profiles` tests. ### Deliberate non-uniformity (documented inline in the relevant `pyproject.toml`s) Going fully byte-identical would surface ~196 additional errors that are *not* real bugs, so two settings are kept package-appropriate: - **`warn_unreachable`** is enabled on every strict lib **except `core`**, where it false-flags intentional defensive code — including the SSRF / IP-policy guards in `_security/` — as unreachable. - **`pydantic.mypy` plugin** is used only on `anthropic` and `perplexity` (their code is authored against it and reports ~99/~132 errors without it). It is *not* added to the other partners, where it only flags the public alias constructor API (e.g. `ChatGroq(model=...)`) in tests rather than finding bugs. - **`ollama`** is left on its `ty` type checker; it does not use mypy. --------- Co-authored-by: Mason Daugherty <github@mdrxy.com> |
||
|
|
904abb18b6 | release(model-profiles): 0.0.6 (#38057) | ||
|
|
43880362d8 |
feat(standard-tests): validate tool call chunks during streaming (#34707)
As a LangChain user streaming a tool-calling model, I expect each streamed chunk to expose structured `tool_call_chunk` content blocks so I can render or process tool calls live, instead of waiting for the final aggregated message. This adds `tool_call_streaming` to `ModelProfile` and uses it in the standard chat-model tool-calling tests. When a model profile opts in, `test_tool_calling` and `test_tool_calling_async` now validate that at least one streamed chunk includes a `tool_call_chunk` block via `content_blocks`, while preserving the existing final-message validation. This keeps the contract profile-gated so providers can opt in once their streaming chunk shape is verified. This PR opts in the providers verified by smoke testing with straightforward profile coverage: OpenAI, Anthropic, Fireworks, HuggingFace, OpenRouter, DeepSeek, and xAI. The generated profile artifacts are refreshed so runtime profiles expose the new capability flag. Perplexity Responses also passed the smoke test, but its current profile data is for the `sonar` family while the Responses smoke path used a routed model string. That profile strategy is left as follow-up. MistralAI currently streams `.tool_call_chunks`, but its content-block translator exposes a complete `tool_call` block instead of `tool_call_chunk`, so it also stays out of this flag until that integration is fixed. |
||
|
|
8ac91e3f5f | hotfix(core): bump lockfile(s) (#38032) | ||
|
|
3d3a4c27cc | release(langchain): 1.3.7 (#38024) | ||
|
|
e16386d3b2 | release(langchain): 1.3.6 (#38001) | ||
|
|
90b2f94583 | release(langchain): 1.3.5 (#37998) | ||
|
|
c0103c3d2c | hotfix(openai): min core dep (#37990) | ||
|
|
cfdbd799d6 |
chore: bump idna from 3.11 to 3.15 in /libs/model-profiles (#37538)
Bumps [idna](https://github.com/kjd/idna) from 3.11 to 3.15. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/kjd/idna/blob/master/HISTORY.md">idna's changelog</a>.</em></p> <blockquote> <h2>3.15 (2026-05-12)</h2> <ul> <li>Enforce DNS-length cap on individual labels early in <code>check_label</code>, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.</li> <li>Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared <code>_unicode_dots_re</code> from <code>idna.core</code> in the codec module.</li> <li>Use <code>raise ... from err</code> for proper exception chaining and switch internal string formatting to f-strings.</li> <li>Allow <code>flit_core</code> 4.x in the build backend.</li> <li>Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.</li> <li>Add Dependabot configuration for GitHub Actions.</li> <li>Convert README and HISTORY from reStructuredText to Markdown.</li> <li>Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.</li> </ul> <p>Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.</p> <h2>3.14 (2026-05-10)</h2> <ul> <li>Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]</li> </ul> <p>Thanks to Stan Ulbrych for reporting the issue.</p> <h2>3.13 (2026-04-22)</h2> <ul> <li>Correct classification error for codepoint U+A7F1</li> </ul> <h2>3.12 (2026-04-21)</h2> <ul> <li>Update to Unicode 17.0.0.</li> <li>Issue a deprecation warning for the transitional argument.</li> <li>Added lazy-loading to provide some performance improvements.</li> <li>Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.</li> </ul> <p>Thanks to Rodrigo Nogueira for contributions to this release.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
6120400329 |
chore: bump the minor-and-patch group across 3 directories with 15 updates (#37515)
Bumps the minor-and-patch group with 10 updates in the /libs/model-profiles directory: | Package | From | To | | --- | --- | --- | | [pytest-cov](https://github.com/pytest-dev/pytest-cov) | `7.0.0` | `7.1.0` | | [syrupy](https://github.com/syrupy-project/syrupy) | `5.1.0` | `5.2.0` | | [ruff](https://github.com/astral-sh/ruff) | `0.15.5` | `0.15.13` | | [openai](https://github.com/openai/openai-python) | `2.26.0` | `2.37.0` | | [tiktoken](https://github.com/openai/tiktoken) | `0.12.0` | `0.13.0` | | [pydantic](https://github.com/pydantic/pydantic) | `2.12.3` | `2.13.4` | | [requests](https://github.com/psf/requests) | `2.33.0` | `2.34.2` | | [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.8.0` | `0.8.5` | | [tenacity](https://github.com/jd/tenacity) | `9.1.2` | `9.1.4` | | [uuid-utils](https://github.com/aminalaee/uuid-utils) | `0.12.0` | `0.15.0` | Bumps the minor-and-patch group with 7 updates in the /libs/standard-tests directory: | Package | From | To | | --- | --- | --- | | [syrupy](https://github.com/syrupy-project/syrupy) | `5.1.0` | `5.2.0` | | [ruff](https://github.com/astral-sh/ruff) | `0.15.5` | `0.15.13` | | [pydantic](https://github.com/pydantic/pydantic) | `2.12.5` | `2.13.4` | | [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.8.0` | `0.8.5` | | [tenacity](https://github.com/jd/tenacity) | `9.1.2` | `9.1.4` | | [uuid-utils](https://github.com/aminalaee/uuid-utils) | `0.12.0` | `0.15.0` | | [langchain-protocol](https://github.com/langchain-ai/agent-protocol) | `0.0.14` | `0.0.15` | Bumps the minor-and-patch group with 10 updates in the /libs/text-splitters directory: | Package | From | To | | --- | --- | --- | | [ruff](https://github.com/astral-sh/ruff) | `0.15.5` | `0.15.13` | | [tiktoken](https://github.com/openai/tiktoken) | `0.12.0` | `0.13.0` | | [pydantic](https://github.com/pydantic/pydantic) | `2.12.5` | `2.13.4` | | [types-requests](https://github.com/python/typeshed) | `2.32.4.20260107` | `2.33.0.20260518` | | [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.8.0` | `0.8.5` | | [tenacity](https://github.com/jd/tenacity) | `9.1.2` | `9.1.4` | | [uuid-utils](https://github.com/aminalaee/uuid-utils) | `0.12.0` | `0.15.0` | | [spacy](https://github.com/explosion/spaCy) | `3.8.13` | `3.8.14` | | [transformers](https://github.com/huggingface/transformers) | `5.3.0` | `5.8.1` | | [sentence-transformers](https://github.com/huggingface/sentence-transformers) | `5.3.0` | `5.5.0` | Updates `pytest-cov` from 7.0.0 to 7.1.0 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pytest-dev/pytest-cov/blob/master/CHANGELOG.rst">pytest-cov's changelog</a>.</em></p> <blockquote> <h2>7.1.0 (2026-03-21)</h2> <ul> <li> <p>Fixed total coverage computation to always be consistent, regardless of reporting settings. Previously some reports could produce different total counts, and consequently can make --cov-fail-under behave different depending on reporting options. See <code>[#641](https://github.com/pytest-dev/pytest-cov/issues/641) <https://github.com/pytest-dev/pytest-cov/issues/641></code>_.</p> </li> <li> <p>Improve handling of ResourceWarning from sqlite3.</p> <p>The plugin adds warning filter for sqlite3 <code>ResourceWarning</code> unclosed database (since 6.2.0). It checks if there is already existing plugin for this message by comparing filter regular expression. When filter is specified on command line the message is escaped and does not match an expected message. A check for an escaped regular expression is added to handle this case.</p> <p>With this fix one can suppress <code>ResourceWarning</code> from sqlite3 from command line::</p> <p>pytest -W "ignore:unclosed database in <sqlite3.Connection object at:ResourceWarning" ...</p> </li> <li> <p>Various improvements to documentation. Contributed by Art Pelling in <code>[#718](https://github.com/pytest-dev/pytest-cov/issues/718) <https://github.com/pytest-dev/pytest-cov/pull/718></code>_ and "vivodi" in <code>[#738](https://github.com/pytest-dev/pytest-cov/issues/738) <https://github.com/pytest-dev/pytest-cov/pull/738></code><em>. Also closed <code>[#736](https://github.com/pytest-dev/pytest-cov/issues/736) <https://github.com/pytest-dev/pytest-cov/issues/736></code></em>.</p> </li> <li> <p>Fixed some assertions in tests. Contributed by in Markéta Machová in <code>[#722](https://github.com/pytest-dev/pytest-cov/issues/722) <https://github.com/pytest-dev/pytest-cov/pull/722></code>_.</p> </li> <li> <p>Removed unnecessary coverage configuration copying (meant as a backup because reporting commands had configuration side-effects before coverage 5.0).</p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
abd9d4ce31 |
ci(infra): harden Dependabot version-bound preservation (#37510)
Dependabot has been stripping upper/lower bounds from internal `langchain-*` deps in partner `pyproject.toml` files (e.g. #37288 reduced `langchain-core>=1.3.2,<2.0.0` to bare `langchain-core`). Locks down the config so bumps preserve existing specifiers, and restores the bounds it already mangled across the monorepo. ## Changes - Add `versioning-strategy: increase` to every `uv` ecosystem block in `.github/dependabot.yml` so future bumps move the lower bound in place instead of rewriting the constraint. - Ignore workspace-internal packages (`langchain-core`, `langchain`, `langchain-classic`, `langchain-text-splitters`, `langchain-tests`, `langchain-model-profiles`) on every `uv` block — these are editable installs from local paths and their published constraints are hand-curated for release, not Dependabot's to bump. - Restore stripped bounds across all `libs/` packages — runtime `dependencies` and every dep group (`test`, `dev`, `test_integration`, `typing`, `lint`) — to `>=1.4.0,<2.0.0` for `langchain-core` and `>=1.0.0,<2.0.0` for the other internal packages. |
||
|
|
c7daed8c0f | hotfix: bump lockfiles (#37508) | ||
|
|
a57eccecbd |
chore: bump langsmith from 0.7.31 to 0.8.0 in /libs/model-profiles (#37382)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.7.31 to 0.8.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.8.0</h2> <h2>What's Changed</h2> <ul> <li>feat(js,py): JS 0.6.0, Py 0.8.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2831">langchain-ai/langsmith-sdk#2831</a></li> <li>release(js): 0.6.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2832">langchain-ai/langsmith-sdk#2832</a></li> <li>release(py): 0.8.0 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2833">langchain-ai/langsmith-sdk#2833</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.38...v0.8.0</a></p> <h2>v0.7.38</h2> <h2>What's Changed</h2> <ul> <li>feat(js): add tracing of opencode by <a href="https://github.com/dqbd"><code>@dqbd</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2776">langchain-ai/langsmith-sdk#2776</a></li> <li>chore(js): Remove types/uuid by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2814">langchain-ai/langsmith-sdk#2814</a></li> <li>docs(sandbox): document default idle TTL of 10 minutes by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2788">langchain-ai/langsmith-sdk#2788</a></li> <li>ci(py): Bump pytest timeout to 2m by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2815">langchain-ai/langsmith-sdk#2815</a></li> <li>chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 4 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2803">langchain-ai/langsmith-sdk#2803</a></li> <li>chore(deps): update sphinx-autobuild requirement from >=2024 to >=2024.10.3 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2809">langchain-ai/langsmith-sdk#2809</a></li> <li>chore(deps): update myst-nb requirement from >=1.1.1 to >=1.4.0 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2810">langchain-ai/langsmith-sdk#2810</a></li> <li>chore(deps-dev): bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2812">langchain-ai/langsmith-sdk#2812</a></li> <li>chore(deps-dev): bump <code>@langchain/openai</code> from 0.5.18 to 0.6.17 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2806">langchain-ai/langsmith-sdk#2806</a></li> <li>chore(deps): bump the py-minor-and-patch group across 1 directory with 18 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2808">langchain-ai/langsmith-sdk#2808</a></li> <li>feat(py): Adds strands OTEL exporter by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2817">langchain-ai/langsmith-sdk#2817</a></li> <li>chore(js): Switch to oxfmt and oxlint by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2819">langchain-ai/langsmith-sdk#2819</a></li> <li>fix(py): fix RunTree ValidationError when inputs or outputs is a Pydantic BaseModel by <a href="https://github.com/QuentinBrosse"><code>@QuentinBrosse</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2820">langchain-ai/langsmith-sdk#2820</a></li> <li>chore: add apac support by <a href="https://github.com/joaquin-borggio-lc"><code>@joaquin-borggio-lc</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2821">langchain-ai/langsmith-sdk#2821</a></li> <li>fix(js): Pull Claude Agent SDK subagent runs from transcript, add tool span for subagents, merge message blocks by id by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2816">langchain-ai/langsmith-sdk#2816</a></li> <li>release(js): 0.5.26 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2824">langchain-ai/langsmith-sdk#2824</a></li> <li>release(py): 0.7.38 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2825">langchain-ai/langsmith-sdk#2825</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.37...v0.7.38">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.37...v0.7.38</a></p> <h2>v0.7.37</h2> <h2>What's Changed</h2> <ul> <li>perf(js): Offload serialize to worker thread at flush time by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2781">langchain-ai/langsmith-sdk#2781</a></li> <li>release(js): 0.5.24 by <a href="https://github.com/emil-lc"><code>@emil-lc</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2790">langchain-ai/langsmith-sdk#2790</a></li> <li>chore(js): Fix perf test flagging by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2792">langchain-ai/langsmith-sdk#2792</a></li> <li>feat(js,python): Adds hub model config and provider to schemas by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2793">langchain-ai/langsmith-sdk#2793</a></li> <li>fix(js): minor test improvements by <a href="https://github.com/christian-bromann"><code>@christian-bromann</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2429">langchain-ai/langsmith-sdk#2429</a></li> <li>fix(js): Include auth headers on info requests by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2800">langchain-ai/langsmith-sdk#2800</a></li> <li>release(js): 0.5.25 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2801">langchain-ai/langsmith-sdk#2801</a></li> <li>fix(python): flush both tracing_queue and compressed_traces in flush() by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2796">langchain-ai/langsmith-sdk#2796</a></li> <li>chore(deps): bump postcss from 8.5.8 to 8.5.10 in /js/internal/environment_tests/test-exports-vite in the npm_and_yarn group across 1 directory by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2791">langchain-ai/langsmith-sdk#2791</a></li> <li>chore(deps-dev): bump google-adk from 1.10.0 to 1.28.1 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2794">langchain-ai/langsmith-sdk#2794</a></li> <li>fix(python): flush pending traces during Client.cleanup() by <a href="https://github.com/angus-langchain"><code>@angus-langchain</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2799">langchain-ai/langsmith-sdk#2799</a></li> <li>fix(py): Fix concurrency for multiple Claude Agent SDK sessions by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2795">langchain-ai/langsmith-sdk#2795</a></li> <li>release(py): 0.7.37 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2802">langchain-ai/langsmith-sdk#2802</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.36...v0.7.37">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.36...v0.7.37</a></p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
83f3aaaa7a |
chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/model-profiles (#37325)
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
fa4e609b61 |
chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/model-profiles (#37254)
Bumps [langchain-core](https://github.com/langchain-ai/langchain) from 1.3.2 to 1.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.3.3</h2> <p>Changes since langchain-core==1.3.2</p> <p>release(core): 1.3.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37198">#37198</a>) fix(core): set deprecation <code>since</code> to 1.3.3 to match release (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37200">#37200</a>) fix(core, langchain): harden <code>load()</code> against untrusted manifests (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37197">#37197</a>) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37109">#37109</a>) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37129">#37129</a>) fix(core): preserve structured <code>inputs</code> on tool runs in tracers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37108">#37108</a>) release(perplexity): 1.2.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37091">#37091</a>) chore(docs): update x handle references (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37081">#37081</a>) fix(core): make <code>removal</code> optional in <code>warn_deprecated</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/37056">#37056</a>) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36663">#36663</a>) chore(core): mark stream_v2/astream_v2 as beta (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36992">#36992</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
46a6cb1c90 |
chore: bump types-toml from 0.10.8.20240310 to 0.10.8.20260408 in /libs/model-profiles (#37124)
Bumps [types-toml](https://github.com/python/typeshed) from 0.10.8.20240310 to 0.10.8.20260408. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/python/typeshed/commits">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
cc5a5371a9 | release(fireworks): 1.2.1 (#37113) | ||
|
|
38553c3f2d | release(perplexity): 1.2.0 (#37091) | ||
|
|
ba897ffa7e |
chore(docs): update x handle references (#37081)
## Description Updates package metadata and README badges so LangChain social links point to the new `@langchain_oss` X handle. This was completed with AI-agent assistance. ## Test Plan - [ ] Validate README badges and package metadata links point to `https://x.com/langchain_oss` _Opened collaboratively by Mason Daugherty and open-swe._ --------- Co-authored-by: open-swe[bot] <open-swe@users.noreply.github.com> Co-authored-by: Mason Daugherty <61371264+mdrxy@users.noreply.github.com> |
||
|
|
7a4594b682 |
fix(anthropic): restore cache_control on non-direct subclasses (#37057)
Closes #37042 --- `AnthropicPromptCachingMiddleware` was unconditionally setting top-level `cache_control` in `model_settings` for any `ChatAnthropic` subclass. That field is direct-Anthropic-API only — `ChatAnthropicBedrock` (which subclasses `ChatAnthropic` and passed the existing `isinstance` gate) errored with `cache_control: Extra inputs are not permitted`. Investigating that surfaced a related regression: PR #35967 also deleted the block-level `cache_control` injection in `_get_request_payload`, which silently disabled caching entirely for non-direct subclasses (Bedrock had been falling back to in-block breakpoints). This restores both paths. ## Changes - Add `_is_direct_anthropic_llm_type` predicate that allowlists `_llm_type == "anthropic-chat"`. Both the middleware's `_supports_automatic_caching` and the new branch in `ChatAnthropic._get_request_payload` route through it, so any subclass that overrides `_llm_type` (Bedrock today, future direct-API variants tomorrow) is treated as non-direct by default. Replaces the prior substring-matching denylist on `"bedrock"`/`"vertex"`. - Restore `_collect_code_execution_tool_ids`, `_is_code_execution_related_block`, and a new `_apply_cache_control_to_last_eligible_block` helper in `chat_models`. For non-direct subclasses, `_get_request_payload` now pops `cache_control` from kwargs and walks messages newest-to-oldest, attaching the breakpoint to the last block that isn't `code_execution`-related (Anthropic forbids breakpoints on those). - Emit `UserWarning` when `cache_control` is requested but every candidate block is `code_execution`-related — previously a silent drop. - `AnthropicPromptCachingMiddleware._apply_caching` now sets the top-level `cache_control` only when `_supports_automatic_caching(request.model)`. System-message and tool-definition breakpoints continue to apply for all `ChatAnthropic` subclasses, since those are accepted by every transport. - Note: `ChatAnthropicVertex` does not subclass `ChatAnthropic` (it lives in `langchain-google-vertexai` and ships its own `_get_request_payload`), so the chat-models changes here only affect Bedrock. The middleware-side gate covers Vertex implicitly via the `isinstance(request.model, ChatAnthropic)` check that already excludes it. |
||
|
|
a70e7ab80e | release(openai): 1.2.1 (#36995) | ||
|
|
9ce72eba9f | feat(core): add content-block-centric streaming (v2) (#36834) | ||
|
|
7b09eb7bda |
fix(fireworks): honor max_retries (#36973)
`ChatFireworks.max_retries` silently did nothing. The old code assigned the value to a `ChatCompletionV2` sub-object rather than the base client, and the pinned Fireworks SDK (0.13.0–0.19.20) never honors its own `_max_retries` attribute on the base client either. Since the Stainless-generated 1.x SDK that does implement retries is still pre-release (1.0.1a63 at time of writing), retry responsibility is ported to the LangChain side until the pin can be bumped. |
||
|
|
bb77a4229f | release(openai): 1.2.0 (#36961) | ||
|
|
e85c418cfa |
chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/model-profiles (#36798)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.6.3 to 0.7.31. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.7.31</h2> <h2>What's Changed</h2> <ul> <li>chore(deps-dev): bump langchain-core from 1.2.23 to 1.2.28 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2692">langchain-ai/langsmith-sdk#2692</a></li> <li>chore(deps-dev): bump <code>@anthropic-ai/sdk</code> from 0.82.0 to 0.84.0 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2684">langchain-ai/langsmith-sdk#2684</a></li> <li>chore(deps): bump cryptography from 46.0.6 to 46.0.7 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2693">langchain-ai/langsmith-sdk#2693</a></li> <li>chore(deps-dev): bump <code>@anthropic-ai/sdk</code> from 0.84.0 to 0.85.0 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2700">langchain-ai/langsmith-sdk#2700</a></li> <li>feat(py): Tag OpenAI Agent Python SDK runs with ls_agent_type by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2699">langchain-ai/langsmith-sdk#2699</a></li> <li>feat(js): Adds ls_agent_type metadata to AI SDK runs by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2701">langchain-ai/langsmith-sdk#2701</a></li> <li>chore(deps-dev): bump types-tqdm from 4.67.3.20260303 to 4.67.3.20260408 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2710">langchain-ai/langsmith-sdk#2710</a></li> <li>chore(deps): bump pnpm/action-setup from 5 to 6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2705">langchain-ai/langsmith-sdk#2705</a></li> <li>chore(deps): bump the py-minor-and-patch group across 1 directory with 10 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2711">langchain-ai/langsmith-sdk#2711</a></li> <li>chore(deps-dev): bump <code>@anthropic-ai/sdk</code> from 0.85.0 to 0.86.0 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2702">langchain-ai/langsmith-sdk#2702</a></li> <li>chore(deps): bump actions/github-script from 8 to 9 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2706">langchain-ai/langsmith-sdk#2706</a></li> <li>chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 7 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2712">langchain-ai/langsmith-sdk#2712</a></li> <li>chore(deps-dev): bump types-psutil from 7.2.2.20260130 to 7.2.2.20260408 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2709">langchain-ai/langsmith-sdk#2709</a></li> <li>chore(deps-dev): bump rich from 14.3.3 to 15.0.0 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2708">langchain-ai/langsmith-sdk#2708</a></li> <li>feat: Filter kwargs from new token events by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2714">langchain-ai/langsmith-sdk#2714</a></li> <li>release(py): 0.7.31 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2716">langchain-ai/langsmith-sdk#2716</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.30...v0.7.31">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.30...v0.7.31</a></p> <h2>v0.7.30</h2> <h2>What's Changed</h2> <ul> <li>feat(python): add service feature to sandbox by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2665">langchain-ai/langsmith-sdk#2665</a></li> <li>fix(js): Fix prototype pollution bug in anonymizers by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2690">langchain-ai/langsmith-sdk#2690</a></li> <li>release(js): 0.5.18 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2691">langchain-ai/langsmith-sdk#2691</a></li> <li>chore(js/sandbox): suppress warning log by <a href="https://github.com/hntrl"><code>@hntrl</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2694">langchain-ai/langsmith-sdk#2694</a></li> <li>feat(js): Add metadata to Claude Agent SDK JS tracing by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2695">langchain-ai/langsmith-sdk#2695</a></li> <li>fix(py): Fix run tree memory leak by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2696">langchain-ai/langsmith-sdk#2696</a></li> <li>release(py): 0.7.30 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2698">langchain-ai/langsmith-sdk#2698</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.29...v0.7.30">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.29...v0.7.30</a></p> <h2>v0.7.29</h2> <h2>What's Changed</h2> <ul> <li>release(js): 0.5.17 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2681">langchain-ai/langsmith-sdk#2681</a></li> <li>feat(py): Fix race condition around Claude Agent SDK instrumentation by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2685">langchain-ai/langsmith-sdk#2685</a></li> <li>release(py): 0.7.29 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2686">langchain-ai/langsmith-sdk#2686</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.28...v0.7.29">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.28...v0.7.29</a></p> <h2>v0.7.28</h2> <h2>What's Changed</h2> <ul> <li>feat(py): Support subagent tracing in Claude Agents SDK, fix usage and duplicate messages by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2670">langchain-ai/langsmith-sdk#2670</a></li> <li>chore(deps-dev): bump the py-minor-and-patch group across 1 directory with 11 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2677">langchain-ai/langsmith-sdk#2677</a></li> <li>chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 8 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2667">langchain-ai/langsmith-sdk#2667</a></li> <li>chore(deps): bump pnpm/action-setup from 4 to 5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2658">langchain-ai/langsmith-sdk#2658</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/langchain-ai/langsmith-sdk/commits/v0.7.31">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
7e81d09f2a |
chore(deps): bump pytest to 9.0.3 (#36801)
CVE-2025-71176 (medium severity) All are dev-only (test dependency group) — no impact on published packages. ### Why syrupy was also bumped syrupy 4.x (`<5.0.0`) constrains pytest to `<9.0.0`, blocking the CVE fix. Widening to `<6.0.0` allows syrupy 5.x which supports pytest 9.x. |
||
|
|
db149ff291 |
chore: bump pytest from 9.0.2 to 9.0.3 in /libs/model-profiles (#36716)
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.0.2 to 9.0.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pytest-dev/pytest/releases">pytest's releases</a>.</em></p> <blockquote> <h2>9.0.3</h2> <h1>pytest 9.0.3 (2026-04-07)</h1> <h2>Bug fixes</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/12444">#12444</a>: Fixed <code>pytest.approx</code> which now correctly takes into account <code>~collections.abc.Mapping</code> keys order to compare them.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13634">#13634</a>: Blocking a <code>conftest.py</code> file using the <code>-p no:</code> option is now explicitly disallowed.</p> <p>Previously this resulted in an internal assertion failure during plugin loading.</p> <p>Pytest now raises a clear <code>UsageError</code> explaining that conftest files are not plugins and cannot be disabled via <code>-p</code>.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13734">#13734</a>: Fixed crash when a test raises an exceptiongroup with <code>__tracebackhide__ = True</code>.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14195">#14195</a>: Fixed an issue where non-string messages passed to <!-- raw HTML omitted -->unittest.TestCase.subTest()<!-- raw HTML omitted --> were not printed.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14343">#14343</a>: Fixed use of insecure temporary directory (CVE-2025-71176).</p> </li> </ul> <h2>Improved documentation</h2> <ul> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/13388">#13388</a>: Clarified documentation for <code>-p</code> vs <code>PYTEST_PLUGINS</code> plugin loading and fixed an incorrect <code>-p</code> example.</li> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/13731">#13731</a>: Clarified that capture fixtures (e.g. <code>capsys</code> and <code>capfd</code>) take precedence over the <code>-s</code> / <code>--capture=no</code> command-line options in <code>Accessing captured output from a test function <accessing-captured-output></code>.</li> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/14088">#14088</a>: Clarified that the default <code>pytest_collection</code> hook sets <code>session.items</code> before it calls <code>pytest_collection_finish</code>, not after.</li> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/14255">#14255</a>: TOML integer log levels must be quoted: Updating reference documentation.</li> </ul> <h2>Contributor-facing changes</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/12689">#12689</a>: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible <a href="https://app.codecov.io/gh/pytest-dev/pytest/tests">on the web interface</a>.</p> <p>-- by <code>aleguy02</code></p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
555bdfbade |
chore: add comment explaining pygments>=2.20.0 (#36570)
|
||
|
|
0a1d290ac2 | release(core): 1.2.26 (#36511) | ||
|
|
0f4f3f74c8 |
chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385)
## Summary Bumps `pygments` to `>=2.20.0` across all 21 affected packages to address [CVE-2026-4539](https://github.com/advisories/GHSA-XXXX) — ReDoS via inefficient GUID regex in Pygments. - **Severity:** Low - **Fixed in:** 2.20.0 (was 2.19.2) - **Change:** Added `pygments>=2.20.0` to `constraint-dependencies` in `[tool.uv]` for each package, then ran `uv lock --upgrade-package pygments` to regenerate lock files. Closes Dependabot alerts #3435–#3455. ## Release Note Patch deps ### Test Plan - [x] CI Green 🙏 Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|
|
106070de92 |
chore: bump requests from 2.32.5 to 2.33.0 in /libs/model-profiles (#36240)
Bumps [requests](https://github.com/psf/requests) from 2.32.5 to 2.33.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p> <blockquote> <h2>v2.33.0</h2> <h2>2.33.0 (2026-03-25)</h2> <p><strong>Announcements</strong></p> <ul> <li>📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at <a href="https://redirect.github.com/psf/requests/issues/7271">#7271</a>. Give it a try, and report any gaps or feedback you may have in the issue. 📣</li> </ul> <p><strong>Security</strong></p> <ul> <li>CVE-2026-25645 <code>requests.utils.extract_zipped_paths</code> now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.</li> </ul> <p><strong>Improvements</strong></p> <ul> <li>Migrated to a PEP 517 build system using setuptools. (<a href="https://redirect.github.com/psf/requests/issues/7012">#7012</a>)</li> </ul> <p><strong>Bugfixes</strong></p> <ul> <li>Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (<a href="https://redirect.github.com/psf/requests/issues/7205">#7205</a>)</li> </ul> <p><strong>Deprecations</strong></p> <ul> <li>Dropped support for Python 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/7196">#7196</a>)</li> </ul> <p><strong>Documentation</strong></p> <ul> <li>Various typo fixes and doc improvements.</li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/M0d3v1"><code>@M0d3v1</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/6865">psf/requests#6865</a></li> <li><a href="https://github.com/aminvakil"><code>@aminvakil</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/7220">psf/requests#7220</a></li> <li><a href="https://github.com/E8Price"><code>@E8Price</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/6960">psf/requests#6960</a></li> <li><a href="https://github.com/mitre88"><code>@mitre88</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/7244">psf/requests#7244</a></li> <li><a href="https://github.com/magsen"><code>@magsen</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/6553">psf/requests#6553</a></li> <li><a href="https://github.com/Rohan5commit"><code>@Rohan5commit</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/7227">psf/requests#7227</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25">https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's changelog</a>.</em></p> <blockquote> <h2>2.33.0 (2026-03-25)</h2> <p><strong>Announcements</strong></p> <ul> <li>📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at <a href="https://redirect.github.com/psf/requests/issues/7271">#7271</a>. Give it a try, and report any gaps or feedback you may have in the issue. 📣</li> </ul> <p><strong>Security</strong></p> <ul> <li>CVE-2026-25645 <code>requests.utils.extract_zipped_paths</code> now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.</li> </ul> <p><strong>Improvements</strong></p> <ul> <li>Migrated to a PEP 517 build system using setuptools. (<a href="https://redirect.github.com/psf/requests/issues/7012">#7012</a>)</li> </ul> <p><strong>Bugfixes</strong></p> <ul> <li>Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (<a href="https://redirect.github.com/psf/requests/issues/7205">#7205</a>)</li> </ul> <p><strong>Deprecations</strong></p> <ul> <li>Dropped support for Python 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/7196">#7196</a>)</li> </ul> <p><strong>Documentation</strong></p> <ul> <li>Various typo fixes and doc improvements.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
1778b082ec |
chore(partners): bump langchain-core min to 1.2.21 (#36183)
Bump the minimum `langchain-core` dependency to `>=1.2.21` across all 14 partner packages in the monorepo. Aligns partner lower bounds with the latest core release so consumers pick up recent fixes (notably the `ModelProfile` schema drift fix from core 1.2.21). |
||
|
|
2f64d80cc6 |
fix(core,model-profiles): add missing ModelProfile fields, warn on schema drift (#36129)
PR #35788 added 7 new fields to the `langchain-profiles` CLI output (`name`, `status`, `release_date`, `last_updated`, `open_weights`, `attachment`, `temperature`) but didn't update `ModelProfile` in `langchain-core`. Partner packages like `langchain-aws` that set `extra="forbid"` on their Pydantic models hit `extra_forbidden` validation errors when Pydantic encountered undeclared TypedDict keys at construction time. This adds the missing fields, makes `ModelProfile` forward-compatible, provides a base-class hook so partners can stop duplicating model-profile validator boilerplate, migrates all in-repo partners to the new hook, and adds runtime + CI-time warnings for schema drift. ## Changes ### `langchain-core` - Add `__pydantic_config__ = ConfigDict(extra="allow")` to `ModelProfile` so unknown profile keys pass Pydantic validation even on models with `extra="forbid"` — forward-compatibility for when the CLI schema evolves ahead of core - Declare the 7 missing fields on `ModelProfile`: `name`, `status`, `release_date`, `last_updated`, `open_weights` (metadata) and `attachment`, `temperature` (capabilities) - Add `_warn_unknown_profile_keys()` in `model_profile.py` — emits a `UserWarning` when a profile dict contains keys not in `ModelProfile`, suggesting a core upgrade. Wrapped in a bare `except` so introspection failures never crash model construction - Add `BaseChatModel._resolve_model_profile()` hook that returns `None` by default. Partners can override this single method instead of redefining the full `_set_model_profile` validator — the base validator calls it automatically - Add `BaseChatModel._check_profile_keys` as a separate `model_validator` that calls `_warn_unknown_profile_keys`. Uses a distinct method name so partner overrides of `_set_model_profile` don't inadvertently suppress the check ### `langchain-profiles` CLI - Add `_warn_undeclared_profile_keys()` to the CLI (`cli.py`), called after merging augmentations in `refresh()` — warns at profile-generation time (not just runtime) when emitted keys aren't declared in `ModelProfile`. Gracefully skips if `langchain-core` isn't installed - Add guard test `test_model_data_to_profile_keys_subset_of_model_profile` in model-profiles — feeds a fully-populated model dict to `_model_data_to_profile()` and asserts every emitted key exists in `ModelProfile.__annotations__`. CI fails before any release if someone adds a CLI field without updating the TypedDict ### Partner packages - Migrate all 10 in-repo partners to the `_resolve_model_profile()` hook, replacing duplicated `@model_validator` / `_set_model_profile` overrides: anthropic, deepseek, fireworks, groq, huggingface, mistralai, openai (base + azure), openrouter, perplexity, xai - Anthropic retains custom logic (context-1m beta → `max_input_tokens` override); all others reduce to a one-liner - Add `pr_lint.yml` scope for the new `model-profiles` package |
||
|
|
faadc1f3ce |
ci: suppress pytest streaming output in CI (#36092)
Reduce CI log noise by suppressing pytest's per-test dot/verbose streaming output. The `_test.yml` workflow now passes `PYTEST_EXTRA=-q` to `make test`, which overrides the default verbosity with quiet mode — failures still print in full, but the thousands of `.......` progress lines are gone. Local `make test` is unaffected since `PYTEST_EXTRA` defaults empty. ## Changes - Add `PYTEST_EXTRA ?=` variable to all 21 package Makefiles and inject it into each `test` target's pytest invocation - Pass `PYTEST_EXTRA=-q` in `_test.yml` for both the main test step and the min-version retest step |
||
|
|
07fa576de1 |
ci: avoid unnecessary dep installs in lint targets (#36046)
CI lint jobs use `uv run --all-groups` for all tools, but ruff doesn't need dependency resolution — only mypy does. By splitting into `UV_RUN_LINT` (ruff) and `UV_RUN_TYPE` (mypy), the CI-facing targets run ruff with `--group lint` only, giving fast-fail feedback before mypy triggers the full environment sync. For packages where source code only conditionally imports heavy deps (text-splitters, huggingface), `lint_package` also overrides `UV_RUN_TYPE` to `--group lint --group typing`, skipping the ~3.5GB `test_integration` download entirely. `lint_tests` keeps `--all-groups` since test code legitimately imports those deps. Additionally, `lint_imports.sh` was inconsistently wired — most packages had the script but weren't calling it. ## Changes **Makefile optimization** - Introduce `UV_RUN_LINT` and `UV_RUN_TYPE` Make variables, both defaulting to `uv run --all-groups`. For `lint_package` and `lint_tests`, `UV_RUN_LINT` is overridden to `uv run --group lint` so ruff runs instantly without syncing heavy deps - For `text-splitters` and `huggingface`, override `UV_RUN_TYPE` on `lint_package` to `uv run --group lint --group typing` — mypy runs without downloading torch, CUDA, spacy, etc. **mypy config for lean groups** - Add `transformers` and `transformers.*` to `ignore_missing_imports` in `text-splitters` pyproject.toml (conditional `try/except` import, same treatment as existing `konlpy`/`nltk` entries) - Add `torch`, `torch.*`, `langchain_community`, `langchain_community.*` to `ignore_missing_imports` in `huggingface` pyproject.toml - Add dual `# type: ignore[unreachable, unused-ignore]` in `text-splitters/base.py` to handle the `PreTrainedTokenizerBase` isinstance check that behaves differently depending on whether transformers is installed **lint_imports.sh consistency** - Add `./scripts/lint_imports.sh` to the lint recipe in every package that wasn't calling it (standard-tests, model-profiles, all 15 partners), and create the script for the two packages missing it entirely (`model-profiles`, `openrouter`) - Update all `lint_imports.sh` scripts to allow `from langchain.agents` and `from langchain.tools` imports (legitimate v1 middleware dependencies used by `langchain-anthropic` and `langchain-openai`) |
||
|
|
32db242227 |
fix(model-profiles): use posix-compatible substitution in makefile (#35957)
The `refresh_model_profiles` CI workflow has been failing daily since
the `refresh-profiles` Makefile target was added. `make` runs recipes
with `/bin/sh`, which is dash on Ubuntu CI runners — and
`${var//pattern/replacement}` is a bash-only construct that dash rejects
with `Bad substitution`.
## Changes
- Replace bash-ism `$${partner//-/_}` with POSIX-compatible `$$(echo
"$${partner}" | tr '-' '_')` in the `refresh-profiles` target's
`data_dir` construction
|
||
|
|
0157621224 | chore: bump orjson from 3.11.5 to 3.11.6 in /libs/model-profiles (#35857) | ||
|
|
5d9568b5f5 |
feat(model-profiles): new fields + Makefile target (#35788)
Extract additional fields from models.dev into `_model_data_to_profile`: `name`, `status`, `release_date`, `last_updated`, `open_weights`, `attachment`, `temperature` Move the model profile refresh logic from an inline bash script in the GitHub Actions workflow into a `make refresh-profiles` target in `libs/model-profiles/Makefile`. This makes it runnable locally with a single command and keeps the provider map in one place instead of duplicated between CI and developer docs. |
||
|
|
5e4a4cd5f8 |
chore: bump langgraph from 1.0.8 to 1.0.10rc1 in /libs/model-profiles (#35611)
Bumps [langgraph](https://github.com/langchain-ai/langgraph) from 1.0.8 to 1.0.10rc1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langgraph/releases">langgraph's releases</a>.</em></p> <blockquote> <h2>langgraph==1.0.10rc1</h2> <p>Changes since 1.0.9</p> <ul> <li>release: Candidate (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6947">#6947</a>)</li> <li>Merge commit from fork</li> <li>chore: add tests to confirm expected subgraph persistence behavior (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6943">#6943</a>)</li> <li>fix(langgraph): correct ParentCommand bubbling when checkpoint_ns includes numeric task segments (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6864">#6864</a>)</li> <li>chore: add <code>make type</code> target for type checking (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6748">#6748</a>)</li> </ul> <h2>langgraph==1.0.9</h2> <p>Changes since 1.0.8</p> <ul> <li>release: langgraph + prebuilt (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6875">#6875</a>)</li> <li>fix: sequential interrupt handling w/ functional API (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6863">#6863</a>)</li> <li>chore: state_updated_at sort by (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6857">#6857</a>)</li> <li>chore: bump orjson (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6852">#6852</a>)</li> <li>chore: conformance testing (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6842">#6842</a>)</li> <li>chore(deps): bump the all-dependencies group in /libs/langgraph with 6 updates (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6815">#6815</a>)</li> <li>chore(deps): bump protobuf from 6.33.4 to 6.33.5 in /libs/langgraph (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6833">#6833</a>)</li> <li>chore(deps): bump cryptography from 46.0.3 to 46.0.5 in /libs/langgraph (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6837">#6837</a>)</li> <li>chore(deps): bump nbconvert from 7.16.6 to 7.17.0 in /libs/langgraph (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6832">#6832</a>)</li> <li>chore: server runtime type (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6774">#6774</a>)</li> <li>refactor: replace bare except with BaseException in AsyncQueue (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6765">#6765</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |