Defer `langsmith` and tracer imports in `callbacks/manager.py` and
`runnables/config.py` from module-level to function-level.
These imports pull in the full `langsmith` package (~132ms) at import
time but are only used inside `_configure()`, `trace_as_chain_group()`,
`_set_config_context()`, and `set_config_context()` — none of which run
during module initialization.
## Summary
- Replace `claude-3-5-haiku-20241022` and `claude-3-7-sonnet-20250219`
with `claude-haiku-4-5-20251001` and `claude-sonnet-4-5-20250929`
respectively
- Both models were retired by Anthropic on February 19, 2026, causing
all anthropic integration tests to fail
- Updates integration tests, a unit test, and docstring examples in
`langchain-core`
See:
https://platform.claude.com/docs/en/docs/resources/model-deprecations
- Schedules the `refresh_model_profiles` workflow to run daily at 08:00
UTC (manual trigger available).
- Adds a job summary step that reports whether a PR was created/updated
or skipped because profiles were already up to date.
- Each run supersedes any stale PR from a previous run since the action
force-pushes to a fixed branch (`bot/refresh-model-profiles`).
- Sort model profiles alphabetically by model ID (the top-level
`_PROFILES` dictionary keys, e.g. `claude-3-5-haiku-20241022`,
`gpt-4o-mini`) before writing `_profiles.py`, so that regenerating
profiles only shows actual data changes in diffs — not random reordering
from the models.dev API response order
- Regenerate all 10 partner profile files with the new sorted ordering
The trailing comma regex in the profile generation script consumed the
closing `}` as part of its match, preventing nested closing braces from
getting their own trailing comma. This caused `ruff format` failures on
every generated `_profiles.py` file.
Switches to a lookahead (`(?=...)`) so the closing bracket is asserted
but not consumed, allowing each nesting level to independently receive
its trailing comma.
Fixes#35332.
Fix several docstring inaccuracies in langchain-core and update outdated
LangSmith URLs across three README files.
**Docstring fixes (libs/core):**
- `tap_output_iter`: docstring says "async iterator" but method accepts
sync `Iterator`
- `agenerate_from_stream`: docstring says "Iterator" but method accepts
`AsyncIterator`
- `BaseLLM.OutputType`: docstring says "input type" but property returns
output type
- Grammar: "or deprecated" → "or be deprecated", "relies" → "rely",
"whose the" → "whose"
**URL fixes (libs/core, libs/langchain, libs/langchain_v1):**
- Updated `smith.langchain.com` → `www.langchain.com/langsmith` (root
README already uses the correct URL)
Verified with `make lint` and `make format` in libs/core — no new issues
introduced. Changes are docs-only with no code logic impact.
*This PR was created with assistance from an AI coding tool.*
Bumps the langchain-deps group with 1 update in the /libs/langchain
directory: langchainhub.
Updates `langchainhub` from 0.1.18 to 0.1.21
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the other-deps group with 1 update in the /libs/text-splitters
directory: [transformers](https://github.com/huggingface/transformers).
Updates `transformers` from 5.1.0 to 5.2.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7d9754a051"><code>7d9754a</code></a>
Fix unprotected torch import (<a
href="https://redirect.github.com/huggingface/transformers/issues/44055">#44055</a>)</li>
<li><a
href="a0a3d294b6"><code>a0a3d29</code></a>
Fix peft conversion typo (<a
href="https://redirect.github.com/huggingface/transformers/issues/44053">#44053</a>)</li>
<li><a
href="2096db0aa1"><code>2096db0</code></a>
v5.2.0</li>
<li><a
href="73ecc5e314"><code>73ecc5e</code></a>
[fix][wip] GlmMoeDsa: try implement DSA (<a
href="https://redirect.github.com/huggingface/transformers/issues/43912">#43912</a>)</li>
<li><a
href="349e00c1a3"><code>349e00c</code></a>
Fix early image processor return not raising error (<a
href="https://redirect.github.com/huggingface/transformers/issues/43981">#43981</a>)</li>
<li><a
href="2bd902dbc4"><code>2bd902d</code></a>
Update assignee for generate in bug report template (<a
href="https://redirect.github.com/huggingface/transformers/issues/44042">#44042</a>)</li>
<li><a
href="2546978b80"><code>2546978</code></a>
Add a dim check mechanism in Transpose and fix qwen3_vl_moe weight
mapping (#...</li>
<li><a
href="08c4ad95d4"><code>08c4ad9</code></a>
fix(models): Unpack BitNet packed weights to fix CI failure (<a
href="https://redirect.github.com/huggingface/transformers/issues/43721">#43721</a>)</li>
<li><a
href="53f8a08290"><code>53f8a08</code></a>
SINQ quantization strategy integration (adapted for Transformers V5) (<a
href="https://redirect.github.com/huggingface/transformers/issues/43112">#43112</a>)</li>
<li><a
href="9a9231632e"><code>9a92316</code></a>
split out accelerator args builder method (<a
href="https://redirect.github.com/huggingface/transformers/issues/43987">#43987</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/huggingface/transformers/compare/v5.1.0...v5.2.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Updates the minimum Pillow version to address CVE-2026-25990 (HIGH
severity out-of-bounds write vulnerability affecting versions 10.3.0
through 12.1.0).
Changes:
langchain-nomic: pillow>=10.3.0,<13.0.0 → pillow>=12.1.1,<13.0.0
langchain-openai: pillow>=10.3.0,<13.0.0 → pillow>=12.1.1,<13.0.0
langchain-perplexity: pillow>=10.3.0,<13.0.0 → pillow>=12.1.1,<13.0.0
Safety: This is a minimum version bump within the existing constraint
range (<13.0.0), so no breaking changes are introduced.
CVE Details:
CVE-2026-25990: An out-of-bounds write may be triggered when loading a
specially crafted PSD image
Affected versions: 10.3.0 to <12.1.1
Fixed in: 12.1.1
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-25990
** Claude Helped me write this nice message **
The original findings was thanks to a Trivy scan
---------
Co-authored-by: Mason Daugherty <mason@langchain.dev>
