mirror of
https://github.com/hwchase17/langchain.git
synced 2026-03-18 11:07:36 +00:00
68a14844b5
Updates the minimum Pillow version to address CVE-2026-25990 (HIGH severity out-of-bounds write vulnerability affecting versions 10.3.0 through 12.1.0). Changes: langchain-nomic: pillow>=10.3.0,<13.0.0 → pillow>=12.1.1,<13.0.0 langchain-openai: pillow>=10.3.0,<13.0.0 → pillow>=12.1.1,<13.0.0 langchain-perplexity: pillow>=10.3.0,<13.0.0 → pillow>=12.1.1,<13.0.0 Safety: This is a minimum version bump within the existing constraint range (<13.0.0), so no breaking changes are introduced. CVE Details: CVE-2026-25990: An out-of-bounds write may be triggered when loading a specially crafted PSD image Affected versions: 10.3.0 to <12.1.1 Fixed in: 12.1.1 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-25990 ** Claude Helped me write this nice message ** The original findings was thanks to a Trivy scan --------- Co-authored-by: Mason Daugherty <mason@langchain.dev>
123 lines
3.8 KiB
TOML
123 lines
3.8 KiB
TOML
[build-system]
|
|
requires = ["hatchling"]
|
|
build-backend = "hatchling.build"
|
|
|
|
[project]
|
|
name = "langchain-nomic"
|
|
version = "1.0.1"
|
|
description = "An integration package connecting Nomic and LangChain"
|
|
license = { text = "MIT" }
|
|
readme = "README.md"
|
|
classifiers = [
|
|
"Development Status :: 5 - Production/Stable",
|
|
"Intended Audience :: Developers",
|
|
"License :: OSI Approved :: MIT License",
|
|
"Programming Language :: Python :: 3",
|
|
"Programming Language :: Python :: 3.10",
|
|
"Programming Language :: Python :: 3.11",
|
|
"Programming Language :: Python :: 3.12",
|
|
"Programming Language :: Python :: 3.13",
|
|
"Programming Language :: Python :: 3.14",
|
|
"Topic :: Scientific/Engineering :: Artificial Intelligence",
|
|
]
|
|
requires-python = ">=3.10.0,<4.0.0"
|
|
dependencies = [
|
|
"langchain-core>=1.0.0,<2.0.0",
|
|
"nomic>=3.5.3,<4.0.0",
|
|
"pillow>=12.1.1,<13.0.0",
|
|
]
|
|
|
|
[project.urls]
|
|
Homepage = "https://docs.langchain.com/oss/python/integrations/providers/nomic"
|
|
Documentation = "https://reference.langchain.com/python/integrations/langchain_nomic/"
|
|
Repository = "https://github.com/langchain-ai/langchain"
|
|
Issues = "https://github.com/langchain-ai/langchain/issues"
|
|
Changelog = "https://github.com/langchain-ai/langchain/releases?q=%22langchain-nomic%22"
|
|
Twitter = "https://x.com/LangChain"
|
|
Slack = "https://www.langchain.com/join-community"
|
|
Reddit = "https://www.reddit.com/r/LangChain/"
|
|
|
|
[dependency-groups]
|
|
test = [
|
|
"pytest>=7.3.0,<8.0.0",
|
|
"pytest-mock>=3.10.0,<4.0.0",
|
|
"pytest-watcher>=0.3.4,<1.0.0",
|
|
"pytest-asyncio>=0.21.1,<1.0.0",
|
|
"pytest-benchmark",
|
|
"freezegun>=1.2.2,<2.0.0",
|
|
"syrupy>=4.0.2,<5.0.0",
|
|
"langchain-core",
|
|
"langchain-tests",
|
|
]
|
|
test_integration = []
|
|
lint = ["ruff>=0.13.1,<0.14.0"]
|
|
typing = [
|
|
"mypy>=1.18.1,<1.19.0",
|
|
"langchain-core"
|
|
]
|
|
dev = ["langchain-core"]
|
|
|
|
[tool.uv.sources]
|
|
langchain-core = { path = "../../core", editable = true }
|
|
langchain-tests = { path = "../../standard-tests", editable = true }
|
|
|
|
[tool.ruff.format]
|
|
docstring-code-format = true
|
|
|
|
[tool.ruff.lint]
|
|
select = ["ALL"]
|
|
ignore = [
|
|
"COM812", # Messes with the formatter
|
|
"ISC001", # Messes with the formatter
|
|
"PERF203", # Rarely useful
|
|
"S112", # Rarely useful
|
|
"RUF012", # Doesn't play well with Pydantic
|
|
"SLF001", # Private member access
|
|
|
|
# TODO
|
|
"PLR0913",
|
|
]
|
|
unfixable = ["B028"] # People should intentionally tune the stacklevel
|
|
|
|
[tool.ruff.lint.pydocstyle]
|
|
convention = "google"
|
|
ignore-var-parameters = true # ignore missing documentation for *args and **kwargs parameters
|
|
|
|
[tool.ruff.lint.flake8-tidy-imports]
|
|
ban-relative-imports = "all"
|
|
|
|
[tool.mypy]
|
|
disallow_untyped_defs = "True"
|
|
|
|
[tool.coverage.run]
|
|
omit = ["tests/*"]
|
|
|
|
[tool.pytest.ini_options]
|
|
# --strict-markers will raise errors on unknown marks.
|
|
# https://docs.pytest.org/en/7.1.x/how-to/mark.html#raising-errors-on-unknown-marks
|
|
#
|
|
# https://docs.pytest.org/en/7.1.x/reference/reference.html
|
|
# --strict-config any warnings encountered while parsing the `pytest`
|
|
# section of the configuration file raise errors.
|
|
#
|
|
# https://github.com/tophat/syrupy
|
|
# --snapshot-warn-unused Prints a warning on unused snapshots rather than fail the test suite.
|
|
addopts = "--snapshot-warn-unused --strict-markers --strict-config --durations=5"
|
|
# Registering custom markers.
|
|
# https://docs.pytest.org/en/7.1.x/example/markers.html#registering-markers
|
|
markers = [
|
|
"requires: mark tests as requiring a specific library",
|
|
"compile: mark placeholder test used to compile integration tests without running them",
|
|
]
|
|
asyncio_mode = "auto"
|
|
|
|
[tool.ruff.lint.extend-per-file-ignores]
|
|
"tests/**/*.py" = [
|
|
"S101", # Tests need assertions
|
|
"S311", # Standard pseudo-random generators are not suitable for cryptographic purposes
|
|
"PLR2004",
|
|
]
|
|
"scripts/*.py" = [
|
|
"INP001", # Not a package
|
|
]
|