mirror of
https://github.com/hwchase17/langchain.git
synced 2026-05-14 19:05:21 +00:00
0f4f3f74c8
## Summary Bumps `pygments` to `>=2.20.0` across all 21 affected packages to address [CVE-2026-4539](https://github.com/advisories/GHSA-XXXX) — ReDoS via inefficient GUID regex in Pygments. - **Severity:** Low - **Fixed in:** 2.20.0 (was 2.19.2) - **Change:** Added `pygments>=2.20.0` to `constraint-dependencies` in `[tool.uv]` for each package, then ran `uv lock --upgrade-package pygments` to regenerate lock files. Closes Dependabot alerts #3435–#3455. ## Release Note Patch deps ### Test Plan - [x] CI Green 🙏 Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
140 lines
4.0 KiB
TOML
140 lines
4.0 KiB
TOML
[build-system]
|
|
requires = ["hatchling"]
|
|
build-backend = "hatchling.build"
|
|
|
|
[project]
|
|
name = "langchain-qdrant"
|
|
version = "1.1.0"
|
|
description = "An integration package connecting Qdrant and LangChain"
|
|
license = { text = "MIT" }
|
|
readme = "README.md"
|
|
classifiers = [
|
|
"Development Status :: 5 - Production/Stable",
|
|
"Intended Audience :: Developers",
|
|
"License :: OSI Approved :: MIT License",
|
|
"Programming Language :: Python :: 3",
|
|
"Programming Language :: Python :: 3.10",
|
|
"Programming Language :: Python :: 3.11",
|
|
"Programming Language :: Python :: 3.12",
|
|
"Programming Language :: Python :: 3.13",
|
|
"Programming Language :: Python :: 3.14",
|
|
"Topic :: Scientific/Engineering :: Artificial Intelligence",
|
|
]
|
|
requires-python = ">=3.10.0,<4.0.0"
|
|
dependencies = [
|
|
"qdrant-client>=1.15.1,<2.0.0",
|
|
"pydantic>=2.7.4,<3.0.0",
|
|
"langchain-core>=1.2.21,<2.0.0",
|
|
]
|
|
|
|
[project.urls]
|
|
Homepage = "https://docs.langchain.com/oss/python/integrations/providers/qdrant"
|
|
Documentation = "https://reference.langchain.com/python/integrations/langchain_qdrant/"
|
|
Repository = "https://github.com/langchain-ai/langchain"
|
|
Issues = "https://github.com/langchain-ai/langchain/issues"
|
|
Changelog = "https://github.com/langchain-ai/langchain/releases?q=%22langchain-qdrant%22"
|
|
Twitter = "https://x.com/LangChain"
|
|
Slack = "https://www.langchain.com/join-community"
|
|
Reddit = "https://www.reddit.com/r/LangChain/"
|
|
|
|
[project.optional-dependencies]
|
|
fastembed = [
|
|
"fastembed>=0.3.3,<1.0.0; python_version < \"3.13\" and python_version >= \"3.9\"",
|
|
]
|
|
|
|
[dependency-groups]
|
|
test = [
|
|
"pytest>=7.3.0,<8.0.0",
|
|
"pytest-mock>=3.10.0,<4.0.0",
|
|
"pytest-watcher>=0.3.4,<1.0.0",
|
|
"pytest-asyncio>=0.21.1,<1.0.0",
|
|
"pytest-socket>=0.7.0,<1.0.0",
|
|
"pytest-benchmark",
|
|
"freezegun>=1.2.2,<2.0.0",
|
|
"syrupy>=4.0.2,<5.0.0",
|
|
"requests>=2.31.0,<3.0.0",
|
|
"langchain-core",
|
|
"langchain-tests",
|
|
]
|
|
test_integration = []
|
|
lint = ["ruff>=0.13.1,<0.14.0"]
|
|
dev = ["langchain-core"]
|
|
typing = [
|
|
"mypy>=1.10.0,<2.0.0",
|
|
"simsimd>=6.0.0,<7.0.0",
|
|
"langchain-core"
|
|
]
|
|
|
|
# CVE-2026-25990: pillow < 12.1.1 is vulnerable to out-of-bounds write when loading PSD images.
|
|
# fastembed 0.7.x caps pillow<12.0. Override to pull in the fix for the lockfile.
|
|
# Remove this override once fastembed releases a version that allows pillow>=12.1.1.
|
|
[tool.uv]
|
|
override-dependencies = ["pillow>=12.1.1"]
|
|
constraint-dependencies = ["pygments>=2.20.0"]
|
|
|
|
[tool.uv.sources]
|
|
langchain-core = { path = "../../core", editable = true }
|
|
langchain-tests = { path = "../../standard-tests", editable = true }
|
|
|
|
[tool.ruff.format]
|
|
docstring-code-format = true
|
|
|
|
[tool.ruff.lint]
|
|
select = ["ALL"]
|
|
ignore = [
|
|
"COM812", # Messes with the formatter
|
|
"ISC001", # Messes with the formatter
|
|
"PERF203", # Rarely useful
|
|
"S112", # Rarely useful
|
|
"RUF012", # Doesn't play well with Pydantic
|
|
"SLF001", # Private member access
|
|
"PLR0913", # Function has too many arguments
|
|
"C901", # Complex functions
|
|
"TC003",
|
|
|
|
# TODO"
|
|
"ANN401",
|
|
"ARG002",
|
|
"D100",
|
|
"D102",
|
|
"D104",
|
|
]
|
|
unfixable = ["B028"] # People should intentionally tune the stacklevel
|
|
|
|
[tool.ruff.lint.pydocstyle]
|
|
convention = "google"
|
|
ignore-var-parameters = true # ignore missing documentation for *args and **kwargs parameters
|
|
|
|
[tool.ruff.lint.flake8-tidy-imports]
|
|
ban-relative-imports = "all"
|
|
|
|
[tool.mypy]
|
|
disallow_untyped_defs = true
|
|
|
|
[tool.coverage.run]
|
|
omit = ["tests/*"]
|
|
|
|
[tool.pytest.ini_options]
|
|
addopts = "--snapshot-warn-unused --strict-markers --strict-config --durations=5"
|
|
markers = [
|
|
"requires: mark tests as requiring a specific library",
|
|
"compile: mark placeholder test used to compile integration tests without running them",
|
|
]
|
|
asyncio_mode = "auto"
|
|
|
|
[tool.ruff.lint.extend-per-file-ignores]
|
|
"tests/**/*.py" = [
|
|
"S101", # Tests need assertions
|
|
"S311", # Standard pseudo-random generators are not suitable for cryptographic purposes
|
|
"PT011",
|
|
"PLR2004",
|
|
|
|
# TODO
|
|
"PLC0415",
|
|
"PT012",
|
|
"D",
|
|
]
|
|
"scripts/*.py" = [
|
|
"INP001", # Not a package
|
|
]
|