langchain/libs/core/pyproject.toml
John Kennedy 0f4f3f74c8 chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385)
## Summary

Bumps `pygments` to `>=2.20.0` across all 21 affected packages to
address [CVE-2026-4539](https://github.com/advisories/GHSA-XXXX) — ReDoS
via inefficient GUID regex in Pygments.

- **Severity:** Low
- **Fixed in:** 2.20.0 (was 2.19.2)
- **Change:** Added `pygments>=2.20.0` to `constraint-dependencies` in
`[tool.uv]` for each package, then ran `uv lock --upgrade-package
pygments` to regenerate lock files.

Closes Dependabot alerts #3435–#3455.

## Release Note
Patch deps

### Test Plan
 - [x] CI Green 🙏

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-30 23:26:59 -04:00


# PEP 517 build configuration: the distribution is built with hatchling.
# NOTE(review): the build requirement carries no version bound, so a build
# resolves whatever hatchling release the installer selects. Confirm whether
# release builds pin it elsewhere (lock file, CI constraints).
[build-system]
requires = ["hatchling"]
build-backend = "hatchling.build"
# Published package metadata (PEP 621). Everything in this table ships with the
# distribution and is what downstream installers see.
[project]
name = "langchain-core"
description = "Building applications with LLMs through composability"
license = {text = "MIT"}
readme = "README.md"
classifiers = [
"Development Status :: 5 - Production/Stable",
"Intended Audience :: Developers",
"License :: OSI Approved :: MIT License",
"Programming Language :: Python :: 3",
"Programming Language :: Python :: 3.10",
"Programming Language :: Python :: 3.11",
"Programming Language :: Python :: 3.12",
"Programming Language :: Python :: 3.13",
"Programming Language :: Python :: 3.14",
"Topic :: Scientific/Engineering :: Artificial Intelligence",
"Topic :: Software Development :: Libraries :: Python Modules",
]
version = "1.2.23"
requires-python = ">=3.10.0,<4.0.0"
# Runtime requirements. These ranges are compatibility bounds: an installer may
# select any release inside them, so a lower bound here is not a statement that
# the oldest allowed release is free of known advisories.
# pygments is not listed here; the pygments floor in [tool.uv] is a resolver
# constraint for this repository and is not part of the published metadata.
dependencies = [
"langsmith>=0.3.45,<1.0.0",
# 8.4.0 is excluded explicitly; every other release in the range is allowed.
"tenacity!=8.4.0,>=8.1.0,<10.0.0",
"jsonpatch>=1.33.0,<2.0.0",
# NOTE(review): whether YAML is only ever read with a safe loader cannot be
# seen from this file. Confirm in the code that consumes PyYAML.
"PyYAML>=5.3.0,<7.0.0",
"typing-extensions>=4.7.0,<5.0.0",
# Only requirement without an upper bound.
"packaging>=23.2.0",
"pydantic>=2.7.4,<3.0.0",
"uuid-utils>=0.12.0,<1.0",
]
# Project links published with the package metadata.
[project.urls]
Homepage = "https://docs.langchain.com/"
Documentation = "https://reference.langchain.com/python/langchain_core/"
Repository = "https://github.com/langchain-ai/langchain"
Issues = "https://github.com/langchain-ai/langchain/issues"
# The query string is the URL-encoded search "langchain-core==1".
Changelog = "https://github.com/langchain-ai/langchain/releases?q=%22langchain-core%3D%3D1%22"
Twitter = "https://x.com/LangChain"
Slack = "https://www.langchain.com/join-community"
Reddit = "https://www.reddit.com/r/LangChain/"
# Development-only dependency groups (PEP 735). These are not part of the
# published runtime requirements in [project].dependencies.
[dependency-groups]
lint = ["ruff>=0.15.0,<0.16.0"]
typing = [
"mypy>=1.19.1,<1.20.0",
"types-pyyaml>=6.0.12.2,<7.0.0.0",
"types-requests>=2.28.11.5,<3.0.0.0",
# No version specifier: resolved from a local path via [tool.uv.sources].
"langchain-text-splitters",
]
dev = [
"jupyter>=1.0.0,<2.0.0",
"setuptools>=67.6.1,<83.0.0",
"grandalf>=0.8.0,<1.0.0",
]
test = [
"pytest>=8.0.0,<10.0.0",
"freezegun>=1.2.2,<2.0.0",
"pytest-mock>=3.10.0,<4.0.0",
"syrupy>=4.0.2,<6.0.0",
"pytest-watcher>=0.3.4,<1.0.0",
"pytest-asyncio>=0.21.1,<2.0.0",
"grandalf>=0.8.0,<1.0.0",
"responses>=0.25.0,<1.0.0",
# NOTE(review): presumably used to keep unit tests off the network. The flag
# that enforces it is not in this file's pytest addopts; confirm where it is set.
"pytest-socket>=0.7.0,<1.0.0",
"pytest-xdist<4.0.0,>=3.6.1",
"blockbuster>=1.5.18,<1.6.0",
# numpy floor depends on the interpreter version (environment markers).
"numpy>=1.26.4; python_version<'3.13'",
"numpy>=2.1.0; python_version>='3.13'",
# No version specifier: resolved from a local path via [tool.uv.sources].
"langchain-tests",
# The next two entries have no version bounds and no local source entry, so
# the version in use is whatever the lock file records.
"pytest-benchmark",
"pytest-codspeed",
]
test_integration = []
# uv resolver settings for this repository.
[tool.uv]
# Security floor for pygments (CVE-2026-4539, ReDoS, fixed in 2.20.0 per the
# commit that added this line). A constraint does not add pygments as a
# dependency; it only restricts the version uv may pick when pygments appears
# in the resolved graph. It applies to uv resolution of this project (lock file
# and development environments) and is not published with the package, so
# installs of langchain-core from an index are not bound by it.
constraint-dependencies = ["pygments>=2.20.0"]
# Resolve these two names from sibling directories in the monorepo instead of a
# package index. The paths are relative to this file.
[tool.uv.sources]
langchain-tests = { path = "../standard-tests" }
langchain-text-splitters = { path = "../text-splitters" }
# Static type checking: strict mode with the pydantic plugin, plus the
# optional "deprecated" error code.
[tool.mypy]
plugins = ["pydantic.mypy"]
strict = true
enable_error_code = "deprecated"
# TODO: activate for 'strict' checking
# Set explicitly to false, which relaxes this one check under strict = true.
disallow_any_generics = false
# Ruff formatter: also format code examples inside docstrings.
[tool.ruff.format]
docstring-code-format = true
# Ruff linter: every rule family is selected, then narrowed by the ignore list
# and the per-file exceptions below. Selecting "ALL" includes the "S"
# (flake8-bandit) security checks for package code.
[tool.ruff.lint]
select = [ "ALL",]
ignore = [
"C90", # McCabe complexity
"COM812", # Messes with the formatter
"CPY", # No copyright
"FIX002", # Line contains TODO
"PERF203", # Rarely useful
"PLR09", # Too many something (arg, statements, etc)
"TD002", # Missing author in TODO
"TD003", # Missing issue link in TODO
# TODO rules
"ANN401", # No Any types
# With BLE ignored, broad `except Exception` handlers are not flagged anywhere.
"BLE", # Blind exceptions
"ERA", # No commented-out code
]
unfixable = [
"B028", # People should intentionally tune the stacklevel
]
flake8-annotations.allow-star-arg-any = true
flake8-annotations.mypy-init-return = true
# Builtin names that may be shadowed without a lint error.
flake8-builtins.ignorelist = ["id", "input", "type"]
# Base classes whose annotations are evaluated at runtime, so imports used only
# in their annotations are not moved under TYPE_CHECKING.
flake8-type-checking.runtime-evaluated-base-classes = [ "pydantic.BaseModel", "langchain_core.load.serializable.Serializable", "langchain_core.runnables.base.RunnableSerializable", "langchain_core.language_models.base.BaseLanguageModel", "langchain_core.outputs.generation.Generation", "langchain_core.tools.base.BaseTool",]
# Decorators that pep8-naming treats as marking a classmethod.
pep8-naming.classmethod-decorators = [ "classmethod", "langchain_core.utils.pydantic.pre_init", "pydantic.field_validator", "pydantic.v1.root_validator",]
[tool.ruff.lint.flake8-tidy-imports]
ban-relative-imports = "all"
[tool.ruff.lint.pydocstyle]
convention = "google"
ignore-var-parameters = true # ignore missing documentation for *args and **kwargs parameters
# Per-path exceptions to the rule set above.
[tool.ruff.lint.per-file-ignores]
"langchain_core/utils/mustache.py" = [ "PLW0603",]
"langchain_core/sys_info.py" = [ "T201",]
"tests/unit_tests/test_tools.py" = [ "ARG",]
# "S" (flake8-bandit) is disabled for all tests and all scripts.
# NOTE(review): for scripts/** this removes the security lint from code that may
# run in CI or release jobs. Confirm nothing under scripts/ processes
# untrusted input or builds shell commands from it.
"tests/**" = [ "D1", "PLR2004", "S", "SLF",]
"scripts/**" = [ "INP", "S", "T201",]
# Coverage measurement excludes the test files themselves.
[tool.coverage.run]
omit = [ "tests/*",]
# pytest defaults for this package.
[tool.pytest.ini_options]
# --strict-markers and --strict-config turn unregistered markers and
# configuration problems into errors instead of warnings; --durations=5 reports
# the five slowest tests.
addopts = "--snapshot-warn-unused --strict-markers --strict-config --durations=5"
# Markers must be registered here because of --strict-markers.
markers = [
"requires: mark tests as requiring a specific library",
"compile: mark placeholder test used to compile integration tests without running them",
]
asyncio_mode = "auto"
asyncio_default_fixture_loop_scope = "function"
# Only the project's own beta-API warning is silenced; other warnings still surface.
filterwarnings = [ "ignore::langchain_core._api.beta_decorator.LangChainBetaWarning",]