16427 Commits

Author SHA1 Message Date
langchain-oss-model-profiles[bot] cf2115a6cf chore(model-profiles): refresh model profile data (#38876)
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.

🤖 Generated by the [`refresh_model_profiles`
workflow](https://github.com/langchain-ai/langchain/blob/master/.github/workflows/refresh_model_profiles.yml).


## Summary of changes

**0 added · 1 removed · 32 changed** across 1 provider(s).

### openrouter

** 1 removed**
- `arcee-ai/coder-large`

**✏️ 32 changed**
- `deepseek/deepseek-chat-v3-0324`: max output tokens 16,384 → 65,536
- `deepseek/deepseek-v3.1-terminus`: max input tokens 163,840 → 131,072
- `deepseek/deepseek-v3.2`: max input tokens 131,072 → 163,840; max
output tokens 64,000 → 65,536
- `google/gemini-2.5-flash-image`: max output tokens 32,768 → 8,192
- `google/gemma-3-27b-it`: max output tokens 16,384 → 131,072
- `google/gemma-4-26b-a4b-it`: max output tokens 262,144 → 256,000
- `google/gemma-4-31b-it`: max output tokens 8,192 → 262,144
- `meta-llama/llama-3.1-8b-instruct`: max output tokens 16,384 → 131,072
- `meta-llama/llama-3.3-70b-instruct`: max output tokens 16,384 →
128,000
- `minimax/minimax-m2.7`: max output tokens 196,608 → 131,072
- `minimax/minimax-m3`: max output tokens 131,072 → 512,000
- `mistralai/mistral-nemo`: max output tokens 131,072 → 16,384
- `mistralai/mistral-small-3.2-24b-instruct`: max input tokens 128,000 →
131,072
- `moonshotai/kimi-k2-thinking`: max output tokens 100,352 → 262,144
- `moonshotai/kimi-k2.5`: max output tokens 256,000 → 262,144
- `openai/gpt-5.1-chat`: max output tokens 32,000 → 16,384
- `qwen/qwen3-30b-a3b-instruct-2507`: max input tokens 131,072 → 262,144
- `qwen/qwen3-next-80b-a3b-instruct`: max output tokens 16,384 → 262,144
- `qwen/qwen3-vl-235b-a22b-instruct`: max input tokens 262,144 →
131,072; max output tokens 16,384 → 32,768
- `qwen/qwen3.5-122b-a10b`: max output tokens 262,144 → 65,536
- `qwen/qwen3.5-35b-a3b`: max output tokens 81,920 → 262,144
- `qwen/qwen3.5-397b-a17b`: max input tokens 256,000 → 262,144; max
output tokens 64,000 → 65,536
- `qwen/qwen3.6-27b`: max output tokens 131,072 → 65,536
- `z-ai/glm-4.6`: max input tokens 200,000 → 202,752; max output tokens
16,384 → 131,072
- `z-ai/glm-4.7-flash`: max input tokens 202,752 → 200,000; max output
tokens 16,384 → 131,072
- …and 7 more

Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
2026-07-16 10:25:25 -04:00
ccurme a4538dbf07 docs(langchain): clarify ToolRetryMiddleware exception handling (#38884) 2026-07-16 09:33:16 -04:00
ccurme 185119f98e release(langchain): 1.3.14 (#38883) langchain==1.3.14 2026-07-16 09:25:11 -04:00
ccurme 0a3bde6431 fix(langchain): only retry retryable exceptions in ToolRetryMiddleware (#38845) 2026-07-16 09:17:39 -04:00
langchain-oss-model-profiles[bot] 7bf8fe2216 chore(model-profiles): refresh model profile data (#38856)
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.

🤖 Generated by the [`refresh_model_profiles`
workflow](https://github.com/langchain-ai/langchain/blob/master/.github/workflows/refresh_model_profiles.yml).


## Summary of changes

**2 added · 4 removed · 5 changed** across 1 provider(s).

### openrouter

** 2 added**
- `kwaipilot/kat-coder-air-v2.5` — 256,000 ctx, 80,000 out, tools
- `kwaipilot/kat-coder-pro-v2.5` — 256,000 ctx, 80,000 out, tools

** 4 removed**
- `liquid/lfm-2.5-1.2b-instruct:free`
- `liquid/lfm-2.5-1.2b-thinking:free`
- `openai/gpt-oss-120b:free`
- `sao10k/l3.1-70b-hanami-x1`

**✏️ 5 changed**
- `deepseek/deepseek-v4-flash`: max output tokens 384,000 → 65,536
- `google/gemma-4-31b-it`: max output tokens 262,144 → 8,192
- `google/gemma-4-31b-it:free`: max output tokens 8,192 → 32,768
- `qwen/qwen3.6-27b`: max output tokens 262,140 → 131,072
- `z-ai/glm-5.2`: max output tokens 131,072 → 128,000

Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
2026-07-15 06:56:48 -04:00
John Kennedy 22869321b2 fix: patch Dependabot dependency vulnerabilities (#38853)
## Summary

- remove obsolete aiohttp <3.14.0 constraints and resolve the xAI and
Fireworks locks to aiohttp 3.14.1
- set langchain-fireworks' runtime floor to aiohttp >=3.14.1
- constrain the langchain-classic lock to langchain 1.3.9, resolving
CVE-2026-55443

## Dependabot alerts

Resolves the patchable aiohttp and langchain alerts in the current
backlog.

The critical ChromaDB CVE-2026-45829 remains open because no patched
upstream version exists. It is tracked in
[SEC-969](https://linear.app/langchain/issue/SEC-969/critical-mitigate-unpatched-chromadb-cve-2026-45829).

## Verification

-  for xAI, Fireworks, and langchain-classic
- xAI unit tests: 38 passed
- Fireworks unit tests: 129 passed (with local FIREWORKS_API_BASE
removed to avoid snapshot pollution)
- imported vcrpy's aiohttp stub under aiohttp 3.14.1 in both partner
environments
2026-07-14 21:57:41 +00:00
dependabot[bot] d260c52059 chore: bump soupsieve from 2.8 to 2.8.4 in /libs/core (#38750)
Bumps [soupsieve](https://github.com/facelessuser/soupsieve) from 2.8 to
2.8.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/facelessuser/soupsieve/releases">soupsieve's
releases</a>.</em></p>
<blockquote>
<h2>2.8.4</h2>
<ul>
<li><strong>FIX</strong>: Fix another inefficient attribute pattern (<a
href="https://github.com/mauriceng98"><code>@​mauriceng98</code></a>).</li>
<li><strong>FIX</strong>: Limit total number of selectors processed in a
pattern to prevent massive selector requests (<a
href="https://github.com/mauriceng98"><code>@​mauriceng98</code></a>).</li>
</ul>
<h2>2.8.3</h2>
<ul>
<li><strong>FIX</strong>: Fix inefficient attribute pattern.</li>
</ul>
<h2>2.8.2</h2>
<ul>
<li><strong>FIX</strong>: Ensure custom selectors or namespace
dictionaries reject non-string keys (<a
href="https://github.com/mundanevision20"><code>@​mundanevision20</code></a>).</li>
<li><strong>FIX</strong>: Fix handling of <code>:in-range</code> and
<code>:out-of-range</code> with end of year weeks (<a
href="https://github.com/mundanevision20"><code>@​mundanevision20</code></a>).</li>
<li><strong>FIX</strong>: Fix a potential infinite loop in the pretty
printing debug function (<a
href="https://github.com/mundanevision20"><code>@​mundanevision20</code></a>).</li>
</ul>
<h2>2.8.1</h2>
<ul>
<li><strong>FIX</strong>: Changes in tests to accommodate latest Python
HTML parser changes.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/28108ab805818c832d9568142a99844fd95a0d39"><code>28108ab</code></a>
Limit excessive selectors</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/ef188721d6cc95641e99297b3a26ac17b7dfcfa7"><code>ef18872</code></a>
Fix test for Windows</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/eb4397618709186c109400448c6043b728217dc3"><code>eb43976</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/3a661b23b20e92b49b4683f0227c26c9d765267f"><code>3a661b2</code></a>
Fix typo in pseudo-classes.md (<a
href="https://redirect.github.com/facelessuser/soupsieve/issues/294">#294</a>)</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/0cb533d83bfc445c7c6321742a21f612305fc8ba"><code>0cb533d</code></a>
Update hatchling version requirement in pyproject.toml (<a
href="https://redirect.github.com/facelessuser/soupsieve/issues/290">#290</a>)</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/5aedc4180468e724aff46ddb3f738d35a3a9f724"><code>5aedc41</code></a>
Update doc theme</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/d7c47842a4f8d168243af96b62b9ad7fb84a2038"><code>d7c4784</code></a>
Attribute pattern fix (<a
href="https://redirect.github.com/facelessuser/soupsieve/issues/289">#289</a>)</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/09e106dc0fd6579c0327801fdcceb380ff60170e"><code>09e106d</code></a>
Fix grammar</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/09b27696ada6f07523a077950ce73da45579d524"><code>09b2769</code></a>
Update docs</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/c6e80fcab9ca4d3eaa61913778263e82bcecca1f"><code>c6e80fc</code></a>
Various fixes by <a
href="https://github.com/mundanevision20"><code>@​mundanevision20</code></a>
(<a
href="https://redirect.github.com/facelessuser/soupsieve/issues/288">#288</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/facelessuser/soupsieve/compare/2.8...2.8.4">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-14 11:47:53 -07:00
ccurme ceb1e4e652 feat(langchain): ToolErrorMiddleware (#38781) 2026-07-14 09:02:35 -04:00
dependabot[bot] 2f29107ed0 chore: bump soupsieve from 2.8 to 2.8.4 in /libs/langchain (#38749)
Bumps [soupsieve](https://github.com/facelessuser/soupsieve) from 2.8 to
2.8.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/facelessuser/soupsieve/releases">soupsieve's
releases</a>.</em></p>
<blockquote>
<h2>2.8.4</h2>
<ul>
<li><strong>FIX</strong>: Fix another inefficient attribute pattern (<a
href="https://github.com/mauriceng98"><code>@​mauriceng98</code></a>).</li>
<li><strong>FIX</strong>: Limit total number of selectors processed in a
pattern to prevent massive selector requests (<a
href="https://github.com/mauriceng98"><code>@​mauriceng98</code></a>).</li>
</ul>
<h2>2.8.3</h2>
<ul>
<li><strong>FIX</strong>: Fix inefficient attribute pattern.</li>
</ul>
<h2>2.8.2</h2>
<ul>
<li><strong>FIX</strong>: Ensure custom selectors or namespace
dictionaries reject non-string keys (<a
href="https://github.com/mundanevision20"><code>@​mundanevision20</code></a>).</li>
<li><strong>FIX</strong>: Fix handling of <code>:in-range</code> and
<code>:out-of-range</code> with end of year weeks (<a
href="https://github.com/mundanevision20"><code>@​mundanevision20</code></a>).</li>
<li><strong>FIX</strong>: Fix a potential infinite loop in the pretty
printing debug function (<a
href="https://github.com/mundanevision20"><code>@​mundanevision20</code></a>).</li>
</ul>
<h2>2.8.1</h2>
<ul>
<li><strong>FIX</strong>: Changes in tests to accommodate latest Python
HTML parser changes.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/28108ab805818c832d9568142a99844fd95a0d39"><code>28108ab</code></a>
Limit excessive selectors</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/ef188721d6cc95641e99297b3a26ac17b7dfcfa7"><code>ef18872</code></a>
Fix test for Windows</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/eb4397618709186c109400448c6043b728217dc3"><code>eb43976</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/3a661b23b20e92b49b4683f0227c26c9d765267f"><code>3a661b2</code></a>
Fix typo in pseudo-classes.md (<a
href="https://redirect.github.com/facelessuser/soupsieve/issues/294">#294</a>)</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/0cb533d83bfc445c7c6321742a21f612305fc8ba"><code>0cb533d</code></a>
Update hatchling version requirement in pyproject.toml (<a
href="https://redirect.github.com/facelessuser/soupsieve/issues/290">#290</a>)</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/5aedc4180468e724aff46ddb3f738d35a3a9f724"><code>5aedc41</code></a>
Update doc theme</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/d7c47842a4f8d168243af96b62b9ad7fb84a2038"><code>d7c4784</code></a>
Attribute pattern fix (<a
href="https://redirect.github.com/facelessuser/soupsieve/issues/289">#289</a>)</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/09e106dc0fd6579c0327801fdcceb380ff60170e"><code>09e106d</code></a>
Fix grammar</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/09b27696ada6f07523a077950ce73da45579d524"><code>09b2769</code></a>
Update docs</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/c6e80fcab9ca4d3eaa61913778263e82bcecca1f"><code>c6e80fc</code></a>
Various fixes by <a
href="https://github.com/mundanevision20"><code>@​mundanevision20</code></a>
(<a
href="https://redirect.github.com/facelessuser/soupsieve/issues/288">#288</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/facelessuser/soupsieve/compare/2.8...2.8.4">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=soupsieve&package-manager=uv&previous-version=2.8&new-version=2.8.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-13 23:41:34 -07:00
dependabot[bot] 6cd44e0d43 chore: bump soupsieve from 2.8 to 2.8.4 in /libs/text-splitters (#38748)
Bumps [soupsieve](https://github.com/facelessuser/soupsieve) from 2.8 to
2.8.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/facelessuser/soupsieve/releases">soupsieve's
releases</a>.</em></p>
<blockquote>
<h2>2.8.4</h2>
<ul>
<li><strong>FIX</strong>: Fix another inefficient attribute pattern (<a
href="https://github.com/mauriceng98"><code>@​mauriceng98</code></a>).</li>
<li><strong>FIX</strong>: Limit total number of selectors processed in a
pattern to prevent massive selector requests (<a
href="https://github.com/mauriceng98"><code>@​mauriceng98</code></a>).</li>
</ul>
<h2>2.8.3</h2>
<ul>
<li><strong>FIX</strong>: Fix inefficient attribute pattern.</li>
</ul>
<h2>2.8.2</h2>
<ul>
<li><strong>FIX</strong>: Ensure custom selectors or namespace
dictionaries reject non-string keys (<a
href="https://github.com/mundanevision20"><code>@​mundanevision20</code></a>).</li>
<li><strong>FIX</strong>: Fix handling of <code>:in-range</code> and
<code>:out-of-range</code> with end of year weeks (<a
href="https://github.com/mundanevision20"><code>@​mundanevision20</code></a>).</li>
<li><strong>FIX</strong>: Fix a potential infinite loop in the pretty
printing debug function (<a
href="https://github.com/mundanevision20"><code>@​mundanevision20</code></a>).</li>
</ul>
<h2>2.8.1</h2>
<ul>
<li><strong>FIX</strong>: Changes in tests to accommodate latest Python
HTML parser changes.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/28108ab805818c832d9568142a99844fd95a0d39"><code>28108ab</code></a>
Limit excessive selectors</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/ef188721d6cc95641e99297b3a26ac17b7dfcfa7"><code>ef18872</code></a>
Fix test for Windows</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/eb4397618709186c109400448c6043b728217dc3"><code>eb43976</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/3a661b23b20e92b49b4683f0227c26c9d765267f"><code>3a661b2</code></a>
Fix typo in pseudo-classes.md (<a
href="https://redirect.github.com/facelessuser/soupsieve/issues/294">#294</a>)</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/0cb533d83bfc445c7c6321742a21f612305fc8ba"><code>0cb533d</code></a>
Update hatchling version requirement in pyproject.toml (<a
href="https://redirect.github.com/facelessuser/soupsieve/issues/290">#290</a>)</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/5aedc4180468e724aff46ddb3f738d35a3a9f724"><code>5aedc41</code></a>
Update doc theme</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/d7c47842a4f8d168243af96b62b9ad7fb84a2038"><code>d7c4784</code></a>
Attribute pattern fix (<a
href="https://redirect.github.com/facelessuser/soupsieve/issues/289">#289</a>)</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/09e106dc0fd6579c0327801fdcceb380ff60170e"><code>09e106d</code></a>
Fix grammar</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/09b27696ada6f07523a077950ce73da45579d524"><code>09b2769</code></a>
Update docs</li>
<li><a
href="https://github.com/facelessuser/soupsieve/commit/c6e80fcab9ca4d3eaa61913778263e82bcecca1f"><code>c6e80fc</code></a>
Various fixes by <a
href="https://github.com/mundanevision20"><code>@​mundanevision20</code></a>
(<a
href="https://redirect.github.com/facelessuser/soupsieve/issues/288">#288</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/facelessuser/soupsieve/compare/2.8...2.8.4">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=soupsieve&package-manager=uv&previous-version=2.8&new-version=2.8.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-13 23:41:29 -07:00
dependabot[bot] 4e57abd4ce chore: bump nltk from 3.9.4 to 3.10.0 in /libs/text-splitters (#38747)
Bumps [nltk](https://github.com/nltk/nltk) from 3.9.4 to 3.10.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nltk/nltk/releases">nltk's
releases</a>.</em></p>
<blockquote>
<h2>v3.10.0-rc1</h2>
<h2>What's Changed</h2>
<ul>
<li>CHILDES corpus reader: lazy loading (fixes <a
href="https://redirect.github.com/nltk/nltk/issues/1340">#1340</a>) by
<a href="https://github.com/nschneid"><code>@​nschneid</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1341">nltk/nltk#1341</a></li>
<li>Stanseg by <a
href="https://github.com/casperlehmann"><code>@​casperlehmann</code></a>
in <a
href="https://redirect.github.com/nltk/nltk/pull/1350">nltk/nltk#1350</a></li>
<li>Add optional CCG semantics computation by <a
href="https://github.com/tanin47"><code>@​tanin47</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1321">nltk/nltk#1321</a></li>
<li>address of free software foundation updated by <a
href="https://github.com/Lightyagami1"><code>@​Lightyagami1</code></a>
in <a
href="https://redirect.github.com/nltk/nltk/pull/1347">nltk/nltk#1347</a></li>
<li>Added a verification for empty tokens by <a
href="https://github.com/gnardari"><code>@​gnardari</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1353">nltk/nltk#1353</a></li>
<li>use data.load for vader lexicon by <a
href="https://github.com/afgiel"><code>@​afgiel</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1303">nltk/nltk#1303</a></li>
<li>Ensure that proper exceptions are caught correctly by <a
href="https://github.com/pombredanne"><code>@​pombredanne</code></a> in
<a
href="https://redirect.github.com/nltk/nltk/pull/1343">nltk/nltk#1343</a></li>
<li>Reset CCGVar everytime we invoke lexicon.fromstring() and skip the
unicode test because it fails on python2.7 by <a
href="https://github.com/tanin47"><code>@​tanin47</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1354">nltk/nltk#1354</a></li>
<li>Add tanin as an author :) by <a
href="https://github.com/tanin47"><code>@​tanin47</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1355">nltk/nltk#1355</a></li>
<li>framenet.py: remove unnecessary str() call that causes problems for
names with Unicode characters by <a
href="https://github.com/nschneid"><code>@​nschneid</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1360">nltk/nltk#1360</a></li>
<li>remove <code>u</code> because it doesn't work in Python 3.0 to 3.2
by <a href="https://github.com/tanin47"><code>@​tanin47</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1362">nltk/nltk#1362</a></li>
<li>moved the import for dispersion_plot out of the else block by <a
href="https://github.com/dennisobrien"><code>@​dennisobrien</code></a>
in <a
href="https://redirect.github.com/nltk/nltk/pull/1364">nltk/nltk#1364</a></li>
<li>Raise warning for infinite recursion by <a
href="https://github.com/alvations"><code>@​alvations</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1365">nltk/nltk#1365</a></li>
<li>Patch None TypeError in align_blocks() by <a
href="https://github.com/alvations"><code>@​alvations</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1366">nltk/nltk#1366</a></li>
<li>Safer try-except for catching infinite recursion by <a
href="https://github.com/alvations"><code>@​alvations</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1368">nltk/nltk#1368</a></li>
<li>Collections refactor by <a
href="https://github.com/nschneid"><code>@​nschneid</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1382">nltk/nltk#1382</a></li>
<li>Handles fringe cases in BLEU by <a
href="https://github.com/alvations"><code>@​alvations</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1383">nltk/nltk#1383</a></li>
<li>Allow specifying substitution cost in edit distance by <a
href="https://github.com/dnc1994"><code>@​dnc1994</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1386">nltk/nltk#1386</a></li>
<li>Pl196x fixes by <a
href="https://github.com/pkasprzyk"><code>@​pkasprzyk</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1359">nltk/nltk#1359</a></li>
<li>Docs/ngrams by <a
href="https://github.com/ColCarroll"><code>@​ColCarroll</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1403">nltk/nltk#1403</a></li>
<li>Fix conll.py by <a
href="https://github.com/germanferrero"><code>@​germanferrero</code></a>
in <a
href="https://redirect.github.com/nltk/nltk/pull/1402">nltk/nltk#1402</a></li>
<li>Aline by <a
href="https://github.com/geoffbacon"><code>@​geoffbacon</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1407">nltk/nltk#1407</a></li>
<li>Handle empty files in a corpus by <a
href="https://github.com/alexisdimi"><code>@​alexisdimi</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1411">nltk/nltk#1411</a></li>
<li>fixed bug: StackDecoder would throw exception if it's unable to
finish… by <a href="https://github.com/hikui"><code>@​hikui</code></a>
in <a
href="https://redirect.github.com/nltk/nltk/pull/1405">nltk/nltk#1405</a></li>
<li>add hikui to authors by <a
href="https://github.com/hikui"><code>@​hikui</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1412">nltk/nltk#1412</a></li>
<li>removes download-cache pip flag from tox config by <a
href="https://github.com/fievelk"><code>@​fievelk</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1415">nltk/nltk#1415</a></li>
<li>Added three tokenizers, one detokenizer and two tokenizer-related
word/char list corpora by <a
href="https://github.com/alvations"><code>@​alvations</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1282">nltk/nltk#1282</a></li>
<li>Much faster Vader sentiment tagging by <a
href="https://github.com/georgeberry"><code>@​georgeberry</code></a> in
<a
href="https://redirect.github.com/nltk/nltk/pull/1409">nltk/nltk#1409</a></li>
<li>Fixes doctest in is_cjk() and REPP tokenizer wrapper by <a
href="https://github.com/alvations"><code>@​alvations</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1420">nltk/nltk#1420</a></li>
<li>Fixed doctest for UnicharsCorpusReader and
NonbreakingPrefixesCorpusReader by <a
href="https://github.com/alvations"><code>@​alvations</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1422">nltk/nltk#1422</a></li>
<li>Updated senna version in docstring by <a
href="https://github.com/alvations"><code>@​alvations</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1431">nltk/nltk#1431</a></li>
<li>Removes Python 2.6 and Python 3.1-3.3 code, Improves Python 3.5
syntax by <a href="https://github.com/adamn"><code>@​adamn</code></a> in
<a
href="https://redirect.github.com/nltk/nltk/pull/1429">nltk/nltk#1429</a></li>
<li>Cleanup by <a
href="https://github.com/dimazest"><code>@​dimazest</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1432">nltk/nltk#1432</a></li>
<li>Fix zero division &amp; log(0) in PunktTrainer._col_log_likelihood
by <a
href="https://github.com/mrecachinas"><code>@​mrecachinas</code></a> in
<a
href="https://redirect.github.com/nltk/nltk/pull/1247">nltk/nltk#1247</a></li>
<li>Update stanford_segmenter.py by <a
href="https://github.com/janissl"><code>@​janissl</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1444">nltk/nltk#1444</a></li>
<li>explained data format for constructor by <a
href="https://github.com/drevicko"><code>@​drevicko</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1450">nltk/nltk#1450</a></li>
<li>Use a more efficient idiom for flattening nested lists by <a
href="https://github.com/rmalouf"><code>@​rmalouf</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1447">nltk/nltk#1447</a></li>
<li>improved documentation of load_array() by <a
href="https://github.com/drevicko"><code>@​drevicko</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1452">nltk/nltk#1452</a></li>
<li>changed &quot;list or iterator&quot; to &quot;sequence&quot; by <a
href="https://github.com/drevicko"><code>@​drevicko</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1453">nltk/nltk#1453</a></li>
<li>Deal gracefully with degenerate cases. by <a
href="https://github.com/drevicko"><code>@​drevicko</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1454">nltk/nltk#1454</a></li>
<li>deal with (hopefully) all degenerate cases by <a
href="https://github.com/drevicko"><code>@​drevicko</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1455">nltk/nltk#1455</a></li>
<li>Enable unordered comparison for gaac clustering by <a
href="https://github.com/alvations"><code>@​alvations</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1456">nltk/nltk#1456</a></li>
<li>Rewrite porter.py by <a
href="https://github.com/ExplodingCabbage"><code>@​ExplodingCabbage</code></a>
in <a
href="https://redirect.github.com/nltk/nltk/pull/1261">nltk/nltk#1261</a></li>
<li>Update naivebayes.py by <a
href="https://github.com/andyreagan"><code>@​andyreagan</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1461">nltk/nltk#1461</a></li>
<li>Fixes bug where download status not returned. by <a
href="https://github.com/nsfabina"><code>@​nsfabina</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1468">nltk/nltk#1468</a></li>
<li>Use lcon and rcon variables in conllned() when trace is False -
Issue <a
href="https://redirect.github.com/nltk/nltk/issues/1474">#1474</a> by <a
href="https://github.com/timleslie"><code>@​timleslie</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1475">nltk/nltk#1475</a></li>
<li>Use shutil.copyfileobj for unzipping by <a
href="https://github.com/ikorolev93"><code>@​ikorolev93</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1478">nltk/nltk#1478</a></li>
<li>Fixing Chen&amp;Cherry method 6 smoothing in BLEU score by <a
href="https://github.com/alvations"><code>@​alvations</code></a> in <a
href="https://redirect.github.com/nltk/nltk/pull/1477">nltk/nltk#1477</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/nltk/nltk/blob/develop/ChangeLog">nltk's
changelog</a>.</em></p>
<blockquote>
<p>Version 3.10.0 2026-06-11</p>
<ul>
<li>Enforce the stricter <code>nltk.pathsec</code> security policy by
default</li>
<li>Document the new security model and migration guidance</li>
<li>Harden resource loading against path traversal and
SSRF/DNS-rebinding</li>
<li>Harden downloader path handling and block XML entity expansion</li>
<li>Close remaining corpus-reader security edge cases</li>
<li>Replace unsafe <code>exec()</code> usage in the utility CLI</li>
<li>Warn on unpickling user-provided pickles</li>
<li>Add HuggingFace datasets integration
(<code>nltk.huggingface</code>)</li>
<li>Align TnT with Brants (2000) specifications</li>
<li>Fix PorterStemmer irregular-form lowercasing in NLTK mode</li>
<li>Fix TransitionParser sparse index dtype for scikit-learn 1.9</li>
<li>Fix TextCat tie handling</li>
<li>Fix WordNet object comparisons for incompatible types</li>
<li>Cache WordNet max depth lazily for
<code>lch_similarity()</code></li>
<li>Fix CCG variable direction, substitution, and type-raising bugs</li>
<li>Fix Jaro similarity for single-character and empty-string cases</li>
<li>Improve CI and release-maintenance workflows</li>
</ul>
<p>Thanks to the following contributors to 3.10.0:
13rac1, alvations, bowiechen, devesh-2002, ekaf, elias-ba,
haosenwang1018, HyperPS, ihitamandal, jancallewaert, jhnwnstd,
JuanIMartinezB, Lemm1, LinZiyuu, Mr-Neutr0n, PastelStorm,
scruge1, Syzygy2048, ylwango613, yzhaoinuw</p>
<p>Version 3.9.4 2026-03-24</p>
<ul>
<li>Support Python 3.14</li>
<li>Fix bug in Levenshtein distance when substitution_cost &gt; 2</li>
<li>Fix bug in Treebank detokeniser re quote ordering</li>
<li>Fix bug in Jaro similarity for empty strings</li>
<li>Several security enhancements</li>
<li>Fix GHSA-rf74-v2fm-23pw: unbounded recursion in
JSONTaggedDecoder</li>
<li>Implement TextTiling vocabulary introduction method (Hearst
1997)</li>
<li>Fix ALINE feature matrix errors and add comprehensive tests</li>
<li>Support multiple VerbNet versions, fix longid/shortid regex for
VerbNet ids</li>
<li>Let downloader fallback to md5 when sha256 is unavailable</li>
<li>Several other minor bugfixes and code cleanups</li>
</ul>
<p>Thanks to the following contributors to 3.9.4:
Min-Yen Kan, Eric Kafe, Emily Voss, bowiechen, Hrudhai01,
jancallewaert, Mr-Neutr0n, pollak.peter89, ylwango613,</p>
<p>Version 3.9.3 2026-02-21</p>
<ul>
<li>Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (<a
href="https://redirect.github.com/nltk/nltk/issues/3468">#3468</a>)</li>
<li>Block path traversal/arbitrary reads in nltk.data for protocol-less
refs (<a
href="https://redirect.github.com/nltk/nltk/issues/3467">#3467</a>)</li>
<li>Block path traversal/abs paths in corpus readers and FS pointers (<a
href="https://redirect.github.com/nltk/nltk/issues/3479">#3479</a>, <a
href="https://redirect.github.com/nltk/nltk/issues/3480">#3480</a>)</li>
<li>Validate external StanfordSegmenter JARs using SHA256 (<a
href="https://redirect.github.com/nltk/nltk/issues/3477">#3477</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/nltk/nltk/commit/bd49f9011d7dc8c6a36b3c4ae71f04060c9b3fb9"><code>bd49f90</code></a>
allow escaped brackets in Tree.fromstring (<a
href="https://redirect.github.com/nltk/nltk/issues/3694">#3694</a>)</li>
<li><a
href="https://github.com/nltk/nltk/commit/27b8ad6cd50a484590cb9409e5d2a891ab56e16c"><code>27b8ad6</code></a>
don't crash chomsky_normal_form on terminals with siblings (<a
href="https://redirect.github.com/nltk/nltk/issues/3693">#3693</a>)</li>
<li><a
href="https://github.com/nltk/nltk/commit/52227d2afe764648864e59c851e991cf1d6cb77e"><code>52227d2</code></a>
Use os.name for Windows path handling (<a
href="https://redirect.github.com/nltk/nltk/issues/3605">#3605</a>)</li>
<li><a
href="https://github.com/nltk/nltk/commit/06c0e2cc94f763d43320812ee9d2a7b6bff68f9b"><code>06c0e2c</code></a>
Avoid RIBES zero division on empty inputs (<a
href="https://redirect.github.com/nltk/nltk/issues/3604">#3604</a>)</li>
<li><a
href="https://github.com/nltk/nltk/commit/a167389c027a02a9d1f019630ed827f4069b3353"><code>a167389</code></a>
Treat missing unzip output as stale (<a
href="https://redirect.github.com/nltk/nltk/issues/3607">#3607</a>)</li>
<li><a
href="https://github.com/nltk/nltk/commit/c94c967a332e19af0a022db51467ee2baf6ccfeb"><code>c94c967</code></a>
Fix EOF empty document bug in IEER corpus reader (<a
href="https://redirect.github.com/nltk/nltk/issues/3648">#3648</a>)</li>
<li><a
href="https://github.com/nltk/nltk/commit/94a259c815370df66f98460f22478030e2954913"><code>94a259c</code></a>
Enforce restrictive primitive type checking in pathsec wrappers (<a
href="https://redirect.github.com/nltk/nltk/issues/3692">#3692</a>)</li>
<li><a
href="https://github.com/nltk/nltk/commit/5ac475d2ab95ea95d2890c745a05e5275137fb98"><code>5ac475d</code></a>
fix(security): isolate Stanford Java options and clean temp files (<a
href="https://redirect.github.com/nltk/nltk/issues/3683">#3683</a>)</li>
<li><a
href="https://github.com/nltk/nltk/commit/986f26e71bf22ee392a5e87285ee8398284aef2b"><code>986f26e</code></a>
ci(deps): bump the github-actions group with 3 updates (<a
href="https://redirect.github.com/nltk/nltk/issues/3691">#3691</a>)</li>
<li><a
href="https://github.com/nltk/nltk/commit/f26b3753038d937b68145daf15e9636f8451053c"><code>f26b375</code></a>
fix(security): prevent pickle RCE in TransitionParser model loading
(CWE-502)...</li>
<li>Additional commits viewable in <a
href="https://github.com/nltk/nltk/compare/3.9.4...v3.10.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=nltk&package-manager=uv&previous-version=3.9.4&new-version=3.10.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-13 23:41:23 -07:00
dependabot[bot] 3e983cb8f9 chore: bump mistune from 3.2.1 to 3.3.0 in /libs/text-splitters (#38826)
Bumps [mistune](https://github.com/lepture/mistune) from 3.2.1 to 3.3.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lepture/mistune/releases">mistune's
releases</a>.</em></p>
<blockquote>
<h2>v3.3.0</h2>
<h3>   🐞 Bug Fixes</h3>
<ul>
<li>Resolve O(n^2) DoS in parse_link_text (CWE-400)  -  by
<strong>bhanugoudm041</strong> <a
href="https://github.com/lepture/mistune/commit/b6b499d"><!-- raw HTML
omitted -->(b6b49)<!-- raw HTML omitted --></a></li>
<li>Resolve O(n^2) DoS in parse_link_text (CWE-400)-Type
handling/testing done  -  by <strong>bhanugoudm041</strong> <a
href="https://github.com/lepture/mistune/commit/b3af85d"><!-- raw HTML
omitted -->(b3af8)<!-- raw HTML omitted --></a></li>
<li><strong>block</strong>: Avoid quadratic ref link scans  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/2b04d7b"><!-- raw HTML
omitted -->(2b04d)<!-- raw HTML omitted --></a></li>
<li><strong>cli</strong>: Add entrypoint and utf-8 output  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/2f2449d"><!-- raw HTML
omitted -->(2f244)<!-- raw HTML omitted --></a></li>
<li><strong>directives</strong>: Constrain include targets  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/1bef343"><!-- raw HTML
omitted -->(1bef3)<!-- raw HTML omitted --></a></li>
<li><strong>formatting</strong>: Avoid quadratic marker scans  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/96d0f57"><!-- raw HTML
omitted -->(96d0f)<!-- raw HTML omitted --></a></li>
<li><strong>image</strong>: Validate figure width option  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/e3e51de"><!-- raw HTML
omitted -->(e3e51)<!-- raw HTML omitted --></a></li>
<li><strong>inline</strong>: Avoid bracket parsing DoS  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/25f2503"><!-- raw HTML
omitted -->(25f25)<!-- raw HTML omitted --></a></li>
<li><strong>math</strong>: Reject currency patterns and cross-line
matches in inline math  -  by <a
href="https://github.com/geopanther"><code>@​geopanther</code></a> <a
href="https://github.com/lepture/mistune/commit/566e173"><!-- raw HTML
omitted -->(566e1)<!-- raw HTML omitted --></a></li>
<li><strong>math</strong>: Support display and backtick math  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/1141eec"><!-- raw HTML
omitted -->(1141e)<!-- raw HTML omitted --></a></li>
<li><strong>renderer</strong>: Render plugin list and table nodes  -  by
<a href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/614b019"><!-- raw HTML
omitted -->(614b0)<!-- raw HTML omitted --></a></li>
<li><strong>renderer</strong>: Block encoded unsafe URL schemes  -  by
<a href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/c7101fc"><!-- raw HTML
omitted -->(c7101)<!-- raw HTML omitted --></a></li>
<li><strong>toc</strong>: Avoid generated id collisions  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/c4093c4"><!-- raw HTML
omitted -->(c4093)<!-- raw HTML omitted --></a></li>
</ul>
<h3>   🏎 Performance</h3>
<ul>
<li>Improve performance  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/bf95c32"><!-- raw HTML
omitted -->(bf95c)<!-- raw HTML omitted --></a></li>
</ul>
<h5>    <a
href="https://github.com/lepture/mistune/compare/v3.2.1...v3.3.0">View
changes on GitHub</a></h5>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/lepture/mistune/blob/main/docs/changes.rst">mistune's
changelog</a>.</em></p>
<blockquote>
<h2>Version 3.3.0</h2>
<p><strong>Released on Jun 21, 2026</strong></p>
<ul>
<li>Improve CommonMark compatibility and parser performance.</li>
<li>Add command line entrypoint with UTF-8 output.</li>
<li>Support display and backtick math.</li>
<li>Render plugin list and table nodes in Markdown renderer.</li>
<li>Escape leading block markers in Markdown renderer.</li>
<li>Fix RST renderer for block quotes nested in lists.</li>
<li>Avoid generated heading ID collisions in TOC.</li>
<li>Harden URL, image, figure, and include directive handling.</li>
<li>Fix quadratic scans in inline links, reference links, and formatting
markers.</li>
<li>Fix math escaping, currency pattern matching, and cross-line
matching.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/lepture/mistune/commit/15c3b79325125272263d7d42492ec8f757447191"><code>15c3b79</code></a>
chore: release 3.3.0</li>
<li><a
href="https://github.com/lepture/mistune/commit/bdc01ade171c7c2cd1099e2531ddf8c275a2f64c"><code>bdc01ad</code></a>
tests: increase run time on pypy</li>
<li><a
href="https://github.com/lepture/mistune/commit/7cf181483e6201184bcecdbae13225d45ebab4c4"><code>7cf1814</code></a>
tests: increase run time for pypy</li>
<li><a
href="https://github.com/lepture/mistune/commit/6dfdc3dae490c7a21499ff1063f4dd9b7357d4c5"><code>6dfdc3d</code></a>
tests: add more tests</li>
<li><a
href="https://github.com/lepture/mistune/commit/17c50f6c0572027c1dad2c2501e7c97cea0b0b43"><code>17c50f6</code></a>
chore: fix mypy issues</li>
<li><a
href="https://github.com/lepture/mistune/commit/63abe4b8e9adccc711c953e6727400ee7ba1084c"><code>63abe4b</code></a>
chore: use ruff check and format</li>
<li><a
href="https://github.com/lepture/mistune/commit/e6c1b184461beab8887c7375621c64dffaf652c5"><code>e6c1b18</code></a>
chore: resolve mypy issues</li>
<li><a
href="https://github.com/lepture/mistune/commit/dcf89020c1ee697b2267387064b3e4580e0b83c5"><code>dcf8902</code></a>
test(math): cover escaped math output</li>
<li><a
href="https://github.com/lepture/mistune/commit/c4093c4742ed0d10d9332fb8edb455869b7b581b"><code>c4093c4</code></a>
fix(toc): avoid generated id collisions</li>
<li><a
href="https://github.com/lepture/mistune/commit/e3e51de9cf0a72dc30191248dccf22087c57f046"><code>e3e51de</code></a>
fix(image): validate figure width option</li>
<li>Additional commits viewable in <a
href="https://github.com/lepture/mistune/compare/v3.2.1...v3.3.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=mistune&package-manager=uv&previous-version=3.2.1&new-version=3.3.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-14 00:40:10 -04:00
dependabot[bot] 0076f37716 chore: bump vcrpy from 8.2.1 to 8.3.0 in /libs/standard-tests (#38827)
Bumps [vcrpy](https://github.com/kevin1024/vcrpy) from 8.2.1 to 8.3.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/kevin1024/vcrpy/releases">vcrpy's
releases</a>.</em></p>
<blockquote>
<h2>v8.3.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Add support for niquests (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/980">#980</a>)
— thanks <a
href="https://github.com/ionelmc"><code>@​ionelmc</code></a></li>
<li>Recording now fails fast if a request or response contains a Python
object the safe YAML loader (introduced in 8.2.1) couldn't read back,
instead of writing a cassette that breaks on replay. The error shows
exactly how to register the object if you need it (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1007">#1007</a>,
<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1009">#1009</a>)
— thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>New
<code>vcr.serializers.yamlserializer.with_custom_tags(...)</code> builds
a YAML serializer supporting custom Python object tags on both record
and replay, registered per VCR instance via
<code>register_serializer</code> (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1007">#1007</a>,
<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1009">#1009</a>)
— thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>Clearer error when a cassette contains an unsupported YAML tag, and
the stale git.io migration link is gone (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1007">#1007</a>,
<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1008">#1008</a>)
— thanks <a
href="https://github.com/gaoflow"><code>@​gaoflow</code></a></li>
<li>Fix stale keep-alive connection reuse across cassettes; unpin
werkzeug (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1001">#1001</a>)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/kevin1024/vcrpy/compare/v8.2.1...v8.3.0">https://github.com/kevin1024/vcrpy/compare/v8.2.1...v8.3.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/kevin1024/vcrpy/blob/master/docs/changelog.rst">vcrpy's
changelog</a>.</em></p>
<blockquote>
<h2>Changelog</h2>
<p>All help in providing PRs to close out bug issues is appreciated.
Even if that is providing a repo that fully replicates issues. We have
very generous contributors that have added these to bug issues which
meant another contributor picked up the bug and closed it out.</p>
<ul>
<li>
<p>8.3.0</p>
<ul>
<li>Add support for niquests (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/980">#980</a>)
- thanks <a
href="https://github.com/ionelmc"><code>@​ionelmc</code></a></li>
<li>Refuse to record a cassette containing a Python object the safe YAML
loader could not read back, so recording fails fast instead of producing
a cassette that breaks on replay (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1007">#1007</a>,
<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1009">#1009</a>)
- thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>Add <code>vcr.serializers.yamlserializer.with_custom_tags</code> to
build a YAML serializer supporting custom Python object tags on both
record and replay, registered per VCR instance via
<code>register_serializer</code> (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1007">#1007</a>,
<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1009">#1009</a>)
- thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>Clearer error when a cassette contains an unsupported YAML tag, and
remove the stale git.io migration link (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1007">#1007</a>,
<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1008">#1008</a>)
- thanks <a
href="https://github.com/gaoflow"><code>@​gaoflow</code></a></li>
<li>Fix stale keep-alive connection reuse across cassettes; unpin
werkzeug (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1001">#1001</a>)</li>
</ul>
</li>
<li>
<p>8.2.1</p>
<ul>
<li>SECURITY: Load cassettes with a safe YAML loader, preventing
arbitrary code execution when a cassette from an untrusted source is
loaded (GHSA-rpj2-4hq8-938g) - thanks <a
href="https://github.com/RamiAltai"><code>@​RamiAltai</code></a> and <a
href="https://github.com/EQSTLab"><code>@​EQSTLab</code></a></li>
<li>Validate <code>record_mode</code> and raise a clear error on an
invalid value (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/208">#208</a>)</li>
<li>Recommend pytest-recording over the unmaintained pytest-vcr in the
docs (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/986">#986</a>)</li>
</ul>
</li>
<li>
<p>8.2.0</p>
<ul>
<li>Add support for httpx 2.x (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/993">#993</a>)
- thanks <a
href="https://github.com/dsfaccini"><code>@​dsfaccini</code></a></li>
<li>Patch httpx transports instead of httpcore (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/972">#972</a>)
- thanks <a
href="https://github.com/seowalex"><code>@​seowalex</code></a></li>
<li>Fix aiohttp 3.14 compatibility: <code>AsyncStreamReaderMixin</code>
removed and <code>ClientResponse</code> now requires
<code>stream_writer</code> (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/995">#995</a>)
- thanks <a
href="https://github.com/dsfaccini"><code>@​dsfaccini</code></a></li>
<li>Account for modified requests when storing played cassettes, so
<code>drop_unused_requests</code> honours
<code>before_record_request</code> filtering (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/962">#962</a>)
- thanks <a
href="https://github.com/jamesbraza"><code>@​jamesbraza</code></a></li>
<li>Make the request URL available on <code>VCRHTTPResponse</code> (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/976">#976</a>)
- thanks <a
href="https://github.com/dAnjou"><code>@​dAnjou</code></a></li>
<li>Improve error message when a matching request has already been
consumed (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/985">#985</a>)
- thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>Fix body check in <code>convert_body_to_unicode</code> to use an
explicit type check (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/982">#982</a>)
- thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>Add env proxy cassette regression test (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/994">#994</a>)
- thanks <a
href="https://github.com/tine1117"><code>@​tine1117</code></a></li>
<li>Remove milestone references from docs (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/984">#984</a>)
- thanks <a
href="https://github.com/Polandia94"><code>@​Polandia94</code></a></li>
<li>CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/973">#973</a>)</li>
</ul>
</li>
<li>
<p>8.1.1</p>
<ul>
<li>Fix sync requests in async contexts for HTTPX (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/965">#965</a>)
- thanks <a
href="https://github.com/seowalex"><code>@​seowalex</code></a></li>
<li>CI: bump peter-evans/create-pull-request from 7 to 8 (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/969">#969</a>)</li>
</ul>
</li>
<li>
<p>8.1.0</p>
<ul>
<li>Enable brotli decompression if available (via <code>brotli</code>,
<code>brotlipy</code> or <code>brotlicffi</code>) (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/620">#620</a>)
- thanks <a
href="https://github.com/immerrr"><code>@​immerrr</code></a></li>
<li>Fix aiohttp allowing both <code>data</code> and <code>json</code>
arguments when one is None (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/624">#624</a>)
- thanks <a
href="https://github.com/leorochael"><code>@​leorochael</code></a></li>
<li>Fix usage of io-like interface with VCR.py (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/906">#906</a>)
- thanks <a href="https://github.com/tito"><code>@​tito</code></a> and
<a href="https://github.com/kevdevg"><code>@​kevdevg</code></a></li>
<li>Migrate to declarative Python package config (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/767">#767</a>)
- thanks <a
href="https://github.com/deronnax"><code>@​deronnax</code></a></li>
<li>Various linting fixes - thanks <a
href="https://github.com/jairhenrique"><code>@​jairhenrique</code></a></li>
<li>CI: bump actions/checkout from 5 to 6 (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/955">#955</a>)</li>
</ul>
</li>
<li>
<p>8.0.0</p>
<ul>
<li>BREAKING: Drop support for Python 3.9 (major version bump) - thanks
<a
href="https://github.com/jairhenrique"><code>@​jairhenrique</code></a></li>
<li>BREAKING: Drop support for urllib3 &lt; 2 - fixes CVE warnings from
urllib3 1.x (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/926">#926</a>,
<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/880">#880</a>)
- thanks <a
href="https://github.com/jairhenrique"><code>@​jairhenrique</code></a></li>
<li>New feature: <code>drop_unused_requests</code> option to remove
unused interactions from cassettes (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/763">#763</a>)
- thanks <a
href="https://github.com/danielnsilva"><code>@​danielnsilva</code></a></li>
<li>Rewrite httpx support to patch httpcore instead of httpx (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/943">#943</a>)
- thanks <a
href="https://github.com/seowalex"><code>@​seowalex</code></a>
<ul>
<li>Fixes <code>httpx.ResponseNotRead</code> exceptions (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/832">#832</a>,
<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/834">#834</a>)</li>
<li>Fixes <code>KeyError: 'follow_redirects'</code> (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/945">#945</a>)</li>
<li>Adds support for custom httpx transports</li>
</ul>
</li>
<li>Fix HTTPS proxy handling - proxy address no longer ends up in
cassette URIs (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/809">#809</a>,
<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/914">#914</a>)
- thanks <a href="https://github.com/alga"><code>@​alga</code></a></li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/kevin1024/vcrpy/commit/c599974b31f3e510df9b98e61513fe6889a50db0"><code>c599974</code></a>
Release v8.3.0</li>
<li><a
href="https://github.com/kevin1024/vcrpy/commit/68cbe595bacfc75fe5cc4ac620a04e4333b1f167"><code>68cbe59</code></a>
Show how to register a custom object in the cassette-not-saved
error</li>
<li><a
href="https://github.com/kevin1024/vcrpy/commit/7a898b54c9b9e47a689987e7b4fffe334d986675"><code>7a898b5</code></a>
Refuse to record cassettes the safe YAML loader can't read back (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1012">#1012</a>)</li>
<li><a
href="https://github.com/kevin1024/vcrpy/commit/1421b3636226a0774c2b4766fe848289e6b45c23"><code>1421b36</code></a>
fix: show descriptive error when cassette contains unsupported YAML tags
(<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1008">#1008</a>)</li>
<li><a
href="https://github.com/kevin1024/vcrpy/commit/b1fb62bf474d27be3ccafdc6bc1b8a7a1c5c4b8d"><code>b1fb62b</code></a>
Merge pull request <a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1000">#1000</a>
from kevin1024/dependabot/pre_commit/https-/github.c...</li>
<li><a
href="https://github.com/kevin1024/vcrpy/commit/9e741174c7a8e306f882001e0e7f8b1f7c3bd288"><code>9e74117</code></a>
Fix stale keep-alive connection reuse; unpin werkzeug (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/1001">#1001</a>)</li>
<li><a
href="https://github.com/kevin1024/vcrpy/commit/30a721d400b55ced25f5d8a612b8a1ae01240160"><code>30a721d</code></a>
Loosen up some things to allow vcrpy to work with niquests (<a
href="https://redirect.github.com/kevin1024/vcrpy/issues/980">#980</a>)</li>
<li><a
href="https://github.com/kevin1024/vcrpy/commit/393e349ad56e2de2b558cf92782c10ca14b024ec"><code>393e349</code></a>
build(deps): bump <a
href="https://github.com/astral-sh/ruff-pre-commit">https://github.com/astral-sh/ruff-pre-commit</a></li>
<li>See full diff in <a
href="https://github.com/kevin1024/vcrpy/compare/v8.2.1...v8.3.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=vcrpy&package-manager=uv&previous-version=8.2.1&new-version=8.3.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-14 00:40:04 -04:00
dependabot[bot] b255847eb4 chore: bump langsmith from 0.9.5 to 0.10.2 in /libs/partners/fireworks (#38830)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from
0.9.5 to 0.10.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's
releases</a>.</em></p>
<blockquote>
<h2>v0.10.2</h2>
<h2>What's Changed</h2>
<ul>
<li>release(js): 0.8.1 by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3185">langchain-ai/langsmith-sdk#3185</a></li>
<li>refactor(voice): move span attribute setters onto TranslatedSpan by
<a
href="https://github.com/carolinedivittorio"><code>@​carolinedivittorio</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3179">langchain-ai/langsmith-sdk#3179</a></li>
<li>feat: add SmithDB by-key path to add_runs_to_annotation_queue (runs=
param) [LSDK-287] by <a
href="https://github.com/ayoung19"><code>@​ayoung19</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3077">langchain-ai/langsmith-sdk#3077</a></li>
<li>refactor(livekit + pipecat): Refactor for clarity by <a
href="https://github.com/carolinedivittorio"><code>@​carolinedivittorio</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3187">langchain-ai/langsmith-sdk#3187</a></li>
<li>feat(py): re-export OpenAPI client exceptions from langsmith package
by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3188">langchain-ai/langsmith-sdk#3188</a></li>
<li>release(python): bump py version to 0.10.2 by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3189">langchain-ai/langsmith-sdk#3189</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/ayoung19"><code>@​ayoung19</code></a>
made their first contribution in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3077">langchain-ai/langsmith-sdk#3077</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.10.1...v0.10.2">https://github.com/langchain-ai/langsmith-sdk/compare/v0.10.1...v0.10.2</a></p>
<h2>v0.10.1</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: bound voice streaming audio buffers by <a
href="https://github.com/jkennedyvz"><code>@​jkennedyvz</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3169">langchain-ai/langsmith-sdk#3169</a></li>
<li>fix: escape insights report html repr by <a
href="https://github.com/corridor-security"><code>@​corridor-security</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3176">langchain-ai/langsmith-sdk#3176</a></li>
<li>chore: bump _MIN_BACKEND_VERSION to 0.16.12rc1 by <a
href="https://github.com/langtions-bot"><code>@​langtions-bot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3178">langchain-ai/langsmith-sdk#3178</a></li>
<li>Fix URL Path Injection via Unencoded Resource Names in Python
Sandbox Client (Sync) by <a
href="https://github.com/corridor-security"><code>@​corridor-security</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3177">langchain-ai/langsmith-sdk#3177</a></li>
<li>feat(js): expose openapi client error classes by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3181">langchain-ai/langsmith-sdk#3181</a></li>
<li>release(py): 0.10.1 by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3184">langchain-ai/langsmith-sdk#3184</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/corridor-security"><code>@​corridor-security</code></a>[bot]
made their first contribution in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3176">langchain-ai/langsmith-sdk#3176</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.10.0...v0.10.1">https://github.com/langchain-ai/langsmith-sdk/compare/v0.10.0...v0.10.1</a></p>
<h2>v0.10.0</h2>
<h2>What's Changed</h2>
<ul>
<li>chore: sync langsmith_api by <a
href="https://github.com/langtions-bot"><code>@​langtions-bot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3152">langchain-ai/langsmith-sdk#3152</a></li>
<li>release(js): bump JS SDK to 0.7.16 by <a
href="https://github.com/sineha-mani"><code>@​sineha-mani</code></a> in
<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3160">langchain-ai/langsmith-sdk#3160</a></li>
<li>feat: expose OTel-safe metadata helpers [closes LSDK-262] by <a
href="https://github.com/open-swe"><code>@​open-swe</code></a>[bot] in
<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3091">langchain-ai/langsmith-sdk#3091</a></li>
<li>feat(integrations): helpers to build LangSmith run URLs from OTel
spans [LSDK-273] by <a
href="https://github.com/harisaiharish"><code>@​harisaiharish</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3142">langchain-ai/langsmith-sdk#3142</a></li>
<li>fix(python): remove projects accessor from AsyncClient by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3163">langchain-ai/langsmith-sdk#3163</a></li>
<li>chore: sync langsmith_api by <a
href="https://github.com/langtions-bot"><code>@​langtions-bot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3162">langchain-ai/langsmith-sdk#3162</a></li>
<li>feat(js): Extends wrapAnthropic JS wrapper to support Claude Managed
Agents methods by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3155">langchain-ai/langsmith-sdk#3155</a></li>
<li>release(js): 0.7.17 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3166">langchain-ai/langsmith-sdk#3166</a></li>
<li>feat(client): expose threads and traces resource accessors on Python
and JS clients by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3164">langchain-ai/langsmith-sdk#3164</a></li>
<li>ci: freeze pnpm environment test installs by <a
href="https://github.com/jkennedyvz"><code>@​jkennedyvz</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3168">langchain-ai/langsmith-sdk#3168</a></li>
<li>Quote sandbox client URL path segments by <a
href="https://github.com/langsmith-fleet"><code>@​langsmith-fleet</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3167">langchain-ai/langsmith-sdk#3167</a></li>
<li>release(js): 0.8.0 by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3171">langchain-ai/langsmith-sdk#3171</a></li>
<li>release(py): 0.10.0 by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3170">langchain-ai/langsmith-sdk#3170</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/langsmith-fleet"><code>@​langsmith-fleet</code></a>[bot]
made their first contribution in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3167">langchain-ai/langsmith-sdk#3167</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.9.8...v0.10.0">https://github.com/langchain-ai/langsmith-sdk/compare/v0.9.8...v0.10.0</a></p>
<h2>v0.9.8</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/687fc8d527a28504432f52bd08c75f2894c209fe"><code>687fc8d</code></a>
release(python): bump py version to 0.10.2 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3189">#3189</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/08cbc910be1b91f4a2714a158b32fa3a56bf7040"><code>08cbc91</code></a>
feat(py): re-export OpenAPI client exceptions from langsmith package (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3188">#3188</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/d309be59b951dc3b3796753b25908c029bead7d8"><code>d309be5</code></a>
refactor(livekit + pipecat): Refactor for clarity (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3187">#3187</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/2e61f5418458fa559943da2ce274dfcd231cf074"><code>2e61f54</code></a>
feat: add SmithDB by-key path to add_runs_to_annotation_queue (runs=
param) [...</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/fab828a2b074aab98bc22d73c569ece2435e17ae"><code>fab828a</code></a>
refactor(voice): move span attribute setters onto TranslatedSpan (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3179">#3179</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/2f7709cdaaf6626a22daefa9fecef712abf3e39c"><code>2f7709c</code></a>
release(js): 0.8.1 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3185">#3185</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/6388e488ba28f8b18e18e34a3452f4a7e0c755aa"><code>6388e48</code></a>
release(py): 0.10.1 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3184">#3184</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/de74fb8f42bb632257de19f22d18a41c7d5a59b0"><code>de74fb8</code></a>
feat(js): expose openapi client error classes (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3181">#3181</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/6c0729a9bc00ab49a804b57731a423714b879a0e"><code>6c0729a</code></a>
Fix URL Path Injection via Unencoded Resource Names in Python Sandbox
Client ...</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/996073e478d6960b189d5a12d1f4f5adda9d7272"><code>996073e</code></a>
chore: bump _MIN_BACKEND_VERSION to 0.16.12rc1 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3178">#3178</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.9.5...v0.10.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langsmith&package-manager=uv&previous-version=0.9.5&new-version=0.10.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-13 17:58:55 -04:00
dependabot[bot] dde88cdb49 chore: bump langsmith from 0.9.5 to 0.10.2 in /libs/partners/huggingface (#38829)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from
0.9.5 to 0.10.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's
releases</a>.</em></p>
<blockquote>
<h2>v0.10.2</h2>
<h2>What's Changed</h2>
<ul>
<li>release(js): 0.8.1 by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3185">langchain-ai/langsmith-sdk#3185</a></li>
<li>refactor(voice): move span attribute setters onto TranslatedSpan by
<a
href="https://github.com/carolinedivittorio"><code>@​carolinedivittorio</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3179">langchain-ai/langsmith-sdk#3179</a></li>
<li>feat: add SmithDB by-key path to add_runs_to_annotation_queue (runs=
param) [LSDK-287] by <a
href="https://github.com/ayoung19"><code>@​ayoung19</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3077">langchain-ai/langsmith-sdk#3077</a></li>
<li>refactor(livekit + pipecat): Refactor for clarity by <a
href="https://github.com/carolinedivittorio"><code>@​carolinedivittorio</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3187">langchain-ai/langsmith-sdk#3187</a></li>
<li>feat(py): re-export OpenAPI client exceptions from langsmith package
by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3188">langchain-ai/langsmith-sdk#3188</a></li>
<li>release(python): bump py version to 0.10.2 by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3189">langchain-ai/langsmith-sdk#3189</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/ayoung19"><code>@​ayoung19</code></a>
made their first contribution in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3077">langchain-ai/langsmith-sdk#3077</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.10.1...v0.10.2">https://github.com/langchain-ai/langsmith-sdk/compare/v0.10.1...v0.10.2</a></p>
<h2>v0.10.1</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: bound voice streaming audio buffers by <a
href="https://github.com/jkennedyvz"><code>@​jkennedyvz</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3169">langchain-ai/langsmith-sdk#3169</a></li>
<li>fix: escape insights report html repr by <a
href="https://github.com/corridor-security"><code>@​corridor-security</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3176">langchain-ai/langsmith-sdk#3176</a></li>
<li>chore: bump _MIN_BACKEND_VERSION to 0.16.12rc1 by <a
href="https://github.com/langtions-bot"><code>@​langtions-bot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3178">langchain-ai/langsmith-sdk#3178</a></li>
<li>Fix URL Path Injection via Unencoded Resource Names in Python
Sandbox Client (Sync) by <a
href="https://github.com/corridor-security"><code>@​corridor-security</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3177">langchain-ai/langsmith-sdk#3177</a></li>
<li>feat(js): expose openapi client error classes by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3181">langchain-ai/langsmith-sdk#3181</a></li>
<li>release(py): 0.10.1 by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3184">langchain-ai/langsmith-sdk#3184</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/corridor-security"><code>@​corridor-security</code></a>[bot]
made their first contribution in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3176">langchain-ai/langsmith-sdk#3176</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.10.0...v0.10.1">https://github.com/langchain-ai/langsmith-sdk/compare/v0.10.0...v0.10.1</a></p>
<h2>v0.10.0</h2>
<h2>What's Changed</h2>
<ul>
<li>chore: sync langsmith_api by <a
href="https://github.com/langtions-bot"><code>@​langtions-bot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3152">langchain-ai/langsmith-sdk#3152</a></li>
<li>release(js): bump JS SDK to 0.7.16 by <a
href="https://github.com/sineha-mani"><code>@​sineha-mani</code></a> in
<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3160">langchain-ai/langsmith-sdk#3160</a></li>
<li>feat: expose OTel-safe metadata helpers [closes LSDK-262] by <a
href="https://github.com/open-swe"><code>@​open-swe</code></a>[bot] in
<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3091">langchain-ai/langsmith-sdk#3091</a></li>
<li>feat(integrations): helpers to build LangSmith run URLs from OTel
spans [LSDK-273] by <a
href="https://github.com/harisaiharish"><code>@​harisaiharish</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3142">langchain-ai/langsmith-sdk#3142</a></li>
<li>fix(python): remove projects accessor from AsyncClient by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3163">langchain-ai/langsmith-sdk#3163</a></li>
<li>chore: sync langsmith_api by <a
href="https://github.com/langtions-bot"><code>@​langtions-bot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3162">langchain-ai/langsmith-sdk#3162</a></li>
<li>feat(js): Extends wrapAnthropic JS wrapper to support Claude Managed
Agents methods by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3155">langchain-ai/langsmith-sdk#3155</a></li>
<li>release(js): 0.7.17 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3166">langchain-ai/langsmith-sdk#3166</a></li>
<li>feat(client): expose threads and traces resource accessors on Python
and JS clients by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3164">langchain-ai/langsmith-sdk#3164</a></li>
<li>ci: freeze pnpm environment test installs by <a
href="https://github.com/jkennedyvz"><code>@​jkennedyvz</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3168">langchain-ai/langsmith-sdk#3168</a></li>
<li>Quote sandbox client URL path segments by <a
href="https://github.com/langsmith-fleet"><code>@​langsmith-fleet</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3167">langchain-ai/langsmith-sdk#3167</a></li>
<li>release(js): 0.8.0 by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3171">langchain-ai/langsmith-sdk#3171</a></li>
<li>release(py): 0.10.0 by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3170">langchain-ai/langsmith-sdk#3170</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/langsmith-fleet"><code>@​langsmith-fleet</code></a>[bot]
made their first contribution in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3167">langchain-ai/langsmith-sdk#3167</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.9.8...v0.10.0">https://github.com/langchain-ai/langsmith-sdk/compare/v0.9.8...v0.10.0</a></p>
<h2>v0.9.8</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/687fc8d527a28504432f52bd08c75f2894c209fe"><code>687fc8d</code></a>
release(python): bump py version to 0.10.2 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3189">#3189</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/08cbc910be1b91f4a2714a158b32fa3a56bf7040"><code>08cbc91</code></a>
feat(py): re-export OpenAPI client exceptions from langsmith package (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3188">#3188</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/d309be59b951dc3b3796753b25908c029bead7d8"><code>d309be5</code></a>
refactor(livekit + pipecat): Refactor for clarity (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3187">#3187</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/2e61f5418458fa559943da2ce274dfcd231cf074"><code>2e61f54</code></a>
feat: add SmithDB by-key path to add_runs_to_annotation_queue (runs=
param) [...</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/fab828a2b074aab98bc22d73c569ece2435e17ae"><code>fab828a</code></a>
refactor(voice): move span attribute setters onto TranslatedSpan (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3179">#3179</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/2f7709cdaaf6626a22daefa9fecef712abf3e39c"><code>2f7709c</code></a>
release(js): 0.8.1 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3185">#3185</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/6388e488ba28f8b18e18e34a3452f4a7e0c755aa"><code>6388e48</code></a>
release(py): 0.10.1 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3184">#3184</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/de74fb8f42bb632257de19f22d18a41c7d5a59b0"><code>de74fb8</code></a>
feat(js): expose openapi client error classes (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3181">#3181</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/6c0729a9bc00ab49a804b57731a423714b879a0e"><code>6c0729a</code></a>
Fix URL Path Injection via Unencoded Resource Names in Python Sandbox
Client ...</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/996073e478d6960b189d5a12d1f4f5adda9d7272"><code>996073e</code></a>
chore: bump _MIN_BACKEND_VERSION to 0.16.12rc1 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3178">#3178</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.9.5...v0.10.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langsmith&package-manager=uv&previous-version=0.9.5&new-version=0.10.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-13 17:58:26 -04:00
dependabot[bot] b27f55498f chore: bump transformers from 5.3.0 to 5.5.0 in /libs/partners/huggingface (#38828)
Bumps [transformers](https://github.com/huggingface/transformers) from
5.3.0 to 5.5.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/huggingface/transformers/releases">transformers's
releases</a>.</em></p>
<blockquote>
<h1>Release v5.5.0</h1>
<!-- raw HTML omitted -->
<h2>New Model additions</h2>
<h3>Gemma4</h3>
<p><a
href="https://github.com/huggingface/transformers/blob/HEAD/INSET_PAPER_LINK">Gemma
4</a> is a multimodal model with pretrained and instruction-tuned
variants, available in 1B, 13B, and 27B parameters. The architecture is
mostly the same as the previous Gemma versions. The key differences are
a vision processor that can output images of fixed token budget and a
spatial 2D RoPE to encode vision-specific information across height and
width axis.</p>
<!-- raw HTML omitted -->
<p>You can find all the original Gemma 4 checkpoints under the <a
href="https://huggingface.co/collections/google/gemma-4-release-67c6c6f89c4f76621268bb6d">Gemma
4</a> release.</p>
<p>The key difference from previous Gemma releases is the new design to
process <strong>images of different sizes</strong> using a
<strong>fixed-budget number of tokens</strong>. Unlike many models that
squash every image into a fixed square (like 224×224), Gemma 4 keeps the
image's natural aspect ratio while making it the right size. There a a
couple constraints to follow:</p>
<ul>
<li>The total number of pixels must fit within a patch budget</li>
<li>Both height and width must be divisible by <strong>48</strong> (=
patch size 16 × pooling kernel 3)</li>
</ul>
<blockquote>
<p>[!IMPORTANT]
Gemma 4 does <strong>not</strong> apply the standard ImageNet mean/std
normalization that many other vision models use. The model's own patch
embedding layer handles the final scaling internally (shifting values to
the [-1, 1] range).</p>
</blockquote>
<p>The number of &quot;soft tokens&quot; (aka vision tokens) an image
processor can produce is configurable. The supported options are
outlined below and the default is <strong>280 soft tokens</strong> per
image.</p>
<table>
<thead>
<tr>
<th align="center">Soft Tokens</th>
<th align="center">Patches (before pooling)</th>
<th align="center">Approx. Image Area</th>
</tr>
</thead>
<tbody>
<tr>
<td align="center">70</td>
<td align="center">630</td>
<td align="center">~161K pixels</td>
</tr>
<tr>
<td align="center">140</td>
<td align="center">1,260</td>
<td align="center">~323K pixels</td>
</tr>
<tr>
<td align="center"><strong>280</strong></td>
<td align="center"><strong>2,520</strong></td>
<td align="center"><strong>~645K pixels</strong></td>
</tr>
<tr>
<td align="center">560</td>
<td align="center">5,040</td>
<td align="center">~1.3M pixels</td>
</tr>
<tr>
<td align="center">1,120</td>
<td align="center">10,080</td>
<td align="center">~2.6M pixels</td>
</tr>
</tbody>
</table>
<p>To encode positional information for each patch in the image, Gemma 4
uses a learned 2D position embedding table. The position table stores up
to 10,240 positions per axis, which allows the model to handle very
large images. Each position is a learned vector of the same dimensions
as the patch embedding. The 2D RoPE which Gemma 4 uses independently
rotate half the attention head dimensions for the x-axis and the other
half for the y-axis. This allows the model to understand spatial
relationships like &quot;above,&quot; &quot;below,&quot; &quot;left
of,&quot; and &quot;right of.&quot;</p>
<h3>NomicBERT</h3>
<p>NomicBERT is a BERT-inspired encoder model that applies Rotary
Position Embeddings (RoPE) to create reproducible long context text
embeddings. It is the first fully reproducible, open-source text
embedding model with 8192 context length that outperforms both OpenAI
Ada-002 and OpenAI text-embedding-3-small on short-context MTEB and long
context LoCo benchmarks. The model generates dense vector embeddings for
various tasks including search, clustering, and classification using
specific instruction prefixes.</p>
<p><strong>Links:</strong> <a
href="https://huggingface.co/docs/transformers/main/en/model_doc/nomic_bert">Documentation</a>
| <a href="https://arxiv.org/abs/2402.01613">Paper</a></p>
<ul>
<li>Internalise the NomicBERT model (<a
href="https://redirect.github.com/huggingface/transformers/issues/43067">#43067</a>)
by <a href="https://github.com/ed22699"><code>@​ed22699</code></a> in <a
href="https://redirect.github.com/huggingface/transformers/pull/43067">#43067</a></li>
</ul>
<h3>MusicFlamingo</h3>
<p>Music Flamingo is a fully open large audio–language model designed
for robust understanding and reasoning over music. It builds upon the
Audio Flamingo 3 architecture by including Rotary Time Embeddings
(RoTE), which injects temporal position information to enable the model
to handle audio sequences up to 20 minutes. The model features a unified
audio encoder across speech, sound, and music with special sound
boundary tokens for improved audio sequence modeling.</p>
<p><strong>Links:</strong> <a
href="https://huggingface.co/docs/transformers/main/en/model_doc/musicflamingo">Documentation</a>
| <a href="https://huggingface.co/papers/2511.10289">Paper</a></p>
<ul>
<li>Add Music Flamingo (<a
href="https://redirect.github.com/huggingface/transformers/issues/43538">#43538</a>)
by <a href="https://github.com/lashahub"><code>@​lashahub</code></a> in
<a
href="https://redirect.github.com/huggingface/transformers/pull/43538">#43538</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/huggingface/transformers/commit/c1c34249fa27deefbd4a377dfbf883a39baf5c6d"><code>c1c3424</code></a>
update</li>
<li><a
href="https://github.com/huggingface/transformers/commit/20bff6865a756a074f5b893b57f0ae438b25ec46"><code>20bff68</code></a>
update release workflow</li>
<li><a
href="https://github.com/huggingface/transformers/commit/89564412a56ae6581f8aa48a533a835860dc9f43"><code>8956441</code></a>
v5.5.0</li>
<li><a
href="https://github.com/huggingface/transformers/commit/5135e5efa7203cd23aac0866de12dfeef038422d"><code>5135e5e</code></a>
casually dropping the most capable open weights on the planet (<a
href="https://redirect.github.com/huggingface/transformers/issues/45192">#45192</a>)</li>
<li><a
href="https://github.com/huggingface/transformers/commit/a594e09e3924120f1f5508e7d81946bf3504df2b"><code>a594e09</code></a>
Internalise the NomicBERT model (<a
href="https://redirect.github.com/huggingface/transformers/issues/43067">#43067</a>)</li>
<li><a
href="https://github.com/huggingface/transformers/commit/4932e9721e230bea915341e7f04db32885b6c6af"><code>4932e97</code></a>
Fix resized LM head weights being overwritten by post_init (<a
href="https://redirect.github.com/huggingface/transformers/issues/45079">#45079</a>)</li>
<li><a
href="https://github.com/huggingface/transformers/commit/57e84139542c8c297873f35fcd25f66ffcf132ae"><code>57e8413</code></a>
[Qwen3.5 MoE] Add _tp_plan to ForConditionalGeneration (<a
href="https://redirect.github.com/huggingface/transformers/issues/45124">#45124</a>)</li>
<li><a
href="https://github.com/huggingface/transformers/commit/b10552e99dc4974b30126995baea455df43f8476"><code>b10552e</code></a>
Fix TypeError: 'NoneType' object is not iterable in
GenerationMixin.generate ...</li>
<li><a
href="https://github.com/huggingface/transformers/commit/423f2a31d2bd05bdc1dc30dd938389edaa998fde"><code>423f2a3</code></a>
fix(models): Fix dtype mismatch in SwitchTransformers and
TimmWrapperModel (#...</li>
<li><a
href="https://github.com/huggingface/transformers/commit/ade7a05a42bf53b183bb78c181743be063c5ff14"><code>ade7a05</code></a>
Generalize gemma vision mask to videos (<a
href="https://redirect.github.com/huggingface/transformers/issues/45185">#45185</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/huggingface/transformers/compare/v5.3.0...v5.5.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=transformers&package-manager=uv&previous-version=5.3.0&new-version=5.5.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-13 17:58:17 -04:00
dependabot[bot] 3d4426d427 chore: bump langsmith from 0.9.5 to 0.10.2 in /libs/partners/chroma (#38831)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from
0.9.5 to 0.10.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's
releases</a>.</em></p>
<blockquote>
<h2>v0.10.2</h2>
<h2>What's Changed</h2>
<ul>
<li>release(js): 0.8.1 by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3185">langchain-ai/langsmith-sdk#3185</a></li>
<li>refactor(voice): move span attribute setters onto TranslatedSpan by
<a
href="https://github.com/carolinedivittorio"><code>@​carolinedivittorio</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3179">langchain-ai/langsmith-sdk#3179</a></li>
<li>feat: add SmithDB by-key path to add_runs_to_annotation_queue (runs=
param) [LSDK-287] by <a
href="https://github.com/ayoung19"><code>@​ayoung19</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3077">langchain-ai/langsmith-sdk#3077</a></li>
<li>refactor(livekit + pipecat): Refactor for clarity by <a
href="https://github.com/carolinedivittorio"><code>@​carolinedivittorio</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3187">langchain-ai/langsmith-sdk#3187</a></li>
<li>feat(py): re-export OpenAPI client exceptions from langsmith package
by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3188">langchain-ai/langsmith-sdk#3188</a></li>
<li>release(python): bump py version to 0.10.2 by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3189">langchain-ai/langsmith-sdk#3189</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/ayoung19"><code>@​ayoung19</code></a>
made their first contribution in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3077">langchain-ai/langsmith-sdk#3077</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.10.1...v0.10.2">https://github.com/langchain-ai/langsmith-sdk/compare/v0.10.1...v0.10.2</a></p>
<h2>v0.10.1</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: bound voice streaming audio buffers by <a
href="https://github.com/jkennedyvz"><code>@​jkennedyvz</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3169">langchain-ai/langsmith-sdk#3169</a></li>
<li>fix: escape insights report html repr by <a
href="https://github.com/corridor-security"><code>@​corridor-security</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3176">langchain-ai/langsmith-sdk#3176</a></li>
<li>chore: bump _MIN_BACKEND_VERSION to 0.16.12rc1 by <a
href="https://github.com/langtions-bot"><code>@​langtions-bot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3178">langchain-ai/langsmith-sdk#3178</a></li>
<li>Fix URL Path Injection via Unencoded Resource Names in Python
Sandbox Client (Sync) by <a
href="https://github.com/corridor-security"><code>@​corridor-security</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3177">langchain-ai/langsmith-sdk#3177</a></li>
<li>feat(js): expose openapi client error classes by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3181">langchain-ai/langsmith-sdk#3181</a></li>
<li>release(py): 0.10.1 by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3184">langchain-ai/langsmith-sdk#3184</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/corridor-security"><code>@​corridor-security</code></a>[bot]
made their first contribution in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3176">langchain-ai/langsmith-sdk#3176</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.10.0...v0.10.1">https://github.com/langchain-ai/langsmith-sdk/compare/v0.10.0...v0.10.1</a></p>
<h2>v0.10.0</h2>
<h2>What's Changed</h2>
<ul>
<li>chore: sync langsmith_api by <a
href="https://github.com/langtions-bot"><code>@​langtions-bot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3152">langchain-ai/langsmith-sdk#3152</a></li>
<li>release(js): bump JS SDK to 0.7.16 by <a
href="https://github.com/sineha-mani"><code>@​sineha-mani</code></a> in
<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3160">langchain-ai/langsmith-sdk#3160</a></li>
<li>feat: expose OTel-safe metadata helpers [closes LSDK-262] by <a
href="https://github.com/open-swe"><code>@​open-swe</code></a>[bot] in
<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3091">langchain-ai/langsmith-sdk#3091</a></li>
<li>feat(integrations): helpers to build LangSmith run URLs from OTel
spans [LSDK-273] by <a
href="https://github.com/harisaiharish"><code>@​harisaiharish</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3142">langchain-ai/langsmith-sdk#3142</a></li>
<li>fix(python): remove projects accessor from AsyncClient by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3163">langchain-ai/langsmith-sdk#3163</a></li>
<li>chore: sync langsmith_api by <a
href="https://github.com/langtions-bot"><code>@​langtions-bot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3162">langchain-ai/langsmith-sdk#3162</a></li>
<li>feat(js): Extends wrapAnthropic JS wrapper to support Claude Managed
Agents methods by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3155">langchain-ai/langsmith-sdk#3155</a></li>
<li>release(js): 0.7.17 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3166">langchain-ai/langsmith-sdk#3166</a></li>
<li>feat(client): expose threads and traces resource accessors on Python
and JS clients by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3164">langchain-ai/langsmith-sdk#3164</a></li>
<li>ci: freeze pnpm environment test installs by <a
href="https://github.com/jkennedyvz"><code>@​jkennedyvz</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3168">langchain-ai/langsmith-sdk#3168</a></li>
<li>Quote sandbox client URL path segments by <a
href="https://github.com/langsmith-fleet"><code>@​langsmith-fleet</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3167">langchain-ai/langsmith-sdk#3167</a></li>
<li>release(js): 0.8.0 by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3171">langchain-ai/langsmith-sdk#3171</a></li>
<li>release(py): 0.10.0 by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3170">langchain-ai/langsmith-sdk#3170</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/langsmith-fleet"><code>@​langsmith-fleet</code></a>[bot]
made their first contribution in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3167">langchain-ai/langsmith-sdk#3167</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.9.8...v0.10.0">https://github.com/langchain-ai/langsmith-sdk/compare/v0.9.8...v0.10.0</a></p>
<h2>v0.9.8</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/687fc8d527a28504432f52bd08c75f2894c209fe"><code>687fc8d</code></a>
release(python): bump py version to 0.10.2 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3189">#3189</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/08cbc910be1b91f4a2714a158b32fa3a56bf7040"><code>08cbc91</code></a>
feat(py): re-export OpenAPI client exceptions from langsmith package (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3188">#3188</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/d309be59b951dc3b3796753b25908c029bead7d8"><code>d309be5</code></a>
refactor(livekit + pipecat): Refactor for clarity (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3187">#3187</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/2e61f5418458fa559943da2ce274dfcd231cf074"><code>2e61f54</code></a>
feat: add SmithDB by-key path to add_runs_to_annotation_queue (runs=
param) [...</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/fab828a2b074aab98bc22d73c569ece2435e17ae"><code>fab828a</code></a>
refactor(voice): move span attribute setters onto TranslatedSpan (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3179">#3179</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/2f7709cdaaf6626a22daefa9fecef712abf3e39c"><code>2f7709c</code></a>
release(js): 0.8.1 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3185">#3185</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/6388e488ba28f8b18e18e34a3452f4a7e0c755aa"><code>6388e48</code></a>
release(py): 0.10.1 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3184">#3184</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/de74fb8f42bb632257de19f22d18a41c7d5a59b0"><code>de74fb8</code></a>
feat(js): expose openapi client error classes (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3181">#3181</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/6c0729a9bc00ab49a804b57731a423714b879a0e"><code>6c0729a</code></a>
Fix URL Path Injection via Unencoded Resource Names in Python Sandbox
Client ...</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/996073e478d6960b189d5a12d1f4f5adda9d7272"><code>996073e</code></a>
chore: bump _MIN_BACKEND_VERSION to 0.16.12rc1 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3178">#3178</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.9.5...v0.10.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langsmith&package-manager=uv&previous-version=0.9.5&new-version=0.10.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-13 17:58:05 -04:00
dependabot[bot] 0f27cf9dac chore: bump langsmith from 0.9.5 to 0.10.2 in /libs/partners/xai (#38832)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from
0.9.5 to 0.10.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's
releases</a>.</em></p>
<blockquote>
<h2>v0.10.2</h2>
<h2>What's Changed</h2>
<ul>
<li>release(js): 0.8.1 by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3185">langchain-ai/langsmith-sdk#3185</a></li>
<li>refactor(voice): move span attribute setters onto TranslatedSpan by
<a
href="https://github.com/carolinedivittorio"><code>@​carolinedivittorio</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3179">langchain-ai/langsmith-sdk#3179</a></li>
<li>feat: add SmithDB by-key path to add_runs_to_annotation_queue (runs=
param) [LSDK-287] by <a
href="https://github.com/ayoung19"><code>@​ayoung19</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3077">langchain-ai/langsmith-sdk#3077</a></li>
<li>refactor(livekit + pipecat): Refactor for clarity by <a
href="https://github.com/carolinedivittorio"><code>@​carolinedivittorio</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3187">langchain-ai/langsmith-sdk#3187</a></li>
<li>feat(py): re-export OpenAPI client exceptions from langsmith package
by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3188">langchain-ai/langsmith-sdk#3188</a></li>
<li>release(python): bump py version to 0.10.2 by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3189">langchain-ai/langsmith-sdk#3189</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/ayoung19"><code>@​ayoung19</code></a>
made their first contribution in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3077">langchain-ai/langsmith-sdk#3077</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.10.1...v0.10.2">https://github.com/langchain-ai/langsmith-sdk/compare/v0.10.1...v0.10.2</a></p>
<h2>v0.10.1</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: bound voice streaming audio buffers by <a
href="https://github.com/jkennedyvz"><code>@​jkennedyvz</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3169">langchain-ai/langsmith-sdk#3169</a></li>
<li>fix: escape insights report html repr by <a
href="https://github.com/corridor-security"><code>@​corridor-security</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3176">langchain-ai/langsmith-sdk#3176</a></li>
<li>chore: bump _MIN_BACKEND_VERSION to 0.16.12rc1 by <a
href="https://github.com/langtions-bot"><code>@​langtions-bot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3178">langchain-ai/langsmith-sdk#3178</a></li>
<li>Fix URL Path Injection via Unencoded Resource Names in Python
Sandbox Client (Sync) by <a
href="https://github.com/corridor-security"><code>@​corridor-security</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3177">langchain-ai/langsmith-sdk#3177</a></li>
<li>feat(js): expose openapi client error classes by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3181">langchain-ai/langsmith-sdk#3181</a></li>
<li>release(py): 0.10.1 by <a
href="https://github.com/KiewanVillatel"><code>@​KiewanVillatel</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3184">langchain-ai/langsmith-sdk#3184</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/corridor-security"><code>@​corridor-security</code></a>[bot]
made their first contribution in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3176">langchain-ai/langsmith-sdk#3176</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.10.0...v0.10.1">https://github.com/langchain-ai/langsmith-sdk/compare/v0.10.0...v0.10.1</a></p>
<h2>v0.10.0</h2>
<h2>What's Changed</h2>
<ul>
<li>chore: sync langsmith_api by <a
href="https://github.com/langtions-bot"><code>@​langtions-bot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3152">langchain-ai/langsmith-sdk#3152</a></li>
<li>release(js): bump JS SDK to 0.7.16 by <a
href="https://github.com/sineha-mani"><code>@​sineha-mani</code></a> in
<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3160">langchain-ai/langsmith-sdk#3160</a></li>
<li>feat: expose OTel-safe metadata helpers [closes LSDK-262] by <a
href="https://github.com/open-swe"><code>@​open-swe</code></a>[bot] in
<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3091">langchain-ai/langsmith-sdk#3091</a></li>
<li>feat(integrations): helpers to build LangSmith run URLs from OTel
spans [LSDK-273] by <a
href="https://github.com/harisaiharish"><code>@​harisaiharish</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3142">langchain-ai/langsmith-sdk#3142</a></li>
<li>fix(python): remove projects accessor from AsyncClient by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3163">langchain-ai/langsmith-sdk#3163</a></li>
<li>chore: sync langsmith_api by <a
href="https://github.com/langtions-bot"><code>@​langtions-bot</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3162">langchain-ai/langsmith-sdk#3162</a></li>
<li>feat(js): Extends wrapAnthropic JS wrapper to support Claude Managed
Agents methods by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3155">langchain-ai/langsmith-sdk#3155</a></li>
<li>release(js): 0.7.17 by <a
href="https://github.com/jacoblee93"><code>@​jacoblee93</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3166">langchain-ai/langsmith-sdk#3166</a></li>
<li>feat(client): expose threads and traces resource accessors on Python
and JS clients by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3164">langchain-ai/langsmith-sdk#3164</a></li>
<li>ci: freeze pnpm environment test installs by <a
href="https://github.com/jkennedyvz"><code>@​jkennedyvz</code></a> in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3168">langchain-ai/langsmith-sdk#3168</a></li>
<li>Quote sandbox client URL path segments by <a
href="https://github.com/langsmith-fleet"><code>@​langsmith-fleet</code></a>[bot]
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3167">langchain-ai/langsmith-sdk#3167</a></li>
<li>release(js): 0.8.0 by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3171">langchain-ai/langsmith-sdk#3171</a></li>
<li>release(py): 0.10.0 by <a
href="https://github.com/QuentinBrosse"><code>@​QuentinBrosse</code></a>
in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3170">langchain-ai/langsmith-sdk#3170</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/langsmith-fleet"><code>@​langsmith-fleet</code></a>[bot]
made their first contribution in <a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/3167">langchain-ai/langsmith-sdk#3167</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.9.8...v0.10.0">https://github.com/langchain-ai/langsmith-sdk/compare/v0.9.8...v0.10.0</a></p>
<h2>v0.9.8</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/687fc8d527a28504432f52bd08c75f2894c209fe"><code>687fc8d</code></a>
release(python): bump py version to 0.10.2 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3189">#3189</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/08cbc910be1b91f4a2714a158b32fa3a56bf7040"><code>08cbc91</code></a>
feat(py): re-export OpenAPI client exceptions from langsmith package (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3188">#3188</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/d309be59b951dc3b3796753b25908c029bead7d8"><code>d309be5</code></a>
refactor(livekit + pipecat): Refactor for clarity (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3187">#3187</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/2e61f5418458fa559943da2ce274dfcd231cf074"><code>2e61f54</code></a>
feat: add SmithDB by-key path to add_runs_to_annotation_queue (runs=
param) [...</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/fab828a2b074aab98bc22d73c569ece2435e17ae"><code>fab828a</code></a>
refactor(voice): move span attribute setters onto TranslatedSpan (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3179">#3179</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/2f7709cdaaf6626a22daefa9fecef712abf3e39c"><code>2f7709c</code></a>
release(js): 0.8.1 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3185">#3185</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/6388e488ba28f8b18e18e34a3452f4a7e0c755aa"><code>6388e48</code></a>
release(py): 0.10.1 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3184">#3184</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/de74fb8f42bb632257de19f22d18a41c7d5a59b0"><code>de74fb8</code></a>
feat(js): expose openapi client error classes (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3181">#3181</a>)</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/6c0729a9bc00ab49a804b57731a423714b879a0e"><code>6c0729a</code></a>
Fix URL Path Injection via Unencoded Resource Names in Python Sandbox
Client ...</li>
<li><a
href="https://github.com/langchain-ai/langsmith-sdk/commit/996073e478d6960b189d5a12d1f4f5adda9d7272"><code>996073e</code></a>
chore: bump _MIN_BACKEND_VERSION to 0.16.12rc1 (<a
href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/3178">#3178</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.9.5...v0.10.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=langsmith&package-manager=uv&previous-version=0.9.5&new-version=0.10.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-13 17:58:00 -04:00
dependabot[bot] 00c0f69dc0 chore: bump mistune from 3.2.1 to 3.3.0 in /libs/langchain (#38782)
Bumps [mistune](https://github.com/lepture/mistune) from 3.2.1 to 3.3.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lepture/mistune/releases">mistune's
releases</a>.</em></p>
<blockquote>
<h2>v3.3.0</h2>
<h3>   🐞 Bug Fixes</h3>
<ul>
<li>Resolve O(n^2) DoS in parse_link_text (CWE-400)  -  by
<strong>bhanugoudm041</strong> <a
href="https://github.com/lepture/mistune/commit/b6b499d"><!-- raw HTML
omitted -->(b6b49)<!-- raw HTML omitted --></a></li>
<li>Resolve O(n^2) DoS in parse_link_text (CWE-400)-Type
handling/testing done  -  by <strong>bhanugoudm041</strong> <a
href="https://github.com/lepture/mistune/commit/b3af85d"><!-- raw HTML
omitted -->(b3af8)<!-- raw HTML omitted --></a></li>
<li><strong>block</strong>: Avoid quadratic ref link scans  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/2b04d7b"><!-- raw HTML
omitted -->(2b04d)<!-- raw HTML omitted --></a></li>
<li><strong>cli</strong>: Add entrypoint and utf-8 output  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/2f2449d"><!-- raw HTML
omitted -->(2f244)<!-- raw HTML omitted --></a></li>
<li><strong>directives</strong>: Constrain include targets  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/1bef343"><!-- raw HTML
omitted -->(1bef3)<!-- raw HTML omitted --></a></li>
<li><strong>formatting</strong>: Avoid quadratic marker scans  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/96d0f57"><!-- raw HTML
omitted -->(96d0f)<!-- raw HTML omitted --></a></li>
<li><strong>image</strong>: Validate figure width option  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/e3e51de"><!-- raw HTML
omitted -->(e3e51)<!-- raw HTML omitted --></a></li>
<li><strong>inline</strong>: Avoid bracket parsing DoS  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/25f2503"><!-- raw HTML
omitted -->(25f25)<!-- raw HTML omitted --></a></li>
<li><strong>math</strong>: Reject currency patterns and cross-line
matches in inline math  -  by <a
href="https://github.com/geopanther"><code>@​geopanther</code></a> <a
href="https://github.com/lepture/mistune/commit/566e173"><!-- raw HTML
omitted -->(566e1)<!-- raw HTML omitted --></a></li>
<li><strong>math</strong>: Support display and backtick math  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/1141eec"><!-- raw HTML
omitted -->(1141e)<!-- raw HTML omitted --></a></li>
<li><strong>renderer</strong>: Render plugin list and table nodes  -  by
<a href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/614b019"><!-- raw HTML
omitted -->(614b0)<!-- raw HTML omitted --></a></li>
<li><strong>renderer</strong>: Block encoded unsafe URL schemes  -  by
<a href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/c7101fc"><!-- raw HTML
omitted -->(c7101)<!-- raw HTML omitted --></a></li>
<li><strong>toc</strong>: Avoid generated id collisions  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/c4093c4"><!-- raw HTML
omitted -->(c4093)<!-- raw HTML omitted --></a></li>
</ul>
<h3>   🏎 Performance</h3>
<ul>
<li>Improve performance  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/bf95c32"><!-- raw HTML
omitted -->(bf95c)<!-- raw HTML omitted --></a></li>
</ul>
<h5>    <a
href="https://github.com/lepture/mistune/compare/v3.2.1...v3.3.0">View
changes on GitHub</a></h5>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/lepture/mistune/blob/main/docs/changes.rst">mistune's
changelog</a>.</em></p>
<blockquote>
<h2>Version 3.3.0</h2>
<p><strong>Released on Jun 21, 2026</strong></p>
<ul>
<li>Improve CommonMark compatibility and parser performance.</li>
<li>Add command line entrypoint with UTF-8 output.</li>
<li>Support display and backtick math.</li>
<li>Render plugin list and table nodes in Markdown renderer.</li>
<li>Escape leading block markers in Markdown renderer.</li>
<li>Fix RST renderer for block quotes nested in lists.</li>
<li>Avoid generated heading ID collisions in TOC.</li>
<li>Harden URL, image, figure, and include directive handling.</li>
<li>Fix quadratic scans in inline links, reference links, and formatting
markers.</li>
<li>Fix math escaping, currency pattern matching, and cross-line
matching.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/lepture/mistune/commit/15c3b79325125272263d7d42492ec8f757447191"><code>15c3b79</code></a>
chore: release 3.3.0</li>
<li><a
href="https://github.com/lepture/mistune/commit/bdc01ade171c7c2cd1099e2531ddf8c275a2f64c"><code>bdc01ad</code></a>
tests: increase run time on pypy</li>
<li><a
href="https://github.com/lepture/mistune/commit/7cf181483e6201184bcecdbae13225d45ebab4c4"><code>7cf1814</code></a>
tests: increase run time for pypy</li>
<li><a
href="https://github.com/lepture/mistune/commit/6dfdc3dae490c7a21499ff1063f4dd9b7357d4c5"><code>6dfdc3d</code></a>
tests: add more tests</li>
<li><a
href="https://github.com/lepture/mistune/commit/17c50f6c0572027c1dad2c2501e7c97cea0b0b43"><code>17c50f6</code></a>
chore: fix mypy issues</li>
<li><a
href="https://github.com/lepture/mistune/commit/63abe4b8e9adccc711c953e6727400ee7ba1084c"><code>63abe4b</code></a>
chore: use ruff check and format</li>
<li><a
href="https://github.com/lepture/mistune/commit/e6c1b184461beab8887c7375621c64dffaf652c5"><code>e6c1b18</code></a>
chore: resolve mypy issues</li>
<li><a
href="https://github.com/lepture/mistune/commit/dcf89020c1ee697b2267387064b3e4580e0b83c5"><code>dcf8902</code></a>
test(math): cover escaped math output</li>
<li><a
href="https://github.com/lepture/mistune/commit/c4093c4742ed0d10d9332fb8edb455869b7b581b"><code>c4093c4</code></a>
fix(toc): avoid generated id collisions</li>
<li><a
href="https://github.com/lepture/mistune/commit/e3e51de9cf0a72dc30191248dccf22087c57f046"><code>e3e51de</code></a>
fix(image): validate figure width option</li>
<li>Additional commits viewable in <a
href="https://github.com/lepture/mistune/compare/v3.2.1...v3.3.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=mistune&package-manager=uv&previous-version=3.2.1&new-version=3.3.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-13 13:26:15 -04:00
dependabot[bot] b2dede4f3e chore: bump mistune from 3.2.1 to 3.3.0 in /libs/core (#38783)
Bumps [mistune](https://github.com/lepture/mistune) from 3.2.1 to 3.3.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lepture/mistune/releases">mistune's
releases</a>.</em></p>
<blockquote>
<h2>v3.3.0</h2>
<h3>   🐞 Bug Fixes</h3>
<ul>
<li>Resolve O(n^2) DoS in parse_link_text (CWE-400)  -  by
<strong>bhanugoudm041</strong> <a
href="https://github.com/lepture/mistune/commit/b6b499d"><!-- raw HTML
omitted -->(b6b49)<!-- raw HTML omitted --></a></li>
<li>Resolve O(n^2) DoS in parse_link_text (CWE-400)-Type
handling/testing done  -  by <strong>bhanugoudm041</strong> <a
href="https://github.com/lepture/mistune/commit/b3af85d"><!-- raw HTML
omitted -->(b3af8)<!-- raw HTML omitted --></a></li>
<li><strong>block</strong>: Avoid quadratic ref link scans  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/2b04d7b"><!-- raw HTML
omitted -->(2b04d)<!-- raw HTML omitted --></a></li>
<li><strong>cli</strong>: Add entrypoint and utf-8 output  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/2f2449d"><!-- raw HTML
omitted -->(2f244)<!-- raw HTML omitted --></a></li>
<li><strong>directives</strong>: Constrain include targets  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/1bef343"><!-- raw HTML
omitted -->(1bef3)<!-- raw HTML omitted --></a></li>
<li><strong>formatting</strong>: Avoid quadratic marker scans  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/96d0f57"><!-- raw HTML
omitted -->(96d0f)<!-- raw HTML omitted --></a></li>
<li><strong>image</strong>: Validate figure width option  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/e3e51de"><!-- raw HTML
omitted -->(e3e51)<!-- raw HTML omitted --></a></li>
<li><strong>inline</strong>: Avoid bracket parsing DoS  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/25f2503"><!-- raw HTML
omitted -->(25f25)<!-- raw HTML omitted --></a></li>
<li><strong>math</strong>: Reject currency patterns and cross-line
matches in inline math  -  by <a
href="https://github.com/geopanther"><code>@​geopanther</code></a> <a
href="https://github.com/lepture/mistune/commit/566e173"><!-- raw HTML
omitted -->(566e1)<!-- raw HTML omitted --></a></li>
<li><strong>math</strong>: Support display and backtick math  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/1141eec"><!-- raw HTML
omitted -->(1141e)<!-- raw HTML omitted --></a></li>
<li><strong>renderer</strong>: Render plugin list and table nodes  -  by
<a href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/614b019"><!-- raw HTML
omitted -->(614b0)<!-- raw HTML omitted --></a></li>
<li><strong>renderer</strong>: Block encoded unsafe URL schemes  -  by
<a href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/c7101fc"><!-- raw HTML
omitted -->(c7101)<!-- raw HTML omitted --></a></li>
<li><strong>toc</strong>: Avoid generated id collisions  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/c4093c4"><!-- raw HTML
omitted -->(c4093)<!-- raw HTML omitted --></a></li>
</ul>
<h3>   🏎 Performance</h3>
<ul>
<li>Improve performance  -  by <a
href="https://github.com/lepture"><code>@​lepture</code></a> <a
href="https://github.com/lepture/mistune/commit/bf95c32"><!-- raw HTML
omitted -->(bf95c)<!-- raw HTML omitted --></a></li>
</ul>
<h5>    <a
href="https://github.com/lepture/mistune/compare/v3.2.1...v3.3.0">View
changes on GitHub</a></h5>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/lepture/mistune/blob/main/docs/changes.rst">mistune's
changelog</a>.</em></p>
<blockquote>
<h2>Version 3.3.0</h2>
<p><strong>Released on Jun 21, 2026</strong></p>
<ul>
<li>Improve CommonMark compatibility and parser performance.</li>
<li>Add command line entrypoint with UTF-8 output.</li>
<li>Support display and backtick math.</li>
<li>Render plugin list and table nodes in Markdown renderer.</li>
<li>Escape leading block markers in Markdown renderer.</li>
<li>Fix RST renderer for block quotes nested in lists.</li>
<li>Avoid generated heading ID collisions in TOC.</li>
<li>Harden URL, image, figure, and include directive handling.</li>
<li>Fix quadratic scans in inline links, reference links, and formatting
markers.</li>
<li>Fix math escaping, currency pattern matching, and cross-line
matching.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/lepture/mistune/commit/15c3b79325125272263d7d42492ec8f757447191"><code>15c3b79</code></a>
chore: release 3.3.0</li>
<li><a
href="https://github.com/lepture/mistune/commit/bdc01ade171c7c2cd1099e2531ddf8c275a2f64c"><code>bdc01ad</code></a>
tests: increase run time on pypy</li>
<li><a
href="https://github.com/lepture/mistune/commit/7cf181483e6201184bcecdbae13225d45ebab4c4"><code>7cf1814</code></a>
tests: increase run time for pypy</li>
<li><a
href="https://github.com/lepture/mistune/commit/6dfdc3dae490c7a21499ff1063f4dd9b7357d4c5"><code>6dfdc3d</code></a>
tests: add more tests</li>
<li><a
href="https://github.com/lepture/mistune/commit/17c50f6c0572027c1dad2c2501e7c97cea0b0b43"><code>17c50f6</code></a>
chore: fix mypy issues</li>
<li><a
href="https://github.com/lepture/mistune/commit/63abe4b8e9adccc711c953e6727400ee7ba1084c"><code>63abe4b</code></a>
chore: use ruff check and format</li>
<li><a
href="https://github.com/lepture/mistune/commit/e6c1b184461beab8887c7375621c64dffaf652c5"><code>e6c1b18</code></a>
chore: resolve mypy issues</li>
<li><a
href="https://github.com/lepture/mistune/commit/dcf89020c1ee697b2267387064b3e4580e0b83c5"><code>dcf8902</code></a>
test(math): cover escaped math output</li>
<li><a
href="https://github.com/lepture/mistune/commit/c4093c4742ed0d10d9332fb8edb455869b7b581b"><code>c4093c4</code></a>
fix(toc): avoid generated id collisions</li>
<li><a
href="https://github.com/lepture/mistune/commit/e3e51de9cf0a72dc30191248dccf22087c57f046"><code>e3e51de</code></a>
fix(image): validate figure width option</li>
<li>Additional commits viewable in <a
href="https://github.com/lepture/mistune/compare/v3.2.1...v3.3.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=mistune&package-manager=uv&previous-version=3.2.1&new-version=3.3.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-13 13:26:06 -04:00
langchain-oss-model-profiles[bot] fb274a9ab4 chore(model-profiles): refresh model profile data (#38821)
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.

🤖 Generated by the [`refresh_model_profiles`
workflow](https://github.com/langchain-ai/langchain/blob/master/.github/workflows/refresh_model_profiles.yml).


## Summary of changes

**0 added · 0 removed · 5 changed** across 2 provider(s).

<details>
<summary>huggingface</summary>

**✏️ 1 changed**
- `stepfun-ai/Step-3.7-Flash`: added video input

</details>

<details>
<summary>openrouter</summary>

**✏️ 4 changed**
- `google/gemini-3-pro-image`: last updated `2026-06-18` → `2026-05-28`;
display name `Nano Banana Pro (Gemini 3 Pro Image)` → `Nano Banana Pro`;
release date `2026-06-18` → `2026-05-28`
- `google/gemini-3.1-flash-image`: last updated `2026-06-18` →
`2026-05-28`; display name `Nano Banana 2 (Gemini 3.1 Flash Image)` →
`Nano Banana 2`; release date `2026-06-18` → `2026-05-28`
- `z-ai/glm-4.6`: max input tokens 202,752 → 200,000; max output tokens
131,072 → 16,384
- `z-ai/glm-5.2`: max output tokens 128,000 → 131,072

</details>

Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
2026-07-13 09:28:19 -04:00
langchain-oss-model-profiles[bot] 233e02a822 chore(model-profiles): refresh model profile data (#38810)
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.

🤖 Generated by the [`refresh_model_profiles`
workflow](https://github.com/langchain-ai/langchain/blob/master/.github/workflows/refresh_model_profiles.yml).


## Summary of changes

**0 added · 1 removed · 1 changed** across 1 provider(s).

### openrouter

** 1 removed**
- `meta-llama/llama-3-8b-instruct`

**✏️ 1 changed**
- `z-ai/glm-5.2`: max output tokens 131,072 → 128,000

Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
2026-07-12 17:59:19 -04:00
langchain-oss-model-profiles[bot] a8fd0da2b7 chore(model-profiles): refresh model profile data (#38797)
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.

🤖 Generated by the [`refresh_model_profiles`
workflow](https://github.com/langchain-ai/langchain/blob/master/.github/workflows/refresh_model_profiles.yml).


## Summary of changes

**1 added · 1 removed · 2 changed** across 2 provider(s).

<details>
<summary>openai</summary>

** 1 added**
- `gpt-realtime-2.1` — 128,000 ctx, 32,000 out, text+image+audio+pdf in,
reasoning, tools

</details>

<details>
<summary>openrouter</summary>

** 1 removed**
- `arcee-ai/trinity-mini`

**✏️ 2 changed**
- `deepseek/deepseek-v4-flash`: max output tokens 65,536 → 384,000
- `z-ai/glm-5.2`: max output tokens 101,376 → 131,072

</details>

Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
2026-07-11 18:01:26 -04:00
ccurme 42f8f79293 release(langchain): 1.3.13 (#38787) langchain==1.3.13 2026-07-10 18:53:07 -04:00
ccurme 7327e84d6f feat(langchain): add meta extra and support langchain-meta in init_chat_model (#38786) 2026-07-10 18:46:45 -04:00
Mason Daugherty 1c6bfc8f60 release(openai): 1.3.5 (#38785)
Prepared with AI-agent assistance.
langchain-openai==1.3.5
2026-07-10 14:47:52 -04:00
Mason Daugherty 4717cfc83b feat(openai): support explicit prompt caching (#38762)
`ChatOpenAI` now supports OpenAI explicit prompt-cache options and
content-block breakpoints, and exposes cache-write token counts through
`input_token_details["cache_creation"]`.
[(Docs)](https://developers.openai.com/api/docs/guides/prompt-caching?prompt-cache-api=responses#prompt-cache-breakpoints)

---

OpenAI users can now configure explicit prompt caching through
`ChatOpenAI` without cache controls being dropped when messages are
converted for the Responses API.

The change preserves `prompt_cache_breakpoint` on text, image, and file
content blocks; forwards request-level cache options and legacy
retention settings; and reports `cache_write_tokens` as `cache_creation`
usage metadata, including priority and flex service-tier variants. It
also raises the minimum OpenAI SDK version to 2.45.0 so the integration
can rely on the SDK's current prompt-caching schemas instead of
compatibility normalization.

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-10 14:11:10 -04:00
langchain-oss-model-profiles[bot] 2f527debdd chore(model-profiles): refresh model profile data (#38774)
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.

🤖 Generated by the [`refresh_model_profiles`
workflow](https://github.com/langchain-ai/langchain/blob/master/.github/workflows/refresh_model_profiles.yml).


## Summary of changes

**11 added · 4 removed · 44 changed** across 2 provider(s).

<details>
<summary>openai</summary>

** 4 added**
- `gpt-5.6` — 1,050,000 ctx, 128,000 out, text+image+pdf in, reasoning,
tools
- `gpt-5.6-luna` — 1,050,000 ctx, 128,000 out, text+image+pdf in,
reasoning, tools
- `gpt-5.6-sol` — 1,050,000 ctx, 128,000 out, text+image+pdf in,
reasoning, tools
- `gpt-5.6-terra` — 1,050,000 ctx, 128,000 out, text+image+pdf in,
reasoning, tools

</details>

<details>
<summary>openrouter</summary>

** 7 added**
- `cognitivecomputations/dolphin-mistral-24b-venice-edition` — 128,000
ctx, 8,192 out
- `openai/gpt-5.6-luna` — 1,050,000 ctx, 128,000 out, text+image+pdf in,
reasoning, tools
- `openai/gpt-5.6-luna-pro` — 1,050,000 ctx, 128,000 out, text+image+pdf
in, reasoning, tools
- `openai/gpt-5.6-sol` — 1,050,000 ctx, 128,000 out, text+image+pdf in,
reasoning, tools
- `openai/gpt-5.6-sol-pro` — 1,050,000 ctx, 128,000 out, text+image+pdf
in, reasoning, tools
- `openai/gpt-5.6-terra` — 1,050,000 ctx, 128,000 out, text+image+pdf
in, reasoning, tools
- `openai/gpt-5.6-terra-pro` — 1,050,000 ctx, 128,000 out,
text+image+pdf in, reasoning, tools

** 4 removed**
- `google/gemini-2.5-flash-lite-preview-09-2025`
- `liquid/lfm-2-24b-a2b`
- `poolside/laguna-xs.2`
- `poolside/laguna-xs.2:free`

**✏️ 44 changed**
- `anthracite-org/magnum-v4-72b`: max input tokens 16,384 → 32,768
- `baidu/ernie-4.5-vl-424b-a47b`: max input tokens 123,000 → 131,072
- `deepseek/deepseek-chat`: max input tokens 128,000 → 131,072
- `deepseek/deepseek-r1`: max input tokens 64,000 → 163,840
- `deepseek/deepseek-r1-distill-llama-70b`: max input tokens 8,192 →
128,000
- `deepseek/deepseek-v3.2`: max input tokens 128,000 → 131,072
- `google/gemini-3.1-pro-preview-customtools`: max input tokens
1,048,576 → 1,048,756
- `google/gemma-4-26b-a4b-it:free`: max input tokens 131,072 → 262,144
- `meta-llama/llama-3.2-1b-instruct`: max input tokens 60,000 → 131,072
- `meta-llama/llama-3.3-70b-instruct:free`: max input tokens 65,536 →
131,072
- `meta-llama/llama-4-scout`: max input tokens 327,680 → 10,000,000
- `microsoft/wizardlm-2-8x22b`: max input tokens 65,535 → 65,536
- `minimax/minimax-m2.5`: max input tokens 196,608 → 204,800
- `minimax/minimax-m2.7`: max input tokens 196,608 → 204,800
- `minimax/minimax-m3`: max input tokens 524,288 → 1,048,576; max output
tokens 512,000 → 131,072
- `moonshotai/kimi-k2.5`: max input tokens 256,000 → 262,144
- `moonshotai/kimi-k2.7-code`: max output tokens 16,384 → 262,144
- `nvidia/nemotron-3-super-120b-a12b`: max input tokens 262,144 →
1,000,000
- `nvidia/nemotron-3-super-120b-a12b:free`: max input tokens 262,144 →
1,000,000
- `nvidia/nemotron-3-ultra-550b-a55b`: max input tokens 262,144 →
1,000,000
- `poolside/laguna-m.1`: last updated `2026-04-28` → `2026-06-13`
- `poolside/laguna-m.1:free`: last updated `2026-04-28` → `2026-06-13`
- `qwen/qwen-2.5-72b-instruct`: max input tokens 32,768 → 131,072
- `qwen/qwen-2.5-7b-instruct`: max input tokens 32,768 → 131,072
- `qwen/qwen-2.5-coder-32b-instruct`: max input tokens 32,768 → 128,000
- …and 19 more

</details>

Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
2026-07-10 10:24:05 -04:00
Radhakrishnan Pachyappan a07356f839 fix(anthropic): add advisor_ prefix to builtin tool recognition (#38686) 2026-07-09 22:18:52 -04:00
Mason Daugherty 8107ff4065 release(fireworks): 1.4.4 (#38753) langchain-fireworks==1.4.4 2026-07-09 13:45:31 -04:00
Mason Daugherty ea24fb1e13 fix(fireworks): report cached prompt token usage (#38751)
Closes #38648

`langchain-fireworks` now reports Fireworks cached prompt tokens in
`AIMessage.usage_metadata.input_token_details.cache_read` and no longer
crashes when combining nested token usage from batched `generate()`
calls.

---

Fireworks can return nested token usage details when prompt caching is
involved, including cached prompt token counts. Batched `generate()`
calls were crashing when those nested dictionaries were combined, and
regular chat results did not expose the cached-token breakdown in the
standard LangChain usage metadata shape.

This updates `ChatFireworks` so nested token usage is merged safely and
cached prompt tokens are reported as `input_token_details.cache_read`.
Users and downstream tracing systems can now distinguish cached
Fireworks input tokens from regular input tokens instead of treating the
full prompt as uncached input.

Thanks to @abcgco for the original report and recursive merge fix in
#38646, and to @abhi-0203 for independently identifying the same nested
`token_usage` failure in #38735. This PR builds on that work by using
the recursive merge approach and extending the fix to normalize cached
prompt tokens into standard usage metadata for tracing and cost
reporting.

Co-authored-by: Andrei Boldyrev <abcgco@gmail.com>
2026-07-09 13:39:38 -04:00
Mason Daugherty a4294f9a39 chore(deps): refresh lockfiles (#38746) 2026-07-09 12:43:43 -04:00
langchain-oss-model-profiles[bot] d73ba5b70b chore(model-profiles): refresh model profile data (#38739)
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.

🤖 Generated by the [`refresh_model_profiles`
workflow](https://github.com/langchain-ai/langchain/blob/master/.github/workflows/refresh_model_profiles.yml).


## Summary of changes

**3 added · 1 removed · 4 changed** across 2 provider(s).

<details>
<summary>openrouter</summary>

** 2 added**
- `x-ai/grok-4.5` — 500,000 ctx, 500,000 out, text+image+pdf in,
reasoning, tools
- `~x-ai/grok-latest` — 500,000 ctx, 1,000,000 out, text+image+pdf in,
reasoning, tools

** 1 removed**
- `switchpoint/router`

**✏️ 4 changed**
- `deepseek/deepseek-v4-flash`: max output tokens 16,384 → 65,536
- `tencent/hy3`: max input tokens 202,752 → 262,144
- `x-ai/grok-build-0.1`: added PDF input
- `z-ai/glm-5.2`: max output tokens 32,768 → 1,048,576

</details>

<details>
<summary>xai</summary>

** 1 added**
- `grok-4.5` — 500,000 ctx, 500,000 out, text+image+pdf in, reasoning,
tools

</details>

Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
2026-07-09 12:12:22 -04:00
ccurme bc1540084b release(openai): 1.3.4 (#38731) langchain-openai==1.3.4 2026-07-08 18:51:10 -04:00
ccurme 123d83282a release(langchain): 1.3.12 (#38730) langchain==1.3.12 2026-07-08 18:34:51 -04:00
Naomi fa0114511b fix(openai): suppress Pydantic serializer warning on structured output parsed field (#37727) 2026-07-08 18:28:39 -04:00
Mason Daugherty af3de98c4a docs(infra): clarify uv.lock step in release process guide (#38729)
## What

The release process guide in `AGENTS.md` and `CLAUDE.md` instructs the
reader to "keep only the package-version line if `uv lock` touches
unrelated entries." This is vague — it doesn't explain *why* unrelated
entries appear or *what* the offending lines look like.

## Why

When you bump a package's version in `pyproject.toml` and run `uv lock`
from the package directory, the lockfile diff can include unrelated
changes such as environment-dependent marker lines (e.g.
`typing-extensions` losing a `python_full_version < '3.11'` marker)
caused by a different local Python version resolving the environment.
These are artifacts of the machine running the lock, not intentional
dependency changes, and should not be committed.

## Change

Replaced the vague instruction with a precise one:

> `uv.lock` — run `uv lock` from the package directory. If the diff
includes unrelated changes (e.g. environment-dependent marker lines from
a different local Python version), revert them and keep only the
`version = "..."` line for the package being released

This came up during the langchain-core/langchain release on July 8,
where the original instruction was flagged as questionable and traced
back via git blame to commit 917f1a62 (PR #38683).
2026-07-08 16:16:37 -04:00
ccurme 1c3a4186cf release(core): 1.4.9 (#38728) langchain-core==1.4.9 2026-07-08 15:58:21 -04:00
Christophe Bornet 1619f3d3d0 chore(standard-tests): fix some typings detected by ty (#38707) 2026-07-08 15:32:47 -04:00
Anush a6f0369eca chore(qdrant): bump fastembed to latest (#38726)
This PR updates the optional `fastembed` dependency in
`langchain-qdrant` to the latest version (`0.8.0`).

This also removes the temporary Pillow override that was needed for
`fastembed@0.7.x`, since the new release no longer caps Pillow below the
patched version.
2026-07-08 14:24:06 -04:00
ccurme fca0a977a6 fix(langchain): propagate interrupts through ToolRetryMiddleware (#38722) 2026-07-08 11:16:42 -04:00
langchain-oss-model-profiles[bot] 874bada42f chore(model-profiles): refresh model profile data (#38712)
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.

🤖 Generated by the [`refresh_model_profiles`
workflow](https://github.com/langchain-ai/langchain/blob/master/.github/workflows/refresh_model_profiles.yml).


## Summary of changes

**2 added · 2 removed · 6 changed** across 1 provider(s).

### openrouter

** 2 added**
- `aion-labs/aion-3.0` — 131,072 ctx, 32,768 out, reasoning, tools
- `aion-labs/aion-3.0-mini` — 131,072 ctx, 32,768 out, reasoning, tools

** 2 removed**
- `aion-labs/aion-1.0`
- `aion-labs/aion-1.0-mini`

**✏️ 6 changed**
- `aion-labs/aion-2.0`: added tool calling
- `anthropic/claude-opus-4.8`: added temperature control
- `nex-agi/nex-n2-pro`: added tool calling
- `thedrummer/rocinante-12b`: max input tokens 32,768 → 65,536; max
output tokens 32,768 → 65,536; added structured output
- `z-ai/glm-5.2`: max output tokens 131,072 → 32,768
- `~anthropic/claude-opus-latest`: added temperature control

Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
2026-07-08 10:08:48 -04:00
langchain-oss-model-profiles[bot] 6e51a7e48b chore(model-profiles): refresh model profile data (#38699)
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.

🤖 Generated by the [`refresh_model_profiles`
workflow](https://github.com/langchain-ai/langchain/blob/master/.github/workflows/refresh_model_profiles.yml).


## Summary of changes

**4 added · 0 removed · 1 changed** across 2 provider(s).

<details>
<summary>huggingface</summary>

** 1 added**
- `openai/gpt-oss-20b` — 131,072 ctx, 32,768 out, reasoning, tools

</details>

<details>
<summary>openrouter</summary>

** 3 added**
- `nex-agi/nex-n2-mini` — 262,144 ctx, 262,144 out, text+image in,
reasoning, tools
- `tencent/hy3` — 202,752 ctx, 131,072 out, reasoning, tools
- `tencent/hy3:free` — 262,144 ctx, 262,144 out, reasoning, tools

**✏️ 1 changed**
- `meta-llama/llama-3.2-3b-instruct`: max input tokens 80,000 → 131,072;
max output tokens 80,000 → 131,072; added structured output

</details>

Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
2026-07-07 11:40:47 -04:00
Mohammad Mohtashim 2d8100c4fa fix(langchain-classic): fix Chain.save() regression from dict-to-model_dump migration (#35667)
Fixes #35665

---

Fixes a regression introduced in #33035 where `Chain.save()` stopped
working for chain types that support saving, including `LLMChain`.

`Chain.save()` now calls `self.model_dump()`, but the `_type` injection
still lived in the deprecated `dict()` override. As a result, serialized
chains no longer included `_type`, and `save()` always raised the "does
not support saving" error.

This moves the override to `model_dump()` so saved chain output includes
`_type` again. Pydantic v2's `dict()` method delegates to
`model_dump()`, so existing `dict()` callers continue to get the same
serialized shape.
2026-07-06 12:15:21 -04:00
Mason Daugherty b08c3913fb test(openai): skip Codex VCR tests before cassette setup (#38690)
Codex integration tests need to be skipped in CI whenever VCR is not in
playback mode, but the setup-time skip ran too late: `pytest-recording`
could already try to open a cassette and hit the missing on-disk OAuth
token first. Moving the skip to collection time marks the matching Codex
tests before cassette setup while keeping the existing VCR-token fake
for playback runs.

## Changes
- Add a `pytest_collection_modifyitems` hook that marks Codex chat-model
integration tests as skipped in CI unless VCR is replaying existing
cassettes.
- Scope collection-time matching to the local chat-model
integration-test directory so same-named modules collected elsewhere are
not skipped accidentally.
- Keep the OAuth-token fake path active for VCR playback by preserving
`_fake_codex_oauth_token` behavior when `record_mode` is `none`.
2026-07-06 11:29:03 -04:00
langchain-oss-model-profiles[bot] 83386b56e1 chore(model-profiles): refresh model profile data (#38689)
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.

🤖 Generated by the [`refresh_model_profiles`
workflow](https://github.com/langchain-ai/langchain/blob/master/.github/workflows/refresh_model_profiles.yml).


## Summary of changes

**0 added · 10 removed · 12 changed** across 2 provider(s).

<details>
<summary>anthropic</summary>

** 10 removed**
- `claude-3-5-sonnet-20240620`
- `claude-3-5-sonnet-20241022`
- `claude-3-7-sonnet-20250219`
- `claude-3-haiku-20240307`
- `claude-3-opus-20240229`
- `claude-3-sonnet-20240229`
- `claude-opus-4-0`
- `claude-opus-4-20250514`
- `claude-sonnet-4-0`
- `claude-sonnet-4-20250514`

**✏️ 10 changed**
- `claude-fable-5`: release date `2026-06-09` → `2026-06-07`
- `claude-opus-4-1`: status unset → `deprecated`
- `claude-opus-4-1-20250805`: status unset → `deprecated`
- `claude-opus-4-5-20251101`: release date `2025-11-01` → `2025-11-24`
- `claude-opus-4-6`: release date `2026-02-05` → `2026-02-04`
- `claude-opus-4-7`: release date `2026-04-16` → `2026-04-14`
- `claude-sonnet-4-5`: max input tokens 200,000 → 1,000,000
- `claude-sonnet-4-5-20250929`: max input tokens 200,000 → 1,000,000
- `claude-sonnet-4-6`: max output tokens 64,000 → 128,000
- `claude-sonnet-5`: release date `2026-06-30` → `2026-06-29`

</details>

<details>
<summary>openrouter</summary>

**✏️ 2 changed**
- `openai/gpt-oss-20b`: display name `gpt-oss-20b` → `GPT OSS 20B`
- `z-ai/glm-5.2`: max input tokens 1,024,000 → 1,048,576; max output
tokens 128,000 → 131,072

</details>

---------

Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-07-06 10:09:28 -04:00
Ülgen Sarıkavak 701cc0e6bb test(deps): Include Python 3.14 in integration test matrix (#34993)
Relates to #34441

Adds Python 3.14 to integration test matrix, hoping to contribute to the
official support of Python 3.14

---------

Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-07-06 01:58:33 -04:00
Yashodip More a586e9044c fix(langchain): avoid shared process-group kill in shell middleware (#36359)
Fixes #36358

---

**Summary**
This PR fixes a process termination safety bug in ShellToolMiddleware
where cleanup could kill the caller process group when
create_process_group is False.

**Why this change**
When the shell child is started without a dedicated process group, it
can share the parent group. The existing cleanup path used group kill
unconditionally, which could terminate unrelated processes including the
caller. This is a high-impact availability risk.

**What changed**

Updated shell session kill logic to use group kill only when the child
is in a different process group than the caller.
Added safe fallback to child-only kill when both share the same process
group.
Added regression tests for both scenarios:
Shared process group: no group kill, child-only kill.
Dedicated process group: existing group kill behavior is preserved.

**Validation**

Targeted new tests passed.
Full shell tool unit test file passed.

AI assistance disclosure
This contribution was prepared with assistance from an AI coding agent.
I reviewed, validated, and finalized the proposed changes and test
coverage before submission.

**Areas for careful review**

Process-group detection behavior on Linux and other POSIX environments.
Any implications for existing timeout and shutdown flows in shell
middleware.
Whether additional integration-level coverage is desirable for process
cleanup behavior.

---------

Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-07-05 23:51:57 -04:00
Balaji Seshadri fd822b07c0 fix(text-splitters): restore lazy imports for heavy optional dependencies (#35469)
## Summary

- Moves `nltk`, `spacy`, `sentence-transformers`, and `konlpy` imports
back inside class constructors/functions so they are only loaded when
the respective splitter is actually instantiated
- Adds a subprocess-based regression test to verify no heavy packages
are imported at `langchain_text_splitters` load time

## Why

PR #32325 moved these optional dependency imports to module-level
`try/except` blocks (to satisfy ruff's `PLC0415` rule). Since
`__init__.py` imports all four splitter modules, this caused `import
langchain_text_splitters` to eagerly load all optional heavy packages,
resulting in:

- A PyTorch NVML warning (`UserWarning: Can't initialize NVML`) on
non-GPU machines
- A ~650MB memory spike on import (74MB → 736MB), vs ~50MB in 0.3.x

The fix restores the lazy import pattern with `# noqa: PLC0415` to
suppress the linter rule, which is the correct trade-off when a
dependency has high instantiation cost.

## Review notes

- The `PLC0415` suppressions are intentional — these are optional heavy
dependencies that should never be loaded unless the user explicitly
instantiates the splitter class
- The regression test uses a subprocess for proper isolation (the test
file itself imports `langchain_text_splitters` at the top, so
`sys.modules` checks within the same process would not reflect a clean
import state)

Fixes #35437.

> **AI disclaimer:** This PR was developed with assistance from Claude
Code (Anthropic AI).

---------

Co-authored-by: AshwathB-debug <ashwathbalaji04@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Mason Daugherty <github@mdrxy.com>
2026-07-05 23:19:16 -04:00
Divy yadav 1840b73209 fix(core): improve langsmith loader error messages (#35648)
`LangSmithLoader.lazy_load()` now raises a `ValueError` with a
descriptive message when a configured `content_key` cannot be resolved
against an example's inputs — whether a key along the path is missing or
the path runs into a non-mapping value. Previously the missing-key case
raised a bare `KeyError` and the non-mapping case raised a `TypeError`,
depending on the payload. Callers that caught `KeyError` or `TypeError`
around `lazy_load()` to detect a misconfigured `content_key` should now
catch `ValueError`.

---

Improve `LangSmithLoader` error handling by surfacing clearer exceptions
for conflicting client configuration and invalid nested `content_key`
paths. Valid loader behavior is unchanged; this only improves
invalid-input diagnostics.

When a `content_key` cannot be resolved against an example's inputs,
`lazy_load()` now raises a `ValueError` whose message names the full
path, the offending key, and where traversal stopped — instead of a bare
`KeyError` (missing key) or an opaque `TypeError` (path running into a
non-mapping value, e.g. a leaf string).

---------

Co-authored-by: Divy Yadav <yadavdipu296@gmai.com>
Co-authored-by: Mason Daugherty <github@mdrxy.com>
Co-authored-by: Mason Daugherty <mason@langchain.dev>
2026-07-05 22:21:50 -04:00