refactor deprecated langchain imports and restrict file uploader #70

Open
bonilokesh wants to merge 1 commit into alejandro-ao:main from bonilokesh:langchain-update

@bonilokesh bonilokesh commented Nov 29, 2025

Updated imports to use langchain-openai and langchain-community compatible with v0.1.0+. Added type=['pdf'] restriction to Streamlit uploader to prevent non-PDF errors.

Summary by CodeRabbit

  • New Features

    • Added file type validation to accept only PDF uploads.
  • Bug Fixes

    • Added validation requiring a PDF file before processing can begin.
  • Chores

    • Updated core dependencies to latest versions for improved performance and stability.

coderabbitai bot commented Nov 29, 2025

Walkthrough

This PR updates project dependencies to newer versions (langchain, streamlit, openai, and others) and refactors imports to use langchain_openai and langchain_community packages. Additionally, the app now validates that uploaded files are PDFs and includes a guard clause to prevent processing without a PDF.

Changes

Cohort / File(s) | Summary
Dependency Version Updates (requirements.txt) | Major version bumps: langchain (0.0.184 → 1.1.0), streamlit (1.18.1 → 1.40.1), openai (0.27.6 → 1.54.3), faiss-cpu (1.7.4 → 1.9.0), altair (4 → 5.4.1), tiktoken (0.4.0 → 0.8.0). Minor updates: python-dotenv (1.0.0 → 1.0.1). New additions: langchain-openai 1.1.0, langchain-community 0.4.1.
Import Migration & Input Validation (app.py) | Switched imports from old langchain packages to langchain_openai and langchain_community. Added PDF type constraint to file uploader. Implemented guard clause requiring PDF uploads before processing; wrapped processing logic in conditional else block with warning message for missing PDFs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

  • Dependency compatibility verification: Langchain major version bump (0.0.184 → 1.1.0) and openai version jump (0.27.6 → 1.54.3) warrant checking for breaking API changes in core functionality (ChatOpenAI, ConversationalRetrievalChain, memory setup)
  • Import correctness: Verify langchain_openai and langchain_community modules are properly integrated and compatible with existing code patterns
  • Guard clause logic: Confirm the conditional flow and warning message display work as intended

Poem

🐰 Hops of joy! Dependencies so new and spry,
Langchain and OpenAI upgraded to the sky!
PDFs now validated with guard clauses tight,
Old imports fade as new ones come to light. ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The pull request title accurately and concisely summarizes the two main changes: refactoring deprecated langchain imports and restricting the file uploader to PDFs.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
app.py (1)

5-5: Remove extra space before comma.

The import statement has an unnecessary space before the comma.

Apply this diff to fix the spacing:

-from langchain_openai import OpenAIEmbeddings , ChatOpenAI
+from langchain_openai import OpenAIEmbeddings, ChatOpenAI
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between dc0155b and 8d2fbee.

📒 Files selected for processing (2)
  • app.py (4 hunks)
  • requirements.txt (1 hunks)
🔇 Additional comments (3)
app.py (3)

40-42: LGTM!

The comment clearly documents the migration to langchain_openai, making the change more maintainable.


88-88: LGTM!

The type=['pdf'] restriction prevents users from uploading non-PDF files, improving the user experience and preventing downstream errors.


90-105: LGTM!

The validation guard properly prevents processing when no files are uploaded, and the processing logic is correctly structured within the else block.

Comment on lines +90 to +91
if not pdf_docs:
st.warning("Please upload a pdf file first.")

⚠️ Potential issue | 🟡 Minor

Update warning message to reflect multiple file support.

The warning message says "a pdf file" but the uploader accepts multiple files (accept_multiple_files=True). The message should be more accurate.

Apply this diff to improve the message:

             if not pdf_docs:
-                st.warning("Please upload a pdf file first.")
+                st.warning("Please upload at least one PDF file first.")
🤖 Prompt for AI Agents
In app.py around lines 90-91, the warning text "Please upload a pdf file first."
is inaccurate because the uploader accepts multiple files; update the message to
reflect plural/multiple-file support (for example: "Please upload at least one
PDF file." or "Please upload one or more PDF files.") so users understand they
can upload multiple PDFs.
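
An added example, not part of the PR or the review: Streamlit's `type` argument is a list of allowed file extensions, so a check on the bytes themselves is what confirms an upload is shaped like a PDF before it is parsed. `check_pdf_upload`, `filter_uploads`, the size cap and the sample inputs are assumptions made for illustration.

```python
from typing import NamedTuple

MAX_UPLOAD_BYTES = 20 * 1024 * 1024  # assumed cap, not a value from the PR


class Verdict(NamedTuple):
    ok: bool
    reason: str


def check_pdf_upload(name: str, data: bytes, max_bytes: int = MAX_UPLOAD_BYTES) -> Verdict:
    """Cheap structural checks to run before bytes reach a PDF parser."""
    if not name.lower().endswith(".pdf"):
        return Verdict(False, "extension is not .pdf")
    if not data:
        return Verdict(False, "empty file")
    if len(data) > max_bytes:
        return Verdict(False, "file exceeds size limit")
    # Strict choice: the header must sit at offset 0, even though some
    # readers tolerate leading bytes before it.
    if not data.startswith(b"%PDF-"):
        return Verdict(False, "missing %PDF- header")
    # A complete PDF ends with an %%EOF marker; look in the last 1 KiB.
    if b"%%EOF" not in data[-1024:]:
        return Verdict(False, "missing %%EOF marker")
    return Verdict(True, "ok")


def filter_uploads(files, max_bytes: int = MAX_UPLOAD_BYTES):
    """Split (name, bytes) pairs into accepted names and (name, reason) rejects.

    In the Streamlit app each pair would be (f.name, f.getvalue()).
    """
    accepted, rejected = [], []
    for name, data in files:
        verdict = check_pdf_upload(name, data, max_bytes)
        if verdict.ok:
            accepted.append(name)
        else:
            rejected.append((name, verdict.reason))
    return accepted, rejected


# Constructed sample uploads (not real files).
MINI_PDF = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\ntrailer\n<< >>\n%%EOF\n"
SAMPLES = [
    ("paper.pdf", MINI_PDF),
    ("Report.PDF", b"<html><body>not a pdf</body></html>"),
    ("cut.pdf", b"%PDF-1.7\n1 0 obj\n<< >>\n"),
    ("big.pdf", b"%PDF-1.4\n" + b"0" * 4096 + b"\n%%EOF\n"),
]

if __name__ == "__main__":
    print(filter_uploads(SAMPLES, max_bytes=1024))
```

Passing these checks only shows the file is shaped like a PDF; the parser is still handling untrusted input.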

Comment on lines +1 to +10
langchain==1.1.0
PyPDF2==3.0.1
python-dotenv==1.0.0
streamlit==1.18.1
openai==0.27.6
faiss-cpu==1.7.4
altair==4
tiktoken==0.4.0
python-dotenv==1.0.1
streamlit==1.40.1
openai==1.54.3
faiss-cpu==1.9.0
altair==5.4.1
tiktoken==0.8.0
langchain-openai==1.1.0
langchain-community==0.4.1
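Review bot: PyPDF2==3.0.1 on the second line is the only pin this hunk leaves at its old version, although it is the PDF parsing dependency and handles the uploaded files directly. PyPDF2 development has moved to the pypdf package, so consider moving that pin as part of this upgrade. The new pins are exact (`==`) but carry no hashes; compiling the file with hashes and installing with pip's `--require-hashes` would also fix the transitive dependencies that these version jumps pull in.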

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash

packages=(
  "langchain==1.1.0"
  "python-dotenv==1.0.1"
  "streamlit==1.40.1"
  "openai==1.54.3"
  "faiss-cpu==1.9.0"
  "altair==5.4.1"
  "tiktoken==0.8.0"
  "langchain-openai==1.1.0"
  "langchain-community==0.4.1"
)

echo "=== Checking PyPI for specified versions ==="
for package in "${packages[@]}"; do
  pkg_name=$(echo "$package" | cut -d'=' -f1)
  pkg_version=$(echo "$package" | cut -d'=' -f3)
  
  # Query PyPI JSON API
  response=$(curl -s "https://pypi.org/pypi/$pkg_name/json")
  
  if echo "$response" | jq -e ".releases[\"$pkg_version\"]" > /dev/null 2>&1; then
    echo "$package exists on PyPI"
  else
    echo "$package NOT FOUND on PyPI"
    echo "  Available versions nearby:"
    echo "$response" | jq -r '.releases | keys[]' | grep -E "^${pkg_version%.*}\." | head -5
  fi
done

Repository: alejandro-ao/ask-multiple-pdfs

Length of output: 204


🏁 Script executed:

#!/bin/bash

# Search codebase for usage of critical packages (openai, langchain)
echo "=== Checking codebase for openai and langchain usage ==="

# Find Python files
echo "Files using openai:"
rg -l "from openai|import openai" --type py 2>/dev/null || echo "No files found"

echo ""
echo "Files using langchain:"
rg -l "from langchain|import langchain" --type py 2>/dev/null || echo "No files found"

Repository: alejandro-ao/ask-multiple-pdfs

Length of output: 204


🌐 Web query:

openai python package version 1.54.3 breaking changes release notes

💡 Result:

Short answer: There are no breaking changes in openai Python v1.54.3 — the release (2024-11-06) contains a single bug fix: redacting sensitive headers in logs. [1]

Source:

  • Changelog for v1.54.3 (release notes). [1]

🌐 Web query:

langchain version 1.1.0 breaking changes migration guide

💡 Result:

Short answer: There should be no breaking changes you must adapt to when moving from LangChain 1.0.x → 1.1.0 (minor releases are non‑breaking per LangChain’s release policy). See steps and checks below.

What to do when upgrading to 1.1.0

  • Confirm release notes / changelog for 1.1.0 and scan for any listed "breaking changes" specific to packages you use. [1][3]
  • Verify runtime requirements (Node/Python) — many v1+ docs note minimum Node 20 / Node 18 dropped for JS packages; ensure your environment meets those requirements. [1]
  • Check imports and package names: legacy functionality was moved to @langchain/classic and some legacy APIs were removed — update imports to core/new packages where applicable. [1]
  • Run your test suite and CI; fix any deprecations/errors. If you rely on community integrations, review @langchain/community notes (community packages can have independent breaking changes). [2]
  • If you hit an issue, consult the LangChain migration guide and changelog for the exact breaking item and suggested replacement. [1][3]

Key references

  • LangChain v1 migration / breaking-changes notes (JS/Python docs). [1]
  • LangChain release policy (minor releases are non‑breaking; community packages may differ). [2]
  • LangChain changelog / 1.0 announcement (for context about legacy moves and removed deprecated APIs). [3]

If you want, tell me:

  • which language (Python or JS/TS) and current exact version you’re upgrading from → I’ll produce a focused diff-style migration checklist for your codebase.

🌐 Web query:

PyPI langchain 1.1.0 release date package version

💡 Result:

langchain 1.1.0 on PyPI was published (uploaded) on November 24, 2025. [1]

Sources
[1] PyPI — langchain 1.1.0 (file metadata: upload date Nov 24, 2025).


🌐 Web query:

openai python package 0.27.6 to 1.x breaking changes migration

💡 Result:

Short summary of the breaking changes and how to migrate from openai Python 0.27.6-style code to openai>=1.0.x

Key changes

  • The old top-level resource classes (openai.Completion, openai.ChatCompletion, openai.Embedding, openai.File, openai.Image, openai.Model, etc.) were removed in v1+. Calls must go through an OpenAI client instance. [1][2]
  • API surface reorganized: e.g. chat completion calls moved from openai.ChatCompletion.create(...) to client.chat.completions.create(...). Embeddings, files, images, models follow the same pattern (client.embeddings.create(...), client.files.create(...), client.images.generate(...) or client.responses.create(...) depending on API used). [1][2]
  • OpenAI provides an automatic code migration helper: openai migrate (CLI) to update many code patterns. Alternatively pin to the old release (pip install openai==0.28) if you cannot migrate immediately. [1][2]

Minimal migration examples

  • Old (pre-1.0)
    import openai
    response = openai.ChatCompletion.create(model="gpt-4o", messages=[...])

  • New (v1+)
    from openai import OpenAI
    client = OpenAI()  # reads OPENAI_API_KEY from env by default
    response = client.chat.completions.create(model="gpt-4o", messages=[...])

  • Embeddings old -> new
    old: openai.Embedding.create(input=txt, model="text-embedding-ada-002")
    new: client = OpenAI(); client.embeddings.create(input=txt, model="text-embedding-ada-002")

  • Files (fine-tune) old -> new
    old: openai.File.create(file=open(...), purpose="fine-tune")
    new: client.files.create(file=open(...), purpose="fine-tune")

Practical steps

  1. Try the automatic migration: run openai migrate in your project root (back up first). [1][2]
  2. If you prefer manual migration, replace top-level openai.XYZ.create(...) with client.xyz.create(...) and create client = OpenAI(...) (or use the environment variable default). Update import from import openai to from openai import OpenAI where appropriate. [1][2]
  3. Run tests and update any response-field accesses — some response shapes changed; consult API docs or error messages. If needed, pin to v0.28 (pip install openai==0.28) until you finish migration. [1][2]

References

  • Migration / error guidance (examples and suggested migration command). [1]
  • openai-python repository discussions/issues describing removed top-level resources and client-based API (see linked migration discussion). [2]

If you want, I can: (a) run the official migration CLI on a code snippet you paste, (b) convert a specific file/class from your repo (paste code), or (c) produce a quick search-and-replace script to help automate the changes.


🌐 Web query:

streamlit 1.40.1 security vulnerabilities CVE

💡 Result:

Short answer: There are no known CVEs that specifically affect Streamlit version 1.40.1 itself. The main reported CVE for Streamlit core is CVE-2024-42474 (path traversal via the static-file-sharing feature) which affected versions < 1.37.0 and was fixed in 1.37.0 — therefore 1.40.1 is not vulnerable to that issue. [1][2]

Notes:

  • There are high‑severity RCE CVEs reported in related projects (e.g., streamlit‑geospatial: CVE-2024-41119 / CVE-2024-41113) — those affect that addon/project, not core Streamlit 1.40.1; check whether you use those packages. [3]

Sources:

  • NVD / CVE-2024-42474 (Streamlit path traversal; fixed in 1.37.0). [1]
  • OSV / CVE-2024-42474 summary. [2]
  • Advisory reporting RCEs in streamlit‑geospatial (CVE-2024-41119 / CVE-2024-41113). [3]

If you’d like, I can: (a) scan a requirements.txt/installed packages list for vulnerable versions, or (b) fetch the Streamlit 1.40.1 release notes and full GitHub security advisories. Which do you prefer?


🌐 Web query:

faiss-cpu 1.9.0 security advisories

💡 Result:

I found no public security advisories or CVEs specific to faiss-cpu 1.9.0. Security scanners (Snyk) list no direct vulnerabilities for 1.9.0.post1, and Safety DB shows no known security vulnerabilities for recent faiss-cpu releases. [1][2]

If you need, I can:

  • search the GitHub Security Advisories/GHSA feed and NVD for any overlooked entries, or
  • check a specific vulnerability database (NVD, GitHub Advisory, OSV) and report back with links and dates.

🌐 Web query:

langchain-community 0.4.1 breaking changes

💡 Result:

Summary: The libs/community v0.4.1 release (Oct 27, 2025) does not introduce broad API breaking changes, but it deprecates the Azure Blob Storage loaders — this is the only item in the release notes that can break existing code using those loaders. [1][2]

Sources:

  • Release notes for libs/community v0.4.1 (shows "Deprecated azure blob storage loaders"). [1]
  • LangChain release policy noting @langchain/community can have breaking changes in patch/minor releases because it contains community third‑party integrations. [2]

References:
[1] GitHub — langchain-ai/langchain-community Releases: libs/community/v0.4.1.
[2] LangChain release policy / docs (stability notes for @langchain/community).


Major version update for openai (0.27.6 → 1.54.3) requires code migration; verify breaking API changes are handled.

The jump from openai 0.27.6 to 1.54.3 introduces breaking changes that go beyond a simple version bump:

  • Removed: Top-level resource classes (openai.ChatCompletion, openai.Embedding, openai.File, openai.Image, etc.)
  • Required migration pattern: Replace openai.ChatCompletion.create(...) with client = OpenAI(); client.chat.completions.create(...) (same pattern for embeddings, files, images, etc.)
  • Tooling: OpenAI provides a migration CLI (openai migrate) to help automate code updates.

Additionally:

  • langchain 1.1.0 is a minor release (non-breaking per LangChain policy), though langchain-community 0.4.1 deprecates Azure Blob Storage loaders—verify your code doesn't depend on those.
  • streamlit 1.40.1 and faiss-cpu 1.9.0 have no known CVEs in these versions.
  • Action: Verify that all openai API calls have been refactored to use the client instance pattern before merging.
🤖 Prompt for AI Agents
In requirements.txt lines 1-10 the openai dependency was bumped from 0.27.6 to
1.54.3 which contains breaking API changes; update all code to use the new
client-instance pattern (e.g., instantiate OpenAI() and call
client.chat.completions.create, client.embeddings.create,
client.images.generate, etc.) instead of top-level calls like
openai.ChatCompletion.create or openai.Embedding.create, and run the OpenAI
migration CLI (openai migrate) to catch automated fixes; also scan code for any
usages of deprecated langchain-community Azure Blob loaders and replace or
remove them if present.
