Open
Conversation
Upgrade the LangChain/LangGraph ecosystem to address CVE-2026-27794 (langgraph-checkpoint deserialization RCE) and CVE-2026-26013 (langchain-core SSRF in token counting). Package upgrades: - langchain-core: 0.3.x -> 1.2.17 - langchain: 0.3.x -> 1.2.10 - langchain-openai: 0.3.x -> 1.1.9 - langchain-community: 0.3.x -> 0.4.1 - langgraph: 0.6.x -> 1.0.10 - langgraph-checkpoint: 3.x -> 4.0.1 - langfuse: 2.59.x -> 3.14.5 - pydantic-settings: 2.7.x -> 2.10.1 - openlit: <1.36.6 -> >=1.36.8 (ToolNode fix in PR #991) - openai: 1.100.x -> 1.109.x (patcher) Code changes: - common/llm.py: Update imports for langchain 1.x and langfuse 3.x - seed-gen/task.py: Use langchain_core.prompts instead of langchain.prompts - Move langfuse to common[full] optional dep (avoids protobuf conflict with fuzzer_runner's OSS-Fuzz protobuf==3.20.3 constraint) - Add uv override-dependencies for openlit's stale langchain<0.4.0 pin Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
hbrodin
requested review from
evandowning,
michaelbrownuc,
ret2libc and
reytchison
as code owners
- common/llm.py: Remove secret_key and host args from langfuse 3.x CallbackHandler (reads from env vars automatically via get_client) - seed-gen/task.py: Fix import sort order after langchain_core.prompts move Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Collaborator
Author
|
I tested with libpng and the correct patch seems to be generated. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
langchain<0.4.0pinlangchain.callbacks.base->langchain_core.callbacks,langchain.prompts->langchain_core.prompts)common[full]optional dep to avoid protobuf conflict with fuzzer_runner's OSS-Fuzzprotobuf==3.20.3constraintDependabot alert #88 (protobuf CVE in fuzzer_runner) is not addressed — it's pinned to 3.20.3 for OSS-Fuzz compatibility and the vulnerable JSON parsing feature is not used.
Test plan
create_react_agent— functional but should migrate tolangchain.agents.create_agentin a follow-up)🤖 Generated with Claude Code