From 38d127a35423ed51a352dad31a7158bff8f17aea Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Tue, 30 Dec 2025 20:01:21 +0000 Subject: [PATCH] chore(deps): update dependency langchain to v1.2.3 [security] (#2248) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [langchain](https://redirect.github.com/langchain-ai/langchainjs/tree/main/libs/langchain/) ([source](https://redirect.github.com/langchain-ai/langchainjs)) | [`1.0.2` → `1.2.3`](https://renovatebot.com/diffs/npm/langchain/1.0.2/1.2.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/langchain/1.2.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/langchain/1.0.2/1.2.3?slim=true) | ### GitHub Vulnerability Alerts #### [CVE-2025-68665](https://redirect.github.com/langchain-ai/langchainjs/security/advisories/GHSA-r399-636x-v7f6) ## Context A serialization injection vulnerability exists in LangChain JS's `toJSON()` method (and subsequently when string-ifying objects using `JSON.stringify()`. The method did not escape objects with `'lc'` keys when serializing free-form data in kwargs. The `'lc'` key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. ### Attack surface The core vulnerability was in `Serializable.toJSON()`: this method failed to escape user-controlled objects containing `'lc'` keys within kwargs (e.g., `additional_kwargs`, `metadata`, `response_metadata`). When this unescaped data was later deserialized via `load()`, the injected structures were treated as legitimate LangChain objects rather than plain user data. This escaping bug enabled several attack vectors: 1. **Injection via user data**: Malicious LangChain object structures could be injected through user-controlled fields like `metadata`, `additional_kwargs`, or `response_metadata` 2. **Secret extraction**: Injected secret structures could extract environment variables when `secretsFromEnv` was enabled (which had no explicit default, effectively defaulting to `true` behavior) 3. **Class instantiation via import maps**: Injected constructor structures could instantiate any class available in the provided import maps with attacker-controlled parameters **Note on import maps:** Classes must be explicitly included in import maps to be instantiatable. The core import map includes standard types (messages, prompts, documents), and users can extend this via `importMap` and `optionalImportsMap` options. This architecture naturally limits the attack surface—an `allowedObjects` parameter is not necessary because users control which classes are available through the import maps they provide. **Security hardening:** This patch fixes the escaping bug in `toJSON()` and introduces new restrictive defaults in `load()`: `secretsFromEnv` now explicitly defaults to `false`, and a `maxDepth` parameter protects against DoS via deeply nested structures. JSDoc security warnings have been added to all import map options. ## Who is affected? Applications are vulnerable if they: 1. **Serialize untrusted data via `JSON.stringify()` on Serializable objects, then deserialize with `load()`** — Trusting your own serialization output makes you vulnerable if user-controlled data (e.g., from LLM responses, metadata fields, or user inputs) contains `'lc'` key structures. 2. **Deserialize untrusted data with `load()`** — Directly deserializing untrusted data that may contain injected `'lc'` structures. 3. **Use LangGraph checkpoints** — Checkpoint serialization/deserialization paths may be affected. The most common attack vector is through **LLM response fields** like `additional_kwargs` or `response_metadata`, which can be controlled via prompt injection and then serialized/deserialized in streaming operations. ## Impact Attackers who control serialized data can extract environment variable secrets by injecting `{"lc": 1, "type": "secret", "id": ["ENV_VAR"]}` to load environment variables during deserialization (when `secretsFromEnv: true`). They can also instantiate classes with controlled parameters by injecting constructor structures to instantiate any class within the provided import maps with attacker-controlled parameters, potentially triggering side effects such as network calls or file operations. Key severity factors: - Affects the serialization path—applications trusting their own serialization output are vulnerable - Enables secret extraction when combined with `secretsFromEnv: true` - LLM responses in `additional_kwargs` can be controlled via prompt injection ## Exploit example ```typescript import { load } from "@​langchain/core/load"; // Attacker injects secret structure into user-controlled data const attackerPayload = JSON.stringify({ user_data: { lc: 1, type: "secret", id: ["OPENAI_API_KEY"], }, }); process.env.OPENAI_API_KEY = "sk-secret-key-12345"; // With secretsFromEnv: true, the secret is extracted const deserialized = await load(attackerPayload, { secretsFromEnv: true }); console.log(deserialized.user_data); // "sk-secret-key-12345" - SECRET LEAKED! ``` ## Security hardening changes This patch introduces the following changes to `load()`: 1. **`secretsFromEnv` default changed to `false`**: Disables automatic secret loading from environment variables. Secrets not found in `secretsMap` now throw an error instead of being loaded from `process.env`. This fail-safe behavior ensures missing secrets are caught immediately rather than silently continuing with `null`. 2. **New `maxDepth` parameter** (defaults to `50`): Protects against denial-of-service attacks via deeply nested JSON structures that could cause stack overflow. 3. **Escape mechanism in `toJSON()`**: User-controlled objects containing `'lc'` keys are now wrapped in `{"__lc_escaped__": {...}}` during serialization and unwrapped as plain data during deserialization. 4. **JSDoc security warnings**: All import map options (`importMap`, `optionalImportsMap`, `optionalImportEntrypoints`) now include security warnings about never populating them from user input. ## Migration guide ### No changes needed for most users If you're deserializing standard LangChain types (messages, documents, prompts) using the core import map, your code will work without changes: ```typescript import { load } from "@​langchain/core/load"; // Works with default settings const obj = await load(serializedData); ``` ### For secrets from environment `secretsFromEnv` now defaults to `false`, and missing secrets throw an error. If you need to load secrets: ```typescript import { load } from "@​langchain/core/load"; // Provide secrets explicitly (recommended) const obj = await load(serializedData, { secretsMap: { OPENAI_API_KEY: process.env.OPENAI_API_KEY }, }); // Or explicitly opt-in to load from env (only use with trusted data) const obj = await load(serializedData, { secretsFromEnv: true }); ``` > **Warning:** Only enable `secretsFromEnv` if you trust the serialized data. Untrusted data could extract any environment variable. > **Note:** If a secret reference is encountered but not found in `secretsMap` (and `secretsFromEnv` is `false` or the secret is not in the environment), an error is thrown. This fail-safe behavior ensures you're aware of missing secrets rather than silently receiving `null` values. ### For deeply nested structures If you have legitimate deeply nested data that exceeds the default depth limit of 50: ```typescript import { load } from "@​langchain/core/load"; const obj = await load(serializedData, { maxDepth: 100 }); ``` ### For custom import maps If you provide custom import maps, ensure they only contain trusted modules: ```typescript import { load } from "@​langchain/core/load"; import * as myModule from "./my-trusted-module"; // GOOD - explicitly include only trusted modules const obj = await load(serializedData, { importMap: { my_module: myModule }, }); // BAD - never populate from user input const obj = await load(serializedData, { importMap: userProvidedImports, // DANGEROUS! }); ``` --- ### Release Notes
langchain-ai/langchainjs (langchain) ### [`v1.2.3`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/anthropic%401.2.3) ##### Patch Changes - Updated dependencies \[[`0bade90`](https://redirect.github.com/langchain-ai/langchainjs/commit/0bade90ed47c7988ed86f1e695a28273c7b3df50), [`6c40d00`](https://redirect.github.com/langchain-ai/langchainjs/commit/6c40d00e926f377d249c2919549381522eac8ed1)]: - [@​langchain/core](https://redirect.github.com/langchain/core)@​1.1.4 ### [`v1.2.2`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/anthropic%401.2.2) ##### Patch Changes - [#​9520](https://redirect.github.com/langchain-ai/langchainjs/pull/9520) [`cc022b0`](https://redirect.github.com/langchain-ai/langchainjs/commit/cc022b0aab2c3959a5036b8d1b9d6ce0b547200e) Thanks [@​yukukotani](https://redirect.github.com/yukukotani)! - Includes cache creation/read tokens in input\_tokens of usage metadata - Updated dependencies \[[`bd2c46e`](https://redirect.github.com/langchain-ai/langchainjs/commit/bd2c46e09e661d9ac766c09e71bc6687d6fc811c), [`487378b`](https://redirect.github.com/langchain-ai/langchainjs/commit/487378bf14277659c8ca0ef06ea0f9836b818ff4), [`138e7fb`](https://redirect.github.com/langchain-ai/langchainjs/commit/138e7fb6280705457079863bedb238b16b322032)]: - [@​langchain/core](https://redirect.github.com/langchain/core)@​1.1.3 ### [`v1.2.1`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/anthropic%401.2.1) [Compare Source](https://redirect.github.com/langchain-ai/langchainjs/compare/langchain@1.2.0...langchain@1.2.1) ##### Patch Changes - Updated dependencies \[[`833f578`](https://redirect.github.com/langchain-ai/langchainjs/commit/833f57834dc3aa64e4cfdd7499f865b2ab41462a)]: - [@​langchain/core](https://redirect.github.com/langchain/core)@​1.1.2 ### [`v1.2.0`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/langchain%401.2.0) [Compare Source](https://redirect.github.com/langchain-ai/langchainjs/compare/langchain@1.1.6...langchain@1.2.0) ##### Minor Changes - [#​9651](https://redirect.github.com/langchain-ai/langchainjs/pull/9651) [`348c37c`](https://redirect.github.com/langchain-ai/langchainjs/commit/348c37c01a048c815fea1827c084878744e20742) Thanks [@​christian-bromann](https://redirect.github.com/christian-bromann)! - feat(langchain): allow to set strict tag manually in providerStrategy [#​9578](https://redirect.github.com/langchain-ai/langchainjs/issues/9578) ### [`v1.1.6`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/langchain%401.1.6) [Compare Source](https://redirect.github.com/langchain-ai/langchainjs/compare/langchain@1.1.5...langchain@1.1.6) ##### Patch Changes - [#​9586](https://redirect.github.com/langchain-ai/langchainjs/pull/9586) [`bc8e90f`](https://redirect.github.com/langchain-ai/langchainjs/commit/bc8e90f4f77d71f739c8faf3e6c22ab7e54ffc3c) Thanks [@​hntrl](https://redirect.github.com/hntrl)! - patch prompts created from runs fix - [#​9623](https://redirect.github.com/langchain-ai/langchainjs/pull/9623) [`ade8b8a`](https://redirect.github.com/langchain-ai/langchainjs/commit/ade8b8af0b32a9afd5c5a0bf6c4543d3cb7fd848) Thanks [@​christian-bromann](https://redirect.github.com/christian-bromann)! - fix(langchain): properly retrieve structured output from thinking block - [#​9637](https://redirect.github.com/langchain-ai/langchainjs/pull/9637) [`88bb788`](https://redirect.github.com/langchain-ai/langchainjs/commit/88bb7882fadf185bad927277810c682c2eee8d01) Thanks [@​christian-bromann](https://redirect.github.com/christian-bromann)! - fix(langchain): Prevent functions from being accidentally assignable to AgentMiddleware - [#​8964](https://redirect.github.com/langchain-ai/langchainjs/pull/8964) [`38ff1b5`](https://redirect.github.com/langchain-ai/langchainjs/commit/38ff1b55d353196b8af7f64f7b854b8f643e3de9) Thanks [@​jnjacobson](https://redirect.github.com/jnjacobson)! - add support for anyOf, allOf, oneOf in openapi conversion - [#​9640](https://redirect.github.com/langchain-ai/langchainjs/pull/9640) [`aa8c4f8`](https://redirect.github.com/langchain-ai/langchainjs/commit/aa8c4f867abe79b1c6de09a7b51a69163d0972aa) Thanks [@​christian-bromann](https://redirect.github.com/christian-bromann)! - fix(langchain): prevent summarization middleware from leaking streaming events - [#​9648](https://redirect.github.com/langchain-ai/langchainjs/pull/9648) [`29a8480`](https://redirect.github.com/langchain-ai/langchainjs/commit/29a8480799d4c3534892a29cef4a135c437deb9b) Thanks [@​christian-bromann](https://redirect.github.com/christian-bromann)! - fix(langchain): allow to set strict tag manually in providerStrategy [#​9578](https://redirect.github.com/langchain-ai/langchainjs/issues/9578) - [#​9630](https://redirect.github.com/langchain-ai/langchainjs/pull/9630) [`a2df2d4`](https://redirect.github.com/langchain-ai/langchainjs/commit/a2df2d422e040485da61120bbbda6ced543e578b) Thanks [@​nephix](https://redirect.github.com/nephix)! - fix(summary-middleware): use summaryPrefix or fall back to default prefix - Updated dependencies \[[`005c729`](https://redirect.github.com/langchain-ai/langchainjs/commit/005c72903bcdf090e0f4c58960c8c243481f9874), [`ab78246`](https://redirect.github.com/langchain-ai/langchainjs/commit/ab782462753e6c3ae5d55c0c251f795af32929d5), [`8cc81c7`](https://redirect.github.com/langchain-ai/langchainjs/commit/8cc81c7cee69530f7a6296c69123edbe227b2fce), [`f32e499`](https://redirect.github.com/langchain-ai/langchainjs/commit/f32e4991d0e707324e3f6af287a1ee87ab833b7e), [`a28d83d`](https://redirect.github.com/langchain-ai/langchainjs/commit/a28d83d49dd1fd31e67b52a44abc70f2cc2a2026), [`2e5ad70`](https://redirect.github.com/langchain-ai/langchainjs/commit/2e5ad70d16c1f13eaaea95336bbe2ec4a4a4954a), [`e456c66`](https://redirect.github.com/langchain-ai/langchainjs/commit/e456c661aa1ab8f1ed4a98c40616f5a13270e88e), [`1cfe603`](https://redirect.github.com/langchain-ai/langchainjs/commit/1cfe603e97d8711343ae5f1f5a75648e7bd2a16e)]: - [@​langchain/core](https://redirect.github.com/langchain/core)@​1.1.5 ### [`v1.1.5`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/langchain%401.1.5) [Compare Source](https://redirect.github.com/langchain-ai/langchainjs/compare/langchain@1.1.4...langchain@1.1.5) ##### Patch Changes - Updated dependencies \[[`0bade90`](https://redirect.github.com/langchain-ai/langchainjs/commit/0bade90ed47c7988ed86f1e695a28273c7b3df50), [`6c40d00`](https://redirect.github.com/langchain-ai/langchainjs/commit/6c40d00e926f377d249c2919549381522eac8ed1)]: - [@​langchain/core](https://redirect.github.com/langchain/core)@​1.1.4 ### [`v1.1.4`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/core%401.1.4) [Compare Source](https://redirect.github.com/langchain-ai/langchainjs/compare/langchain@1.1.3...langchain@1.1.4) ##### Patch Changes - [#​9575](https://redirect.github.com/langchain-ai/langchainjs/pull/9575) [`0bade90`](https://redirect.github.com/langchain-ai/langchainjs/commit/0bade90ed47c7988ed86f1e695a28273c7b3df50) Thanks [@​hntrl](https://redirect.github.com/hntrl)! - bin p-retry - [#​9574](https://redirect.github.com/langchain-ai/langchainjs/pull/9574) [`6c40d00`](https://redirect.github.com/langchain-ai/langchainjs/commit/6c40d00e926f377d249c2919549381522eac8ed1) Thanks [@​hntrl](https://redirect.github.com/hntrl)! - Revert "fix([@​langchain/core](https://redirect.github.com/langchain/core)): update and bundle dependencies ([#​9534](https://redirect.github.com/langchain-ai/langchainjs/issues/9534))" ### [`v1.1.3`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/core%401.1.3) [Compare Source](https://redirect.github.com/langchain-ai/langchainjs/compare/langchain@1.1.2...langchain@1.1.3) ##### Patch Changes - [#​9534](https://redirect.github.com/langchain-ai/langchainjs/pull/9534) [`bd2c46e`](https://redirect.github.com/langchain-ai/langchainjs/commit/bd2c46e09e661d9ac766c09e71bc6687d6fc811c) Thanks [@​christian-bromann](https://redirect.github.com/christian-bromann)! - fix([@​langchain/core](https://redirect.github.com/langchain/core)): update and bundle `p-retry`, `ansi-styles`, `camelcase` and `decamelize` dependencies - [#​9544](https://redirect.github.com/langchain-ai/langchainjs/pull/9544) [`487378b`](https://redirect.github.com/langchain-ai/langchainjs/commit/487378bf14277659c8ca0ef06ea0f9836b818ff4) Thanks [@​hntrl](https://redirect.github.com/hntrl)! - fix tool chunk concat behavior ([#​9450](https://redirect.github.com/langchain-ai/langchainjs/issues/9450)) - [#​9505](https://redirect.github.com/langchain-ai/langchainjs/pull/9505) [`138e7fb`](https://redirect.github.com/langchain-ai/langchainjs/commit/138e7fb6280705457079863bedb238b16b322032) Thanks [@​chosh-dev](https://redirect.github.com/chosh-dev)! - feat: replace btoa with toBase64Url for encoding in drawMermaidImage ### [`v1.1.2`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/core%401.1.2) [Compare Source](https://redirect.github.com/langchain-ai/langchainjs/compare/langchain@1.1.1...langchain@1.1.2) ##### Patch Changes - [#​9511](https://redirect.github.com/langchain-ai/langchainjs/pull/9511) [`833f578`](https://redirect.github.com/langchain-ai/langchainjs/commit/833f57834dc3aa64e4cfdd7499f865b2ab41462a) Thanks [@​dqbd](https://redirect.github.com/dqbd)! - allow parsing more partial JSON ### [`v1.1.1`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/core%401.1.1) ##### Patch Changes - [#​9495](https://redirect.github.com/langchain-ai/langchainjs/pull/9495) [`636b994`](https://redirect.github.com/langchain-ai/langchainjs/commit/636b99459bf843362298866211c63a7a15c2a319) Thanks [@​gsriram24](https://redirect.github.com/gsriram24)! - fix: use dynamic import for p-retry to support CommonJS environments - [#​9531](https://redirect.github.com/langchain-ai/langchainjs/pull/9531) [`38f0162`](https://redirect.github.com/langchain-ai/langchainjs/commit/38f0162b7b2db2be2c3a75ae468728adcb49fdfb) Thanks [@​hntrl](https://redirect.github.com/hntrl)! - add `extras` to tools ### [`v1.1.0`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/anthropic%401.1.0) ##### Minor Changes - [#​9424](https://redirect.github.com/langchain-ai/langchainjs/pull/9424) [`f17b2c9`](https://redirect.github.com/langchain-ai/langchainjs/commit/f17b2c9db047fab2d1db2d9aa791ec220cc9dd0a) Thanks [@​hntrl](https://redirect.github.com/hntrl)! - add support for `betas` param - [#​9424](https://redirect.github.com/langchain-ai/langchainjs/pull/9424) [`f17b2c9`](https://redirect.github.com/langchain-ai/langchainjs/commit/f17b2c9db047fab2d1db2d9aa791ec220cc9dd0a) Thanks [@​hntrl](https://redirect.github.com/hntrl)! - add support for native structured output ##### Patch Changes - [#​9424](https://redirect.github.com/langchain-ai/langchainjs/pull/9424) [`f17b2c9`](https://redirect.github.com/langchain-ai/langchainjs/commit/f17b2c9db047fab2d1db2d9aa791ec220cc9dd0a) Thanks [@​hntrl](https://redirect.github.com/hntrl)! - bump sdk version ### [`v1.0.6`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/langchain%401.0.6) [Compare Source](https://redirect.github.com/langchain-ai/langchainjs/compare/langchain@1.0.5...langchain@1.0.6) ##### Patch Changes - [#​9434](https://redirect.github.com/langchain-ai/langchainjs/pull/9434) [`f7cfece`](https://redirect.github.com/langchain-ai/langchainjs/commit/f7cfecec29bf0f121e1a8b0baface5327d731122) Thanks [@​deepansh946](https://redirect.github.com/deepansh946)! - Updated error handling behaviour of AgentNode ### [`v1.0.5`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/langchain%401.0.5) ##### Patch Changes - [#​9403](https://redirect.github.com/langchain-ai/langchainjs/pull/9403) [`944bf56`](https://redirect.github.com/langchain-ai/langchainjs/commit/944bf56ff0926e102c56a3073bfde6b751c97794) Thanks [@​christian-bromann](https://redirect.github.com/christian-bromann)! - improvements to toolEmulator middleware - [#​9388](https://redirect.github.com/langchain-ai/langchainjs/pull/9388) [`831168a`](https://redirect.github.com/langchain-ai/langchainjs/commit/831168a5450bff706a319842626214281204346d) Thanks [@​hntrl](https://redirect.github.com/hntrl)! - use `profile.maxInputTokens` in summarization middleware - [#​9393](https://redirect.github.com/langchain-ai/langchainjs/pull/9393) [`f1e2f9e`](https://redirect.github.com/langchain-ai/langchainjs/commit/f1e2f9eeb365bae78c8b5991ed41bfed58f25da6) Thanks [@​christian-bromann](https://redirect.github.com/christian-bromann)! - align context editing with summarization interface - [#​9427](https://redirect.github.com/langchain-ai/langchainjs/pull/9427) [`bad7aea`](https://redirect.github.com/langchain-ai/langchainjs/commit/bad7aea86d3f60616952104c34a33de9561867c7) Thanks [@​dqbd](https://redirect.github.com/dqbd)! - fix(langchain): add tool call contents and tool call ID to improve token count approximation - [#​9396](https://redirect.github.com/langchain-ai/langchainjs/pull/9396) [`ed6b581`](https://redirect.github.com/langchain-ai/langchainjs/commit/ed6b581e525cdf5d3b29abb1e17ca6169554c1b5) Thanks [@​christian-bromann](https://redirect.github.com/christian-bromann)! - rename exit behavior from throw to error ### [`v1.0.4`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/community%401.0.4) ##### Patch Changes - [#​9326](https://redirect.github.com/langchain-ai/langchainjs/pull/9326) [`3e0cab6`](https://redirect.github.com/langchain-ai/langchainjs/commit/3e0cab61b32fae271936770b822cb9644f68b637) Thanks [@​ayanyev](https://redirect.github.com/ayanyev)! - Milvus vector store client: ignore auto-calculated fields in collection schema during payload validation - Updated dependencies \[[`415cb0b`](https://redirect.github.com/langchain-ai/langchainjs/commit/415cb0bfd26207583befdb02367bd12a46b33d51), [`a2ad61e`](https://redirect.github.com/langchain-ai/langchainjs/commit/a2ad61e787a06a55a615f63589a65ada05927792), [`34c472d`](https://redirect.github.com/langchain-ai/langchainjs/commit/34c472d129c9c3d58042fad6479fd15e0763feaf)]: - [@​langchain/openai](https://redirect.github.com/langchain/openai)@​1.1.2 - [@​langchain/classic](https://redirect.github.com/langchain/classic)@​1.0.4 ### [`v1.0.3`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/google-gauth%401.0.3) ##### Patch Changes - Updated dependencies \[]: - [@​langchain/google-common](https://redirect.github.com/langchain/google-common)@​1.0.3
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/googleapis/genai-toolbox). Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com> --- .../quickstart/js/langchain/package-lock.json | 53 ++++--------------- 1 file changed, 10 insertions(+), 43 deletions(-) diff --git a/docs/en/getting-started/quickstart/js/langchain/package-lock.json b/docs/en/getting-started/quickstart/js/langchain/package-lock.json index 47d4df6311..a52001ef13 100644 --- a/docs/en/getting-started/quickstart/js/langchain/package-lock.json +++ b/docs/en/getting-started/quickstart/js/langchain/package-lock.json @@ -66,40 +66,6 @@ "node": ">=20" } }, - "node_modules/@langchain/core/node_modules/langsmith": { - "version": "0.4.2", - "resolved": "https://registry.npmjs.org/langsmith/-/langsmith-0.4.2.tgz", - "integrity": "sha512-BvBeFgSmR9esl8x5wsiDlALiHKKPybw2wE2Hh6x1tgSZki46H9c9KI9/06LARbPhyyDu/TZU7exfg6fnhdj1Qg==", - "license": "MIT", - "dependencies": { - "@types/uuid": "^10.0.0", - "chalk": "^4.1.2", - "console-table-printer": "^2.12.1", - "p-queue": "^6.6.2", - "semver": "^7.6.3", - "uuid": "^10.0.0" - }, - "peerDependencies": { - "@opentelemetry/api": "*", - "@opentelemetry/exporter-trace-otlp-proto": "*", - "@opentelemetry/sdk-trace-base": "*", - "openai": "*" - }, - "peerDependenciesMeta": { - "@opentelemetry/api": { - "optional": true - }, - "@opentelemetry/exporter-trace-otlp-proto": { - "optional": true - }, - "@opentelemetry/sdk-trace-base": { - "optional": true - }, - "openai": { - "optional": true - } - } - }, "node_modules/@langchain/google-genai": { "version": "2.1.3", "resolved": "https://registry.npmjs.org/@langchain/google-genai/-/google-genai-2.1.3.tgz", @@ -888,13 +854,14 @@ } }, "node_modules/langchain": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/langchain/-/langchain-1.0.2.tgz", - "integrity": "sha512-He/xvjVl8DHESvdaW6Dpyba72OaLCAfS2CyOm1aWrlJ4C38dKXyTIxphtld8hiii6MWX7qMSmu2EaUwWBx2STg==", + "version": "1.2.3", + "resolved": "https://registry.npmjs.org/langchain/-/langchain-1.2.3.tgz", + "integrity": "sha512-3k986xJuqg4az53JxV5LnGlOzIXF1d9Kq6Y9s7XjitvzhpsbFuTDV5/kiF4cx3pkNGyw0mUXC4tLz9RxucO0hw==", + "license": "MIT", "dependencies": { "@langchain/langgraph": "^1.0.0", "@langchain/langgraph-checkpoint": "^1.0.0", - "langsmith": "~0.3.74", + "langsmith": ">=0.4.0 <1.0.0", "uuid": "^10.0.0", "zod": "^3.25.76 || ^4" }, @@ -902,19 +869,19 @@ "node": ">=20" }, "peerDependencies": { - "@langchain/core": "^1.0.0" + "@langchain/core": "1.1.8" } }, "node_modules/langsmith": { - "version": "0.3.77", - "resolved": "https://registry.npmjs.org/langsmith/-/langsmith-0.3.77.tgz", - "integrity": "sha512-wbS/9IX/hOAsOEOtPj8kCS8H0tFHaelwQ97gTONRtIfoPPLd9MMUmhk0KQB5DdsGAI5abg966+f0dZ/B+YRRzg==", + "version": "0.4.3", + "resolved": "https://registry.npmjs.org/langsmith/-/langsmith-0.4.3.tgz", + "integrity": "sha512-vuBAagBZulXj0rpZhUTxmHhrYIBk53z8e2Q8ty4OHVkahN4ul7Im3OZxD9jsXZB0EuncK1xRYtY8J3BW4vj1zw==", + "license": "MIT", "dependencies": { "@types/uuid": "^10.0.0", "chalk": "^4.1.2", "console-table-printer": "^2.12.1", "p-queue": "^6.6.2", - "p-retry": "4", "semver": "^7.6.3", "uuid": "^10.0.0" },