Mend Renovate
38d127a354
chore(deps): update dependency langchain to v1.2.3 [security] ( #2248 )
...
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/ ) |
[Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
|
[langchain](https://redirect.github.com/langchain-ai/langchainjs/tree/main/libs/langchain/ )
([source](https://redirect.github.com/langchain-ai/langchainjs )) |
[`1.0.2` →
`1.2.3`](https://renovatebot.com/diffs/npm/langchain/1.0.2/1.2.3 ) |
|
|
### GitHub Vulnerability Alerts
####
[CVE-2025-68665](https://redirect.github.com/langchain-ai/langchainjs/security/advisories/GHSA-r399-636x-v7f6 )
## Context
A serialization injection vulnerability exists in LangChain JS's
`toJSON()` method (and subsequently when string-ifying objects using
`JSON.stringify()`. The method did not escape objects with `'lc'` keys
when serializing free-form data in kwargs. The `'lc'` key is used
internally by LangChain to mark serialized objects. When user-controlled
data contains this key structure, it is treated as a legitimate
LangChain object during deserialization rather than plain user data.
### Attack surface
The core vulnerability was in `Serializable.toJSON()`: this method
failed to escape user-controlled objects containing `'lc'` keys within
kwargs (e.g., `additional_kwargs`, `metadata`, `response_metadata`).
When this unescaped data was later deserialized via `load()`, the
injected structures were treated as legitimate LangChain objects rather
than plain user data.
This escaping bug enabled several attack vectors:
1. **Injection via user data**: Malicious LangChain object structures
could be injected through user-controlled fields like `metadata`,
`additional_kwargs`, or `response_metadata`
2. **Secret extraction**: Injected secret structures could extract
environment variables when `secretsFromEnv` was enabled (which had no
explicit default, effectively defaulting to `true` behavior)
3. **Class instantiation via import maps**: Injected constructor
structures could instantiate any class available in the provided import
maps with attacker-controlled parameters
**Note on import maps:** Classes must be explicitly included in import
maps to be instantiatable. The core import map includes standard types
(messages, prompts, documents), and users can extend this via
`importMap` and `optionalImportsMap` options. This architecture
naturally limits the attack surface—an `allowedObjects` parameter is not
necessary because users control which classes are available through the
import maps they provide.
**Security hardening:** This patch fixes the escaping bug in `toJSON()`
and introduces new restrictive defaults in `load()`: `secretsFromEnv`
now explicitly defaults to `false`, and a `maxDepth` parameter protects
against DoS via deeply nested structures. JSDoc security warnings have
been added to all import map options.
## Who is affected?
Applications are vulnerable if they:
1. **Serialize untrusted data via `JSON.stringify()` on Serializable
objects, then deserialize with `load()`** — Trusting your own
serialization output makes you vulnerable if user-controlled data (e.g.,
from LLM responses, metadata fields, or user inputs) contains `'lc'` key
structures.
2. **Deserialize untrusted data with `load()`** — Directly deserializing
untrusted data that may contain injected `'lc'` structures.
3. **Use LangGraph checkpoints** — Checkpoint
serialization/deserialization paths may be affected.
The most common attack vector is through **LLM response fields** like
`additional_kwargs` or `response_metadata`, which can be controlled via
prompt injection and then serialized/deserialized in streaming
operations.
## Impact
Attackers who control serialized data can extract environment variable
secrets by injecting `{"lc": 1, "type": "secret", "id": ["ENV_VAR"]}` to
load environment variables during deserialization (when `secretsFromEnv:
true`). They can also instantiate classes with controlled parameters by
injecting constructor structures to instantiate any class within the
provided import maps with attacker-controlled parameters, potentially
triggering side effects such as network calls or file operations.
Key severity factors:
- Affects the serialization path—applications trusting their own
serialization output are vulnerable
- Enables secret extraction when combined with `secretsFromEnv: true`
- LLM responses in `additional_kwargs` can be controlled via prompt
injection
## Exploit example
```typescript
import { load } from "@​langchain/core/load";
// Attacker injects secret structure into user-controlled data
const attackerPayload = JSON.stringify({
user_data: {
lc: 1,
type: "secret",
id: ["OPENAI_API_KEY"],
},
});
process.env.OPENAI_API_KEY = "sk-secret-key-12345";
// With secretsFromEnv: true, the secret is extracted
const deserialized = await load(attackerPayload, { secretsFromEnv: true });
console.log(deserialized.user_data); // "sk-secret-key-12345" - SECRET LEAKED!
```
## Security hardening changes
This patch introduces the following changes to `load()`:
1. **`secretsFromEnv` default changed to `false`**: Disables automatic
secret loading from environment variables. Secrets not found in
`secretsMap` now throw an error instead of being loaded from
`process.env`. This fail-safe behavior ensures missing secrets are
caught immediately rather than silently continuing with `null`.
2. **New `maxDepth` parameter** (defaults to `50`): Protects against
denial-of-service attacks via deeply nested JSON structures that could
cause stack overflow.
3. **Escape mechanism in `toJSON()`**: User-controlled objects
containing `'lc'` keys are now wrapped in `{"__lc_escaped__": {...}}`
during serialization and unwrapped as plain data during deserialization.
4. **JSDoc security warnings**: All import map options (`importMap`,
`optionalImportsMap`, `optionalImportEntrypoints`) now include security
warnings about never populating them from user input.
## Migration guide
### No changes needed for most users
If you're deserializing standard LangChain types (messages, documents,
prompts) using the core import map, your code will work without changes:
```typescript
import { load } from "@​langchain/core/load";
// Works with default settings
const obj = await load(serializedData);
```
### For secrets from environment
`secretsFromEnv` now defaults to `false`, and missing secrets throw an
error. If you need to load secrets:
```typescript
import { load } from "@​langchain/core/load";
// Provide secrets explicitly (recommended)
const obj = await load(serializedData, {
secretsMap: { OPENAI_API_KEY: process.env.OPENAI_API_KEY },
});
// Or explicitly opt-in to load from env (only use with trusted data)
const obj = await load(serializedData, { secretsFromEnv: true });
```
> **Warning:** Only enable `secretsFromEnv` if you trust the serialized
data. Untrusted data could extract any environment variable.
> **Note:** If a secret reference is encountered but not found in
`secretsMap` (and `secretsFromEnv` is `false` or the secret is not in
the environment), an error is thrown. This fail-safe behavior ensures
you're aware of missing secrets rather than silently receiving `null`
values.
### For deeply nested structures
If you have legitimate deeply nested data that exceeds the default depth
limit of 50:
```typescript
import { load } from "@​langchain/core/load";
const obj = await load(serializedData, { maxDepth: 100 });
```
### For custom import maps
If you provide custom import maps, ensure they only contain trusted
modules:
```typescript
import { load } from "@​langchain/core/load";
import * as myModule from "./my-trusted-module";
// GOOD - explicitly include only trusted modules
const obj = await load(serializedData, {
importMap: { my_module: myModule },
});
// BAD - never populate from user input
const obj = await load(serializedData, {
importMap: userProvidedImports, // DANGEROUS!
});
```
---
### Release Notes
<details>
<summary>langchain-ai/langchainjs (langchain)</summary>
###
[`v1.2.3`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/anthropic%401.2.3 )
##### Patch Changes
- Updated dependencies
\[[`0bade90`](0bade90ed46c40d00e92https://redirect.github.com/langchain/core )@​1.1.4
###
[`v1.2.2`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/anthropic%401.2.2 )
##### Patch Changes
-
[#​9520](https://redirect.github.com/langchain-ai/langchainjs/pull/9520 )
[`cc022b0`](cc022b0aabhttps://redirect.github.com/yukukotani )! -
Includes cache creation/read tokens in input\_tokens of usage metadata
- Updated dependencies
\[[`bd2c46e`](bd2c46e09e487378bf14138e7fb628https://redirect.github.com/langchain/core )@​1.1.3
###
[`v1.2.1`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/anthropic%401.2.1 )
[Compare
Source](https://redirect.github.com/langchain-ai/langchainjs/compare/langchain@1.2.0...langchain@1.2.1 )
##### Patch Changes
- Updated dependencies
\[[`833f578`](833f57834dhttps://redirect.github.com/langchain/core )@​1.1.2
###
[`v1.2.0`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/langchain%401.2.0 )
[Compare
Source](https://redirect.github.com/langchain-ai/langchainjs/compare/langchain@1.1.6...langchain@1.2.0 )
##### Minor Changes
-
[#​9651](https://redirect.github.com/langchain-ai/langchainjs/pull/9651 )
[`348c37c`](348c37c01ahttps://redirect.github.com/christian-bromann )!
- feat(langchain): allow to set strict tag manually in providerStrategy
[#​9578](https://redirect.github.com/langchain-ai/langchainjs/issues/9578 )
###
[`v1.1.6`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/langchain%401.1.6 )
[Compare
Source](https://redirect.github.com/langchain-ai/langchainjs/compare/langchain@1.1.5...langchain@1.1.6 )
##### Patch Changes
-
[#​9586](https://redirect.github.com/langchain-ai/langchainjs/pull/9586 )
[`bc8e90f`](bc8e90f4f7https://redirect.github.com/hntrl )! - patch
prompts created from runs fix
-
[#​9623](https://redirect.github.com/langchain-ai/langchainjs/pull/9623 )
[`ade8b8a`](ade8b8af0bhttps://redirect.github.com/christian-bromann )!
- fix(langchain): properly retrieve structured output from thinking
block
-
[#​9637](https://redirect.github.com/langchain-ai/langchainjs/pull/9637 )
[`88bb788`](88bb7882fahttps://redirect.github.com/christian-bromann )!
- fix(langchain): Prevent functions from being accidentally assignable
to AgentMiddleware
-
[#​8964](https://redirect.github.com/langchain-ai/langchainjs/pull/8964 )
[`38ff1b5`](38ff1b55d3https://redirect.github.com/jnjacobson )! -
add support for anyOf, allOf, oneOf in openapi conversion
-
[#​9640](https://redirect.github.com/langchain-ai/langchainjs/pull/9640 )
[`aa8c4f8`](aa8c4f867ahttps://redirect.github.com/christian-bromann )!
- fix(langchain): prevent summarization middleware from leaking
streaming events
-
[#​9648](https://redirect.github.com/langchain-ai/langchainjs/pull/9648 )
[`29a8480`](29a8480799https://redirect.github.com/christian-bromann )!
- fix(langchain): allow to set strict tag manually in providerStrategy
[#​9578](https://redirect.github.com/langchain-ai/langchainjs/issues/9578 )
-
[#​9630](https://redirect.github.com/langchain-ai/langchainjs/pull/9630 )
[`a2df2d4`](a2df2d422ehttps://redirect.github.com/nephix )! -
fix(summary-middleware): use summaryPrefix or fall back to default
prefix
- Updated dependencies
\[[`005c729`](005c72903bab782462758cc81c7ceef32e4991d0a28d83d49d2e5ad70d16e456c661aa1cfe603e97https://redirect.github.com/langchain/core )@​1.1.5
###
[`v1.1.5`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/langchain%401.1.5 )
[Compare
Source](https://redirect.github.com/langchain-ai/langchainjs/compare/langchain@1.1.4...langchain@1.1.5 )
##### Patch Changes
- Updated dependencies
\[[`0bade90`](0bade90ed46c40d00e92https://redirect.github.com/langchain/core )@​1.1.4
###
[`v1.1.4`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/core%401.1.4 )
[Compare
Source](https://redirect.github.com/langchain-ai/langchainjs/compare/langchain@1.1.3...langchain@1.1.4 )
##### Patch Changes
-
[#​9575](https://redirect.github.com/langchain-ai/langchainjs/pull/9575 )
[`0bade90`](0bade90ed4https://redirect.github.com/hntrl )! - bin p-retry
-
[#​9574](https://redirect.github.com/langchain-ai/langchainjs/pull/9574 )
[`6c40d00`](6c40d00e92https://redirect.github.com/hntrl )! - Revert
"fix([@​langchain/core](https://redirect.github.com/langchain/core )):
update and bundle dependencies
([#​9534](https://redirect.github.com/langchain-ai/langchainjs/issues/9534 ))"
###
[`v1.1.3`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/core%401.1.3 )
[Compare
Source](https://redirect.github.com/langchain-ai/langchainjs/compare/langchain@1.1.2...langchain@1.1.3 )
##### Patch Changes
-
[#​9534](https://redirect.github.com/langchain-ai/langchainjs/pull/9534 )
[`bd2c46e`](bd2c46e09ehttps://redirect.github.com/christian-bromann )!
-
fix([@​langchain/core](https://redirect.github.com/langchain/core )):
update and bundle `p-retry`, `ansi-styles`, `camelcase` and `decamelize`
dependencies
-
[#​9544](https://redirect.github.com/langchain-ai/langchainjs/pull/9544 )
[`487378b`](487378bf14https://redirect.github.com/hntrl )! - fix tool
chunk concat behavior
([#​9450](https://redirect.github.com/langchain-ai/langchainjs/issues/9450 ))
-
[#​9505](https://redirect.github.com/langchain-ai/langchainjs/pull/9505 )
[`138e7fb`](138e7fb628https://redirect.github.com/chosh-dev )! -
feat: replace btoa with toBase64Url for encoding in drawMermaidImage
###
[`v1.1.2`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/core%401.1.2 )
[Compare
Source](https://redirect.github.com/langchain-ai/langchainjs/compare/langchain@1.1.1...langchain@1.1.2 )
##### Patch Changes
-
[#​9511](https://redirect.github.com/langchain-ai/langchainjs/pull/9511 )
[`833f578`](833f57834dhttps://redirect.github.com/dqbd )! - allow parsing
more partial JSON
###
[`v1.1.1`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/core%401.1.1 )
##### Patch Changes
-
[#​9495](https://redirect.github.com/langchain-ai/langchainjs/pull/9495 )
[`636b994`](636b99459bhttps://redirect.github.com/gsriram24 )! -
fix: use dynamic import for p-retry to support CommonJS environments
-
[#​9531](https://redirect.github.com/langchain-ai/langchainjs/pull/9531 )
[`38f0162`](38f0162b7bhttps://redirect.github.com/hntrl )! - add
`extras` to tools
###
[`v1.1.0`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/anthropic%401.1.0 )
##### Minor Changes
-
[#​9424](https://redirect.github.com/langchain-ai/langchainjs/pull/9424 )
[`f17b2c9`](f17b2c9db0https://redirect.github.com/hntrl )! - add support
for `betas` param
-
[#​9424](https://redirect.github.com/langchain-ai/langchainjs/pull/9424 )
[`f17b2c9`](f17b2c9db0https://redirect.github.com/hntrl )! - add support
for native structured output
##### Patch Changes
-
[#​9424](https://redirect.github.com/langchain-ai/langchainjs/pull/9424 )
[`f17b2c9`](f17b2c9db0https://redirect.github.com/hntrl )! - bump sdk
version
###
[`v1.0.6`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/langchain%401.0.6 )
[Compare
Source](https://redirect.github.com/langchain-ai/langchainjs/compare/langchain@1.0.5...langchain@1.0.6 )
##### Patch Changes
-
[#​9434](https://redirect.github.com/langchain-ai/langchainjs/pull/9434 )
[`f7cfece`](f7cfecec29https://redirect.github.com/deepansh946 )! -
Updated error handling behaviour of AgentNode
###
[`v1.0.5`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/langchain%401.0.5 )
##### Patch Changes
-
[#​9403](https://redirect.github.com/langchain-ai/langchainjs/pull/9403 )
[`944bf56`](944bf56ff0https://redirect.github.com/christian-bromann )!
- improvements to toolEmulator middleware
-
[#​9388](https://redirect.github.com/langchain-ai/langchainjs/pull/9388 )
[`831168a`](831168a545https://redirect.github.com/hntrl )! - use
`profile.maxInputTokens` in summarization middleware
-
[#​9393](https://redirect.github.com/langchain-ai/langchainjs/pull/9393 )
[`f1e2f9e`](f1e2f9eeb3https://redirect.github.com/christian-bromann )!
- align context editing with summarization interface
-
[#​9427](https://redirect.github.com/langchain-ai/langchainjs/pull/9427 )
[`bad7aea`](bad7aea86dhttps://redirect.github.com/dqbd )! -
fix(langchain): add tool call contents and tool call ID to improve token
count approximation
-
[#​9396](https://redirect.github.com/langchain-ai/langchainjs/pull/9396 )
[`ed6b581`](ed6b581e52https://redirect.github.com/christian-bromann )!
- rename exit behavior from throw to error
###
[`v1.0.4`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/community%401.0.4 )
##### Patch Changes
-
[#​9326](https://redirect.github.com/langchain-ai/langchainjs/pull/9326 )
[`3e0cab6`](3e0cab61b3https://redirect.github.com/ayanyev )! - Milvus
vector store client: ignore auto-calculated fields in collection schema
during payload validation
- Updated dependencies
\[[`415cb0b`](415cb0bfd2a2ad61e78734c472d129https://redirect.github.com/langchain/openai )@​1.1.2
-
[@​langchain/classic](https://redirect.github.com/langchain/classic )@​1.0.4
###
[`v1.0.3`](https://redirect.github.com/langchain-ai/langchainjs/releases/tag/%40langchain/google-gauth%401.0.3 )
##### Patch Changes
- Updated dependencies \[]:
-
[@​langchain/google-common](https://redirect.github.com/langchain/google-common )@​1.0.3
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/ ).
View the [repository job
log](https://developer.mend.io/github/googleapis/genai-toolbox ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi42Ni4xNCIsInVwZGF0ZWRJblZlciI6IjQyLjY2LjE0IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com >
2025-12-30 12:01:21 -08:00
dependabot[bot]
0baffff3b5
chore(deps): bump @langchain/core and @langchain/google-genai in /docs/en/getting-started/quickstart/js/langchain ( #2232 )
...
Bumps [@langchain/core](https://github.com/langchain-ai/langchainjs ) to
1.1.8 and updates ancestor dependency
[@langchain/google-genai](https://github.com/langchain-ai/langchainjs ).
These dependencies need to be updated together.
Updates `@langchain/core` from 1.1.0 to 1.1.8
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/langchain-ai/langchainjs/releases "><code>@langchain/core</code>'s
releases</a>.</em></p>
<blockquote>
<h2><code>@langchain/core</code><a
href="https://github.com/1 "><code>@1</code></a>.1.8</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9707 ">#9707</a>
<a
href="e5063f9c6ehttps://github.com/hntrl "><code>@hntrl</code></a>! -
add security hardening for <code>load</code></p>
</li>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9684 ">#9684</a>
<a
href="89966470e8https://github.com/christian-bromann "><code>@christian-bromann</code></a>!
- fix(core): document purpose of name in base message</p>
</li>
</ul>
<h2><code>@langchain/core</code><a
href="https://github.com/1 "><code>@1</code></a>.1.6</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9668 ">#9668</a>
<a
href="a7b2a7db5ehttps://github.com/bracesproul "><code>@bracesproul</code></a>! -
fix: Cannot merge two undefined objects error</p>
</li>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9657 ">#9657</a>
<a
href="a496c5fc64https://github.com/dqbd "><code>@dqbd</code></a>! -
fix(core): avoid writing to TransformStream in
EventStreamCallbackHandler when underlying ReadableStream is closed</p>
</li>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9658 ">#9658</a>
<a
href="1da1325aeahttps://github.com/dqbd "><code>@dqbd</code></a>! -
fix(core): ensure streaming test chat models respect AbortSignal</p>
</li>
</ul>
<h2><code>@langchain/core</code><a
href="https://github.com/1 "><code>@1</code></a>.1.5</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9641 ">#9641</a>
<a
href="005c72903bhttps://github.com/christian-bromann "><code>@christian-bromann</code></a>!
- fix(community/core): various security fixes</p>
</li>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/7907 ">#7907</a>
<a
href="ab78246275https://github.com/jasonphillips "><code>@jasonphillips</code></a>!
- fix(core): handle subgraph nesting better in graph_mermaid</p>
</li>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9589 ">#9589</a>
<a
href="8cc81c7ceehttps://github.com/nathannewyen "><code>@nathannewyen</code></a>!
- test(core): add test for response_metadata in streamEvents</p>
</li>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9644 ">#9644</a>
<a
href="f32e4991d0https://github.com/hntrl "><code>@hntrl</code></a>! -
add bindTools to FakeListChatModel</p>
</li>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9508 ">#9508</a>
<a
href="a28d83d49dhttps://github.com/shubham-021 "><code>@shubham-021</code></a>! -
Fix toFormattedString() to properly display nested objects in tool call
arguments instead of [object Object]</p>
</li>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9165 ">#9165</a>
<a
href="2e5ad70d16https://github.com/pawel-twardziak "><code>@pawel-twardziak</code></a>!
- fix(mcp-adapters): preserve timeout from RunnableConfig in MCP tool
calls</p>
</li>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9647 ">#9647</a>
<a
href="e456c661aahttps://github.com/hntrl "><code>@hntrl</code></a>! -
handle missing parent runs in tracer to prevent LangSmith 400 errors</p>
</li>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9597 ">#9597</a>
<a
href="1cfe603e97https://github.com/hntrl "><code>@hntrl</code></a>! -
use uuid7 for run ids</p>
</li>
</ul>
<h2><code>@langchain/core</code><a
href="https://github.com/1 "><code>@1</code></a>.1.4</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9575 ">#9575</a>
<a
href="0bade90ed4https://github.com/hntrl "><code>@hntrl</code></a>! -
bin p-retry</p>
</li>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9574 ">#9574</a>
<a
href="6c40d00e92https://github.com/hntrl "><code>@hntrl</code></a>! -
Revert "fix(<code>@langchain/core</code>): update and bundle
dependencies (<a
href="https://redirect.github.com/langchain-ai/langchainjs/issues/9534 ">#9534</a>)"</p>
</li>
</ul>
<h2><code>@langchain/core</code><a
href="https://github.com/1 "><code>@1</code></a>.1.3</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9534 ">#9534</a>
<a
href="bd2c46e09ehttps://github.com/christian-bromann "><code>@christian-bromann</code></a>!
- fix(<code>@langchain/core</code>): update and bundle
<code>p-retry</code>, <code>ansi-styles</code>, <code>camelcase</code>
and <code>decamelize</code> dependencies</p>
</li>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9544 ">#9544</a>
<a
href="487378bf14https://github.com/hntrl "><code>@hntrl</code></a>! -
fix tool chunk concat behavior (<a
href="https://redirect.github.com/langchain-ai/langchainjs/issues/9450 ">#9450</a>)</p>
</li>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9505 ">#9505</a>
<a
href="138e7fb628https://github.com/chosh-dev "><code>@chosh-dev</code></a>! -
feat: replace btoa with toBase64Url for encoding in drawMermaidImage</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="de32b32b0bhttps://redirect.github.com/langchain-ai/langchainjs/issues/9697 ">#9697</a>)</li>
<li><a
href="e5063f9c6ehttps://redirect.github.com/langchain-ai/langchainjs/issues/9707 ">#9707</a>)</li>
<li><a
href="8b3e611a6chttps://redirect.github.com/langchain-ai/langchainjs/issues/9698 ">#9698</a>)</li>
<li><a
href="89966470e8https://redirect.github.com/langchain-ai/langchainjs/issues/9684 ">#9684</a>)</li>
<li><a
href="8df6264efehttps://redirect.github.com/langchain-ai/langchainjs/issues/9676 ">#9676</a>)</li>
<li><a
href="df9c42b3abhttps://redirect.github.com/langchain-ai/langchainjs/issues/9686 ">#9686</a>)</li>
<li><a
href="4ea3a52f86https://redirect.github.com/langchain-ai/langchainjs/issues/9696 ">#9696</a>)</li>
<li><a
href="ffb24026cdhttps://redirect.github.com/langchain-ai/langchainjs/issues/9673 ">#9673</a>)</li>
<li><a
href="8d2982bb942b36431babhttps://github.com/langchain-ai/langchainjs/compare/@langchain/aws@1.1.0...@langchain/core@1.1.8 ">compare
view</a></li>
</ul>
</details>
<br />
Updates `@langchain/google-genai` from 2.0.0 to 2.1.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/langchain-ai/langchainjs/releases "><code>@langchain/google-genai</code>'s
releases</a>.</em></p>
<blockquote>
<h2><code>@langchain/google-genai</code><a
href="https://github.com/2 "><code>@2</code></a>.1.3</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="e5063f9c6e89966470e8https://github.com/1 "><code>@1</code></a>.1.8</li>
</ul>
</li>
</ul>
<h2><code>@langchain/google-genai</code><a
href="https://github.com/2 "><code>@2</code></a>.1.1</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="a7b2a7db5ea496c5fc641da1325aeahttps://github.com/1 "><code>@1</code></a>.1.6</li>
</ul>
</li>
</ul>
<h2><code>@langchain/google-genai</code><a
href="https://github.com/2 "><code>@2</code></a>.1.0</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/8327 ">#8327</a>
<a
href="89a79097achttps://github.com/caspherola "><code>@caspherola</code></a>! -
support of adding custom headers on ChatGoogleGenerativeAI <a
href="https://redirect.github.com/langchain-ai/langchainjs/issues/6648 ">#6648</a></p>
</li>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9584 ">#9584</a>
<a
href="f4ef9a1dc9https://github.com/encodedz "><code>@encodedz</code></a>! - safe
access around custom content parts</p>
</li>
<li>
<p><a
href="https://redirect.github.com/langchain-ai/langchainjs/pull/9583 ">#9583</a>
<a
href="5b27f38581https://github.com/maslo55555 "><code>@maslo55555</code></a>! -
fix(google-genai): support custom agent names in createAgent</p>
</li>
<li>
<p>Updated dependencies [<a
href="005c72903bab782462758cc81c7ceef32e4991d0a28d83d49d2e5ad70d16e456c661aa1cfe603e97https://github.com/1 "><code>@1</code></a>.1.5</li>
</ul>
</li>
</ul>
<h2><code>@langchain/google-genai</code><a
href="https://github.com/2 "><code>@2</code></a>.0.4</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="0bade90ed46c40d00e92https://github.com/1 "><code>@1</code></a>.1.4</li>
</ul>
</li>
</ul>
<h2><code>@langchain/google-genai</code><a
href="https://github.com/2 "><code>@2</code></a>.0.3</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="bd2c46e09e487378bf14138e7fb628https://github.com/1 "><code>@1</code></a>.1.3</li>
</ul>
</li>
</ul>
<h2><code>@langchain/google-genai</code><a
href="https://github.com/2 "><code>@2</code></a>.0.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="833f57834dhttps://github.com/1 "><code>@1</code></a>.1.2</li>
</ul>
</li>
</ul>
<h2><code>@langchain/google-genai</code><a
href="https://github.com/2 "><code>@2</code></a>.0.1</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="636b99459b38f0162b7bhttps://github.com/1 "><code>@1</code></a>.1.1</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/langchain-ai/langchainjs/commits/@langchain/google-genai@2.1.3 ">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/googleapis/genai-toolbox/network/alerts ).
</details>
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-30 10:22:00 -08:00
dependabot[bot]
271f39d4b9
chore(deps): bump jws from 4.0.0 to 4.0.1 in /docs/en/getting-started/quickstart/js/langchain ( #2118 )
...
Bumps [jws](https://github.com/brianloveswords/node-jws ) from 4.0.0 to
4.0.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/brianloveswords/node-jws/releases ">jws's
releases</a>.</em></p>
<blockquote>
<h2>v4.0.1</h2>
<h3>Changed</h3>
<ul>
<li>Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now
require
that a non empty secret is provided (via opts.secret, opts.privateKey or
opts.key)
when using HMAC algorithms.</li>
<li>Upgrading JWA version to 2.0.1, addressing a compatibility issue for
Node >= 25.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/auth0/node-jws/blob/master/CHANGELOG.md ">jws's
changelog</a>.</em></p>
<blockquote>
<h2>[4.0.1]</h2>
<h3>Changed</h3>
<ul>
<li>Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now
require
that a non empty secret is provided (via opts.secret, opts.privateKey or
opts.key)
when using HMAC algorithms.</li>
<li>Upgrading JWA version to 2.0.1, adressing a compatibility issue for
Node >= 25.</li>
</ul>
<h2>[3.2.3]</h2>
<h3>Changed</h3>
<ul>
<li>Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now
require
that a non empty secret is provided (via opts.secret, opts.privateKey or
opts.key)
when using HMAC algorithms.</li>
<li>Upgrading JWA version to 1.4.2, adressing a compatibility issue for
Node >= 25.</li>
</ul>
<h2>[3.0.0]</h2>
<h3>Changed</h3>
<ul>
<li><strong>BREAKING</strong>: <code>jwt.verify</code> now requires an
<code>algorithm</code> parameter, and
<code>jws.createVerify</code> requires an <code>algorithm</code> option.
The <code>"alg"</code> field
signature headers is ignored. This mitigates a critical security flaw
in the library which would allow an attacker to generate signatures with
arbitrary contents that would be accepted by <code>jwt.verify</code>.
See
<a
href="https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ ">https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ </a>
for details.</li>
</ul>
<h2><a
href="https://github.com/brianloveswords/node-jws/compare/v1.0.1...v2.0.0 ">2.0.0</a>
- 2015-01-30</h2>
<h3>Changed</h3>
<ul>
<li>
<p><strong>BREAKING</strong>: Default payload encoding changed from
<code>binary</code> to
<code>utf8</code>. <code>utf8</code> is a is a more sensible default
than <code>binary</code> because
many payloads, as far as I can tell, will contain user-facing
strings that could be in any language. (<!-- raw HTML omitted
-->[6b6de48]<!-- raw HTML omitted -->)</p>
</li>
<li>
<p>Code reorganization, thanks [<a
href="https://github.com/fearphage "><code>@fearphage</code></a>]! (<!--
raw HTML omitted --><a
href="https://github.com/brianloveswords/node-jws/commit/7880050 ">7880050</a><!--
raw HTML omitted -->)</p>
</li>
</ul>
<h3>Added</h3>
<ul>
<li>Option in all relevant methods for <code>encoding</code>. For those
few users
that might be depending on a <code>binary</code> encoding of the
messages, this
is for them. (<!-- raw HTML omitted -->[6b6de48]<!-- raw HTML omitted
-->)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="34c45b2c0449bc39b1f5d42350ccab5cb007cf82f9a2e1c8c6b9fb8d30e9https://redirect.github.com/brianloveswords/node-jws/issues/102 ">#102</a>
from auth0/SRE-57-Upload-opslevel-yaml</li>
<li><a
href="95b75ee56c8857ee7762https://redirect.github.com/brianloveswords/node-jws/issues/96 ">#96</a>)</li>
<li>See full diff in <a
href="https://github.com/brianloveswords/node-jws/compare/v4.0.0...v4.0.1 ">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~julien.wollscheid ">julien.wollscheid</a>, a
new releaser for jws since your current version.</p>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores )
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/googleapis/genai-toolbox/network/alerts ).
</details>
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com >
2025-12-17 11:32:09 -08:00
Mend Renovate