Open
Conversation
It's often helpful to commit this file
Bumps the uv group with 4 updates in the / directory: [cryptography](https://github.com/pyca/cryptography), [langchain-core](https://github.com/langchain-ai/langchain), [pillow](https://github.com/python-pillow/Pillow) and [protobuf](https://github.com/protocolbuffers/protobuf). Updates `cryptography` from 46.0.3 to 46.0.5 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@46.0.3...46.0.5) Updates `langchain-core` from 1.2.7 to 1.2.11 - [Release notes](https://github.com/langchain-ai/langchain/releases) - [Commits](langchain-ai/langchain@langchain-core==1.2.7...langchain-core==1.2.11) Updates `pillow` from 12.1.0 to 12.1.1 - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](python-pillow/Pillow@12.1.0...12.1.1) Updates `protobuf` from 6.33.4 to 6.33.5 - [Release notes](https://github.com/protocolbuffers/protobuf/releases) - [Commits](https://github.com/protocolbuffers/protobuf/commits) --- updated-dependencies: - dependency-name: cryptography dependency-version: 46.0.5 dependency-type: indirect dependency-group: uv - dependency-name: langchain-core dependency-version: 1.2.11 dependency-type: indirect dependency-group: uv - dependency-name: pillow dependency-version: 12.1.1 dependency-type: indirect dependency-group: uv - dependency-name: protobuf dependency-version: 6.33.5 dependency-type: indirect dependency-group: uv ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the uv group with 4 updates in the / directory: [cryptography](https://github.com/pyca/cryptography), [langchain-core](https://github.com/langchain-ai/langchain), [pillow](https://github.com/python-pillow/Pillow) and [protobuf](https://github.com/protocolbuffers/protobuf). Updates `cryptography` from 46.0.3 to 46.0.5 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's changelog</a>.</em></p> <blockquote> <p>46.0.5 - 2026-02-10</p> <pre><code> * An attacker could create a malicious public key that reveals portions of your private key when using certain uncommon elliptic curves (binary curves). This version now includes additional security checks to prevent this attack. This issue only affects binary elliptic curves, which are rarely used in real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and Atuin Automated Vulnerability Discovery Engine** for reporting the issue. **CVE-2026-26007** * Support for ``SECT*`` binary elliptic curves is deprecated and will be removed in the next release. <p>.. v46-0-4:</p> <p>46.0.4 - 2026-01-27<br /> </code></pre></p> <ul> <li><code>Dropped support for win_arm64 wheels</code>_.</li> <li>Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.</li> </ul> <p>.. _v46-0-3:</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pyca/cryptography/commit/06e120e682cb200e3f7050c02f0bcdac90c4c6ad"><code>06e120e</code></a> bump version for 46.0.5 release (<a href="https://redirect.github.com/pyca/cryptography/issues/14289">#14289</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c"><code>0eebb9d</code></a> EC check key on cofactor > 1 (<a href="https://redirect.github.com/pyca/cryptography/issues/14287">#14287</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/bedf6e186b814f69a3f54f51252c23a71d44ed2e"><code>bedf6e1</code></a> fix openssl version on 46 branch (<a href="https://redirect.github.com/pyca/cryptography/issues/14220">#14220</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/e6f44fc8e6391f05d719fb9d369692325b87a471"><code>e6f44fc</code></a> bump for 46.0.4 and drop win arm64 due to CI issues (<a href="https://redirect.github.com/pyca/cryptography/issues/14217">#14217</a>)</li> <li>See full diff in <a href="https://github.com/pyca/cryptography/compare/46.0.3...46.0.5">compare view</a></li> </ul> </details> <br /> Updates `langchain-core` from 1.2.7 to 1.2.11 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.2.11</h2> <p>Changes since langchain-core==1.2.10</p> <p>release(core): 1.2.11 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35144">#35144</a>) fix(openai): sanitize urls when counting tokens in images (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35143">#35143</a>) chore(core): clean up docstring mismatch and redundant logic in langchain-core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35064">#35064</a>) fix(core): replace bare except with Exception in tracer (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35138">#35138</a>)</p> <h2>langchain-core==1.2.10</h2> <p>Changes since langchain-core==1.2.9</p> <p>release(core): 1.2.10 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35136">#35136</a>) chore(deps): bump the langchain-deps group across 3 directories with 40 updates (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35129">#35129</a>) chore(deps): bump the langchain-deps group across 3 directories with 11 updates (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35121">#35121</a>) feat(core): add ContextOverflowError, raise in anthropic and openai (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35099">#35099</a>) feat(model-profiles): add <code>text_inputs</code> and <code>text_outputs</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35084">#35084</a>) feat(core): count tokens from tool schemas in <code>count_tokens_approximately</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35098">#35098</a>) docs(core): add missing <code>name</code> docstring for <code>RunnableSerializable</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35088">#35088</a>)</p> <h2>langchain-core==1.2.9</h2> <p>Changes since langchain-core==1.2.8</p> <p>release(core): 1.2.9 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35025">#35025</a>) fix(core): adjust cap when scaling approximate token counts (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35017">#35017</a>) revert: precompile hex color regex pattern at module level (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35016">#35016</a>) chore: add <code>make type</code> target (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35015">#35015</a>) revert: "chore: add typing target in <code>Makefile</code>" (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35013">#35013</a>) chore: add typing target in <code>Makefile</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35012">#35012</a>) fix(core): apply cap when scaling approximate token counts (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35005">#35005</a>) feat(core): allow scaling by reported usage when counting tokens approximately (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34996">#34996</a>) test(core): increase <code>delta_time</code> for flaky test (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34982">#34982</a>) chore: enrich <code>pyproject.toml</code> files (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34980">#34980</a>)</p> <h2>langchain-core==1.2.8</h2> <p>Changes since langchain-core==1.2.7</p> <p>release(core): 1.2.8 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34975">#34975</a>) docs(core): add examples for <code>pretty_repr</code>, <code>pretty_print</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34968">#34968</a>) docs(core): use proper admonition for <code>get_buffer_string</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34967">#34967</a>) docs: add usage examples to core classes (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34841">#34841</a>) chore(core): fix docstring format (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34966">#34966</a>) chore(deps): bump the uv group across 20 directories with 3 updates (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34941">#34941</a>) docs: add example to create_message function docstring (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34851">#34851</a>) docs(core): clarify <a href="https://github.com/tool"><code>@tool</code></a> decorator argument and return type requirements (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34860">#34860</a>) fix(core): fix nested mustache variable extraction and update docs (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34872">#34872</a>) fix(core): allow base model annotations for empty model (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34932">#34932</a>) chore: upgrade urllib3 to 2.6.3 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34940">#34940</a>) fix(core): prevent crash in ParrotFakeChatModel when messages list is empty (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34943">#34943</a>) fix(core): google docstring parsing with no arguments/reserved arguments (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34861">#34861</a>) test(core): add tests for approximate token counting with multimodal messages (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34898">#34898</a>)</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/langchain-ai/langchain/commit/524e1dab5e7c8229bd78be3c13ab38ac93a6216b"><code>524e1da</code></a> release(core): 1.2.11 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35144">#35144</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565"><code>2b4b1dc</code></a> fix(openai): sanitize urls when counting tokens in images (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35143">#35143</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/0493b276e0be31d4f48d9d0ba5fcbce7fdded38f"><code>0493b27</code></a> fix(anthropic): support effort="max" and remove beta headers (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35141">#35141</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/a5f22e7cb18a05ed057028797a7d0d79cd509b0d"><code>a5f22e7</code></a> chore(core): clean up docstring mismatch and redundant logic in langchain-cor...</li> <li><a href="https://github.com/langchain-ai/langchain/commit/97ee14c179f703473a6ec6ee24179ea756a5698f"><code>97ee14c</code></a> fix(core): replace bare except with Exception in tracer (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35138">#35138</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/990e8076e1d61a0c8ced4d83607685bd71e23687"><code>990e807</code></a> release(standard-tests): release 1.1.5 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35139">#35139</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/74dffca3d89effdb62da567d1ff6d160c9ad5354"><code>74dffca</code></a> release(langchain): 1.2.10 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35137">#35137</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/f41e0493336698e9a3e25e6e238786dfc8af91ba"><code>f41e049</code></a> release(core): 1.2.10 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35136">#35136</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/de05838fca46eb6c2f67064da3a59f5e84818e9a"><code>de05838</code></a> chore(deps): bump the langchain-deps group across 3 directories with 40 updat...</li> <li><a href="https://github.com/langchain-ai/langchain/commit/d6e86aa748ae173857732ee1f7114a06ff8f4231"><code>d6e86aa</code></a> chore(deps): bump the other-deps group across 3 directories with 12 updates (...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.2.7...langchain-core==1.2.11">compare view</a></li> </ul> </details> <br /> Updates `pillow` from 12.1.0 to 12.1.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/python-pillow/Pillow/releases">pillow's releases</a>.</em></p> <blockquote> <h2>12.1.1</h2> <p><a href="https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html">https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html</a></p> <h2>Dependencies</h2> <ul> <li>Patch libavif for svt-av1 4.0 compatibility <a href="https://redirect.github.com/python-pillow/Pillow/issues/9413">#9413</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> </ul> <h2>Other changes</h2> <ul> <li>Fix OOB Write with invalid tile extents <a href="https://redirect.github.com/python-pillow/Pillow/issues/9427">#9427</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/python-pillow/Pillow/commit/5158d98c807e719c5938aa3886913ef0ea6814e9"><code>5158d98</code></a> 12.1.1 version bump</li> <li><a href="https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa"><code>9000313</code></a> Fix OOB Write with invalid tile extents (<a href="https://redirect.github.com/python-pillow/Pillow/issues/9427">#9427</a>)</li> <li><a href="https://github.com/python-pillow/Pillow/commit/cd0111849fb32c40860e3ee3d57b9b1cee4260cf"><code>cd01118</code></a> Patch libavif for svt-av1 4.0 compatibility</li> <li>See full diff in <a href="https://github.com/python-pillow/Pillow/compare/12.1.0...12.1.1">compare view</a></li> </ul> </details> <br /> Updates `protobuf` from 6.33.4 to 6.33.5 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/protocolbuffers/protobuf/releases">protobuf's releases</a>.</em></p> <blockquote> <h2>Protocol Buffers v34.0-rc1</h2> <h1>Announcements</h1> <ul> <li><strong>This version includes breaking changes to: C++, Objective-C, PHP, Python.</strong></li> <li>[Bazel] Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (<a href="https://github.com/protocolbuffers/protobuf/commit/0a5c2f6b633c1e5259f566cb42d30fe347b8aadb">https://github.com/protocolbuffers/protobuf/commit/0a5c2f6b633c1e5259f566cb42d30fe347b8aadb</a>)</li> <li>[C++] Make generator headers private (<a href="https://github.com/protocolbuffers/protobuf/commit/3a2af3510f0d454dbe3e4dc281674b61c4d20b9e">https://github.com/protocolbuffers/protobuf/commit/3a2af3510f0d454dbe3e4dc281674b61c4d20b9e</a>)</li> <li>[C++] Add a debug check that the target of CopyFrom is not a descendant of the source. (<a href="https://github.com/protocolbuffers/protobuf/commit/7a7589823d2cfaaf7994b050e98d5d553bc9b1c1">https://github.com/protocolbuffers/protobuf/commit/7a7589823d2cfaaf7994b050e98d5d553bc9b1c1</a>)</li> <li>[C++] Add [[nodiscard]] to many APIs. (<a href="https://github.com/protocolbuffers/protobuf/commit/a70115f33f9af2c4b2202c800b84837e7fe0d738">https://github.com/protocolbuffers/protobuf/commit/a70115f33f9af2c4b2202c800b84837e7fe0d738</a>)</li> <li>[C++] Make the arena-enabled constructors of <code>RepeatedField</code>, <code>RepeatedPtrField</code>, and <code>Map</code> private. (<a href="https://github.com/protocolbuffers/protobuf/commit/ef890c3d0c79398c70e047fe5dd893f460ba2336">https://github.com/protocolbuffers/protobuf/commit/ef890c3d0c79398c70e047fe5dd893f460ba2336</a>)</li> <li>[C++] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (<a href="https://github.com/protocolbuffers/protobuf/commit/b76faa921fdd244f374c7be0bddd4050fc42c292">https://github.com/protocolbuffers/protobuf/commit/b76faa921fdd244f374c7be0bddd4050fc42c292</a>)</li> <li>[C++] Removes proto2::util::MessageDifferencer::AddIgnoreCriteria that takes a raw pointer as an argument in favor of the overload that takes a unique_ptr. Remove macro PROTOBUF_FUTURE_REMOVE_ADD_IGNORE_CRITERIA (<a href="https://github.com/protocolbuffers/protobuf/commit/b115358c64127896fed88b8b5ef5d91d86d8cbae">https://github.com/protocolbuffers/protobuf/commit/b115358c64127896fed88b8b5ef5d91d86d8cbae</a>)</li> <li>[C++] Remove deprecated FieldDescriptor::has_optional_keyword() in OSS. Use is_repeated() or has_presence() instead (<a href="https://github.com/protocolbuffers/protobuf/commit/68346ec9348e932664e58c3ecdcd1478f95233a8">https://github.com/protocolbuffers/protobuf/commit/68346ec9348e932664e58c3ecdcd1478f95233a8</a>)</li> <li>[C++] Remove AddUnusedImportTrackFile() and ClearUnusedImportTrackFiles(). Remove PROTOBUF_FUTURE_RENAME_ADD_UNUSED_IMPORT (<a href="https://github.com/protocolbuffers/protobuf/commit/837a2cd1d6c75402b2503ffe7cd8aeaf25868536">https://github.com/protocolbuffers/protobuf/commit/837a2cd1d6c75402b2503ffe7cd8aeaf25868536</a>)</li> <li>[C++] Remove deprecated FieldDescriptor::is_optional() in OSS. Use (!is_required() && !is_repeated()) instead (<a href="https://github.com/protocolbuffers/protobuf/commit/9dbc5d479a8e453921485d8d3de47fb3c005f1af">https://github.com/protocolbuffers/protobuf/commit/9dbc5d479a8e453921485d8d3de47fb3c005f1af</a>)</li> <li>[C++] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (<a href="https://github.com/protocolbuffers/protobuf/commit/c301c2ca286327a21c50c0c4cd877afc9c655b00">https://github.com/protocolbuffers/protobuf/commit/c301c2ca286327a21c50c0c4cd877afc9c655b00</a>)</li> <li>[C++] All entity names have length limit (2afb0dc)</li> <li>[ObjC] Remove <code>generate_minimal_imports</code> generation option warning (<a href="https://github.com/protocolbuffers/protobuf/commit/45b1297fdaad5a9436d0e207422168c38dc45ac4">https://github.com/protocolbuffers/protobuf/commit/45b1297fdaad5a9436d0e207422168c38dc45ac4</a>)</li> <li>[ObjC] Fix nullability annotations on some <code>GPB*Dictionary</code> types. (<a href="https://github.com/protocolbuffers/protobuf/commit/ea67d6d26a48478a567c404679e3bb99cf230d50">https://github.com/protocolbuffers/protobuf/commit/ea67d6d26a48478a567c404679e3bb99cf230d50</a>)</li> <li>[ObjC] Remove <code>-[GPBFieldDescriptor optional]</code> (<a href="https://github.com/protocolbuffers/protobuf/commit/3414dc151eb4dcbdb2ca952e2589993bf7af75c4">https://github.com/protocolbuffers/protobuf/commit/3414dc151eb4dcbdb2ca952e2589993bf7af75c4</a>)</li> <li>[Other] Remove deprecated flag for enabling MSVC support (<a href="https://github.com/protocolbuffers/protobuf/commit/97c979be6e0907e1051bee62584dac4594e73fa7">https://github.com/protocolbuffers/protobuf/commit/97c979be6e0907e1051bee62584dac4594e73fa7</a>)</li> <li>[PHP] Remove deprecated PHP APIs (<a href="https://github.com/protocolbuffers/protobuf/commit/9c45014099a4f7004fab6dd1278de2f4f2a393c5">https://github.com/protocolbuffers/protobuf/commit/9c45014099a4f7004fab6dd1278de2f4f2a393c5</a>)</li> <li>[PHP] Remove deprecated PHP APIs FieldDescriptor getLabel, use IsRepeated or isRequired instead. (<a href="https://github.com/protocolbuffers/protobuf/commit/42081219920c6fad17ba6ddd1e28d111bcfb3345">https://github.com/protocolbuffers/protobuf/commit/42081219920c6fad17ba6ddd1e28d111bcfb3345</a>, <a href="https://github.com/protocolbuffers/protobuf/commit/cd76e675b14d00dda5623b30835d2bc7105fccc6">https://github.com/protocolbuffers/protobuf/commit/cd76e675b14d00dda5623b30835d2bc7105fccc6</a>, <a href="https://github.com/protocolbuffers/protobuf/commit/42081219920c6fad17ba6ddd1e28d111bcfb3345">https://github.com/protocolbuffers/protobuf/commit/42081219920c6fad17ba6ddd1e28d111bcfb3345</a>)</li> <li>[PHP] Add PHP typehints for setters and remove redundant GPBUtil checks (<a href="https://redirect.github.com/protocolbuffers/protobuf/pull/25296">protocolbuffers/protobuf#25296</a>) (<a href="https://github.com/protocolbuffers/protobuf/commit/aee03b78929c02461a5f9d8e136a2a016359b0cd">https://github.com/protocolbuffers/protobuf/commit/aee03b78929c02461a5f9d8e136a2a016359b0cd</a>)</li> <li>[PHP] support default values for editions/proto2 (<a href="https://redirect.github.com/protocolbuffers/protobuf/pull/25161">protocolbuffers/protobuf#25161</a>) (<a href="https://github.com/protocolbuffers/protobuf/commit/b01099d56350551bae3da88b97bf3027274c9f17">https://github.com/protocolbuffers/protobuf/commit/b01099d56350551bae3da88b97bf3027274c9f17</a>)</li> <li>[Python] Raise errors in OSS when assign bool to int/enum field in Python Proto. (<a href="https://github.com/protocolbuffers/protobuf/commit/5b116fe2f14f49dd0cc3b76089983717f211025c">https://github.com/protocolbuffers/protobuf/commit/5b116fe2f14f49dd0cc3b76089983717f211025c</a>)</li> <li>[Python] Remove float_format/double_format from python proto text_format (<a href="https://github.com/protocolbuffers/protobuf/commit/e4854a186e0bfa867d5bfa5cd850608a948fd488">https://github.com/protocolbuffers/protobuf/commit/e4854a186e0bfa867d5bfa5cd850608a948fd488</a>)</li> <li>[Python] Raise TypeError when convert non-timedelta to Duration, or convert non-datetime to Timestamp in python proto. (Original code may raise ArributeError) (<a href="https://github.com/protocolbuffers/protobuf/commit/00aaca1b4d98954bc2933d7c8a5379ba6088124c">https://github.com/protocolbuffers/protobuf/commit/00aaca1b4d98954bc2933d7c8a5379ba6088124c</a>)</li> <li>[Python] Remove float_precision from python proto json_format (<a href="https://github.com/protocolbuffers/protobuf/commit/f027f1fcd52b9d080b7ee79f4024f53cf54e0dc5">https://github.com/protocolbuffers/protobuf/commit/f027f1fcd52b9d080b7ee79f4024f53cf54e0dc5</a>)</li> <li>[Python] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (<a href="https://github.com/protocolbuffers/protobuf/commit/b76faa921fdd244f374c7be0bddd4050fc42c292">https://github.com/protocolbuffers/protobuf/commit/b76faa921fdd244f374c7be0bddd4050fc42c292</a>)</li> <li>[Python] Remove deprecated FieldDescriptor.label (<a href="https://github.com/protocolbuffers/protobuf/commit/0a8ff55518ea5874478ad5b26515b31d186045a9">https://github.com/protocolbuffers/protobuf/commit/0a8ff55518ea5874478ad5b26515b31d186045a9</a>)</li> <li>[Python] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (<a href="https://github.com/protocolbuffers/protobuf/commit/c301c2ca286327a21c50c0c4cd877afc9c655b00">https://github.com/protocolbuffers/protobuf/commit/c301c2ca286327a21c50c0c4cd877afc9c655b00</a>)</li> <li><a href="https://protobuf.dev/news/">Protobuf News</a> may include additional announcements or pre-announcements for upcoming changes.</li> <li><a href="https://protobuf.dev/support/migration/">Migration Guide</a> may include additional guidance for breaking changes.</li> </ul> <h1>Bazel</h1> <ul> <li>Fix: cc_toolchain should prefer protoc when prebuilt flag is flipped. (<a href="https://redirect.github.com/protocolbuffers/protobuf/issues/25168">#25168</a>) (<a href="https://github.com/protocolbuffers/protobuf/commit/8c857c3a1c6a106b0a096f1c9fa504bfaca035a9">https://github.com/protocolbuffers/protobuf/commit/8c857c3a1c6a106b0a096f1c9fa504bfaca035a9</a>)</li> <li>Breaking change: Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (<a href="https://github.com/protocolbuffers/protobuf/commit/0a5c2f6b633c1e5259f566cb42d30fe347b8aadb">https://github.com/protocolbuffers/protobuf/commit/0a5c2f6b633c1e5259f566cb42d30fe347b8aadb</a>)</li> <li>Feat(bazel): wire up prebuilt protoc toolchain (<a href="https://redirect.github.com/protocolbuffers/protobuf/issues/24115">#24115</a>) (<a href="https://github.com/protocolbuffers/protobuf/commit/cc23698b486e690ea2eb873cc7596a87c74a3ba6">https://github.com/protocolbuffers/protobuf/commit/cc23698b486e690ea2eb873cc7596a87c74a3ba6</a>)</li> <li>Migrate <code>proto_descriptor_set</code> (<a href="https://redirect.github.com/protocolbuffers/protobuf/issues/23369">#23369</a>) (<a href="https://github.com/protocolbuffers/protobuf/commit/8d4dfdd39a7a242a9ed631a6ab2192c57dd9b9c8">https://github.com/protocolbuffers/protobuf/commit/8d4dfdd39a7a242a9ed631a6ab2192c57dd9b9c8</a>)</li> </ul> <h1>Compiler</h1> <ul> <li>Ruby codegen: support generation of rbs files (<a href="https://redirect.github.com/protocolbuffers/protobuf/issues/15633">#15633</a>) (<a href="https://github.com/protocolbuffers/protobuf/commit/6ebdf851ba78728f0aa145d38454ed9a316fb08d">https://github.com/protocolbuffers/protobuf/commit/6ebdf851ba78728f0aa145d38454ed9a316fb08d</a>)</li> <li>Avoid collision name problems between a message named <code>Xyz</code> and a direct sibling enum named <code>XyzView</code> (<a href="https://github.com/protocolbuffers/protobuf/commit/eba53e8f172b273d679759a72ce4250131ee3df1">https://github.com/protocolbuffers/protobuf/commit/eba53e8f172b273d679759a72ce4250131ee3df1</a>)</li> <li>Generalizing and implementing ValidateFeatureSupport for both Options and Features during proto parsing (<a href="https://github.com/protocolbuffers/protobuf/commit/ed3c57114d8e2b47cca7697ddaa50c1b3762a6b0">https://github.com/protocolbuffers/protobuf/commit/ed3c57114d8e2b47cca7697ddaa50c1b3762a6b0</a>)</li> <li>Fix a bug with custom features outside of the <code>pb</code> package. (<a href="https://github.com/protocolbuffers/protobuf/commit/872d3ce7a4da00d7dcec33ced20cfe45235935e8">https://github.com/protocolbuffers/protobuf/commit/872d3ce7a4da00d7dcec33ced20cfe45235935e8</a>)</li> <li>Fix import option handling when include_imports isn't set. (<a href="https://github.com/protocolbuffers/protobuf/commit/9ef9e80afd9bc8379d578fe67e5ab0738728c04e">https://github.com/protocolbuffers/protobuf/commit/9ef9e80afd9bc8379d578fe67e5ab0738728c04e</a>)</li> <li>Fix a bug in STRICT check of namespaced enums to properly check for 'reserved 1 to max' (<a href="https://github.com/protocolbuffers/protobuf/commit/1229d4adba24c0952ab85ce96bc7b7f8a1fe6d0f">https://github.com/protocolbuffers/protobuf/commit/1229d4adba24c0952ab85ce96bc7b7f8a1fe6d0f</a>)</li> <li>Prevent accidental stripping of <code>debug_redact</code> options via import option. (<a href="https://github.com/protocolbuffers/protobuf/commit/f58b098bffa7ca4045ef7773b09151a6af5d0c28">https://github.com/protocolbuffers/protobuf/commit/f58b098bffa7ca4045ef7773b09151a6af5d0c28</a>)</li> </ul> <h1>C++</h1> <ul> <li>Add EnumerateEnumValues function. (<a href="https://github.com/protocolbuffers/protobuf/commit/397d5d99db274b379d1384814074bf7df39d32f7">https://github.com/protocolbuffers/protobuf/commit/397d5d99db274b379d1384814074bf7df39d32f7</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/protocolbuffers/protobuf/commits">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/react-agent/network/alerts). </details>
Bumps the uv group with 2 updates in the / directory: [langgraph](https://github.com/langchain-ai/langgraph) and [orjson](https://github.com/ijl/orjson). Updates `langgraph` from 1.0.6 to 1.0.10rc1 - [Release notes](https://github.com/langchain-ai/langgraph/releases) - [Commits](langchain-ai/langgraph@1.0.6...1.0.10rc1) Updates `orjson` from 3.11.5 to 3.11.6 - [Release notes](https://github.com/ijl/orjson/releases) - [Changelog](https://github.com/ijl/orjson/blob/master/CHANGELOG.md) - [Commits](ijl/orjson@3.11.5...3.11.6) --- updated-dependencies: - dependency-name: langgraph dependency-version: 1.0.10rc1 dependency-type: direct:production dependency-group: uv - dependency-name: orjson dependency-version: 3.11.6 dependency-type: indirect dependency-group: uv ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the uv group with 2 updates in the / directory: [langgraph](https://github.com/langchain-ai/langgraph) and [orjson](https://github.com/ijl/orjson). Updates `langgraph` from 1.0.6 to 1.0.10rc1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langgraph/releases">langgraph's releases</a>.</em></p> <blockquote> <h2>langgraph==1.0.10rc1</h2> <p>Changes since 1.0.9</p> <ul> <li>release: Candidate (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6947">#6947</a>)</li> <li>Merge commit from fork</li> <li>chore: add tests to confirm expected subgraph persistence behavior (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6943">#6943</a>)</li> <li>fix(langgraph): correct ParentCommand bubbling when checkpoint_ns includes numeric task segments (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6864">#6864</a>)</li> <li>chore: add <code>make type</code> target for type checking (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6748">#6748</a>)</li> </ul> <h2>langgraph==1.0.9</h2> <p>Changes since 1.0.8</p> <ul> <li>release: langgraph + prebuilt (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6875">#6875</a>)</li> <li>fix: sequential interrupt handling w/ functional API (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6863">#6863</a>)</li> <li>chore: state_updated_at sort by (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6857">#6857</a>)</li> <li>chore: bump orjson (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6852">#6852</a>)</li> <li>chore: conformance testing (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6842">#6842</a>)</li> <li>chore(deps): bump the all-dependencies group in /libs/langgraph with 6 updates (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6815">#6815</a>)</li> <li>chore(deps): bump protobuf from 6.33.4 to 6.33.5 in /libs/langgraph (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6833">#6833</a>)</li> <li>chore(deps): bump cryptography from 46.0.3 to 46.0.5 in /libs/langgraph (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6837">#6837</a>)</li> <li>chore(deps): bump nbconvert from 7.16.6 to 7.17.0 in /libs/langgraph (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6832">#6832</a>)</li> <li>chore: server runtime type (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6774">#6774</a>)</li> <li>refactor: replace bare except with BaseException in AsyncQueue (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6765">#6765</a>)</li> </ul> <h2>langgraph==1.0.8</h2> <p>Changes since 1.0.7</p> <ul> <li>release(langgraph): 1.0.8 (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6757">#6757</a>)</li> <li>chore: shallow copy futures (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6755">#6755</a>)</li> <li>fix: pydantic messages double streaming (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6753">#6753</a>)</li> <li>chore(deps-dev): bump ruff from 0.14.7 to 0.14.11 in /libs/sdk-py (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6673">#6673</a>)</li> <li>chore: Omit lock when using connection pool (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6734">#6734</a>)</li> <li>docs: enhance <code>Runtime</code> and <code>ToolRuntime</code> class descriptions for clarity (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6689">#6689</a>)</li> <li>docs: add clarity to use of <code>thread_id</code> (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6515">#6515</a>)</li> <li>docs: add docstrings to <code>add_node</code> overloads (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6514">#6514</a>)</li> <li>docs: update notebook links and add archival notices for examples (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6720">#6720</a>)</li> <li>release(cli): 0.4.12 (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6716">#6716</a>)</li> </ul> <h2>langgraph-prebuilt==1.0.8</h2> <p>Changes since prebuilt==1.0.7</p> <ul> <li>release: langgraph + prebuilt (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6875">#6875</a>)</li> <li>fix: inject ToolRuntime for dynamically registered tools (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6874">#6874</a>)</li> <li>chore: bump orjson (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6852">#6852</a>)</li> <li>chore(deps): bump langchain-core from 1.2.12 to 1.2.13 in /libs/prebuilt in the all-dependencies group (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6849">#6849</a>)</li> <li>chore: conformance testing (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6842">#6842</a>)</li> <li>chore(deps): bump the all-dependencies group in /libs/prebuilt with 3 updates (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6810">#6810</a>)</li> <li>chore: server runtime type (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6774">#6774</a>)</li> <li>docs(prebuilt): update warning for <code>create_react_agent</code> (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6760">#6760</a>)</li> <li>release(langgraph): 1.0.8 (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6757">#6757</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/langchain-ai/langgraph/commit/a04ec5d6f00fa6583b2d98dfe789da741204b767"><code>a04ec5d</code></a> release: Candidate (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6947">#6947</a>)</li> <li><a href="https://github.com/langchain-ai/langgraph/commit/50df7d423abebcb5a192f0a59c2952c68cb0df8c"><code>50df7d4</code></a> Merge commit from fork</li> <li><a href="https://github.com/langchain-ai/langgraph/commit/c4a4a4647343d802d0ab909439806076bae15bd6"><code>c4a4a46</code></a> chore: add tests to confirm expected subgraph persistence behavior (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6943">#6943</a>)</li> <li><a href="https://github.com/langchain-ai/langgraph/commit/f178eb821e52906e1705c9cc02533bb88854b409"><code>f178eb8</code></a> fix(langgraph): correct ParentCommand bubbling when checkpoint_ns includes nu...</li> <li><a href="https://github.com/langchain-ai/langgraph/commit/48167d7fec9c25228426c92ba83d8650b77de0f3"><code>48167d7</code></a> chore(deps): bump the all-dependencies group in /libs/cli with 2 updates (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6920">#6920</a>)</li> <li><a href="https://github.com/langchain-ai/langgraph/commit/806878a421458e99f9882e666ff35a41ad1bb561"><code>806878a</code></a> chore(deps): bump the all-dependencies group in /libs/checkpoint-postgres wit...</li> <li><a href="https://github.com/langchain-ai/langgraph/commit/8087e6a42c62c2049a5fb3f99372a8c601d07e08"><code>8087e6a</code></a> docs(sdk-py): update auth docstrings to default-deny pattern (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6933">#6933</a>)</li> <li><a href="https://github.com/langchain-ai/langgraph/commit/8fbdb144876ec9ca75943c7addb452a2bb634304"><code>8fbdb14</code></a> release(sdk-py): 0.3.9 (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6932">#6932</a>)</li> <li><a href="https://github.com/langchain-ai/langgraph/commit/5093802f319119be674c02269f9874df04558419"><code>5093802</code></a> chore(deps): bump the all-dependencies group in /libs/checkpoint with 2 updat...</li> <li><a href="https://github.com/langchain-ai/langgraph/commit/b89ef60b91e019c3cb4422af1e3cc216804ccb20"><code>b89ef60</code></a> feat(sdk-py): add extract parameter to threads.search() (<a href="https://redirect.github.com/langchain-ai/langgraph/issues/6880">#6880</a>)</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langgraph/compare/1.0.6...1.0.10rc1">compare view</a></li> </ul> </details> <br /> Updates `orjson` from 3.11.5 to 3.11.6 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/ijl/orjson/releases">orjson's releases</a>.</em></p> <blockquote> <h2>3.11.6</h2> <h3>Changed</h3> <ul> <li>orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).</li> <li>Drop support for Python 3.9.</li> <li>ABI compatibility with CPython 3.15 alpha 5.</li> <li>Build now depends on Rust 1.89 or later instead of 1.85.</li> </ul> <h3>Fixed</h3> <ul> <li>Fix sporadic crash serializing deeply nested <code>list</code> of <code>dict</code>.</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/ijl/orjson/blob/master/CHANGELOG.md">orjson's changelog</a>.</em></p> <blockquote> <h2>3.11.6 - 2026-01-29</h2> <h3>Changed</h3> <ul> <li>orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).</li> <li>Drop support for Python 3.9.</li> <li>ABI compatibility with CPython 3.15 alpha 5.</li> <li>Build now depends on Rust 1.89 or later instead of 1.85.</li> </ul> <h3>Fixed</h3> <ul> <li>Fix sporadic crash serializing deeply nested <code>list</code> of <code>dict</code>.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ijl/orjson/commit/ec02024c3837255064f248c0d2d331319b75e9ad"><code>ec02024</code></a> 3.11.6</li> <li><a href="https://github.com/ijl/orjson/commit/d58168733189f82b3fd0c058dff73e05d09202e6"><code>d581687</code></a> build, clippy misc</li> <li><a href="https://github.com/ijl/orjson/commit/4105b29b2275f200f6fae01349bef02ccf1bc2e2"><code>4105b29</code></a> writer::num</li> <li><a href="https://github.com/ijl/orjson/commit/62bb185b70785ded49c79c26f8c9781f1e6fe370"><code>62bb185</code></a> Fix sporadic crash on serializing object close</li> <li><a href="https://github.com/ijl/orjson/commit/d860078a973f44401265c5c4ad12a7dbe4f839ad"><code>d860078</code></a> PyRef idiom refactors</li> <li><a href="https://github.com/ijl/orjson/commit/343ae2f148197918aba9f8562db42c364620e4b8"><code>343ae2f</code></a> Deserializer, Utf8Buffer</li> <li><a href="https://github.com/ijl/orjson/commit/7835f58d1c56947d1cf7a18acdfc07a2bca9b0f2"><code>7835f58</code></a> PyBytesRef and other input refactor</li> <li><a href="https://github.com/ijl/orjson/commit/71e0516424ce1e11613eb1780f18e8cde83989fd"><code>71e0516</code></a> PyStrRef</li> <li><a href="https://github.com/ijl/orjson/commit/1096df42dc585fde837ed0c930a346f5ef7dbb94"><code>1096df4</code></a> MSRV 1.89</li> <li><a href="https://github.com/ijl/orjson/commit/b718e75b8ba18a707c2b44b6de14d52547573771"><code>b718e75</code></a> Drop support for python3.9</li> <li>Additional commits viewable in <a href="https://github.com/ijl/orjson/compare/3.11.5...3.11.6">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/react-agent/network/alerts). </details>
Bumps the uv group with 1 update in the / directory: [requests](https://github.com/psf/requests). Updates `requests` from 2.32.5 to 2.33.0 - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.32.5...v2.33.0) --- updated-dependencies: - dependency-name: requests dependency-version: 2.33.0 dependency-type: indirect dependency-group: uv ... Signed-off-by: dependabot[bot] <support@github.com>
#37) Bumps the uv group with 1 update in the / directory: [requests](https://github.com/psf/requests). Updates `requests` from 2.32.5 to 2.33.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p> <blockquote> <h2>v2.33.0</h2> <h2>2.33.0 (2026-03-25)</h2> <p><strong>Announcements</strong></p> <ul> <li>📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at <a href="https://redirect.github.com/psf/requests/issues/7271">#7271</a>. Give it a try, and report any gaps or feedback you may have in the issue. 📣</li> </ul> <p><strong>Security</strong></p> <ul> <li>CVE-2026-25645 <code>requests.utils.extract_zipped_paths</code> now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.</li> </ul> <p><strong>Improvements</strong></p> <ul> <li>Migrated to a PEP 517 build system using setuptools. (<a href="https://redirect.github.com/psf/requests/issues/7012">#7012</a>)</li> </ul> <p><strong>Bugfixes</strong></p> <ul> <li>Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (<a href="https://redirect.github.com/psf/requests/issues/7205">#7205</a>)</li> </ul> <p><strong>Deprecations</strong></p> <ul> <li>Dropped support for Python 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/7196">#7196</a>)</li> </ul> <p><strong>Documentation</strong></p> <ul> <li>Various typo fixes and doc improvements.</li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/M0d3v1"><code>@M0d3v1</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/6865">psf/requests#6865</a></li> <li><a href="https://github.com/aminvakil"><code>@aminvakil</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/7220">psf/requests#7220</a></li> <li><a href="https://github.com/E8Price"><code>@E8Price</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/6960">psf/requests#6960</a></li> <li><a href="https://github.com/mitre88"><code>@mitre88</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/7244">psf/requests#7244</a></li> <li><a href="https://github.com/magsen"><code>@magsen</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/6553">psf/requests#6553</a></li> <li><a href="https://github.com/Rohan5commit"><code>@Rohan5commit</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/7227">psf/requests#7227</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25">https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's changelog</a>.</em></p> <blockquote> <h2>2.33.0 (2026-03-25)</h2> <p><strong>Announcements</strong></p> <ul> <li>📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at <a href="https://redirect.github.com/psf/requests/issues/7271">#7271</a>. Give it a try, and report any gaps or feedback you may have in the issue. 📣</li> </ul> <p><strong>Security</strong></p> <ul> <li>CVE-2026-25645 <code>requests.utils.extract_zipped_paths</code> now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.</li> </ul> <p><strong>Improvements</strong></p> <ul> <li>Migrated to a PEP 517 build system using setuptools. (<a href="https://redirect.github.com/psf/requests/issues/7012">#7012</a>)</li> </ul> <p><strong>Bugfixes</strong></p> <ul> <li>Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (<a href="https://redirect.github.com/psf/requests/issues/7205">#7205</a>)</li> </ul> <p><strong>Deprecations</strong></p> <ul> <li>Dropped support for Python 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/7196">#7196</a>)</li> </ul> <p><strong>Documentation</strong></p> <ul> <li>Various typo fixes and doc improvements.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/psf/requests/commit/bc04dfd6dad4cb02cd92f5daa81eb562d280a761"><code>bc04dfd</code></a> v2.33.0</li> <li><a href="https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7"><code>66d21cb</code></a> Merge commit from fork</li> <li><a href="https://github.com/psf/requests/commit/8b9bc8fc0f63be84602387913c4b689f19efd028"><code>8b9bc8f</code></a> Move badges to top of README (<a href="https://redirect.github.com/psf/requests/issues/7293">#7293</a>)</li> <li><a href="https://github.com/psf/requests/commit/e331a288f369973f5de0ec8901c94cae4fa87286"><code>e331a28</code></a> Remove unused extraction call (<a href="https://redirect.github.com/psf/requests/issues/7292">#7292</a>)</li> <li><a href="https://github.com/psf/requests/commit/753fd08c5eacce0aa0df73fe47e49525c67e0a29"><code>753fd08</code></a> docs: fix FAQ grammar in httplib2 example</li> <li><a href="https://github.com/psf/requests/commit/774a0b837a194ee885d4fdd9ca947900cc3daf71"><code>774a0b8</code></a> docs(socks): same block as other sections</li> <li><a href="https://github.com/psf/requests/commit/9c72a41bec8597f948c9d8caa5dc3f12273b3303"><code>9c72a41</code></a> Bump github/codeql-action from 4.33.0 to 4.34.1</li> <li><a href="https://github.com/psf/requests/commit/ebf71906798ec82f34e07d3168f8b8aecaf8a3be"><code>ebf7190</code></a> Bump github/codeql-action from 4.32.0 to 4.33.0</li> <li><a href="https://github.com/psf/requests/commit/0e4ae38f0c93d4f92a96c774bd52c069d12a4798"><code>0e4ae38</code></a> docs: exclude Response.is_permanent_redirect from API docs (<a href="https://redirect.github.com/psf/requests/issues/7244">#7244</a>)</li> <li><a href="https://github.com/psf/requests/commit/d568f47278492e630cc990a259047c67991d007a"><code>d568f47</code></a> docs: clarify Quickstart POST example (<a href="https://redirect.github.com/psf/requests/issues/6960">#6960</a>)</li> <li>Additional commits viewable in <a href="https://github.com/psf/requests/compare/v2.32.5...v2.33.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/react-agent/network/alerts). </details>
- Add top-level `permissions: contents: read` to integration-tests.yml and unit-tests.yml - SHA-pin codespell-project/actions-codespell@v2 → 406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
## Summary - Add top-level `permissions: contents: read` to `integration-tests.yml` and `unit-tests.yml` (Rule 1 compliance) - SHA-pin `codespell-project/actions-codespell@v2` → `406322ec52dd7b488e48c1c4b82e2a8b3a1bf630` in both usages in `unit-tests.yml` (Rule 6 compliance) ## Test plan - [ ] CI passes on this branch - [x] Code scanning alerts for missing permissions are resolved after merge
Bumps the uv group with 1 update in the / directory: [langchain-core](https://github.com/langchain-ai/langchain). Updates `langchain-core` from 1.2.11 to 1.2.22 - [Release notes](https://github.com/langchain-ai/langchain/releases) - [Commits](langchain-ai/langchain@langchain-core==1.2.11...langchain-core==1.2.22) --- updated-dependencies: - dependency-name: langchain-core dependency-version: 1.2.22 dependency-type: indirect dependency-group: uv ... Signed-off-by: dependabot[bot] <support@github.com>
…rectory (#39) Bumps the uv group with 1 update in the / directory: [langchain-core](https://github.com/langchain-ai/langchain). Updates `langchain-core` from 1.2.11 to 1.2.22 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.2.22</h2> <p>Changes since langchain-core==1.2.21</p> <p>release(core): 1.2.22 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36201">#36201</a>) fix(core): validate paths in <code>prompt.save</code> and <code>load_prompt</code>, deprecate methods (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36200">#36200</a>)</p> <h2>langchain-core==1.2.21</h2> <p>Changes since langchain-core==1.2.20</p> <p>release(core): 1.2.21 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36179">#36179</a>) fix(core,model-profiles): add missing <code>ModelProfile</code> fields, warn on schema drift (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36129">#36129</a>) chore(core): remove stale blockbuster allowlist for deleted context module (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36168">#36168</a>) ci: suppress pytest streaming output in CI (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36092">#36092</a>)</p> <h2>langchain-core==1.2.20</h2> <p>Changes since langchain-core==1.2.19</p> <p>release(core): 1.2.20 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36085">#36085</a>) fix(core): trace invocation params in metadata (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36080">#36080</a>) feat: Add LangSmith integration metadata to create_agent and init_chat_model (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35810">#35810</a>) feat(core): harden anti-ssrf (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35960">#35960</a>) ci: avoid unnecessary dep installs in lint targets (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36046">#36046</a>) docs(core): document <code>base_url</code> in mermaid api (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35961">#35961</a>) chore: bump orjson from 3.11.5 to 3.11.6 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35805">#35805</a>) chore: housekeeping (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35850">#35850</a>)</p> <h2>langchain-core==1.2.19</h2> <p>Changes since langchain-core==1.2.18</p> <p>release(core): 1.2.19 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35832">#35832</a>) chore(core): move BaseCrossEncoder to langchain-core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35809">#35809</a>) chore: bump tornado from 6.5.2 to 6.5.5 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35775">#35775</a>)</p> <h2>langchain-core==1.2.18</h2> <p>Changes since langchain-core==1.2.17</p> <p>release(core): 1.2.18 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35704">#35704</a>) fix(core): fix double backticks in deprecation docstring for alternative_import (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35658">#35658</a>) fix(core): preserve default_factory when generating tool call schema (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35550">#35550</a>) feat(openai): support tool search (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35582">#35582</a>) chore: bump the minor-and-patch group across 3 directories with 7 updates (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35605">#35605</a>)</p> <h2>langchain-core==1.2.17</h2> <p>Changes since langchain-core==1.2.16</p> <p>release(core): 1.2.17 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35527">#35527</a>) fix(core): extract usage metadata from serialized tracer message outputs (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35526">#35526</a>) chore: bump the langchain-deps group across 3 directories with 7 updates (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35513">#35513</a>) chore: bump the langchain-deps group across 3 directories with 14 updates (<a href="https://redirect.github.com/langchain-ai/langchain/issues/35441">#35441</a>)</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/langchain-ai/langchain/commit/d22df94537e4267f72dc1bbfc8e3849baf20d9f7"><code>d22df94</code></a> release(core): 1.2.22 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36201">#36201</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c"><code>27add91</code></a> fix(core): validate paths in <code>prompt.save</code> and <code>load_prompt</code>, deprecate metho...</li> <li><a href="https://github.com/langchain-ai/langchain/commit/7563fceb40ce31165524f3f57ec65e487c02b1a7"><code>7563fce</code></a> chore(model-profiles): refresh model profile data (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36195">#36195</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/3e64c255b84b283b3a65216b19b9838734258c96"><code>3e64c25</code></a> chore: use repo permissions instead of org membership for maintainer override...</li> <li><a href="https://github.com/langchain-ai/langchain/commit/1778b082ecd64a9dedd48674d874ca1bfcbe4c7d"><code>1778b08</code></a> chore(partners): bump <code>langchain-core</code> min to <code>1.2.21</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36183">#36183</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/ad574fce0d52740c249b0db7bde871d779ffb93d"><code>ad574fc</code></a> fix(openai): bump min core version (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36180">#36180</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/19f81cf6f1d73f7adf156491ba0617497a526b8c"><code>19f81cf</code></a> release(core): 1.2.21 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36179">#36179</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/6d07ef28a7023dc7b832fe52862f7a6fc0a187f3"><code>6d07ef2</code></a> release(openai): 1.1.12 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36178">#36178</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/2f64d80cc65091985873c339ca76a59af7baf739"><code>2f64d80</code></a> fix(core,model-profiles): add missing <code>ModelProfile</code> fields, warn on schema d...</li> <li><a href="https://github.com/langchain-ai/langchain/commit/5ffece5c033365baf4a3df52ffed5c6bfbed27ee"><code>5ffece5</code></a> chore(core): remove stale blockbuster allowlist for deleted context module (#...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.2.11...langchain-core==1.2.22">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/react-agent/network/alerts). </details>
Bumps the uv group with 1 update in the / directory: [cryptography](https://github.com/pyca/cryptography). Updates `cryptography` from 46.0.5 to 46.0.6 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@46.0.5...46.0.6) --- updated-dependencies: - dependency-name: cryptography dependency-version: 46.0.6 dependency-type: indirect dependency-group: uv ... Signed-off-by: dependabot[bot] <support@github.com>
…ctory (#41) Bumps the uv group with 1 update in the / directory: [cryptography](https://github.com/pyca/cryptography). Updates `cryptography` from 46.0.5 to 46.0.6 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's changelog</a>.</em></p> <blockquote> <p>46.0.6 - 2026-03-25</p> <pre><code> * **SECURITY ISSUE**: Fixed a bug where name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug, including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for reporting the issue. **CVE-2026-34073** <p>.. _v46-0-5:<br /> </code></pre></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pyca/cryptography/commit/91d728897bdad30cd5c79a2b23e207f1f050d587"><code>91d7288</code></a> Cherry-pick <a href="https://redirect.github.com/pyca/cryptography/issues/14542">#14542</a> (<a href="https://redirect.github.com/pyca/cryptography/issues/14543">#14543</a>)</li> <li>See full diff in <a href="https://github.com/pyca/cryptography/compare/46.0.5...46.0.6">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/react-agent/network/alerts). </details>
pyjwt < 2.12.0 accepts unknown `crit` header extensions. Transitive via langgraph-api -> pyjwt (dev-only path). Strategy: constraint-dependencies (C). Remove once langgraph-api requires pyjwt>=2.12.0 upstream.
## Security Alert Patch Resolves 1 Dependabot security alert in the high severity tier. ### Packages Updated | Package | Old Constraint | New Constraint | Strategy | Scope | CVEs Resolved | |---------|---------------|----------------|----------|-------|---------------| | PyJWT | (unconstrained, resolved 2.10.1) | `>=2.12.0` (resolved 2.12.1) | C — constraint | dev-only | CVE-2026-32597 | Strategy C = `[tool.uv.constraint-dependencies]` override — valid because PyJWT is dev-only (transitive via `langgraph-cli[inmem]` → `langgraph-api` → `pyjwt`). ### CVE Details - **[CVE-2026-32597](https://nvd.nist.gov/vuln/detail/CVE-2026-32597)** / [GHSA-752w-5fwx-jx9f](GHSA-752w-5fwx-jx9f): PyJWT accepts unknown `crit` header extensions — versions < 2.12.0 are vulnerable. ### Removal Condition The `constraint-dependencies` entry can be removed once `langgraph-api` releases a version that requires `pyjwt>=2.12.0` upstream. ### Linear Tickets No matching Linear tickets found for the resolved CVEs. ### Verification - [x] Lockfile updated — resolved version is now 2.12.1 - [x] Linters pass (`ruff check`) - [ ] Tests pass (CI) 🤖 Submitted by langster-patch
--- updated-dependencies: - dependency-name: aiohttp dependency-version: 3.13.4 dependency-type: indirect dependency-group: uv ... Signed-off-by: dependabot[bot] <support@github.com>
…s 1 directory (#43) [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/react-agent/network/alerts). </details>
Bumps the uv group with 2 updates in the / directory: [cryptography](https://github.com/pyca/cryptography) and [langchain-core](https://github.com/langchain-ai/langchain). Updates `cryptography` from 46.0.6 to 46.0.7 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@46.0.6...46.0.7) Updates `langchain-core` from 1.2.22 to 1.2.28 - [Release notes](https://github.com/langchain-ai/langchain/releases) - [Commits](langchain-ai/langchain@langchain-core==1.2.22...langchain-core==1.2.28) --- updated-dependencies: - dependency-name: cryptography dependency-version: 46.0.7 dependency-type: indirect dependency-group: uv - dependency-name: langchain-core dependency-version: 1.2.28 dependency-type: indirect dependency-group: uv ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the uv group with 2 updates in the / directory: [cryptography](https://github.com/pyca/cryptography) and [langchain-core](https://github.com/langchain-ai/langchain). Updates `cryptography` from 46.0.6 to 46.0.7 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's changelog</a>.</em></p> <blockquote> <p>46.0.7 - 2026-04-07</p> <pre><code> * **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could be passed to APIs that accept Python buffers, which could lead to buffer overflow. **CVE-2026-39892** * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6. <p>.. _v46-0-6:<br /> </code></pre></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pyca/cryptography/commit/622d672e429a7cff836a23c5903683dbec1901f5"><code>622d672</code></a> 46.0.7 release (<a href="https://redirect.github.com/pyca/cryptography/issues/14602">#14602</a>)</li> <li>See full diff in <a href="https://github.com/pyca/cryptography/compare/46.0.6...46.0.7">compare view</a></li> </ul> </details> <br /> Updates `langchain-core` from 1.2.22 to 1.2.28 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langchain/releases">langchain-core's releases</a>.</em></p> <blockquote> <h2>langchain-core==1.2.28</h2> <p>Changes since langchain-core==1.2.27</p> <p>release(core): release 1.2.28 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36614">#36614</a>) fix(core): add more sanitization to templates (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36612">#36612</a>)</p> <h2>langchain-core==1.2.27</h2> <p>Changes since langchain-core==1.2.26</p> <p>release(core): 1.2.27 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36586">#36586</a>) fix(core): handle symlinks in deprecated prompt save path (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36585">#36585</a>) chore: add comment explaining <code>pygments>=2.20.0</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36570">#36570</a>)</p> <p>Credit to Jeff Ponte (<a href="https://github.com/JDP-Security"><code>@JDP-Security</code></a>) for reporting the symlink resolution issue in <a href="https://redirect.github.com/langchain-ai/langchain/issues/36585">#36585</a>.</p> <h2>langchain-core==1.2.26</h2> <p>Changes since langchain-core==1.2.25</p> <p>release(core): 1.2.26 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36511">#36511</a>) fix(core): add init validator and serialization mappings for Bedrock models (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34510">#34510</a>) feat(core): add <code>ChatBaseten</code> to serializable mapping (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36510">#36510</a>) chore(core): drop <code>gpt-3.5-turbo</code> from docstrings (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36497">#36497</a>) fix(core): correct parameter names in filter_messages docstring example (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36462">#36462</a>)</p> <h2>langchain-core==1.2.25</h2> <p>Changes since langchain-core==1.2.24</p> <p>release(core): 1.2.25 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36473">#36473</a>) fix(core): harden check for txt files in deprecated prompt loading functions (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36471">#36471</a>) fix(core): fixed typos in the documentation (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36459">#36459</a>)</p> <p>Credit to Jeff Ponte (<a href="https://github.com/JDP-Security"><code>@JDP-Security</code></a>) for reporting the symlink resolution issue resolved in <a href="https://redirect.github.com/langchain-ai/langchain/issues/36471">#36471</a>.</p> <h2>langchain-core==1.2.24</h2> <p>Changes since langchain-core==1.2.23</p> <p>release(core): 1.2.24 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36434">#36434</a>) feat(core): impute placeholder filenames for OpenAI file inputs (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36433">#36433</a>) chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36385">#36385</a>) fix(core): add "computer" to _WellKnownOpenAITools (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36261">#36261</a>)</p> <h2>langchain-core==1.2.23</h2> <p>Changes since langchain-core==1.2.22</p> <p>release(core): 1.2.23 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36323">#36323</a>) revert: Revert "fix(core): trace invocation params in metadata" (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36322">#36322</a>) chore: bump requests from 2.32.5 to 2.33.0 in /libs/core (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36243">#36243</a>)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/langchain-ai/langchain/commit/dd7c3eb3a4acfc834b038ec9dbde94478c66776e"><code>dd7c3eb</code></a> release(core): release 1.2.28 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36614">#36614</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258"><code>af2ed47</code></a> fix(core): add more sanitization to templates (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36612">#36612</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/7e5858d8078124f98f10102da21414689467c132"><code>7e5858d</code></a> release(standard-tests): 1.1.6 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36610">#36610</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/fe99cb29123b704a90f5c8587a757def3b1471e0"><code>fe99cb2</code></a> fix(standard-tests): update standard tests for sandbox backends (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36036">#36036</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/65bbd47cb2721c51ef8638f9e7da35247c4bfdde"><code>65bbd47</code></a> chore(model-profiles): refresh model profile data (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36596">#36596</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/64864041168606535dfbd39055c0dca3dd61b5ba"><code>6486404</code></a> release(core): 1.2.27 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36586">#36586</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/7629c747260cbaed7ca55466d5b9e1b520a7de77"><code>7629c74</code></a> fix(core): handle symlinks in deprecated prompt save path (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36585">#36585</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/ce21bf469d7493f4716bc30feb15a5b3f16ebe1e"><code>ce21bf4</code></a> ci: convert working-directory to validated dropdown (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36575">#36575</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/b8698eacbd2960c7e3195018f42992bf2c9d69c7"><code>b8698ea</code></a> release(ollama): 1.1.0 (<a href="https://redirect.github.com/langchain-ai/langchain/issues/36574">#36574</a>)</li> <li><a href="https://github.com/langchain-ai/langchain/commit/3beba77e2e23d498fda07f9b8d6ba00aabfaf69f"><code>3beba77</code></a> feat(ollama): support <code>response_format</code> (<a href="https://redirect.github.com/langchain-ai/langchain/issues/34612">#34612</a>)</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langchain/compare/langchain-core==1.2.22...langchain-core==1.2.28">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/react-agent/network/alerts). </details>
Bumps the uv group with 1 update in the / directory: [pillow](https://github.com/python-pillow/Pillow). Updates `pillow` from 12.1.1 to 12.2.0 - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](python-pillow/Pillow@12.1.1...12.2.0) --- updated-dependencies: - dependency-name: pillow dependency-version: 12.2.0 dependency-type: indirect dependency-group: uv ... Signed-off-by: dependabot[bot] <support@github.com>
… 1 directory (#45) Bumps the uv group with 1 update in the / directory: [pillow](https://github.com/python-pillow/Pillow). Updates `pillow` from 12.1.1 to 12.2.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/python-pillow/Pillow/releases">pillow's releases</a>.</em></p> <blockquote> <h2>12.2.0</h2> <p><a href="https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html">https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html</a></p> <h2>Documentation</h2> <ul> <li>Update 12.2.0 release notes <a href="https://redirect.github.com/python-pillow/Pillow/issues/9522">#9522</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> <li>Add loader plugins: AMOS abk, Atari Degas, 40+ more obscure formats via Netpbm <a href="https://redirect.github.com/python-pillow/Pillow/issues/9482">#9482</a> [<a href="https://github.com/bitplane"><code>@bitplane</code></a>]</li> <li>Update Python versions <a href="https://redirect.github.com/python-pillow/Pillow/issues/9515">#9515</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Jeffrey A. Clark -> Jeffrey 'Alex' Clark <a href="https://redirect.github.com/python-pillow/Pillow/issues/9513">#9513</a> [<a href="https://github.com/aclark4life"><code>@aclark4life</code></a>]</li> <li>Add release notes for <a href="https://redirect.github.com/python-pillow/Pillow/issues/9394">#9394</a>, <a href="https://redirect.github.com/python-pillow/Pillow/issues/9419">#9419</a> and <a href="https://redirect.github.com/python-pillow/Pillow/issues/9456">#9456</a> <a href="https://redirect.github.com/python-pillow/Pillow/issues/9467">#9467</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Add Amiga Workbench .info loader to 3rd party plugins list <a href="https://redirect.github.com/python-pillow/Pillow/issues/9459">#9459</a> [<a href="https://github.com/bitplane"><code>@bitplane</code></a>]</li> <li>Merge PFM documentation into PPM <a href="https://redirect.github.com/python-pillow/Pillow/issues/9434">#9434</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update macOS tested Pillow versions <a href="https://redirect.github.com/python-pillow/Pillow/issues/9431">#9431</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Fix CVE number <a href="https://redirect.github.com/python-pillow/Pillow/issues/9430">#9430</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> </ul> <h2>Dependencies</h2> <ul> <li>Update xz to 5.8.3 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9523">#9523</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update libjpeg-turbo to 3.1.4.1 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9507">#9507</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update libpng to 1.6.56 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9499">#9499</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update freetype to 2.14.3 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9485">#9485</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Updated libavif to 1.4.1 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9479">#9479</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Updated harfbuzz to 13.2.1 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9461">#9461</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update Ghostscript to 10.7.0 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9469">#9469</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update harfbuzz to 13.0.1 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9453">#9453</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update libavif to 1.4.0 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9460">#9460</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update freetype to 2.14.2 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9449">#9449</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update actions/download-artifact action to v8 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9451">#9451</a> [@<a href="https://github.com/apps/renovate">renovate[bot]</a>]</li> <li>Updated libpng to 1.6.55 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9425">#9425</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> </ul> <h2>Testing</h2> <ul> <li>Cleanup .spider extension in the same test where it is added <a href="https://redirect.github.com/python-pillow/Pillow/issues/9517">#9517</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Run tests in parallel via tox for 3.5x speedup <a href="https://redirect.github.com/python-pillow/Pillow/issues/9516">#9516</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> <li>Enable colour in CI logs <a href="https://redirect.github.com/python-pillow/Pillow/issues/9486">#9486</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> <li>Update Ghostscript to 10.7.0 <a href="https://redirect.github.com/python-pillow/Pillow/issues/9469">#9469</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Simplify TGA test code <a href="https://redirect.github.com/python-pillow/Pillow/issues/9477">#9477</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Update tests to check for ValueError when encoding an empty image <a href="https://redirect.github.com/python-pillow/Pillow/issues/9464">#9464</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Upgrade CI from <code>macos-15-intel</code> to <code>macos-26-intel</code> <a href="https://redirect.github.com/python-pillow/Pillow/issues/9454">#9454</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> <li>Add check-case-conflict hook <a href="https://redirect.github.com/python-pillow/Pillow/issues/9446">#9446</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Specify platform when pulling docker image <a href="https://redirect.github.com/python-pillow/Pillow/issues/9440">#9440</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>GHA: Cache libavif and webp builds for Ubuntu <a href="https://redirect.github.com/python-pillow/Pillow/issues/9437">#9437</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> <li>Update macOS tested Pillow versions <a href="https://redirect.github.com/python-pillow/Pillow/issues/9431">#9431</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> </ul> <h2>Other changes</h2> <ul> <li>Check calloc return value <a href="https://redirect.github.com/python-pillow/Pillow/issues/9527">#9527</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> <li>Check all allocs in the Arrow tree <a href="https://redirect.github.com/python-pillow/Pillow/issues/9488">#9488</a> [<a href="https://github.com/wiredfool"><code>@wiredfool</code></a>]</li> <li>Reject non-numeric elements inside list coords <a href="https://redirect.github.com/python-pillow/Pillow/issues/9526">#9526</a> [<a href="https://github.com/hugovk"><code>@hugovk</code></a>]</li> <li>Move variable declaration inside define <a href="https://redirect.github.com/python-pillow/Pillow/issues/9525">#9525</a> [<a href="https://github.com/radarhere"><code>@radarhere</code></a>]</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/python-pillow/Pillow/commit/3c41c095064200a02672d89cc5ff629eaf4b0d4f"><code>3c41c09</code></a> 12.2.0 version bump</li> <li><a href="https://github.com/python-pillow/Pillow/commit/cdaa29eb520291c4f1fb50fb71ae46502d41e460"><code>cdaa29e</code></a> Check calloc return value (<a href="https://redirect.github.com/python-pillow/Pillow/issues/9527">#9527</a>)</li> <li><a href="https://github.com/python-pillow/Pillow/commit/585b2f5a780722c8a5bfffb3a40f7f42e8a205be"><code>585b2f5</code></a> Check calloc return value</li> <li><a href="https://github.com/python-pillow/Pillow/commit/ecf011ea15991d4cebacd946e58270cc30b0f2c1"><code>ecf011e</code></a> Check all allocs in the Arrow tree (<a href="https://redirect.github.com/python-pillow/Pillow/issues/9488">#9488</a>)</li> <li><a href="https://github.com/python-pillow/Pillow/commit/cf6de8ca9b23e714aa5310e1c791eda66fc0b670"><code>cf6de8c</code></a> Reject non-numeric elements inside list coords (<a href="https://redirect.github.com/python-pillow/Pillow/issues/9526">#9526</a>)</li> <li><a href="https://github.com/python-pillow/Pillow/commit/ffdcede6516b28d9667c92929854023d17048b64"><code>ffdcede</code></a> Update 12.2.0 release notes (<a href="https://redirect.github.com/python-pillow/Pillow/issues/9522">#9522</a>)</li> <li><a href="https://github.com/python-pillow/Pillow/commit/7929d7760fe5a307ba5ae6eabdf70ae4486b147c"><code>7929d77</code></a> Added security release notes (<a href="https://redirect.github.com/python-pillow/Pillow/issues/149">#149</a>)</li> <li><a href="https://github.com/python-pillow/Pillow/commit/c4f7aa5dfb4dbd1242978ac235e01b9934ec6d3c"><code>c4f7aa5</code></a> Added security release notes</li> <li><a href="https://github.com/python-pillow/Pillow/commit/22cdb5f2e4b15250c06563b1124ac1667342712f"><code>22cdb5f</code></a> Move variable declaration inside define (<a href="https://redirect.github.com/python-pillow/Pillow/issues/9525">#9525</a>)</li> <li><a href="https://github.com/python-pillow/Pillow/commit/fc15b3b01899408ec989d7804c5283e13802d057"><code>fc15b3b</code></a> Resize tall images vertically first (<a href="https://redirect.github.com/python-pillow/Pillow/issues/9524">#9524</a>)</li> <li>Additional commits viewable in <a href="https://github.com/python-pillow/Pillow/compare/12.1.1...12.2.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/react-agent/network/alerts). </details>
Bumps the uv group with 2 updates in the / directory: [pytest](https://github.com/pytest-dev/pytest) and [langsmith](https://github.com/langchain-ai/langsmith-sdk). Updates `pytest` from 9.0.2 to 9.0.3 - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](pytest-dev/pytest@9.0.2...9.0.3) Updates `langsmith` from 0.6.4 to 0.7.31 - [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases) - [Commits](langchain-ai/langsmith-sdk@v0.6.4...v0.7.31) --- updated-dependencies: - dependency-name: pytest dependency-version: 9.0.3 dependency-type: direct:development dependency-group: uv - dependency-name: langsmith dependency-version: 0.7.31 dependency-type: indirect dependency-group: uv ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the uv group with 2 updates in the / directory: [pytest](https://github.com/pytest-dev/pytest) and [langsmith](https://github.com/langchain-ai/langsmith-sdk). Updates `pytest` from 9.0.2 to 9.0.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pytest-dev/pytest/releases">pytest's releases</a>.</em></p> <blockquote> <h2>9.0.3</h2> <h1>pytest 9.0.3 (2026-04-07)</h1> <h2>Bug fixes</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/12444">#12444</a>: Fixed <code>pytest.approx</code> which now correctly takes into account <code>~collections.abc.Mapping</code> keys order to compare them.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13634">#13634</a>: Blocking a <code>conftest.py</code> file using the <code>-p no:</code> option is now explicitly disallowed.</p> <p>Previously this resulted in an internal assertion failure during plugin loading.</p> <p>Pytest now raises a clear <code>UsageError</code> explaining that conftest files are not plugins and cannot be disabled via <code>-p</code>.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13734">#13734</a>: Fixed crash when a test raises an exceptiongroup with <code>__tracebackhide__ = True</code>.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14195">#14195</a>: Fixed an issue where non-string messages passed to <!-- raw HTML omitted -->unittest.TestCase.subTest()<!-- raw HTML omitted --> were not printed.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14343">#14343</a>: Fixed use of insecure temporary directory (CVE-2025-71176).</p> </li> </ul> <h2>Improved documentation</h2> <ul> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/13388">#13388</a>: Clarified documentation for <code>-p</code> vs <code>PYTEST_PLUGINS</code> plugin loading and fixed an incorrect <code>-p</code> example.</li> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/13731">#13731</a>: Clarified that capture fixtures (e.g. <code>capsys</code> and <code>capfd</code>) take precedence over the <code>-s</code> / <code>--capture=no</code> command-line options in <code>Accessing captured output from a test function <accessing-captured-output></code>.</li> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/14088">#14088</a>: Clarified that the default <code>pytest_collection</code> hook sets <code>session.items</code> before it calls <code>pytest_collection_finish</code>, not after.</li> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/14255">#14255</a>: TOML integer log levels must be quoted: Updating reference documentation.</li> </ul> <h2>Contributor-facing changes</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/12689">#12689</a>: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible <a href="https://app.codecov.io/gh/pytest-dev/pytest/tests">on the web interface</a>.</p> <p>-- by <code>aleguy02</code></p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pytest-dev/pytest/commit/a7d58d7a21b78581e636bbbdea13c66ad1657c1e"><code>a7d58d7</code></a> Prepare release version 9.0.3</li> <li><a href="https://github.com/pytest-dev/pytest/commit/089d98199c253d8f89a040243bc4f2aa6cd5ab22"><code>089d981</code></a> Merge pull request <a href="https://redirect.github.com/pytest-dev/pytest/issues/14366">#14366</a> from bluetech/revert-14193-backport</li> <li><a href="https://github.com/pytest-dev/pytest/commit/8127eaf4ab7f6b2fdd0dc1b38343ec97aeef05ac"><code>8127eaf</code></a> Revert "Fix: assertrepr_compare respects dict insertion order (<a href="https://redirect.github.com/pytest-dev/pytest/issues/14050">#14050</a>) (<a href="https://redirect.github.com/pytest-dev/pytest/issues/14193">#14193</a>)"</li> <li><a href="https://github.com/pytest-dev/pytest/commit/99a7e6029e7a6e8d53e5df114b1346e035370241"><code>99a7e60</code></a> Merge pull request <a href="https://redirect.github.com/pytest-dev/pytest/issues/14363">#14363</a> from pytest-dev/patchback/backports/9.0.x/95d8423bd...</li> <li><a href="https://github.com/pytest-dev/pytest/commit/ddee02a578da30dd43aedc39c1c1f1aaadfcee95"><code>ddee02a</code></a> Merge pull request <a href="https://redirect.github.com/pytest-dev/pytest/issues/14343">#14343</a> from bluetech/cve-2025-71176-simple</li> <li><a href="https://github.com/pytest-dev/pytest/commit/74eac6916fee34726cb194f16c516e96fbd29619"><code>74eac69</code></a> doc: Update training info (<a href="https://redirect.github.com/pytest-dev/pytest/issues/14298">#14298</a>) (<a href="https://redirect.github.com/pytest-dev/pytest/issues/14301">#14301</a>)</li> <li><a href="https://github.com/pytest-dev/pytest/commit/f92dee777cfdb77d1c43633d02766ddf1f07c869"><code>f92dee7</code></a> Merge pull request <a href="https://redirect.github.com/pytest-dev/pytest/issues/14267">#14267</a> from pytest-dev/patchback/backports/9.0.x/d6fa26c62...</li> <li><a href="https://github.com/pytest-dev/pytest/commit/7ee58acc8777c31ac6cf388d01addf5a414a7439"><code>7ee58ac</code></a> Merge pull request <a href="https://redirect.github.com/pytest-dev/pytest/issues/12378">#12378</a> from Pierre-Sassoulas/fix-implicit-str-concat-and-d...</li> <li><a href="https://github.com/pytest-dev/pytest/commit/37da870d37e3a2f5177cae075c7b9ae279432bf8"><code>37da870</code></a> Merge pull request <a href="https://redirect.github.com/pytest-dev/pytest/issues/14259">#14259</a> from mitre88/patch-4 (<a href="https://redirect.github.com/pytest-dev/pytest/issues/14268">#14268</a>)</li> <li><a href="https://github.com/pytest-dev/pytest/commit/c34bfa3b7acb65b594707c714f1d8461b0304eed"><code>c34bfa3</code></a> Add explanation for string context diffs (<a href="https://redirect.github.com/pytest-dev/pytest/issues/14257">#14257</a>) (<a href="https://redirect.github.com/pytest-dev/pytest/issues/14266">#14266</a>)</li> <li>Additional commits viewable in <a href="https://github.com/pytest-dev/pytest/compare/9.0.2...9.0.3">compare view</a></li> </ul> </details> <br /> Updates `langsmith` from 0.6.4 to 0.7.31 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/langchain-ai/langsmith-sdk/releases">langsmith's releases</a>.</em></p> <blockquote> <h2>v0.7.31</h2> <h2>What's Changed</h2> <ul> <li>chore(deps-dev): bump langchain-core from 1.2.23 to 1.2.28 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2692">langchain-ai/langsmith-sdk#2692</a></li> <li>chore(deps-dev): bump <code>@anthropic-ai/sdk</code> from 0.82.0 to 0.84.0 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2684">langchain-ai/langsmith-sdk#2684</a></li> <li>chore(deps): bump cryptography from 46.0.6 to 46.0.7 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2693">langchain-ai/langsmith-sdk#2693</a></li> <li>chore(deps-dev): bump <code>@anthropic-ai/sdk</code> from 0.84.0 to 0.85.0 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2700">langchain-ai/langsmith-sdk#2700</a></li> <li>feat(py): Tag OpenAI Agent Python SDK runs with ls_agent_type by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2699">langchain-ai/langsmith-sdk#2699</a></li> <li>feat(js): Adds ls_agent_type metadata to AI SDK runs by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2701">langchain-ai/langsmith-sdk#2701</a></li> <li>chore(deps-dev): bump types-tqdm from 4.67.3.20260303 to 4.67.3.20260408 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2710">langchain-ai/langsmith-sdk#2710</a></li> <li>chore(deps): bump pnpm/action-setup from 5 to 6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2705">langchain-ai/langsmith-sdk#2705</a></li> <li>chore(deps): bump the py-minor-and-patch group across 1 directory with 10 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2711">langchain-ai/langsmith-sdk#2711</a></li> <li>chore(deps-dev): bump <code>@anthropic-ai/sdk</code> from 0.85.0 to 0.86.0 in /js by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2702">langchain-ai/langsmith-sdk#2702</a></li> <li>chore(deps): bump actions/github-script from 8 to 9 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2706">langchain-ai/langsmith-sdk#2706</a></li> <li>chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 7 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2712">langchain-ai/langsmith-sdk#2712</a></li> <li>chore(deps-dev): bump types-psutil from 7.2.2.20260130 to 7.2.2.20260408 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2709">langchain-ai/langsmith-sdk#2709</a></li> <li>chore(deps-dev): bump rich from 14.3.3 to 15.0.0 in /python by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2708">langchain-ai/langsmith-sdk#2708</a></li> <li>feat: Filter kwargs from new token events by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2714">langchain-ai/langsmith-sdk#2714</a></li> <li>release(py): 0.7.31 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2716">langchain-ai/langsmith-sdk#2716</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.30...v0.7.31">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.30...v0.7.31</a></p> <h2>v0.7.30</h2> <h2>What's Changed</h2> <ul> <li>feat(python): add service feature to sandbox by <a href="https://github.com/DanielKneipp"><code>@DanielKneipp</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2665">langchain-ai/langsmith-sdk#2665</a></li> <li>fix(js): Fix prototype pollution bug in anonymizers by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2690">langchain-ai/langsmith-sdk#2690</a></li> <li>release(js): 0.5.18 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2691">langchain-ai/langsmith-sdk#2691</a></li> <li>chore(js/sandbox): suppress warning log by <a href="https://github.com/hntrl"><code>@hntrl</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2694">langchain-ai/langsmith-sdk#2694</a></li> <li>feat(js): Add metadata to Claude Agent SDK JS tracing by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2695">langchain-ai/langsmith-sdk#2695</a></li> <li>fix(py): Fix run tree memory leak by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2696">langchain-ai/langsmith-sdk#2696</a></li> <li>release(py): 0.7.30 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2698">langchain-ai/langsmith-sdk#2698</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.29...v0.7.30">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.29...v0.7.30</a></p> <h2>v0.7.29</h2> <h2>What's Changed</h2> <ul> <li>release(js): 0.5.17 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2681">langchain-ai/langsmith-sdk#2681</a></li> <li>feat(py): Fix race condition around Claude Agent SDK instrumentation by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2685">langchain-ai/langsmith-sdk#2685</a></li> <li>release(py): 0.7.29 by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2686">langchain-ai/langsmith-sdk#2686</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.28...v0.7.29">https://github.com/langchain-ai/langsmith-sdk/compare/v0.7.28...v0.7.29</a></p> <h2>v0.7.28</h2> <h2>What's Changed</h2> <ul> <li>feat(py): Support subagent tracing in Claude Agents SDK, fix usage and duplicate messages by <a href="https://github.com/jacoblee93"><code>@jacoblee93</code></a> in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2670">langchain-ai/langsmith-sdk#2670</a></li> <li>chore(deps-dev): bump the py-minor-and-patch group across 1 directory with 11 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2677">langchain-ai/langsmith-sdk#2677</a></li> <li>chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 8 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2667">langchain-ai/langsmith-sdk#2667</a></li> <li>chore(deps): bump pnpm/action-setup from 4 to 5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/langchain-ai/langsmith-sdk/pull/2658">langchain-ai/langsmith-sdk#2658</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/langchain-ai/langsmith-sdk/commit/c434999d05c00334efeba88b8bbd2de9f3afbef6"><code>c434999</code></a> release(py): 0.7.31 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2716">#2716</a>)</li> <li><a href="https://github.com/langchain-ai/langsmith-sdk/commit/47d7c4a783333e716395d802e7632f1f1b4744d3"><code>47d7c4a</code></a> feat: Filter kwargs from new token events (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2714">#2714</a>)</li> <li><a href="https://github.com/langchain-ai/langsmith-sdk/commit/3c57445b543c9a2f86db52024ea2c998bfc2ffab"><code>3c57445</code></a> chore(deps-dev): bump rich from 14.3.3 to 15.0.0 in /python (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2708">#2708</a>)</li> <li><a href="https://github.com/langchain-ai/langsmith-sdk/commit/2be6cd01a2b6e35e811488d3561e7b0b57b06f63"><code>2be6cd0</code></a> chore(deps-dev): bump types-psutil from 7.2.2.20260130 to 7.2.2.20260408 in /...</li> <li><a href="https://github.com/langchain-ai/langsmith-sdk/commit/b8b6ca32d43c919c07a4e13c99a83bcaab8accb0"><code>b8b6ca3</code></a> chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 7 ...</li> <li><a href="https://github.com/langchain-ai/langsmith-sdk/commit/9897cb33da7698291637f268edd833ca3e1adde6"><code>9897cb3</code></a> chore(deps): bump actions/github-script from 8 to 9 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2706">#2706</a>)</li> <li><a href="https://github.com/langchain-ai/langsmith-sdk/commit/572c0184285747e027a796e03ea6c9ba171e09a6"><code>572c018</code></a> chore(deps-dev): bump <code>@anthropic-ai/sdk</code> from 0.85.0 to 0.86.0 in /js (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2702">#2702</a>)</li> <li><a href="https://github.com/langchain-ai/langsmith-sdk/commit/57447524c88b6bba2775161aa449da32fb8e5c42"><code>5744752</code></a> chore(deps): bump the py-minor-and-patch group across 1 directory with 10 upd...</li> <li><a href="https://github.com/langchain-ai/langsmith-sdk/commit/960cae7f490e9ccbe428e6b56c8047bdb7b942a5"><code>960cae7</code></a> chore(deps): bump pnpm/action-setup from 5 to 6 (<a href="https://redirect.github.com/langchain-ai/langsmith-sdk/issues/2705">#2705</a>)</li> <li><a href="https://github.com/langchain-ai/langsmith-sdk/commit/9370e7670abf7f8f9a36fbb72250bcfd2f91e7c6"><code>9370e76</code></a> chore(deps-dev): bump types-tqdm from 4.67.3.20260303 to 4.67.3.20260408 in /...</li> <li>Additional commits viewable in <a href="https://github.com/langchain-ai/langsmith-sdk/compare/v0.6.4...v0.7.31">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/langchain-ai/react-agent/network/alerts). </details>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.