[Snyk] Security upgrade @langchain/community from 0.3.2 to 0.3.58#34
[Snyk] Security upgrade @langchain/community from 0.3.2 to 0.3.58#34christophebe wants to merge 1 commit intomainfrom
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-EXPREVAL-13508636
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
This PR is being reviewed by Cursor Bugbot
Details
You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
| "js-yaml": "^4.1.0", | ||
| "langchain": ">=0.2.3 <0.4.0", | ||
| "langsmith": "~0.1.56", | ||
| "langchain": ">=0.2.3 <0.3.0 || >=0.3.4 <0.4.0", |
There was a problem hiding this comment.
Bug: Incompatible langchain version with upgraded @langchain/community
The upgraded @langchain/community version 0.3.58 requires langchain version >=0.2.3 <0.3.0 || >=0.3.4 <0.4.0, but the project has langchain version 0.3.2 installed. Version 0.3.2 falls in the excluded range between 0.3.0 and 0.3.4, causing npm to install a separate langchain version 0.3.36 specifically for @langchain/community. This results in two different versions of langchain in the dependency tree, which can cause type incompatibilities, behavioral differences, and increased bundle size when application code interacts with @langchain/community.
2 participants
Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
package.jsonpackage-lock.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-EXPREVAL-13508636
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution
Note
Upgrades
@langchain/communityto 0.3.58, bumps package version to 0.1.7, and updates the lockfile with numerous transitive dependency changes.@langchain/communityfrom0.3.2→0.3.58inpackage.json.0.1.7.package-lock.jsonwith many transitive updates/additions (e.g.,@langchain/weaviate,weaviate-client, newerlangsmith,zod), including replacement ofexpr-evalwithmath-expression-evaluator.Written by Cursor Bugbot for commit 75ddc2f. This will update automatically on new commits. Configure here.