Issue: openapi-schema-pydantic vulnerability

[trover97]

Issue you'd like to raise.

Hi!
Can you change the version of pydantic in the dependencies? There is a vulnerability in this version, because it depends on pydantic. I can't install new versions of langchain because they don't pass the security check on my PC.
kuimono/openapi-schema-pydantic#31
https://nvd.nist.gov/vuln/detail/CVE-2021-29510

Suggestion:

Remove openapi-schema-pydantic from dependency?!

[mjspeck]

It looks like openapi-schema-pydantic is not being maintained anymore, making this suggestion all the more important. On top of the security issue, it would also just be nice to be able to start using pydantic 2.0.

There seem to be two other options:

• The easiest thing could be to just change to this library as it's a forked version that is still maintained.
• Another option would be for someone (i.e. langchain) to take over maintenance of the project on PyPI and update it: https://peps.python.org/pep-0541/#how-to-request-a-name-transfer

[dosubot]

Hi, @trover97! I'm Dosu, and I'm helping the LangChain team manage their backlog. I wanted to let you know that we are marking this issue as stale.

From what I understand, you raised a concern about a vulnerability in the pydantic version used in the openapi-schema-pydantic package. mjspeck suggested two options to address this issue: either changing to a forked version that is still maintained or finding someone to take over maintenance of the project and update it. You gave a thumbs up to this suggestion.

Before we close this issue, we wanted to check if it is still relevant to the latest version of the LangChain repository. If it is, please let us know by commenting on the issue. Otherwise, feel free to close the issue yourself, or it will be automatically closed in 7 days.

Thank you for your contribution to the LangChain repository!

[eyurtsev]

openapi-schema-pydantic has been an optional dependency for a while. The CVE also comes from pydantic, so presumably controllable by the user in terms of determining which version of pydantic to use.