Update langchain ecosystem and transitive dependencies #490

Merged
hbrodin merged 4 commits into main from chore/update-dependencies
Mar 27, 2026

@hbrodin hbrodin commented Mar 26, 2026

Summary

  • Update langchain ecosystem to 1.x (langchain-core, langgraph, langchain-community, langchain-openai)
  • Update langfuse to 4.x and adjust imports for compatibility
  • Bump transitive dependencies (orjson, PyJWT, pyasn1, pydantic-settings, openai, openlit)
  • Move langfuse to common[full] optional deps to avoid protobuf conflict with clusterfuzz in fuzzer_runner

Test plan

  • cd common && uv run pytest
  • cd orchestrator && uv run pytest
  • cd patcher && uv run pytest
  • cd seed-gen && uv run pytest
  • cd fuzzer && uv run pytest
  • Deploy to staging and verify LLM calls work end-to-end

🤖 Generated with Claude Code

Upgrade dependencies across all components:

- langchain-core: 0.3.x -> 1.2.21
- langgraph: 0.6.x -> 1.0.10+
- langgraph-checkpoint: 3.x -> 4.0.1
- langchain: 0.3.x -> 1.2.x, langchain-openai: 0.3.x -> 1.1.x,
  langchain-community: 0.3.x -> 0.4.x (ecosystem alignment)
- langfuse: 2.59.x -> 4.0.1 (compat with langchain 1.x)
- openlit: 1.36.x -> 1.38.x (remove langgraph ToolNode workaround)
- pydantic-settings: 2.7.x -> 2.10.x (langchain-community requirement)
- openai: 1.100.x -> 1.109.x (langchain-openai requirement)
- orjson: 3.11.5 -> 3.11.7
- PyJWT: 2.10.1 -> 2.12.1
- pyasn1: 0.6.2 -> 0.6.3

Code changes for langchain 1.x compatibility:
- common/llm.py: update imports for langchain-core and langfuse 4.x
- seed-gen/task.py: update langchain.prompts -> langchain_core.prompts
- Move langfuse to common[full] optional deps to avoid protobuf
  conflict with clusterfuzz in fuzzer_runner

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

hbrodin and others added 2 commits March 26, 2026 11:01

- Sort imports in seed-gen/task.py to satisfy ruff I001
- Add CVE-2026-4539 (pygments ReDoS, no fix available) to pip-audit
  ignore list in CI workflow

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

CVE-2025-67221 (orjson) and CVE-2026-0994 (protobuf) are fixed in the
versions now pinned in our lockfiles (orjson 3.11.7, protobuf 6.33.5).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@hbrodin hbrodin merged commit 385ea5c into main Mar 27, 2026
30 of 31 checks passed
@hbrodin hbrodin deleted the chore/update-dependencies branch March 27, 2026 08:33