Update langchain ecosystem and transitive dependencies

.github/workflows/tests.yml

@@ -135,14 +135,12 @@ jobs:
         if: always()
         run: |
           # Ignore CVEs with no available fix:
-          # - CVE-2025-67221: orjson DoS via deeply nested JSON (no fix available)
-          # - CVE-2026-0994: protobuf DoS via json_format.ParseDict (no fix available)
+          # - CVE-2026-4539: pygments ReDoS in AdlLexer (no fix available)
           # Use --skip-editable to ignore local packages not on PyPI
           # Use uvx to run pip-audit in an isolated environment
           uvx pip-audit --strict --desc \
             --skip-editable \
-            --ignore-vuln CVE-2025-67221 \
-            --ignore-vuln CVE-2026-0994
+            --ignore-vuln CVE-2026-4539
         working-directory: ${{ matrix.component }}
 
       - name: Generate test summary

common/pyproject.toml

@@ -6,21 +6,20 @@ authors = [{ name = "Trail of Bits", email = "opensource@trailofbits.com" }]
 license = "AGPL-3.0-only"
 requires-python = ">=3.12,<3.13"
 dependencies = [
-    "pydantic-settings ~=2.7.1",
+    "pydantic-settings ~=2.10.1",
     "pymongo ~=4.10.1",
     "redis ~=5.2.1",
-    "langchain-core ~=0.3.81",
-    "langchain-openai ~=0.3.30",
-    "langchain ~=0.3.27",
-    "langfuse ~=2.59.2",
+    "langchain-core ~=1.2.21",
+    "langchain-openai ~=1.1.0",
+    "langchain ~=1.2.0",
     "six ~=1.17.0",
 ]
 
 [project.optional-dependencies]
 full = [
     "protobuf>=5.0",
-    # openlit 1.36.6+ breaks langgraph ToolNode: https://github.com/openlit/openlit/issues/986
-    "openlit >=1.36.0,<1.36.6",
+    "openlit ~=1.38.0",
+    "langfuse ~=4.0.1",
 ]
 
 

common/src/buttercup/common/llm.py

@@ -5,11 +5,11 @@
 from typing import Any
 
 import requests
-from langchain.callbacks.base import BaseCallbackHandler
+from langchain_core.callbacks import BaseCallbackHandler
 from langchain_core.language_models import BaseChatModel
 from langchain_core.runnables import ConfigurableField, Runnable
 from langchain_openai.chat_models import ChatOpenAI
-from langfuse.callback import CallbackHandler
+from langfuse.langchain import CallbackHandler
 from pydantic import SecretStr
 
 logger = logging.getLogger(__name__)
@@ -80,11 +80,7 @@ def get_langfuse_callbacks() -> list[BaseCallbackHandler]:
     """Get Langchain callbacks for monitoring LLM calls with LangFuse, if available."""
     if is_langfuse_available():
         try:
-            langfuse_handler = CallbackHandler(
-                public_key=os.getenv("LANGFUSE_PUBLIC_KEY"),
-                secret_key=os.getenv("LANGFUSE_SECRET_KEY"),
-                host=os.getenv("LANGFUSE_HOST"),
-            )
+            langfuse_handler = CallbackHandler()
             if langfuse_auth_check():
                 logger.info("Tracing with LangFuse enabled")
                 return [langfuse_handler]

fuzzer/pyproject.toml

@@ -8,7 +8,7 @@ requires-python = ">=3.12,<3.13"
 dependencies = [
     "common[full]",
     "redis ~=5.2.1",
-    "pydantic-settings ~=2.7.1",
+    "pydantic-settings ~=2.10.1",
     "beautifulsoup4 ~=4.13.3",
     "lxml ~=5.3.1",
     "cxxfilt>=0.3.0",

orchestrator/pyproject.toml

@@ -11,7 +11,7 @@ dependencies = [
     "common[full]",
     "fastapi ~=0.128.0",
     "pydantic ~=2.11.0",
-    "pydantic-settings ~=2.7.1",
+    "pydantic-settings ~=2.10.1",
     "python-dateutil ~=2.9.0",
     "pyyaml ~=6.0.1",
     "requests ~=2.32.3",

patcher/pyproject.toml

@@ -8,12 +8,12 @@ license = "AGPL-3.0-only"
 requires-python = ">=3.12,<3.13"
 dependencies = [
     "common[full]",
-    "langchain-community ~=0.3.27",
-    "langgraph ~=0.6.6",
-    "langgraph-checkpoint >=3.0.0",
-    "openai ~=1.100.2",
+    "langchain-community ~=0.4.0",
+    "langgraph ~=1.0.10",
+    "langgraph-checkpoint >=4.0.0",
+    "openai >=1.109.1",
     "program-model",
-    "pydantic-settings ~=2.7.1",
+    "pydantic-settings ~=2.10.1",
     "python-dotenv ~=1.0.1",
     "unidiff ~=0.7.5",
 ]

seed-gen/pyproject.toml

@@ -14,7 +14,7 @@ dependencies = [
     "program-model",
     "numpy ~=2.2.3",
     "rapidfuzz ~=3.12.2",
-    "langgraph ~=0.6.6",
+    "langgraph ~=1.0.10",
     "python-dotenv ~=1.0.1",
 ]
 requires-python = ">=3.12,<3.13"

seed-gen/src/buttercup/seed_gen/task.py

@@ -12,9 +12,9 @@
 from buttercup.common.project_yaml import ProjectYaml
 from buttercup.program_model.codequery import CodeQueryPersistent
 from buttercup.program_model.utils.common import Function, TypeDefinition
-from langchain.prompts import ChatPromptTemplate
 from langchain_core.language_models import BaseChatModel
 from langchain_core.messages import BaseMessage, ToolMessage
+from langchain_core.prompts import ChatPromptTemplate
 from langchain_core.tools import BaseTool, tool
 from langchain_core.tools.base import InjectedToolCallId
 from langgraph.graph import add_messages