Skip to content

fix(deps): vuln langchain (major → 1.3.9) [POCs/OP-gcp-microservices-demo-sandbox/src/shoppingassistantservice]#48

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/major/pip/shoppingassistantservice/2-1783383471
Open

fix(deps): vuln langchain (major → 1.3.9) [POCs/OP-gcp-microservices-demo-sandbox/src/shoppingassistantservice]#48
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/major/pip/shoppingassistantservice/2-1783383471

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor

Summary: Critical-severity security update — 1 package upgraded (MAJOR changes included)

Manifests changed:

  • POCs/OP-gcp-microservices-demo-sandbox/src/shoppingassistantservice (pip)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
langchain 0.1.17 1.3.9 major Direct 2 CRITICAL, 1 HIGH, 4 MEDIUM, 1 LOW

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (3 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
langchain PYSEC-2024-115 critical - 0.1.17 c2a3021bb0c5f54649d380b42a0684ca5778c255 -
langchain CVE-2024-8309 critical - 0.1.17 - -
langchain GHSA-3644-q5cj-c5c7 HIGH LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning 0.1.17 0.3.30 -
ℹ️ Other Vulnerabilities (5)
Package CVE Severity Summary Unsafe Version Fixed In Case
langchain GHSA-gr75-jv2w-4656 MODERATE LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders 0.1.17 1.3.9 -
langchain GHSA-3hjh-jh2h-vrg6 MODERATE Denial of service in langchain-community 0.1.17 0.2.5 -
langchain CVE-2024-2965 MODERATE - 0.1.17 - -
langchain PYSEC-2024-118 MODERATE - 0.1.17 73c42306745b0831aa6fe7fe4eeb70d2c2d87a82 -
langchain GHSA-45pg-36p6-83v9 LOW Langchain SQL Injection vulnerability 0.1.17 0.2.0 -

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@gh-worker-campaigns-3e9aa4

gh-worker-campaigns-3e9aa4 Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed

Lockfile regeneration failed during rebase onto main. Your branch was not updated. You may need to rebase and regenerate lockfiles manually.

Error details

child workflow execution error (type: engraver.Engraver_AllManagersWorkflow, workflowID: 019f5dbf-2df4-73da-a333-818f48983af0_57, runID: 019f5dbf-4e20-7138-b70b-9980b79cb8c8, initiatedEventID: 57, startedEventID: 58): custom action(s) failed and produced no changes: [registry.ddbuild.io/images/engraver-custom-action:update-uv-lockfile]


Auto-Rebase · Add no-auto-rebase to opt out

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants