chore(deps): upgrade LangChain to v1.x to fix security vulnerabilities #10

Open

vmuno wants to merge 1 commit into main from chore/upgrade-langchain-dependencies
Conversation

@vmuno (Contributor) commented Apr 22, 2026

Description:

Summary

Upgrades LangChain dependencies from 0.3.x to 1.x to fix two security vulnerabilities:

  • GHSA-r399-636x-v7f6 — Serialization injection enabling secret extraction (high)
  • GHSA-fw9q-39r9-c252 — LangSmith prototype pollution (moderate)

Changes

  Package            From      To        Type
  @langchain/core    ^0.3.56   ^1.1.40   peerDependency
  langchain          ^0.3.2    ^1.3.3    devDependency
  @langchain/openai  ^0.3.5    ^1.4.4    devDependency

package-lock.json was regenerated from scratch due to version conflicts between the old lock file and the new dependency ranges.

Breaking changes

None for us. Our usage is limited to StructuredTool, BaseToolkit, ToolParams, and CallbackManagerForToolRun — all stable APIs unaffected by v1 changes.

Testing

  • npm audit — 0 vulnerabilities
  • npm run build — clean
  • npm test — 11/11 passing
  • MCP server tested manually in Claude Code:
    • Listed time offs ✅
    • Fetched employment by ID ✅

@vmuno vmuno requested a review from gabrielseco April 22, 2026 01:00