Update dependencies#516
Merged
…TP CVEs Bump langchain-pinecone 0.2.2 -> ^0.2.13 and pinecone SDK 5.4.2 -> 7.3.0, which drops langchain-pinecone's aiohttp<3.11 cap and lets aiohttp advance 3.10.11 -> 3.14.1 (the security target). Closes 21 aiohttp Dependabot alerts. No source changes required: the pinecone APIs in use (Pinecone(api_key=), .Index(), list_indexes(), ServerlessSpec) are stable across v5->v7 and both create_index() call sites already use keyword args. langchain-core held at 0.3.x (its 1.x migration is a separate PR). Lock also sheds unused test-only transitive deps (pytest-asyncio/-socket/-benchmark, vcrpy, langchain-tests) that were free-riding via the old pinecone pin.
Bump pytest 8.4.2 -> 9.0.3 and urllib3 2.6.3 -> 2.7.0; closes 7 Dependabot alerts (urllib3 #32/#43/#44/#57/#99, pytest #91/#96). Add .github/dependabot.yml (pip + github-actions, weekly, grouped minor/patch) so future updates arrive as PRs rather than silent alerts. Stacked on deps/pinecone-aiohttp. Only pytest and urllib3 changed in the lock; pinecone/aiohttp/langchain held firm. Unit tests 9/9 green on pytest 9.
Bump langchain-core 0.3.85->1.4.1, langchain-openai 0.3.35->1.2.2, langchain-community 0.3.31->0.4.2, langchain-text-splitters 0.3.11->1.1.2, and openai SDK 1.109.1->2.41.0. Closes Dependabot alerts #62/#76 (langchain-core), #94/#97 (langchain-openai) and #93 (langchain-text-splitters) - all fixed only on the 1.x line. Sole code change: embeddings.py used the deprecated langchain_pinecone.Pinecone alias (removed at 1.0) -> PineconeVectorStore. All other langchain/openai APIs in use are stable across the bump (Document, similarity_search_with_score, OpenAIEmbeddings, DataFrameLoader/JSONLoader, RecursiveCharacterTextSplitter, OpenAI().models.list()). Stacked on deps/safe-bumps; pinecone/aiohttp/pytest/urllib3 held firm. Unit 9/9; 8/10 import smokes pass (2 fail on a pre-existing undeclared 'datasets' HuggingFace import, unrelated to this change).
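The three commits above each end with a "held firm" statement about the packages the earlier commits bumped. As an added example, not code from this PR or the repository, here is a small regression gate a reviewer could run in CI so that a later lock refresh cannot quietly drop aiohttp, urllib3, pytest or pinecone back below the versions these commits land. The floor values are taken from the commit messages (aiohttp 3.14.1, urllib3 2.7.0, pytest 9.0.3, pinecone 7.3.0) and are used only as "do not regress below" values, not as authoritative CVE-fixed versions; the lock contents are constructed for illustration, and reading a lock path from argv is an assumption about how it would be wired up.

```python
"""Regression gate for the dependency floors landed by this PR.

Added example; not code from the PR or the repository. Floors are the
versions the commit messages say the lock now carries, used as "do not
regress below" values rather than as advisory-derived fixed versions.
The sample lock texts are constructed, not the project's real lock.
"""
import re
import sys

FLOORS = {
    "aiohttp": "3.14.1",
    "urllib3": "2.7.0",
    "pytest": "9.0.3",
    "pinecone": "7.3.0",
}

# name, optional [extras], '==', version; trailing markers/hashes are ignored
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.]*)"
)


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def release_tuple(version: str) -> tuple:
    """Numeric release segments only. A pre-release suffix such as 'rc1' stops
    the parse, so 3.14.1rc1 compares as 3.14.1 (acceptable for a floor gate)."""
    nums = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def is_below(found: str, floor: str) -> bool:
    """True when `found` is an older release than `floor` (2.7 == 2.7.0)."""
    a, b = release_tuple(found), release_tuple(floor)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def parse_pins(text: str) -> dict:
    """Map normalised package name -> pinned version for every '==' line."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        m = PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def check_floors(lock_text: str, floors: dict = FLOORS) -> list:
    """Return one message per violated floor; an empty list means the lock passes.
    A floored package that is missing from the lock is also reported, because
    an unpinned transitive dependency is how a fixed version silently regresses."""
    pins = parse_pins(lock_text)
    problems = []
    for name, floor in floors.items():
        found = pins.get(normalize(name))
        if found is None:
            problems.append(f"{name}: not pinned in lock (floor {floor})")
        elif is_below(found, floor):
            problems.append(f"{name}: {found} < floor {floor}")
    return problems


# Constructed sample locks (not the project's real lock).
GOOD_LOCK = """\
aiohttp==3.14.1
urllib3==2.7.0 ; python_version >= "3.9"
pytest==9.0.3
pinecone[grpc]==7.3.0
langchain-core==1.4.1
"""

REGRESSED_LOCK = """\
aiohttp==3.10.11   # the pre-PR version, below the floor
urllib3==2.7.0
pytest==9.0.3
# pinecone pin dropped entirely
"""

if __name__ == "__main__":
    # Assumed wiring: pass an exported requirements/lock file, else run the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else REGRESSED_LOCK
    found = check_floors(text)
    for msg in found:
        print("FLOOR VIOLATION:", msg)
    sys.exit(1 if found else 0)
```

The gate reads only `==` pins, so it is meant for an exported requirements file or a `pip freeze` of the resolved environment rather than for a lock format with its own syntax; the point is that the floor table lives in the repo next to the lock, so a later "helpful" downgrade to satisfy some other constraint fails the build instead of reopening the alerts.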
josephjclark approved these changes Jun 10, 2026
josephjclark added a commit that referenced this pull request Jun 10, 2026
Update dependencies (#516)

* chore(deps): upgrade pinecone 7 + aiohttp 3.14 to close transitive HTTP CVEs
* chore(deps): pytest 9 + urllib3 2.7 + dependabot config
* chore(deps): migrate to LangChain 1.x + openai SDK 2.x
* update dependencies and add tests
* trim tests

Co-authored-by: Stuart Corbishley

* move id replacement (#515)
* version: 1.3.0

Co-authored-by: Hanna Paasivirta
Co-authored-by: Stuart Corbishley
Short Description

Dependency updates: combines three update branches (containing pinecone/aiohttp CVE bumps, safe bumps, langchain 1.x); updates anthropic and adds new unit tests around OpenAI and Pinecone usage.

Fixes #509

Implementation Details

Major framework upgrades

The langchain meta-package is removed; the legacy namespace is now provided by langchain-classic 1.0.7 (LangChain 1.0 split). No runtime code imports it.

Provider SDK

Security / transitive bumps

Tooling

.github/dependabot.yml

AI Usage

Please disclose how you've used AI in this work (it's cool, we just want to know!):

You can read more details in our Responsible AI Policy
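As an added illustration, not the file from this PR: a .github/dependabot.yml that encodes the settings named in the Tooling item and in the second commit message (pip and github-actions ecosystems, weekly schedule, minor and patch updates grouped into one PR per ecosystem). The group names, the root directory and the open-pull-requests-limit are assumptions.

```yaml
# .github/dependabot.yml
# Added example matching the settings the PR describes; group names,
# directory and PR limit are assumptions, not values from the repository.
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      python-minor-patch:
        update-types:
          - "minor"
          - "patch"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions-minor-patch:
        update-types:
          - "minor"
          - "patch"
```

Anything that falls outside a group still arrives as its own PR, so a major bump like the LangChain 1.x move keeps its own review, while the weekly minor/patch batch is one PR to test and merge. The groups above apply to version updates only; alert-driven security updates are grouped only if a group sets applies-to: security-updates, so without that key they continue to land individually, which is usually what you want for a CVE-fix bump that needs its own changelog entry.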