From 75bb8829112e7c8046074e8646e52a4655a0045e Mon Sep 17 00:00:00 2001
From: Greyson LaLonde
Date: Fri, 15 May 2026 21:32:52 +0800
Subject: [PATCH] fix(deps): bump langsmith to >=0.8.0 for GHSA-3644-q5cj-c5c7

---
 pyproject.toml | 4 ++--
 uv.lock | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 1debca3eb..77bd580de 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -185,7 +185,7 @@ exclude-newer = "3 days"
 # python-multipart <0.0.27 has GHSA-pp6c-gr5w-3c5g (DoS via unbounded multipart headers).
 # gitpython <3.1.50 has GHSA-mv93-w799-cj2w (config_writer newline injection bypassing the 3.1.49 patch -> RCE via core.hooksPath).
 # urllib3 <2.7.0 has GHSA-qccp-gfcp-xxvc (ProxyManager cross-origin redirect leaks Authorization/Cookie) and GHSA-mf9v-mfxr-j63j (streaming decompression-bomb bypass); force 2.7.0+.
-# langsmith <0.7.31 has GHSA-rr7j-v2q5-chgv (streaming token redaction bypass); force 0.7.31+.
+# langsmith <0.8.0 has GHSA-3644-q5cj-c5c7 (public prompt manifest deserialization, SSRF/secret disclosure); force 0.8.0+.
 # authlib <1.6.11 has GHSA-jj8c-mmj3-mmgv (CSRF bypass in cache-based state storage).
 # litellm 1.83.8+ hard-pins openai==2.24.0, missing openai.types.responses used by crewai;
 # override to >=2.30.0 (the version litellm 1.83.7 used) until upstream relaxes the pin.
@@ -203,7 +203,7 @@ override-dependencies = [
 "uv>=0.11.6,<1",
 "python-multipart>=0.0.27,<1",
 "gitpython>=3.1.50,<4",
- "langsmith>=0.7.31,<0.8",
+ "langsmith>=0.8.0,<1",
 "authlib>=1.6.11",
 ]
diff --git a/uv.lock b/uv.lock
index b67aebbc1..c31433e86 100644
--- a/uv.lock
+++ b/uv.lock
@@ -13,7 +13,7 @@ resolution-markers = [
 ]
 [options]
-exclude-newer = "2026-05-08T16:33:02.834109Z"
+exclude-newer = "2026-05-12T13:27:48.906744Z"
 exclude-newer-span = "P3D"
 [manifest]
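Review bot: The rewritten comment line drops the reference to GHSA-rr7j-v2q5-chgv, which was the only record of why the langsmith floor must never go back below 0.7.31; a later relaxation of this override could reintroduce that advisory without anyone noticing. The gitpython line in the same block already keeps its history ("bypassing the 3.1.49 patch"), so keep the superseded advisory here as well, e.g. `# langsmith <0.8.0 has GHSA-3644-q5cj-c5c7 (public prompt manifest deserialization, SSRF/secret disclosure); <0.7.31 also has GHSA-rr7j-v2q5-chgv (streaming token redaction bypass); force 0.8.0+.`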
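Review bot: The new specifier `"langsmith>=0.8.0,<1"` widens the upper bound from `<0.8` to `<1`, so every future 0.x minor of a pre-1.0 package (where minors may be breaking) is admitted on the next re-resolve, whereas the previous entry appears to have capped at the minor on purpose. The uv.lock in this same commit pins 0.8.3, so nothing changes today; but if `<1` is only meant to mirror the neighbouring python-multipart entry rather than to accept future minors, `"langsmith>=0.8.0,<0.9",` keeps the earlier caution. Either way the choice deserves a word in the comment block above, which currently explains floors but not ceilings.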
@@ -31,7 +31,7 @@ overrides = [
 { name = "gitpython", specifier = ">=3.1.50,<4" },
 { name = "langchain-core", specifier = ">=1.3.3,<2" },
 { name = "langchain-text-splitters", specifier = ">=1.1.2,<2" },
- { name = "langsmith", specifier = ">=0.7.31,<0.8" },
+ { name = "langsmith", specifier = ">=0.8.0,<1" },
 { name = "onnxruntime", marker = "python_full_version < '3.11'", specifier = "<1.24" },
 { name = "openai", specifier = ">=2.30.0,<3" },
 { name = "pillow", specifier = ">=12.1.1" },
@@ -3888,7 +3888,7 @@ sdist = { url = "https://files.pythonhosted.org/packages/0e/72/a3add0e4eec4eb9e2
 [[package]]
 name = "langsmith"
-version = "0.7.32"
+version = "0.8.3"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
 { name = "httpx" },
@@ -3901,9 +3901,9 @@ dependencies = [
 { name = "xxhash" },
 { name = "zstandard" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/2f/b4/a0b4a501bee6b8a741ce29f8c48155b132118483cddc6f9247735ddb38fa/langsmith-0.7.32.tar.gz", hash = "sha256:b59b8e106d0e4c4842e158229296086e2aa7c561e3f602acda73d3ad0062e915", size = 1184518, upload-time = "2026-04-15T23:42:41.885Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/de/8a/1e8ea5e8bab2a65fa95bd36229ef38e8723ec46e430e20ca2d953487a7f1/langsmith-0.8.3.tar.gz", hash = "sha256:767ff7a8d136ed42926bf99059ac631dc6883542d6e3104b32e71c7625e1fa05", size = 4460330, upload-time = "2026-05-07T19:56:56.18Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/62/bc/148f98ac7dad73ac5e1b1c985290079cfeeb9ba13d760a24f25002beb2c9/langsmith-0.7.32-py3-none-any.whl", hash = "sha256:e1fde928990c4c52f47dc5132708cec674355d9101723d564183e965f383bf5f", size = 378272, upload-time = "2026-04-15T23:42:39.905Z" },
+ { url = "https://files.pythonhosted.org/packages/98/a9/51e644c1f1dbc3dd7d22dfd6412eab206d538c81e024e4f287373544bdcb/langsmith-0.8.3-py3-none-any.whl", hash = "sha256:b2e40e308222fa0beb2dccee3b4b30bfee9062d7a4f20a3e3e93df3c51a08ab4", size = 399048, upload-time = "2026-05-07T19:56:53.994Z" },
 ]
 [[package]]