build(deps): bump the pip group across 5 directories with 4 updates by dependabot[bot] · Pull Request #2758 · pulumi/examples

dependabot · 2026-05-20T11:24:36Z

Bumps the pip group with 4 updates in the /aws-cs-langserve directory: idna, langchain-core, langsmith and urllib3.
Bumps the pip group with 4 updates in the /aws-go-langserve directory: idna, langchain-core, langsmith and urllib3.
Bumps the pip group with 4 updates in the /aws-py-langserve directory: idna, langchain-core, langsmith and urllib3.
Bumps the pip group with 4 updates in the /aws-ts-langserve directory: idna, langchain-core, langsmith and urllib3.
Bumps the pip group with 4 updates in the /aws-yaml-langserve directory: idna, langchain-core, langsmith and urllib3.

Updates idna from 3.10 to 3.15

Changelog

Sourced from idna's changelog.

3.15 (2026-05-12)

Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.

Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.

Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.

Allow flit_core 4.x in the build backend.

Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.

Add Dependabot configuration for GitHub Actions.

Convert README and HISTORY from reStructuredText to Markdown.

Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

3.14 (2026-05-10)

Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

3.13 (2026-04-22)

Correct classification error for codepoint U+A7F1

3.12 (2026-04-21)

Update to Unicode 17.0.0.

Issue a deprecation warning for the transitional argument.

Added lazy-loading to provide some performance improvements.

Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.

Thanks to Rodrigo Nogueira for contributions to this release.

3.11 (2025-10-12)

Update to Unicode 16.0.0, including significant changes to UTS46 processing. As a result of Unicode ending support for it, transitional processing no longer has an effect and returns the same result.

... (truncated)

Commits

af30a09 Release 3.15
30314d4 Pre-release 3.15rc0
05d4b21 Merge pull request #237 from kjd/convert-docs-to-markdown
2987fdb Convert README and HISTORY from reStructuredText to Markdown
59fa800 Merge pull request #236 from kjd/dependabot/github_actions/actions-f3e34333ea
def6983 Merge branch 'master' into dependabot/github_actions/actions-f3e34333ea
bbd8004 Merge pull request #234 from StanFromIreland/patch-1
edd07c0 Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions group
5557db0 Merge branch 'master' into patch-1
f11746c Merge pull request #235 from StanFromIreland/patch-2
Additional commits viewable in compare view

Updates langchain-core from 1.2.31 to 1.3.3

Release notes

Sourced from langchain-core's releases.

langchain-core==1.3.3

Changes since langchain-core==1.3.2

release(core): 1.3.3 (#37198) fix(core): set deprecation since to 1.3.3 to match release (#37200) fix(core, langchain): harden load() against untrusted manifests (#37197) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (#37109) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (#37129) fix(core): preserve structured inputs on tool runs in tracers (#37108) release(perplexity): 1.2.0 (#37091) chore(docs): update x handle references (#37081) fix(core): make removal optional in warn_deprecated (#37056) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (#36663) chore(core): mark stream_v2/astream_v2 as beta (#36992)

langchain-core==1.3.2

Changes since langchain-core==1.3.1

release(core): 1.3.2 (#36990) feat(core): add content-block-centric streaming (v2) (#36834)

langchain-core==1.3.1

Changes since langchain-core==1.3.0

release(core): 1.3.1 (#36972) feat(core): allow _format_output to pass through list of ToolOutputMixin instances (#36963) chore: bump nbconvert from 7.17.0 to 7.17.1 in /libs/core (#36923) feat(core): Update inheritance behavior for tracer metadata for special keys (#36900) chore: bump langsmith from 0.7.13 to 0.7.31 in /libs/core (#36813)

langchain-core==1.3.0

Changes since langchain-core==1.2.31

release(core): release 1.3.0 (#36851) release(core): 1.3.0a3 (#36829) chore(core): keep checkpoint_ns behavior in streaming metadata for backwards compat (#36828) feat(core): Add chat model and LLM invocation params to traceable metadata (#36771) fix(core): restore cloud metadata IPs and link-local range in SSRF policy (#36816) chore(deps): bump pytest to 9.0.3 (#36801) chore(core): harden private SSRF utilities (#36768) fix(openai): handle content blocks without type key in responses api conversion (#36725) chore: bump pytest from 9.0.2 to 9.0.3 in /libs/core (#36719) release(core): 1.3.0.a2 (#36698) fix(core): Use reference counting for storing inherited run trees to support garbage collection (#36660) docs(core): nit (#36685) release(core): 1.3.0a1 (#36656) chore(core): reduce streaming metadata / perf (#36588)

langchain-core==1.3.0a3

Initial release

... (truncated)

Commits

5039dfe release(core): 1.3.3 (#37198)
55a7707 fix(core): set deprecation since to 1.3.3 to match release (#37200)
c979c61 fix(core, langchain): harden load() against untrusted manifests (#37197)
d703110 docs: update README.md (#37190)
4d50a2a ci(infra): run pre-release checks before TestPyPI publish (#37194)
9bd730e fix(fireworks): require api_key in FireworksEmbeddings (#37193)
f475f41 release(mistralai): 1.1.4 (#37191)
7dbff48 fix(mistralai): strip non-wire keys from ToolMessage (#37188)
913816c release(fireworks): 1.3.1 (#37189)
4498d3d fix(fireworks): strip non-wire keys from ToolMessage text content blocks (#...
Additional commits viewable in compare view

Updates langsmith from 0.7.32 to 0.8.0

Release notes

Sourced from langsmith's releases.

v0.8.0

What's Changed

feat(js,py): JS 0.6.0, Py 0.8.0 by @jacoblee93 in langchain-ai/langsmith-sdk#2831

release(js): 0.6.0 by @jacoblee93 in langchain-ai/langsmith-sdk#2832

release(py): 0.8.0 by @jacoblee93 in langchain-ai/langsmith-sdk#2833

Full Changelog: langchain-ai/langsmith-sdk@v0.7.38...v0.8.0

v0.7.38

What's Changed

feat(js): add tracing of opencode by @dqbd in langchain-ai/langsmith-sdk#2776

chore(js): Remove types/uuid by @jacoblee93 in langchain-ai/langsmith-sdk#2814

docs(sandbox): document default idle TTL of 10 minutes by @DanielKneipp in langchain-ai/langsmith-sdk#2788

ci(py): Bump pytest timeout to 2m by @jacoblee93 in langchain-ai/langsmith-sdk#2815

chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 4 updates by @dependabot[bot] in langchain-ai/langsmith-sdk#2803

chore(deps): update sphinx-autobuild requirement from >=2024 to >=2024.10.3 in /python by @dependabot[bot] in langchain-ai/langsmith-sdk#2809

chore(deps): update myst-nb requirement from >=1.1.1 to >=1.4.0 in /python by @dependabot[bot] in langchain-ai/langsmith-sdk#2810

chore(deps-dev): bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /python by @dependabot[bot] in langchain-ai/langsmith-sdk#2812

chore(deps-dev): bump @langchain/openai from 0.5.18 to 0.6.17 in /js by @dependabot[bot] in langchain-ai/langsmith-sdk#2806

chore(deps): bump the py-minor-and-patch group across 1 directory with 18 updates by @dependabot[bot] in langchain-ai/langsmith-sdk#2808

feat(py): Adds strands OTEL exporter by @jacoblee93 in langchain-ai/langsmith-sdk#2817

chore(js): Switch to oxfmt and oxlint by @jacoblee93 in langchain-ai/langsmith-sdk#2819

fix(py): fix RunTree ValidationError when inputs or outputs is a Pydantic BaseModel by @QuentinBrosse in langchain-ai/langsmith-sdk#2820

chore: add apac support by @joaquin-borggio-lc in langchain-ai/langsmith-sdk#2821

fix(js): Pull Claude Agent SDK subagent runs from transcript, add tool span for subagents, merge message blocks by id by @jacoblee93 in langchain-ai/langsmith-sdk#2816

release(js): 0.5.26 by @jacoblee93 in langchain-ai/langsmith-sdk#2824

release(py): 0.7.38 by @jacoblee93 in langchain-ai/langsmith-sdk#2825

Full Changelog: langchain-ai/langsmith-sdk@v0.7.37...v0.7.38

v0.7.37

What's Changed

perf(js): Offload serialize to worker thread at flush time by @jacoblee93 in langchain-ai/langsmith-sdk#2781

release(js): 0.5.24 by @emil-lc in langchain-ai/langsmith-sdk#2790

chore(js): Fix perf test flagging by @jacoblee93 in langchain-ai/langsmith-sdk#2792

feat(js,python): Adds hub model config and provider to schemas by @jacoblee93 in langchain-ai/langsmith-sdk#2793

fix(js): minor test improvements by @christian-bromann in langchain-ai/langsmith-sdk#2429

fix(js): Include auth headers on info requests by @jacoblee93 in langchain-ai/langsmith-sdk#2800

release(js): 0.5.25 by @jacoblee93 in langchain-ai/langsmith-sdk#2801

fix(python): flush both tracing_queue and compressed_traces in flush() by @angus-langchain in langchain-ai/langsmith-sdk#2796

chore(deps): bump postcss from 8.5.8 to 8.5.10 in /js/internal/environment_tests/test-exports-vite in the npm_and_yarn group across 1 directory by @dependabot[bot] in langchain-ai/langsmith-sdk#2791

chore(deps-dev): bump google-adk from 1.10.0 to 1.28.1 in /python by @dependabot[bot] in langchain-ai/langsmith-sdk#2794

fix(python): flush pending traces during Client.cleanup() by @angus-langchain in langchain-ai/langsmith-sdk#2799

fix(py): Fix concurrency for multiple Claude Agent SDK sessions by @jacoblee93 in langchain-ai/langsmith-sdk#2795

release(py): 0.7.37 by @jacoblee93 in langchain-ai/langsmith-sdk#2802

Full Changelog: langchain-ai/langsmith-sdk@v0.7.36...v0.7.37

... (truncated)

Commits

cf01c87 release(py): 0.8.0 (#2833)
fd049c8 release(js): 0.6.0 (#2832)
092a886 feat(js,py): JS 0.6.0, Py 0.8.0 (#2831)
ff180c0 release(py): 0.7.38 (#2825)
d9de3ca release(js): 0.5.26 (#2824)
1428394 fix(js): Pull Claude Agent SDK subagent runs from transcript, add tool span f...
838e957 chore: add apac support (#2821)
003f22a fix(py): fix RunTree ValidationError when inputs or outputs is a Pydantic Bas...
8f5ef27 chore(js): Switch to oxfmt and oxlint (#2819)
9873633 feat(py): Adds strands OTEL exporter (#2817)
Additional commits viewable in compare view

Updates urllib3 from 2.6.3 to 2.7.0

Release notes

Sourced from urllib3's releases.

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

Decompression-bomb safeguards of the streaming API were bypassed:

When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially. (Reported by @Cycloctane)

During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli library. (Reported by @kimkou2024)

See GHSA-mf9v-mfxr-j63j for details.

HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by @christos-spearbit)

Deprecations and Removals

Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (urllib3/urllib3#3763)

Removed support for end-of-life Python 3.9. (urllib3/urllib3#3720)

Removed support for end-of-life PyPy3.10. (urllib3/urllib3#4979)

Bumped the minimum supported pyOpenSSL version to 19.0.0. (urllib3/urllib3#3777)

Bugfixes

Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. (urllib3/urllib3#3636)

Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True. (urllib3/urllib3#4967)

Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle amt=0. (urllib3/urllib3#3793)

Updated _TYPE_BODY type alias to include missing Iterable[str], matching the documented and runtime behavior of chunked request bodies. (urllib3/urllib3#3798)

Fixed LocationParseError when paths resembling schemeless URIs were passed to HTTPConnectionPool.urlopen(). (urllib3/urllib3#3352)

Fixed BaseHTTPResponse.readinto() type annotation to accept memoryview in addition to bytearray, matching the io.RawIOBase.readinto contract and enabling use with io.BufferedReader without type errors. (urllib3/urllib3#3764)

Changelog

Sourced from urllib3's changelog.

2.7.0 (2026-05-07)

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

Decompression-bomb safeguards of the streaming API were bypassed:

When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially.

During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli <https://pypi.org/project/brotli/>__ library.

See GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>__ for details.

HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>__)

Deprecations and Removals

Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. ([#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763>__)

Removed support for end-of-life Python 3.9. ([#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720>__)

Removed support for end-of-life PyPy3.10. ([#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979>__)

Bumped the minimum supported pyOpenSSL version to 19.0.0. ([#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777>__)

Bugfixes

Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. ([#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636>__)

Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True.

... (truncated)

Commits

9a950b9 Release 2.7.0
5ec0de4 Merge commit from fork
2bdcc44 Merge commit from fork
f45b0df Fix a misleading example for ProxyManager (#4970)
577193c Switch to nightly PyPy3.11 in CI for now (#4984)
e90af45 Avoid infinite loop in HTTPResponse.read_chunked when amt=0 (#4974)
67ed74f Bump dev dependencies (#4972)
3abd481 Upgrade mypy to version 1.20.2 (#4978)
2b8725d Drop support for EOL PyPy3.10 (#4979)
2944b2a Upgrade setup-chrome and setup-firefox to fix warnings (#4973)
Additional commits viewable in compare view

Updates idna from 3.10 to 3.15

Changelog

Sourced from idna's changelog.

3.15 (2026-05-12)

Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.

Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.

Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.

Allow flit_core 4.x in the build backend.

Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.

Add Dependabot configuration for GitHub Actions.

Convert README and HISTORY from reStructuredText to Markdown.

Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

3.14 (2026-05-10)

Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

3.13 (2026-04-22)

Correct classification error for codepoint U+A7F1

3.12 (2026-04-21)

Update to Unicode 17.0.0.

Issue a deprecation warning for the transitional argument.

Added lazy-loading to provide some performance improvements.

Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.

Thanks to Rodrigo Nogueira for contributions to this release.

3.11 (2025-10-12)

Update to Unicode 16.0.0, including significant changes to UTS46 processing. As a result of Unicode ending support for it, transitional processing no longer has an effect and returns the same result.

... (truncated)

Commits

af30a09 Release 3.15
30314d4 Pre-release 3.15rc0
05d4b21 Merge pull request #237 from kjd/convert-docs-to-markdown
2987fdb Convert README and HISTORY from reStructuredText to Markdown
59fa800 Merge pull request #236 from kjd/dependabot/github_actions/actions-f3e34333ea
def6983 Merge branch 'master' into dependabot/github_actions/actions-f3e34333ea
bbd8004 Merge pull request #234 from StanFromIreland/patch-1
edd07c0 Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions group
5557db0 Merge branch 'master' into patch-1
f11746c Merge pull request #235 from StanFromIreland/patch-2
Additional commits viewable in compare view

Updates langchain-core from 1.2.31 to 1.3.3

Release notes

Sourced from langchain-core's releases.

langchain-core==1.3.3

Changes since langchain-core==1.3.2

release(core): 1.3.3 (#37198) fix(core): set deprecation since to 1.3.3 to match release (#37200) fix(core, langchain): harden load() against untrusted manifests (#37197) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (#37109) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (#37129) fix(core): preserve structured inputs on tool runs in tracers (#37108) release(perplexity): 1.2.0 (#37091) chore(docs): update x handle references (#37081) fix(core): make removal optional in warn_deprecated (#37056) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (#36663) chore(core): mark stream_v2/astream_v2 as beta (#36992)

langchain-core==1.3.2

Changes since langchain-core==1.3.1

release(core): 1.3.2 (#36990) feat(core): add content-block-centric streaming (v2) (#36834)

langchain-core==1.3.1

Changes since langchain-core==1.3.0

release(core): 1.3.1 (#36972) feat(core): allow _format_output to pass through list of ToolOutputMixin instances (#36963) chore: bump nbconvert from 7.17.0 to 7.17.1 in /libs/core (#36923) feat(core): Update inheritance behavior for tracer metadata for special keys (#36900) chore: bump langsmith from 0.7.13 to 0.7.31 in /libs/core (#36813)

langchain-core==1.3.0

Changes since langchain-core==1.2.31

release(core): release 1.3.0 (#36851) release(core): 1.3.0a3 (#36829) chore(core): keep checkpoint_ns behavior in streaming metadata for backwards compat (#36828) feat(core): Add chat model and LLM invocation params to traceable metadata (#36771) fix(core): restore cloud metadata IPs and link-local range in SSRF policy (#36816) chore(deps): bump pytest to 9.0.3 (#36801) chore(core): harden private SSRF utilities (#36768) fix(openai): handle content blocks without type key in responses api conversion (#36725) chore: bump pytest from 9.0.2 to 9.0.3 in /libs/core (#36719) release(core): 1.3.0.a2 (#36698) fix(core): Use reference counting for storing inherited run trees to support garbage collection (#36660) docs(core): nit (#36685) release(core): 1.3.0a1 (#36656) chore(core): reduce streaming metadata / perf (#36588)

langchain-core==1.3.0a3

Initial release

... (truncated)

Commits

5039dfe release(core): 1.3.3 (#37198)
55a7707 fix(core): set deprecation since to 1.3.3 to match release (#37200)
c979c61 fix(core, langchain): harden load() against untrusted manifests (#37197)
d703110 docs: update README.md (#37190)
4d50a2a ci(infra): run pre-release checks before TestPyPI publish (#37194)
9bd730e fix(fireworks): require api_key in FireworksEmbeddings (#37193)
f475f41 release(mistralai): 1.1.4 (#37191)
7dbff48 fix(mistralai): strip non-wire keys from ToolMessage (#37188)
913816c release(fireworks): 1.3.1 (#37189)
4498d3d fix(fireworks): strip non-wire keys from ToolMessage text content blocks (#...
Additional commits viewable in compare view

Updates langsmith from 0.7.32 to 0.8.0

Release notes

Sourced from langsmith's releases.

v0.8.0

What's Changed

feat(js,py): JS 0.6.0, Py 0.8.0 by @jacoblee93 in langchain-ai/langsmith-sdk#2831

release(js): 0.6.0 by @jacoblee93 in langchain-ai/langsmith-sdk#2832

release(py): 0.8.0 by @jacoblee93 in langchain-ai/langsmith-sdk#2833

Full Changelog: langchain-ai/langsmith-sdk@v0.7.38...v0.8.0

v0.7.38

What's Changed

feat(js): add tracing of opencode by @dqbd in langchain-ai/langsmith-sdk#2776

chore(js): Remove types/uuid by @jacoblee93 in langchain-ai/langsmith-sdk#2814

docs(sandbox): document default idle TTL of 10 minutes by @DanielKneipp in langchain-ai/langsmith-sdk#2788

ci(py): Bump pytest timeout to 2m by @jacoblee93 in langchain-ai/langsmith-sdk#2815

chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 4 updates by @dependabot[bot] in langchain-ai/langsmith-sdk#2803

chore(deps): update sphinx-autobuild requirement from >=2024 to >=2024.10.3 in /python by @dependabot[bot] in langchain-ai/langsmith-sdk#2809

chore(deps): update myst-nb requirement from >=1.1.1 to >=1.4.0 in /python by @dependabot[bot] in langchain-ai/langsmith-sdk#2810

chore(deps-dev): bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /python by @dependabot[bot] in langchain-ai/langsmith-sdk#2812

chore(deps-dev): bump @langchain/openai from 0.5.18 to 0.6.17 in /js by @dependabot[bot] in langchain-ai/langsmith-sdk#2806

chore(deps): bump the py-minor-and-patch group across 1 directory with 18 updates by @dependabot[bot] in langchain-ai/langsmith-sdk#2808

feat(py): Adds strands OTEL exporter by @jacoblee93 in langchain-ai/langsmith-sdk#2817

chore(js): Switch to oxfmt and oxlint by @jacoblee93 in langchain-ai/langsmith-sdk#2819

fix(py): fix RunTree ValidationError when inputs or outputs is a Pydantic BaseModel by @QuentinBrosse in langchain-ai/langsmith-sdk#2820

chore: add apac support by @joaquin-borggio-lc in langchain-ai/langsmith-sdk#2821

fix(js): Pull Claude Agent SDK subagent runs from transcript, add tool span for subagents, merge message blocks by id by @jacoblee93 in langchain-ai/langsmith-sdk#2816

release(js): 0.5.26 by @jacoblee93 in langchain-ai/langsmith-sdk#2824

release(py): 0.7.38 by @jacoblee93 in langchain-ai/langsmith-sdk#2825

Full Changelog: langchain-ai/langsmith-sdk@v0.7.37...v0.7.38

v0.7.37

What's Changed

perf(js): Offload serialize to worker thread at flush time by @jacoblee93 in langchain-ai/langsmith-sdk#2781

release(js): 0.5.24 by @emil-lc in langchain-ai/langsmith-sdk#2790

chore(js): Fix perf test flagging by @jacoblee93 in langchain-ai/langsmith-sdk#2792

feat(js,python): Adds hub model config and provider to schemas by @jacoblee93 in langchain-ai/langsmith-sdk#2793

fix(js): minor test improvements by @christian-bromann in langchain-ai/langsmith-sdk#2429

fix(js): Include auth headers on info requests by @jacoblee93 in langchain-ai/langsmith-sdk#2800

release(js): 0.5.25 by @jacoblee93 in langchain-ai/langsmith-sdk#2801

fix(python): flush both tracing_queue and compressed_traces in flush() by @angus-langchain in langchain-ai/langsmith-sdk#2796

chore(deps): bump postcss from 8.5.8 to 8.5.10 in /js/internal/environment_tests/test-exports-vite in the npm_and_yarn group across 1 directory by @dependabot[bot] in langchain-ai/langsmith-sdk#2791

chore(deps-dev): bump google-adk from 1.10.0 to 1.28.1 in /python by @dependabot[bot] in langchain-ai/langsmith-sdk#2794

fix(python): flush pending traces during Client.cleanup() by @angus-langchain in langchain-ai/langsmith-sdk#2799

fix(py): Fix concurrency for multiple Claude Agent SDK sessions by @jacoblee93 in langchain-ai/langsmith-sdk#2795

release(py): 0.7.37 by @jacoblee93 in langchain-ai/langsmith-sdk#2802

Full Changelog: langchain-ai/langsmith-sdk@v0.7.36...v0.7.37

... (truncated)

Commits

cf01c87 release(py): 0.8.0 (#2833)
fd049c8 release(js): 0.6.0 (#2832)
092a886 feat(js,py): JS 0.6.0, Py 0.8.0 (#2831)
ff180c0 release(py): 0.7.38 (#2825)
d9de3ca release(js): 0.5.26 (#2824)
1428394 fix(js): Pull Claude Agent SDK subagent runs from transcript, add tool span f...
838e957 chore: add apac support (#2821)
003f22a fix(py): fix RunTree ValidationError when inputs or outputs is a Pydantic Bas...
8f5ef27 chore(js): Switch to oxfmt and oxlint (#2819)
9873633 feat(py): Adds strands OTEL exporter (#2817)
Additional commits viewable in compare view

Updates urllib3 from 2.6.3 to 2.7.0

Release notes

Sourced from urllib3's releases.

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

Decompression-bomb safeguards of the streaming API were bypassed:

When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially. (Reported by @Cycloctane)

During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli library. (Reported by @kimkou2024)

See GHSA-mf9v-mfxr-j63j for details.

HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by @christos-spearbit)

Deprecations and Removals

Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (urllib3/urllib3#3763)

Removed support for end-of-life Python 3.9. (urllib3/urllib3#3720)

Removed support for end-of-life PyPy3.10. (urllib3/urllib3#4979)

Bumped the minimum supported pyOpenSSL version to 19.0.0. (urllib3/urllib3#3777)

Bugfixes

Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. (urllib3/urllib3#3636)

Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True. (urllib3/urllib3#4967)

Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle amt=0. (urllib3/urllib3#3793)

Updated _TYPE_BODY type alias to include missing Iterable[str], matching the documented and runtime behavior of chunked request bodies. (urllib3/urllib3#3798)

Fixed LocationParseError when paths resembling schemeless URIs were passed to HTTPConnectionPool.urlopen(). (urllib3/urllib3#3352)

Fixed BaseHTTPResponse.readinto() type annotation to accept memoryview in addition to bytearray, matching the io.RawIOBase.readinto contract and enabling use with io.BufferedReader without type errors. (urllib3/urllib3#3764)

Changelog

Sourced from urllib3's changelog.

2.7.0 (2026-05-07)

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

Decompression-bomb safeguards of the streaming API were bypassed:

When HTTPRespon... Description has been truncated

Bumps the pip group with 4 updates in the /aws-cs-langserve directory: [idna](https://github.com/kjd/idna), [langchain-core](https://github.com/langchain-ai/langchain), [langsmith](https://github.com/langchain-ai/langsmith-sdk) and [urllib3](https://github.com/urllib3/urllib3). Bumps the pip group with 4 updates in the /aws-go-langserve directory: [idna](https://github.com/kjd/idna), [langchain-core](https://github.com/langchain-ai/langchain), [langsmith](https://github.com/langchain-ai/langsmith-sdk) and [urllib3](https://github.com/urllib3/urllib3). Bumps the pip group with 4 updates in the /aws-py-langserve directory: [idna](https://github.com/kjd/idna), [langchain-core](https://github.com/langchain-ai/langchain), [langsmith](https://github.com/langchain-ai/langsmith-sdk) and [urllib3](https://github.com/urllib3/urllib3). Bumps the pip group with 4 updates in the /aws-ts-langserve directory: [idna](https://github.com/kjd/idna), [langchain-core](https://github.com/langchain-ai/langchain), [langsmith](https://github.com/langchain-ai/langsmith-sdk) and [urllib3](https://github.com/urllib3/urllib3). Bumps the pip group with 4 updates in the /aws-yaml-langserve directory: [idna](https://github.com/kjd/idna), [langchain-core](https://github.com/langchain-ai/langchain), [langsmith](https://github.com/langchain-ai/langsmith-sdk) and [urllib3](https://github.com/urllib3/urllib3). Updates `idna` from 3.10 to 3.15 - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md) - [Commits](kjd/idna@v3.10...v3.15) Updates `langchain-core` from 1.2.31 to 1.3.3 - [Release notes](https://github.com/langchain-ai/langchain/releases) - [Commits](langchain-ai/langchain@langchain-core==1.2.31...langchain-core==1.3.3) Updates `langsmith` from 0.7.32 to 0.8.0 - [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases) - [Commits](langchain-ai/langsmith-sdk@v0.7.32...v0.8.0) Updates `urllib3` from 2.6.3 to 2.7.0 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.3...2.7.0) Updates `idna` from 3.10 to 3.15 - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md) - [Commits](kjd/idna@v3.10...v3.15) Updates `langchain-core` from 1.2.31 to 1.3.3 - [Release notes](https://github.com/langchain-ai/langchain/releases) - [Commits](langchain-ai/langchain@langchain-core==1.2.31...langchain-core==1.3.3) Updates `langsmith` from 0.7.32 to 0.8.0 - [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases) - [Commits](langchain-ai/langsmith-sdk@v0.7.32...v0.8.0) Updates `urllib3` from 2.6.3 to 2.7.0 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.3...2.7.0) Updates `idna` from 3.10 to 3.15 - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md) - [Commits](kjd/idna@v3.10...v3.15) Updates `langchain-core` from 1.2.31 to 1.3.3 - [Release notes](https://github.com/langchain-ai/langchain/releases) - [Commits](langchain-ai/langchain@langchain-core==1.2.31...langchain-core==1.3.3) Updates `langsmith` from 0.7.32 to 0.8.0 - [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases) - [Commits](langchain-ai/langsmith-sdk@v0.7.32...v0.8.0) Updates `urllib3` from 2.6.3 to 2.7.0 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.3...2.7.0) Updates `idna` from 3.10 to 3.15 - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md) - [Commits](kjd/idna@v3.10...v3.15) Updates `langchain-core` from 1.2.31 to 1.3.3 - [Release notes](https://github.com/langchain-ai/langchain/releases) - [Commits](langchain-ai/langchain@langchain-core==1.2.31...langchain-core==1.3.3) Updates `langsmith` from 0.7.32 to 0.8.0 - [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases) - [Commits](langchain-ai/langsmith-sdk@v0.7.32...v0.8.0) Updates `urllib3` from 2.6.3 to 2.7.0 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.3...2.7.0) Updates `idna` from 3.10 to 3.15 - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md) - [Commits](kjd/idna@v3.10...v3.15) Updates `langchain-core` from 1.2.31 to 1.3.3 - [Release notes](https://github.com/langchain-ai/langchain/releases) - [Commits](langchain-ai/langchain@langchain-core==1.2.31...langchain-core==1.3.3) Updates `langsmith` from 0.7.32 to 0.8.0 - [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases) - [Commits](langchain-ai/langsmith-sdk@v0.7.32...v0.8.0) Updates `urllib3` from 2.6.3 to 2.7.0 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.3...2.7.0) --- updated-dependencies: - dependency-name: idna dependency-version: '3.15' dependency-type: indirect dependency-group: pip - dependency-name: langchain-core dependency-version: 1.3.3 dependency-type: indirect dependency-group: pip - dependency-name: langsmith dependency-version: 0.8.0 dependency-type: indirect dependency-group: pip - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: indirect dependency-group: pip - dependency-name: idna dependency-version: '3.15' dependency-type: indirect dependency-group: pip - dependency-name: langchain-core dependency-version: 1.3.3 dependency-type: indirect dependency-group: pip - dependency-name: langsmith dependency-version: 0.8.0 dependency-type: indirect dependency-group: pip - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: indirect dependency-group: pip - dependency-name: idna dependency-version: '3.15' dependency-type: indirect dependency-group: pip - dependency-name: langchain-core dependency-version: 1.3.3 dependency-type: indirect dependency-group: pip - dependency-name: langsmith dependency-version: 0.8.0 dependency-type: indirect dependency-group: pip - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: indirect dependency-group: pip - dependency-name: idna dependency-version: '3.15' dependency-type: indirect dependency-group: pip - dependency-name: langchain-core dependency-version: 1.3.3 dependency-type: indirect dependency-group: pip - dependency-name: langsmith dependency-version: 0.8.0 dependency-type: indirect dependency-group: pip - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: indirect dependency-group: pip - dependency-name: idna dependency-version: '3.15' dependency-type: indirect dependency-group: pip - dependency-name: langchain-core dependency-version: 1.3.3 dependency-type: indirect dependency-group: pip - dependency-name: langsmith dependency-version: 0.8.0 dependency-type: indirect dependency-group: pip - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: indirect dependency-group: pip ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels May 20, 2026

pulumi-bot mentioned this pull request May 20, 2026

Workflow failure: [PR #2758] - Test examples #2759

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the pip group across 5 directories with 4 updates#2758

build(deps): bump the pip group across 5 directories with 4 updates#2758
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/aws-cs-langserve/pip-16a080b11d

dependabot Bot commented on behalf of github May 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 20, 2026

3.15 (2026-05-12)

3.14 (2026-05-10)

3.13 (2026-04-22)

3.12 (2026-04-21)

3.11 (2025-10-12)

langchain-core==1.3.3

langchain-core==1.3.2

langchain-core==1.3.1

langchain-core==1.3.0

langchain-core==1.3.0a3

v0.8.0

What's Changed

v0.7.38

What's Changed

v0.7.37

What's Changed

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

Security

Deprecations and Removals

Bugfixes

2.7.0 (2026-05-07)

Security

Deprecations and Removals

Bugfixes

3.15 (2026-05-12)

3.14 (2026-05-10)

3.13 (2026-04-22)

3.12 (2026-04-21)

3.11 (2025-10-12)

langchain-core==1.3.3

langchain-core==1.3.2

langchain-core==1.3.1

langchain-core==1.3.0

langchain-core==1.3.0a3

v0.8.0

What's Changed

v0.7.38

What's Changed

v0.7.37

What's Changed

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

Security

Deprecations and Removals

Bugfixes

2.7.0 (2026-05-07)

Security

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants