Commit aa6c244

fix(deps): bump langchain-core to ^1.2.5 to address CVE-2025-68664
This addresses the critical serialization injection vulnerability (GHSA-c67j-w6g6-q2cm / CVE-2025-68664) in langchain-core that allows attackers to steal secrets via the dumps/loads APIs.

Fixed versions: 0.3.81+ (0.x branch) or 1.2.5+ (1.x branch)

Related oncall issue: airbytehq/oncall#10773

Co-Authored-By: unknown <>
1 parent 49ff36e commit aa6c244

2 files changed

Lines changed: 39 additions & 5 deletions

poetry.lock

Lines changed: 38 additions & 4 deletions

pyproject.toml

Lines changed: 1 addition & 1 deletion
@@ -64,7 +64,7 @@ avro = { version = ">=1.11.2,<1.13.0", optional = true } # TODO: Move into dev
6464
cohere = { version = ">=4.21,<6.0.0", optional = true }
6565
fastavro = { version = ">=1.11.0,<2.0.0", optional = true }
6666
langchain_community = { version = "^0.4", optional = true }
67-
langchain_core = { version = "^1.0.0", optional = true }
67+
langchain_core = { version = "^1.2.5", optional = true }
6868
langchain_text_splitters = { version = "^1.0.0", optional = true }
6969
markdown = { version = "*", optional = true } # TODO: Remove if unused
7070
openai = { version = "0.27.9", extras = ["embeddings"], optional = true } # Used indirectly by langchain library
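
Review bot: The raised floor on the `langchain_core` line is a security minimum, but nothing on the line records that, while neighbouring entries carry inline comments (for example `# Used indirectly by langchain library`). Suggest a trailing comment such as `# >=1.2.5 required for CVE-2025-68664` so the bound is not relaxed in a later dependency cleanup. The caret constraint `^1.2.5` resolves to >=1.2.5,<2.0.0, which matches the fixed 1.x range named in the commit message; since the poetry.lock diff is not rendered on this page, also confirm that the lock file pins langchain-core at 1.2.5 or later.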
