
fix(deps): bump langchain-core to ^1.2.5 to address CVE-2025-68664 (AI-Triage PR)#874

Merged
Anatolii Yatsuk (tolik0) merged 2 commits into main from devin/1767710896-fix-langchain-core-cve-2025-68664 on Jan 12, 2026

Conversation

@devin-ai-integration
Contributor

@devin-ai-integration devin-ai-integration bot commented Jan 6, 2026

Summary

Bumps langchain-core from ^1.0.0 to ^1.2.5 to address a critical security vulnerability (CVE-2025-68664 / GHSA-c67j-w6g6-q2cm, CVSS 9.3).

The vulnerability is a serialization injection flaw in langchain-core's dumps/loads APIs that allows attackers to extract secrets and environment variables. This affects all connectors using the vector-db-based extras (destination-milvus, destination-weaviate, destination-pinecone, destination-pgvector, destination-snowflake-cortex).

Changes:

  • Updated langchain_core version constraint from ^1.0.0 to ^1.2.5 in pyproject.toml
  • Regenerated poetry.lock (resolves to langchain-core 1.2.6)
  • New transitive dependency uuid-utils 0.13.0 added by langchain-core 1.2.6

Review & Testing Checklist for Human

  • Verify API compatibility: Check that langchain-core 1.2.x doesn't have breaking changes affecting airbyte_cdk/destinations/vector_db_based/embedder.py or document_processor.py
  • Test vector DB destinations: Run integration tests for at least one vector DB destination (e.g., destination-pgvector) to confirm embeddings still work correctly
  • Verify uuid-utils compatibility: Ensure the new transitive dependency doesn't conflict with existing dependencies

Recommended Test Plan

  1. Install updated CDK with poetry install --all-extras
  2. Run the CDK test suite: poe pytest-fast
  3. Test a vector DB destination connector locally with the updated CDK branch

Notes

Updates since last revision

  • Resolved merge conflicts with main branch and regenerated poetry.lock

This addresses the critical serialization injection vulnerability
(GHSA-c67j-w6g6-q2cm / CVE-2025-68664) in langchain-core that allows
attackers to steal secrets via the dumps/loads APIs.

Fixed versions: 0.3.81+ (0.x branch) or 1.2.5+ (1.x branch)

Related oncall issue: airbytehq/oncall#10773

Co-Authored-By: unknown <>
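The description above gives the two fixed lines (0.3.81+ on 0.x, 1.2.5+ on 1.x) and notes that the regenerated lock resolves to 1.2.6. As an added example that is not part of this PR or the Airbyte CDK, the following Python check tests both a pyproject caret constraint and a poetry.lock resolution against those thresholds; the lock excerpt is constructed and the helper names (`is_patched`, `caret_floor`, `constraint_is_patched`, `locked_version`) are hypothetical.

```python
"""Added check: does a Poetry project sit past the CVE-2025-68664 fix?
Fixed versions from the advisory: 0.3.81+ (0.x line) and 1.2.5+ (1.x line).
Assumes plain dotted-integer versions (no pre-release suffixes)."""
import re

FIXED = {0: (0, 3, 81), 1: (1, 2, 5)}  # major line -> first fixed release


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(version: str) -> bool:
    """True when `version` is at or above the fix on its major line."""
    v = parse_version(version)
    if v[0] not in FIXED:
        raise ValueError(f"no fix data for the {v[0]}.x line")
    return v >= FIXED[v[0]]


def caret_floor(constraint: str) -> str:
    """Lower bound of a Poetry caret constraint, e.g. '^1.2.5' -> '1.2.5'."""
    m = re.fullmatch(r"\^(\d+(?:\.\d+)*)", constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint {constraint!r}")
    return m.group(1)


def constraint_is_patched(constraint: str) -> bool:
    """A caret range is only safe if its floor is already fixed: '^1.0.0'
    still admits 1.0.0, so the lock could resolve to a vulnerable release."""
    return is_patched(caret_floor(constraint))


def locked_version(lock_text: str, package: str):
    """Resolved version of `package` from poetry.lock's [[package]] tables."""
    for block in lock_text.split("[[package]]")[1:]:
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"', block, re.M))
        if fields.get("name") == package:
            return fields.get("version")
    return None


# Constructed poetry.lock excerpt mirroring the state after this PR.
SAMPLE_LOCK = """
[[package]]
name = "langchain-core"
version = "1.2.6"

[[package]]
name = "uuid-utils"
version = "0.13.0"
"""
```

Running `is_patched(locked_version(SAMPLE_LOCK, "langchain-core"))` returns True, while `constraint_is_patched("^1.0.0")` returns False, which is why the constraint floor had to move and not only the lock.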
@devin-ai-integration
Contributor Author

Original prompt from API User
Issue #10773 by @DanyloGL: Critical Vulnerability (Extensibility): langchain-core (ID: GHSA-c67j-w6g6-q2cm)

Issue URL: https://github.com/airbytehq/oncall/issues/10773

Please use playbook macro: !issue_triage

PLAYBOOK_md:
# `/ai-triage` Slash Command Playbook

You are AI Triage Devin, an expert at analyzing Airbyte-related issues and providing actionable insights. You are responding to a GitHub slash command request. After reading the provided context, you should post a comment to confirm you understand the request and stating what your next steps will be, along with a link to your session. Once your triage and analysis is complete, update your comment with the full results of your triage. Collapse all of your comments under expandable sections.

IMPORTANT: Expect that your user has no access to the session and cannot talk with you directly. Do not wait for feedback or confirmation on any action.

## Context

You are analyzing the issue provided to you above. You will need to pull comment history on this issue to ensure you have full context.

## Your Task: Static Analysis and Triage

1. **Issue Analysis and Confirmation**: Read the complete issue content including all comments for full context.
   - **Post an initial comment immediately** (within 1-2 minutes) to confirm you understand the assignment and that you are looking into it. Include your session URL.
   - If you are missing any critical information or context (e.g., workspace UUID, connector version, error logs, reproduction steps, customer environment details), include in your initial comment a request for additional context. (Do not block waiting for an answer, but instead continue as if you will not get any more information in your current session.)

2. **Research**: Check the internet for similar errors, symptoms, or issues reported by the community. Look for:
   - Similar error messages or stack traces in Airbyte documentation.
   - Known issues in Airbyte GitHub repositories.
   - Community discuss... (11138 chars truncated...)

@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@github-actions github-actions bot added the bug Something isn't working label Jan 6, 2026
@github-actions

github-actions bot commented Jan 6, 2026

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

Testing This CDK Version

You can test this version of the CDK using the following:

# Run the CLI from this branch:
uvx 'git+https://github.com/airbytehq/airbyte-python-cdk.git@devin/1767710896-fix-langchain-core-cve-2025-68664#egg=airbyte-python-cdk[dev]' --help

# Update a connector to use the CDK from this branch ref:
cd airbyte-integrations/connectors/source-example
poe use-cdk-branch devin/1767710896-fix-langchain-core-cve-2025-68664

Helpful Resources

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

  • /autofix - Fixes most formatting and linting issues
  • /poetry-lock - Updates poetry.lock file
  • /test - Runs connector tests with the updated CDK
  • /prerelease - Triggers a prerelease publish with default arguments
  • /poe build - Regenerate git-committed build artifacts, such as the pydantic models which are generated from the manifest JSON schema in YAML.
  • /poe <command> - Runs any poe command in the CDK environment


@github-actions

github-actions bot commented Jan 6, 2026

PyTest Results (Fast)

3 824 tests (±0): 3 812 passed (±0), 12 skipped (±0), 0 failed (±0); 1 suite, 1 file; 6m 36s (-6s)

Results for commit 3a276a5. ± Comparison against base commit 80bcfc5.

♻️ This comment has been updated with latest results.

@github-actions

github-actions bot commented Jan 6, 2026

PyTest Results (Full)

3 827 tests (±0): 3 815 passed (±0), 12 skipped (±0), 0 failed (±0); 1 suite, 1 file; 11m 1s (+6s)

Results for commit 3a276a5. ± Comparison against base commit 80bcfc5.

♻️ This comment has been updated with latest results.

Resolves merge conflicts with main branch while preserving the
langchain-core version bump to ^1.2.5 (resolves to 1.2.6) to
address CVE-2025-68664.

Co-Authored-By: unknown <>
@tolik0
Contributor

Anatolii Yatsuk (tolik0) commented Jan 12, 2026

/prerelease

Prerelease Job Info

This job triggers the publish workflow with default arguments to create a prerelease.

Prerelease job started... Check job output.

✅ Prerelease workflow triggered successfully.

View the publish workflow run: https://github.com/airbytehq/airbyte-python-cdk/actions/runs/20921460134

@tolik0 Anatolii Yatsuk (tolik0) marked this pull request as ready for review January 12, 2026 16:00
Copilot AI review requested due to automatic review settings January 12, 2026 16:00
Contributor

Copilot AI left a comment

Pull request overview

This PR updates the langchain-core dependency from ^1.0.0 to ^1.2.5 to address CVE-2025-68664, a critical serialization injection vulnerability (CVSS 9.3) that could allow attackers to extract secrets and environment variables. The update affects connectors using vector-db-based extras.

Changes:

  • Bumped langchain_core version constraint to address security vulnerability
  • Regenerated poetry.lock to resolve to langchain-core 1.2.6
  • Added new transitive dependency uuid-utils 0.13.0

@tolik0 Anatolii Yatsuk (tolik0) merged commit 1f981a1 into main Jan 12, 2026
38 of 39 checks passed
@tolik0 Anatolii Yatsuk (tolik0) deleted the devin/1767710896-fix-langchain-core-cve-2025-68664 branch January 12, 2026 16:01