chore(deps): bump langgraph lower bounds to fix security vulnerabilities (#165)

bsbodden · web-flow · commit a6b5c10064ae · 2026-03-09T08:44:20.000-07:00
* chore(deps): bump langgraph and langgraph-checkpoint lower bounds for security fixes - langgraph-checkpoint: >=3.0.0 → >=4.0.0 (fixes CVE for BaseCache deserialization RCE, Dependabot alert #17) - langgraph: >=0.3.0 → >=1.0.10 (fixes unsafe msgpack deserialization, Dependabot alert #18) * fix: align prune()/aprune() signatures with upstream BaseCheckpointSaver langgraph-checkpoint 4.0.0 changed the base class signature from no prune() to prune(strategy="keep_latest"). Update all 4 implementations to accept the upstream `strategy` parameter while keeping `keep_last` as an optional override for backwards compatibility. Mapping: strategy="keep_latest" → keep_last=1, strategy="delete" → keep_last=0.
diff --git a/langgraph/checkpoint/redis/__init__.py b/langgraph/checkpoint/redis/__init__.py
@@ -1660,34 +1660,39 @@ def prune(
         self,
         thread_ids: Sequence[str],
         *,
-        keep_last: int = 1,
+        strategy: str = "keep_latest",
+        keep_last: Optional[int] = None,
         max_results: int = 10000,
     ) -> None:
         """Prune old checkpoints for the given threads per namespace.
 
-        Retains the ``keep_last`` most-recent checkpoints **per checkpoint
-        namespace** and removes the rest, along with their associated write
-        keys and key-registry sorted sets.
+        Retains the most-recent checkpoints **per checkpoint namespace** and
+        removes the rest, along with their associated write keys and
+        key-registry sorted sets.
 
         Each namespace (root ``""`` and any subgraph namespaces) is treated as
-        an independent checkpoint chain, so ``keep_last`` is applied separately
-        within each namespace.  Channel values are stored inline within each
-        checkpoint document, so they are automatically removed when the
-        checkpoint document is deleted.
+        an independent checkpoint chain.  Channel values are stored inline
+        within each checkpoint document, so they are automatically removed
+        when the checkpoint document is deleted.
 
         Args:
             thread_ids: Thread IDs whose old checkpoints should be pruned.
-            keep_last: Number of recent checkpoints to retain per namespace.
-                Use ``keep_last=1`` to keep only the latest checkpoint (default).
-                Use ``keep_last=0`` to remove all checkpoints for the thread.
-                For multi-tool interrupt chains, ``max(10, n_tool_calls * 3 + 5)``
-                is a safe heuristic.
+            strategy: Pruning strategy.  ``"keep_latest"`` retains only the
+                most recent checkpoint per namespace (default).  ``"delete"``
+                removes all checkpoints for the thread.
+            keep_last: Optional override — number of recent checkpoints to
+                retain per namespace.  When provided, takes precedence over
+                ``strategy``.  Use ``keep_last=0`` to remove all checkpoints.
             max_results: Maximum number of checkpoints fetched from the index
-                per thread in a single query.  Threads with more checkpoints
-                than this limit will only have the first ``max_results`` entries
-                considered for pruning.  Raise this value for very long-lived
-                threads.  Defaults to 10 000.
+                per thread in a single query.  Defaults to 10 000.
         """
+        # Resolve keep_last from strategy if not explicitly provided
+        if keep_last is None:
+            if strategy == "delete":
+                keep_last = 0
+            else:
+                keep_last = 1
+
         # Validate input
         if not thread_ids:
             raise ValueError("``thread_ids`` must be a non-empty sequence")
diff --git a/langgraph/checkpoint/redis/aio.py b/langgraph/checkpoint/redis/aio.py
@@ -2047,34 +2047,39 @@ async def aprune(
         self,
         thread_ids: Sequence[str],
         *,
-        keep_last: int = 1,
+        strategy: str = "keep_latest",
+        keep_last: Optional[int] = None,
         max_results: int = 10000,
     ) -> None:
         """Prune old checkpoints for the given threads per namespace.
 
-        Retains the ``keep_last`` most-recent checkpoints **per checkpoint
-        namespace** and removes the rest, along with their associated write
-        keys and key-registry sorted sets.
+        Retains the most-recent checkpoints **per checkpoint namespace** and
+        removes the rest, along with their associated write keys and
+        key-registry sorted sets.
 
         Each namespace (root ``""`` and any subgraph namespaces) is treated as
-        an independent checkpoint chain, so ``keep_last`` is applied separately
-        within each namespace.  Channel values are stored inline within each
-        checkpoint document, so they are automatically removed when the
-        checkpoint document is deleted.
+        an independent checkpoint chain.  Channel values are stored inline
+        within each checkpoint document, so they are automatically removed
+        when the checkpoint document is deleted.
 
         Args:
             thread_ids: Thread IDs whose old checkpoints should be pruned.
-            keep_last: Number of recent checkpoints to retain per namespace.
-                Use ``keep_last=1`` to keep only the latest checkpoint (default).
-                Use ``keep_last=0`` to remove all checkpoints for the thread.
-                For multi-tool interrupt chains, ``max(10, n_tool_calls * 3 + 5)``
-                is a safe heuristic.
+            strategy: Pruning strategy.  ``"keep_latest"`` retains only the
+                most recent checkpoint per namespace (default).  ``"delete"``
+                removes all checkpoints for the thread.
+            keep_last: Optional override — number of recent checkpoints to
+                retain per namespace.  When provided, takes precedence over
+                ``strategy``.  Use ``keep_last=0`` to remove all checkpoints.
             max_results: Maximum number of checkpoints fetched from the index
-                per thread in a single query.  Threads with more checkpoints
-                than this limit will only have the first ``max_results`` entries
-                considered for pruning.  Raise this value for very long-lived
-                threads.  Defaults to 10 000.
+                per thread in a single query.  Defaults to 10 000.
         """
+        # Resolve keep_last from strategy if not explicitly provided
+        if keep_last is None:
+            if strategy == "delete":
+                keep_last = 0
+            else:
+                keep_last = 1
+
         # Validate inputs
         if not thread_ids:
             raise ValueError("``thread_ids`` must be a non-empty sequence")
diff --git a/langgraph/checkpoint/redis/ashallow.py b/langgraph/checkpoint/redis/ashallow.py
@@ -901,23 +901,33 @@ async def aprune(
         self,
         thread_ids: Sequence[str],
         *,
-        keep_last: int = 1,
+        strategy: str = "keep_latest",
+        keep_last: Optional[int] = None,
     ) -> None:
         """Prune checkpoints for the given threads.
 
         ``AsyncShallowRedisSaver`` stores at most one checkpoint per namespace
-        by design, so ``keep_last >= 1`` is always a no-op.  ``keep_last=0``
-        removes all checkpoints for each thread (equivalent to
-        ``adelete_thread``).
+        by design, so ``strategy="keep_latest"`` (or ``keep_last >= 1``) is
+        always a no-op.  ``strategy="delete"`` (or ``keep_last=0``) removes
+        all checkpoints for each thread (equivalent to ``adelete_thread``).
 
         Args:
             thread_ids: Thread IDs to prune.
-            keep_last: Checkpoints to retain per namespace.  Any value >= 1
-                is a no-op for shallow savers.  Pass ``0`` to delete all.
+            strategy: Pruning strategy.  ``"keep_latest"`` is a no-op for
+                shallow savers (default).  ``"delete"`` removes all.
+            keep_last: Optional override.  Any value >= 1 is a no-op.
+                Pass ``0`` to delete all.
         """
+        # Resolve keep_last from strategy if not explicitly provided
+        if keep_last is None:
+            if strategy == "delete":
+                keep_last = 0
+            else:
+                keep_last = 1
+
         # Validate input
         if not thread_ids:
-            raise ValueError(f"``thread_ids`` must be a non-empty sequence")
+            raise ValueError("``thread_ids`` must be a non-empty sequence")
 
         if keep_last < 0:
             raise ValueError(f"``keep_last`` must be >= 0, got {keep_last}")
diff --git a/langgraph/checkpoint/redis/shallow.py b/langgraph/checkpoint/redis/shallow.py
@@ -769,23 +769,33 @@ def prune(
         self,
         thread_ids: Sequence[str],
         *,
-        keep_last: int = 1,
+        strategy: str = "keep_latest",
+        keep_last: Optional[int] = None,
     ) -> None:
         """Prune checkpoints for the given threads.
 
         ``ShallowRedisSaver`` stores at most one checkpoint per namespace by
-        design, so ``keep_last >= 1`` is always a no-op.  ``keep_last=0``
-        removes all checkpoints for each thread (equivalent to
-        ``delete_thread``).
+        design, so ``strategy="keep_latest"`` (or ``keep_last >= 1``) is
+        always a no-op.  ``strategy="delete"`` (or ``keep_last=0``) removes
+        all checkpoints for each thread (equivalent to ``delete_thread``).
 
         Args:
             thread_ids: Thread IDs to prune.
-            keep_last: Checkpoints to retain per namespace.  Any value >= 1
-                is a no-op for shallow savers.  Pass ``0`` to delete all.
+            strategy: Pruning strategy.  ``"keep_latest"`` is a no-op for
+                shallow savers (default).  ``"delete"`` removes all.
+            keep_last: Optional override.  Any value >= 1 is a no-op.
+                Pass ``0`` to delete all.
         """
+        # Resolve keep_last from strategy if not explicitly provided
+        if keep_last is None:
+            if strategy == "delete":
+                keep_last = 0
+            else:
+                keep_last = 1
+
         # Validate input
         if not thread_ids:
-            raise ValueError(f"``thread_ids`` must be a non-empty sequence")
+            raise ValueError("``thread_ids`` must be a non-empty sequence")
 
         if keep_last < 0:
             raise ValueError(f"``keep_last`` must be >= 0, got {keep_last}")
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -19,14 +19,14 @@ packages = [{ include = "langgraph" }]
 
 [tool.poetry.dependencies]
 python = ">=3.10,<3.15"
-langgraph-checkpoint = ">=3.0.0,<5.0.0"
+langgraph-checkpoint = ">=4.0.0,<5.0.0"
 redisvl = ">=0.15.0,<1.0.0"
 redis = ">=5.2.1"
 orjson = "^3.9.0"
 tomli = { version = "^2.0.1", python = "<3.11" }
 
 [tool.poetry.group.dev.dependencies]
-langgraph = ">=0.3.0"
+langgraph = ">=1.0.10"
 black = "^25.1.0"
 codespell = "^2.4.1"
 pytest = "^8.4.1"
