sec: upgrade langchain stack from 0.2.x to current #121

Open
opened 2026-06-13 21:35:38 -07:00 by pyr0ball · 0 comments

## Summary

The installed langchain ecosystem is severely out of date and carries multiple known CVEs.

| Package | Installed | CVEs |
|---|---|---|
| `langchain` | 0.2.11 | CVE-2024-8309 (no fix in 0.2.x), CVE-2024-7774 |
| `langchain-core` | 0.2.36 | CVE-2024-10940, CVE-2025-65106/68664, CVE-2026-26013/40087/44843 |
| `langchain-community` | 0.2.10 | CVE-2024-8309, CVE-2025-6984 |
| `langsmith` | 0.1.93 | CVE-2026-41182, CVE-2026-45134 |

## Why this is a multi-sprint effort

The 0.2.x → 0.3+ migration introduced breaking API changes across all these packages. Any code using `langchain.chat_models`, `langchain.llms`, or `LLMChain` needs updating. A compatibility audit is required before bumping.

## Acceptance criteria

- [ ] Audit all langchain imports in `scripts/` and `dev-api.py`
- [ ] Upgrade to latest stable langchain + langchain-core + langchain-community + langchain-openai + langchain-anthropic + langchain-ollama + langchain-google-genai
- [ ] All existing tests pass after upgrade
- [ ] `langsmith` pinned to >= 0.8.0

## Related

Part of the 2026-06-13 CVE scan. Other CVEs in that scan have been patched on the `feat/cve-fixes` branch.
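An added example (not code from the issue or the peregrine repository) of the import audit the acceptance criteria call for: it walks Python source for the `langchain.chat_models`, `langchain.llms` and `LLMChain` imports the issue names as breaking, and checks an installed langsmith version against the `>= 0.8.0` pin. The directory root passed to `audit_tree` and the embedded sample script are assumptions for illustration.

```python
import ast
import re
from pathlib import Path

# Import paths the issue names as broken by the 0.2.x -> 0.3+ migration.
LEGACY_MODULES = ("langchain.chat_models", "langchain.llms")
LEGACY_NAMES = ("LLMChain",)

def _is_legacy_module(mod: str) -> bool:
    return any(mod == m or mod.startswith(m + ".") for m in LEGACY_MODULES)

def find_legacy_imports(source: str) -> list[tuple[int, str]]:
    """Return (line, statement) for every import the upgrade will break."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            hits += [(node.lineno, f"import {a.name}")
                     for a in node.names if _is_legacy_module(a.name)]
        elif isinstance(node, ast.ImportFrom):
            mod, names = node.module or "", [a.name for a in node.names]
            if _is_legacy_module(mod) or any(n in LEGACY_NAMES for n in names):
                hits.append((node.lineno, f"from {mod} import {', '.join(names)}"))
    return sorted(hits)

def audit_tree(root: str) -> dict[str, list[tuple[int, str]]]:
    """Scan every .py file under root (e.g. scripts/, or the dir holding dev-api.py)."""
    report = {}
    for path in sorted(Path(root).rglob("*.py")):
        hits = find_legacy_imports(path.read_text(encoding="utf-8"))
        if hits:
            report[str(path)] = hits
    return report

def meets_langsmith_pin(installed: str, minimum: str = "0.8.0") -> bool:
    """Compare numerically: as strings, '0.10.0' would wrongly sort below '0.8.0'."""
    def parts(v: str) -> tuple[int, ...]:
        return tuple(int(p) for p in re.findall(r"\d+", v)[:3])
    return parts(installed) >= parts(minimum)

# Constructed sample of a pre-migration script; not a file from the repository.
SAMPLE = """\
from langchain.chat_models import ChatOpenAI
from langchain.llms.ollama import Ollama
from langchain.chains import LLMChain
from langchain_core.prompts import PromptTemplate
"""

if __name__ == "__main__":
    for line, stmt in find_legacy_imports(SAMPLE):
        print(f"line {line}: {stmt}")
```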

Reference: Circuit-Forge/peregrine#121