Skip to content

Bump the pip group across 1 directory with 9 updates#4

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/pip-9903b9deca
Open

Bump the pip group across 1 directory with 9 updates#4
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/pip-9903b9deca

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 25, 2026

Copy link
Copy Markdown
Contributor

Bumps the pip group with 9 updates in the / directory:

Package From To
langchain-core 0.3.65 1.2.28
langchain-text-splitters 0.3.8 1.1.2
langsmith 0.3.45 0.7.31
orjson 3.10.18 3.11.6
pillow 11.3.0 12.2.0
protobuf 6.31.1 6.33.5
requests 2.32.4 2.33.0
tornado 6.5.1 6.5.5
urllib3 2.5.0 2.6.3

Updates langchain-core from 0.3.65 to 1.2.28

Release notes

Sourced from langchain-core's releases.

langchain-core==1.2.28

Changes since langchain-core==1.2.27

release(core): release 1.2.28 (#36614) fix(core): add more sanitization to templates (#36612)

langchain-core==1.2.27

Changes since langchain-core==1.2.26

release(core): 1.2.27 (#36586) fix(core): handle symlinks in deprecated prompt save path (#36585) chore: add comment explaining pygments>=2.20.0 (#36570)

Credit to Jeff Ponte (@​JDP-Security) for reporting the symlink resolution issue in #36585.

langchain-core==1.2.26

Changes since langchain-core==1.2.25

release(core): 1.2.26 (#36511) fix(core): add init validator and serialization mappings for Bedrock models (#34510) feat(core): add ChatBaseten to serializable mapping (#36510) chore(core): drop gpt-3.5-turbo from docstrings (#36497) fix(core): correct parameter names in filter_messages docstring example (#36462)

langchain-core==1.2.25

Changes since langchain-core==1.2.24

release(core): 1.2.25 (#36473) fix(core): harden check for txt files in deprecated prompt loading functions (#36471) fix(core): fixed typos in the documentation (#36459)

Credit to Jeff Ponte (@​JDP-Security) for reporting the symlink resolution issue resolved in #36471.

langchain-core==1.2.24

Changes since langchain-core==1.2.23

release(core): 1.2.24 (#36434) feat(core): impute placeholder filenames for OpenAI file inputs (#36433) chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385) fix(core): add "computer" to _WellKnownOpenAITools (#36261)

langchain-core==1.2.23

Changes since langchain-core==1.2.22

release(core): 1.2.23 (#36323) revert: Revert "fix(core): trace invocation params in metadata" (#36322) chore: bump requests from 2.32.5 to 2.33.0 in /libs/core (#36243)

langchain-core==1.2.22

Changes since langchain-core==1.2.21

... (truncated)

Commits

Updates langchain-text-splitters from 0.3.8 to 1.1.2

Release notes

Sourced from langchain-text-splitters's releases.

langchain-text-splitters==1.1.2

Changes since langchain-text-splitters==1.1.1

release(text-splitters): 1.1.2 (#36822) fix(text-splitters): deprecate and use SSRF-safe transport in split_text_from_url (#36821) chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/text-splitters (#36797) chore(deps): bump pytest to 9.0.3 (#36801) chore: bump pytest from 9.0.2 to 9.0.3 in /libs/text-splitters (#36714) chore: add comment explaining pygments>=2.20.0 (#36570) release(core): 1.2.26 (#36511) chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385) fix(text-splitters): prevent silent data loss for empty dict values in RecursiveJsonSplitter (#35079) feat(text-splitters): support spacy tests with Python 3.14 (#36198) fix(infra): correct lint_diff relative paths in package makefiles (#36333) chore: bump requests from 2.32.5 to 2.33.0 in /libs/text-splitters (#36238) chore: bump nltk from 3.9.3 to 3.9.4 in /libs/text-splitters (#36237) chore(partners): bump langchain-core min to 1.2.21 (#36183) chore(text-splitters): bump nltk in lock file (#36112) ci: suppress pytest streaming output in CI (#36092) chore(text-splitters): speed up ci (#36050) ci: avoid unnecessary dep installs in lint targets (#36046) chore: bump orjson from 3.11.5 to 3.11.6 in /libs/text-splitters (#35856) chore: bump locks, lint (#35985) perf(.github): set a timeout on get min versions HTTP calls (#35851) chore: bump tornado from 6.5.2 to 6.5.5 in /libs/text-splitters (#35774) chore: bump the minor-and-patch group across 3 directories with 3 updates (#35589) chore: bump the other-deps group across 3 directories with 2 updates (#35512) chore: bump nltk from 3.9.2 to 3.9.3 in /libs/text-splitters (#35449) chore: bump the other-deps group across 3 directories with 2 updates (#35407)

langchain-text-splitters==1.1.1

Changes since langchain-text-splitters==1.1.0

release(text-splitters): 1.1.1 (#35318) fix(text-splitters): prevent JSFrameworkTextSplitter from mutating self._separators on each split_text() call (#35316) chore: bump transformers from 5.1.0 to 5.2.0 in /libs/text-splitters in the other-deps group across 1 directory (#35279) chore: bump the other-deps group across 3 directories with 2 updates (#35255) style: bump ruff version to 0.15 (#35042) fix: Server-Side Request Forgery (SSRF) in HTMLHeaderTextSplitter.split_text_from_url (#35196) feat(text-splitters): add model_kwargs to SentenceTransformersTokenTextSplitter (#35113) chore(deps): bump langsmith from 0.4.31 to 0.6.3 in /libs/text-splitters (#35162) chore(deps): bump the other-deps group across 3 directories with 12 updates (#35127) chore(deps): bump the other-deps group across 3 directories with 8 updates (#35120) chore: add make type target (#35015) revert: "chore: add typing target in Makefile" (#35013) chore: add typing target in Makefile (#35012) fix(text-splitters): reverse preserved elements iterator in HTMLSemanticPreservingSplitter (#34080) chore: enrich pyproject.toml files (#34980) chore(deps): bump the uv group across 20 directories with 3 updates (#34941) chore: upgrade urllib3 to 2.6.3 (#34940)

... (truncated)

Commits
  • 58c4e5b release(text-splitters): 1.1.2 (#36822)
  • c289bf1 fix(text-splitters): deprecate and use SSRF-safe transport in split_text_from...
  • b7447c6 fix(infra): skip serdes tests in min-version release step (#36818)
  • 41c0cc5 release(openai): 1.1.14 (#36820)
  • 0516156 fix(openai): use SSRF-safe transport for image token counting (#36819)
  • 338aa81 fix(core): restore cloud metadata IPs and link-local range in SSRF policy (#3...
  • 51e9548 chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/text-splitters (#36797)
  • e85c418 chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/model-profiles (#36798)
  • 789126e chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/standard-tests (#36799)
  • 937b3eb chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/langchain_v1 (#36800)
  • Additional commits viewable in compare view

Updates langsmith from 0.3.45 to 0.7.31

Release notes

Sourced from langsmith's releases.

v0.7.31

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.7.30...v0.7.31

v0.7.30

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.7.29...v0.7.30

v0.7.29

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.7.28...v0.7.29

v0.7.28

What's Changed

... (truncated)

Commits
  • c434999 release(py): 0.7.31 (#2716)
  • 47d7c4a feat: Filter kwargs from new token events (#2714)
  • 3c57445 chore(deps-dev): bump rich from 14.3.3 to 15.0.0 in /python (#2708)
  • 2be6cd0 chore(deps-dev): bump types-psutil from 7.2.2.20260130 to 7.2.2.20260408 in /...
  • b8b6ca3 chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 7 ...
  • 9897cb3 chore(deps): bump actions/github-script from 8 to 9 (#2706)
  • 572c018 chore(deps-dev): bump @​anthropic-ai/sdk from 0.85.0 to 0.86.0 in /js (#2702)
  • 5744752 chore(deps): bump the py-minor-and-patch group across 1 directory with 10 upd...
  • 960cae7 chore(deps): bump pnpm/action-setup from 5 to 6 (#2705)
  • 9370e76 chore(deps-dev): bump types-tqdm from 4.67.3.20260303 to 4.67.3.20260408 in /...
  • Additional commits viewable in compare view

Updates orjson from 3.10.18 to 3.11.6

Release notes

Sourced from orjson's releases.

3.11.6

Changed

  • orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
  • Drop support for Python 3.9.
  • ABI compatibility with CPython 3.15 alpha 5.
  • Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

  • Fix sporadic crash serializing deeply nested list of dict.

3.11.5

Changed

  • Show simple error message instead of traceback when attempting to build on unsupported Python versions.

3.11.4

Changed

  • ABI compatibility with CPython 3.15 alpha 1.
  • Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7, manylinux ppc64le, manylinux s390x.
  • Build now requires a C compiler.

3.11.3

Fixed

  • Fix PyPI project metadata when using maturin 1.9.2 or later.

3.11.2

Fixed

  • Fix build using Rust 1.89 on amd64.

Changed

  • Build now depends on Rust 1.85 or later instead of 1.82.

3.11.1

Changed

  • Publish PyPI wheels for CPython 3.14.

Fixed

  • Fix str on big-endian architectures.

3.11.0

... (truncated)

Changelog

Sourced from orjson's changelog.

3.11.6 - 2026-01-29

Changed

  • orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
  • Drop support for Python 3.9.
  • ABI compatibility with CPython 3.15 alpha 5.
  • Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

  • Fix sporadic crash serializing deeply nested list of dict.

3.11.5 - 2025-12-06

Changed

  • Show simple error message instead of traceback when attempting to build on unsupported Python versions.

3.11.4 - 2025-10-24

Changed

  • ABI compatibility with CPython 3.15 alpha 1.
  • Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7, manylinux ppc64le, manylinux s390x.
  • Build now requires a C compiler.

3.11.3 - 2025-08-26

Fixed

  • Fix PyPI project metadata when using maturin 1.9.2 or later.

3.11.2 - 2025-08-12

Fixed

  • Fix build using Rust 1.89 on amd64.

Changed

  • Build now depends on Rust 1.85 or later instead of 1.82.

... (truncated)

Commits

Updates pillow from 11.3.0 to 12.2.0

Release notes

Sourced from pillow's releases.

12.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html

Documentation

Dependencies

Testing

Other changes

... (truncated)

Commits

Updates protobuf from 6.31.1 to 6.33.5

Release notes

Sourced from protobuf's releases.

Protocol Buffers v34.0-rc1

Announcements

Bazel

Compiler

C++

... (truncated)

Commits

Updates requests from 2.32.4 to 2.33.0

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.

New Contributors

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

v2.32.5

2.32.5 (2025-08-18)

Bugfixes

  • The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

  • Added support for Python 3.14.
  • Dropped support for Python 3.8 following its end of support.
Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.

2.32.5 (2025-08-18)

Bugfixes

  • The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

  • Added support for Python 3.14.
  • Dropped support for Python 3.8 following its end of support.
Commits
  • bc04dfd v2.33.0
  • 66d21cb Merge commit from fork
  • 8b9bc8f Move badges to top of README (#7293)
  • e331a28 Remove unused extraction call (#7292)
  • 753fd08 docs: fix FAQ grammar in httplib2 example
  • 774a0b8 docs(socks): same block as other sections
  • 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
  • ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
  • 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
  • d568f47 docs: clarify Quickstart POST example (#6960)
  • Additional commits viewable in compare view

Updates tornado from 6.5.1 to 6.5.5

Changelog

Sourced from tornado's changelog.

Release notes

.. toctree:: :maxdepth: 2

releases/v6.5.5 releases/v6.5.4 releases/v6.5.3 releases/v6.5.2 releases/v6.5.1 releases/v6.5.0 releases/v6.4.2 releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releas...

Description has been truncated

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Apr 25, 2026
Bumps the pip group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [langchain-core](https://github.com/langchain-ai/langchain) | `0.3.65` | `1.2.28` |
| [langchain-text-splitters](https://github.com/langchain-ai/langchain) | `0.3.8` | `1.1.2` |
| [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.3.45` | `0.7.31` |
| [orjson](https://github.com/ijl/orjson) | `3.10.18` | `3.11.6` |
| [pillow](https://github.com/python-pillow/Pillow) | `11.3.0` | `12.2.0` |
| [protobuf](https://github.com/protocolbuffers/protobuf) | `6.31.1` | `6.33.5` |
| [requests](https://github.com/psf/requests) | `2.32.4` | `2.33.0` |
| [tornado](https://github.com/tornadoweb/tornado) | `6.5.1` | `6.5.5` |
| [urllib3](https://github.com/urllib3/urllib3) | `2.5.0` | `2.6.3` |



Updates `langchain-core` from 0.3.65 to 1.2.28
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-core==0.3.65...langchain-core==1.2.28)

Updates `langchain-text-splitters` from 0.3.8 to 1.1.2
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-text-splitters==0.3.8...langchain-text-splitters==1.1.2)

Updates `langsmith` from 0.3.45 to 0.7.31
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](langchain-ai/langsmith-sdk@v0.3.45...v0.7.31)

Updates `orjson` from 3.10.18 to 3.11.6
- [Release notes](https://github.com/ijl/orjson/releases)
- [Changelog](https://github.com/ijl/orjson/blob/master/CHANGELOG.md)
- [Commits](ijl/orjson@3.10.18...3.11.6)

Updates `pillow` from 11.3.0 to 12.2.0
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@11.3.0...12.2.0)

Updates `protobuf` from 6.31.1 to 6.33.5
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)

Updates `requests` from 2.32.4 to 2.33.0
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.4...v2.33.0)

Updates `tornado` from 6.5.1 to 6.5.5
- [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst)
- [Commits](tornadoweb/tornado@v6.5.1...v6.5.5)

Updates `urllib3` from 2.5.0 to 2.6.3
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.5.0...2.6.3)

---
updated-dependencies:
- dependency-name: langchain-core
  dependency-version: 1.2.28
  dependency-type: direct:production
- dependency-name: langchain-text-splitters
  dependency-version: 1.1.2
  dependency-type: direct:production
- dependency-name: langsmith
  dependency-version: 0.7.31
  dependency-type: direct:production
- dependency-name: orjson
  dependency-version: 3.11.6
  dependency-type: direct:production
- dependency-name: pillow
  dependency-version: 12.2.0
  dependency-type: direct:production
- dependency-name: protobuf
  dependency-version: 6.33.5
  dependency-type: direct:production
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: direct:production
- dependency-name: tornado
  dependency-version: 6.5.5
  dependency-type: direct:production
- dependency-name: urllib3
  dependency-version: 2.6.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/pip-9903b9deca branch from 6f31c33 to 19f7f20 Compare April 25, 2026 09:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants