chore(deps-dev): bump the langchain group across 1 directory with 2 updates

[dependabot]

Bumps the langchain group with 2 updates in the / directory: langchain-openai and langchain.

Updates langchain-openai from 0.3.34 to 1.1.14

Release notes

Sourced from langchain-openai's releases.

langchain-openai==1.1.14

Changes since langchain-openai==1.1.13

release(openai): 1.1.14 (#36820) fix(openai): use SSRF-safe transport for image token counting (#36819) chore(deps): bump pytest to 9.0.3 (#36801) chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/partners/openai (#36795) chore: bump pillow from 12.1.1 to 12.2.0 in /libs/partners/openai (#36777)

langchain-openai==1.1.13

Changes since langchain-openai==1.1.12

release(openai): 1.1.13 (#36729) fix(openai): handle content blocks without type key in responses api conversion (#36725) chore(model-profiles): refresh model profile data (#36539) chore(openai): fix broken vcr cassette playback and add ci guard (#36502) fix(openai,groq,openrouter): use is-not-None checks in usage metadata token extraction (#36500) fix(core): fixed typos in the documentation (#36459) chore(model-profiles): refresh model profile data (#36455) feat(core): impute placeholder filenames for OpenAI file inputs (#36433) chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385) chore(model-profiles): refresh model profile data (#36368) fix(openai): update computer call test (#36352) fix(openai): let user-provided User-Agent override the Azure default (#35523) chore: bump requests from 2.32.5 to 2.33.0 in /libs/partners/openai (#36248)

langchain-openai==1.1.12

Changes since langchain-openai==1.1.11

fix(openai): bump min core version (#36180) release(openai): 1.1.12 (#36178) fix(core,model-profiles): add missing ModelProfile fields, warn on schema drift (#36129) fix(openai): support phase parameter (#36161) fix(openai): preserve namespace field in streaming function_call chunks (#36108) ci: suppress pytest streaming output in CI (#36092) ci: avoid unnecessary dep installs in lint targets (#36046) chore(model-profiles): refresh model profile data (#36039) chore: bump orjson from 3.11.5 to 3.11.6 in /libs/partners/openai (#35860) fix(openai): add type: message to Responses API input items (#35693) perf(.github): set a timeout on get min versions HTTP calls (#35851) feat(model-profiles): new fields + Makefile target (#35788) fix(openai): close PIL Image handles in token counting to prevent fd leak (#35742) fix(openai): typo (#35763) chore(model-profiles): refresh model profile data (#35754)

langchain-openai==1.1.11

Changes since langchain-openai==1.1.10

fix(openai): bump min core version (#35705) release(openai): 1.1.11 (#35703)

... (truncated)

Commits

• b7447c6 fix(infra): skip serdes tests in min-version release step (#36818)
• 41c0cc5 release(openai): 1.1.14 (#36820)
• 0516156 fix(openai): use SSRF-safe transport for image token counting (#36819)
• 338aa81 fix(core): restore cloud metadata IPs and link-local range in SSRF policy (#3...
• 51e9548 chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/text-splitters (#36797)
• e85c418 chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/model-profiles (#36798)
• 789126e chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/standard-tests (#36799)
• 937b3eb chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/langchain_v1 (#36800)
• a06c205 ci(infra): validate issue checkboxes by section (#36811)
• aa33b06 fix(langchain-classic): suppress mypy errors in compat code (#36806)
• Additional commits viewable in compare view

Updates langchain from 1.2.13 to 1.2.15

Release notes

Sourced from langchain's releases.

langchain-core==1.2.15

Changes since langchain-core==1.2.14

fix(core): improve error message for non-JSON-serializable tool schemas (#34376) fix(core): improve typing/docs for on_chat_model_start to clarify required positional args (#35324) perf(core): defer specific langsmith imports to reduce import time (#35298) revert: add ChatAnthropicBedrockWrapper (#35371) release(core): 1.2.15 (#35367) fix(anthropic): replace retired model IDs in tests and docstrings (#35365) feat(anthropic): add ChatAnthropicBedrock wrapper (#35091) style: fix some ruff noqa (#35321)

langchain==1.2.15

Changes since langchain==1.2.14

release: langchain v1.2.15 (#36496) chore: bump aiohttp from 3.13.3 to 3.13.4 in /libs/langchain_v1 (#36438)

langchain-core==1.2.14

Changes since langchain-core==1.2.13

release(core): 1.2.14 (#35328) chore(core): remove langserve from sys info util, add deepagents (#35325) fix(core): fix merge_lists incorrectly merging parallel tool calls (#35281) fix(core): accept int temperature in _get_ls_params for LangSmith tracing (#35302) revert: accept integer temperature values in _get_ls_params (#35319) fix(core): accept integer temperature values in _get_ls_params (#35317) docs(core): update load note to be precise (#35309) fix(core): prevent recursion error when args_schema is dict (#35260) fix(core): preserve index and timestamp fields when merging (#34731) docs(core): add security warnings and best practices for deserialization (#35282) docs: fix docstring inaccuracies and update outdated LangSmith URLs (#35283) fix(core): correct misleading jinja2 sandboxing comment (#35183) chore: bump the langchain-deps group across 3 directories with 8 updates (#35257)

langchain==1.2.14

Changes since langchain==1.2.13

release(langchain): 1.2.14 (#36396) chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385) test(langchain): cover runtime recursion limit override in create_agent (#36376) perf(langchain): reduce init speed by 15% (#36375) fix(langchain): update recursion limit for create_agent (#36351) fix(infra): correct lint_diff relative paths in package makefiles (#36333) chore: bump cryptography from 46.0.5 to 46.0.6 in /libs/langchain_v1 (#36324) fix(langchain): recognize ChatAnthropicVertex in _get_approximate_token_counter (#36320) chore(langchain): remove unnecessary description for toods list as a group (#36315) chore(langchain): add async implementation to todolist and test (#36313) chore(langchain): speed up todo list middleware init (#36311) chore: bump requests from 2.32.5 to 2.33.0 in /libs/langchain_v1 (#36241)

... (truncated)

Commits

• dd63731 release: langchain v1.2.15 (#36496)
• d1529dd fix(core): correct parameter names in filter_messages docstring example (#36462)
• e89afed release(core): 1.2.25 (#36473)
• 0b5f2c0 fix(core): harden check for txt files in deprecated prompt loading functions ...
• c9f51ae fix(core): fixed typos in the documentation (#36459)
• cd394b7 chore(model-profiles): refresh model profile data (#36455)
• 34c4a2a chore: bump aiohttp from 3.13.3 to 3.13.4 in /libs/partners/huggingface (#36436)
• 914cef0 chore: bump aiohttp from 3.13.3 to 3.13.4 in /libs/partners/xai (#36435)
• 66ad4f7 chore: bump aiohttp from 3.13.3 to 3.13.4 in /libs/langchain (#36439)
• 8fb12b8 chore: bump aiohttp from 3.13.3 to 3.13.4 in /libs/partners/fireworks (#36437)
• Additional commits viewable in compare view

[claude]

The langchain-openai bump spans a major version boundary (0.3.34 → 1.1.12), which may introduce breaking API changes in the test suite — worth a human check that CI passes.

Extended reasoning...

Overview

This is a dependabot PR updating two dev-only dependencies in pyproject.toml and uv.lock: langchain-openai (0.3.34 → 1.1.12) and langchain (1.2.13 → 1.2.15). Incidentally, langgraph (1.1.3 → 1.1.5) and langgraph-prebuilt (1.0.8 → 1.0.9) are also bumped as transitive resolution changes. All changes are to the [dependency-groups] dev section — none affect the published package.

Security Risks

No security risks from the version bumps themselves. The langchain 1.2.14 release includes a pygments CVE fix (CVE-2026-4539), which is a minor positive. No auth, crypto, or data-exposure surface in these changes.

Level of Scrutiny

The langchain-openai jump from 0.3.34 to 1.1.12 crosses a major version boundary and skips many minor versions, meaning the upstream library may have introduced API breaking changes. Even though it is a dev dependency, the test suite relies on it and tests could silently pass or fail depending on API compatibility. The constraint in pyproject.toml was widened from <0.4 to <1.2 to accommodate this, which is a deliberate widening. A human should confirm CI is green before merging.

Other Factors

No bugs were found by the automated bug hunting system. The langchain and langgraph bumps are minor patch-level and low risk. The lock file hash updates are consistent with the version changes. The main concern is solely the magnitude of the langchain-openai version jump.