From 1323f98730945ceb84da80f10f9080579cf2d255 Mon Sep 17 00:00:00 2001
From: Abhijeet Prasad
Date: Tue, 12 May 2026 17:41:05 +0000
Subject: [PATCH] chore(deps): bump langchain-openai to 1.1.14 (SSRF advisory)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The 1.1.13 pin in the test-langchain dependency group was below the patched 1.1.14, which fixes a validate-then-fetch TOCTOU / DNS rebinding window in _url_to_size() (used by the OpenAI image-token counter). The practical impact is limited to blind probing — the response body is never returned to the caller — but the pin should still move forward.

Confirmed langchain integration tests pass on latest with the new pin (uv.lock refreshed; cassettes replay cleanly).

Co-Authored-By: Claude Opus 4.7
---
 py/pyproject.toml | 2 +-
 py/uv.lock | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/py/pyproject.toml b/py/pyproject.toml
index 4abb7d30..d61c928c 100644
--- a/py/pyproject.toml
+++ b/py/pyproject.toml
@@ -152,7 +152,7 @@ test-pydantic-ai-logfire = [
 test-langchain = [
 {include-group = "test"},
- "langchain-openai==1.1.13",
+ "langchain-openai==1.1.14",
 "langchain-anthropic==1.4.0",
 "langgraph==1.1.6",
 ]
diff --git a/py/uv.lock b/py/uv.lock
index 7e6b2172..9ecf906c 100644
--- a/py/uv.lock
+++ b/py/uv.lock
@@ -831,7 +831,7 @@ test-crewai = [
 ]
 test-langchain = [
 { name = "langchain-anthropic" },
- { name = "langchain-openai", version = "1.1.13", source = { registry = "https://pypi.org/simple" } },
+ { name = "langchain-openai", version = "1.1.14", source = { registry = "https://pypi.org/simple" } },
 { name = "langgraph" },
 { name = "pytest" },
 { name = "pytest-asyncio" },
@@ -1004,7 +1004,7 @@ test-crewai = [
 ]
 test-langchain = [
 { name = "langchain-anthropic", specifier = "==1.4.0" },
- { name = "langchain-openai", specifier = "==1.1.13" },
+ { name = "langchain-openai", specifier = "==1.1.14" },
 { name = "langgraph", specifier = "==1.1.6" },
 { name = "pytest", specifier = "==9.0.3" },
 { name = "pytest-asyncio", specifier = "==1.3.0" },
@@ -4057,7 +4057,7 @@ wheels = [
 [[package]]
 name = "langchain-openai"
-version = "1.1.13"
+version = "1.1.14"
 source = { registry = "https://pypi.org/simple" }
 resolution-markers = [
 "python_full_version >= '3.14'",
@@ -4071,9 +4071,9 @@ dependencies = [
 { name = "openai", version = "2.32.0", source = { registry = "https://pypi.org/simple" } },
 { name = "tiktoken" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/c3/63/0fed7cae7103e4b7aced76208aa92c02ae78bdf1be48bd9d83e4051d6c31/langchain_openai-1.1.13.tar.gz", hash = "sha256:88e13342407016785bd3c48be32ded1f28b992403bbb82505b558d81b038adc2", size = 1114743, upload-time = "2026-04-15T01:37:19.409Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/8e/f5/b1a56f703fb90952b07ff9fb5507123a39df1267d62a7f2bb821c5dbb628/langchain_openai-1.1.14.tar.gz", hash = "sha256:71b4262932fabe506ce79c175dbc956cc48f24d81e20b27662df493147750643", size = 1115195, upload-time = "2026-04-16T14:55:24.696Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/6e/d1/ca789988897096883289f9597ee653574b67b4b2a8f40bc306dfd73742d5/langchain_openai-1.1.13-py3-none-any.whl", hash = "sha256:54ba1e9f2f0f428aeea68271a87823a0a1b22360283990a713c731d2ef7da926", size = 88723, upload-time = "2026-04-15T01:37:18.062Z" },
+ { url = "https://files.pythonhosted.org/packages/0b/fa/8c33befbc0cf81b21371cc1dab4e7bf94a80b8116194f263a5021ec02529/langchain_openai-1.1.14-py3-none-any.whl", hash = "sha256:cb525d2011f9813fc15a7dcfd4bca5b87badcbcb2c113a7fbe45d1b8a1bbb69c", size = 88705, upload-time = "2026-04-16T14:55:23.159Z" },
 ]
 [[package]]