[Snyk] Security upgrade langchain from 0.0.63 to 0.1.29

[snyk-io]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json
• package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Prototype Pollution SNYK-JS-EXPREVAL-13833679	665

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

---

EntelligenceAI PR Summary

This PR upgrades LangChain from 0.0.63 to 0.1.29, transitioning to a modular architecture and updating critical dependencies.

• Introduced modular LangChain packages: @langchain/community, @langchain/core, @langchain/openai
• Upgraded @anthropic-ai/sdk from 0.4.3 to 0.9.1 with updated dependencies
• Upgraded openai from 3.2.1 to 4.104.0 with breaking dependency structure changes
• Removed deprecated packages: @dqbd/tiktoken, @fortaine/fetch-event-source, browser-or-node, isomorphic-fetch
• Added modern replacements: js-tiktoken for tokenization, native fetch implementations
• Added new utility packages: langsmith, langchainhub, mustache, decamelize
• Updated @upstash/redis to use uncrypto for cryptographic operations

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
agent-gpt	Error			Nov 8, 2025 1:57am
solana-ai-agent-gpt5	Error			Nov 8, 2025 1:57am

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[entelligence-ai-pr-reviews]

🔒 Entelligence AI Vulnerability Scanner

✅ No security vulnerabilities found!

Your code passed our comprehensive security analysis.

---

[entelligence-ai-pr-reviews]

Walkthrough

This PR upgrades the LangChain library from version 0.0.63 to 0.1.29, representing a significant architectural shift from a monolithic package to a modular structure. The update introduces new scoped packages (@langchain/community, @langchain/core, @langchain/openai) and upgrades critical dependencies including @anthropic-ai/sdk (0.4.3→0.9.1) and openai (3.2.1→4.104.0). Several deprecated packages are removed and replaced with modern alternatives: @dqbd/tiktoken is replaced with js-tiktoken, and isomorphic-fetch dependencies are replaced with native fetch implementations. New utility packages (langsmith, langchainhub, mustache, decamelize) are added to support enhanced functionality. The @upstash/redis package is updated to use uncrypto instead of isomorphic-fetch for cryptographic operations.

Changes

File(s)	Summary
package.json	Updated langchain dependency from ^0.0.63 to ^0.1.29, representing a significant minor version bump with potential breaking changes and new features.
package-lock.json	Updated langchain from 0.0.63 to 0.1.29 with new modular dependencies (@langchain/community, @langchain/core, @langchain/openai); upgraded @anthropic-ai/sdk from 0.4.3 to 0.9.1 and openai from 3.2.1 to 4.104.0; removed deprecated packages (@dqbd/tiktoken, @fortaine/fetch-event-source, browser-or-node, isomorphic-fetch) and replaced with modern alternatives (js-tiktoken, native fetch); added new utility packages (langsmith, langchainhub, mustache, decamelize); updated @upstash/redis to use uncrypto instead of isomorphic-fetch.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant App as Application
    participant LC as langchain (v0.1.29)
    participant Core as @langchain/core
    participant OpenAI as @langchain/openai
    participant Community as @langchain/community
    participant Smith as langsmith
    participant Hub as langchainhub
    participant Anthropic as @anthropic-ai/sdk (v0.9.1)
    participant OpenAISDK as openai (v4.104.0)
    participant Redis as @upstash/redis (v1.35.6)

    Note over App,Redis: Initialization Phase
    App->>LC: Initialize LangChain
    LC->>Core: Load core abstractions
    Core-->>LC: Core components ready
    LC->>OpenAI: Initialize OpenAI integration
    OpenAI->>OpenAISDK: Connect to OpenAI API
    OpenAISDK-->>OpenAI: Connection established
    LC->>Community: Load community integrations
    Community-->>LC: Integrations ready

    Note over App,Redis: LLM Request Flow
    App->>LC: Create LLM chain/agent
    LC->>Core: Use base abstractions
    
    alt OpenAI Model
        LC->>OpenAI: Route to OpenAI provider
        OpenAI->>OpenAISDK: Make API call
        OpenAISDK-->>OpenAI: Return response
        OpenAI-->>LC: Formatted response
    else Anthropic Model
        LC->>Community: Route to Anthropic integration
        Community->>Anthropic: Make API call
        Anthropic-->>Community: Return response
        Community-->>LC: Formatted response
    end

    Note over App,Redis: Observability & Tracing
    LC->>Smith: Log chain execution
    Smith-->>LC: Tracking confirmed
    
    Note over App,Redis: Prompt Management
    App->>Hub: Fetch prompt template
    Hub-->>App: Return template
    App->>LC: Execute with template

    Note over App,Redis: Caching Layer
    LC->>Redis: Check cache
    alt Cache Hit
        Redis-->>LC: Return cached result
    else Cache Miss
        Redis-->>LC: No cache
        LC->>OpenAI: Execute request
        OpenAI-->>LC: Response
        LC->>Redis: Store in cache
    end

    LC-->>App: Final response

Loading

▶️ ⚡ AI Code Reviews for VS Code, Cursor, Windsurf
Install the extension

Note for Windsurf

Please change the default marketplace provider to the following in the windsurf settings:

Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery

Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items

Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts below

Emoji Descriptions:

• ⚠️ Potential Issue - May require further investigation.
• 🔒 Security Vulnerability - Fix to ensure system safety.
• 💻 Code Improvement - Suggestions to enhance code quality.
• 🔨 Refactor Suggestion - Recommendations for restructuring code.
• ℹ️ Others - General comments and information.

Interact with the Bot:

• Send a message or request using the format:
  @entelligenceai + *your message*

Example: @entelligenceai Can you suggest improvements for this code?

• Help the Bot learn by providing feedback on its responses.
  @entelligenceai + *feedback*

Example: @entelligenceai Do not comment on `save_auth` function !

Also you can trigger various commands with the bot by doing
@entelligenceai command

The current supported commands are

1. config - shows the current config
2. retrigger_review - retriggers the review

More commands to be added soon.

[openzeppelin-code]

[Snyk] Security upgrade langchain from 0.0.63 to 0.1.29

Generated at commit: 421a16eb5ef31b676025055b6e9d9bd5a56066cf

🚨 Report Summary

	Severity Level	Results
Contracts	Critical High Medium Low Note Total	0 0 0 0 0 0
Dependencies	Critical High Medium Low Note Total	0 0 0 0 0 0

---

For more details view the full report in OpenZeppelin Code Inspector

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	langchain@​0.0.63 ⏵ 0.1.29	+1		+16

View full report