chore(deps): bump the ai-providers group with 4 updates

[dependabot]

Bumps the ai-providers group with 4 updates: langchain, langgraph, langchain-core and langchain-anthropic.

Updates langchain from 1.2.13 to 1.3.1

Release notes

Sourced from langchain's releases.

langchain-core==1.3.1

Changes since langchain-core==1.3.0

release(core): 1.3.1 (#36972) feat(core): allow _format_output to pass through list of ToolOutputMixin instances (#36963) chore: bump nbconvert from 7.17.0 to 7.17.1 in /libs/core (#36923) feat(core): Update inheritance behavior for tracer metadata for special keys (#36900) chore: bump langsmith from 0.7.13 to 0.7.31 in /libs/core (#36813)

langchain-fireworks==1.3.1

Changes since langchain-fireworks==1.3.0

fix(fireworks): require api_key in FireworksEmbeddings (#37193) release(fireworks): 1.3.1 (#37189) fix(fireworks): strip non-wire keys from ToolMessage text content blocks (#37187)

langchain==1.3.1

Changes since langchain==1.3.0

release(langchain): 1.3.1 (#37454) fix(langchain): alias Bedrock providers in summarization token check (#37453)

langchain-core==1.3.0

Changes since langchain-core==1.2.31

release(core): release 1.3.0 (#36851) release(core): 1.3.0a3 (#36829) chore(core): keep checkpoint_ns behavior in streaming metadata for backwards compat (#36828) feat(core): Add chat model and LLM invocation params to traceable metadata (#36771) fix(core): restore cloud metadata IPs and link-local range in SSRF policy (#36816) chore(deps): bump pytest to 9.0.3 (#36801) chore(core): harden private SSRF utilities (#36768) fix(openai): handle content blocks without type key in responses api conversion (#36725) chore: bump pytest from 9.0.2 to 9.0.3 in /libs/core (#36719) release(core): 1.3.0.a2 (#36698) fix(core): Use reference counting for storing inherited run trees to support garbage collection (#36660) docs(core): nit (#36685) release(core): 1.3.0a1 (#36656) chore(core): reduce streaming metadata / perf (#36588)

langchain-fireworks==1.3.0

Changes since langchain-fireworks==1.2.1

release(fireworks): 1.3.0 (#37144) feat(fireworks): service_tier init kwarg on ChatFireworks (#37143) chore(model-profiles): refresh model profile data (#37122)

langchain==1.3.0

This release adds support for version="v3" in stream_events / astream_events for langchain agents. Refer to the event streaming guide for details.

... (truncated)

Commits

• b6b769b release(langchain): 1.3.1 (#37454)
• 36c381b fix(langchain): alias Bedrock providers in summarization token check (#37453)
• 0831e44 docs(openai): document base_url env var fallback chain (#37436)
• e208f38 chore: bump langsmith from 0.8.0 to 0.8.4 in /libs/partners/xai (#37411)
• a4a2be9 chore: bump langsmith from 0.8.0 to 0.8.4 in /libs/partners/qdrant (#37412)
• f5322d9 chore: bump langsmith from 0.8.0 to 0.8.4 in /libs/partners/perplexity (#37413)
• 5d9ac69 chore: bump langsmith from 0.8.0 to 0.8.4 in /libs/partners/openrouter (#37414)
• f42d80c fix(core): preserve chunk additional_kwargs across v3 stream assembly (#37435)
• 649d82f fix(core): preserve reasoning blocks alongside tool_call in v3 stream (#37434)
• 9f9a8a7 chore: bump langsmith from 0.8.0 to 0.8.4 in /libs/partners/ollama (#37415)
• Additional commits viewable in compare view

Updates langgraph from 1.1.3 to 1.2.0

Release notes

Sourced from langgraph's releases.

langgraph==1.2.0

Changes since 1.2.0a7

• release: bump alpha packages to official versions (#7775)
• feat(langgraph): durable error-handler resume across host crashes (#7773)
• feat(langgraph): add set_node_defaults() to StateGraph (#7747)
• chore(deps): bump urllib3 from 2.6.3 to 2.7.0 in /libs/langgraph (#7766)
• chore(deps): bump mistune from 3.2.0 to 3.2.1 in /libs/langgraph (#7733)
• chore(langgraph): bump langchain-core to 1.4.0 (#7767)
• feat(checkpoint): force delta channel snapshot after max supersteps since last snapshot (#7746)
• test(langgraph): de-flake heartbeat progress test (#7735)
• chore(langgraph): re-implement exit mode for delta channel (#7730)
• chore(deps): bump ty from 0.0.23 to 0.0.33 in /libs/sdk-py (#7666)
• docs(checkpoint): mark DeltaChannel and delta-history APIs as beta (#7732)
• chore(deps): bump jupyter-server from 2.17.0 to 2.18.0 in /libs/langgraph (#7713)
• feat(checkpoint-sqlite): override get_delta_channel_history with streaming walk (#7702)
• chore: "chore: minor clean up around checkpoint and delta channel" (#7706)
• chore: minor clean up around checkpoint and delta channel (#7705)

langgraph==1.2.0a7

Changes since 1.2.0a6

• release: alpha bump (a4) for langgraph, checkpoint, checkpoint-postgres (#7701)
• feat: public get_writes_history saver API + delta cadence rework (#7699)

langgraph==1.2.0a6

langgraph v1.2 (alpha)

This release adds finer-grained control over node execution — timeouts, error recovery, and graceful shutdown — a new channel type that cuts checkpoint overhead for long-running threads, and a new content-block-centric streaming API (v3) with typed, per-channel projections.

---

DeltaChannel (beta)

A new channel type that stores only the incremental delta at each step rather than re-serializing the full accumulated value. Most useful for channels that grow large over time — for example, a message list in a long-running thread. Without it, the full message list is written into every checkpoint; with DeltaChannel, only the new messages from each step are stored.

Use snapshot_frequency=K to write a full snapshot every K steps and bound read latency:

from typing import Annotated, Sequence
from typing_extensions import TypedDict
from langgraph.channels import DeltaChannel
batch reducer: receives the current value and all writes from the superstep at once
def list_reducer(messages: list[str], writes: Sequence[list[str]]) -> list[str]:
return [*messages, *(item for write in writes for item in write)]
class State(TypedDict):
messages: Annotated[list[str], DeltaChannel(list_reducer, snapshot_frequency=5)]

... (truncated)

Commits

• 3614e88 release: bump alpha packages to official versions (#7775)
• 6dff3b3 feat(langgraph): durable error-handler resume across host crashes (#7773)
• 786c42f release(cli): 0.4.26 (#7772)
• 8537ea9 fix(cli): add support for prerelease api_versions (#7771)
• 3db82d5 feat(langgraph): add set_node_defaults() to StateGraph (#7747)
• 029eabf chore(deps): bump urllib3 from 2.6.3 to 2.7.0 in /libs/checkpoint (#7762)
• f52f1ce chore(deps): bump the uv group across 2 directories with 1 update (#7749)
• e47a7bb chore(deps): bump langchain-core from 1.3.2 to 1.3.3 in /libs/checkpoint (#7752)
• 29fefa0 chore(deps): bump urllib3 from 2.6.3 to 2.7.0 in /libs/langgraph (#7766)
• 0c23779 chore(deps): bump urllib3 from 2.6.3 to 2.7.0 in /libs/cli (#7765)
• Additional commits viewable in compare view

Updates langchain-core from 1.2.22 to 1.4.0

Release notes

Sourced from langchain-core's releases.

langchain-core==1.4.0

Changes since langchain-core==0.3.86

chore(infra): merge v1.4 into master (#37350) chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/core (#37329) fix(core): avoid eager pydantic.v1 import in @deprecated (#37308) chore: bump mistune from 3.1.4 to 3.2.1 in /libs/core (#37237) chore: bump jupyter-server from 2.17.0 to 2.18.0 in /libs/core (#37204) release(core): 1.3.3 (#37198) fix(core): set deprecation since to 1.3.3 to match release (#37200) fix(core, langchain): harden load() against untrusted manifests (#37197) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (#37109) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (#37129) fix(core): preserve structured inputs on tool runs in tracers (#37108) release(perplexity): 1.2.0 (#37091) chore(docs): update x handle references (#37081) fix(core): make removal optional in warn_deprecated (#37056) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (#36663) chore(core): mark stream_v2/astream_v2 as beta (#36992) release(core): 1.3.2 (#36990) feat(core): add content-block-centric streaming (v2) (#36834) release(core): 1.3.1 (#36972) feat(core): allow _format_output to pass through list of ToolOutputMixin instances (#36963) chore: bump nbconvert from 7.17.0 to 7.17.1 in /libs/core (#36923) feat(core): Update inheritance behavior for tracer metadata for special keys (#36900) chore: bump langsmith from 0.7.13 to 0.7.31 in /libs/core (#36813) release(core): release 1.3.0 (#36851) release(core): 1.3.0a3 (#36829) chore(core): keep checkpoint_ns behavior in streaming metadata for backwards compat (#36828) feat(core): Add chat model and LLM invocation params to traceable metadata (#36771) fix(core): restore cloud metadata IPs and link-local range in SSRF policy (#36816) chore(deps): bump pytest to 9.0.3 (#36801) chore(core): harden private SSRF utilities (#36768) fix(openai): handle content blocks without type key in responses api conversion (#36725) chore: bump pytest from 9.0.2 to 9.0.3 in /libs/core (#36719) release(core): 1.3.0.a2 (#36698) fix(core): Use reference counting for storing inherited run trees to support garbage collection (#36660) docs(core): nit (#36685) release(core): 1.3.0a1 (#36656) chore(core): reduce streaming metadata / perf (#36588) release(core): release 1.2.28 (#36614) fix(core): add more sanitization to templates (#36612) release(core): 1.2.27 (#36586) fix(core): handle symlinks in deprecated prompt save path (#36585) chore: add comment explaining pygments>=2.20.0 (#36570) release(core): 1.2.26 (#36511) fix(core): add init validator and serialization mappings for Bedrock models (#34510) feat(core): add ChatBaseten to serializable mapping (#36510) chore(core): drop gpt-3.5-turbo from docstrings (#36497) fix(core): correct parameter names in filter_messages docstring example (#36462)

... (truncated)

Commits

• 70e66a1 chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/openrouter (#37352)
• da380bc chore(infra): merge v1.4 into master (#37350)
• bbd10fe chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/anthropic (#37343)
• 11bbfb7 chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/fireworks (#37339)
• 7fd61d2 chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/mistralai (#37338)
• 5c096bb chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/nomic (#37334)
• ac47d54 chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/chroma (#37333)
• 7e5c570 chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/qdrant (#37332)
• 2086b91 chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/core (#37329)
• 407e33a chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/langchain (#37327)
• Additional commits viewable in compare view

Updates langchain-anthropic from 1.4.0 to 1.4.3

Release notes

Sourced from langchain-anthropic's releases.

langchain-anthropic==1.4.3

Changes since langchain-anthropic==1.4.2

release(anthropic): 1.4.3 (#37166) refactor(langchain-classic): retarget deprecations to create_agent, other chores (#37164) chore(docs): update x handle references (#37081) fix(anthropic): guard httpx finalizers (#37064)

langchain-anthropic==1.4.2

Changes since langchain-anthropic==1.4.1

release(anthropic): 1.4.2 (#37061) fix(anthropic): restore cache_control on non-direct subclasses (#37057) hotfix: bump min core versions (#36996) feat(core): add content-block-centric streaming (v2) (#36834) hotfix(ci): remove nobenchmark flag (#36959) chore(partners): standardize integration test invocation (#36958)

langchain-anthropic==1.4.1

Changes since langchain-anthropic==1.4.0

fix(anthropic): strip null encrypted_content from compaction blocks (#36850) release(anthropic): 1.4.1 (#36848) feat(anthropic): support opus 4.7 features (#36847) chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/partners/anthropic (#36803) chore(deps): bump pytest to 9.0.3 (#36801) chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/partners/anthropic (#36789) chore(model-profiles): refresh model profile data (#36482) fix(core): fixed typos in the documentation (#36459) chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385) feat(anthropic): support adaptive thinking mode (#36293) chore: bump requests from 2.32.5 to 2.33.0 in /libs/partners/anthropic (#36258) chore(partners): bump langchain-core min to 1.2.21 (#36183) fix(core,model-profiles): add missing ModelProfile fields, warn on schema drift (#36129) ci: suppress pytest streaming output in CI (#36092) ci: avoid unnecessary dep installs in lint targets (#36046)

Commits

• 1c08d47 release(anthropic): 1.4.3 (#37166)
• 71708c6 release(langchain-classic): 1.0.5 (#37165)
• 5a9b1ec refactor(langchain-classic): retarget deprecations to create_agent, other c...
• 255f227 chore(langchain,langchain-classic): uncomment optional deps (#37163)
• c42b080 chore(model-profiles): refresh model profile data (#37162)
• e411a4e chore(model-profiles): refresh model profile data (#37148)
• 934d9e2 release(openrouter): 0.2.3 (#37146)
• 70f5626 fix(openrouter): merge fragmented reasoning_details in streaming (#36401)
• 2ed9359 release(mistralai): 1.1.3 (#37145)
• d1a3c3d feat(mistralai): add image input support for human messages (#37112)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	langchain-core@​1.2.22 ⏵ 1.4.0	-2	+18
	langgraph@​1.1.3 ⏵ 1.2.0	+1
	anthropic@​0.102.0
	langchain@​1.2.13 ⏵ 1.3.1	+1
	langchain-anthropic@​1.4.0 ⏵ 1.4.3	+1
	langgraph-checkpoint@​4.1.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: pypi langchain-core is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pyproject.toml → pypi/langchain-core@1.4.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/langchain-core@1.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi langchain-core is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pyproject.toml → pypi/langchain-core@1.4.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/langchain-core@1.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[github-actions]

posthog-python Compliance Report

Date: 2026-05-25 15:54:29 UTC
Duration: 176120ms

✅ All Tests Passed!

45/45 tests passed

---

Capture Tests

✅ 29/29 tests passed

View Details

Test	Status	Duration
Format Validation.Event Has Required Fields	✅	517ms
Format Validation.Event Has Uuid	✅	1508ms
Format Validation.Event Has Lib Properties	✅	1507ms
Format Validation.Distinct Id Is String	✅	1507ms
Format Validation.Token Is Present	✅	1507ms
Format Validation.Custom Properties Preserved	✅	1506ms
Format Validation.Event Has Timestamp	✅	1507ms
Retry Behavior.Retries On 503	✅	9519ms
Retry Behavior.Does Not Retry On 400	✅	3505ms
Retry Behavior.Does Not Retry On 401	✅	3508ms
Retry Behavior.Respects Retry After Header	✅	9515ms
Retry Behavior.Implements Backoff	✅	23528ms
Retry Behavior.Retries On 500	✅	7507ms
Retry Behavior.Retries On 502	✅	7512ms
Retry Behavior.Retries On 504	✅	7511ms
Retry Behavior.Max Retries Respected	✅	23530ms
Deduplication.Generates Unique Uuids	✅	1496ms
Deduplication.Preserves Uuid On Retry	✅	7514ms
Deduplication.Preserves Uuid And Timestamp On Retry	✅	14517ms
Deduplication.Preserves Uuid And Timestamp On Batch Retry	✅	7514ms
Deduplication.No Duplicate Events In Batch	✅	1503ms
Deduplication.Different Events Have Different Uuids	✅	1507ms
Compression.Sends Gzip When Enabled	✅	1507ms
Batch Format.Uses Proper Batch Structure	✅	1507ms
Batch Format.Flush With No Events Sends Nothing	✅	1005ms
Batch Format.Multiple Events Batched Together	✅	1507ms
Error Handling.Does Not Retry On 403	✅	3509ms
Error Handling.Does Not Retry On 413	✅	3506ms
Error Handling.Retries On 408	✅	7513ms

Feature_Flags Tests

✅ 16/16 tests passed

View Details

Test	Status	Duration
Request Payload.Request With Person Properties Device Id	✅	1005ms
Request Payload.Flags Request Uses V2 Query Param	✅	1007ms
Request Payload.Flags Request Hits Flags Path Not Decide	✅	1007ms
Request Payload.Flags Request Omits Authorization Header	✅	1006ms
Request Payload.Token In Flags Body Matches Init	✅	1007ms
Request Payload.Groups Round Trip	✅	1006ms
Request Payload.Groups Default To Empty Object	✅	1007ms
Request Payload.Person Properties Distinct Id Auto Populated When Caller Omits It	✅	1007ms
Request Payload.Disable Geoip False Propagates As Geoip Disable False	✅	1007ms
Request Payload.Disable Geoip Omitted Defaults To False	✅	1007ms
Request Payload.Flag Keys To Evaluate Contains Only Requested Key	✅	1007ms
Request Lifecycle.No Flags Request On Init Alone	✅	503ms
Request Lifecycle.No Flags Request On Normal Capture	✅	1507ms
Request Lifecycle.Two Flag Calls Produce Two Remote Requests	✅	1011ms
Request Lifecycle.Mock Response Value Is Returned To Caller	✅	1003ms
Side Effect Events.Get Feature Flag Captures Feature Flag Called Event	✅	1509ms