fix(deps): update dependency @langchain/community to v1 [security] #1252
Open
renovate[bot] wants to merge 1 commit into main from
This PR contains the following updates:

- `@langchain/community`: `^0.3.22` → `^1.1.18`

Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts

CVE-2026-26019

Description

The `RecursiveUrlLoader` class in `@langchain/community` is a web crawler that recursively follows links from a starting URL. Its `preventOutside` option (enabled by default) is intended to restrict crawling to the same site as the base URL.

The implementation used `String.startsWith()` to compare URLs, which does not perform semantic URL validation. An attacker who controls content on a crawled page could include links to domains that share a string prefix with the target (e.g., `https://example.com.attacker.com` passes a `startsWith` check against `https://example.com`), causing the crawler to follow links to attacker-controlled or internal infrastructure.

Additionally, the crawler performed no validation against private or reserved IP addresses. A crawled page could include links targeting cloud metadata services (`169.254.169.254`), localhost, or RFC 1918 addresses, and the crawler would fetch them without restriction.

Impact

An attacker who can influence the content of a page being crawled (e.g., by placing a link on a public-facing page, forum, or user-generated content) could cause the crawler to:

- fetch RFC 1918 addresses (`10.x`, `172.16.x`, `192.168.x`)

This is exploitable in any environment where `RecursiveUrlLoader` runs on infrastructure with access to cloud metadata or internal services — which includes most cloud-hosted deployments.

Resolution

Two changes were made:

1. Origin comparison replaced. The `startsWith` check was replaced with a strict origin comparison using the URL API (`new URL(link).origin === new URL(baseUrl).origin`). This correctly validates scheme, hostname, and port as a unit, preventing subdomain-based bypasses.
2. SSRF validation added to all fetch operations. A new URL validation module (`@langchain/core/utils/ssrf`) was introduced and applied before every outbound fetch in the crawler. This blocks requests to:
   - cloud metadata endpoints: `169.254.169.254`, `169.254.170.2`, `100.100.100.200`, `metadata.google.internal`, and related hostnames
   - IPv4 ranges: `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `127.0.0.0/8`, `169.254.0.0/16`
   - IPv6: `::1`, `fc00::/7`, `fe80::/10`
   - non-`http`/`https` schemes (`file:`, `ftp:`, `javascript:`, etc.)

   Cloud metadata endpoints are unconditionally blocked and cannot be overridden.

Workarounds

Users who cannot upgrade immediately should avoid using `RecursiveUrlLoader` on untrusted or user-influenced content, or should run the crawler in a network environment without access to cloud metadata or internal services.

CVE-2026-27795
Summary

A redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019).

Affected Component

- Package: `@langchain/community`
- Class: `RecursiveUrlLoader`
- Option: `preventOutside` (default: `true`) is insufficient to prevent this bypass when redirects are followed automatically.

Description

`RecursiveUrlLoader` is a web crawler that recursively follows links from a starting URL. The existing SSRF mitigation validates the initial URL before fetching, but it does not re-validate when the request follows redirects. Because fetch follows redirects by default, an attacker can supply a public URL that passes validation and then redirects to a private network address, localhost, or cloud metadata endpoint.

This constitutes a "check-then-act" gap in the request lifecycle: the safety check occurs before the redirect chain is resolved, and the final destination is never validated.

Impact

If an attacker can influence content on a page being crawled (e.g., user-generated content, untrusted external pages), they can cause the crawler to:

- fetch private network addresses (`10.x`, `172.16.x`, `192.168.x`)

This is exploitable in any environment where `RecursiveUrlLoader` runs with access to internal networks or metadata services, which includes most cloud-hosted deployments.

Attack Scenario

Example redirector:
Root Cause

- SSRF validation (`validateSafeUrl`) is only performed on the initial URL.
- fetch follows redirects automatically (`redirect: "follow"` default), so the request can change destinations without additional validation.

Resolution

Upgrade to `@langchain/community` >= 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them.

- Automatic redirects are disabled (`redirect: "manual"`).
- Each `Location` is resolved and validated with `validateSafeUrl()` before the next request.

Resources
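The three mechanisms the two advisories describe (strict origin comparison, a literal-address SSRF filter, and manual redirect following that re-validates every `Location`), written as an added stand-alone example rather than the project's own code. `isSameOrigin` and `validateSafeUrl` here are re-implementations named after the advisory's functions, not the `@langchain/core/utils/ssrf` exports; `safeFetch`, the injected `fetchImpl` and the IPv6 prefix handling are this example's own assumptions.

```javascript
// Added example, not langchainjs code. Hosts and ranges are those the advisory
// lists; IPv6 is handled by a prefix check (an assumption of this example).
const METADATA_HOSTS = new Set([
  "169.254.169.254", "169.254.170.2", "100.100.100.200", "metadata.google.internal",
]);
const BLOCKED_V4 = [ // [network, prefix length]
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], ["127.0.0.0", 8], ["169.254.0.0", 16],
];
function ipv4ToInt(host) { // dotted quad -> unsigned 32-bit number, or null
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m || m.slice(1).some((p) => Number(p) > 255)) return null;
  return m.slice(1).reduce((acc, p) => acc * 256 + Number(p), 0);
}
function inBlockedV4(ip) {
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}
// Strict origin check: scheme, host and port compared as one unit, so
// https://example.com.attacker.com no longer "matches" https://example.com.
function isSameOrigin(link, baseUrl) {
  return new URL(link).origin === new URL(baseUrl).origin;
}
// Literal-address filter. It does not resolve DNS, so a hostname that resolves
// to a private address needs resolver-level checks on top of this.
function validateSafeUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (host === "localhost" || host === "::1" || METADATA_HOSTS.has(host)) return false;
  const ip = ipv4ToInt(host);
  if (ip !== null && inBlockedV4(ip)) return false;
  return !(host.includes(":") && /^(f[cd]|fe[89ab])/.test(host)); // fc00::/7, fe80::/10
}
// Manual redirect following: each Location is resolved against the hop that
// issued it and re-validated before the next request. fetchImpl is injected
// so the example can run offline against a fake fetch.
async function safeFetch(startUrl, fetchImpl, maxHops = 5) {
  let current = startUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!validateSafeUrl(current)) throw new Error(`blocked: ${current}`);
    const res = await fetchImpl(current, { redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status < 300 || res.status > 399 || !location) return res;
    current = new URL(location, current).href;
  }
  throw new Error("too many redirects");
}
```

With the real `fetch`, pass `globalThis.fetch` as `fetchImpl`; a 3xx response with `redirect: "manual"` is returned to the caller rather than followed, which is what lets each hop be checked.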
Release Notes

langchain-ai/langchainjs (@langchain/community)

v1.1.18

Patch Changes

- #9900 a9b5059 Thanks @hntrl! - fix(core): update method signatures to use `Partial<CallOptions>` for options parameters. Updated `invoke`, `stream`, `generate`, and `generatePrompt` method signatures across `Runnable`, `BaseChatModel`, and `BaseLLM` to correctly accept `Partial<CallOptions>` instead of full `CallOptions`. This aligns the implementation with the `RunnableInterface` specification and allows users to pass partial options (e.g., `{ signal: abortedSignal }`) without TypeScript errors.
- #9900 a9b5059 Thanks @hntrl! - Improved abort signal handling for chat models:
  - `ModelAbortError` class in `@langchain/core/errors` that contains partial output when a model invocation is aborted mid-stream
  - `invoke()` now throws `ModelAbortError` with accumulated `partialOutput` when aborted during streaming (when using streaming callback handlers)
  - `stream()` throws a regular `AbortError` when aborted (since chunks are already yielded to the caller)
  - `_generate()` and `_streamResponseChunks()` methods

v1.1.16

Patch Changes

- #9830 70387a1 Thanks @bracesproul! - fix: More undefined null errors and tests
- #9679 a7c6ec5 Thanks @christian-bromann! - feat(openai): elevate OpenAI image generation outputs to proper image content blocks
- #9817 5e04543 Thanks @Ashx098! - read error.status when response.status is absent to avoid retrying OpenAI SDK 4xx
- #9819 40b4467 Thanks @MrDockal! - Tool call content returns compacted json
- #9815 17e30bd Thanks @hntrl! - fix(core): respect tracingEnabled=false from RunTree when env tracing is enabled

v1.1.15

Patch Changes

- 230462d Thanks @christian-bromann! - fix(core): preserve index and timestamp fields in `_mergeDicts`

v1.1.14

Patch Changes

- #9990 d5e3db0 Thanks @hntrl! - feat(core): Add SSRF protection module (`@langchain/core/utils/ssrf`) with utilities for validating URLs against private IPs, cloud metadata endpoints, and localhost. fix(community): Harden `RecursiveUrlLoader` against SSRF attacks by integrating `validateSafeUrl` and replacing string-based URL comparison with origin-based `isSameOrigin` from the shared SSRF module.
- Updated dependencies [d5e3db0, 6939dab, ad581c7]

v1.1.13

Patch Changes

- #9777 3efe79c Thanks @christian-bromann! - fix(core): properly elevate reasoning tokens
- #9789 b8561c1 Thanks @hntrl! - source JsonOutputParser content from text accessor

v1.1.12 (Compare Source)

Patch Changes

- 23be5af Thanks @christian-bromann! - fix(@langchain/core): add literal name type inference to tool()

v1.1.11 (Compare Source)

Patch Changes

- a46a249 Thanks @christian-bromann! - fix(core): allow shared object references in serialization

v1.1.10 (Compare Source)

Patch Changes

- 817fc9a Thanks @bracesproul! - fix: `_mergeDicts` error when merging undefined values

v1.1.9 (Compare Source)

Patch Changes

- #9725 56600b9 Thanks @Orenoid! - fix(langchain): update merge logic for numeric values in `mergeDicts`
- #9736 dc5c2ac Thanks @hntrl! - fix(core): handle circular references in `load`
- #9739 c28d24a Thanks @christian-bromann! - fix(core): use getBufferString for message summarization
- #9702 bfcb87d Thanks @christian-bromann! - fix(core): improve interop with Zod

v1.1.8

Patch Changes

- #9707 e5063f9 Thanks @hntrl! - add security hardening for `load`
- #9684 8996647 Thanks @christian-bromann! - fix(core): document purpose of name in base message

v1.1.6 (Compare Source)

Patch Changes

- #9835 adb3625 Thanks @maahir30! - Use UTF-8 byte length for metadata fields
- Updated dependencies []

v1.1.5 (Compare Source)

Patch Changes

- #9641 005c729 Thanks @christian-bromann! - fix(community/core): various security fixes
- #7907 ab78246 Thanks @jasonphillips! - fix(core): handle subgraph nesting better in graph_mermaid
- #9589 8cc81c7 Thanks @nathannewyen! - test(core): add test for response_metadata in streamEvents
- #9644 f32e499 Thanks @hntrl! - add bindTools to FakeListChatModel
- #9508 a28d83d Thanks @shubham-021! - Fix toFormattedString() to properly display nested objects in tool call arguments instead of [object Object]
- #9165 2e5ad70 Thanks @pawel-twardziak! - fix(mcp-adapters): preserve timeout from RunnableConfig in MCP tool calls
- #9647 e456c66 Thanks @hntrl! - handle missing parent runs in tracer to prevent LangSmith 400 errors
- #9597 1cfe603 Thanks @hntrl! - use uuid7 for run ids

v1.1.4 (Compare Source)

Patch Changes

- Updated dependencies [3efe79c]

v1.1.3 (Compare Source)

Patch Changes

- #9534 bd2c46e Thanks @christian-bromann! - fix(@langchain/core): update and bundle `p-retry`, `ansi-styles`, `camelcase` and `decamelize` dependencies
- #9544 487378b Thanks @hntrl! - fix tool chunk concat behavior (#9450)
- #9505 138e7fb Thanks @chosh-dev! - feat: replace btoa with toBase64Url for encoding in drawMermaidImage

v1.1.2

Patch Changes

- #9601 d79d2ff Thanks @Orenoid! - feat(zhipuai): support tool calling in ChatZhipuAI
- Updated dependencies [13c9d5b, cc502e1, 75b3b90]

v1.1.1

Patch Changes

- #9495 636b994 Thanks @gsriram24! - fix: use dynamic import for p-retry to support CommonJS environments
- #9531 38f0162 Thanks @hntrl! - add `extras` to tools

v1.1.0 (Compare Source)

Minor Changes

- #9424 f17b2c9 Thanks @hntrl! - add support for `betas` param
- #9424 f17b2c9 Thanks @hntrl! - add support for native structured output

Patch Changes

- f17b2c9 Thanks @hntrl! - bump sdk version

v1.0.7 (Compare Source)

Patch Changes

- #9436 ca32dd7 Thanks @sinedied! - Fix possible race condition in FileSystemChatMessageHistory
- #8333 dc396c4 Thanks @ejscribner! - community[minor]: Create CouchbaseQueryVectorStore
- Updated dependencies []

v1.0.6

Patch Changes

- f7cfece Thanks @deepansh946! - Updated error handling behaviour of AgentNode

v1.0.5

Patch Changes

- #9403 944bf56 Thanks @christian-bromann! - improvements to toolEmulator middleware
- #9388 831168a Thanks @hntrl! - use `profile.maxInputTokens` in summarization middleware
- #9393 f1e2f9e Thanks @christian-bromann! - align context editing with summarization interface
- #9427 bad7aea Thanks @dqbd! - fix(langchain): add tool call contents and tool call ID to improve token count approximation
- #9396 ed6b581 Thanks @christian-bromann! - rename exit behavior from throw to error

v1.0.4

Patch Changes

- #9326 3e0cab6 Thanks @ayanyev! - Milvus vector store client: ignore auto-calculated fields in collection schema during payload validation
- Updated dependencies [415cb0b, a2ad61e, 34c472d]

v1.0.3

Patch Changes

v1.0.2

Patch Changes

v0.3.59

v0.3.58 (Compare Source)
v0.3.56Compare Source
v0.3.55Compare Source
v0.3.54Compare Source
v0.3.53Compare Source
v0.3.52Compare Source
v0.3.51Compare Source
v0.3.50Compare Source
v0.3.49Compare Source
v0.3.48Compare Source
v0.3.47Compare Source
v0.3.46Compare Source
v0.3.45Compare Source
v0.3.44Compare Source
v0.3.43Compare Source
v0.3.42Compare Source
v0.3.41Compare Source
v0.3.40Compare Source
v0.3.39Compare Source
v0.3.38Compare Source
v0.3.37Compare Source
v0.3.36Compare Source
v0.3.35Compare Source
v0.3.34Compare Source
v0.3.33Compare Source
v0.3.32Compare Source
v0.3.31Compare Source
v0.3.30Compare Source
v0.3.29Compare Source
v0.3.28Compare Source
v0.3.27Compare Source
v0.3.27 (Compare Source)

What's Changed

- `Runnable.bind` by @benjamincburns in #8192
- `window.LanguageModel` by @jtpio in #8173

New Contributors

Full Changelog: langchain-ai/langchainjs@0.3.26...0.3.27

v0.3.26 (Compare Source)

What's Changed

Full Changelog: langchain-ai/langchainjs@0.3.25...0.3.26

v0.3.25 (Compare Source)

What's Changed

- `ensureTableInDatabase` in typeorm vectorstore. by @n1md7 in #4504

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.