Skip to content

build(deps): bump uuid, @langchain/langgraph and @langchain/core in /runtimes/langgraph-ts#392

Merged
pallakatos merged 1 commit into
mainfrom
dependabot/npm_and_yarn/runtimes/langgraph-ts/multi-dd637fb0b6
Jun 22, 2026
Merged

build(deps): bump uuid, @langchain/langgraph and @langchain/core in /runtimes/langgraph-ts#392
pallakatos merged 1 commit into
mainfrom
dependabot/npm_and_yarn/runtimes/langgraph-ts/multi-dd637fb0b6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 2, 2026

Copy link
Copy Markdown
Contributor

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


Removes uuid. It's no longer used after updating ancestor dependencies uuid, @langchain/langgraph and @langchain/core. These dependencies need to be updated together.

Removes uuid

Updates @langchain/langgraph from 0.2.74 to 1.4.4

Release notes

Sourced from @​langchain/langgraph's releases.

@​langchain/langgraph@​1.4.4

Patch Changes

  • #2552 d662cbb Thanks @​christian-bromann! - fix(langgraph): isolate concurrent singleton-agent invocations by thread

    ensureLangGraphConfig ignores the ambient AsyncLocalStorage configurable on root-level invokes that supply an invoke-time thread_id and have no nesting keys (ignoring graph-bound .withConfig() defaults). On a fresh top-level run the ambient configurable can belong to another concurrent invocation, so its keys — internal scratchpad/task-input as well as user keys like tenant_id/user_id — must not leak in; values the caller wants arrive through the explicit (bound + invoke-time) configs. Ambient nesting (__pregel_read__) and bound child graphs invoked from parent tasks are unaffected. This prevents cross-invocation leakage between concurrent invoke() calls on a shared compiled graph (e.g. BullMQ workers with concurrency > 1). Complements the config-merge fix that stopped shared graph-bound metadata/configurable objects from being mutated across invocations (#2040).

  • #2553 1c2aa5b Thanks @​christian-bromann! - fix(langgraph): recognize JSON-erased Overwrite values across runtimes

    Overwrite already survives JSON serialization in JS because Overwrite.toJSON() emits the canonical { "__overwrite__": value } sentinel. _getOverwriteValue now additionally recognizes the discriminator form { "type": "__overwrite__", value } produced when a typed Overwrite from another runtime (e.g. a Python dataclass routed through the LangGraph API server) is serialized and its type is erased. This keeps Overwrite (and DeltaChannel) semantics intact across cross-runtime JSON boundaries. These delta-channel APIs remain Beta.

@​langchain/langgraph@​1.4.2

Patch Changes

  • #2527 9e114e5 Thanks @​christian-bromann! - chore(deps): remove uuid dependency in favor of embedded uuid in core

    Replace direct uuid package imports with @langchain/core/utils/uuid across langgraph packages to deduplicate dependencies and align with @​langchain/core's embedded UUID utilities.

  • Updated dependencies [ba31f04, e7e8035, 9e114e5]:

    • @​langchain/langgraph-sdk@​1.9.22
    • @​langchain/langgraph-checkpoint@​1.1.1

@​langchain/langgraph@​1.4.1

Patch Changes

  • #2520 2da5c33 Thanks @​christian-bromann! - fix(state): validate Zod state updates from nodes

    Validate node return values and Command updates against Zod state schema constraints before applying them to graph state.

... (truncated)

Changelog

Sourced from @​langchain/langgraph's changelog.

1.4.4

Patch Changes

  • #2552 d662cbb Thanks @​christian-bromann! - fix(langgraph): isolate concurrent singleton-agent invocations by thread

    ensureLangGraphConfig ignores the ambient AsyncLocalStorage configurable on root-level invokes that supply an invoke-time thread_id and have no nesting keys (ignoring graph-bound .withConfig() defaults). On a fresh top-level run the ambient configurable can belong to another concurrent invocation, so its keys — internal scratchpad/task-input as well as user keys like tenant_id/user_id — must not leak in; values the caller wants arrive through the explicit (bound + invoke-time) configs. Ambient nesting (__pregel_read__) and bound child graphs invoked from parent tasks are unaffected. This prevents cross-invocation leakage between concurrent invoke() calls on a shared compiled graph (e.g. BullMQ workers with concurrency > 1). Complements the config-merge fix that stopped shared graph-bound metadata/configurable objects from being mutated across invocations (#2040).

  • #2553 1c2aa5b Thanks @​christian-bromann! - fix(langgraph): recognize JSON-erased Overwrite values across runtimes

    Overwrite already survives JSON serialization in JS because Overwrite.toJSON() emits the canonical { "__overwrite__": value } sentinel. _getOverwriteValue now additionally recognizes the discriminator form { "type": "__overwrite__", value } produced when a typed Overwrite from another runtime (e.g. a Python dataclass routed through the LangGraph API server) is serialized and its type is erased. This keeps Overwrite (and DeltaChannel) semantics intact across cross-runtime JSON boundaries. These delta-channel APIs remain Beta.

1.4.3

Patch Changes

  • #2544 4487214 Thanks @​christian-bromann! - fix(langgraph): make concurrent DeltaChannel writes deterministic on replay

    Concurrent same-superstep writes to a DeltaChannel could reconstruct from a checkpoint differently than they were applied live, because live execution ordered them by task path while savers replayed them by task id. This fixes that divergence in two complementary ways:

    • Plain concurrent writes are now applied in the canonical (task_id, idx) order on both paths: _applyWrites orders them that way live, and the getDeltaChannelHistory walk enforces the same order so reconstruction matches live for every saver (Postgres, SQLite, MongoDB, Redis, and custom).
    • An Overwrite now wins its entire super-step: every sibling write in the same step — before AND after the Overwrite — is discarded, matching BinaryOperatorAggregate. This makes the result independent of the (unstable) ordering of concurrent fan-in writes; previously a plain write that landed after an Overwrite in the same step was still folded in.

... (truncated)

Commits
  • e6082e0 chore: version packages (#2554)
  • d662cbb fix(langgraph): isolate concurrent singleton-agent invocations by thread (#2552)
  • 1c2aa5b fix(langgraph): recognize JSON-erased Overwrite values across runtimes (#2553)
  • 73ecaa0 chore: version packages (#2536)
  • 4487214 fix(langgraph): replay concurrent DeltaChannel writes in live order (#2544)
  • bc667a9 fix(langgraph): support DeltaChannel fields in StateSchema (#2549)
  • e73bf8a test(langgraph-core): add test coverage on merging tags and metadata
  • be09666 fix(langgraph): dispatch stream messages handler inline (#2537)
  • 38cfe01 fix(langgraph): merge instead of overwrite in ensureLangGraphConfig (#2531)
  • a9fce5e chore(deps-dev): bump @​vitest/browser from 4.1.8 to 4.1.9 (#2539)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​langchain/langgraph since your current version.

Install script changes

This version adds prepublish script that runs during installation. Review the package contents before updating.


Updates @langchain/core from 0.3.80 to 1.2.0

Release notes

Sourced from @​langchain/core's releases.

@​langchain/core@​1.2.0

Minor Changes

Patch Changes

  • #11047 ac0f71d Thanks @​christian-bromann! - fix(core): preserve AIMessage content blocks

    Keep existing v1 contentBlocks when constructing AIMessage instances so serialized messages do not lose block content during deserialization.

@​langchain/core@​1.1.48

Patch Changes

  • #10832 1b24369 Thanks @​info-arnav! - fix(core, openrouter): make CJS default re-exports callable

  • #10666 2bb55b0 Thanks @​hnustwjj! - feat(openrouter): surface reasoning content as v1 standard content blocks

    convertOpenRouterResponseToBaseMessage and convertOpenRouterDeltaToBaseMessageChunk now copy OpenRouter's reasoning (flat string) and reasoning_details (structured array) fields onto additional_kwargs.reasoning_content / additional_kwargs.reasoning_details. A new ChatOpenRouterTranslator is registered in @langchain/core under the "openrouter" provider key so AIMessage.contentBlocks emits standard {type: "reasoning"} blocks alongside text and tool calls.

    Previously, reasoning text returned by reasoning-capable models routed through OpenRouter (DeepSeek R1, Minimax M2, Claude extended thinking, o-series, etc.) was silently dropped: only the reasoning_tokens count was preserved via usage_metadata. Consumers using standard content blocks (including the frontend agent UI patterns shown in the docs) could not display the model's chain of thought.

  • #10918 3999fab Thanks @​christian-bromann! - fix(openai): stream custom tool calls through Responses API chunks

@​langchain/core@​1.1.47

Patch Changes

  • #10906 f61b345 Thanks @​hntrl! - feat(core): add uuid v6 utility support

    Add v6 UUID generation support to @langchain/core/utils/uuid by vendoring the upstream uuidjs v6 implementation and its v1ToV6 helper, exporting v6 from the UUID utils index, and adding tests for deterministic generation, buffer/offset behavior, validation/versioning, and ordering.

  • #10872 a640079 Thanks @​hntrl! - chore(deps): remove redundant @​types/uuid declarations

    Remove @types/uuid from package manifests that rely on @langchain/core/utils/uuid or do not require uuid type stubs directly, and refresh the lockfile entries accordingly.

  • #10792 3682268 Thanks @​Genmin! - fix(core): apply v1 message casting after implicit streaming aggregation

  • #10901 f26fc4a Thanks @​christian-bromann! - fix(testing): share fakeModel invocation state across bindTools instances

... (truncated)

Commits
  • c5e8962 chore: version packages (#11059)
  • e51478a feat(aws): bedrock prompt caching middleware (#11080)
  • 7d61f5f fix(groq): tighten @​langchain/core peer dependency to ^1.1.30 (#11069)
  • 2e28115 feat(deps): native streamEvents ChatModelStreamEvent protocol (#10924)
  • 6d212ef docs(tavily): fix "refering" typo in tool description (#11067)
  • a001816 chore(deps): bump esbuild from 0.28.0 to 0.28.1 in /environment_tests/test-ex...
  • 234c8bb ci(infra): pin GitHub Actions to full-length commit SHAs (#11061)
  • 4aeaa76 feat(langchain): add when predicate to human-in-the-loop middleware (#11012)
  • ac0f71d fix(core): preserve AIMessage content blocks (#11047)
  • 39f338e chore: remove deprecated @​langchain/google-cloud-sql-pg package (#11060)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 2, 2026
@dependabot dependabot Bot requested a review from pallakatos as a code owner June 2, 2026 13:30
@dependabot dependabot Bot added the javascript Pull requests that update javascript code label Jun 2, 2026
@dependabot dependabot Bot requested review from johnsonshi and lachie83 as code owners June 2, 2026 13:30
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 2, 2026
@github-actions

github-actions Bot commented Jun 2, 2026

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
npm/@langchain/core 1.2.0 UnknownUnknown
npm/@langchain/langgraph 1.4.4 UnknownUnknown
npm/@langchain/langgraph-checkpoint 1.1.2 UnknownUnknown
npm/@langchain/langgraph-sdk 1.9.23 UnknownUnknown
npm/@langchain/protocol 0.0.16 UnknownUnknown
npm/@standard-schema/spec 1.1.0 UnknownUnknown
npm/eventemitter3 5.0.4 🟢 4
Details
CheckScoreReason
Code-Review⚠️ 1GitHub code reviews found for 3 commits out of the last 30 -- score normalized to 1
Maintained⚠️ 23 commit(s) out of 30 and 0 issue activity out of 30 found in the last 90 days -- score normalized to 2
CII-Best-Practices⚠️ 0no badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0non read-only tokens detected in GitHub workflows
Packaging⚠️ -1no published package detected
License🟢 10license file detected
Pinned-Dependencies🟢 7dependency not pinned by hash detected -- score normalized to 7
Vulnerabilities🟢 10no vulnerabilities detected
Dependency-Update-Tool⚠️ 0no update tool detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Fuzzing⚠️ 0project is not fuzzed
Security-Policy⚠️ 0security policy file not detected
npm/is-network-error 1.3.2 UnknownUnknown
npm/langsmith 0.7.10 🟢 8.6
Details
CheckScoreReason
Code-Review🟢 8Found 25/28 approved changesets -- score normalized to 8
Maintained🟢 1030 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Binary-Artifacts🟢 10no binaries found in the repo
License🟢 10license file detected
Pinned-Dependencies🟢 9dependency not pinned by hash detected -- score normalized to 9
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 10security policy file detected
Fuzzing⚠️ 0project is not fuzzed
Packaging🟢 10packaging workflow detected
SAST🟢 10SAST tool is run on all commits
npm/p-queue 9.3.0 🟢 4.5
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review⚠️ 1Found 3/30 approved changesets -- score normalized to 1
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Maintained🟢 911 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 9
Security-Policy🟢 10security policy file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/p-retry 7.1.1 🟢 3.7
Details
CheckScoreReason
Code-Review⚠️ 1Found 5/30 approved changesets -- score normalized to 1
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy🟢 10security policy file detected
Binary-Artifacts🟢 10no binaries found in the repo
Maintained⚠️ 12 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/p-timeout 7.0.1 🟢 3.8
Details
CheckScoreReason
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Code-Review🟢 3Found 11/30 approved changesets -- score normalized to 3
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0

Scanned Files

  • runtimes/langgraph-ts/package-lock.json

@pallakatos

Copy link
Copy Markdown
Collaborator

@dependabot rebase

Removes [uuid](https://github.com/uuidjs/uuid). It's no longer used after updating ancestor dependencies [uuid](https://github.com/uuidjs/uuid), [@langchain/langgraph](https://github.com/langchain-ai/langgraphjs/tree/HEAD/libs/langgraph-core) and [@langchain/core](https://github.com/langchain-ai/langchainjs). These dependencies need to be updated together.


Removes `uuid`

Updates `@langchain/langgraph` from 0.2.74 to 1.4.4
- [Release notes](https://github.com/langchain-ai/langgraphjs/releases)
- [Changelog](https://github.com/langchain-ai/langgraphjs/blob/main/libs/langgraph-core/CHANGELOG.md)
- [Commits](https://github.com/langchain-ai/langgraphjs/commits/@langchain/langgraph@1.4.4/libs/langgraph-core)

Updates `@langchain/core` from 0.3.80 to 1.2.0
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/@langchain/core==0.3.80...@langchain/core@1.2.0)

---
updated-dependencies:
- dependency-name: "@langchain/core"
  dependency-version: 1.1.48
  dependency-type: direct:production
- dependency-name: "@langchain/langgraph"
  dependency-version: 1.3.3
  dependency-type: direct:production
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump uuid, @langchain/langgraph and @langchain/core in /runtimes/langgraph-ts build(deps): bump uuid, @langchain/langgraph and @langchain/core in /runtimes/langgraph-ts Jun 22, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/runtimes/langgraph-ts/multi-dd637fb0b6 branch from 2a417cf to 6a1b24a Compare June 22, 2026 10:40
@pallakatos

Copy link
Copy Markdown
Collaborator

@dependabot rebase

@pallakatos pallakatos merged commit 77b9d40 into main Jun 22, 2026
33 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/runtimes/langgraph-ts/multi-dd637fb0b6 branch June 22, 2026 11:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant