build(deps): bump langchain-core from 1.2.16 to 1.2.28 in /agents

[dependabot]

Bumps langchain-core from 1.2.16 to 1.2.28.

Release notes

Sourced from langchain-core's releases.

langchain-core==1.2.28

Changes since langchain-core==1.2.27

release(core): release 1.2.28 (#36614) fix(core): add more sanitization to templates (#36612)

langchain-core==1.2.27

Changes since langchain-core==1.2.26

release(core): 1.2.27 (#36586) fix(core): handle symlinks in deprecated prompt save path (#36585) chore: add comment explaining pygments>=2.20.0 (#36570)

Credit to Jeff Ponte (@​JDP-Security) for reporting the symlink resolution issue in #36585.

langchain-core==1.2.26

Changes since langchain-core==1.2.25

release(core): 1.2.26 (#36511) fix(core): add init validator and serialization mappings for Bedrock models (#34510) feat(core): add ChatBaseten to serializable mapping (#36510) chore(core): drop gpt-3.5-turbo from docstrings (#36497) fix(core): correct parameter names in filter_messages docstring example (#36462)

langchain-core==1.2.25

Changes since langchain-core==1.2.24

release(core): 1.2.25 (#36473) fix(core): harden check for txt files in deprecated prompt loading functions (#36471) fix(core): fixed typos in the documentation (#36459)

Credit to Jeff Ponte (@​JDP-Security) for reporting the symlink resolution issue resolved in #36471.

langchain-core==1.2.24

Changes since langchain-core==1.2.23

release(core): 1.2.24 (#36434) feat(core): impute placeholder filenames for OpenAI file inputs (#36433) chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385) fix(core): add "computer" to _WellKnownOpenAITools (#36261)

langchain-core==1.2.23

Changes since langchain-core==1.2.22

release(core): 1.2.23 (#36323) revert: Revert "fix(core): trace invocation params in metadata" (#36322) chore: bump requests from 2.32.5 to 2.33.0 in /libs/core (#36243)

langchain-core==1.2.22

Changes since langchain-core==1.2.21

... (truncated)

Commits

• dd7c3eb release(core): release 1.2.28 (#36614)
• af2ed47 fix(core): add more sanitization to templates (#36612)
• 7e5858d release(standard-tests): 1.1.6 (#36610)
• fe99cb2 fix(standard-tests): update standard tests for sandbox backends (#36036)
• 65bbd47 chore(model-profiles): refresh model profile data (#36596)
• 6486404 release(core): 1.2.27 (#36586)
• 7629c74 fix(core): handle symlinks in deprecated prompt save path (#36585)
• ce21bf4 ci: convert working-directory to validated dropdown (#36575)
• b8698ea release(ollama): 1.1.0 (#36574)
• 3beba77 feat(ollama): support response_format (#34612)
• Additional commits viewable in compare view

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Recently published: pypi langchain-core published yesterday Location: Package overview From: ? → pypi/langchain@1.2.10 → pypi/langchain-litellm@0.5.1 → pypi/deepagents@0.4.4 → pypi/langchain-core@1.2.28 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/langchain-core@1.2.28. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report