[Snyk] Security upgrade @langchain/core from 0.3.26 to 0.3.80#11
…erabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-LANGCHAINCORE-14563113
Pull request overview
This PR addresses a critical security vulnerability (SNYK-JS-LANGCHAINCORE-14563113) in @langchain/core by upgrading from version 0.3.26 to 0.3.80, fixing a Deserialization of Untrusted Data issue with a severity score of 853/1000.
- Upgrades @langchain/core dependency to address critical security vulnerability
- Updates package version by 54 minor versions (0.3.26 → 0.3.80)
- Note: The pnpm-lock.yaml requires manual update before merging (as indicated in the PR warning)
| }, | ||
| "dependencies": { | ||
| "@langchain/core": "^0.3.26", | ||
| "@langchain/core": "^0.3.80", |
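Review bot: the only change in this hunk is the range specifier for `"@langchain/core"` moving from `"^0.3.26"` to `"^0.3.80"` in examples/tg-bot-starter/basic-tg-bot/package.json; pnpm-lock.yaml is not part of the diff, so the version that actually gets installed does not move until the lockfile is regenerated (the PR itself notes the lockfile needs a manual update), and the root package.json, which the review comment says still declares `^0.3.26`, is untouched. Suggest regenerating the lockfile and applying the same bump to the root manifest in this PR so the fix ships as one change rather than leaving a second declaration of the vulnerable range behind.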
This PR only updates @langchain/core in the example directory but misses updating the same dependency in the root package.json file (line 47), which is currently at version ^0.3.26. The security vulnerability affects both locations, so the root package.json should also be updated to version ^0.3.80 to ensure the vulnerability is fully addressed across the entire project.
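A check a maintainer could run to catch exactly the gap the review comment points out, added here as an example (not code from the PR, from Snyk or from the repository); the two manifests and their paths are constructed to mirror the PR state, and the 0.3.80 threshold is the fixed version named in the PR:

```javascript
// Added example (not part of the Snyk PR or the repository): flags every
// package.json manifest whose declared floor for a dependency is below the
// version that fixes a vulnerability. Manifests are constructed inline so the
// script runs offline; in a real run they would be read from disk.
const FIXED = "0.3.80";        // first fixed @langchain/core version (from the PR)
const PKG = "@langchain/core";
// Parse "MAJOR.MINOR.PATCH" into numbers; null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}
// Lowest version a simple range can resolve to ("^x.y.z", "~x.y.z", "x.y.z",
// ">=x.y.z"). Anything else ("*", "||" unions, "x" wildcards, "latest",
// workspace:/file: specifiers) is treated as unknown and reported for review.
function rangeFloor(range) {
  const r = String(range).trim();
  if (/[|*x ]/.test(r) || /^(latest|workspace:|file:|link:)/.test(r)) return null;
  return parseVersion(r.replace(/^(\^|~|>=|=)/, ""));
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// manifests: { [path]: parsed package.json }. Returns one finding per manifest
// field that still declares a floor below `fixed`, or an unparseable range.
// This inspects the declared floor only; the version actually installed is
// whatever pnpm-lock.yaml resolves, so the lockfile must be checked separately.
function findUnfixedManifests(manifests, pkg = PKG, fixed = FIXED) {
  const fixedV = parseVersion(fixed);
  const findings = [];
  for (const [path, manifest] of Object.entries(manifests)) {
    for (const field of ["dependencies", "devDependencies", "peerDependencies"]) {
      const range = manifest[field] && manifest[field][pkg];
      if (range === undefined) continue;
      const floor = rangeFloor(range);
      if (floor === null || compareVersions(floor, fixedV) < 0) {
        findings.push({ path, field, range, reason: floor === null ? "unparseable range" : "floor below fix" });
      }
    }
  }
  return findings;
}
// Constructed sample mirroring the PR state: example manifest bumped, root not.
const sampleManifests = {
  "package.json": { dependencies: { "@langchain/core": "^0.3.26" } },
  "examples/tg-bot-starter/basic-tg-bot/package.json": { dependencies: { "@langchain/core": "^0.3.80" } },
};
console.log(findUnfixedManifests(sampleManifests));
```

The script reports the root package.json and nothing else for this sample; the declared floor is all it can see, so the regenerated pnpm-lock.yaml still needs its own check that `@langchain/core` resolves to 0.3.80 or later.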
Snyk has created this PR to fix 1 vulnerability in the pnpm dependencies of this project.
Snyk changed the following file(s):
examples/tg-bot-starter/basic-tg-bot/package.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-LANGCHAINCORE-14563113
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Deserialization of Untrusted Data