Skip to content

chore(deps): bump langsmith, @langchain/langgraph and @langchain/core in /runtimes/langgraph-ts#393

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/runtimes/langgraph-ts/multi-485ac3a4c8
Open

chore(deps): bump langsmith, @langchain/langgraph and @langchain/core in /runtimes/langgraph-ts#393
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/runtimes/langgraph-ts/multi-485ac3a4c8

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Jun 2, 2026

Bumps langsmith to 0.7.3 and updates ancestor dependencies langsmith, @langchain/langgraph and @langchain/core. These dependencies need to be updated together.

Updates langsmith from 0.3.87 to 0.7.3

Release notes

Sourced from langsmith's releases.

v0.7.3

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.7.2...v0.7.3

v0.7.2

What's Changed

New Contributors

Full Changelog: langchain-ai/langsmith-sdk@v0.7.1...v0.7.2

v0.7.1

What's Changed

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for langsmith since your current version.

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.


Updates @langchain/langgraph from 0.2.74 to 1.3.3

Release notes

Sourced from @​langchain/langgraph's releases.

@​langchain/langgraph@​1.3.3

Patch Changes

  • #2037 9eb478f Thanks @​pawel-twardziak! - Decouple ContextType generic from configurable in PregelOptions so that providing a custom context type no longer incorrectly narrows the configurable parameter.

  • #2457 91a5494 Thanks @​christian-bromann! - fix(langgraph): pass context with stateful RemoteGraph runs

    Pop thread_id from run config.configurable and forward context to the SDK so checkpointed remote runs accept user context without a 400 from ambiguous parameters. Closes #1922.

  • #1988 6d4bf92 Thanks @​Axadali! - Fix race condition in IterableReadableWritableStream.push() that caused ERR_INVALID_STATE errors when streaming with multiple parallel nodes and aborting the stream.

  • #2409 101b70a Thanks @​pragnyanramtha! - Preserve non-plain objects passed through Send and Command argument deserialization.

  • #2344 0125920 Thanks @​dependabot! - chore(deps): bump uuid to 14.0.0 and keep checkpoint ID ordering stable

    Bump uuid from 10.x/13.x to 14.0.0 across packages. Starting with uuid 11, v6({ clockseq }) no longer advances the sub-millisecond time counter when an explicit clockseq is passed, so checkpoint IDs created within the same millisecond were ordered only by clockseq. Since checkpoint IDs are sorted lexicographically, this broke ordering — most visibly for the negative clockseq used by the first ("input") checkpoint, which sorted as the newest.

    uuid6() now maintains its own monotonic (msecs, nsecs) clock (mirroring uuid 10's internal v1 behavior) so the time component is always strictly increasing and checkpoint ordering no longer depends on the clockseq value. emptyCheckpoint() also uses a non-negative clockseq.

  • Updated dependencies [863b555, 0125920]:

    • @​langchain/langgraph-sdk@​1.9.11
    • @​langchain/langgraph-checkpoint@​1.0.4

@​langchain/langgraph@​1.3.2

Patch Changes

  • #2415 9d3c9dd Thanks @​christian-bromann! - Move @langchain/core from a runtime dependency back to a required peer dependency so installing the SDK alone no longer pulls in @langchain/core (and js-tiktoken, etc.). Consumers that use streaming or message coercion must install @langchain/core explicitly or via @langchain/langgraph.

  • Updated dependencies [9d3c9dd]:

    • @​langchain/langgraph-sdk@​1.9.4

@​langchain/langgraph-checkpoint-mongodb@​1.3.2

Patch Changes

  • #2186 26c2e32 Thanks @​jackjin1997! - fix: metadata filter in list() now works by querying a plain JSON shadow copy instead of the serialized binary blob

@​langchain/langgraph@​1.3.1

Patch Changes

  • #2339 2b88da4 Thanks @​vigneshpatel14! - fix(langgraph): surface structuredResponse parse failures in createReactAgent

  • #2406 e54ae90 Thanks @​christian-bromann! - fix(langgraph-core): keep tool results out of v3 message streams

  • #2376 4fd1e9f Thanks @​hntrl! - fix(langgraph): prefer configurable assistant and graph IDs for runtime server info

    Update runtime serverInfo construction to read assistant_id and graph_id from config.configurable first, with fallback to config.metadata for compatibility. Also expands execution_info tests to cover configurable sourcing, precedence, and metadata fallback behavior.

... (truncated)

Changelog

Sourced from @​langchain/langgraph's changelog.

1.3.3

Patch Changes

  • #2037 9eb478f Thanks @​pawel-twardziak! - Decouple ContextType generic from configurable in PregelOptions so that providing a custom context type no longer incorrectly narrows the configurable parameter.

  • #2457 91a5494 Thanks @​christian-bromann! - fix(langgraph): pass context with stateful RemoteGraph runs

    Pop thread_id from run config.configurable and forward context to the SDK so checkpointed remote runs accept user context without a 400 from ambiguous parameters. Closes #1922.

  • #1988 6d4bf92 Thanks @​Axadali! - Fix race condition in IterableReadableWritableStream.push() that caused ERR_INVALID_STATE errors when streaming with multiple parallel nodes and aborting the stream.

  • #2409 101b70a Thanks @​pragnyanramtha! - Preserve non-plain objects passed through Send and Command argument deserialization.

  • #2344 0125920 Thanks @​dependabot! - chore(deps): bump uuid to 14.0.0 and keep checkpoint ID ordering stable

    Bump uuid from 10.x/13.x to 14.0.0 across packages. Starting with uuid 11, v6({ clockseq }) no longer advances the sub-millisecond time counter when an explicit clockseq is passed, so checkpoint IDs created within the same millisecond were ordered only by clockseq. Since checkpoint IDs are sorted lexicographically, this broke ordering — most visibly for the negative clockseq used by the first ("input") checkpoint, which sorted as the newest.

    uuid6() now maintains its own monotonic (msecs, nsecs) clock (mirroring uuid 10's internal v1 behavior) so the time component is always strictly increasing and checkpoint ordering no longer depends on the clockseq value. emptyCheckpoint() also uses a non-negative clockseq.

  • Updated dependencies [863b555, 0125920]:

    • @​langchain/langgraph-sdk@​1.9.11
    • @​langchain/langgraph-checkpoint@​1.0.4

1.3.2

Patch Changes

  • #2415 9d3c9dd Thanks @​christian-bromann! - Move @langchain/core from a runtime dependency back to a required peer dependency so installing the SDK alone no longer pulls in @langchain/core (and js-tiktoken, etc.). Consumers that use streaming or message coercion must install @langchain/core explicitly or via @langchain/langgraph.

  • Updated dependencies [9d3c9dd]:

    • @​langchain/langgraph-sdk@​1.9.4

1.3.1

Patch Changes

  • #2339 2b88da4 Thanks @​vigneshpatel14! - fix(langgraph): surface structuredResponse parse failures in createReactAgent

  • #2406 e54ae90 Thanks @​christian-bromann! - fix(langgraph-core): keep tool results out of v3 message streams

  • #2376 4fd1e9f Thanks @​hntrl! - fix(langgraph): prefer configurable assistant and graph IDs for runtime server info

    Update runtime serverInfo construction to read assistant_id and graph_id from config.configurable first, with fallback to config.metadata for compatibility. Also expands execution_info tests to cover configurable sourcing, precedence, and metadata fallback behavior.

  • Updated dependencies [44746b1, 4cc6491, ae8af2d, 01dd046, 2ad1aa4, 75e651b, f1d651a]:

    • @​langchain/langgraph-sdk@​1.9.3

... (truncated)

Commits
  • d2ca90f chore: version packages (#2453)
  • 101b70a fix: preserve non-plain Send args (#2409)
  • 0125920 chore(deps): bump uuid from 10.0.0 to 14.0.0 (#2344)
  • 91a5494 fix(langgraph): pass context with stateful RemoteGraph runs (#2457)
  • 6d4bf92 fix(langgraph): StreamMessagesHandler throws "Controller is already closed" e...
  • c5dcbd1 fix(langgraph): handle null thread checkpoint in RemoteGraph.getState (#2331)
  • 9eb478f fix(langgraph): decouple ContextType from configurable in PregelOptions (#2037)
  • 4d12fe0 docs: more readme cleanups
  • 5175003 docs: update readme further
  • 4c5fea7 fix(docs): update links in readme
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​langchain/langgraph since your current version.

Install script changes

This version adds prepublish script that runs during installation. Review the package contents before updating.


Updates @langchain/core from 0.3.80 to 1.1.48

Release notes

Sourced from @​langchain/core's releases.

@​langchain/core@​1.1.48

Patch Changes

  • #10832 1b24369 Thanks @​info-arnav! - fix(core, openrouter): make CJS default re-exports callable

  • #10666 2bb55b0 Thanks @​hnustwjj! - feat(openrouter): surface reasoning content as v1 standard content blocks

    convertOpenRouterResponseToBaseMessage and convertOpenRouterDeltaToBaseMessageChunk now copy OpenRouter's reasoning (flat string) and reasoning_details (structured array) fields onto additional_kwargs.reasoning_content / additional_kwargs.reasoning_details. A new ChatOpenRouterTranslator is registered in @langchain/core under the "openrouter" provider key so AIMessage.contentBlocks emits standard {type: "reasoning"} blocks alongside text and tool calls.

    Previously, reasoning text returned by reasoning-capable models routed through OpenRouter (DeepSeek R1, Minimax M2, Claude extended thinking, o-series, etc.) was silently dropped: only the reasoning_tokens count was preserved via usage_metadata. Consumers using standard content blocks (including the frontend agent UI patterns shown in the docs) could not display the model's chain of thought.

  • #10918 3999fab Thanks @​christian-bromann! - fix(openai): stream custom tool calls through Responses API chunks

@​langchain/core@​1.1.47

Patch Changes

  • #10906 f61b345 Thanks @​hntrl! - feat(core): add uuid v6 utility support

    Add v6 UUID generation support to @langchain/core/utils/uuid by vendoring the upstream uuidjs v6 implementation and its v1ToV6 helper, exporting v6 from the UUID utils index, and adding tests for deterministic generation, buffer/offset behavior, validation/versioning, and ordering.

  • #10872 a640079 Thanks @​hntrl! - chore(deps): remove redundant @​types/uuid declarations

    Remove @types/uuid from package manifests that rely on @langchain/core/utils/uuid or do not require uuid type stubs directly, and refresh the lockfile entries accordingly.

  • #10792 3682268 Thanks @​Genmin! - fix(core): apply v1 message casting after implicit streaming aggregation

  • #10901 f26fc4a Thanks @​christian-bromann! - fix(testing): share fakeModel invocation state across bindTools instances

@​langchain/core@​1.1.46

Patch Changes

  • #10847 1659e7d Thanks @​hntrl! - chore(core): reduce transitive dependency exposure and tighten release hygiene

    Remove direct runtime dependencies on ansi-styles, camelcase, and decamelize by inlining equivalent logic in core internals, and enable npm provenance in the release workflow.

  • #10790 ef78bc6 Thanks @​Genmin! - fix(core): keep different content block types separate when merging chunks

... (truncated)

Commits
  • caad091 chore: version packages (#10919)
  • f4a6149 chore(deps): bump fast-uri from 3.1.0 to 3.1.2 (#10926)
  • 7b12f6d chore(deps): bump protobufjs from 7.5.6 to 7.6.0 (#10930)
  • 5c6c5fe chore(deps): bump ws from 5.2.4 to 8.20.0 (#10915)
  • a8652ce docs: fix typos, add Ollama setup, update outdated references (#10922)
  • 2bb55b0 feat(openrouter): surface reasoning as v1 standard content blocks (#10666)
  • 4ecb660 fix(langchain): set name on todoListMiddleware ToolMessages (#10706)
  • 20f27df fix(ibm): handle API errors in streaming responses (#10721)
  • 4566873 feat(ibm): add integration test to IBM implementation (#10732)
  • 6e4337f fix(aws): add claude-haiku-4 to supportedToolChoiceValuesForModel (#10743)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump langsmith, @langchain/langgraph and @langchain/core
ddc7158 
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) to 0.7.3 and updates ancestor dependencies [langsmith](https://github.com/langchain-ai/langsmith-sdk), [@langchain/langgraph](https://github.com/langchain-ai/langgraphjs/tree/HEAD/libs/langgraph-core) and [@langchain/core](https://github.com/langchain-ai/langchainjs). These dependencies need to be updated together.


Updates `langsmith` from 0.3.87 to 0.7.3
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](https://github.com/langchain-ai/langsmith-sdk/commits/v0.7.3)

Updates `@langchain/langgraph` from 0.2.74 to 1.3.3
- [Release notes](https://github.com/langchain-ai/langgraphjs/releases)
- [Changelog](https://github.com/langchain-ai/langgraphjs/blob/main/libs/langgraph-core/CHANGELOG.md)
- [Commits](https://github.com/langchain-ai/langgraphjs/commits/@langchain/langgraph@1.3.3/libs/langgraph-core)

Updates `@langchain/core` from 0.3.80 to 1.1.48
- [Release notes](https://github.com/langchain-ai/langchainjs/releases)
- [Commits](https://github.com/langchain-ai/langchainjs/compare/@langchain/core==0.3.80...@langchain/core@1.1.48)

---
updated-dependencies:
- dependency-name: langsmith
  dependency-version: 0.7.3
  dependency-type: indirect
- dependency-name: "@langchain/langgraph"
  dependency-version: 1.3.3
  dependency-type: direct:production
- dependency-name: "@langchain/core"
  dependency-version: 1.1.48
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot requested a review from pallakatos as a code owner June 2, 2026 13:31
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 2, 2026
@dependabot dependabot Bot requested a review from lachie83 as a code owner June 2, 2026 13:31
@dependabot dependabot Bot added the javascript Pull requests that update javascript code label Jun 2, 2026
@dependabot dependabot Bot requested a review from johnsonshi as a code owner June 2, 2026 13:31
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 2, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jun 2, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
npm/@langchain/core 1.1.48 UnknownUnknown
npm/@langchain/langgraph 1.3.3 UnknownUnknown
npm/@langchain/langgraph-checkpoint 1.0.4 UnknownUnknown
npm/@langchain/langgraph-sdk 1.9.11 UnknownUnknown
npm/@langchain/protocol 0.0.16 UnknownUnknown
npm/@standard-schema/spec 1.1.0 UnknownUnknown
npm/eventemitter3 5.0.4 🟢 4
Details
CheckScoreReason
Code-Review⚠️ 1GitHub code reviews found for 3 commits out of the last 30 -- score normalized to 1
Maintained⚠️ 23 commit(s) out of 30 and 0 issue activity out of 30 found in the last 90 days -- score normalized to 2
CII-Best-Practices⚠️ 0no badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0non read-only tokens detected in GitHub workflows
Packaging⚠️ -1no published package detected
License🟢 10license file detected
Pinned-Dependencies🟢 7dependency not pinned by hash detected -- score normalized to 7
Vulnerabilities🟢 10no vulnerabilities detected
Dependency-Update-Tool⚠️ 0no update tool detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Fuzzing⚠️ 0project is not fuzzed
Security-Policy⚠️ 0security policy file not detected
npm/is-network-error 1.3.2 UnknownUnknown
npm/langsmith 0.7.3 🟢 7.9
Details
CheckScoreReason
Code-Review🟢 8Found 9/11 approved changesets -- score normalized to 8
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 1030 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Packaging🟢 10packaging workflow detected
SAST🟢 10SAST tool is run on all commits
npm/p-queue 9.3.0 🟢 4.6
Details
CheckScoreReason
Maintained🟢 1012 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Security-Policy🟢 10security policy file detected
Code-Review⚠️ 1Found 3/30 approved changesets -- score normalized to 1
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/p-retry 7.1.1 🟢 3.7
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Maintained⚠️ 12 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Security-Policy🟢 10security policy file detected
Code-Review⚠️ 1Found 5/30 approved changesets -- score normalized to 1
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/p-timeout 7.0.1 🟢 3.8
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 3Found 11/30 approved changesets -- score normalized to 3
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy🟢 10security policy file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/uuid 14.0.0 🟢 5.1
Details
CheckScoreReason
Code-Review⚠️ 2Found 6/28 approved changesets -- score normalized to 2
Maintained🟢 1016 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1internal error: internal error: invalid GitHub workflow: :30:31: could not parse as YAML: mapping values are not allowed in this context [syntax-check]
Token-Permissions⚠️ -1internal error: internal error: invalid GitHub workflow: :30:31: could not parse as YAML: mapping values are not allowed in this context [syntax-check]
Security-Policy⚠️ 0security policy file detected
Pinned-Dependencies⚠️ -1internal error: internal error: invalid GitHub workflow: :30:31: could not parse as YAML: mapping values are not allowed in this context [syntax-check]
Dangerous-Workflow⚠️ -1internal error: internal error: invalid GitHub workflow: :30:31: could not parse as YAML: mapping values are not allowed in this context [syntax-check]
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
SAST⚠️ -1internal error: internal error: invalid GitHub workflow: :30:31: could not parse as YAML: mapping values are not allowed in this context [syntax-check]

Scanned Files

  • runtimes/langgraph-ts/package-lock.json

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pallakatos pallakatos Awaiting requested review from pallakatos pallakatos is a code owner

@lachie83 lachie83 Awaiting requested review from lachie83 lachie83 is a code owner

@johnsonshi johnsonshi Awaiting requested review from johnsonshi johnsonshi is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants