chore: bump urllib3+langchain; specify werkzeug as transitive dep #1375
Signed-off-by: Will Killian <wkillian@nvidia.com>
Walkthrough
Three pyproject.toml files were updated to change dependency versions.
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
packages/nvidia_nat_semantic_kernel/pyproject.toml (1)
1-4: Add the standard SPDX Apache-2.0 header to this file (it’s missing).
This file appears to start at `[build-system]`, so it doesn’t meet the “every changed source file starts with the SPDX Apache-2.0 header” rule.
Proposed fix (prepend header)
+# SPDX-FileCopyrightText: Copyright (c) 2026, NVIDIA CORPORATION & AFFILIATES. +# All rights reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + [build-system] build-backend = "setuptools.build_meta" requires = ["setuptools >= 64", "setuptools-scm>=8"]As per coding guidelines.
🤖 Fix all issues with AI agents
In @pyproject.toml:
- Around line 337-339: The dev dependency list in pyproject.toml has "werkzeug"
misplaced; move the "werkzeug~=3.1.5" entry inside the [dependency-groups].dev
block so it is alphabetically sorted between "vale" and "yapf", and then
regenerate/update the uv.lock file to keep the lockfile in sync; also confirm
whether "werkzeug" is intended as a runtime dependency for the nvidia-nat
package—if so, add it to the primary dependencies instead of only to the dev
group.
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
`uv.lock` is excluded by `!**/*.lock`
📒 Files selected for processing (2)
- packages/nvidia_nat_semantic_kernel/pyproject.toml
- pyproject.toml
🧰 Additional context used
📓 Path-based instructions (7)
{pyproject.toml,packages/*/pyproject.toml}
📄 CodeRabbit inference engine (.cursor/rules/general.mdc)
Package dependencies should use '~=<version>' format with two-digit versions (e.g., '~=1.0')
Files:
- pyproject.toml
- packages/nvidia_nat_semantic_kernel/pyproject.toml
**/*.{py,yaml,yml,json,toml}
📄 CodeRabbit inference engine (.cursor/rules/general.mdc)
Indent with 4 spaces (never tabs) and ensure every file ends with a single newline
Files:
- pyproject.toml
- packages/nvidia_nat_semantic_kernel/pyproject.toml
**/*.{py,js,ts,tsx,jsx,sh,yaml,yml,json,toml,md,mdx,rst}
📄 CodeRabbit inference engine (.cursor/rules/general.mdc)
**/*.{py,js,ts,tsx,jsx,sh,yaml,yml,json,toml,md,mdx,rst}: Every file must start with the standard SPDX Apache-2.0 header
Confirm that copyright years are up-to-date whenever a file is changed
All source files must include the SPDX Apache-2.0 header template
Files:
- pyproject.toml
- packages/nvidia_nat_semantic_kernel/pyproject.toml
{pyproject.toml,uv.lock}
📄 CodeRabbit inference engine (.cursor/rules/general.mdc)
New dependencies must be added to both 'pyproject.toml' (alphabetically) and 'uv.lock' via 'uv pip install <pkg> --sync'
Files:
pyproject.toml
**/*
⚙️ CodeRabbit configuration file
**/*: # Code Review Instructions
- Ensure the code follows best practices and coding standards.
- For Python code, follow PEP 20 and PEP 8 for style guidelines.
- Check for security vulnerabilities and potential issues.
- Python methods should use type hints for all parameters and return values (except for return values of `None`, in that situation no return type hint is needed).
  Example: `def my_function(param1: int, param2: str) -> bool: pass`
- For Python exception handling, ensure proper stack trace preservation:
  - When re-raising exceptions: use bare `raise` statements to maintain the original stack trace, and use `logger.error()` (not `logger.exception()`) to avoid duplicate stack trace output.
  - When catching and logging exceptions without re-raising: always use `logger.exception()` to capture the full stack trace information.

Documentation Review Instructions
- Verify that documentation and comments are clear and comprehensive.
- Verify that the documentation doesn't contain any TODOs, FIXMEs or placeholder text like "lorem ipsum".
- Verify that the documentation doesn't contain any offensive or outdated terms.
- Verify that documentation and comments are free of spelling mistakes, ensure the documentation doesn't contain any words listed in the `ci/vale/styles/config/vocabularies/nat/reject.txt` file, words that might appear to be spelling mistakes but are listed in the `ci/vale/styles/config/vocabularies/nat/accept.txt` file are OK.
- Documentation in Markdown files should not contain usage of a possessive 's with inanimate objects (ex: "the system's performance" should be "the performance of the system").
- Documentation in Markdown files should not use NAT as an acronym, always spell out NeMo Agent Toolkit. The exception to this rule is when referring to package names or code identifiers that contain "nat", th...
Files:
- pyproject.toml
- packages/nvidia_nat_semantic_kernel/pyproject.toml
packages/*/pyproject.toml
📄 CodeRabbit inference engine (.cursor/rules/general.mdc)
Each package in 'packages/' should contain a 'pyproject.toml' file with a dependency on 'nvidia-nat' or another package with name starting with 'nvidia-nat-'
Files:
packages/nvidia_nat_semantic_kernel/pyproject.toml
packages/**/*
⚙️ CodeRabbit configuration file
packages/**/*:
- This directory contains optional plugin packages for the toolkit, each should contain a `pyproject.toml` file.
- The `pyproject.toml` file should declare a dependency on `nvidia-nat` or another package with a name starting with `nvidia-nat-`. This dependency should be declared using `~=<version>`, and the version should be a two digit version (ex: `~=1.0`).
- Not all packages contain Python code, if they do they should also contain their own set of tests, in a `tests/` directory at the same level as the `pyproject.toml` file.
- When adding a new package, that new package name (as defined in the `pyproject.toml` file) should be added as a dependency to the nvidia-nat-all package in `packages/nvidia_nat_all/pyproject.toml`
Files:
packages/nvidia_nat_semantic_kernel/pyproject.toml
🧠 Learnings (5)
📓 Common learnings
Learnt from: CR
Repo: NVIDIA/NeMo-Agent-Toolkit PR: 0
File: .cursor/rules/general.mdc:0-0
Timestamp: 2026-01-05T15:46:49.677Z
Learning: Applies to {pyproject.toml,uv.lock} : New dependencies must be added to both 'pyproject.toml' (alphabetically) and 'uv.lock' via 'uv pip install <pkg> --sync'
Learnt from: bbednarski9
Repo: NVIDIA/NeMo-Agent-Toolkit PR: 1217
File: packages/nvidia_nat_adk/pyproject.toml:38-38
Timestamp: 2025-12-02T19:36:36.626Z
Learning: In pyproject.toml dependency declarations, while the general guideline is to use two-digit version format with ~= (e.g., ~=1.18), using three-digit format (e.g., ~=1.18.0) is appropriate when intentionally restricting to a specific minor version line to allow patch updates but exclude newer minor versions (e.g., allowing 1.18.1 but blocking 1.19.x).
📚 Learning: 2026-01-05T15:46:49.677Z
Learnt from: CR
Repo: NVIDIA/NeMo-Agent-Toolkit PR: 0
File: .cursor/rules/general.mdc:0-0
Timestamp: 2026-01-05T15:46:49.677Z
Learning: Applies to {pyproject.toml,uv.lock} : New dependencies must be added to both 'pyproject.toml' (alphabetically) and 'uv.lock' via 'uv pip install <pkg> --sync'
Applied to files:
pyproject.toml
📚 Learning: 2026-01-05T16:32:00.641Z
Learnt from: mnajafian-nv
Repo: NVIDIA/NeMo-Agent-Toolkit PR: 1324
File: examples/config_inheritance/pyproject.toml:15-15
Timestamp: 2026-01-05T16:32:00.641Z
Learning: In the NVIDIA/NeMo-Agent-Toolkit repository, the develop branch may reference unreleased versions of nvidia-nat (e.g., 1.5) in pyproject.toml dependency specifications even before those versions are published to PyPI. This is intentional pre-release version management, and the workspace dependencies use editable local installs (e.g., `nvidia-nat = { path = "../..", editable = true }`) to ensure development works correctly with the local sources.
Applied to files:
- pyproject.toml
- packages/nvidia_nat_semantic_kernel/pyproject.toml
📚 Learning: 2026-01-05T15:46:49.676Z
Learnt from: CR
Repo: NVIDIA/NeMo-Agent-Toolkit PR: 0
File: .cursor/rules/general.mdc:0-0
Timestamp: 2026-01-05T15:46:49.676Z
Learning: Applies to packages/*/pyproject.toml : Each package in 'packages/' should contain a 'pyproject.toml' file with a dependency on 'nvidia-nat' or another package with name starting with 'nvidia-nat-'
Applied to files:
- pyproject.toml
- packages/nvidia_nat_semantic_kernel/pyproject.toml
📚 Learning: 2025-11-10T21:26:35.059Z
Learnt from: jiaxiangr
Repo: NVIDIA/NeMo-Agent-Toolkit PR: 974
File: packages/nvidia_nat_all/pyproject.toml:39-39
Timestamp: 2025-11-10T21:26:35.059Z
Learning: In packages/nvidia_nat_all/pyproject.toml, workspace dependencies (nvidia-nat-* plugin packages) should NOT have version constraints because they are managed as workspace dependencies. Version constraints are only applied to the base nvidia-nat package and external dependencies, not to internal workspace packages.
Applied to files:
- pyproject.toml
- packages/nvidia_nat_semantic_kernel/pyproject.toml
🔇 Additional comments (2)
packages/nvidia_nat_semantic_kernel/pyproject.toml (2)
28-30: `werkzeug~=3.1.5` bump looks fine; verify version exists + lockfile was regenerated.
Patch-precision `~=` is reasonable if you’re intentionally staying on the 3.1.* line (per repo learnings about using 3-digit `~=` to constrain a minor line).
Based on learnings, confirm `uv.lock` is updated via `uv pip install ... --sync`.
70-72: Invalid line references and incomplete comment.
This review comment references lines 70-72 and 337-339, but the file `packages/nvidia_nat_semantic_kernel/pyproject.toml` contains only 60 lines. Additionally, the comment section is empty with no actionable feedback provided. Please clarify which specific lines require review and what the actual concern is.
Likely an incorrect or invalid review comment.
Signed-off-by: Will Killian <wkillian@nvidia.com>
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In @pyproject.toml:
- Around line 343-344: Move the "werkzeug" dependency so it appears
alphabetically before "yapf" and change its version spec from "~=3.1.5" to the
two-digit precision "~=3.1"; optionally remove or relocate the "# transitive
dependencies" comment above the dependency if it interferes with ordering.
- Around line 70-71: Move the dependency entries so they are alphabetically
ordered and change three-part version specifiers to two-part precision: in the
dependencies list, place "urllib3~=2.6" before "wikipedia~=1.4" (replace ~=2.6.3
with ~=2.6); in the dev dependency-group, place "werkzeug~=3.1" before
"yapf==0.43.*" (replace ~=3.1.5 with ~=3.1); ensure the exact tokens "urllib3"
and "werkzeug" are updated and relocated accordingly without altering other
entries.
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
`uv.lock` is excluded by `!**/*.lock`
📒 Files selected for processing (2)
- packages/nvidia_nat_langchain/pyproject.toml
- pyproject.toml
✅ Files skipped from review due to trivial changes (1)
- packages/nvidia_nat_langchain/pyproject.toml
🧰 Additional context used
📓 Path-based instructions (6)
pyproject.toml
⚙️ CodeRabbit configuration file
pyproject.toml: # pyproject.toml example section review instructions
- Ensure that for any examples that are added or removed, the examples list in the pyproject.toml file is updated accordingly. This is only necessary if the example added contains a pyproject.toml file (e.g. it is installable as a package)
- Any added examples should be added to the `examples` list in the pyproject.toml file.
- Any removed examples should be removed from the `examples` list in the pyproject.toml file.
- All added examples must have a `nat_` prefix within the `uv.sources` name. The path to the example does NOT need to have this prefix. If the example does not have a `nat_` prefix, it should be added.
Files:
pyproject.toml
🧠 Learnings (6)
📚 Learning: 2026-01-05T15:46:49.676Z
Learnt from: CR
Repo: NVIDIA/NeMo-Agent-Toolkit PR: 0
File: .cursor/rules/general.mdc:0-0
Timestamp: 2026-01-05T15:46:49.676Z
Learning: Applies to {pyproject.toml,packages/*/pyproject.toml} : Package dependencies should use '~=<version>' format with two-digit versions (e.g., '~=1.0')
Applied to files:
pyproject.toml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: CI Pipeline / Check
🔇 Additional comments (1)
pyproject.toml (1)
70-71: Verify uv.lock synchronization.
Per the repository's coding guidelines, new dependencies must be added to both `pyproject.toml` (alphabetically) and `uv.lock` via `uv pip install <pkg> --sync`. Please confirm that `uv.lock` has been updated for the new `urllib3` and `werkzeug` dependencies.
Based on learnings, new dependencies must be synchronized with uv.lock.
mnajafian-nv left a comment
Hey! Thanks for the PR. Everything looks great, just need a few small changes:
- Version format: Change `~=2.6.3` to `~=2.6` and `~=3.1.5` to `~=3.1` (per your guideline lines)
- Alphabetical order: Move urllib3 before uvicorn, werkzeug before yapf
- Regenerate: `uv pip install . --sync`
Q. Why pin urllib3/werkzeug explicitly when they're transitive deps? Does semantic-kernel actually need werkzeug?
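The two `~=` forms discussed in this review admit different version ranges, which matters when a patch release carries a fix. The following is an added example, not code from the PR or the repository: a simplified PEP 440 compatible-release check (numeric release segments only) plus a small lint for the two-segment and alphabetical-order guidelines, run over a constructed dev-group list whose `vale` version is a made-up value.

```python
from __future__ import annotations
import re

# Simplified PEP 440 handling: numeric release segments only
# (no epochs, pre/post/dev releases or local versions).
def parse_release(version: str) -> tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))

def compatible_bounds(spec: str) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Return (inclusive lower, exclusive upper) for the specifier '~=spec'."""
    release = parse_release(spec)
    if len(release) < 2:
        raise ValueError("~= requires at least two release segments")
    prefix = release[:-1]                      # drop the last segment ...
    upper = prefix[:-1] + (prefix[-1] + 1,)    # ... and bump the new last one
    return release, upper

def _pad(release: tuple[int, ...], width: int) -> tuple[int, ...]:
    return release + (0,) * (width - len(release))

def allows(spec: str, candidate: str) -> bool:
    """True if version `candidate` satisfies '~=spec'."""
    lower, upper = compatible_bounds(spec)
    cand = parse_release(candidate)
    width = max(len(lower), len(upper), len(cand))
    return _pad(lower, width) <= _pad(cand, width) < _pad(upper, width)

# name, optional operator, remainder of the requirement string
REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(~=|==|!=|>=|<=|<|>)?\s*(.*)$")

def lint_dependencies(requirements: list[str]) -> list[str]:
    """Report ~= pins that are not two-segment and names out of order."""
    findings: list[str] = []
    names: list[str] = []
    for req in requirements:
        match = REQ.match(req.strip())
        if match is None:
            continue
        name, op, version = match.groups()
        names.append(name.lower())
        if op == "~=" and len(parse_release(version)) != 2:
            _, upper = compatible_bounds(version)
            ceiling = ".".join(str(n) for n in upper)
            findings.append(
                f"{name}: ~={version} is not two-segment precision; "
                f"it stays below {ceiling}")
    for prev, cur in zip(names, names[1:]):
        if cur < prev:
            findings.append(f"{cur}: listed after {prev}, breaks alphabetical order")
    return findings

# Constructed sample of a dev dependency group (vale version is made up).
SAMPLE_DEV_GROUP = ["vale~=3.9", "yapf==0.43.*", "werkzeug~=3.1.5"]

if __name__ == "__main__":
    for spec in ("3.1.5", "3.1"):
        for cand in ("3.1.4", "3.1.9", "3.2.0", "4.0"):
            print(f"~={spec} allows {cand}: {allows(spec, cand)}")
    for finding in lint_dependencies(SAMPLE_DEV_GROUP):
        print(finding)
```

Note that `~=3.1` accepts 3.1.4 while `~=3.1.5` does not, so with the two-segment form the patched version is held only by the regenerated `uv.lock`.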
/merge
…IDIA#1375)

Closes

## By Submitting this PR I confirm:
- I am familiar with the [Contributing Guidelines](https://github.com/NVIDIA/NeMo-Agent-Toolkit/blob/develop/docs/source/resources/contributing/index.md).
- We require that all contributors "sign-off" on their commits. This certifies that the contribution is your original work, or you have rights to submit it under the same license, or a compatible license.
  - Any contribution which contains commits that are not Signed-Off will not be accepted.
- When the PR is ready for review, new or existing tests cover these changes.
- When the PR is ready for review, the documentation is up to date with these changes.

## Summary by CodeRabbit
* **Chores**
  * Bumped werkzeug from 3.1.4 to 3.1.5 to keep compatibility and security patches up to date.
  * Added/updated urllib3 entry to ensure networking stability.
  * Upgraded langchain from 1.2.2 to 1.2.3 for improved library fixes and reliability.

Authors:
- Will Killian (https://github.com/willkill07)

Approvers:
- https://github.com/Salonijain27
- https://github.com/mnajafian-nv

URL: NVIDIA#1375