Bump the pip group across 1 directory with 3 updates #17

Merged: ThomasJButler merged 1 commit into main from dependabot/pip/backend/pip-e415333ee0 on Oct 12, 2025

@dependabot dependabot Bot commented on behalf of github Oct 12, 2025

Bumps the pip group with 3 updates in the /backend directory: langchain-community, python-multipart and requests.

Updates langchain-community from 0.2.17 to 0.3.27

Release notes

Sourced from langchain-community's releases.

langchain==0.3.27

Changes since langchain==0.3.26

  • fix(langchain): update deps
  • release(langchain): 0.3.27 (#32227)
  • feat(langchain): add ruff rules PL (#32079)
  • docs: formatting cleanup (#32188)
  • fix: replace deprecated Pydantic .schema() calls with v1/v2 compatible pattern (#32162)
  • feat(langchain): add ruff rules TRY (#32047)
  • feat(langchain): add ruff rules PT (#32010)
  • fix(ollama): robustly parse single-quoted JSON in tool calls (#32109)
  • fix(core): JSON Schema reference resolution for list indices (#32088)
  • refactor(langchain): remove model_rebuild (#32080)
  • feat(langchain): add ruff rules G (#32029)
  • feat(langchain): add ruff rules DTZ (#32021)
  • feat(langchain): add ruff rules PTH (#32008)
  • chore: update error message formatting (#31980)
  • docs: add Google-style docstrings to tools and llms modules (zapier, … (#31957)
  • chore[langchain]: fix broad base except in crawler.py (#31941)
  • ruff: restore stacklevels, disable autofixing (#31919)
  • ruff: add bugbear across packages (#31917)
  • exception: update Exception to ValueError for clearer error handling (#31915)
  • langchain[patch]: harden xml parser for xmloutput agent (#31859)
  • langchain: Add ruff rules B (#31908)
  • langchain: Fix Evaluator's _check_evaluation_args (#31910)
  • langchain: Use pytest.raises and pytest.fail to handle exceptions in tests (#31911)
  • huggingface[patch]: ruff fixes and rules (#31912)
  • anthropic[patch]: ruff fixes and rules (#31899)
  • ruff: more rules across the board & fixes (#31898)
  • fix: automatically fix issues with ruff (#31897)
  • fix: complete exception handling for UpstashRedisEntityStore (#31893)
  • fix: lint/format (#31894)
  • langchain: Add ruff rule RUF (#31874)
  • langchain: Add ruff rules FBT (#31885)
  • langchain: Add ruff rule RET (#31875)
  • langchain: Add ruff rules C4 (#31879)
  • langchain: Add ruff rules SIM (#31881)
  • langchain: Add ruff rules A (#31888)
  • langchain: Add ruff rules EM (#31873)
  • langchain: Add ruff rules PIE (#31880)
  • langchain: Add ruff rule W (#31876)
  • langchain: Bump ruff version to 0.12 (#31867)
  • langchain[patch]: fix a bug where now.replace(day=now.day - 1) would raise a ValueError when now.day is equal to 1 (#31878)
  • langchain[patch]: Add bandit rules (#31818)
  • core[path]: Use context manager for FileCallbackHandler (#31813)
  • openai[patch]: allow specification of output format for Responses API (#31686)
  • openai[patch]: add attribute to always use previous_response_id (#31734)
  • docs: fix typo in globals.py (#31728)
  • core[patch]: Add additional hashing options to indexing API, warn on SHA-1 (#31649)
  • langchain[patch]: smith.evaluation.progress.ProgressBarCallback: Make output after progress bar ends configurable (#31583)

... (truncated)

Commits
  • bdf1cd3 fix(langchain): update deps
  • 77c9819 fix(text-splitters): update langchain-core version to 0.3.72
  • 7f015b6 fix(text-splitters): update lock for release
  • 71ad451 Merge branch 'master' of github.com:langchain-ai/langchain
  • 2c42893 fix(langchain): update langchain-core version to 0.3.72
  • 0e139fb release(langchain): 0.3.27 (#32227)
  • 622bb05 fix(langchain): class HTMLSemanticPreservingSplitter ignores the text inside ...
  • 56dde3a feat(langchain): v1 scaffolding (#32166)
  • bd3d649 release(core): 0.3.72 (#32214)
  • fb5da83 fix(core): Dereference Refs for pydantic schema fails in tool schema generati...
  • Additional commits viewable in compare view

Updates python-multipart from 0.0.6 to 0.0.18

Release notes

Sourced from python-multipart's releases.

Version 0.0.18

What's Changed


Full Changelog: Kludex/python-multipart@0.0.17...0.0.18

Version 0.0.17

What's Changed


Full Changelog: Kludex/python-multipart@0.0.16...0.0.17

Version 0.0.16

What's Changed


Full Changelog: Kludex/python-multipart@0.0.15...0.0.16

Version 0.0.15

What's Changed

  • Replace FutureWarning to PendingDeprecationWarning #174.
  • Add missing files to SDist #171.

Full Changelog: Kludex/python-multipart@0.0.14...0.0.15

Version 0.0.14

What's Changed

Full Changelog: Kludex/python-multipart@0.0.13...0.0.14

Version 0.0.13

What's Changed

New Contributors

Full Changelog: Kludex/python-multipart@0.0.12...0.0.13

... (truncated)

Changelog

Sourced from python-multipart's changelog.

0.0.18 (2024-11-28)

  • Hard break if found data after last boundary on MultipartParser #189.

0.0.17 (2024-10-31)

  • Handle PermissionError in fallback code for old import name #182.

0.0.16 (2024-10-27)

  • Add dunder attributes to multipart package #177.

0.0.15 (2024-10-27)

  • Replace FutureWarning to PendingDeprecationWarning #174.
  • Add missing files to SDist #171.

0.0.14 (2024-10-24)

  • Fix import scheme for multipart module (#168).

0.0.13 (2024-10-20)

  • Rename import to python_multipart #166.

0.0.12 (2024-09-29)

  • Improve error message when boundary character does not match #124.
  • Add mypy strict typing #140.
  • Enforce 100% coverage #159.

0.0.11 (2024-09-28)

  • Improve performance, especially in data with many CR-LF #137.
  • Handle invalid CRLF in header name #141.

0.0.10 (2024-09-21)

  • Support on_header_begin #103.
  • Improve type hints on FormParser #104.
  • Fix OnFileCallback type #106.
  • Improve type hints #110.
  • Improve type hints on File #111.
  • Add type hint to helper functions #112.
  • Minor fix for Field.repr #114.
  • Fix use of chunk_size parameter #136.
  • Allow digits and valid token chars in headers #134.
  • Fix headers being carried between parts #135.

0.0.9 (2024-02-10)

... (truncated)

Commits

Updates requests from 2.31.0 to 2.32.4

Release notes

Sourced from requests's releases.

v2.32.4

2.32.4 (2025-06-10)

Security

  • CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (#6965)

Improvements

  • Numerous documentation improvements

Deprecations

  • Added support for pypy 3.11 for Linux and macOS. (#6926)
  • Dropped support for pypy 3.9 following its end of support. (#6926)

v2.32.3

2.32.3 (2024-05-29)

Bugfixes

  • Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)
  • Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

v2.32.2

2.32.2 (2024-05-21)

Deprecations

  • To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

    A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

  • Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

... (truncated)

Changelog

Sourced from requests's changelog.

2.32.4 (2025-06-10)

Security

  • CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

  • Numerous documentation improvements

Deprecations

  • Added support for pypy 3.11 for Linux and macOS.
  • Dropped support for pypy 3.9 following its end of support.

2.32.3 (2024-05-29)

Bugfixes

  • Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)
  • Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

2.32.2 (2024-05-21)

Deprecations

  • To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

    A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

  • Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

... (truncated)

Commits
  • 021dc72 Polish up release tooling for last manual release
  • 821770e Bump version and add release notes for v2.32.4
  • 59f8aa2 Add netrc file search information to authentication documentation (#6876)
  • 5b4b64c Add more tests to prevent regression of CVE 2024 47081
  • 7bc4587 Add new test to check netrc auth leak (#6962)
  • 96ba401 Only use hostname to do netrc lookup instead of netloc
  • 7341690 Merge pull request #6951 from tswast/patch-1
  • 6716d7c remove links
  • a7e1c74 Update docs/conf.py
  • c799b81 docs: fix dead links to kenreitz.org
  • Additional commits viewable in compare view

Summary by CodeRabbit

  • Chores
    • Updated backend libraries to the latest stable releases to improve security, compatibility, and overall reliability.
    • Enhances resilience of network requests and data handling under varied conditions.
    • Improves performance and stability of background operations with no expected changes to the user interface.
    • Includes routine maintenance to reduce potential bugs and align with current platform standards.

Bumps the pip group with 3 updates in the /backend directory: [langchain-community](https://github.com/langchain-ai/langchain), [python-multipart](https://github.com/Kludex/python-multipart) and [requests](https://github.com/psf/requests).


Updates `langchain-community` from 0.2.17 to 0.3.27
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-community==0.2.17...langchain==0.3.27)

Updates `python-multipart` from 0.0.6 to 0.0.18
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/master/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.6...0.0.18)

Updates `requests` from 2.31.0 to 2.32.4
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.31.0...v2.32.4)

---
updated-dependencies:
- dependency-name: langchain-community
  dependency-version: 0.3.27
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: python-multipart
  dependency-version: 0.0.18
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: requests
  dependency-version: 2.32.4
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) on Oct 12, 2025

vercel Bot commented Oct 12, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
sql-ball Ready Ready Preview Comment Oct 12, 2025 10:02pm

coderabbitai Bot commented Oct 12, 2025

Walkthrough

Dependency versions updated in backend/requirements.txt: langchain-community, python-multipart, and requests. No other files or APIs changed.

Changes

Cohort / File(s): Dependency version bumps (backend/requirements.txt)
Summary: Upgraded langchain-community 0.2.17 → 0.3.27, python-multipart 0.0.6 → 0.0.18, requests 2.31.0 → 2.32.4. No other dependency changes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

I twitch my whiskers at version streams,
Three tidy bumps in dependency dreams.
Packages hop to numbers new,
Carrots counted, checksums true.
I thump the ground—release is neat!
Now back to code, and a lettuce treat. 🥕🐇

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
Check name Status Explanation Resolution
Title Check ❓ Inconclusive The title loosely reflects that dependencies were bumped but is vague and includes unnecessary details like “across 1 directory with 3 updates” that do not clearly convey which packages changed or the nature of the update. It fails to provide a concise, specific summary of the main change, making it harder for a teammate to understand the purpose at a glance. A clearer title would specify the affected dependencies and context. Please revise the title to succinctly highlight the main change, for example: “Update backend dependencies: langchain-community, python-multipart, and requests.”
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.

ThomasJButler commented Oct 12, 2025

@coderabbitai review please :)

coderabbitai Bot commented Oct 12, 2025

@ThomasJButler, I'll review the dependency updates for you!

This PR includes important security fixes:

  • requests: Fixes CVE-2024-47081 (netrc credential leak) and CVE-2024-35195
  • python-multipart: Multiple security and parsing improvements
  • langchain-community: Various bug fixes and enhancements

I'll analyze the changes and provide feedback shortly.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9b3213a and 56d1d2b.

📒 Files selected for processing (1)
  • backend/requirements.txt (1 hunks)

Comment thread backend/requirements.txt
langchain==0.2.16
langchain-openai==0.1.25
langchain-community==0.2.17
langchain-community==0.3.27
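
Review bot: The new `langchain-community==0.3.27` pin sits directly under the unchanged context lines `langchain==0.2.16` and `langchain-openai==0.1.25`, so this hunk moves one package of the LangChain family to the 0.3 line on its own while its siblings stay where they were. Before merging, install this file into a clean virtual environment and run `pip check` to confirm the set resolves; if it does not, bump the sibling pins in the same change or hold `langchain-community` on a 0.2.x release. A grouped update that crosses a minor line for only one member of a related set is worth splitting out of the batch so the two security-relevant bumps are not blocked by it.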

⚠️ Potential issue | 🔴 Critical

Stop: version conflict with langchain pin.

langchain-community 0.3.27 requires the LangChain 0.3.x stack (langchain, langchain-core) but we still pin langchain==0.2.16. Pip will refuse to resolve this set, so installs will fail. Either upgrade langchain (and related packages) to the matching 0.3.x line or keep langchain-community on a compatible 0.2.x release.

🤖 Prompt for AI Agents
In backend/requirements.txt around line 5 there's a version conflict:
langchain-community==0.3.27 requires the LangChain 0.3.x stack but the project
pins langchain==0.2.16, causing pip resolution failures; fix by either upgrading
langchain (and langchain-core and any other langchain-related packages) to
matching 0.3.x versions that are compatible with langchain-community 0.3.27, or
downgrade langchain-community to a 0.2.x release that is compatible with
langchain==0.2.16, then update the requirements file and re-run dependency
resolution/lockfile generation to ensure a consistent set.
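
A CI gate for the two things this thread turns on: the minimum versions named in the release notes, and the langchain / langchain-community mismatch flagged in the review above. This is an added example, not code from the repository, Dependabot or CodeRabbit; the function names, the sample requirement sets (constructed from the versions on this page) and the rule that the two LangChain packages share a major.minor line (taken from the review comment) are assumptions.

```python
import re

# Versions this PR bumps to, with the reason given in the release notes on this page.
MIN_VERSIONS = {
    "requests": ("2.32.4", "CVE-2024-47081 netrc credential lookup"),
    "python-multipart": ("0.0.18", "hard break on data after last boundary"),
}
# Assumption taken from the review comment: these must share a major.minor line.
SAME_LINE = ("langchain", "langchain-community")

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*(\d+(?:\.\d+)*)\s*(?:#.*)?$")


def vtuple(version):
    """'0.0.18' -> (0, 0, 18); compared numerically, so 0.0.6 < 0.0.18."""
    return tuple(int(part) for part in version.split("."))


def parse_pins(text):
    """Return ({normalized_name: version}, [lines that are not exact pins])."""
    pins, other = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = PIN_RE.match(line)
        if match:
            name = re.sub(r"[-_.]+", "-", match.group(1)).lower()  # PEP 503 form
            pins[name] = match.group(2)
        else:
            other.append(line)
    return pins, other


def audit(text):
    """List human-readable findings for the body of a requirements.txt."""
    pins, other = parse_pins(text)
    findings = []
    for name, (floor, why) in MIN_VERSIONS.items():
        if name in pins and vtuple(pins[name]) < vtuple(floor):
            findings.append(f"{name}=={pins[name]} is below {floor} ({why})")
    lines = {n: vtuple(pins[n])[:2] for n in SAME_LINE if n in pins}
    if len(set(lines.values())) > 1:
        detail = ", ".join(f"{n}=={pins[n]}" for n in lines)
        findings.append(f"mixed release lines: {detail}")
    findings.extend(f"not an exact pin, check by hand: {item}" for item in other)
    return findings


# Constructed samples built from the versions named on this page.
BEFORE = """langchain==0.2.16
langchain-openai==0.1.25
langchain-community==0.2.17
python-multipart==0.0.6
requests==2.31.0
"""
AFTER = BEFORE.replace("==0.2.17", "==0.3.27").replace("==0.0.6", "==0.0.18").replace("==2.31.0", "==2.32.4")
```

`audit(BEFORE)` reports the two pins below their fixed versions; `audit(AFTER)` reports only the mixed LangChain release lines. This is a fast pre-check for CI, not a substitute for an actual resolver run.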

@ThomasJButler ThomasJButler merged commit 5388286 into main Oct 12, 2025
3 checks passed
@dependabot dependabot Bot deleted the dependabot/pip/backend/pip-e415333ee0 branch October 12, 2025 22:39