chore(examples): bump @langchain/* to v1.x major#1633
Merged
Conversation
LangChain.js released v1 stable; bashkit-js's own peer dep already
accepts v1 (>=0.3), and the langchain_agent.mjs example imports
DynamicStructuredTool / ChatOpenAI / createReactAgent — all still
exported from @langchain/{core,openai,langgraph} v1 with compatible
constructor signatures. Verified by running the example: it gets past
construction and fails at the OpenAI API call as expected when no key
is configured.
Also bumps the pinned langsmith override from 0.5.25 → ^0.6.0 to
match (and clear GHSA-3644-q5cj-c5c7 — already done in #1632 for
the maintenance branch; this PR keeps examples consistent).
Devdep change only — no source changes required.
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
bashkit | 33aaffa | Commit Preview URL Branch Preview URL |
May 17 2026, 04:21 PM |
8 tasks
chaliy
added a commit
that referenced
this pull request
May 17, 2026
…8, deps (#1635) Follow-up to #1632 / #1633 — works through the deferred items the maintenance pass identified. ## Summary **1. `just vet` recipe (049d362)** Locally failed with `no such command: vet` because the recipe assumed cargo-vet was on PATH (CI installs it separately via `taiki-e/install-action`). Added a private `_ensure-vet` recipe that installs it on demand, and the three public recipes depend on it. Also pass `--locked` to match CI. **2. cargo update + supply-chain exemptions (6875e85)** Pulls 29 patch/minor transitive bumps (`aws-lc-rs` 1.16→1.17, `tower-http` 0.6.8→0.6.10, `russh` 0.60.2→0.60.3, `napi` 3.8→3.9, `wasm-bindgen` 0.2.120→0.2.121, …). Adds matching exemption entries in `supply-chain/config.toml` — every one of them is a patch/minor of a crate that already had an exemption for the prior version, consistent with the existing 594 exemptions the project accepts. Dependabot's weekly group PR will replace these with proper imported certifications via `cargo vet prune`. The previous attempt to land this hit the sandbox's inability to fetch import certs (cargo-vet's webpki-roots reject the proxy CA); exemptions avoid that. **3. Builtin count reconciliation (f9bfc3d)** README, `lib.rs` rustdoc, and bashkit-python README claimed 160. `compatibility.md` total said 150 with category counts summing to 110. `implementation-status.md` claimed 148+14=162. Authoritative count from the source: **142 always-on + 14 feature-gated = 156**. All five surfaces now agree. `compatibility.md`'s broken sub-category table is replaced with a two-row split that reconciles. **4. TM-INF-018 mitigation (04cebad)** Spec said the mitigation was "Configurable time source (fixed *or* offset)" but only the fixed variant was implemented. Adds `Bash::builder().epoch_offset(seconds)` which shifts `Utc::now()` by a constant — keeps elapsed-time semantics, blinds absolute wall-clock. `fixed_epoch` and `epoch_offset` are mutually exclusive on the builder (last call wins). Wired through `Date::with_offset_seconds`, `Interpreter::with_config`, and the builder. 4 unit + 4 integration tests. Spec and rustdoc threat-model doc now mark TM-INF-018 as **MITIGATED** (opt-in). **5. Crypto stack split tracking (fc36722, issue #1634)** RustCrypto 0.10/0.11 line split (`turso_core` / `aes-gcm 0.10` pull the old line; `bashkit` uses the new line directly). Cannot unify without upstream releases. Filed #1634 with watch conditions on `aes-gcm 0.11` and `turso_core 0.7+`. Added to `specs/maintenance.md` deferred-items table. ## Test plan - [x] `just vet` — passes locally now (was `error: no such command: vet`) - [x] `cargo build --workspace` clean - [x] `cargo test -p bashkit --lib` — 2239 pass - [x] `cargo test --test threat_model_tests tm_inf_018_date` — 4/4 pass - [x] `cargo clippy --workspace --all-targets -- -D warnings` clean - [x] `cargo fmt --check` clean - [x] `cargo vet --locked` succeeds (25 fully audited, 7 partially audited, 619 exempted) - [x] `cargo deny check` — advisories ok, bans ok, licenses ok, sources ok ## Not addressed (intentional) - Replacing `turso_core` to unblock the crypto split. Embedded SQLite via Turso is a core feature, not a swap candidate. Tracked in #1634. - Changing `date`'s default behavior to a virtual clock. That would be a breaking change for every embedder; `epoch_offset` is opt-in by design. --- _Generated by [Claude Code](https://claude.ai/code/session_017dpq8SdNvefnUW6egJJJYR)_
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
examples/package.json: bump@langchain/core0.3→1.1,@langchain/langgraph0.2→1.3,@langchain/openai0.5→1.4 (LangChain.js released v1 stable).examples/package.json: bump thelangsmithoverride from0.5.25to^0.6.0(clears GHSA-3644-q5cj-c5c7; already applied to maintenance branch in chore: deep-maintenance pass — fuzz fix, dep bumps, doc sync #1632, this PR keeps examples consistent).LangChain v1 kept the API surface used by
examples/langchain_agent.mjs(DynamicStructuredTool,ChatOpenAI,createReactAgentfrom@langchain/langgraph/prebuilt) — no source changes needed.Test plan
npm installclean, 0 vulnerabilitiesnode langchain_agent.mjsreaches the OpenAI call (constructors + tool wiring work; expectedOpenAI credentials missingexit)@everruns/bashkitinstall + langchain integration tests)Notes
examples/langchain_integration.mjsrequires a newer@everruns/bashkitthan the latest published 0.1.10 (uses the/langchainsubpath export). That's a pre-existing issue unrelated to this PR — surfaces whenever younpm installoutside of CI's wheel/binding build.crates/bashkit-js/langchain.tsalready uses the same v1-compatible APIs; no binding code change.Generated by Claude Code