Skip to content

chore(deps): Bump the minor-and-patch group in /a2a/image_service with 9 updates#508

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/a2a/image_service/minor-and-patch-cbe9f53553
Open

chore(deps): Bump the minor-and-patch group in /a2a/image_service with 9 updates#508
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/a2a/image_service/minor-and-patch-cbe9f53553

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 28, 2026
edited
Loading

Bumps the minor-and-patch group in /a2a/image_service with 9 updates:

Package From To
langgraph 1.0.3 1.2.2
langchain-core 1.3.3 1.4.0
langchain-community 0.4.1 0.4.2
langchain-openai 1.0.3 1.2.2
openinference-instrumentation-langchain 0.1.55 0.1.66
opentelemetry-exporter-otlp 1.38.0 1.42.1
python-multipart 0.0.28 0.0.29
pyjwt 2.12.1 2.13.0
langsmith 0.8.4 0.8.6

Updates langgraph from 1.0.3 to 1.2.2

Release notes

Sourced from langgraph's releases.

langgraph==1.2.2

Changes since 1.2.1

  • chore(langgraph): bump version to 1.2.2 (#7914)
  • fix(langgraph): assign stable IDs to id=None BaseMessages before DeltaChannel checkpoint writes (#7913)
  • release(checkpoint): 4.1.1 (#7890)

langgraph==1.2.1

Changes since 1.2.0

  • release(langgraph): 1.2.1 (#7883)
  • feat(langgraph): add before_builtins opt-in for stream transformers (#7882)
  • chore(deps): bump idna from 3.11 to 3.15 in /libs/langgraph (#7866)
  • fix(langgraph): keep tool results out of v3 messages (#7838)
  • chore(deps): bump langsmith from 0.7.31 to 0.8.0 in /libs/langgraph (#7788)

langgraph==1.2.0

Changes since 1.2.0a7

  • release: bump alpha packages to official versions (#7775)
  • feat(langgraph): durable error-handler resume across host crashes (#7773)
  • feat(langgraph): add set_node_defaults() to StateGraph (#7747)
  • chore(deps): bump urllib3 from 2.6.3 to 2.7.0 in /libs/langgraph (#7766)
  • chore(deps): bump mistune from 3.2.0 to 3.2.1 in /libs/langgraph (#7733)
  • chore(langgraph): bump langchain-core to 1.4.0 (#7767)
  • feat(checkpoint): force delta channel snapshot after max supersteps since last snapshot (#7746)
  • test(langgraph): de-flake heartbeat progress test (#7735)
  • chore(langgraph): re-implement exit mode for delta channel (#7730)
  • chore(deps): bump ty from 0.0.23 to 0.0.33 in /libs/sdk-py (#7666)
  • docs(checkpoint): mark DeltaChannel and delta-history APIs as beta (#7732)
  • chore(deps): bump jupyter-server from 2.17.0 to 2.18.0 in /libs/langgraph (#7713)
  • feat(checkpoint-sqlite): override get_delta_channel_history with streaming walk (#7702)
  • chore: "chore: minor clean up around checkpoint and delta channel" (#7706)
  • chore: minor clean up around checkpoint and delta channel (#7705)

langgraph==1.2.0a7

Changes since 1.2.0a6

  • release: alpha bump (a4) for langgraph, checkpoint, checkpoint-postgres (#7701)
  • feat: public get_writes_history saver API + delta cadence rework (#7699)

langgraph==1.2.0a6

langgraph v1.2 (alpha)

This release adds finer-grained control over node execution — timeouts, error recovery, and graceful shutdown — a new channel type that cuts checkpoint overhead for long-running threads, and a new content-block-centric streaming API (v3) with typed, per-channel projections.

DeltaChannel (beta)

... (truncated)

Commits
  • add2696 chore(langgraph): bump version to 1.2.2 (#7914)
  • 5d5a641 fix(langgraph): assign stable IDs to id=None BaseMessages before DeltaChannel...
  • d1e2ff0 release(checkpoint): 4.1.1 (#7890)
  • e787af2 release(sdk-py): 0.3.15 (#7891)
  • 604534e fix(sdk-py): percent-encode caller-supplied identifiers in URL paths (#7893)
  • 346aa97 fix(checkpoint): restrict lc:2 envelope revival to default constructor (#7892)
  • 82b3872 chore(deps): bump the uv group across 2 directories with 1 update (#7853)
  • fcc4ab8 chore(deps): bump idna from 3.11 to 3.15 in /libs/checkpoint (#7860)
  • 701d344 chore(deps): bump idna from 3.11 to 3.15 in /libs/checkpoint-postgres (#7861)
  • 2c7967c chore(deps): bump idna from 3.11 to 3.15 in /libs/cli (#7865)
  • Additional commits viewable in compare view

Updates langchain-core from 1.3.3 to 1.4.0

Release notes

Sourced from langchain-core's releases.

langchain-core==1.4.0

Changes since langchain-core==0.3.86

chore(infra): merge v1.4 into master (#37350) chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/core (#37329) fix(core): avoid eager pydantic.v1 import in @deprecated (#37308) chore: bump mistune from 3.1.4 to 3.2.1 in /libs/core (#37237) chore: bump jupyter-server from 2.17.0 to 2.18.0 in /libs/core (#37204) release(core): 1.3.3 (#37198) fix(core): set deprecation since to 1.3.3 to match release (#37200) fix(core, langchain): harden load() against untrusted manifests (#37197) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (#37109) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (#37129) fix(core): preserve structured inputs on tool runs in tracers (#37108) release(perplexity): 1.2.0 (#37091) chore(docs): update x handle references (#37081) fix(core): make removal optional in warn_deprecated (#37056) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (#36663) chore(core): mark stream_v2/astream_v2 as beta (#36992) release(core): 1.3.2 (#36990) feat(core): add content-block-centric streaming (v2) (#36834) release(core): 1.3.1 (#36972) feat(core): allow _format_output to pass through list of ToolOutputMixin instances (#36963) chore: bump nbconvert from 7.17.0 to 7.17.1 in /libs/core (#36923) feat(core): Update inheritance behavior for tracer metadata for special keys (#36900) chore: bump langsmith from 0.7.13 to 0.7.31 in /libs/core (#36813) release(core): release 1.3.0 (#36851) release(core): 1.3.0a3 (#36829) chore(core): keep checkpoint_ns behavior in streaming metadata for backwards compat (#36828) feat(core): Add chat model and LLM invocation params to traceable metadata (#36771) fix(core): restore cloud metadata IPs and link-local range in SSRF policy (#36816) chore(deps): bump pytest to 9.0.3 (#36801) chore(core): harden private SSRF utilities (#36768) fix(openai): handle content blocks without type key in responses api conversion (#36725) chore: bump pytest from 9.0.2 to 9.0.3 in /libs/core (#36719) release(core): 1.3.0.a2 (#36698) fix(core): Use reference counting for storing inherited run trees to support garbage collection (#36660) docs(core): nit (#36685) release(core): 1.3.0a1 (#36656) chore(core): reduce streaming metadata / perf (#36588) release(core): release 1.2.28 (#36614) fix(core): add more sanitization to templates (#36612) release(core): 1.2.27 (#36586) fix(core): handle symlinks in deprecated prompt save path (#36585) chore: add comment explaining pygments>=2.20.0 (#36570) release(core): 1.2.26 (#36511) fix(core): add init validator and serialization mappings for Bedrock models (#34510) feat(core): add ChatBaseten to serializable mapping (#36510) chore(core): drop gpt-3.5-turbo from docstrings (#36497) fix(core): correct parameter names in filter_messages docstring example (#36462)

... (truncated)

Commits
  • 70e66a1 chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/openrouter (#37352)
  • da380bc chore(infra): merge v1.4 into master (#37350)
  • bbd10fe chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/anthropic (#37343)
  • 11bbfb7 chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/fireworks (#37339)
  • 7fd61d2 chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/mistralai (#37338)
  • 5c096bb chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/nomic (#37334)
  • ac47d54 chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/chroma (#37333)
  • 7e5c570 chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/qdrant (#37332)
  • 2086b91 chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/core (#37329)
  • 407e33a chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/langchain (#37327)
  • Additional commits viewable in compare view

Updates langchain-community from 0.4.1 to 0.4.2

Release notes

Sourced from langchain-community's releases.

langchain-community==0.4.2

Sunsetting langchain-community

langchain-community is being sunset. See langchain-ai/langchain-community#674 for details and guidance. Thank you to everyone who has contributed integrations, fixes, reviews, and maintenance over the years.

What's Changed

... (truncated)

Commits
  • 7c10a5f fix: bump deps and fix test (#676)
  • 0d3630d fix: sunset package (#675)
  • 3ade247 chore(deps): bump urllib3 from 2.6.3 to 2.7.0 in /libs/community (#662)
  • 27c60ba chore(deps): bump langsmith from 0.7.31 to 0.8.4 in /libs/community (#666)
  • 2e8d934 chore(deps): bump jupyter-server from 2.17.0 to 2.18.0 in /libs/community (#654)
  • f0b16c2 chore(deps): bump mistune from 3.2.0 to 3.2.1 in /libs/community (#656)
  • bfbfe3f chore(deps): update scikit-learn requirement from <2,>=1.2.2 to >=1.7.2,<2 in...
  • 4cbef29 chore(deps): update hdbcli requirement from <3,>=2.19.21 to >=2.28.20,<3 in /...
  • 22377e1 chore(deps): update keybert requirement from >=0.8.5 to >=0.9.0 in /libs/comm...
  • c4dbaa2 chore(deps): bump notebook from 7.5.4 to 7.5.6 in /libs/community (#646)
  • Additional commits viewable in compare view

Updates langchain-openai from 1.0.3 to 1.2.2

Release notes

Sourced from langchain-openai's releases.

langchain-openai==1.2.2

Changes since langchain-openai==1.2.1

release(openai): 1.2.2 (#37617) chore(infra): bump langchain-tests floor to 1.1.9 (#37610) test(openai): unbreak audio chat and Azure embedding integration tests (#37589) fix(openai): guard httpx finalizers (#37570) chore: bump langsmith from 0.8.4 to 0.8.5 in /libs/partners/openai (#37549) chore: bump idna from 3.11 to 3.15 in /libs/partners/openai (#37548) ci(infra): harden Dependabot version-bound preservation (#37510) test(standard-tests): assert ls_model_name honors per-call model override (#37504) fix(openai): source LLM context size from model profiles (#37489) chore(core,langchain,openai): refresh stale OpenAI model references (#37487) fix(openai): broaden condition for ContextOverflowError to accommodate other providers (#37457) docs(openai): document base_url env var fallback chain (#37436) chore: bump langsmith from 0.8.0 to 0.8.4 in /libs/partners/openai (#37416) chore: bump langsmith from 0.7.31 to 0.8.0 in /libs/partners/openai (#37398) chore(infra): merge v1.4 into master (#37350) chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/openai (#37330) chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/openai (#37266) chore(docs): update x handle references (#37081) chore(model-profiles): refresh model profile data (#37074) chore(docs): update comment for chatopenai (#37034) chore(model-profiles): refresh model profile data (#37015)

langchain-openai==1.2.1

Changes since langchain-openai==1.2.0

hotfix: bump min core versions (#36996) release(openai): 1.2.1 (#36995) fix(openai): add gpt-5.5 pro to Responses API check (#36994) feat(core): add content-block-centric streaming (v2) (#36834) chore(model-profiles): refresh model profile data (#36982)

langchain-openai==1.2.0

Changes since langchain-openai==1.1.16

release(openai): 1.2.0 (#36961) feat(openai): prevent silent streaming hangs in ChatOpenAI (#36949) hotfix(ci): remove nobenchmark flag (#36959) chore(partners): standardize integration test invocation (#36958)

langchain-openai==1.1.16

Changes since langchain-openai==1.1.15

release(openai): 1.1.16 (#36927) fix(openai): tolerate prompt_cache_retention drift in streaming (#36925)

langchain-openai==1.1.15

Changes since langchain-openai==1.1.14

... (truncated)

Commits
  • a1e2daf release(openai): 1.2.2 (#37617)
  • 9e21348 fix(openai): guard httpx finalizers against uninitialized instances (#37568)
  • 74cecb4 ci(infra): expand integration tests dispatch dropdown to external partners (#...
  • 269d628 fix(standard-tests): recognize parametrize-nested xfails in override check (#...
  • 23d369e test(xai): tolerate extra block types in web search and xfail v1 streaming to...
  • aef86c4 chore(infra): bump langchain-tests floor to 1.1.9 (#37610)
  • ebc1880 release(standard-tests): 1.1.9 (#37609)
  • 22575ad test(standard-tests): allow extra content blocks in streaming assertions (#37...
  • 1aa4496 feat(langchain): register stream transformers on middleware (#37591)
  • d2931d8 release(fireworks): 1.4.1 (#37603)
  • Additional commits viewable in compare view

Updates openinference-instrumentation-langchain from 0.1.55 to 0.1.66

Release notes

Sourced from openinference-instrumentation-langchain's releases.

python-openinference-instrumentation-langchain: v0.1.66

0.1.66 (2026-05-18)

Bug Fixes

  • bump openinference-instrumentation minimum to >=0.1.51 (#3110) (bae43ff)

python-openinference-instrumentation-langchain: v0.1.65

0.1.65 (2026-05-14)

Bug Fixes

  • bump openinference-instrumentation minimum to >=0.1.50 (#3084) (8a96ad7)

python-openinference-instrumentation-langchain: v0.1.64

0.1.64 (2026-05-10)

Bug Fixes

  • bump openinference-instrumentation minimum to >=0.1.48 (#3042) (298e3bf)
  • bump openinference-instrumentation minimum to >=0.1.49 (#3063) (6fbe906)
Commits

Updates opentelemetry-exporter-otlp from 1.38.0 to 1.42.1

Changelog

Sourced from opentelemetry-exporter-otlp's changelog.

Version 1.42.1/0.63b1 (2026-05-21)

Fixed

  • Preserve the random trace ID flag when creating child spans instead of always setting the random trace id bit depending on the available trace id generator. (#5241)

Version 1.42.0/0.63b0 (2026-05-19)

Added

  • opentelemetry-api, opentelemetry-sdk: add support for 'random-trace-id' flags in W3C traceparent header trace flags. Implementations of IdGenerator that do randomly generate the 56 least significant bits, should also implement a is_trace_id_random methods that returns True. (#4854)
  • logs: add exception support to Logger emit and LogRecord attributes (#4908)
  • opentelemetry-exporter-otlp-proto-grpc: make retryable gRPC error codes configurable for gRPC exporters (#4917)
  • opentelemetry-sdk: Add create_logger_provider/configure_logger_provider to declarative file configuration, enabling LoggerProvider instantiation from config files without reading env vars (#4990)
  • opentelemetry-exporter-otlp-json-common: add 'opentelemetry-exporter-otlp-json-common' package for OTLP JSON exporters (#4996)
  • opentelemetry-sdk: Add service resource detector support to declarative file configuration via detection_development.detectors[].service (#5003)
  • opentelemetry-docker-tests: add docker-tests coverage of opentelemetry-exporter-otlp-proto-grpc and opentelemetry-exporter-otlp-proto-http metrics export (#5030)
  • Add registry keyword argument to PrometheusMetricReader to allow passing a custom Prometheus registry (#5055)
  • Add WeaverLiveCheck test util (#5088)
  • opentelemetry-sdk: add load_entry_point shared utility to declarative file configuration for loading plugins via entry points; refactor propagator loading to use it (#5093)
  • opentelemetry-sdk: add sampler plugin loading to declarative file configuration via the opentelemetry_sampler entry point group, matching the spec's PluginComponentProvider mechanism (#5095)

... (truncated)

Commits
  • 367e14d Prepare release 1.42.1/0.63b1 (#5243)
  • fd8e504 Preserve random trace ID flag for child spans (#5241) (#5242)
  • 013045e [release/v1.42.x-0.63bx] Prepare release 1.42.0/0.63b0 (#5225)
  • 1731583 ci: Enable GitHub Merge Queue support (#5209)
  • 7fab34d fix(config): allow deflate for OTLP HTTP exporters (#5075)
  • 0b690d2 ci: validate changelog fragment filenames (#5212)
  • d4fabb4 feat(config): exporter plugin loading via entry points for declarative config...
  • e19d346 feat(config): generic resource detector plugin loading for declarative config...
  • 1d69bd2 sdk/metrics: copy attributes dict to prevent post-recording mutation (#5106)
  • 990a611 feat(config): propagator plugin loading via entry points for declarative conf...
  • Additional commits viewable in compare view

Updates python-multipart from 0.0.28 to 0.0.29

Release notes

Sourced from python-multipart's releases.

Version 0.0.29

What's Changed

Full Changelog: Kludex/python-multipart@0.0.28...0.0.29

Changelog

Sourced from python-multipart's changelog.

0.0.29 (2026-05-17)

  • Handle malformed RFC 2231 continuations in parse_options_header #270.
Commits

Updates pyjwt from 2.12.1 to 2.13.0

Release notes

Sourced from pyjwt's releases.

2.13.0

PyJWT 2.13.0 — Security Release

This release bundles five security fixes plus three additional hardening / spec-compliance changes. We recommend all users upgrade.

Security

  • GHSA-xgmm-8j9v-c9wx — JWK JSON accepted as HMAC secret (algorithm confusion). HMACAlgorithm.prepare_key previously rejected PEM- and SSH-formatted asymmetric keys but did not catch a JWK passed as a raw JSON string. In a verifier configured with both symmetric and asymmetric algorithms in algorithms=[…] and a raw-JSON JWK as the key, an attacker could forge HS256 tokens using the JWK text as the HMAC secret. The guard has been extended to reject any JWK-shaped JSON. Reported by @​aradona91.

  • GHSA-jq35-7prp-9v3f — Algorithm allow-list bypass with PyJWK / PyJWKClient. When verifying with a PyJWK, the caller's algorithms=[…] allow-list was checked against the token header alg as a string only; actual verification used the algorithm bound to the PyJWK. An attacker who controlled a registered JWKS key could sign with one algorithm and advertise another on the header. PyJWT now requires the token header alg to match the PyJWK's algorithm before verification. Reported by @​sushi-gif.

  • GHSA-w7vc-732c-9m39 — DoS via base64 decode of unused payload segment when b64=false. For detached-payload JWS (b64=false), the compact-form payload segment was base64-decoded before being discarded in favor of the caller-supplied detached_payload. An attacker could inflate the unused segment to force CPU + memory cost without holding a valid signature. The segment is now required to be empty per RFC 7515 Appendix F, and is no longer decoded. Reported by @​thesmartshadow.

  • GHSA-993g-76c3-p5m4PyJWKClient accepts non-HTTP(S) URIs. PyJWKClient.fetch_data passed its URI to urllib.request.urlopen, which by default also handles file://, ftp://, and data: schemes. An application that fed an attacker-influenced URI into PyJWKClient could be coerced into reading local files or reaching other unintended schemes. PyJWKClient now rejects any URI whose scheme isn't http or https. Reported by @​KEIJOT.

  • GHSA-fhv5-28vv-h8m8PyJWKClient cache wiped on fetch error. A finally-block put(jwk_set=None) cleared the JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint outage into application-wide auth failure. The cache write was moved into the success path; transient errors no longer evict valid cached keys. Reported by @​eddieran.

Fixed

  • Reject empty HMAC keys outright in HMACAlgorithm.prepare_key with InvalidKeyError instead of accepting them with only a warning. Defends against the os.getenv("JWT_SECRET", "") footgun. Thanks to @​SnailSploit and @​spartan8806 for the reports.
  • Forward per-call options (including enforce_minimum_key_length) from PyJWT.decode through to PyJWS._verify_signature. The option was previously silently dropped between the two layers, so it only took effect when set on the PyJWT instance. Thanks to @​WLUB for the report.
  • RFC 7797 §3 compliance for b64=false: the encoder now auto-adds "b64" to crit, and the decoder rejects tokens that set b64=false without listing it in crit. Thanks to @​MachineLearning-Nerd for the report.

Changed

  • Migrate the dev, docs, and tests package extras to dependency groups, by @​kurtmckee in #1152.

Upgrade notes

Most fixes are invisible to correctly-configured callers. A few behavioral changes you may encounter:

  • Empty HMAC keys now raise. If your app passed "" or b"" as a secret (often via a missing env var, e.g. os.getenv("JWT_SECRET", "")), encode/decode will now raise InvalidKeyError. This is the intended behavior — fix the configuration.
  • PyJWK decoding now requires the token's alg to match the JWK's algorithm. Previously a mismatch was silently honored if the header alg appeared in the allow-list. Tokens that relied on this mismatch will now fail with InvalidAlgorithmError.
  • PyJWKClient now rejects non-HTTP(S) URIs at construction time. Tests or dev environments that fetched JWKS from file:// URIs need to switch to a local HTTP server or load the JWKS by other means (e.g. construct PyJWKSet.from_dict(...) directly).
  • b64=false tokens are now strictly RFC 7515 / 7797 compliant. Tokens with a non-empty compact-form payload segment, or that omit "b64" from crit, will be rejected. PyJWT-produced tokens always satisfy both invariants, so round-trips through PyJWT are unaffected.
  • enforce_minimum_key_length set per-call now takes effect. Callers who passed options={"enforce_minimum_key_length": True} to jwt.decode() previously got no enforcement; they will now get InvalidKeyError on undersized keys, as documented.

Full changelog: jpadilla/pyjwt@2.12.1...2.13.0

Changelog

Sourced from pyjwt's changelog.

v2.13.0 <https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0>__

Security


- Reject JWK JSON documents passed as raw HMAC secrets in
  ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that
  the existing PEM/SSH guard did not cover. Reported by @aradona91 in
  `GHSA-xgmm-8j9v-c9wx <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx>`__.
- Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during
  verification so the caller's ``algorithms=[...]`` allow-list cannot be
  bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported
  by @sushi-gif in `GHSA-jq35-7prp-9v3f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f>`__.
- Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker-
  influenced URIs cannot read local files or reach unintended schemes via
  urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported
  by @KEIJOT in `GHSA-993g-76c3-p5m4 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4>`__.
- Preserve the cached JWK Set on fetch errors in ``PyJWKClient.fetch_data``.
  The previous ``finally``-block ``put(None)`` pattern cleared the cache
  on any transient outage, turning one bad JWKS request into application-
  wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8>`__.
- Skip the unconditional base64 decode of the compact-form payload segment
  when ``b64=false`` is set in the protected header, and require that
  segment to be empty (RFC 7515 Appendix F detached form). Closes an
  unauthenticated DoS amplifier. Reported by @thesmartshadow in
  `GHSA-w7vc-732c-9m39 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39>`__.

Fixed



- Reject ...

Description has been truncated

@dependabot
chore(deps): Bump the minor-and-patch group
362619d 
Bumps the minor-and-patch group in /a2a/image_service with 9 updates:

| Package | From | To |
| --- | --- | --- |
| [langgraph](https://github.com/langchain-ai/langgraph) | `1.0.3` | `1.2.2` |
| [langchain-core](https://github.com/langchain-ai/langchain) | `1.3.3` | `1.4.0` |
| [langchain-community](https://github.com/langchain-ai/langchain-community) | `0.4.1` | `0.4.2` |
| [langchain-openai](https://github.com/langchain-ai/langchain) | `1.0.3` | `1.2.2` |
| [openinference-instrumentation-langchain](https://github.com/Arize-ai/openinference) | `0.1.55` | `0.1.66` |
| [opentelemetry-exporter-otlp](https://github.com/open-telemetry/opentelemetry-python) | `1.38.0` | `1.42.1` |
| [python-multipart](https://github.com/Kludex/python-multipart) | `0.0.28` | `0.0.29` |
| [pyjwt](https://github.com/jpadilla/pyjwt) | `2.12.1` | `2.13.0` |
| [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.8.4` | `0.8.6` |


Updates `langgraph` from 1.0.3 to 1.2.2
- [Release notes](https://github.com/langchain-ai/langgraph/releases)
- [Commits](langchain-ai/langgraph@1.0.3...1.2.2)

Updates `langchain-core` from 1.3.3 to 1.4.0
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-core==1.3.3...langchain-core==1.4.0)

Updates `langchain-community` from 0.4.1 to 0.4.2
- [Release notes](https://github.com/langchain-ai/langchain-community/releases)
- [Commits](langchain-ai/langchain-community@libs/community/v0.4.1...libs/community/v0.4.2)

Updates `langchain-openai` from 1.0.3 to 1.2.2
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-openai==1.0.3...langchain-openai==1.2.2)

Updates `openinference-instrumentation-langchain` from 0.1.55 to 0.1.66
- [Release notes](https://github.com/Arize-ai/openinference/releases)
- [Commits](Arize-ai/openinference@python-openinference-instrumentation-langchain-v0.1.55...python-openinference-instrumentation-langchain-v0.1.66)

Updates `opentelemetry-exporter-otlp` from 1.38.0 to 1.42.1
- [Release notes](https://github.com/open-telemetry/opentelemetry-python/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-python/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-python@v1.38.0...v1.42.1)

Updates `python-multipart` from 0.0.28 to 0.0.29
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.28...0.0.29)

Updates `pyjwt` from 2.12.1 to 2.13.0
- [Release notes](https://github.com/jpadilla/pyjwt/releases)
- [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst)
- [Commits](jpadilla/pyjwt@2.12.1...2.13.0)

Updates `langsmith` from 0.8.4 to 0.8.6
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](langchain-ai/langsmith-sdk@v0.8.4...v0.8.6)

---
updated-dependencies:
- dependency-name: langgraph
  dependency-version: 1.2.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: langchain-core
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: langchain-community
  dependency-version: 0.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: langchain-openai
  dependency-version: 1.2.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: openinference-instrumentation-langchain
  dependency-version: 0.1.66
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: opentelemetry-exporter-otlp
  dependency-version: 1.42.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: python-multipart
  dependency-version: 0.0.29
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: pyjwt
  dependency-version: 2.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: langsmith
  dependency-version: 0.8.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels May 28, 2026
This was referenced May 28, 2026
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

Kagenti Issue Prioritization
Status: New /:ToDo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rubambiza