remove CVEs (#8092)
This PR aims to move all code with CVEs into `langchain.experimental`.
Note that we are NOT yet removing this code from the core `langchain` package - we
will give people a week to migrate to `langchain.experimental` first.

See MIGRATE.md for how to migrate

Zero changes to functionality

Vulnerabilities this addresses:

PALChain:
- https://security.snyk.io/vuln/SNYK-PYTHON-LANGCHAIN-5752409
- https://security.snyk.io/vuln/SNYK-PYTHON-LANGCHAIN-5759265

SQLDatabaseChain
- https://security.snyk.io/vuln/SNYK-PYTHON-LANGCHAIN-5759268

`load_prompt` (Python files only)
- https://security.snyk.io/vuln/SNYK-PYTHON-LANGCHAIN-5725807
hwchase17 committed Jul 21, 2023
1 parent 08c658d commit d353d66
Showing 55 changed files with 1,283 additions and 29 deletions.
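--- a/MIGRATE.md
+++ b/MIGRATE.md
@@ -0,0 +1,47 @@
+# Migrating to `langchain.experimental`
+
+We are moving any experimental components of langchain, or components with vulnerability issues, into `langchain.experimental`.
+This guide covers how to migrate.
+
+## Installation
+
+Previously:
+
+`pip install -U langchain`
+
+Now:
+
+`pip install -U langchain langchain.experimental`
+
+## PALChain
+
+Previously:
+
+`from langchain.chains import PALChain`
+
+Now:
+
+`from langchain.experimental.pal_chain import PALChain`
+
+## SQLDatabaseChain
+
+Previously:
+
+`from langchain.chains import SQLDatabaseChain`
+
+Now:
+
+`from langchain.experimental.sql import SQLDatabaseChain`
+
+## `load_prompt` for Python files
+
+Note: this only applies if you want to load Python files as prompts.
+If you want to load json/yaml files, no change is needed.
+
+Previously:
+
+`from langchain.prompts import load_prompt`
+
+Now:
+
+`from langchain.experimental.prompts import load_prompt`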
File renamed without changes.
Expand Up @@ -2,6 +2,8 @@

from typing import List, Optional

from pydantic import ValidationError

from langchain.chains.llm import LLMChain
from langchain.chat_models.base import BaseChatModel
from langchain.experimental.autonomous_agents.autogpt.output_parser import (
Expand All @@ -21,7 +23,6 @@
from langchain.tools.base import BaseTool
from langchain.tools.human.tool import HumanInputRun
from langchain.vectorstores.base import VectorStoreRetriever
from pydantic import ValidationError


class AutoGPT:
@@ -1,8 +1,9 @@
from typing import Any, Dict, List

from pydantic import Field

from langchain.memory.chat_memory import BaseChatMemory, get_prompt_input_key
from langchain.vectorstores.base import VectorStoreRetriever
from pydantic import Field


class AutoGPTMemory(BaseChatMemory):
@@ -1,14 +1,15 @@
import time
from typing import Any, Callable, List

from pydantic import BaseModel

from langchain.experimental.autonomous_agents.autogpt.prompt_generator import get_prompt
from langchain.prompts.chat import (
BaseChatPromptTemplate,
)
from langchain.schema.messages import BaseMessage, HumanMessage, SystemMessage
from langchain.tools.base import BaseTool
from langchain.vectorstores.base import VectorStoreRetriever
from pydantic import BaseModel


class AutoGPTPrompt(BaseChatPromptTemplate, BaseModel):
Expand Up @@ -2,6 +2,8 @@
from collections import deque
from typing import Any, Dict, List, Optional

from pydantic import BaseModel, Field

from langchain.callbacks.manager import CallbackManagerForChainRun
from langchain.chains.base import Chain
from langchain.experimental.autonomous_agents.baby_agi.task_creation import (
Expand All @@ -15,7 +17,6 @@
)
from langchain.schema.language_model import BaseLanguageModel
from langchain.vectorstores.base import VectorStore
from pydantic import BaseModel, Field


class BabyAGI(Chain, BaseModel):
@@ -1,4 +1,5 @@
from langchain import LLMChain, PromptTemplate
from langchain.chains import LLMChain
from langchain.prompts import PromptTemplate
from langchain.schema.language_model import BaseLanguageModel


@@ -1,4 +1,5 @@
from langchain import LLMChain, PromptTemplate
from langchain.chains import LLMChain
from langchain.prompts import PromptTemplate
from langchain.schema.language_model import BaseLanguageModel


@@ -1,4 +1,5 @@
from langchain import LLMChain, PromptTemplate
from langchain.chains import LLMChain
from langchain.prompts import PromptTemplate
from langchain.schema.language_model import BaseLanguageModel


Expand Up @@ -7,6 +7,7 @@
from typing import Any, ClassVar, Dict, List, Optional, Type

import pydantic

from langchain.base_language import BaseLanguageModel
from langchain.callbacks.manager import CallbackManagerForChainRun
from langchain.chains.base import Chain
Expand Up @@ -5,9 +5,10 @@

import duckdb
import pandas as pd
from pydantic import BaseModel, Field, PrivateAttr, root_validator, validator

from langchain.experimental.cpal.constants import Constant
from langchain.graphs.networkx_graph import NetworkxEntityGraph
from pydantic import BaseModel, Field, PrivateAttr, root_validator, validator


class NarrativeModel(BaseModel):
Expand Up @@ -2,11 +2,12 @@
from datetime import datetime
from typing import Any, Dict, List, Optional, Tuple

from langchain import LLMChain
from pydantic import BaseModel, Field

from langchain.chains import LLMChain
from langchain.experimental.generative_agents.memory import GenerativeAgentMemory
from langchain.prompts import PromptTemplate
from langchain.schema.language_model import BaseLanguageModel
from pydantic import BaseModel, Field


class GenerativeAgent(BaseModel):
Expand Up @@ -3,7 +3,7 @@
from datetime import datetime
from typing import Any, Dict, List, Optional

from langchain import LLMChain
from langchain.chains import LLMChain
from langchain.prompts import PromptTemplate
from langchain.retrievers import TimeWeightedVectorStoreRetriever
from langchain.schema import BaseMemory, Document
Expand Up @@ -4,9 +4,10 @@
import json
from typing import TYPE_CHECKING, Any, List, Optional, cast

from pydantic import Field, root_validator

from langchain.callbacks.manager import CallbackManagerForLLMRun
from langchain.llms.huggingface_pipeline import HuggingFacePipeline
from pydantic import Field, root_validator

if TYPE_CHECKING:
import jsonformer
Expand Up @@ -3,10 +3,11 @@

from typing import TYPE_CHECKING, Any, List, Optional, cast

from pydantic import Field, root_validator

from langchain.callbacks.manager import CallbackManagerForLLMRun
from langchain.llms.huggingface_pipeline import HuggingFacePipeline
from langchain.llms.utils import enforce_stop_tokens
from pydantic import Field, root_validator

if TYPE_CHECKING:
import rellm
10 changes: 10 additions & 0 deletions libs/experimental/langchain/experimental/pal_chain/__init__.py
@@ -0,0 +1,10 @@
"""Implements Program-Aided Language Models.
As in https://arxiv.org/pdf/2211.10435.pdf.
This is vulnerable to arbitrary code execution:
https://github.com/hwchase17/langchain/issues/5872
"""
from langchain.experimental.pal_chain.base import PALChain

__all__ = ["PALChain"]
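Review bot: The module docstring in `pal_chain/__init__.py` records that PALChain is vulnerable to arbitrary code execution but stops at the issue link, so someone importing from this package gets no statement of the trust boundary. The commit description says there are zero changes to functionality, so relocating the class does not by itself reduce the exposure for anyone who installs the experimental package and keeps using it. I would extend the docstring with a sentence such as `Only run PALChain on inputs you trust and in an isolated environment; moving it to langchain.experimental does not fix the issue.` The implementation in `pal_chain/base.py` is not shown in this section, so whether any guard exists there cannot be confirmed from here.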
