RFC: Expedited langchain 0.2 release

[baskaryan]

Context

Currently langchain (the package) depends on langchain-community. This is done only for backwards compatibility with langchain versions that predate the split of langchain and langchain-community. Since langchain 0.1 we have been planning to remove this dependency in langchain 0.2 and have added deprecation warnings indicating as much in all places where langchain-community is imported. The main motivation was to make our packages as modular and lightweight as possible. There are a number of other breaking changes we were hoping to make in 0.2 (some listed in #15713).

Recently a number of CVE’s have been filed against langchain. The relevant code for most of these originates in langchain-community and not langchain. We have remediated these as quickly as possible by patching the ones we agree with and disputing the others, however it can still take some time for them to be resolved in CVE databases. Having outstanding CVE’s in these databases prevents some organizations from being able to use langchain.

Proposal

We are proposing that we remove the dependency of langchain on langchain-community ASAP, and bump langchain to 0.2 to reflect this breaking change.

To our knowledge there are currently no CVE’s filed against langchain that we have not patched and submitted a resolution request for. However, to minimize the possibility of future CVE’s, we are proposing that we remove the dependency of langchain on langchain-community and all imports from langchain-community.

To emphasize, langchain 0.2 was always slated to drop the langchain-community dependency, which was only kept around in 0.1 for backwards compatibility. This is a change we were going to make at some point soon. We had originally planned to make a number of other breaking refactors in 0.2, but given the urgency of preventing any more CVE’s we think it’s best to remove the langchain-community dependency now and push back the refactors for langchain 0.3.

Impact

The impact of this change would be:

• langchain>=0.2 will not depend on langchain-community
• If you're using langchain-community modules and langchain>=0.2 you'll need to add langchain-community as an explicit dependency
• Any langchain imports that are actually langchain-community imports under the hood would stop working. e.g. currently you can run

# BEFORE: langchain<=0.1, langchain-community

# Incorrect but works, raises DeprecationWarning
from langchain.chat_models import ChatOllama

# Correct
from langchain_comunity.chat_models import ChatOllama

even though the ChatOllama implementation lives in langchain-community. Importing ChatOllama from langchain raises a DeprecationWarning but it still works. After this change users will need to import langchain-community modules from langchain-community directly

# AFTER: langchain==0.2, langchain-community

# Incorrect and raises error
from langchain.chat_models import ChatOllama

# Correct
from langchain_comunity.chat_models import ChatOllama

We're working on a migration script that should help correct any langchain imports that should be langchain-community imports.

Alternatives

• Remove langchain-community as s dependency but keep conditional imports from it, so that if you have it installed your existing langchain imports that use langchain-community under the hood will continue to work. We suspect this will cause CVE’s to continue being filed against langchain .
• Continue to fix CVE’s as they come up. Drop langchain-community as a dependency and bump to 0.2 later along with other breaking changes.

Request for comment

We’d love to know what people think of the proposal and its alternatives. The goal is to make life easier for our users, so if this change will cause you any issues we really want to know about it.

Please feel free to leave a comment, or leave a reaction:
👍 Move to 0.2 immediately with the only change being removing the langchain_community dependency
👎 Wait to remove langchain_community until a more proper 0.2 release

Related: Security policy

Identifying vulnerabilities so that we can remediate them is invaluable work. To make sure that we can address these as quickly as possible, and to make sure that only real vulnerabilities get filed, please follow our security policy:  https://github.com/langchain-ai/langchain/security/policy.

For more on how to build secure LangChain apps, please see our security guidelines: https://python.langchain.com/docs/security.

[spencermize]

1️⃣

[dipanjanS]

Since we have already started doing this with modules like langchain-openai which is now separate from langchain this makes sense, albeit it will be a bit difficult initially to adjust to because it breaks backwards compatibility. Having said that CVEs are definitely something serious so +1 from my side

[SoulEvill]

as user come back to langchain because of this change, focus on core not bloated library. so definitely +1 for me.

[leo-gan]

Since it is a breaking change, I assume you freeze the 0.1 version. What is the supporting time for it?
Please, explicitly declare the supporting period and the supporting details. Do you freeze the 0.1 documentation and open access to it for a period of time? What about the version of the core [and other dependent packages]? Do you also freeze and support them?

[jeanbapt]

Train a Bot on 0.2 and automated assistance for transition. Shut down all bots providing misleading advices on deprecated setups. Get a crystal clear doc and examples ( not with oldies examples ).

Keep this simple, secure and powerful. Resist the bloat. 🤗

[JacobFV]

👍 Remove langchain-community as s dependency but keep conditional imports from it

[baskaryan]

Our understanding is that this may lead to CVE's still being filed against langchain unfortunately

[kurianbenoy]

Go ahead. It's fine. Help users with proper error messages. That's all you need to do and then drop langchain-community from langchain package.

[sepiatone]

Any update as to when this might happen? Will open PRs be closed for it?

[shobhitagnihotri69]

Please update ducumenataion

[baskaryan]

we did a big update to docs! if you have any feedback we'd love to hear it #21716