[Snyk] Security upgrade langchain from 0.0.63 to 0.1.29

[snyk-io]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json
• package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Prototype Pollution SNYK-JS-EXPREVAL-13508636	665

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

---

EntelligenceAI PR Summary

This PR upgrades LangChain from 0.0.63 to 0.1.29, transitioning to a modular architecture with breaking changes in dependencies.

• Introduced modular LangChain packages: @langchain/community, @langchain/core, @langchain/openai
• Upgraded @anthropic-ai/sdk from 0.4.3 to 0.9.1 with updated dependencies
• Upgraded openai from 3.2.1 to 4.104.0 with breaking dependency structure changes
• Removed deprecated packages: @dqbd/tiktoken, @fortaine/fetch-event-source, browser-or-node, isomorphic-fetch
• Added modern replacements: js-tiktoken for tokenization, native fetch implementations
• Added new utility packages: langsmith, langchainhub, mustache, decamelize
• Updated @upstash/redis to use uncrypto for cryptographic operations

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
agent-gpt	Error			Nov 16, 2025 9:42pm
solana-ai-agent-gpt5	Error			Nov 16, 2025 9:42pm

[snyk-io]

⛔ Snyk checks have failed. 1 issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (1)
⛔	Open Source Security	0	0	1	0	1 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	langchain@​0.0.63 ⏵ 0.1.29	+1		+16

View full report

[entelligence-ai-pr-reviews]

🔒 Entelligence AI Vulnerability Scanner

✅ No security vulnerabilities found!

Your code passed our comprehensive security analysis.

---

[entelligence-ai-pr-reviews]

Walkthrough

This PR upgrades the LangChain library from version 0.0.63 to 0.1.29, representing a significant architectural shift from a monolithic package to a modular structure. The update introduces new scoped packages (@langchain/community, @langchain/core, @langchain/openai) and upgrades critical dependencies including @anthropic-ai/sdk (0.4.3→0.9.1) and openai (3.2.1→4.104.0). Several deprecated packages are removed and replaced with modern alternatives: @dqbd/tiktoken is replaced with js-tiktoken, and isomorphic-fetch dependencies are replaced with native fetch implementations. New utility packages (langsmith, langchainhub, mustache, decamelize) are added to support enhanced functionality. The @upstash/redis package is updated to use uncrypto instead of isomorphic-fetch for cryptographic operations.

Changes

File(s)	Summary
package.json	Updated langchain dependency from ^0.0.63 to ^0.1.29, representing a significant minor version bump with potential breaking changes and new features.
package-lock.json	Updated langchain from 0.0.63 to 0.1.29 with new modular dependencies (@langchain/community, @langchain/core, @langchain/openai); upgraded @anthropic-ai/sdk from 0.4.3 to 0.9.1 and openai from 3.2.1 to 4.104.0; removed deprecated packages (@dqbd/tiktoken, @fortaine/fetch-event-source, browser-or-node, isomorphic-fetch) and replaced with modern alternatives (js-tiktoken, native fetch); added new utility packages (langsmith, langchainhub, mustache, decamelize); updated @upstash/redis to use uncrypto instead of isomorphic-fetch.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant App as Application
    participant LC as langchain (v0.1.29)
    participant Core as @langchain/core
    participant Community as @langchain/community
    participant OpenAI as @langchain/openai
    participant Hub as langchainhub
    participant Smith as langsmith
    participant Anthropic as @anthropic-ai/sdk (v0.9.1)
    participant OpenAIAPI as openai (v4.104.0)
    participant Redis as @upstash/redis (v1.35.6)
    participant Tiktoken as js-tiktoken

    App->>LC: Initialize LangChain
    LC->>Core: Load core abstractions
    Core->>Tiktoken: Initialize tokenizer
    Tiktoken-->>Core: Tokenizer ready
    
    LC->>Community: Load community integrations
    Community->>Core: Register integrations
    
    LC->>OpenAI: Initialize OpenAI provider
    OpenAI->>Core: Register as LLM provider
    OpenAI->>OpenAIAPI: Setup API client
    OpenAIAPI-->>OpenAI: Client configured
    
    App->>LC: Create LLM chain
    LC->>Hub: Fetch prompt template
    Hub-->>LC: Return template
    
    LC->>Smith: Initialize tracing
    Smith-->>LC: Tracing enabled
    
    App->>LC: Execute chain with input
    
    alt Using OpenAI
        LC->>OpenAI: Route to OpenAI provider
        OpenAI->>OpenAIAPI: Send completion request
        OpenAIAPI-->>OpenAI: Return response
        OpenAI->>Smith: Log interaction
    else Using Anthropic
        LC->>Community: Route to Anthropic integration
        Community->>Anthropic: Send message request
        Anthropic-->>Community: Return response
        Community->>Smith: Log interaction
    end
    
    LC->>Redis: Cache result
    Redis-->>LC: Cached
    
    LC->>Core: Process response through chain
    Core->>Tiktoken: Count tokens
    Tiktoken-->>Core: Token count
    
    LC-->>App: Return final output
    
    Note over LC,Smith: New modular architecture<br/>separates concerns and<br/>enables better extensibility

Loading

▶️ ⚡ AI Code Reviews for VS Code, Cursor, Windsurf
Install the extension

Note for Windsurf

Please change the default marketplace provider to the following in the windsurf settings:

Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery

Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items

Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts below

Emoji Descriptions:

• ⚠️ Potential Issue - May require further investigation.
• 🔒 Security Vulnerability - Fix to ensure system safety.
• 💻 Code Improvement - Suggestions to enhance code quality.
• 🔨 Refactor Suggestion - Recommendations for restructuring code.
• ℹ️ Others - General comments and information.

Interact with the Bot:

• Send a message or request using the format:
  @entelligenceai + *your message*

Example: @entelligenceai Can you suggest improvements for this code?

• Help the Bot learn by providing feedback on its responses.
  @entelligenceai + *feedback*

Example: @entelligenceai Do not comment on `save_auth` function !

Also you can trigger various commands with the bot by doing
@entelligenceai command

The current supported commands are

1. config - shows the current config
2. retrigger_review - retriggers the review

More commands to be added soon.