chore(deps-dev): bump @langchain/core from 1.0.1 to 1.1.8

[dependabot]

Bumps @langchain/core from 1.0.1 to 1.1.8.

Release notes

Sourced from @​langchain/core's releases.

@​langchain/core@​1.1.8

Patch Changes

• #9707 e5063f9 Thanks @​hntrl! - add security hardening for load

• #9684 8996647 Thanks @​christian-bromann! - fix(core): document purpose of name in base message

@​langchain/core@​1.1.6

Patch Changes

• #9668 a7b2a7d Thanks @​bracesproul! - fix: Cannot merge two undefined objects error

• #9657 a496c5f Thanks @​dqbd! - fix(core): avoid writing to TransformStream in EventStreamCallbackHandler when underlying ReadableStream is closed

• #9658 1da1325 Thanks @​dqbd! - fix(core): ensure streaming test chat models respect AbortSignal

@​langchain/core@​1.1.5

Patch Changes

• #9641 005c729 Thanks @​christian-bromann! - fix(community/core): various security fixes

• #7907 ab78246 Thanks @​jasonphillips! - fix(core): handle subgraph nesting better in graph_mermaid

• #9589 8cc81c7 Thanks @​nathannewyen! - test(core): add test for response_metadata in streamEvents

• #9644 f32e499 Thanks @​hntrl! - add bindTools to FakeListChatModel

• #9508 a28d83d Thanks @​shubham-021! - Fix toFormattedString() to properly display nested objects in tool call arguments instead of [object Object]

• #9165 2e5ad70 Thanks @​pawel-twardziak! - fix(mcp-adapters): preserve timeout from RunnableConfig in MCP tool calls

• #9647 e456c66 Thanks @​hntrl! - handle missing parent runs in tracer to prevent LangSmith 400 errors

• #9597 1cfe603 Thanks @​hntrl! - use uuid7 for run ids

@​langchain/core@​1.1.4

Patch Changes

• #9575 0bade90 Thanks @​hntrl! - bin p-retry

• #9574 6c40d00 Thanks @​hntrl! - Revert "fix(@​langchain/core): update and bundle dependencies (#9534)"

@​langchain/core@​1.1.3

Patch Changes

• #9534 bd2c46e Thanks @​christian-bromann! - fix(@​langchain/core): update and bundle p-retry, ansi-styles, camelcase and decamelize dependencies

• #9544 487378b Thanks @​hntrl! - fix tool chunk concat behavior (#9450)

• #9505 138e7fb Thanks @​chosh-dev! - feat: replace btoa with toBase64Url for encoding in drawMermaidImage

... (truncated)

Commits

• de32b32 chore: version packages (#9697)
• e5063f9 fix!(core/langchain): hardening for load (#9707)
• 8b3e611 chore(turbopuffer): rollback version (#9698)
• 8996647 fix(core): document purpose of name in base message (#9684)
• 8df6264 chore: version packages (#9676)
• df9c42b feat(core): usage_metadata in extra.metadata (#9686)
• 4ea3a52 fix(ci): use appropriate path for core PR labels (#9696)
• ffb2402 feat(langchain): context (#9673)
• 8d2982b feat(core): Make runnable transform trace in a single payload in LangChainTra...
• 2b36431 fix(mcp-adapters): bump @​modelcontextprotocol/sdk to address CVE-2025-66414 (...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​langchain/core since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Important

Bump @langchain/core from 1.0.1 to 1.1.8 in package.json with security and functionality improvements.

• Dependency Update:
  • Bump @langchain/core from 1.0.1 to 1.1.8 in package.json.
• Improvements:
  • Security hardening for load function.
  • Fix for merging undefined objects.
  • Improved handling of closed ReadableStream in EventStreamCallbackHandler.
  • Various security fixes and better subgraph nesting handling.
  • Use uuid7 for run IDs to prevent errors.
  • Added bindTools to FakeListChatModel and improved toFormattedString() for nested objects.

^{This description was created by for f3220e2. You can customize this summary. It will automatically update as commits are pushed.}

Disclaimer: Experimental PR review

Greptile Summary

This PR updates @langchain/core from version 1.0.1 to 1.1.8, bringing important security hardening and bug fixes.

Key Changes:

• Security hardening for the load function (addresses potential security vulnerabilities)
• Fixed "Cannot merge two undefined objects" error
• Fixed handling of closed ReadableStreams in EventStreamCallbackHandler
• Fixed missing parent runs in tracer to prevent LangSmith 400 errors
• Now using uuid7 for run IDs instead of uuid4
• Removed p-retry as a direct dependency (now bundled internally)

Transitive Updates:

• langsmith: 0.3.74 → 0.4.2
• js-tiktoken: 1.0.20 → 1.0.21
• Minor version bumps for ansi-styles, console-table-printer, and semver

The update is fully backward compatible - all APIs used in the codebase (types, base classes, messages from @langchain/core) remain stable. The langchain CallbackHandler implementation should continue to work without any code changes.

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• This is a standard dependency update from a bot that includes important security fixes and bug improvements. All changes are within the minor version range (1.0.1 → 1.1.8) and maintain backward compatibility. The codebase only uses stable APIs from @langchain/core that have not changed. The security hardening for the load function is a valuable improvement.
• No files require special attention

Important Files Changed

Filename	Overview
package.json	Updated @langchain/core from ^1.0.1 to ^1.1.8 for security fixes and bug improvements
pnpm-lock.yaml	Lock file updated with new dependency versions, including transitive updates to langsmith, js-tiktoken, and other packages

Sequence Diagram

sequenceDiagram
    participant D as Dependabot
    participant P as package.json
    participant L as pnpm-lock.yaml
    participant LC as @langchain/core
    participant LS as langsmith
    participant T as Transitive Deps

    D->>P: Update @langchain/core: 1.0.1 → 1.1.8
    P->>L: Trigger lock file update
    L->>LC: Resolve @langchain/core@1.1.8
    LC->>LS: Pull langsmith 0.4.2 (was 0.3.74)
    LC->>T: Update js-tiktoken, ansi-styles, etc
    T-->>L: Lock transitive dependencies
    L-->>D: Dependencies resolved and locked

Loading

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
langfuse-js	Ready	Preview	Dec 23, 2025 8:10pm