
maxdeichmann (Member) commented Dec 23, 2025

Important

Upgrade @langchain/core dependency from ^1.0.1 to ^1.1.8 in package.json.

  • Dependencies:
    • Upgrade @langchain/core from ^1.0.1 to ^1.1.8 in package.json.

This description was created by Ellipsis for 5c70428.

Disclaimer: Experimental PR review

Greptile Summary

This PR upgrades @langchain/core from v1.0.1 to v1.1.8 as a security update. The upgrade is compatible with the existing codebase, as the CallbackHandler was already adapted for v1.1.x compatibility in commit 74f8d1b.

Key Changes:

  • Updated @langchain/core to v1.1.8 (minor version bump within semver range)
  • Transitive dependency updates: langsmith (0.3.74 → 0.4.2), js-tiktoken (1.0.20 → 1.0.21), semver (7.7.2 → 7.7.3)
  • Removed p-retry as a direct dependency (likely internalized by langsmith)
  • Added console-table-printer 2.15.0 as a new transitive dependency

Compatibility:
The codebase is already compatible with langchain v1.1.x - the CallbackHandler was previously updated to handle the new message format where inputs/outputs can contain a messages array (in addition to the previous input array format).

Confidence Score: 5/5

  • This PR is safe to merge with no risk
  • The upgrade is a minor version bump within the declared semver range (^1.0.1 allows 1.1.8). The CallbackHandler was already adapted for v1.1.x compatibility in a previous commit (74f8d1b), ensuring backward compatibility. All transitive dependency updates are minor/patch versions with no breaking changes. The removal of p-retry as a direct dependency suggests it was internalized by langsmith, which is a normal dependency consolidation.
  • No files require special attention

Important Files Changed

Filename: package.json
Overview: Upgraded @langchain/core from ^1.0.1 to ^1.1.8 for security patch

Filename: pnpm-lock.yaml
Overview: Updated lockfile with new @langchain/core v1.1.8 and transitive dependencies (langsmith 0.4.2, js-tiktoken 1.0.21, semver 7.7.3); removed p-retry dependency

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant Pkg as package.json
    participant Lock as pnpm-lock.yaml
    participant LC as @langchain/core
    participant LS as langsmith
    participant JT as js-tiktoken

    Dev->>Pkg: Update @langchain/core: ^1.0.1 → ^1.1.8
    Dev->>Lock: Run pnpm install
    Lock->>LC: Resolve @langchain/core@1.1.8
    LC->>LS: Require langsmith (peer dep)
    Lock->>LS: Update langsmith: 0.3.74 → 0.4.2
    LC->>JT: Require js-tiktoken
    Lock->>JT: Update js-tiktoken: 1.0.20 → 1.0.21
    Lock->>Lock: Remove p-retry direct dependency
    Lock->>Lock: Add console-table-printer@2.15.0
    Lock->>Lock: Update semver: 7.7.2 → 7.7.3
    Lock-->>Dev: Lock file updated with compatible versions
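The summary above rests on two separate facts: the old range ^1.0.1 already permitted 1.1.8, so the package.json edit by itself does not prove anything about what is installed; it is the pnpm-lock.yaml pin that decides which version ships. The following script is an added example, not code from the langfuse-js project or from either review bot. It implements caret, tilde and exact specifier matching from scratch (no dependency on the semver package) and reads the resolved version out of a constructed pnpm-lock.yaml fragment with a minimal line scanner written for that shape only. It treats 1.1.8 as the patched floor simply because that is the version this PR moves to; the lockfile contents and the peer-dependency suffix in it are constructed sample data.

```javascript
// Added example (not langfuse-js project code): check that a lockfile actually
// pins a dependency to a version that (a) satisfies the package.json range and
// (b) is at or above the version carrying the security fix.
// Only caret (^), tilde (~) and exact specifiers are handled; the lockfile
// reader is a minimal scanner for the pnpm-lock.yaml shape constructed below.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1 comparing two dotted versions numerically (not lexically).
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Returns [lowerInclusive, upperExclusive] for a specifier such as ^1.0.1.
function rangeBounds(spec) {
  const s = spec.trim();
  const op = s[0] === '^' || s[0] === '~' ? s[0] : '';
  const [maj, min, pat] = parseVersion(op ? s.slice(1) : s);
  const lower = `${maj}.${min}.${pat}`;
  let upper;
  if (op === '^') {
    // Caret: anything that keeps the left-most non-zero component unchanged.
    if (maj > 0) upper = `${maj + 1}.0.0`;
    else if (min > 0) upper = `0.${min + 1}.0`;
    else upper = `0.0.${pat + 1}`;
  } else if (op === '~') {
    upper = `${maj}.${min + 1}.0`; // Tilde: patch-level changes only.
  } else {
    upper = `${maj}.${min}.${pat + 1}`; // Exact pin.
  }
  return [lower, upper];
}

function satisfies(version, spec) {
  const [lo, hi] = rangeBounds(spec);
  return compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0;
}

// Finds the `'<name>':` entry and returns its `version:` value, dropping the
// parenthesised peer-dependency suffix pnpm appends after the version number.
function resolvedFromPnpmLock(lockText, name) {
  const lines = lockText.split('\n');
  const key = `'${name}':`;
  for (let i = 0; i < lines.length; i++) {
    if (lines[i].trim() !== key) continue;
    for (let j = i + 1; j < lines.length && j <= i + 3; j++) {
      const m = /^\s*version:\s*([^\s(]+)/.exec(lines[j]);
      if (m) return m[1];
    }
  }
  return null;
}

// Core check: is the pinned version inside the declared range, and is it
// at or above the version that carries the fix?
function auditDependency(pkgJson, lockText, name, fixedVersion) {
  const declared = pkgJson.dependencies[name];
  const resolved = resolvedFromPnpmLock(lockText, name);
  return {
    declared,
    resolved,
    inRange: resolved !== null && satisfies(resolved, declared),
    patched: resolved !== null && compareVersions(resolved, fixedVersion) >= 0,
  };
}

// Constructed sample inputs (not the real lockfile): state before and after the bump.
const PACKAGE_JSON_BEFORE = { dependencies: { '@langchain/core': '^1.0.1' } };
const PACKAGE_JSON_AFTER = { dependencies: { '@langchain/core': '^1.1.8' } };
const LOCK_BEFORE = `importers:
  .:
    dependencies:
      '@langchain/core':
        specifier: ^1.0.1
        version: 1.0.1(zod@3.0.0)
`;
const LOCK_AFTER = LOCK_BEFORE.replace('^1.0.1', '^1.1.8').replace('1.0.1(', '1.1.8(');

function demo() {
  const before = auditDependency(PACKAGE_JSON_BEFORE, LOCK_BEFORE, '@langchain/core', '1.1.8');
  const after = auditDependency(PACKAGE_JSON_AFTER, LOCK_AFTER, '@langchain/core', '1.1.8');
  return { before, after };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the point: the "before" state is in range (^1.0.1 is satisfied by 1.0.1) yet unpatched, while the "after" state is both in range and at the patched floor. A CI gate that only diffs package.json would pass both; one that reads the lockfile pin distinguishes them.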

vercel bot commented Dec 23, 2025

The latest updates on your projects.

Project: langfuse-js
Deployment: Ready
Review: Preview
Updated (UTC): Dec 24, 2025 10:52am

greptile-apps bot (Contributor) commented Dec 23, 2025

Greptile's behavior is changing!

From now on, if a review finishes with no comments, we will not post an additional "statistics" comment to confirm that our review found nothing to comment on. However, you can confirm that we reviewed your changes in the status check section.

This feature can be toggled off in your Code Review Settings by deselecting "Create a status check for each PR".

maxdeichmann merged commit b2e5616 into main Dec 24, 2025
6 of 8 checks passed
maxdeichmann deleted the max/int-366-vulnerability-langfuselangfuse-js-cve-2025-68665langchain branch December 24, 2025 11:04