plugins: sync 47 dep pins + langchain 0.2 → 1.x cascade + drop 3 dead deps #7179
Forward-compatible code change to unblock the langchain-core 0.2 → 1.x bump in the next commits. `langchain_core.pydantic_v1` was a shim that re-exported pydantic v1 classes; it was removed in langchain-core 1.0 along with the pydantic v1 → v2 transition.

Two files touched:
- plugins/_multion/router.py: `BooksToBuy` model used by `retrieve_books_to_buy` via `ChatGroq.with_structured_output`. This file is included via `main.py` → import-time pydantic_v1 load would crash uvicorn on langchain-core 1.x.
- plugins/advanced/realtime.py: NOT imported by main.py (`# from advanced import realtime as advanced_realtime_router`), but fixed for cleanliness so the file remains importable.

Field signature changes: `min_items=0` → `min_length=0` (the pydantic v2 equivalent constraint name for List fields).

The change is forward- AND backward-compatible: pydantic v2 is already installed at 2.8.2, so the BooksToBuy/NewsCheck classes become pydantic v2 models. langchain 0.2's `with_structured_output` accepts pydantic v2 models, and so does 1.x — no runtime behaviour change.
Closes 1 HIGH CVE matching backend's #7126:
- HIGH 7.5 CVE-2025-67221
Closes 3 CVEs matching backend's pin progression in #7126 (0.0.9 → 0.0.22) and #7146 (0.0.22 → 0.0.26):
- HIGH 7.5 CVE-2024-53981
- HIGH 7.5 CVE-2026-24486
- MEDIUM 5.3 CVE-2026-40347
Closes 1 MEDIUM CVE matching backend's #7146:
- MEDIUM 6.6 CVE-2026-28684
Closes 1 MEDIUM CVE matching backend's #7146 (also captures the 2.32 → 2.33 family bumps that backend went through):
- MEDIUM 5.5 CVE-2026-25645

Pinned to 2.33.1 (exact) to match plugins/requirements.txt's fully-pinned style; backend uses ~=2.33.0 because that file mixes styles, but plugins's 179 entries are all exact ==.
Closes 3 MEDIUM CVEs matching backend's #7146:
- MEDIUM CVE-2024-56201 (sandbox escape)
- MEDIUM CVE-2024-56326 (sandbox escape)
- MEDIUM CVE-2025-27516 (sandbox escape)
Closes 1 MEDIUM CVE matching backend's #7146:
- MEDIUM 5.3 CVE-2025-68480
Closes 4 CVEs matching backend's #7126:
- HIGH 7.5 CVE-2025-47287
- HIGH 7.5 CVE-2026-31958
- HIGH 7.5 CVE-2024-52804
- HIGH 5.3 CVE-2026-35536
Closes 3 HIGH CVEs matching backend's #7126:
- HIGH 7.5 CVE-2025-66471
- HIGH 7.5 CVE-2026-21441
- HIGH 7.5 CVE-2025-66418
Closes 2 CVEs matching backend's pin progression in #7127 (cryptography 43 → 46.0.5) and #7146 (46.0.5 → 46.0.7):
- HIGH 6.5 CVE-2026-26007
- MEDIUM (CVSS 9.8) CVE-2026-39892

cffi cascades to 2.0.0 because cryptography 46.x requires cffi >= 2.0.0 (build-time C-extension change).
…yarl)

Closes 5 CVEs matching backend's pin progression in #7126 (aiohttp 3.9.5 → 3.13.3) and #7146 (3.13.3 → 3.13.4):
- HIGH 7.5 CVE-2025-69223
- 4× MEDIUM CVE-2026-22815, CVE-2026-34515, CVE-2026-34516, CVE-2026-34525
- LOW (CVSS 9.1) CVE-2026-34520
- 5× LOW

aiosignal and yarl move with aiohttp (aiohttp 3.13.x requires aiosignal>=1.4 and yarl>=1.17).
Closes 1 CRITICAL CVE matching backend's #7126:
- CRITICAL 9.1 CVE-2025-43859 (HTTP request smuggling via malformed chunked encoding)

h11 and httpcore must move together (httpcore caps h11 to a specific minor).
…6.1.0)

Closes 1 MEDIUM CVE matching backend's #7146:
- MEDIUM CVE-2025-57804 (HTTP/2 priority frame parsing DoS)

h2, hpack and hyperframe move together — h2 requires specific hpack and hyperframe minor versions.
Closes 1 HIGH CVE matching backend's #7127:
- HIGH 7.5 CVE-2026-0994 (protobuf parser memory corruption)

grpcio and grpcio-tools cascade with protobuf 5.29.x (must align to a compatible minor for the C-extension ABI). Bumped both to 1.66.0 to match backend.
…fastapi-cli

Closes 3 CVEs matching backend's pin progression in #7127 (fastapi 0.111 → 0.118 / starlette 0.37 → 0.40) and #7146 (fastapi 0.118 → 0.121 / starlette 0.40 → 0.49.1):
- HIGH 7.5 CVE-2024-47874 (starlette content-length DoS)
- HIGH 7.5 CVE-2025-62727 (starlette FileResponse path traversal)
- MEDIUM 5.3 CVE-2025-54121

fastapi and starlette must move together (fastapi caps starlette). fastapi-cli cascades with fastapi major releases.
… + pydantic-settings

Matches backend's pins from #7149. langchain-core 1.x requires pydantic 2.10+ for the new typed-dict / runnable interfaces. pydantic and pydantic_core must move together (exact-version cap between the two). pydantic-settings 2.10.1 supports pydantic 2.11.

This pair-bump is also what unblocks plugins/_multion/router.py's `from pydantic import BaseModel, Field` migration in 12d5198.
Matches backend's pin from #7149 — openai 1.109.1 is the floor required by langchain-openai 1.1.9 (in the next commit). Held below 1.1.10 to defer the openai 2.x SDK migration.
Closes the langchain-stack CVEs in plugins, matching backend's #7149 pin set (which also rolls in the earlier #7126 + #7146 langchain-core patch bumps):
- HIGH 7.5 CVE-2026-34070 (langchain-core)
- CRITICAL 8.2 CVE-2025-68664 + HIGH CVE-2025-65106 (langchain-core)
- HIGH 0 CVE-2025-64439 (langgraph-checkpoint, transitive — but plugins doesn't use langgraph directly so this is informational)
- MEDIUM 6.5 CVE-2026-41481 (langchain-text-splitters)
- MEDIUM 5.3 CVE-2026-40087 (langchain-core)
- 2× MEDIUM CVE-2026-25528 + CVE-2026-41182 (langsmith)

Plugins is one MAJOR ahead of pusher's bump (0.2 → 1.x vs pusher 0.3 → 1.x), but the cascade is the same shape. The whole stack moves together because the major-version range caps lock-step.

langchain-groq is plugins-specific (not in backend's set). Bumped to 1.1.2 — the first version compatible with langchain-core 1.x.

The pydantic_v1 → pydantic v2 migration in 12d5198 is what unblocks this commit; `langchain_core.pydantic_v1` is removed in 1.x and would crash uvicorn at `_multion/router.py` import time without that fix.
12 patch/minor bumps to keep plugins ABI-aligned with backend:
- attrs 23.2.0 → 24.1.0
- httpx 0.25.2 → 0.28.0
- packaging 23.2 → 24.2
- posthog 3.5.0 → 3.5.2
- prometheus_client 0.20.0 → 0.21.1
- qdrant-client 1.10.1 → 1.11.0
- redis 5.0.7 → 5.0.8
- SQLAlchemy 2.0.31 → 2.0.32
- tqdm 4.66.4 → 4.66.5
- typing_extensions 4.12.2 → 4.15.0 (required floor for langchain-core 1.x typed-dict `extra_items` keyword)
- uvicorn 0.30.3 → 0.30.5
- uvloop 0.19.0 → 0.20.0

None of these have a direct CVE in backend's #7126/#7127/#7146/#7149 set. Bumped together because they're all small ABI-consistency moves with no behavioural risk.
agentops 0.2.6 hard-pinned `requests==2.31.0` which blocked the requests bump in 81492f2. agentops 0.4.21 widens the constraint to `requests<3.0.0,>=2.0.0`, unblocking the resolver. Note: agentops is in plugins/requirements.txt but not imported by any plugins/.py file at present. Bumping rather than removing — smaller-scope change, and the dep may be loaded by a plugin not yet wired into main.py.
asknews 0.7.36 hard-caps `cryptography<42.0.7`, blocking the cryptography 46.0.7 bump in 8906059 that closes CVE-2026-39892 (MEDIUM, CVSS 9.8). Latest asknews 0.13.45 still caps `cryptography<46.0.7` so even a bump can't unblock the fix.

asknews is the AskNews search SDK. The only call site in plugins is `plugins/advanced/realtime.py` (`from langchain_community.tools.asknews import AskNewsSearch`), which is the deprecated REALTIME plugins module that main.py explicitly comments out:

```python
# from advanced import realtime as advanced_realtime_router
# app.include_router(advanced_realtime_router.router)
```

The deprecation reasons documented in main.py:
1. Super expensive to maintain (LLM every 3 seconds for 10h/day)
2. No efficient trigger mechanism
3. No killer use cases found

So asknews has zero runtime usage. Removing it unblocks the cryptography security fix at no functional cost. `advanced/realtime.py` is left in place — it's still never imported.

Backend's requirements.txt does not include asknews either, so this also brings plugins closer to backend.
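The asknews, multion and agentops commit messages (and section 3 of the description) describe the same mechanism: a package that is never imported still contributes upper caps to the resolver, and those caps veto the security bump of a package that *is* used. The script below is an added example, not tooling from the PR or the project. It checks a fully pinned requirements file against a table of caps; the table here is constructed from the constraints quoted in the commits (in practice you would read them from each package's metadata), and the version comparison is a minimal tuple-based implementation rather than the `packaging` library.

```python
"""Check fully pinned requirements against caps declared by other packages.

Added example, not tooling from the PR or the project. The constraint table is
constructed from the caps quoted in the commit messages; version comparison is
a minimal tuple-based implementation, not `packaging`.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the plugins pins discussed in this PR, before the removals.
PINNED_REQUIREMENTS = """\
asknews==0.7.36
multion==1.3.8
agentops==0.4.21
requests==2.33.1
cryptography==46.0.7
cffi==2.0.0
"""

# Constructed sample: what each listed package declares about other packages.
DECLARED_CONSTRAINTS: Dict[str, List[str]] = {
    "asknews": ["cryptography<42.0.7"],
    "multion": ["agentops>=0.2.3,<0.3.0"],
    "agentops": ["requests<3.0.0,>=2.0.0"],
    "cryptography": ["cffi>=2.0.0"],
}

Version = Tuple[int, ...]

_OPS = {
    "==": lambda v, t: v == t,
    "!=": lambda v, t: v != t,
    "<=": lambda v, t: v <= t,
    ">=": lambda v, t: v >= t,
    "<": lambda v, t: v < t,
    ">": lambda v, t: v > t,
    # ~=2.33.0 is the compatible-release operator: >=2.33.0 and ==2.33.*
    "~=": lambda v, t: v >= t and v[: len(t) - 1] == t[:-1],
}
_CLAUSE_RE = re.compile(r"^(==|!=|<=|>=|~=|<|>)\s*([0-9.]+)$")
_SPEC_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(.*)$")


def parse_version(text: str) -> Version:
    """Numeric dotted versions only; enough for the pins on this page."""
    return tuple(int(part) for part in text.split("."))


def satisfies(version: str, spec: str) -> bool:
    """True when `version` meets every comma-separated clause in `spec`."""
    ver = parse_version(version)
    for clause in (c.strip() for c in spec.split(",") if c.strip()):
        match = _CLAUSE_RE.match(clause)
        if not match:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, target = match.groups()
        if not _OPS[op](ver, parse_version(target)):
            return False
    return True


def parse_pins(text: str) -> Dict[str, str]:
    """Parse an all-`==` requirements file into {name: version}."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, version = line.partition("==")
            pins[name.strip().lower()] = version.strip()
    return pins


def find_conflicts(pins: Dict[str, str], constraints: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (dependant, spec, pinned_version) for every violated constraint.
    A package absent from `pins` imposes nothing: dropping a dep drops its caps."""
    conflicts = []
    for dependant, specs in constraints.items():
        if dependant not in pins:
            continue
        for spec in specs:
            target, clauses = _SPEC_RE.match(spec).groups()
            target = target.lower()
            if target in pins and not satisfies(pins[target], clauses):
                conflicts.append((dependant, spec, pins[target]))
    return conflicts


def drop(pins: Dict[str, str], *names: str) -> Dict[str, str]:
    """Pins with the named packages removed (the PR's dead-dep removals)."""
    return {name: ver for name, ver in pins.items() if name not in names}


if __name__ == "__main__":
    pins = parse_pins(PINNED_REQUIREMENTS)
    for dependant, spec, pinned in find_conflicts(pins, DECLARED_CONSTRAINTS):
        print(f"{dependant} requires {spec}, but requirements.txt pins {pinned}")
    print("after dropping asknews + multion:",
          find_conflicts(drop(pins, "asknews", "multion"), DECLARED_CONSTRAINTS))
```

With the sample data the report names asknews (cap on cryptography) and multion (cap on agentops) as the blockers, and dropping those two leaves no conflicts, which is the resolver state the PR reaches. Keep the `==` style check in `parse_pins` honest for your own file: a mixed-style file like backend's needs the `~=` clause handling in `satisfies` instead.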
langchain-groq 1.1.2 (from d68c9d8) requires `groq>=0.30.0,<1.0.0`. Plugins was on groq 0.11.0 — pinned at the time of langchain-groq 0.1.9 — which fails the new floor. Bumped to 0.37.1, the latest in the 0.x line (groq 1.x is held back by langchain-groq's <1.0.0 cap; the 1.x SDK migration is a separate cascade). Plugins-specific bump (not backend-driven; backend uses groq 0.9.0 but doesn't pin langchain-groq, so the constraint doesn't apply there).
Same pattern as 9ec44a6 (asknews removal): both pkgs are listed in plugins/requirements.txt but not imported by any plugins/.py file (verified via repo-wide `grep import multion / from multion / import agentops / from agentops` — zero hits). Both have been in the file since the initial move from plugins/example/ (commit fff6516 in Feb 2026) and were probably installed for the deprecated REALTIME plugins. Plugins/_multion/router.py — the only "multion" mention — uses raw HTTP `httpx.AsyncClient` calls against the MultiOn API, never the multion Python SDK. Why blocking: `multion` 1.3.5/1.3.8 hard-pin `agentops>=0.2.3,<0.3.0`, which conflicts with the agentops 0.4.21 bump in 3d81933. agentops itself was bumped to satisfy the requests~=2.33 floor in 81492f2. Removing both pkgs collapses this resolver pressure cleanly. Net effect on requirements.txt: -2 lines vs main, -3 if we count asknews (already removed in 9ec44a6). All three were dead deps and none had a direct CVE that would otherwise be lost.
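The dead-dep commits above verify "unused" with a repo-wide grep for `import X` / `from X`, and the first commit hand-finds the `langchain_core.pydantic_v1` imports and `min_items` keywords that break on langchain-core 1.x. The script below is an added example, not the PR's own tooling, that does both checks over Python's `ast` instead of grep, and adds the check that grep misses: a requirement used only through a wrapper import such as `langchain_community.tools.asknews` (the case flagged in review). The sample tree and requirements are constructed to resemble the layout described in the commits (the `BooksToBuy` field names are illustrative), and the distribution-to-import-name aliases are an assumption to extend for your own repo.

```python
"""Find requirements nothing imports, and code that breaks on langchain-core 1.x.

Added example, not the PR's own tooling. Sample tree and requirements are
constructed; IMPORT_ALIASES is an assumption to extend for your repo.
"""
import ast
import re
from typing import Dict, List, Set, Tuple

# Constructed sample tree (path -> source). realtime.py still reaches asknews
# through langchain_community's wrapper; nothing imports multion or agentops.
SAMPLE_TREE: Dict[str, str] = {
    "main.py": "from fastapi import FastAPI\nfrom _multion import router\n",
    "_multion/router.py": (
        "import httpx\n"
        "from langchain_core.pydantic_v1 import BaseModel, Field\n"
        "class BooksToBuy(BaseModel):  # field names are illustrative\n"
        "    titles: list = Field(default_factory=list, min_items=0)\n"
    ),
    "advanced/realtime.py": "from langchain_community.tools.asknews import AskNewsSearch\n",
}
# Constructed sample requirements (only the names matter here).
SAMPLE_REQUIREMENTS = "fastapi==0.121.0\nhttpx==0.28.0\nasknews==0.7.36\nmultion==1.3.8\nagentops==0.4.21\n"

PYDANTIC_V1_SHIM = "langchain_core.pydantic_v1"
RENAMED_KEYWORDS = {"min_items": "min_length", "max_items": "max_length"}
# Distributions whose import name differs from the distribution name (assumed list).
IMPORT_ALIASES = {"pyyaml": "yaml", "pillow": "PIL"}


def normalise(dist_name: str) -> str:
    """Approximate the import name: lowercase, hyphens to underscores."""
    return dist_name.lower().replace("-", "_")


def requirement_names(text: str) -> List[str]:
    """Distribution names from a requirements file, comments stripped."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(re.split(r"[=<>~!\[ ]", line, maxsplit=1)[0])
    return names


def top_level_imports(source: str) -> Set[str]:
    """Top-level module names from `import a.b` and absolute `from a.b import c`."""
    modules: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            modules.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            modules.add(node.module.split(".")[0])
    return modules


def unused_requirements(req_text: str, tree: Dict[str, str]) -> List[str]:
    """Requirements whose import name appears nowhere in the tree (the grep-equivalent)."""
    imported = {m.lower() for src in tree.values() for m in top_level_imports(src)}
    return [dist for dist in requirement_names(req_text)
            if IMPORT_ALIASES.get(dist.lower(), normalise(dist)).lower() not in imported]


def indirect_uses(req_text: str, tree: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """A requirement name deeper in a dotted import path (langchain_community.tools.asknews)
    hints at use through a wrapper, which the top-level scan cannot see."""
    wanted = {normalise(d): d for d in requirement_names(req_text)}
    hits = []
    for path, src in tree.items():
        for node in ast.walk(ast.parse(src)):
            if isinstance(node, ast.ImportFrom) and node.module:
                for segment in node.module.split(".")[1:]:
                    if segment.lower() in wanted:
                        hits.append((path, node.lineno, wanted[segment.lower()]))
    return hits


def pydantic_v1_findings(tree: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Imports of the removed shim and Field keywords renamed in pydantic v2."""
    findings = []
    for path, src in tree.items():
        for node in ast.walk(ast.parse(src)):
            if isinstance(node, ast.ImportFrom) and node.module == PYDANTIC_V1_SHIM:
                findings.append((path, node.lineno, f"import from `pydantic` instead of `{PYDANTIC_V1_SHIM}`"))
            elif isinstance(node, ast.Import) and any(a.name.startswith(PYDANTIC_V1_SHIM) for a in node.names):
                findings.append((path, node.lineno, f"import `pydantic` instead of `{PYDANTIC_V1_SHIM}`"))
            elif isinstance(node, ast.Call):
                for kw in node.keywords:
                    if kw.arg in RENAMED_KEYWORDS:
                        findings.append((path, node.lineno, f"rename {kw.arg}= to {RENAMED_KEYWORDS[kw.arg]}="))
    return findings


if __name__ == "__main__":
    print("unused:", unused_requirements(SAMPLE_REQUIREMENTS, SAMPLE_TREE))
    print("indirect:", indirect_uses(SAMPLE_REQUIREMENTS, SAMPLE_TREE))
    for finding in sorted(pydantic_v1_findings(SAMPLE_TREE)):
        print("migrate:", *finding)
```

On the sample tree the top-level scan reports asknews, multion and agentops as unused, matching the commits' grep result, while `indirect_uses` still points at `advanced/realtime.py` for asknews: that is the gap between "no direct import" and "no runtime use", and it is why a removed dependency can still be reached by a file kept in the tree. The findings list gives the two edits the first commit made by hand (the shim import and the `min_items` keyword).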
@morpheus review — Approved ✅

3 files: 2 code changes + requirements.txt (48 line changes). 23 atomic commits.

Code migration (commit 1):

Dead-dep removals verified:
- agentops bump-then-remove: Commit 3d81933 bumps 0.2.6→0.4.21, commit 2967da5 removes it. Net effect: removal. History preserved per no-force-push rule — each commit was independently valid at authoring time.
- langchain 0.2→1.x cascade: Same shape as backend #7149 and pusher #7177, just a bigger jump (0.2 vs 0.3). Plus langchain-groq 0.1.9→1.1.2 (plugins-specific) requiring groq 0.11→0.37.1 floor.
- All 47 dep bumps match backend's verified pins. typing_extensions 4.15.0 now explicitly pinned (was auto-resolving).
- Full uvicorn boot with prod env, 38 routes including /multion/ verified.
Greptile Summary: This PR migrates the

Confidence Score: 4/5 — Safe to merge — the active code path migrates correctly and the server boots cleanly per the smoke test. The active plugins/advanced/realtime.py — still references the dropped
| @@ -2,7 +2,7 @@ | |||
|
|
|||
| from fastapi import APIRouter | |||
| from langchain_community.tools.asknews import AskNewsSearch | |||
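Review bot: the module-level `from langchain_community.tools.asknews import AskNewsSearch` in advanced/realtime.py now has no backing package once asknews leaves requirements.txt, which contradicts the first commit's stated goal of keeping this file importable; if the module is to stay in the tree, move that import into the function that constructs `AskNewsSearch` (or wrap it in a try/except ImportError that names the removed dependency) and add a one-line comment at the top of the file saying asknews was dropped in this PR, so re-enabling the router in main.py fails with a clear message instead of an import-time crash.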
Missing runtime dependency for `AskNewsSearch`

asknews was dropped from requirements.txt (it hard-capped cryptography), but the import and call to `AskNewsSearch(max_results=2)` on line 47 still rely on it. langchain_community only wraps the asknews SDK — calling `AskNewsSearch(...)` will raise an ImportError or ValidationError if the package is not installed. The file is currently commented out in main.py, so production is unaffected, but if this router is ever re-enabled the missing dependency will cause a silent boot failure or runtime crash.
Last of four service-sync PRs propagating backend's #7126 + #7127 + #7146 + #7149 bumps to the sub-services that don't auto-inherit `backend/requirements.txt`. Follows #7173 (agent-proxy), #7177 (pusher) and #7178 (diarizer).

Plugins is the biggest fan-out in the series — 110 shared packages with backend, 47 differing pins, plus a real langchain code migration (langchain-core 1.x removed the `pydantic_v1` shim).

What this PR does
23 atomic commits, organized to mirror backend's PR series.
1. Code migration (1 commit)

Forward-compatible: `plugins/_multion/router.py` and `plugins/advanced/realtime.py` migrate from `langchain_core.pydantic_v1` (removed in langchain-core 1.0) to `pydantic` v2 directly. Field signatures: `min_items=0` → `min_length=0` (the v2 equivalent for List constraints).

- `_multion/router.py` is imported by `main.py` and registered as a router → would crash uvicorn at import time on langchain-core 1.x without this fix.
- `advanced/realtime.py` is the deprecated REALTIME plugins module that `main.py` explicitly disables, but fixed for cleanliness.

2. Security pin bumps (mirrors backend, 18 commits)
Same pattern as #7177 (pusher), reorganized into per-package-family commits:
3. Resolver-pressure fixes (4 commits)

Dead deps blocking the security bumps:

- asknews: caps `cryptography<42.0.7` / latest 0.13.45 still caps `<46.0.7` → blocks CVE-2026-39892 fix
- multion: pins `agentops<0.3.0` → blocks resolver chain
- agentops: pins `requests==2.31.0` → blocks requests bump

All three were unused — verified via repo-wide `grep import multion / from multion / import agentops / from agentops / from asknews / import asknews` (zero hits). They've sat in `plugins/requirements.txt` since the initial move from `plugins/example/` (Feb 2026) and were probably installed for the deprecated REALTIME plugins. Backend doesn't have them either, so removing also brings plugins closer to backend.

- `>=0.30.0`. Plugins-specific (backend doesn't pin langchain-groq).

CVEs closed (~25)
Test plan

End-to-end smoke test in a Python 3.12 venv with prod secrets pulled from GSM (sourced + shredded — no values left on disk):

- `pip install -r requirements.txt` resolves cleanly after the dead-dep removals; `pip check` reports no broken dependencies
- `typing_extensions==4.15.0` auto-resolved, `langchain-groq==1.1.2` matches the new floor, etc.)
- `uvicorn main:app` boot with prod env (REDIS, OPENAI_API_KEY_PLUGINS, GROQ, NOTION OAuth, MEM0, HEY_OMI, ZAPIER, MULTION OAuth): `Started server process` + `Application startup complete` — zero errors, zero warnings
- `iq_rating.main: Database initialized` (SQLAlchemy 2.0.32 + sqlite layer works)
- `GET /` → 200 with the API root listing
- `GET /docs` → 200
- `GET /openapi.json` → 200, schema is OpenAPI 3.1.0 (fastapi 0.121's output)
- `/multion/...` paths registered correctly (would have crashed at `_multion/router.py` import time without the migration, since `langchain_core.pydantic_v1` doesn't exist in 1.x)
- pydantic 2.11 + langchain 1.x + ChatGroq + ChatOpenAI + langchain-core + langgraph interop verified at module-load

Series wrap
This is the last service-sync. After merge, the four sub-services that don't auto-inherit `backend/requirements.txt` (agent-proxy, pusher, diarizer, plugins) will all be aligned with backend's #7126/#7127/#7146/#7149 security state. `vad` (backend/modal/) and `notifications-job` (also under modal) auto-inherit and need no separate work.