
version bump 3006 - litellm, langchain, black, pytest (CVEs)#274

Merged
asamal4 merged 1 commit into
lightspeed-core:mainfrom
asamal4:version-bump-3006
Jun 30, 2026
Conversation

@asamal4

@asamal4 asamal4 commented Jun 30, 2026

Collaborator

Description

Version bump up - litellm, langchain, black, pytest (CVEs)

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Unit tests improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

  • Assisted-by: Claude

Related Tickets & Documents

  • Related Issue #
  • Closes #

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

  • Chores

    • Refreshed dependency version constraints and regenerated requirement files (including frozen “all-extras” and other requirement sets) to match newer upstream releases.
    • Updated a range of runtime libraries used for AI integrations, networking, observability/telemetry, and developer tooling.
    • Adjusted development tool version constraints to newer acceptable ranges.
  • Tests

    • Made a minor formatting tweak in a unit test file; no test behavior changed.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 58527f9 and 2556f1d.

⛔ Files ignored due to path filters (2)
  • uv-gpu.lock is excluded by !**/*.lock
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (6)
  • pyproject.toml
  • requirements-all-extras.txt
  • requirements-local-embeddings.txt
  • requirements-nlp-metrics.txt
  • requirements.txt
  • tests/unit/core/metrics/test_geval.py
✅ Files skipped from review due to trivial changes (4)
  • tests/unit/core/metrics/test_geval.py
  • requirements-nlp-metrics.txt
  • requirements-all-extras.txt
  • requirements-local-embeddings.txt

Walkthrough

Updates dependency ranges in pyproject.toml and regenerates the four requirements files with refreshed pinned versions and provenance comment edits. One test file receives a blank-line formatting change.

Changes

Dependency Updates

Layer | File(s) | Summary
pyproject.toml constraints | pyproject.toml | litellm, langchain[huggingface], black, and pytest dependency ranges are updated.
Core lockfile dependency bumps | requirements.txt, requirements-all-extras.txt, requirements-local-embeddings.txt, requirements-nlp-metrics.txt | Refreshes early pins for aiohttp, anyio, click, google-auth, greenlet, importlib-metadata, instructor, jsonschema, and langchain.
LangChain and OpenAI stack | requirements.txt, requirements-all-extras.txt, requirements-local-embeddings.txt, requirements-nlp-metrics.txt | Updates langchain-openai, langfuse, langgraph, langsmith, litellm, openai, and coordinated opentelemetry-* pins, with related provenance comments adjusted.
Remaining pin refreshes | requirements.txt, requirements-all-extras.txt, requirements-local-embeddings.txt, requirements-nlp-metrics.txt | Updates protobuf, regex, rpds-py, tiktoken, typer, websockets, and xxhash, with additional "# via ..." comment edits.
Test file formatting | tests/unit/core/metrics/test_geval.py | Adds a blank line after the module docstring; no logic changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately summarizes the main change: a CVE-related dependency version bump for litellm, langchain, black, and pytest.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
@asamal4 asamal4 force-pushed the version-bump-3006 branch 2 times, most recently from ee00534 to 58527f9 on June 30, 2026 09:37

bsatapat-jpg previously approved these changes Jun 30, 2026

@bsatapat-jpg bsatapat-jpg left a comment
Collaborator

LGTM. Tested for all the Python versions, working fine.
Thanks

@xmican10

Collaborator

Thanks! Why is there a downgrade in these packages -- langsmith, langfuse, anyio, instructor, opentelemetry and protobuf? Is it intentional?

@asamal4

asamal4 commented Jun 30, 2026

Collaborator Author

@xmican10

Thanks! Why is there a downgrade in these packages -- langsmith, langfuse, anyio, instructor, opentelemetry and protobuf? Is it intentional?

It is happening through internal package resolution, primarily due to changes in litellm's metadata and a few other packages. These are getting downgraded internally, not by us.
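A check a reviewer can run to surface the resolver-driven downgrades asked about above, comparing a regenerated requirements file against the previous one. This is an added example, not part of the PR or the lightspeed-core project; the two requirements texts are constructed samples with made-up versions.

```python
import re

# Matches "name==1.2.3" pins; extras such as "langchain[huggingface]" stay in the name group.
# "# via ..." provenance comments and unpinned lines are skipped.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-\[\],]+)\s*==\s*([0-9][^\s;#]*)")

# Constructed sample: the "before" and "after" of a regenerated requirements.txt.
BEFORE = """\
anyio==4.10.0
langsmith==0.4.20
    # via langchain-core
litellm==1.75.0
protobuf==6.31.1
"""
AFTER = """\
anyio==4.10.0
langsmith==0.3.45
litellm==1.80.0
protobuf==5.29.5
"""


def parse_pins(text):
    """Return {normalized_name: version} for every '==' pin in a requirements text."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            name = re.sub(r"\[.*\]", "", m.group(1)).lower().replace("_", "-")
            pins[name] = m.group(2)
    return pins


def version_key(version):
    """Crude comparable key: up to four numeric release parts, then a pre-release flag.
    '1.2.3' -> ((1, 2, 3, 0), 1); '1.2.3rc1' -> ((1, 2, 3, 0), 0), so rc sorts before final."""
    release, pre = [], 1
    for part in version.split("."):
        m = re.match(r"(\d+)(.*)", part)
        if not m:
            break
        release.append(int(m.group(1)))
        if m.group(2):  # a suffix like 'rc1' or 'b2' marks a pre-release
            pre = 0
            break
    release = (release + [0] * 4)[:4]
    return (tuple(release), pre)


def find_downgrades(before_text, after_text):
    """Return sorted (name, old_version, new_version) for every pin that went backwards."""
    before, after = parse_pins(before_text), parse_pins(after_text)
    return sorted(
        (name, old, after[name])
        for name, old in before.items()
        if name in after and version_key(after[name]) < version_key(old)
    )
```

Run it over the real before/after files from the PR to get the list a reviewer would want confirmed as intentional.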

@asamal4 asamal4 changed the title version bump 3006 - litellm, black, pytest (CVEs) version bump 3006 - litellm, langchain, black, pytest (CVEs) Jun 30, 2026
@asamal4 asamal4 force-pushed the version-bump-3006 branch from 58527f9 to 2556f1d on June 30, 2026 11:12
@asamal4

asamal4 commented Jun 30, 2026

Collaborator Author

@bsatapat-jpg @xmican10 PTAL again, added langchain

@bsatapat-jpg

Collaborator

Great, now it's working without the instructor mode fix.
Tested for different metrics as well. It's working fine for me.
Thanks

@bsatapat-jpg bsatapat-jpg left a comment

Collaborator

Thanks

@xmican10 xmican10 left a comment

Collaborator

LGTM, thanks!

@asamal4 asamal4 merged commit 61df039 into lightspeed-core:main Jun 30, 2026
17 checks passed