chore(deps): bump the pip group across 1 directory with 9 updates

[dependabot]

Bumps the pip group with 9 updates in the /WHartTest_Django directory:

Package	From	To
django	5.2	5.2.14
python-dotenv	1.1.1	1.2.2
langgraph	1.0.6	1.0.10rc1
langchain	1.2.3	1.3.9
langchain-openai	1.1.7	1.1.14
langchain-core	1.2.7	1.3.3
langgraph-checkpoint	4.0.0	4.1.1
langchain-text-splitters	1.1.0	1.1.2
pypdf	5.6.0	6.13.3

Updates django from 5.2 to 5.2.14

Commits

• 024c26b [5.2.x] Bumped version for 5.2.14 release.
• 2115d4e [5.2.x] Fixed CVE-2026-6907 -- Prevented caching of requests when Vary header...
• 47cf968 [5.2.x] Fixed CVE-2026-35192 -- Ensured Vary header is sent when setting sess...
• 2ec27ed [5.2.x] Fixed CVE-2026-5766 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE in Memory...
• ed18840 [5.2.x] Fixed typo in stub release notes for 5.2.14.
• de3f622 [5.2.x] Added stub release notes and release date for 5.2.14.
• fb61c8a [5.2.x] Refs CVE-2026-4292 -- Isolated new test in AdminViewListEditable.
• bd1a758 [5.2.x] Fixed two issues in release helper scripts/verify_release.sh.
• da57aaa [5.2.x] Added CVE-2026-3902, CVE-2026-4277, CVE-2026-4292, CVE-2026-33033, an...
• c9a8bdb [5.2.x] Post-release version bump.
• Additional commits viewable in compare view

Updates python-dotenv from 1.1.1 to 1.2.2

Release notes

Sourced from python-dotenv's releases.

v1.2.2

Added

• Support for Python 3.14, including the free-threaded (3.14t) build. (#)

Changed

• The dotenv run command now forwards flags directly to the specified command by @​bbc2 in theskumar/python-dotenv#607
• Improved documentation clarity regarding override behavior and the reference page.
• Updated PyPy support to version 3.11.
• Documentation for FIFO file support.
• Support for Python 3.9.

Fixed

• Improved set_key and unset_key behavior when interacting with symlinks by @​bbc2 in #790c5
• Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by @​JYOuyang in theskumar/python-dotenv#590

Breaking Changes

• dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

• In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

• dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

Misc

• skip 000 permission tests for root user by @​burnout-projects in theskumar/python-dotenv#561
• Bump actions/checkout from 5 to 6 in the github-actions group by @​dependabot[bot] in theskumar/python-dotenv#593
• Add Windows testing to CI by @​bbc2 in theskumar/python-dotenv#604
• Improve workflow efficiency with best practices by @​theskumar in theskumar/python-dotenv#609
• Remove the use of sh in tests by @​bbc2 in theskumar/python-dotenv#612

New Contributors

• @​JYOuyang made their first contribution in theskumar/python-dotenv#590
• @​burnout-projects made their first contribution in theskumar/python-dotenv#561
• @​cpackham-atlnz made their first contribution in theskumar/python-dotenv#597

Full Changelog: theskumar/python-dotenv@v1.2.1...v1.2.2

v1.2.1

What's Changed

... (truncated)

Changelog

Sourced from python-dotenv's changelog.

[1.2.2] - 2026-03-01

Added

• Support for Python 3.14, including the free-threaded (3.14t) build. (#588)

Changed

• The dotenv run command now forwards flags directly to the specified command by [@​bbc2] in #607
• Improved documentation clarity regarding override behavior and the reference page.
• Updated PyPy support to version 3.11.
• Documentation for FIFO file support.
• Dropped Support for Python 3.9.

Fixed

• Improved set_key and unset_key behavior when interacting with symlinks by [@​bbc2] in [790c5c0]
• Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by [@​JYOuyang] in #590

Breaking Changes

• dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

• In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

• dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

[1.2.1] - 2025-10-26

• Move more config to pyproject.toml, removed setup.cfg
• Add support for reading .env from FIFOs (Unix) by [@​sidharth-sudhir] in #586

[1.2.0] - 2025-10-26

• Upgrade build system to use PEP 517 & PEP 518 to use build and pyproject.toml by [@​EpicWink] in #583
• Add support for Python 3.14 by [@​23f3001135] in #579
• Add support for disabling of load_dotenv() using PYTHON_DOTENV_DISABLED env var. by [@​matthewfranglen] in #569

Commits

• 36004e0 Bump version: 1.2.1 → 1.2.2
• eb20252 docs: update changelog for v1.2.2
• 790c5c0 Merge commit from fork
• 43340da Remove the use of sh in tests (#612)
• 09d7cee docs: clarify override behavior and document FIFO support (#610)
• c8de288 ci: improve workflow efficiency with best practices (#609)
• 7bd9e3d Add Windows testing to CI (#604)
• 1baaf04 Drop Python 3.9 support and update to PyPy 3.11 (#608)
• 4a22cf8 ci: enable testing on Python 3.14t (free-threaded) (#588)
• e2e8e77 Fix license specifier (#597)
• Additional commits viewable in compare view

Updates langgraph from 1.0.6 to 1.0.10rc1

Release notes

Sourced from langgraph's releases.

langgraph==1.0.10rc1

Changes since 1.0.9

• release: Candidate (#6947)
• Merge commit from fork
• chore: add tests to confirm expected subgraph persistence behavior (#6943)
• fix(langgraph): correct ParentCommand bubbling when checkpoint_ns includes numeric task segments (#6864)
• chore: add make type target for type checking (#6748)

langgraph==1.0.9

Changes since 1.0.8

• release: langgraph + prebuilt (#6875)
• fix: sequential interrupt handling w/ functional API (#6863)
• chore: state_updated_at sort by (#6857)
• chore: bump orjson (#6852)
• chore: conformance testing (#6842)
• chore(deps): bump the all-dependencies group in /libs/langgraph with 6 updates (#6815)
• chore(deps): bump protobuf from 6.33.4 to 6.33.5 in /libs/langgraph (#6833)
• chore(deps): bump cryptography from 46.0.3 to 46.0.5 in /libs/langgraph (#6837)
• chore(deps): bump nbconvert from 7.16.6 to 7.17.0 in /libs/langgraph (#6832)
• chore: server runtime type (#6774)
• refactor: replace bare except with BaseException in AsyncQueue (#6765)

langgraph-prebuilt==1.0.9

Changes since prebuilt==1.0.8

• release: prebuilt 1.0.9 and langgraph 1.1.5 (#7401)
• feat: enhance runtime w/ more execution information (#7363)
• fix: tool node injection bug (#7391)
• release(langgraph): 1.1.4 (#7356)
• chore(deps): bump pygments from 2.19.2 to 2.20.0 in /libs/prebuilt (#7354)
• chore(deps): bump langchain-core from 1.2.20 to 1.2.22 in /libs/prebuilt in the minor-and-patch group (#7289)
• chore(deps): bump requests from 2.32.5 to 2.33.0 in /libs/prebuilt (#7281)
• chore(deps): bump the all-dependencies group in /libs/prebuilt with 2 updates (#7247)
• release(checkpoint-postgres): 3.0.5 (#7221)
• release(langgraph): 1.1.3 (#7215)
• chore(deps): bump the all-dependencies group in /libs/sdk-py with 2 updates (#7197)
• chore(deps): bump the all-dependencies group in /libs/prebuilt with 2 updates (#7196)
• chore(deps): bump orjson from 3.11.5 to 3.11.6 in /libs/prebuilt (#7145)
• release(langgraph): 1.1.2 (#7135)
• release(langgraph): 1.1.1 (#7120)
• release(langgraph): 1.1 (#7102)
• chore(deps): bump the all-dependencies group across 1 directory with 3 updates (#7072)
• chore(deps): bump the all-dependencies group across 1 directory with 4 updates (#7073)
• release(langgraph) 1.0.10 (#6967)
• release(checkpoint): 0.4.1 (#6966)
• chore: add serde events (#6954)
• chore: update defaults (#6953)
• release: rc2 (#6949)

... (truncated)

Commits

• a04ec5d release: Candidate (#6947)
• 50df7d4 Merge commit from fork
• c4a4a46 chore: add tests to confirm expected subgraph persistence behavior (#6943)
• f178eb8 fix(langgraph): correct ParentCommand bubbling when checkpoint_ns includes nu...
• 48167d7 chore(deps): bump the all-dependencies group in /libs/cli with 2 updates (#6920)
• 806878a chore(deps): bump the all-dependencies group in /libs/checkpoint-postgres wit...
• 8087e6a docs(sdk-py): update auth docstrings to default-deny pattern (#6933)
• 8fbdb14 release(sdk-py): 0.3.9 (#6932)
• 5093802 chore(deps): bump the all-dependencies group in /libs/checkpoint with 2 updat...
• b89ef60 feat(sdk-py): add extract parameter to threads.search() (#6880)
• Additional commits viewable in compare view

Updates langchain from 1.2.3 to 1.3.9

Release notes

Sourced from langchain's releases.

langchain==1.3.9

Changes since langchain==1.3.8

release(anthropic): 1.4.6 (#38105) release(langchain): 1.3.9 (#38104) fix(langchain,anthropic): confine file-search results and tighten anthropic allowed_prefixes (#38106)

langchain==1.3.8

Changes since langchain==1.3.7

release(langchain): 1.3.8 (#38096) style(core,langchain,langchain-classic,partners): replace double backticks in docstrings (#38095) release(core): 1.4.6 (#38061) chore(langchain): add overloads to create_agent (#34309) chore(infra): bump mypy to 2.1 and unify type-check config across the monorepo (#36470) fix(langchain): support async middleware decorator typing (#34584) fix(langchain): tighten structured output model fallbacks (#38042) release(anthropic): 1.4.5 (#38036) hotfix(core): bump lockfile(s) (#38032) refactor(langchain): refactor test_create_agent_tool_validation (#34443)

langchain==1.3.7

Changes since langchain==1.3.6

release(langchain): 1.3.7 (#38024) style(langchain): add ruff rules ARG (#34435) feat(langchain): add ProviderToolSearchMiddleware (#37969) chore(langchain): activate mypy warn_return_any (#34249) test(langchain): mark legacy trigger view for 2.0 removal (#38002)

langchain==1.3.6

Changes since langchain==1.3.5

release(langchain): 1.3.6 (#38001) fix(langchain): preserve summarization trigger compatibility (#38000)

langchain==1.3.5

Changes since langchain==1.3.4

release(langchain): 1.3.5 (#37998) feat(langchain): port AND-capable trigger conditions to SummarizationMiddleware (#34576) hotfix(openai): min core dep (#37990) feat(openai): support apply_patch built-in tool (#37157) chore: bump pyarrow from 21.0.0 to 23.0.1 in /libs/langchain_v1 (#37930) chore: bump dependencies (#37892) chore: bump aiohttp from 3.13.4 to 3.14.0 in /libs/langchain_v1 (#37888)

langchain==1.3.4

Changes since langchain==1.3.3

... (truncated)

Commits

• 3bfb6a3 release(langchain): 1.3.9 (#38104)
• dcaf779 fix(langchain,anthropic): confine file-search results and tighten anthropic `...
• 0392b6b fix(core): fix Pydantic v1 support in tools/runnable (#33698)
• f6d63bc release(langchain): 1.3.8 (#38096)
• 5d20596 style(core,langchain,langchain-classic,partners): replace double backticks in...
• fb55c66 chore: bump langsmith from 0.8.9 to 0.8.14 in /libs/partners/huggingface (#38...
• 51daae5 chore: bump langsmith from 0.8.9 to 0.8.14 in /libs/partners/chroma (#38092)
• 70e9579 chore: bump langsmith from 0.8.9 to 0.8.14 in /libs/partners/fireworks (#38093)
• 6c0e9af chore: bump langsmith from 0.8.9 to 0.8.14 in /libs/partners/xai (#38094)
• 222dc84 ci(infra): clarify early PR auto-close guidance (#38090)
• Additional commits viewable in compare view

Updates langchain-openai from 1.1.7 to 1.1.14

Release notes

Sourced from langchain-openai's releases.

langchain-openai==1.1.14

Changes since langchain-openai==1.1.13

release(openai): 1.1.14 (#36820) fix(openai): use SSRF-safe transport for image token counting (#36819) chore(deps): bump pytest to 9.0.3 (#36801) chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/partners/openai (#36795) chore: bump pillow from 12.1.1 to 12.2.0 in /libs/partners/openai (#36777)

langchain-openai==1.1.13

Changes since langchain-openai==1.1.12

release(openai): 1.1.13 (#36729) fix(openai): handle content blocks without type key in responses api conversion (#36725) chore(model-profiles): refresh model profile data (#36539) chore(openai): fix broken vcr cassette playback and add ci guard (#36502) fix(openai,groq,openrouter): use is-not-None checks in usage metadata token extraction (#36500) fix(core): fixed typos in the documentation (#36459) chore(model-profiles): refresh model profile data (#36455) feat(core): impute placeholder filenames for OpenAI file inputs (#36433) chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385) chore(model-profiles): refresh model profile data (#36368) fix(openai): update computer call test (#36352) fix(openai): let user-provided User-Agent override the Azure default (#35523) chore: bump requests from 2.32.5 to 2.33.0 in /libs/partners/openai (#36248)

Commits

• b7447c6 fix(infra): skip serdes tests in min-version release step (#36818)
• 41c0cc5 release(openai): 1.1.14 (#36820)
• 0516156 fix(openai): use SSRF-safe transport for image token counting (#36819)
• 338aa81 fix(core): restore cloud metadata IPs and link-local range in SSRF policy (#3...
• 51e9548 chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/text-splitters (#36797)
• e85c418 chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/model-profiles (#36798)
• 789126e chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/standard-tests (#36799)
• 937b3eb chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/langchain_v1 (#36800)
• a06c205 ci(infra): validate issue checkboxes by section (#36811)
• aa33b06 fix(langchain-classic): suppress mypy errors in compat code (#36806)
• Additional commits viewable in compare view

Updates langchain-core from 1.2.7 to 1.3.3

Release notes

Sourced from langchain-core's releases.

langchain-core==1.3.3

Changes since langchain-core==1.3.2

release(core): 1.3.3 (#37198) fix(core): set deprecation since to 1.3.3 to match release (#37200) fix(core, langchain): harden load() against untrusted manifests (#37197) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (#37109) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (#37129) fix(core): preserve structured inputs on tool runs in tracers (#37108) release(perplexity): 1.2.0 (#37091) chore(docs): update x handle references (#37081) fix(core): make removal optional in warn_deprecated (#37056) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (#36663) chore(core): mark stream_v2/astream_v2 as beta (#36992)

langchain-core==1.3.2

Changes since langchain-core==1.3.1

release(core): 1.3.2 (#36990) feat(core): add content-block-centric streaming (v2) (#36834)

langchain-core==1.3.1

Changes since langchain-core==1.3.0

release(core): 1.3.1 (#36972) feat(core): allow _format_output to pass through list of ToolOutputMixin instances (#36963) chore: bump nbconvert from 7.17.0 to 7.17.1 in /libs/core (#36923) feat(core): Update inheritance behavior for tracer metadata for special keys (#36900) chore: bump langsmith from 0.7.13 to 0.7.31 in /libs/core (#36813)

langchain-core==1.3.0

Changes since langchain-core==1.2.31

release(core): release 1.3.0 (#36851) release(core): 1.3.0a3 (#36829) chore(core): keep checkpoint_ns behavior in streaming metadata for backwards compat (#36828) feat(core): Add chat model and LLM invocation params to traceable metadata (#36771) fix(core): restore cloud metadata IPs and link-local range in SSRF policy (#36816) chore(deps): bump pytest to 9.0.3 (#36801) chore(core): harden private SSRF utilities (#36768) fix(openai): handle content blocks without type key in responses api conversion (#36725) chore: bump pytest from 9.0.2 to 9.0.3 in /libs/core (#36719) release(core): 1.3.0.a2 (#36698) fix(core): Use reference counting for storing inherited run trees to support garbage collection (#36660) docs(core): nit (#36685) release(core): 1.3.0a1 (#36656) chore(core): reduce streaming metadata / perf (#36588)

langchain-core==1.3.0a3

Initial release

... (truncated)

Commits

• 5039dfe release(core): 1.3.3 (#37198)
• 55a7707 fix(core): set deprecation since to 1.3.3 to match release (#37200)
• c979c61 fix(core, langchain): harden load() against untrusted manifests (#37197)
• d703110 docs: update README.md (#37190)
• 4d50a2a ci(infra): run pre-release checks before TestPyPI publish (#37194)
• 9bd730e fix(fireworks): require api_key in FireworksEmbeddings (#37193)
• f475f41 release(mistralai): 1.1.4 (#37191)
• 7dbff48 fix(mistralai): strip non-wire keys from ToolMessage (#37188)
• 913816c release(fireworks): 1.3.1 (#37189)
• 4498d3d fix(fireworks): strip non-wire keys from ToolMessage text content blocks (#...
• Additional commits viewable in compare view

Updates langgraph-checkpoint from 4.0.0 to 4.1.1

Release notes

Sourced from langgraph-checkpoint's releases.

langgraph-checkpoint==4.1.1

Changes since checkpoint==4.1.0

• release(checkpoint): 4.1.1 (#7890)
• fix(checkpoint): restrict lc:2 envelope revival to default constructor (#7892)
• chore(deps): bump idna from 3.11 to 3.15 in /libs/checkpoint (#7860)
• chore(deps): bump langsmith from 0.7.31 to 0.8.0 in /libs/checkpoint (#7784)

langgraph-checkpoint==4.1.0

Changes since checkpoint==4.1.0a4

• release: bump alpha packages to official versions (#7775)
• chore(deps): bump urllib3 from 2.6.3 to 2.7.0 in /libs/checkpoint (#7762)
• chore(deps): bump langchain-core from 1.3.2 to 1.3.3 in /libs/checkpoint (#7752)
• feat(checkpoint): force delta channel snapshot after max supersteps since last snapshot (#7746)
• fix(checkpoint): specify allowed_objects in Reviver (#7743)
• chore: remove keepset helper (#7745)
• chore(langgraph): add guide/conformance for delta channel checkpointer (#7736)
• docs(checkpoint): mark DeltaChannel and delta-history APIs as beta (#7732)
• chore(deps): bump the minor-and-patch group across 1 directory with 3 updates (#7670)
• chore: "chore: minor clean up around checkpoint and delta channel" (#7706)
• chore: minor clean up around checkpoint and delta channel (#7705)

langgraph-checkpoint==4.1.0a4

Changes since checkpoint==4.1.0a3

• release: alpha bump (a4) for langgraph, checkpoint, checkpoint-postgres (#7701)
• feat: public get_writes_history saver API + delta cadence rework (#7699)

langgraph-checkpoint==4.1.0a3

Changes since checkpoint==4.1.0a2

• release: alpha bump (a3) for langgraph, checkpoint, checkpoint-postgres (#7678)
• chore(langgraph): use two phase read to avoid unnecessary data transport (#7660)
• release: alpha for timers (#7647)
• feat(langgraph): DeltaChannel: store sentinel in blobs, reconstruct from checkpoint_writes (#7586)
• chore: dynamic push-task timeouts (#7646)
• chore: update x links to langchain_oss (#7645)
• release(checkpoint): 4.0.3 (#7625)
• fix(checkpoint): revive lc=2 JSON blobs for safe types without allowlist (#7582)

langgraph-checkpoint==4.1.0a2

Changes since checkpoint==4.1.0a1

langgraph-checkpoint==4.1.0a1

Changes since checkpoint==4.0.3

• release: alpha for timers (#7647)
• feat(langgraph): DeltaChannel: store sentinel in blobs, reconstruct from checkpoint_writes (#7586)
• chore: dynamic push-task timeouts (#7646)

... (truncated)

Commits

• d1e2ff0 release(checkpoint): 4.1.1 (#7890)
• e787af2 release(sdk-py): 0.3.15 (#7891)
• 604534e fix(sdk-py): percent-encode caller-supplied identifiers in URL paths (#7893)
• 346aa97 fix(checkpoint): restrict lc:2 envelope revival to default constructor (#7892)
• 82b3872 chore(deps): bump the uv group across 2 directories with 1 update (#7853)
• fcc4ab8 chore(deps): bump idna from 3.11 to 3.15 in /libs/checkpoint (#7860)
• 701d344 chore(deps): bump idna from 3.11 to 3.15 in /libs/checkpoint-postgres (#7861)
• 2c7967c chore(deps): bump idna from 3.11 to 3.15 in /libs/cli (#7865)
• bf7fec0 release(langgraph): 1.2.1 (#7883)
• 8215a9d feat(langgraph): add before_builtins opt-in for stream transformers (#7882)
• Additional commits viewable in compare view

Updates langchain-text-splitters from 1.1.0 to 1.1.2

Release notes

Sourced from langchain-text-splitters's releases.

langchain-text-splitters==1.1.2

Changes since langchain-text-splitters==1.1.1

release(text-splitters): 1.1.2 (#36822) fix(text-splitters): deprecate and use SSRF-safe transport in split_text_from_url (#36821) chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/text-splitters (#36797) chore(deps): bump pytest to 9.0.3 (#36801) chore: bump pytest from 9.0.2 to 9.0.3 in /libs/text-splitters (#36714) chore: add comment explaining pygments>=2.20.0 (#36570) release(core): 1.2.26 (#36511) chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385) fix(text-splitters): prevent silent data loss for empty dict values in RecursiveJsonSplitter (#35079) feat(text-splitters): support spacy tests with Python 3.14 (#36198) fix(infra): correct lint_diff relative paths in package makefiles (#36333) chore: bump requests from 2.32.5 to 2.33.0 in /libs/text-splitters (#36238) chore: bump nltk from 3.9.3 to 3.9.4 in /libs/text-splitters (#36237) chore(partners): bump langchain-core min to 1.2.21 (#36183) chore(text-splitters): bump nltk in lock file (#36112) ci: suppress pytest streaming output in CI (#36092) chore(text-splitters): speed up ci (#36050) ci: avoid unnecessary dep installs in lint targets (#36046) chore: bump orjson from 3.11.5 to 3.11.6 in /libs/text-splitters (#35856) chore: bump locks, lint (#35985) perf(.github): set a timeout on get min versions HTTP calls (#35851) chore: bump tornado from 6.5.2 to 6.5.5 in /libs/text-splitters (#35774) chore: bump the minor-and-patch group across 3 directories with 3 updates (#35589) chore: bump the other-deps group across 3 directories with 2 updates (#35512) chore: bump nltk from 3.9.2 to 3.9.3 in /libs/text-splitters (#35449) chore: bump the other-deps group across 3 directories with 2 updates (#35407)

Commits

• 58c4e5b release(text-splitters): 1.1.2 (#36822)
• c289bf1 fix(text-splitters): deprecate and use SSRF-safe transport in split_text_from...
• b7447c6 fix(infra): skip serdes tests in min-version release step (#36818)
• 41c0cc5 release(openai): 1.1.14 (#36820)
• 0516156 fix(openai): use SSRF-safe transport for image token counting (#36819)
• 338aa81 fix(core): restore cloud metadata IPs and link-local range in SSRF policy (#3...
• 51e9548 chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/text-splitters (#36797)
• e85c418 chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/model-profiles (#36798)
• 789126e chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/standard-tests (#36799)
• 937b3eb chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/langchain_v1 (#36800)
• Additional commits viewable in compare view

Updates pypdf from 5.6.0 to 6.13.3

Release notes

Sourced from pypdf's releases.

Version 6.13.3, 2026-06-17

What's new

Security (SEC)

• Apply MAX_DECLARED_STREAM_LENGTH to streams without length as well (#3871) by @​stefan6419846

Performance Improvements (PI)

• Avoid per-pixel getpixel loop for 1-bit indexed images (#3854) by @​Samuel-Harris

Robustness (ROB)

• Several fixes by @​metsw24-max

Maintenance (MAINT)

• Make mypy assert messages consistent (#3849) by @​j-t-1

Full Changelog

Version 6.13.2, 2026-06-10

What's new

Security (SEC)

• Detect multi-hop cyclic /Pages trees in _flatten to prevent SIGSEGV (#3847) by @​fredericoschardong

Robustness (ROB)

• Fix UnboundLocalError in _read_standard_xref_table on a malformed entry (#3841) by @​joszamama
• Raise PdfStreamError on non-hexadecimal bytes in hex readers (#3832) by @​metsw24-max

Full Changelog

Version 6.13.1, 2026-06-08

What's new

Security (SEC)

• Prevent infinite loops when processing threads/articles (#3839) by @​stefan6419846

Full Changelog

Version 6.13.0, 2026-06-05

What's new

Security (SEC)

• Avoid infinite loops for outlines and text extraction (#3830) by @​stefan6419846

New Features (ENH)

• Add Japanese predefined CMaps (#3800) by @​yasuhiroiwaki
• Font: Collect all character widths, not only those that can be unicode mapped (#3798) by @​PJBrs

Robustness (ROB)

• Recover a corrupt trailing startxref pointer (closes #3238) (#3826) by @​gaoflow
• Handle /Pages node without /Kids during flattening (#3825) by @​gaoflow

... (truncated)

Changelog

Sourced from pypdf's changelog.

Version 6.13.3, 2026-06-17

Security (SEC)

• Apply MAX_DECLARED_STREAM_LENGTH to streams without length as well (#3871)

Performance Improvements (PI)

• Avoid per-pixel getpixel loop for 1-bit indexed images (#3854)

Robustness (ROB)

• Several fixes

Maintenance (MAINT)

• Make mypy assert messages consistent (#3849)

Full Changelog

Version 6.13.2, 2026-06-10

Security (SEC)

• Detect multi-hop cyclic /Pages trees in _flatten to prevent SIGSEGV (#3847)

Robustness (ROB)

• Fix UnboundLocalError in _read_standard_xref_table on a malformed entry (#3841)
• Raise PdfStreamError on non-hexadecimal bytes in hex readers (#3832)

Full Changelog

Version 6.13.1, 2026-06-08

Security (SEC)

• Prevent infinite loops when processing threads/articles (#3839)

Full Changelog

Version 6.13.0, 2026-06-05

Security (SEC)

• Avoid infinite loops for outlines and text extraction (#3830)

New Features (ENH)

• Add Japanese predefined CMaps (#3800)
• Font: Collect all character widths, not only those that can be unicode mapped (#3798)

Robustness (ROB)

• Recover a corrupt trailing startxref pointer (closes #3238) (#3826)
• Handle /Pages node without /Kids during flattening (#3825)
• Accept inline image EI marker at the end of a content stream (#3827)

Maintenance (MAINT)

• Type the always-raising deprecation helpers as NoReturn ...

  Description has been truncated