chore(deps): Bump @langchain/community from 1.0.5 to 1.1.18

[dependabot]

Bumps @langchain/community from 1.0.5 to 1.1.18.

Release notes

Sourced from @​langchain/community's releases.

@​langchain/community@​1.1.18

Patch Changes

• #10108 e7576ee Thanks @​hntrl! - fix: replace retired Anthropic model IDs with active replacements

  • Update default model in ChatAnthropic from claude-3-5-sonnet-latest to claude-sonnet-4-5-20250929
  • Regenerate model profiles with latest data from models.dev API
  • Replace retired claude-3-5-haiku-20241022, claude-3-7-sonnet-20250219, claude-3-5-sonnet-20240620, and claude-3-5-sonnet-20241022 in tests, docstrings, and examples

• #10116 2812d2b Thanks @​hntrl! - Validate redirects in RecursiveUrlLoader to prevent SSRF bypasses.

• Updated dependencies []:

  • @​langchain/classic@​1.0.19

@​langchain/community@​1.1.16

Patch Changes

• Updated dependencies [27186c5, 05396f7, 5a6f26b, 7be50a7]:
  • @​langchain/core@​1.1.25
  • @​langchain/openai@​1.2.8
  • @​langchain/classic@​1.0.18

@​langchain/community@​1.1.14

Patch Changes

• #9990 d5e3db0 Thanks @​hntrl! - feat(core): Add SSRF protection module (@langchain/core/utils/ssrf) with utilities for validating URLs against private IPs, cloud metadata endpoints, and localhost.

  fix(community): Harden RecursiveUrlLoader against SSRF attacks by integrating validateSafeUrl and replacing string-based URL comparison with origin-based isSameOrigin from the shared SSRF module.

• Updated dependencies [d5e3db0, 6939dab, ad581c7]:

  • @​langchain/core@​1.1.21
  • @​langchain/openai@​1.2.7
  • @​langchain/classic@​1.0.17

@​langchain/community@​1.1.12

Patch Changes

• Updated dependencies [0870ca0, 8f0757f, cf46089]:
  • @​langchain/openai@​1.2.5
  • @​langchain/classic@​1.0.15

@​langchain/community@​1.1.11

Patch Changes

• #9905 41bfea5 Thanks @​christian-bromann! - fix(classic/community/core): avoid long lived abort signals

• Updated dependencies [41bfea5]:

  • @​langchain/classic@​1.0.14
  • @​langchain/openai@​1.2.4

@​langchain/community@​1.1.10

... (truncated)

Commits

• a591053 chore: version packages (#10110)
• 2812d2b fix(community): validate redirects in RecursiveUrlLoader (#10116)
• 0050c91 fix(langchain): reset shared currentSystemMessage on middleware handler retry...
• 66df7fa fix(anthropic): convert tool_calls to tool_use blocks when AIMessage content ...
• eed16fa chore(deps): bump actions/stale from 10.1.1 to 10.2.0 in the gh-actions-minor...
• 02b0d49 chore(deps): bump langsmith from 0.5.4 to 0.5.6 (#10130)
• 630890a feat(openrouter): default OpenRouter attribution headers (#10109)
• e7576ee fix(anthropic): replace retired model IDs in tests and mock data (#10108)
• c0409e6 chore: version packages (#10095)
• fb2226e Revert "chore(deps): bump ansi-styles from 5.2.0 to 6.2.3" (#10104)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[appmod-pr-genie]

Configure Coding Standards

To enable comprehensive code quality checks for your pull requests, please configure coding standards for this repository.
Please visit the Coding Standards Configuration Page to set up the standards that align with your project's requirements.

Note: For now, Core Standards are used for analysis until you configure your own coding standards.

🧞 Quick Guide for PR-Genie

Tip

• Use [email-to: reviewer1@techolution.com, reviewer2@techolution.com] in the PR description to get an email notification when the PR Analysis is complete.

• You can include the relevant User Story IDs (from User Story Mode) like [TSP-001] or [TSP-001-A][TSP-002-B] in your PR title to generate a Functional Assessment of your PR.

Automated by Appmod Quality Assurance System

[appmod-pr-genie]

Functional Assessment

Verdict: ⚠️ Partially Completed

🧠 User Story ID: LANG-UPG-001-A — Upgrade @langchain/community Dependency

📝 Feature Completeness

The Requirement was..

Upgrade @langchain/community from 1.0.5 to 1.1.18, regenerate lockfile, update Anthropic model IDs, and implement SSRF protection in RecursiveUrlLoader.

This is what is built...

The package version was updated in pnpm-workspace.yaml and the lockfile was regenerated. However, no code changes were found for model ID updates or SSRF protection logic.

---

📊 Implementation Status

ID	Feature/Sub-Feature	Status	Files
1	Dependency Update		pnpm-workspace.yaml, pnpm-lock.yaml
1.1	└─ Package.json/Workspace Update		pnpm-workspace.yaml
1.2	└─ Lockfile Regeneration		pnpm-lock.yaml

ID	Feature/Sub-Feature	Status	Files
2	RecursiveUrlLoader Validation & Security
2.1	└─ SSRF Protection Implementation

ID	Feature/Sub-Feature	Status	Files
3	Model Profile & Signal Management
3.1	└─ Anthropic Model Compatibility
3.2	└─ Signal Management Fixes

---

✅ Completed Components

ID	Feature	Summary
1	Dependency Update	Implemented: Updated @langchain/community to 1.1.18 in workspace config and regenerated the lockfile with resolved sub-dependencies.
1.1	Package.json/Workspace Update	Implemented: Version bumped to 1.1.18.
1.2	Lockfile Regeneration	Implemented: pnpm-lock.yaml reflects the new version and dependency tree.

---

❌ Gaps & Issues

ID	Feature	Gap/Issue	Priority
2	RecursiveUrlLoader Validation & Security	Missing: No implementation of validateSafeUrl or isSameOrigin logic found in the provided diff.
2.1	SSRF Protection Implementation	Missing: No changes detected in RecursiveUrlLoader or SSRF utility integration.
3	Model Profile & Signal Management	Missing: No updates to Anthropic model IDs (claude-sonnet-4-5) or abort signal fixes were detected in the source code.
3.1	Anthropic Model Compatibility	Missing: Default model remains unchanged in the codebase.
3.2	Signal Management Fixes	Missing: No evidence of abort signal handling logic changes.

---

🎯 Conclusion & Final Assessment

Important

🟢 Completed Features: Key completed features include the successful upgrade of @langchain/community to version 1.1.18 within the pnpm workspace and the corresponding regeneration of the lockfile.

🔴 Incomplete Features: Key incomplete features include the lack of SSRF protection logic in RecursiveUrlLoader, missing Anthropic model ID updates, and the absence of abort signal management fixes.

[appmod-pr-genie]

⚙️ DevOps and Release Automation

🟢 Status: Passed

🌟 Excellent work! Your code passed the DevOps review. Some improvements are suggested which will greatly improve the security of your infrastructure.

---

🟡 Recommended Improvements

Filename	Severity	Violation Description
pnpm-lock.yaml		The lockfile includes tar@7.5.6, which is explicitly marked as deprecated due to widely publicized security vulnerabilities.
pnpm-lock.yaml		The lockfile includes glob@10.5.0, which is explicitly marked as deprecated due to widely publicized security vulnerabilities.
pnpm-lock.yaml		The lockfile includes prebuild-install@7.1.3, which is deprecated and no longer maintained, posing a risk to build reliability.

🎯 Conclusion

• Periodically run pnpm audit to proactively identify and update dependencies with known vulnerabilities or deprecations.
• Consider implementing a CI check that fails if deprecated packages with security warnings are introduced into the lockfile.

Important

Please carefully assess each DevOps and migration violation's impact before proceeding to ensure smooth transitions between environments.

[appmod-pr-genie]

Deprecated Package with Security Vulnerabilities

I've noticed that the dependency tar@7.5.6 is included in the lockfile, and it's marked as deprecated due to known security vulnerabilities. Using outdated packages with security flaws can expose the application to significant risks.

Let's prioritize updating any direct or transitive dependency that relies on this version of tar to a newer, secure version to mitigate this risk.

[appmod-pr-genie]

Deprecated Package with Security Vulnerabilities

I've spotted that the dependency glob@10.5.0 is present in the lockfile and is marked as deprecated because of known security vulnerabilities. Continuing to use this version could introduce security risks into the build and deployment process.

Let's investigate which package is pulling in this version of glob and update it to use a more recent and secure version.

[appmod-pr-genie]

Deprecated Build Tool Dependency

I see that prebuild-install@7.1.3 is a dependency, but it's marked as deprecated and unmaintained. Relying on unmaintained build tools can lead to build failures on newer Node.js versions or different system architectures, which compromises deployment reliability.

Let's identify which native addon depends on this and encourage its author to migrate to a modern alternative like prebuildify or node-gyp-build.

[appmod-pr-genie]

🔍 Technical Quality Assessment

📋 Summary

We are updating the core AI tools our system uses to the latest versions. This ensures our AI features remain compatible with the newest models (like the latest Claude models) and includes important security fixes that protect our system from malicious web links.

💼 Business Impact

• What Changed: We've updated the 'brain' of our AI features to use the most recent versions. We also added a 'security guard' that checks web links more carefully to prevent unauthorized access to our internal systems.
• Why It Matters: Staying up-to-date ensures our AI features don't break when providers like Anthropic retire old models. It also closes security gaps that could have been used to peek at our private internal data.
• User Experience: Customers using AI features will benefit from more reliable connections to the latest AI models. There should be no visible change in how the app looks, but it will be more stable and secure behind the scenes.

🎯 Purpose & Scope

• Primary Purpose: Security Improvement & AI Tool Updates
• Scope: AI orchestration layer and system-wide software dependency management
• Files Changed: 2 files (0 added, 2 modified, 0 deleted)

📊 Change Analysis

Files by Category:

• Core Logic: 0 files
• API/Routes: 0 files
• Tests: 0 files
• Configuration: 2 files
• Documentation: 0 files
• Others: 0 files

Impact Distribution:

• High Impact: 0 files
• Medium Impact: 1 files
• Low Impact: 1 files

⚠️ Issues & Risks

• Total Issues: 1 across 1 files
• Critical Issues: 1
• Major Issues: 0
• Minor Issues: 0
• Technical Risk Level: Medium

Key Concerns:

• [FOR DEVELOPERS] Multiple deprecated versions of 'glob' (7.x through 10.x) are being pulled in, posing a ReDoS risk.
• [FOR DEVELOPERS] Significant version jump in 'openai' library may have subtle changes in error handling.

🚀 Recommendations

For Developers:

• [FOR DEVELOPERS] Run 'pnpm update glob tar' to resolve deprecation warnings and security vulnerabilities.
• [FOR DEVELOPERS] Verify ChatAnthropic implementation specifically, as default models have changed from Claude 3.5 to Claude 4.5.

For Stakeholders:

• Approve the update but ensure the technical team addresses the 'deprecated tool' warnings before the next major release
• Budget a small amount of QA time to verify that AI responses (like chat or data extraction) are still accurate

For ProjectManagers:

• Coordinate a quick smoke test of AI features to ensure the library updates didn't change the 'tone' or 'accuracy' of AI responses
• Update the technical roadmap to include a 'dependency cleanup' sprint in the next month

---

Click to Expand File Summaries

File	Status	Description	Impact	Issues Detected
pnpm-lock.yaml	Modified ( +215/ -154)	Updates multiple LangChain related packages and their dependencies, including @langchain/community from 1.0.5 to 1.1.18 and openai from 6.9.1 to 6.22.0. It also adds deprecation warnings for several packages.	Medium – The update involves significant version bumps for core AI libraries and introduces security-related deprecation notices for 'glob' and 'tar'. This may require testing for breaking changes in AI orchestration logic.	1
pnpm-workspace.yaml	Modified ( +1/ -1)	Updated the version of @langchain/community from 1.0.5 to 1.1.18 in the pnpm workspace catalog.	Low – This is a dependency version bump which includes bug fixes and security improvements (SSRF protection) as noted in the release notes.	0

[appmod-pr-genie]

Security Risk: Deprecated and Vulnerable Dependencies

I noticed that several versions of the glob package (7.2.3, 8.1.0, 9.3.5, 10.5.0, 11.1.0) are being marked as deprecated due to widely publicized security vulnerabilities. Using these versions in production poses a significant security risk. We should look into upgrading these to the latest supported versions (v11+) where the vulnerabilities are resolved.

[appmod-pr-genie]

Compliance & Security Assessment

🌟 Excellent work! Your code passed all coding standards checks with zero violations. 👏

[appmod-pr-genie]

Appmod Quality Check: FAILED❌

❌ Quality gate failed - This pull request requires attention before merging.

📊 Quality Metrics

Metric	Value	Status
Quality Score	80%	✅
Issues Found	1	❌
CS Violations	0	✅
Risk Level	High	❌

🎯 Assessment

Action required - Please address the identified issues before proceeding.

📋 View Detailed Report for comprehensive analysis and recommendations.

---

Automated by Appmod Quality Assurance System