[Release] langchain-ai/langchain: langchain-classic==1.0.6
By github-actions[bot] on GitHub
The langchain-classic 1.0.6 release includes security hardening fixes for deserialization and manifest loading, a dependency bump for jupyter-server, and version-specific handling for the hub.pull deprecation. The release focuses on improving robustness against untrusted inputs and maintaining compatibility with the classic API.
Key Points
- Security fix: Restrict deserialization in langchain_classic.storage._lc_store to prevent unsafe object instantiation
- Manifest hardening: Strengthen load() function against untrusted manifests across core and langchain modules
- Dependency update: Bump jupyter-server from 2.17.0 to 2.18.0 for security and stability improvements
- Deprecation handling: Use langchain-classic version for hub.pull deprecation warnings to ensure correct version reporting
- Focus on backward compatibility: Changes maintain the classic API surface while improving security posture
- Deserialization safety: Implement restrictions on what objects can be deserialized from storage to prevent injection attacks