[Release] langchain-ai/langchain langchain-huggingface==1.2.2: langchain-huggingface==1.2.2

langchain-huggingface version 1.2.2 is a maintenance release that hardens hostname validation and rejects URLs in repo_id fields. The release includes security updates (CVE-2026-4539 via pygments), dependency bumps for langsmith, pytest, aiohttp, and other packages, and performance improvements like avoiding unnecessary HuggingFace API calls for local endpoints. Key changes focus on stability, security, and dependency management across the HuggingFace partner library.

Key Points

• •Hardened hostname validation and reject URLs in repo_id to improve security and prevent misuse
• •Fixed CVE-2026-4539 by bumping pygments to >=2.20.0 across all packages
• •Upgraded langsmith from 0.6.3 to 0.7.31 for improved functionality and stability
• •Optimized HuggingFaceEndpoint to avoid unnecessary API calls when using local instances
• •Bumped langchain-core minimum requirement to 1.2.21 for better compatibility
• •Updated pytest to 9.0.3 and other dependencies (aiohttp, requests, orjson, tornado) for latest features and security patches
• •Added ModelProfile schema validation with warnings for drift detection
• •Improved CI/CD pipeline by suppressing pytest streaming output and avoiding unnecessary dependency installations
• •Enhanced documentation with full installation guidance and sentence-transformers>=5.2.0 migration notes
• •Refreshed model profile data to ensure accurate model information

Workflow Diagram

Concepts