chore(deps-dev): bump the langchain group across 1 directory with 2 updates

[dependabot]

Bumps the langchain group with 2 updates in the / directory: langchain-openai and langchain.

Updates langchain-openai from 0.3.34 to 1.3.2

Release notes

Sourced from langchain-openai's releases.

langchain-openai==1.3.2

Changes since langchain-openai==1.3.1

release(openai): 1.3.2 (#38130)

langchain-openai==1.3.1

Changes since langchain-openai==1.3.0

docs: refresh README installation and resources (#38119) test(core,langchain): update tests for explicit deserialization allowlists (#38118) release(core): 1.4.7 (#38111) fix(core,partners): rename package version trace metadata (#38110) style(core,langchain,langchain-classic,partners): replace double backticks in docstrings (#38095) test(openai): use gpt-4o for image token counting (#38089) release(core): 1.4.6 (#38061) feat(core,partners): add package version tracking to tracing metadata (#35295) fix(core,openai): normalize v1 streamed tool calls (#35983) chore(infra): bump mypy to 2.1 and unify type-check config across the monorepo (#36470) feat(standard-tests): validate tool call chunks during streaming (#34707) fix(langchain): tighten structured output model fallbacks (#38042)

langchain-openai==1.3.0

Changes since langchain-openai==1.2.2

hotfix(openai): min core dep (#37990) release(openai): 1.3.0 (#37989) feat(openai): support apply_patch built-in tool (#37157) chore(model-profiles): refresh model profile data (#37973) test(langchain,partners): disable pytest-benchmark under xdist to silence PytestBenchmarkWarning (#37901) chore(model-profiles): refresh model profile data (#37895)

langchain-openai==1.2.2

Changes since langchain-openai==1.2.1

release(openai): 1.2.2 (#37617) chore(infra): bump langchain-tests floor to 1.1.9 (#37610) test(openai): unbreak audio chat and Azure embedding integration tests (#37589) fix(openai): guard httpx finalizers (#37570) chore: bump langsmith from 0.8.4 to 0.8.5 in /libs/partners/openai (#37549) chore: bump idna from 3.11 to 3.15 in /libs/partners/openai (#37548) ci(infra): harden Dependabot version-bound preservation (#37510) test(standard-tests): assert ls_model_name honors per-call model override (#37504) fix(openai): source LLM context size from model profiles (#37489) chore(core,langchain,openai): refresh stale OpenAI model references (#37487) fix(openai): broaden condition for ContextOverflowError to accommodate other providers (#37457) docs(openai): document base_url env var fallback chain (#37436) chore: bump langsmith from 0.8.0 to 0.8.4 in /libs/partners/openai (#37416) chore: bump langsmith from 0.7.31 to 0.8.0 in /libs/partners/openai (#37398) chore(infra): merge v1.4 into master (#37350) chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/openai (#37330)

... (truncated)

Commits

• 879cad0 release(openai): 1.3.2 (#38130)
• 37b339f fix(openai): build Codex async headers off the event loop in _agenerate (#3...
• 11429a9 fix(openai): avoid sync token reads in Codex streaming (#38128)
• 454e195 hotfix(openai): skip Codex live integration tests in CI (#38124)
• 9e6f58b hotfix(openai): switch version (#38123)
• bf7b018 refactor(openai): mark Codex OAuth classes private (#38122)
• 34af883 chore(infra): wire up per-partner version-consistency pre-commit hooks (#38121)
• 8180a09 release(openai): 1.4.0 (#38120)
• 6c2b70e feat(openai): add ChatGPT OAuth-backed ChatOpenAICodex chat model (#37569)
• 63cc1f4 docs: refresh README installation and resources (#38119)
• Additional commits viewable in compare view

Updates langchain from 1.2.13 to 1.3.10

Release notes

Sourced from langchain's releases.

langchain==1.3.10

Changes since langchain==1.3.9

release(langchain): 1.3.10 (#38255) chore: bump cryptography from 46.0.7 to 48.0.1 in /libs/langchain_v1 (#38176) chore: bump aiohttp from 3.14.0 to 3.14.1 in /libs/langchain_v1 (#38179) fix(langchain): switch summary format (#38171) fix(langchain): detect provider strategy for dated gpt-5.2/gpt-5.4 snapshots (#38222) chore(langchain): improve typing in tests (#38163) chore: bump pyjwt from 2.12.0 to 2.13.0 in /libs/langchain_v1 (#38168) release(openai): 1.3.2 (#38130) hotfix(openai): switch version (#38123) release(openai): 1.4.0 (#38120) docs: refresh README installation and resources (#38119) test(core,langchain): update tests for explicit deserialization allowlists (#38118) release(core): 1.4.7 (#38111) release(anthropic): 1.4.6 (#38105)

langchain==1.3.9

Changes since langchain==1.3.8

release(anthropic): 1.4.6 (#38105) release(langchain): 1.3.9 (#38104) fix(langchain,anthropic): confine file-search results and tighten anthropic allowed_prefixes (#38106)

langchain==1.3.8

Changes since langchain==1.3.7

release(langchain): 1.3.8 (#38096) style(core,langchain,langchain-classic,partners): replace double backticks in docstrings (#38095) release(core): 1.4.6 (#38061) chore(langchain): add overloads to create_agent (#34309) chore(infra): bump mypy to 2.1 and unify type-check config across the monorepo (#36470) fix(langchain): support async middleware decorator typing (#34584) fix(langchain): tighten structured output model fallbacks (#38042) release(anthropic): 1.4.5 (#38036) hotfix(core): bump lockfile(s) (#38032) refactor(langchain): refactor test_create_agent_tool_validation (#34443)

langchain==1.3.7

Changes since langchain==1.3.6

release(langchain): 1.3.7 (#38024) style(langchain): add ruff rules ARG (#34435) feat(langchain): add ProviderToolSearchMiddleware (#37969) chore(langchain): activate mypy warn_return_any (#34249) test(langchain): mark legacy trigger view for 2.0 removal (#38002)

langchain==1.3.6

Changes since langchain==1.3.5

... (truncated)

Commits

• a807a9c release(langchain): 1.3.10 (#38255)
• 15b0a49 chore: bump jupyter-server from 2.18.0 to 2.20.0 in /libs/core (#38252)
• 612139f chore: bump tornado from 6.5.6 to 6.5.7 in /libs/text-splitters (#38175)
• 921e370 chore: bump cryptography from 46.0.7 to 48.0.1 in /libs/langchain_v1 (#38176)
• 1aabc26 chore: bump aiohttp from 3.14.0 to 3.14.1 in /libs/langchain_v1 (#38179)
• 8d51355 chore: bump aiohttp from 3.14.0 to 3.14.1 in /libs/langchain (#38180)
• 0b1b7bb chore: bump cryptography from 46.0.7 to 48.0.1 in /libs/langchain (#38181)
• dfd0627 chore: bump starlette from 1.0.1 to 1.3.1 in /libs/langchain (#38182)
• 0269392 chore: bump tornado from 6.5.6 to 6.5.7 in /libs/langchain (#38183)
• 24d0b37 chore: bump tornado from 6.5.6 to 6.5.7 in /libs/core (#38184)
• Additional commits viewable in compare view

[claude]

The langchain-openai bump spans a major version boundary (0.3.34 → 1.1.12), which may introduce breaking API changes in the test suite — worth a human check that CI passes.

Extended reasoning...

Overview

This is a dependabot PR updating two dev-only dependencies in pyproject.toml and uv.lock: langchain-openai (0.3.34 → 1.1.12) and langchain (1.2.13 → 1.2.15). Incidentally, langgraph (1.1.3 → 1.1.5) and langgraph-prebuilt (1.0.8 → 1.0.9) are also bumped as transitive resolution changes. All changes are to the [dependency-groups] dev section — none affect the published package.

Security Risks

No security risks from the version bumps themselves. The langchain 1.2.14 release includes a pygments CVE fix (CVE-2026-4539), which is a minor positive. No auth, crypto, or data-exposure surface in these changes.

Level of Scrutiny

The langchain-openai jump from 0.3.34 to 1.1.12 crosses a major version boundary and skips many minor versions, meaning the upstream library may have introduced API breaking changes. Even though it is a dev dependency, the test suite relies on it and tests could silently pass or fail depending on API compatibility. The constraint in pyproject.toml was widened from <0.4 to <1.2 to accommodate this, which is a deliberate widening. A human should confirm CI is green before merging.

Other Factors

No bugs were found by the automated bug hunting system. The langchain and langgraph bumps are minor patch-level and low risk. The lock file hash updates are consistent with the version changes. The main concern is solely the magnitude of the langchain-openai version jump.