langchain

vlangchain-deepseek==1.1.0 scope: langchain-deepseek Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 6h AI Agents & Assistants

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

agents ai ai-agents anthropic chatgpt deepagents

+11 more

enterprise gemini generative-ai langchain langgraph llm multiagent openai pydantic python typescript

Affected surfaces

deps

ReleasePort's take

Moderate signal

editorial:auto 5h

The release bumps urllib3 and requests dependencies in /libs/partners/deepseek and enforces pygments >= 2.20.0 to patch CVE‑2026‑4539 across all packages.

Why it matters: CVE‑2026‑4539 severity is unquantified; enforce pygments version ≥ 2.20.0 in every package immediately.

Summary

AI summary

Add content‑block‑centric streaming (v2) to the core library.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Patch CVE-2026-4539 by enforcing pygments>=2.20.0 across all packages. Patch CVE-2026-4539 by enforcing pygments>=2.20.0 across all packages. Source: llm_adapter@2026-06-03 Confidence: high	—
Feature	Medium	Add content‑block‑centric streaming (v2) to core. Add content‑block‑centric streaming (v2) to core. Source: llm_adapter@2026-06-03 Confidence: high	—
Feature	Medium	Add `text_inputs` and `text_outputs` fields to model‑profiles. Add `text_inputs` and `text_outputs` fields to model‑profiles. Source: llm_adapter@2026-06-03 Confidence: high	—
Dependency	Low	Bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/deepseek. Bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/deepseek. Source: llm_adapter@2026-06-03 Confidence: high	—
Dependency	Low	Bump requests from 2.32.5 to 2.33.0 in /libs/partners/deepseek. Bump requests from 2.32.5 to 2.33.0 in /libs/partners/deepseek. Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix
Bugfix	Medium	Accept `base_url` as alias for `api_base` in deepseek. Accept `base_url` as alias for `api_base` in deepseek. Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Use proper URL parsing for Azure endpoint detection in deepseek. Use proper URL parsing for Azure endpoint detection in deepseek. Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Set Tool Choice to `required` for Azure Deployment when specific function dict is given. Set Tool Choice to `required` for Azure Deployment when specific function dict is given. Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Filter function_call blocks in token counting for OpenAI. Filter function_call blocks in token counting for OpenAI. Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Add missing `ModelProfile` fields and warn on schema drift. Add missing `ModelProfile` fields and warn on schema drift. Source: llm_adapter@2026-06-03 Confidence: low	—

Full changelog

Changes since langchain-deepseek==1.0.1

chore(infra): bump langchain-tests floor to 1.1.9 (#37610)
chore: bump idna from 3.10 to 3.15 in /libs/partners/deepseek (#37560)
ci(infra): harden Dependabot version-bound preservation (#37510)
chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/deepseek (#37341)
chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/deepseek (#37282)
chore: bump langsmith from 0.7.31 to 0.8.3 in /libs/partners/deepseek (#37283)
chore(docs): update x handle references (#37081)
chore(model-profiles): refresh model profile data (#37015)
chore(model-profiles): refresh model profile data (#37005)
hotfix: bump min core versions (#36996)
feat(core): add content-block-centric streaming (v2) (#36834)
ci(infra): add pytest-xdist to partner test groups (#36988)
chore(model-profiles): refresh model profile data (#36982)
hotfix(ci): remove nobenchmark flag (#36959)
chore(partners): standardize integration test invocation (#36958)
chore(deps): bump pytest to 9.0.3 (#36801)
chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/partners/deepseek (#36787)
chore: add comment explaining pygments>=2.20.0 (#36570)
chore(model-profiles): refresh model profile data (#36554)
chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385)
chore: bump requests from 2.32.5 to 2.33.0 in /libs/partners/deepseek (#36256)
chore(partners): bump langchain-core min to 1.2.21 (#36183)
fix(core,model-profiles): add missing ModelProfile fields, warn on schema drift (#36129)
ci: suppress pytest streaming output in CI (#36092)
ci: avoid unnecessary dep installs in lint targets (#36046)
chore: bump orjson from 3.11.5 to 3.11.6 in /libs/partners/deepseek (#35868)
fix(deepseek): accept base_url as alias for api_base (#35789)
feat(model-profiles): new fields + Makefile target (#35788)
chore(model-profiles): refresh model profile data (#35646)
fix(deepseek): use proper URL parsing for azure endpoint detection (#35455)
fix(deepseek): Tool Choice to required for Azure Deployment in case specific function dict is given (#34848)
fix(model-profiles): sort generated profiles by model ID for stable diffs (#35344)
fix(infra): fix trailing comma regex in profile generation script (#35333)
chore: bump model profiles (#35294)
chore(deps): bump langsmith from 0.4.31 to 0.6.3 in /libs/partners/deepseek (#35156)
feat(model-profiles): add text_inputs and text_outputs (#35084)
chore: add make type target (#35015)
revert: "chore: add typing target in Makefile" (#35013)
chore: add typing target in Makefile (#35012)
chore: enrich pyproject.toml files (#34980)
chore(deps): bump the uv group across 20 directories with 3 updates (#34941)
chore: upgrade urllib3 to 2.6.3 (#34940)
chore: update twitter URLs (#34736)
chore: ban relative imports on all packages (#34691)
fix(openai): filter function_call blocks in token counting (#34396)
release(openai): 1.1.6: update max input tokens for gpt-5 series (#34419)
release(openai): 1.1.5 (#34409)
fix(openai): rely on langchain-core for setting chunk_position (#34404)
chore: update core dep in lockfiles (#34216)
release: (integration packages): 1.1 (#34088)
feat(model-profiles): distribute data across packages (#34024)

Security Fixes

dep: pygments >= 2.20.0 — fixes CVE-2026-4539

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track langchain

Get notified when new releases ship.

About langchain

The agent engineering platform

All releases →

Related context

Related tools

Related CVEs

CVE-2026-4539 NVD KEV EPSS

Earlier breaking changes

vlangchain-core==1.4.0 Deletes schema items marked for removal in schemas.py
vlangchain-core==1.4.0 Deletes function_calling.py utils marked for removal
vlangchain-core==1.4.0 Deletes get_relevant_documents function from API
vlangchain-core==1.4.0 Deletes pydantic_v1 module entirely from codebase
vlangchain-core==1.4.0 Deletes BaseMemory module, moved to langchain-classic