Skip to content

chore(deps): bump uuid, @langchain/langgraph, @langchain/langgraph-checkpoint and @langchain/langgraph-cli#4

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-115a0f3b6a
Open

chore(deps): bump uuid, @langchain/langgraph, @langchain/langgraph-checkpoint and @langchain/langgraph-cli#4
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-115a0f3b6a

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Jun 2, 2026

Bumps uuid to 14.0.0 and updates ancestor dependencies uuid, @langchain/langgraph, @langchain/langgraph-checkpoint and @langchain/langgraph-cli. These dependencies need to be updated together.

Updates uuid from 13.0.2 to 14.0.0

Release notes

Sourced from uuid's releases.

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

  • expect crypto to be global everywhere (requires node@20+) (#935)
  • drop node@18 support (#934)

Features

Bug Fixes

  • expect crypto to be global everywhere (requires node@20+) (#935) (f2c235f)
  • Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)
Changelog

Sourced from uuid's changelog.

14.0.0 (2026-04-19)

Security

  • Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

  • crypto is now expected to be globally defined (requires node@20+) (#935)
  • drop node@18 support (#934)
  • upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

  • make browser exports the default (#901)

Bug Fixes

12.0.0 (2025-09-05)

⚠ BREAKING CHANGES

  • update to typescript@5.2 (#887)
  • remove CommonJS support (#886)
  • drop node@16 support (#883)

Features

Bug Fixes

11.1.0 (2025-02-19)

... (truncated)

Commits
  • 7c1ea08 chore(main): release 14.0.0 (#926)
  • 3d2c5b0 Merge commit from fork
  • f2c235f fix!: expect crypto to be global everywhere (requires node@20+) (#935)
  • 529ef08 chore: upgrade TypeScript and fixup types (#927)
  • 086fd79 chore: update dependencies (#933)
  • dc4ddb8 feat!: drop node@18 support (#934)
  • 0f1f9c9 chore: switch to Biome for parsing and linting (#932)
  • e2879e6 chore: use maintained version of npm-run-all (#930)
  • ffa3138 fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)
  • 0423d49 docs: remove obsolete v1 option notes (#915)
  • Additional commits viewable in compare view

Updates @langchain/langgraph from 1.3.2 to 1.3.4

Release notes

Sourced from @​langchain/langgraph's releases.

@​langchain/langgraph@​1.3.4

Patch Changes

  • #2035 7c3a98b Thanks @​JadenKim-dev! - fix(core): prevent Zod schema defaults from overwriting checkpoint state in Command.update

  • Updated dependencies [0491534]:

    • @​langchain/langgraph-sdk@​1.9.12

@​langchain/langgraph@​1.3.3

Patch Changes

  • #2037 9eb478f Thanks @​pawel-twardziak! - Decouple ContextType generic from configurable in PregelOptions so that providing a custom context type no longer incorrectly narrows the configurable parameter.

  • #2457 91a5494 Thanks @​christian-bromann! - fix(langgraph): pass context with stateful RemoteGraph runs

    Pop thread_id from run config.configurable and forward context to the SDK so checkpointed remote runs accept user context without a 400 from ambiguous parameters. Closes #1922.

  • #1988 6d4bf92 Thanks @​Axadali! - Fix race condition in IterableReadableWritableStream.push() that caused ERR_INVALID_STATE errors when streaming with multiple parallel nodes and aborting the stream.

  • #2409 101b70a Thanks @​pragnyanramtha! - Preserve non-plain objects passed through Send and Command argument deserialization.

  • #2344 0125920 Thanks @​dependabot! - chore(deps): bump uuid to 14.0.0 and keep checkpoint ID ordering stable

    Bump uuid from 10.x/13.x to 14.0.0 across packages. Starting with uuid 11, v6({ clockseq }) no longer advances the sub-millisecond time counter when an explicit clockseq is passed, so checkpoint IDs created within the same millisecond were ordered only by clockseq. Since checkpoint IDs are sorted lexicographically, this broke ordering — most visibly for the negative clockseq used by the first ("input") checkpoint, which sorted as the newest.

    uuid6() now maintains its own monotonic (msecs, nsecs) clock (mirroring uuid 10's internal v1 behavior) so the time component is always strictly increasing and checkpoint ordering no longer depends on the clockseq value. emptyCheckpoint() also uses a non-negative clockseq.

  • Updated dependencies [863b555, 0125920]:

    • @​langchain/langgraph-sdk@​1.9.11
    • @​langchain/langgraph-checkpoint@​1.0.4

@​langchain/langgraph-checkpoint-mongodb@​1.3.3

Patch Changes

Changelog

Sourced from @​langchain/langgraph's changelog.

1.3.4

Patch Changes

  • #2035 7c3a98b Thanks @​JadenKim-dev! - fix(core): prevent Zod schema defaults from overwriting checkpoint state in Command.update

  • Updated dependencies [0491534]:

    • @​langchain/langgraph-sdk@​1.9.12

1.3.3

Patch Changes

  • #2037 9eb478f Thanks @​pawel-twardziak! - Decouple ContextType generic from configurable in PregelOptions so that providing a custom context type no longer incorrectly narrows the configurable parameter.

  • #2457 91a5494 Thanks @​christian-bromann! - fix(langgraph): pass context with stateful RemoteGraph runs

    Pop thread_id from run config.configurable and forward context to the SDK so checkpointed remote runs accept user context without a 400 from ambiguous parameters. Closes #1922.

  • #1988 6d4bf92 Thanks @​Axadali! - Fix race condition in IterableReadableWritableStream.push() that caused ERR_INVALID_STATE errors when streaming with multiple parallel nodes and aborting the stream.

  • #2409 101b70a Thanks @​pragnyanramtha! - Preserve non-plain objects passed through Send and Command argument deserialization.

  • #2344 0125920 Thanks @​dependabot! - chore(deps): bump uuid to 14.0.0 and keep checkpoint ID ordering stable

    Bump uuid from 10.x/13.x to 14.0.0 across packages. Starting with uuid 11, v6({ clockseq }) no longer advances the sub-millisecond time counter when an explicit clockseq is passed, so checkpoint IDs created within the same millisecond were ordered only by clockseq. Since checkpoint IDs are sorted lexicographically, this broke ordering — most visibly for the negative clockseq used by the first ("input") checkpoint, which sorted as the newest.

    uuid6() now maintains its own monotonic (msecs, nsecs) clock (mirroring uuid 10's internal v1 behavior) so the time component is always strictly increasing and checkpoint ordering no longer depends on the clockseq value. emptyCheckpoint() also uses a non-negative clockseq.

  • Updated dependencies [863b555, 0125920]:

    • @​langchain/langgraph-sdk@​1.9.11
    • @​langchain/langgraph-checkpoint@​1.0.4
Commits
  • c6b29fb chore: version packages (#2465)
  • 7c3a98b fix(core): prevent Zod schema defaults from overwriting checkpoint state in C...
  • d2ca90f chore: version packages (#2453)
  • 101b70a fix: preserve non-plain Send args (#2409)
  • 0125920 chore(deps): bump uuid from 10.0.0 to 14.0.0 (#2344)
  • 91a5494 fix(langgraph): pass context with stateful RemoteGraph runs (#2457)
  • 6d4bf92 fix(langgraph): StreamMessagesHandler throws "Controller is already closed" e...
  • c5dcbd1 fix(langgraph): handle null thread checkpoint in RemoteGraph.getState (#2331)
  • 9eb478f fix(langgraph): decouple ContextType from configurable in PregelOptions (#2037)
  • 4d12fe0 docs: more readme cleanups
  • Additional commits viewable in compare view

Updates @langchain/langgraph-checkpoint from 1.0.2 to 1.0.4

Release notes

Sourced from @​langchain/langgraph-checkpoint's releases.

@​langchain/langgraph-checkpoint@​1.0.4

Patch Changes

  • #2344 0125920 Thanks @​dependabot! - chore(deps): bump uuid to 14.0.0 and keep checkpoint ID ordering stable

    Bump uuid from 10.x/13.x to 14.0.0 across packages. Starting with uuid 11, v6({ clockseq }) no longer advances the sub-millisecond time counter when an explicit clockseq is passed, so checkpoint IDs created within the same millisecond were ordered only by clockseq. Since checkpoint IDs are sorted lexicographically, this broke ordering — most visibly for the negative clockseq used by the first ("input") checkpoint, which sorted as the newest.

    uuid6() now maintains its own monotonic (msecs, nsecs) clock (mirroring uuid 10's internal v1 behavior) so the time component is always strictly increasing and checkpoint ordering no longer depends on the clockseq value. emptyCheckpoint() also uses a non-negative clockseq.

@​langchain/langgraph-checkpoint@​1.0.3

Patch Changes

  • #2352 14f2a79 Thanks @​Nagendhra-web! - fix(langgraph-checkpoint): block prototype pollution in MemorySaver via reserved storage keys

    MemorySaver previously embedded thread_id, checkpoint_ns, checkpoint_id, and task_id directly into property accesses on the nested plain objects this.storage and this.writes. A caller able to shape any of those fields (every quickstart, tutorial, and test fixture uses MemorySaver by default) could pass "__proto__", "constructor", or "prototype" and have the subsequent assignment mutate Object.prototype. From that point every plain object in the process inherits the injected property, breaking for...in loops, truthy short-circuits, and downstream serializers across unrelated code paths. CWE-1321.

    Adds an assertSafeStorageKey chokepoint applied at every public entry that touches storage or writes (put, putWrites, deleteThread, getTuple, list). The guard rejects non-string values, the empty string (unless explicitly opted-in for checkpoint_ns), and the three prototype-pollution keys. Behaviour for valid string identifiers is unchanged.

Changelog

Sourced from @​langchain/langgraph-checkpoint's changelog.

1.0.4

Patch Changes

  • #2344 0125920 Thanks @​dependabot! - chore(deps): bump uuid to 14.0.0 and keep checkpoint ID ordering stable

    Bump uuid from 10.x/13.x to 14.0.0 across packages. Starting with uuid 11, v6({ clockseq }) no longer advances the sub-millisecond time counter when an explicit clockseq is passed, so checkpoint IDs created within the same millisecond were ordered only by clockseq. Since checkpoint IDs are sorted lexicographically, this broke ordering — most visibly for the negative clockseq used by the first ("input") checkpoint, which sorted as the newest.

    uuid6() now maintains its own monotonic (msecs, nsecs) clock (mirroring uuid 10's internal v1 behavior) so the time component is always strictly increasing and checkpoint ordering no longer depends on the clockseq value. emptyCheckpoint() also uses a non-negative clockseq.

1.0.3

Patch Changes

  • #2352 14f2a79 Thanks @​Nagendhra-web! - fix(langgraph-checkpoint): block prototype pollution in MemorySaver via reserved storage keys

    MemorySaver previously embedded thread_id, checkpoint_ns, checkpoint_id, and task_id directly into property accesses on the nested plain objects this.storage and this.writes. A caller able to shape any of those fields (every quickstart, tutorial, and test fixture uses MemorySaver by default) could pass "__proto__", "constructor", or "prototype" and have the subsequent assignment mutate Object.prototype. From that point every plain object in the process inherits the injected property, breaking for...in loops, truthy short-circuits, and downstream serializers across unrelated code paths. CWE-1321.

    Adds an assertSafeStorageKey chokepoint applied at every public entry that touches storage or writes (put, putWrites, deleteThread, getTuple, list). The guard rejects non-string values, the empty string (unless explicitly opted-in for checkpoint_ns), and the three prototype-pollution keys. Behaviour for valid string identifiers is unchanged.

Commits
  • d2ca90f chore: version packages (#2453)
  • 0125920 chore(deps): bump uuid from 10.0.0 to 14.0.0 (#2344)
  • 381a9f6 chore: version packages (#2445)
  • 14f2a79 fix(langgraph-checkpoint): block prototype pollution in MemorySaver via reser...
  • 1f11df2 chore: version packages (#2364)
  • 085a07f feat(core): event based streaming (#2314)
  • 9102d52 fix(langgraph): propagate tracer metadata defaults from configurable (#2315)
  • d88f29b chore(repo): migrate linting and formatting from ESLint/Prettier to oxlint/ox...
  • a1e2abf chore: version packages (#2174)
  • b6cfe55 feat(langgraph): add support for Uint8Array for JsonPlusSerializer (#2190)
  • See full diff in compare view

Updates @langchain/langgraph-cli from 1.2.2 to 1.2.4

Release notes

Sourced from @​langchain/langgraph-cli's releases.

@​langchain/langgraph-cli@​1.2.4

Patch Changes

@​langchain/langgraph-cli@​1.2.3

Patch Changes

  • #2443 80a8c12 Thanks @​christian-bromann! - refactor(sdk): drop StreamSubmitOptions.command and simplify forkFrom

    Remove the misleading submit({ command }) surface from protocol-v2 StreamController; HITL resume is respond() only. Accept forkFrom as a plain checkpoint id string and align protocol-v2 servers and docs.

  • Updated dependencies [80c2806, 80a8c12, 2c14b12]:

    • @​langchain/langgraph-api@​1.2.3
Changelog

Sourced from @​langchain/langgraph-cli's changelog.

1.2.4

Patch Changes

1.2.3

Patch Changes

  • #2443 80a8c12 Thanks @​christian-bromann! - refactor(sdk): drop StreamSubmitOptions.command and simplify forkFrom

    Remove the misleading submit({ command }) surface from protocol-v2 StreamController; HITL resume is respond() only. Accept forkFrom as a plain checkpoint id string and align protocol-v2 servers and docs.

  • Updated dependencies [80c2806, 80a8c12, 2c14b12]:

    • @​langchain/langgraph-api@​1.2.3
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump uuid, @langchain/langgraph, @langchain/langgraph-ch…
30e2fcf 
…eckpoint and @langchain/langgraph-cli

Bumps [uuid](https://github.com/uuidjs/uuid) to 14.0.0 and updates ancestor dependencies [uuid](https://github.com/uuidjs/uuid), [@langchain/langgraph](https://github.com/langchain-ai/langgraphjs/tree/HEAD/libs/langgraph-core), [@langchain/langgraph-checkpoint](https://github.com/langchain-ai/langgraphjs/tree/HEAD/libs/checkpoint) and [@langchain/langgraph-cli](https://github.com/langchain-ai/langgraphjs/tree/HEAD/libs/langgraph-cli). These dependencies need to be updated together.


Updates `uuid` from 13.0.2 to 14.0.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v13.0.2...v14.0.0)

Updates `@langchain/langgraph` from 1.3.2 to 1.3.4
- [Release notes](https://github.com/langchain-ai/langgraphjs/releases)
- [Changelog](https://github.com/langchain-ai/langgraphjs/blob/main/libs/langgraph-core/CHANGELOG.md)
- [Commits](https://github.com/langchain-ai/langgraphjs/commits/@langchain/langgraph@1.3.4/libs/langgraph-core)

Updates `@langchain/langgraph-checkpoint` from 1.0.2 to 1.0.4
- [Release notes](https://github.com/langchain-ai/langgraphjs/releases)
- [Changelog](https://github.com/langchain-ai/langgraphjs/blob/main/libs/checkpoint/CHANGELOG.md)
- [Commits](https://github.com/langchain-ai/langgraphjs/commits/@langchain/langgraph-checkpoint@1.0.4/libs/checkpoint)

Updates `@langchain/langgraph-cli` from 1.2.2 to 1.2.4
- [Release notes](https://github.com/langchain-ai/langgraphjs/releases)
- [Changelog](https://github.com/langchain-ai/langgraphjs/blob/main/libs/langgraph-cli/CHANGELOG.md)
- [Commits](https://github.com/langchain-ai/langgraphjs/commits/@langchain/langgraph-cli@1.2.4/libs/langgraph-cli)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: indirect
- dependency-name: "@langchain/langgraph"
  dependency-version: 1.3.4
  dependency-type: direct:production
- dependency-name: "@langchain/langgraph-checkpoint"
  dependency-version: 1.0.4
  dependency-type: indirect
- dependency-name: "@langchain/langgraph-cli"
  dependency-version: 1.2.4
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 2, 2026
@vercel
Copy link
Copy Markdown
Contributor

vercel Bot commented Jun 2, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
codevibe Ready Ready Preview, Comment Jun 2, 2026 6:06pm

@dependabot dependabot Bot added the javascript Pull requests that update javascript code label Jun 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants