
Conversation


@stbenjam stbenjam commented Dec 29, 2025

Bump minimum version constraints for langchain ecosystem packages to address security vulnerabilities and ensure compatibility.

This is largely due to https://nvd.nist.gov/vuln/detail/CVE-2025-68665, but Sippy in prod is already running non-vulnerable versions (and is protected by auth anyway).

This update isn't strictly required, as we're rebuilding the Sippy container image at least once a day and pulling in updated packages. I'm not sure if we should be using requirements.lock for reproducible builds, but so far we're not really getting any severe breaking changes, and we are getting CVE fixes automatically. At least we set the right floor in requirements.txt.

Summary by CodeRabbit

  • Chores
    • Updated core dependencies to latest compatible versions for improved stability, security, and compatibility with current ecosystem standards.


@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

@openshift-ci openshift-ci bot requested review from dgoodwin and smg247 December 29, 2025 01:51
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 29, 2025
@coderabbitai

coderabbitai bot commented Dec 29, 2025

Walkthrough

This pull request upgrades multiple langchain-related dependencies to higher minimum versions in the chat/requirements.txt file and adds new dependencies including pydantic, httpx, and typing-extensions. The langchain-mcp-adapters package is pinned to version >=0.2.1.

Changes

Cohort: Dependency Version Updates
File(s): chat/requirements.txt
Summary: Upgrades langchain ecosystem packages (langgraph, langchain, langchain-openai, langchain-google-genai, langchain-community, langchain-core) to higher minimum versions; adds pydantic, httpx, and typing-extensions; pins langchain-mcp-adapters to >=0.2.1

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Pre-merge checks and finishing touches

✅ Passed checks (7 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: updating langchain dependencies to current versions, which is the primary modification shown in the chat/requirements.txt file.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Go Error Handling ✅ Passed The custom check for Go error handling is not applicable to this PR as only chat/requirements.txt was modified, containing no Go code.
Sql Injection Prevention ✅ Passed This PR is a dependency update modifying only requirements.txt and does not change any SQL query construction or execution code. The SQL injection prevention check is not applicable.
Excessive Css In React Should Use Styles ✅ Passed The custom check for 'Excessive CSS in React Should Use Styles' is not applicable to this pull request because it exclusively modifies Python package dependencies with no React components or CSS styling present.
Single Responsibility And Clear Naming ✅ Passed This custom check is not applicable to the pull request. The PR only updates dependency versions in chat/requirements.txt and does not introduce or modify any code, packages, structs, methods, or naming conventions.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
chat/requirements.txt (1)

15-16: Minor: Unpinned dependencies lack version constraints.

Lines 15-16 specify watchfiles and websockets without any version constraints. While the PR description notes that the Sippy container is rebuilt daily and pulls updated packages, this approach can lead to subtle incompatibilities if major versions introduce breaking changes. Consider adding minimum version constraints to these packages (e.g., watchfiles>=0.20.0, websockets>=12.0.0) to improve reproducibility and reduce variability across environments.


📥 Commits

Reviewing files that changed from the base of the PR and between 791e0fe and 5a638cb.

📒 Files selected for processing (1)
  • chat/requirements.txt
🔇 Additional comments (2)
chat/requirements.txt (2)

1-1: Approved: langchain ecosystem packages with appropriate minimum versions.

The remaining langchain ecosystem packages have sensible minimum version constraints aligned with recent stable releases. langchain-core>=1.2.5 correctly addresses CVE-2025-68664, and the other packages (langgraph, langchain-openai, langchain-google-genai, langchain-community) have reasonable version floors.

Also applies to: 3-6

17-17: Approved: langchain-mcp-adapters pinned appropriately.

The explicit pin to langchain-mcp-adapters>=0.2.1 is appropriate for this newer ecosystem package.
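
The two points raised in this thread, that watchfiles and websockets carry no floor at all, and that a daily image rebuild is what actually keeps the installed versions above the floors in requirements.txt, are both things a build pipeline can verify rather than assume. The script below is an added example, not code from this PR or from the Sippy project: it parses the single-specifier requirement lines this file uses, flags packages with no constraint, and compares each floor against a snapshot of installed versions (the kind of mapping `pip freeze` produces). The requirement lines and installed versions in it are constructed samples, not the project's real file or a real environment.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the style of a chat/requirements.txt; the lines and
# versions are illustrative only, not the project's actual file.
SAMPLE_REQUIREMENTS = """\
# floors set after a security bump
langchain-core>=1.2.5
langgraph>=1.0.0
pydantic>=2.0
watchfiles
websockets
"""

# Constructed snapshot of what `pip freeze` might report inside an image
# (hypothetical versions, chosen so that one floor is violated).
SAMPLE_INSTALLED = {
    "langchain_core": "1.2.5",
    "langgraph": "0.9.3",
    "pydantic": "2.9.2",
    "watchfiles": "0.21.0",
    "websockets": "12.0",
}

# Only the single-specifier forms this kind of file uses are accepted;
# anything else raises, so an unexpected line cannot silently pass the audit.
_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(>=|==|>)\s*([0-9][0-9A-Za-z.]*))?$"
)


def normalize(name: str) -> str:
    """PEP 503 name normalisation, so 'langchain_core' matches 'langchain-core'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.5' -> (1, 2, 5); a non-numeric tail such as 'rc1' is dropped."""
    parts: List[int] = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_requirements(text: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (normalised name, operator, version) for each requirement line."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        name, op, ver = m.groups()
        reqs.append((normalize(name), op, ver))
    return reqs


def audit(text: str, installed: Dict[str, str]) -> Dict[str, list]:
    """Compare requirement floors against an installed-version snapshot.

    Returns three lists: packages with no constraint at all, packages whose
    installed version fails the floor as (name, installed, spec), and
    packages listed in the file but absent from the snapshot.
    """
    have = {normalize(k): v for k, v in installed.items()}
    report: Dict[str, list] = {"unconstrained": [], "below_floor": [], "missing": []}
    for name, op, floor in parse_requirements(text):
        if op is None:
            report["unconstrained"].append(name)
        actual = have.get(name)
        if actual is None:
            report["missing"].append(name)
            continue
        if op is None:
            continue  # nothing to compare against
        a, f = parse_version(actual), parse_version(floor)
        ok = {">=": a >= f, ">": a > f, "==": a == f}[op]
        if not ok:
            report["below_floor"].append((name, actual, f"{op}{floor}"))
    return report


if __name__ == "__main__":
    for key, items in audit(SAMPLE_REQUIREMENTS, SAMPLE_INSTALLED).items():
        print(f"{key}: {items}")
```

Run inside the built image with the real requirements file and the output of `pip freeze` fed into `audit`, a non-empty `below_floor` list is the signal that a rebuild pulled in something older than the floor (for example from a cached wheel), and a non-empty `unconstrained` list is the condition the review comment above points at. Version comparison is deliberately a plain numeric tuple so the script has no dependency of its own; for pre-release or post-release ordering the `packaging` library's `Version` class is the correct tool.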

@openshift-ci-robot

Scheduling required tests:
/test e2e

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 2, 2026
@openshift-ci

openshift-ci bot commented Jan 2, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: petr-muller, stbenjam


@openshift-ci-robot

Scheduling required tests:
/test e2e

@openshift-ci

openshift-ci bot commented Jan 2, 2026

@stbenjam: all tests passed!


@openshift-merge-bot openshift-merge-bot bot merged commit 1242d98 into openshift:main Jan 2, 2026
8 checks passed