chore(project): upgraded dependencies versions #251

Merged
KeiKey merged 2 commits into main from feature/update-dependencies
Aug 5, 2025

KeiKey (Contributor) commented Jul 30, 2025

Upgraded dependencies based on snyk suggestions.

Upgraded axios to 1.11.0 in order to address a security issue with the previous versions.

Didn't remove the form-data override because it is still needed for @langchain/community. They have pushed a fix, but it's not published yet.

graymalkin77 commented Jul 30, 2025

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

license/snyk check is complete. No issues have been found. (View Details)

code/snyk check is complete. No issues have been found. (View Details)

KeiKey force-pushed the feature/update-dependencies branch from b2ddc28 to 387e25b on July 31, 2025 14:35

KeiKey requested a review from a team on August 3, 2025 23:52

"cross-spawn": "7.0.5",
"srt-parser-2": "1.1.3",
"axios": "1.8.3",
"axios": "1.11.0",
Contributor

Hello @KeiKey, do we still need axios override here? I can see axios exists in dependencies

KeiKey (Contributor, Author), Aug 4, 2025

Hey @mhdha94, yeah it is needed because we have 2 dependencies that still install a previous version of axios. These would be the installed versions without the override:
[image]

Contributor

@KeiKey I see. In that case, would it be possible to update either @langchain or ibm-cloud-sdk-core?

Both packages seem to have newer versions available. In fact, the latest release of ibm-cloud-sdk-core is already using axios@1.11.0:

https://github.com/IBM/node-sdk-core/blob/main/package.json

That said, I’m not sure if we can update them directly.

@langchain/community https://www.npmjs.com/package/@langchain/community/v/0.3.49?activeTab=versions has a newer version as well

Collaborator

We try to update these remaining dependencies @KeiKey? I see you were already proactive to update many of the dependencies, which I really like, so try these extra ones as well :)

Contributor Author

@mhdha94 @dcxn

We've already updated @cognigy/rest-api-client to the latest available version (2025.15.1), but it still uses axios@1.8.3. I also checked their repo, and it looks like even in the upcoming release, that won’t change.

Regarding @langchain/community, we’ll need to wait for a version that updates ibm-cloud-sdk-core. While ibm-cloud-sdk-core does have a version compatible with axios@1.11.0, @langchain/community isn’t using that version yet in their latest release.

I could’ve explained the reasoning for keeping these versions more clearly. Thanks for bringing it up!

** If/whenever we ping team Boron for them to upgrade axios to 1.11.0, we can also let them know to fix an `npm warn deprecated` warning that we are getting. They are using uuidv4, which is a deprecated package. uuid package is the suggested alternative.
[image]
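
The check this thread keeps returning to (which packages would still install an older axios without the override), as an added example that is not part of the PR or the project's code: it scans a lockfile `packages` map for nested copies of a package below a minimum version. The `sampleLock` data and all function names are constructed for illustration.

```javascript
// Constructed sample: a trimmed lockfileVersion 3 "packages" map as it might look
// with the override removed. Only the 2025.15.1 -> axios 1.8.3 pairing comes from
// the thread; every other version here is made up for the example.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/axios": { version: "1.11.0" },
    "node_modules/axios-retry": { version: "0.0.0-example" },
    "node_modules/@cognigy/rest-api-client": { version: "2025.15.1" },
    "node_modules/@cognigy/rest-api-client/node_modules/axios": { version: "1.8.3" },
    "node_modules/ibm-cloud-sdk-core": { version: "0.0.0-example" },
    "node_modules/ibm-cloud-sdk-core/node_modules/axios": { version: "1.7.0" },
  },
};

// Compare plain x.y.z versions (prerelease suffix ignored): <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every installed copy of `name` older than `minVersion`, with the package
// whose node_modules folder it is nested under.
function findStaleCopies(lock, name, minVersion) {
  const suffix = "node_modules/" + name;
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Match the hoisted copy or a nested one, but not e.g. "axios-retry".
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    if (!entry.version || compareVersions(entry.version, minVersion) >= 0) continue;
    const parentPath = path.slice(0, -suffix.length).replace(/\/$/, "");
    const nestedUnder = parentPath.split("node_modules/").pop() || "(root)";
    stale.push({ path, version: entry.version, nestedUnder });
  }
  return stale;
}

// The override is still doing work while any stale copy would be installed.
function overrideStillNeeded(lock, name, minVersion) {
  return findStaleCopies(lock, name, minVersion).length > 0;
}

console.log(findStaleCopies(sampleLock, "axios", "1.11.0"));
```

To use it on a real project, regenerate the lockfile with the override removed and pass the parsed `package-lock.json` in place of `sampleLock`.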

KeiKey merged commit 70f450a into main on Aug 5, 2025
4 checks passed

dcxn (Collaborator) commented Aug 12, 2025

🎉 This PR is included in version 1.8.6 🎉

The release is available on:

Your semantic-release bot 📦🚀

dcxn added the released label on Aug 12, 2025