
fix(security): bump langsmith, orjson, minimatch; drop Python 3.9 (ENG-12174)#21

Merged: andriy-sudo merged 1 commit into main from andriy/ENG-12174-fix-langsmith-orjson-minimatch on Mar 17, 2026

Conversation

@andriy-sudo (Contributor) commented:

Summary

Fixes ENG-12174 and all other open HIGH/MEDIUM Dependabot alerts in this repo.

Vulnerabilities Fixed

| Package | Old | New | Advisory | Severity | Status |
|---|---|---|---|---|---|
| langsmith | 0.4.37 | 0.6.4 | GHSA-v34v-rq6j-cj6p | Medium | ✅ Fixed |
| orjson | 3.11.5 | 3.11.7 | GHSA-hx9q-6w63-j58v | High | ✅ Fixed |
| minimatch | 3.1.2 | 3.1.5 | GHSA-7r86-cg39-jmmj | High | ✅ Fixed |
| langchain-core | 0.3.83 | | GHSA-2g6r-c272-w58r | Low | ⚠️ Risk accepted — fix requires langchain-core 1.2.11 (breaking major upgrade from ^0.3.x; see osv-scanner.toml, ignored until 2026-06-15) |

Changes

  • langchain/pyproject.toml: Bumped Python requirement from >=3.9 to >=3.10 (required by langsmith >=0.6.3). Added explicit floor pins for langsmith >=0.6.3 and orjson >=3.11.6.
  • langchain/poetry.lock: Regenerated — langsmith 0.4.37 (Python 3.9 fallback) is gone; langsmith 0.6.4 and orjson 3.11.7 are the resolved versions.
  • zapier/package.json: Added "minimatch": "^3.1.3" override to force transitive dep past vulnerable range.
  • zapier/package-lock.json: Regenerated — minimatch 3.1.2 → 3.1.5.
  • osv-scanner.toml: Removed expired ignore for GHSA-v6h2-p8h4-qcjw (brace-expansion now fixed at 1.1.12 in zapier lock). Added ignore for GHSA-2g6r-c272-w58r with documented rationale.

Test plan

  • OSV Scanner PR check passes green
  • No new vulnerabilities introduced

🤖 Generated with Claude Code

…G-12174)

- langsmith 0.4.37 -> 0.6.4 (GHSA-v34v-rq6j-cj6p, CVSS medium) — requires Python >=3.10
- orjson 3.11.5 -> 3.11.7 (GHSA-hx9q-6w63-j58v, CVSS high)
- minimatch 3.1.2 -> 3.1.5 in zapier (GHSA-7r86-cg39-jmmj, CVSS high)
- Drop Python 3.9 support (langsmith >=0.6.3 requires Python >=3.10)
- Remove expired osv-scanner.toml ignore for GHSA-v6h2-p8h4-qcjw (brace-expansion now fixed at 1.1.12)
- Add osv-scanner.toml ignore for GHSA-2g6r-c272-w58r (langchain-core LOW; no semver-compatible fix)

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
@andriy-sudo andriy-sudo requested a review from a team as a code owner March 17, 2026 09:12

coderabbitai Bot commented Mar 17, 2026

Walkthrough

The pull request updates project dependencies and configuration across three files. In langchain/pyproject.toml, the minimum Python version requirement is increased from 3.9 to 3.10, and two new dependencies are added: langsmith (>=0.6.3) and orjson (>=3.11.6). The osv-scanner.toml file updates an ignored vulnerability entry, changing the vulnerability ID and extending the ignore date to 2026-06-15, noting an SSRF issue related to image_url token counting in langchain-core. In zapier/package.json, a new package override is added for minimatch at version ^3.1.3 under the overrides section.

Pre-merge checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and accurately summarizes the main change: bumping security-related dependencies and dropping Python 3.9 support to address vulnerabilities. |
| Description check | ✅ Passed | The description is comprehensive and directly related to the changeset, detailing the vulnerabilities fixed, dependencies updated, and files modified. |




@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
langchain/pyproject.toml (1)

31-32: Use compatible release constraints for new runtime dependencies.

At lines 31–32, >=... allows unplanned major version upgrades (e.g., langsmith to 1.x, orjson to 4.x), risking breaking changes. Use Poetry's compatible release operator (~=) instead, which restricts to patch-level updates within the current minor version.

Suggested diff
-langsmith = ">=0.6.3"
-orjson = ">=3.11.6"
+langsmith = "~=0.6.3"
+orjson = "~=3.11.6"
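Review bot: the `~=` suggestion trades away future security fixes for stability, and the PR already has a guard against unplanned upgrades: poetry.lock pins the resolved langsmith 0.6.4 and orjson 3.11.7, so these constraints only take effect when the lock is regenerated. With `langsmith = "~=0.6.3"`, a fix that ships only in a 0.7.x release would have no in-range path, which is the same no-semver-compatible-fix situation this PR records for langchain-core in osv-scanner.toml. If the concern is specifically a jump to langsmith 1.x or orjson 4.x, a bound on the next major (`langsmith = ">=0.6.3,<1.0"`, `orjson = ">=3.11.6,<4.0"`) keeps minor security releases reachable while still excluding those.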

(This is equivalent to >=0.6.3,<0.7.0 and >=3.11.6,<3.12.0 respectively, per Poetry's recommended approach for non-breaking compatible updates.)


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9dd44237-b0fe-4d2b-8376-7b9ef71f0ce2

📥 Commits

Reviewing files that changed from the base of the PR and between 8489c96 and e9906c7.

⛔ Files ignored due to path filters (2)
  • langchain/poetry.lock is excluded by !**/*.lock
  • zapier/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (3)
  • langchain/pyproject.toml
  • osv-scanner.toml
  • zapier/package.json
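The nitpick above contrasts the PR's `>=` floor pins with `~=` compatible-release constraints. The following is an added example, not code from this repository or from the review bot: it implements PEP 440 comparison for plain dotted-integer versions (no pre-release, post or local segments, which is all this PR needs), evaluates both kinds of constraint against candidate versions, rewrites a `~=` clause into the explicit `>=,<` pair the nitpick cites, and audits a lock snapshot against a constraint set. The `RESOLVED_LOCK` dictionary is constructed from the resolved versions the PR description reports; the `1.0.0` candidate is a hypothetical future release used only to show where the two constraint styles diverge.

```python
"""Evaluate ">=" floor pins versus "~=" compatible-release constraints.

Added example for this PR discussion; not code from the repository or the
review bot. Handles plain dotted-integer versions only (no pre-release,
post or local segments), which covers every version string in the PR.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]

_CLAUSE_RE = re.compile(r"(~=|==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """Turn '3.11.7' into (3, 11, 7); reject anything that is not dotted integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _padded(version: Version, length: int) -> Version:
    """Right-pad with zeros so (0, 7) compares like (0, 7, 0)."""
    return version + (0,) * (length - len(version))


def _compare(a: Version, b: Version) -> int:
    """Three-way comparison after zero-padding both sides to equal length."""
    n = max(len(a), len(b))
    a, b = _padded(a, n), _padded(b, n)
    return (a > b) - (a < b)


def _dotted(version: Version) -> str:
    return ".".join(str(part) for part in version)


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every comma-separated clause in `spec`.

    '~=X.Y.Z' follows PEP 440: >= X.Y.Z and == X.Y.* (only the last
    component given is allowed to float).
    """
    v = parse_version(version)
    for raw in spec.split(","):
        match = _CLAUSE_RE.fullmatch(raw.strip())
        if not match:
            raise ValueError(f"unsupported constraint clause: {raw!r}")
        op, target = match.group(1), parse_version(match.group(2))
        if op == "~=":
            if len(target) < 2:
                raise ValueError("~= requires at least two version components")
            prefix = target[:-1]
            ok = (_compare(v, target) >= 0
                  and _padded(v, len(prefix))[:len(prefix)] == prefix)
        else:
            c = _compare(v, target)
            ok = {"==": c == 0, "!=": c != 0, "<": c < 0,
                  "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]
        if not ok:
            return False
    return True


def expand_compatible(spec: str) -> str:
    """Rewrite '~=0.6.3' as the explicit pair '>=0.6.3,<0.7'."""
    match = re.fullmatch(r"~=\s*(\d+(?:\.\d+)*)", spec.strip())
    if not match:
        raise ValueError(f"not a compatible-release clause: {spec!r}")
    target = parse_version(match.group(1))
    if len(target) < 2:
        raise ValueError("~= requires at least two version components")
    upper = target[:-2] + (target[-2] + 1,)
    return f">={_dotted(target)},<{_dotted(upper)}"


def audit_lock(lock: Dict[str, str], constraints: Dict[str, str]) -> Dict[str, str]:
    """Report every constrained package whose locked version falls outside its spec."""
    problems: Dict[str, str] = {}
    for package, spec in constraints.items():
        pinned = lock.get(package)
        if pinned is None:
            problems[package] = f"missing from lock (constraint {spec})"
        elif not satisfies(pinned, spec):
            problems[package] = f"{pinned} does not satisfy {spec}"
    return problems


# Constructed lock snapshot: the resolved versions the PR description reports.
RESOLVED_LOCK = {"langsmith": "0.6.4", "orjson": "3.11.7"}

if __name__ == "__main__":
    floors = {"langsmith": ">=0.6.3", "orjson": ">=3.11.6"}  # what the PR pins
    compat = {"langsmith": "~=0.6.3", "orjson": "~=3.11.6"}  # the nitpick's suggestion
    print("floor pins :", audit_lock(RESOLVED_LOCK, floors) or "lock satisfies all")
    print("compat pins:", audit_lock(RESOLVED_LOCK, compat) or "lock satisfies all")
    # 1.0.0 is a hypothetical future release (constructed), not a real langsmith version.
    for candidate in ("0.6.4", "0.7.0", "1.0.0"):
        print(f"langsmith {candidate}: >=0.6.3 -> {satisfies(candidate, '>=0.6.3')}, "
              f"~=0.6.3 -> {satisfies(candidate, '~=0.6.3')}")
    print("~=3.11.6 expands to", expand_compatible("~=3.11.6"))
```

Running the module shows that the locked 0.6.4 and 3.11.7 satisfy both constraint styles today, while only the `>=` floors admit the hypothetical 1.0.0; `expand_compatible` makes the upper bound that `~=` silently introduces explicit, which is useful when reviewing whether a constraint still leaves a path to future security releases.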

@andriy-sudo andriy-sudo merged commit 0a36113 into main Mar 17, 2026
3 checks passed
@andriy-sudo andriy-sudo deleted the andriy/ENG-12174-fix-langsmith-orjson-minimatch branch March 17, 2026 16:18