← Back to the AI Dependency AtlasExact package identity dossier

LangChain Core

pypi:langchain-core
pypi

This dossier links the stable identity pypi:langchain-core to 5 exact observed versions across 5 public repositories.

pypipypi:langchain-coreecosystem:name + exact version + evidence path

A package identity or provider interface in published code does not prove configuration, an account, procurement, data transfer or an API call.

ecosystem:name + exact version + evidence path
5repositories
7exact evidence rows
5exact versions
1reported license expression
7OSV records returned
Exact published evidence

Observed exact versions and registry metadata

Publication age and licenses come from deps.dev metadata. They are context—not a maintenance, legal or portability verdict.

Exact version0.2.2802 Aug 2024
Repositories
1
Occurrences
1
Reported licenses
MIT
no verified publish attestation reported7 OSV records
Open exact source ↗
Exact version1.2.709 Jan 2026
Repositories
1
Occurrences
1
Reported licenses
MIT
no verified publish attestation reported4 OSV records
Open exact source ↗
Exact version1.4.611 Jun 2026
Repositories
1
Occurrences
1
Reported licenses
MIT
no verified publish attestation reportedNo OSV record returned for this exact version
Open exact source ↗
Exact version1.4.712 Jun 2026
Repositories
1
Occurrences
1
Reported licenses
MIT
no verified publish attestation reportedNo OSV record returned for this exact version
Open exact source ↗
Exact version1.4.818 Jun 2026
Repositories
2
Occurrences
3
Reported licenses
MIT
no verified publish attestation reportedNo OSV record returned for this exact version
Open exact source ↗
Observed relations

Repositories carrying this identity

Chatf13/microservices/chat
1.4.6 · 1.4.82 Occurrences
Chatoc000155135727/chat
1.4.82 Occurrences
ai-websearch-benchmarkdatenlabor-bmz/ai-websearch-benchmark
1.2.71 Occurrence
ai-legal-graphiorb/ai-legal-graph
0.2.281 Occurrence
MUCGPTlandeshauptstadt-muenchen/mucgpt
1.4.71 Occurrence
Exact published evidence

exact evidence rows

ai-legal-graphiorb/ai-legal-graph
pypi:langchain-core@0.2.28requirements.txt
direct declarationnot marked as development-only
Open exact source ↗
ai-websearch-benchmarkdatenlabor-bmz/ai-websearch-benchmark
pypi:langchain-core@1.2.7uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
Chatf13/microservices/chat
pypi:langchain-core@1.4.6requirements-dev.txt
generated or transitive declarationnot marked as development-only
Open exact source ↗
Chatoc000155135727/chat
pypi:langchain-core@1.4.8requirements-dev.txt
generated or transitive declarationnot marked as development-only
Open exact source ↗
Chatoc000155135727/chat
pypi:langchain-core@1.4.8requirements.txt
generated or transitive declarationnot marked as development-only
Open exact source ↗
Chatf13/microservices/chat
pypi:langchain-core@1.4.8requirements.txt
generated or transitive declarationnot marked as development-only
Open exact source ↗
MUCGPTlandeshauptstadt-muenchen/mucgpt
pypi:langchain-core@1.4.7mucgpt-core-service/uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
OSV

Related OSV records

GHSA-2g6r-c272-w58r

LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages

2 repositories13 Jul 2026
GHSA-5chr-fjjv-38qv

langchain-core allows unauthorized users to read arbitrary files from the host file system

1 repository07 Jul 2026
GHSA-6qv9-48xg-fc7f

LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates

1 repository07 Jul 2026
GHSA-926x-3r5x-gfhw

LangChain has incomplete f-string validation in prompt templates

2 repositories13 Jul 2026
GHSA-c67j-w6g6-q2cm

LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs

1 repository02 Jul 2026
GHSA-pjwx-r37v-7724

LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists

2 repositories13 Jul 2026
GHSA-qh6h-p6c9-ff54

LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions

2 repositories13 Jul 2026
Interpretation boundary

Exact identities in, explicit limits out

Only exact npm and PyPI tuples are enriched. Reported SPDX expressions are metadata; no compatibility, obligation or legal conclusion is inferred.

Retrieval, parsing, matching and publishing use no generative AI model.

i6eal (2026): LangChain Core — exact AI dependency evidence dossier, data state 19 Jul 2026. https://i6eal.de/en/tools/ki-abhaengigkeitsatlas/paket/langchain-core-82117efb/

Reading this dossier

Does package presence prove that a provider is used?
No. Even a direct interface declaration does not establish configuration, credentials, procurement, data transfer or an API call.
Why are exact versions required?
OSV and registry metadata can be linked reproducibly only to an observed package@version tuple. The collector never substitutes a newest release for a range.
Does a missing row mean the dependency is absent?
No. It means not observed within the bounded files and repository checkpoint. Incomplete trees and parser failures remain explicit.

Need a permanent dependency evidence trail for another public code cohort?

We build source-backed data products with stable identities, reproducible joins and boundaries that remain visible.

Discuss a data projectExplore all tools