← Back to the AI Dependency AtlasExact repository supply-chain dossier

Chat

f13/microservices/chat
pypi

This dossier retains 20 exact component occurrences from 2 published evidence files at one immutable repository commit.

opencode:5711a93870fdf9bdproject ID + commit SHA + exact evidence path

Published dependency evidence does not prove deployment, productive use, procurement or runtime reachability.

project ID + commit SHA + exact evidence path
20exact component occurrences
10package identities
2evidence files
13OSV records returned
Exact published evidence

Files that resolve this repository’s dependencies

Every file remains tied to the observed commit. A parse error stays visible and never becomes a zero.

Evidence pathrequirements-dev.txt
Format
exact-manifest-pin
Parser state
parsed
Resolved components
10
Open exact source ↗
Evidence pathrequirements.txt
Format
exact-manifest-pin
Parser state
parsed
Resolved components
10
Open exact source ↗
Observed relations

Package identities at this commit

pypiLangChain Corepypi:langchain-core
2 Occurrences1.4.6 · 1.4.8
MIT7 OSV records returned
pypiLangChainpypi:langchain
2 Occurrences1.3.11 · 1.3.8
MIT3 OSV records returned
pypiLangGraphpypi:langgraph
2 Occurrences1.2.4 · 1.2.7
MIT2 OSV records returned
pypiLangChain OpenAIpypi:langchain-openai
2 Occurrences1.3.0 · 1.3.3
MIT1 OSV record returned
pypiOpenAI SDKpypi:openai
2 Occurrences2.41.1 · 2.44.0
Apache-2.0
pypiLangChain · Linkuppypi:langchain-linkup
2 Occurrences0.2.1
MIT
pypiLangChain · MCP Adapterspypi:langchain-mcp-adapters
2 Occurrences0.3.0
MIT
pypiLangChain · Protocolpypi:langchain-protocol
2 Occurrences0.0.16 · 0.0.18
MIT
pypiLangChain · Tavilypypi:langchain-tavily
2 Occurrences0.2.18
MIT
pypitiktokenpypi:tiktoken
2 Occurrences0.13.0
non-standard
OSV

Related OSV records

GHSA-2g6r-c272-w58r

LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages

2 repositories13 Jul 2026
GHSA-3644-q5cj-c5c7

LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning

3 repositories13 Jul 2026
GHSA-5chr-fjjv-38qv

langchain-core allows unauthorized users to read arbitrary files from the host file system

1 repository07 Jul 2026
GHSA-6qv9-48xg-fc7f

LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates

1 repository07 Jul 2026
GHSA-926x-3r5x-gfhw

LangChain has incomplete f-string validation in prompt templates

2 repositories13 Jul 2026
GHSA-c67j-w6g6-q2cm

LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs

1 repository02 Jul 2026
GHSA-g48c-2wqr-h844

LangGraph checkpoint loading has unsafe msgpack deserialization

3 repositories06 Jun 2026
GHSA-gr75-jv2w-4656

LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders

4 repositories13 Jul 2026
GHSA-pjwx-r37v-7724

LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists

2 repositories13 Jul 2026
GHSA-qh6h-p6c9-ff54

LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions

2 repositories13 Jul 2026
GHSA-r7w7-9xr2-qq2r

langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding

2 repositories06 Jun 2026
GHSA-w39p-vh2g-g8g5

LangGraph SDK has unsafe URL path construction

2 repositories13 Jul 2026
PYSEC-2024-323

Not reported

1 repository13 Jul 2026
Interpretation boundary

Exact identities in, explicit limits out

The collector reads bounded lockfiles, SBOMs and exact double-equals pins at one immutable commit. Version ranges are never resolved by assumption.

Retrieval, parsing, matching and publishing use no generative AI model.

i6eal (2026): Chat — exact AI dependency evidence dossier, data state 19 Jul 2026. https://i6eal.de/en/tools/ki-abhaengigkeitsatlas/repository/opencode-5711/

Reading this dossier

Does this repository dossier prove deployment?
No. It documents dependencies published at one observed commit, not a deployed environment.
Why are exact versions required?
OSV and registry metadata can be linked reproducibly only to an observed package@version tuple. The collector never substitutes a newest release for a range.
Does a missing row mean the dependency is absent?
No. It means not observed within the bounded files and repository checkpoint. Incomplete trees and parser failures remain explicit.

Need a permanent dependency evidence trail for another public code cohort?

We build source-backed data products with stable identities, reproducible joins and boundaries that remain visible.

Discuss a data projectExplore all tools