langchain==0.3.29
Two critical hardening fixes to prevent untrusted manifest attacks
Deep Dive
LangChain released version 0.3.29 with fixes that restrict deserialization in langchain.storage._lc_store and harden load() against untrusted manifests.
Key Points
- Restricts unsafe deserialization in langchain.storage._lc_store to block object injection
- Hardens load() against untrusted manifests in both langchain and langchain-core
- No feature additions; purely a security patch requiring upgrade for production use
Why It Matters
Essential security patch for LangChain users; unpatched instances risk RCE via untrusted serialized data.
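A pre-load check for untrusted manifests, as an added example (not LangChain's code and not the 0.3.29 fix itself): it walks the parsed JSON and refuses any serialized-object node whose id is not on an explicit allowlist. The node layout (`lc`, `type`, `id`, `kwargs`), the allowlist entries and the sample manifests are assumptions constructed for illustration.

```python
import json

# Assumed allowlist: the only constructor ids this application expects.
ALLOWED_IDS = {
    ("langchain_core", "messages", "human", "HumanMessage"),
    ("langchain_core", "prompts", "prompt", "PromptTemplate"),
}
ALLOWED_TYPES = {"constructor"}  # any other node type is refused

# Constructed sample manifests (not taken from the release notes).
_MSG_ID = ["langchain_core", "messages", "human", "HumanMessage"]
GOOD = json.dumps({"lc": 1, "type": "constructor", "id": _MSG_ID,
                   "kwargs": {"content": "hi"}})
NESTED = json.dumps({"lc": 1, "type": "constructor", "id": _MSG_ID,
                     "kwargs": {"content": "hi", "memory": {
                         "lc": 1, "type": "constructor", "kwargs": {},
                         "id": ["example_pkg", "internal", "UnreviewedClass"]}}})


def audit_manifest(node, path="$"):
    """Return a list of findings; an empty list means the manifest passed."""
    findings = []
    if isinstance(node, dict):
        if "lc" in node:  # marks a serialized-object node (assumed layout)
            ntype, nid = node.get("type"), node.get("id")
            if ntype not in ALLOWED_TYPES:
                findings.append(f"{path}: node type {ntype!r} not allowed")
            elif not (isinstance(nid, list)
                      and all(isinstance(p, str) for p in nid)):
                findings.append(f"{path}: malformed id")
            elif tuple(nid) not in ALLOWED_IDS:
                findings.append(f"{path}: id {'.'.join(nid)} not allowlisted")
        for key, value in node.items():  # nested kwargs are audited too
            findings += audit_manifest(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings += audit_manifest(value, f"{path}[{i}]")
    return findings


def safe_to_load(raw: str) -> bool:
    """Parse untrusted JSON; accept only a dict with a clean audit."""
    try:
        data = json.loads(raw)
        return isinstance(data, dict) and not audit_manifest(data)
    except (json.JSONDecodeError, RecursionError):
        return False
```

Run the check before the manifest reaches any loader, and log the findings list so rejected manifests can be traced to their source.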