
Conversation

@dhirenmathur dhirenmathur (Contributor) commented Nov 12, 2025

Summary by CodeRabbit

  • Chores
    • Upgraded many core dependencies and AI/ML libraries to newer major releases and added clients for auth, cloud storage, telemetry, and developer tooling.
    • Introduced new utilities for caching, task monitoring, and token handling.
  • Refactor
    • Updated internal imports and library integrations to align with upgraded packages and APIs.

@coderabbitai coderabbitai bot (Contributor) commented Nov 12, 2025

Walkthrough

Upgrades many Python dependencies in requirements.txt (including langchain ecosystem, torch, aiohttp, cryptography, auth/cloud libs, and developer tooling) and changes one import: StructuredTool is imported from langchain_core.tools instead of langchain.tools.

Changes

Cohort / File(s) | Summary
--- | ---
Dependency Version Upgrades (requirements.txt) | Bumped many packages (notably langchain → 1.0.x, langchain-core → 1.0.x, langsmith, torch 2.5.1→2.8.0, aiohttp 3.11.9→3.12.14, cryptography 42.0.8→44.0.1, Pillow 10.0.1→10.3.0, etc.). Added libraries: auth0-python, google-cloud-secret-manager, google-cloud-storage, pre-commit, isort, black, redis, flower, sentry-sdk[fastapi], posthog, newrelic, tiktoken, agentops, pydantic[email], and others.
Import Adjustment in code analysis tool (app/modules/intelligence/tools/code_query_tools/code_analysis.py) | Switched import for StructuredTool from langchain.tools to langchain_core.tools inside universal_analyze_code_tool; factory usage and arguments remain unchanged.

Sequence Diagram(s)

(Skipped — changes are dependency updates and a single import redirect; no meaningful new control flow to diagram.)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Areas to focus on:
    • Any code importing StructuredTool or other langchain APIs (ensure consistent langchain_core usage).
    • Integration points that may break across major langchain/langgraph upgrades.
    • Torch/model loading and serialization paths for compatibility with torch 2.8.0.
    • New auth/cloud library usage and any credential/secret manager code paths.

Poem

🐰 I hopped through packages, nose in the breeze,
Updated stacks and swapped imports with ease.
One tiny hop from langchain to core,
I left fresh footprints across the floor. 🥕✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name | Status | Explanation
--- | --- | ---
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The PR title accurately reflects the main objective of upgrading multiple dependencies in requirements.txt to address dependabot-identified security and compatibility issues.
Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d3962a1 and fc5869e.

📒 Files selected for processing (2)
  • app/modules/intelligence/tools/code_query_tools/code_analysis.py (1 hunks)
  • requirements.txt (4 hunks)
🔇 Additional comments (5)
app/modules/intelligence/tools/code_query_tools/code_analysis.py (1)

572-572: LGTM! Import path correctly updated for langchain 1.0.5 compatibility.

The import change from langchain.tools to langchain_core.tools is correct and necessary for compatibility with the upgraded langchain 1.0.5, which removed deprecated import paths.

requirements.txt (4)

55-55: LGTM! Transformers upgrade resolves HIGH severity vulnerabilities.

The upgrade to transformers>=4.53.0 correctly addresses the ReDoS and input validation CVEs (CVE-2025-6051, CVE-2025-6921, CVE-2025-3777) flagged in the previous review.


3-3: Cryptography upgrade looks good.

The upgrade from cryptography 42.0.8 to 44.0.1 addresses multiple security vulnerabilities. This is a routine security update.


30-37: Langchain ecosystem upgrades correctly coordinated.

The coordinated upgrades across the langchain ecosystem (langchain→1.0.5, langchain-core→1.0.4, langgraph→1.0.3, and related packages) are properly aligned with the import path fix in code_analysis.py. These major version upgrades introduce breaking changes that have been appropriately addressed.


56-56: torch 2.8.0 exists on PyPI and is a valid version.

The concern about torch 2.8.0 being a typo is resolved—it's a legitimate release between 2.7.1 and 2.9.0. However, please confirm that compatibility with transformers and sentence-transformers has been tested, as the upgrade from torch 2.5.1 to 2.8.0 may introduce breaking changes across the dependency chain.


@coderabbitai coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2614c14 and 41bea2f.

📒 Files selected for processing (1)
  • requirements.txt (4 hunks)
🧰 Additional context used
🪛 OSV Scanner (2.2.4)
requirements.txt, line 53 (transformers 4.48.0), all rated HIGH:
  • PYSEC-2025-40: (no summary provided)
  • GHSA-37mw-44qp-f5jm: Transformers is vulnerable to ReDoS attack through its DonutProcessor class
  • GHSA-4w7r-h757-3r74: Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer
  • GHSA-59p9-h35m-wg4g: Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer
  • GHSA-9356-575x-2w9m: Hugging Face Transformers Regular Expression Denial of Service (ReDoS) vulnerability
  • GHSA-fpwr-67px-3qhx: Transformers Regular Expression Denial of Service (ReDoS) vulnerability
  • GHSA-jjph-296x-mrcr: Transformers vulnerable to ReDoS attack through its get_imports() function
  • GHSA-phhr-52qp-3mj4: Transformers's Improper Input Validation vulnerability can be exploited through username injection
  • GHSA-q2wp-rjmx-x6x9: Transformers's ReDoS vulnerability in get_configuration_file can lead to catastrophic backtracking
  • GHSA-qq3j-4f4f-9583: Hugging Face Transformers Regular Expression Denial of Service
  • GHSA-rcv9-qm8p-9p6j: Hugging Face Transformers library has Regular Expression Denial of Service

🔇 Additional comments (2)
requirements.txt (2)

9-9: LGTM: Minor/patch dependency updates.

Lines 9, 49, 51, and 72 show safe minor and patch version updates:

  • langsmith: 0.3.3→0.4.42
  • authlib: 1.6.3→1.6.5
  • requests: 2.32.3→2.32.5
  • Pillow: 10.0.1→10.3.0

These are appropriate dependabot-driven security updates with low risk of breaking changes.

Also applies to: 49-49, 51-51, 72-72


54-55: I need to search for more specific information about torch 2.8.0 breaking changes to determine if there are definitive issues or if this is just a general precaution.

Test torch 2.8.0 with sentence-transformers 4.0.2 in your environment.

sentence-transformers requires PyTorch 1.11.0+, which covers PyTorch 2.x. However, verify this combination works in your environment by running quick inference tests, as version mismatches between Sentence Transformers, Transformers, and PyTorch can break functionality or cause performance issues. torch 2.8.0 dropped support for older GPUs (Maxwell, Pascal, Volta), so confirm your target hardware is compatible.

@coderabbitai coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

♻️ Duplicate comments (2)
requirements.txt (2)

30-36: Verify langchain code migration and deprecated import fix.

The langchain ecosystem major version upgrades (1.0.5, langchain-core 1.0.4, langgraph 1.0.3) are correctly pinned, but this PR must include corresponding code changes. A past review identified a deprecated import that will break with these versions:

  • Required fix: app/modules/intelligence/tools/code_query_tools/code_analysis.py:569 — Change from langchain.tools import StructuredTool to from langchain_core.tools import StructuredTool (langchain 1.0.5 removes deprecated APIs).

Confirm that this code fix has been applied in this PR branch.

#!/bin/bash
# Verify the deprecated import has been fixed
grep -n "from langchain.tools import StructuredTool" app/modules/intelligence/tools/code_query_tools/code_analysis.py
# Expected: No output (import should be from langchain_core.tools)

# Verify the correct import is in place
grep -n "from langchain_core.tools import StructuredTool" app/modules/intelligence/tools/code_query_tools/code_analysis.py
# Expected: One match at line 569

54-54: 🔴 Critical: Upgrade transformers to resolve HIGH severity ReDoS vulnerabilities.

The current pin transformers>=4.48.0 is incompatible with the PR objective ("Upgrade dependencies for dependabot fixes"). Static analysis flags 11 HIGH severity vulnerabilities in transformers 4.48.0, including:

  • CVE-2025-6051: ReDoS in EnglishNormalizer
  • CVE-2025-6921: ReDoS in AdamWeightDecay
  • CVE-2025-3777: Improper URL validation in image_utils.py
  • Multiple ReDoS attacks (DonutProcessor, MarianTokenizer, get_configuration_file)

A prior review already identified this issue and recommended upgrading to >=4.53.0 (or >=4.54.1 for latest stable).

Apply this diff:

-transformers>=4.48.0
+transformers>=4.53.0
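Review bot: the suggested pin keeps an open lower bound (`transformers>=4.53.0`) while neighbouring pins such as `sentence-transformers==4.0.2` are exact, so the version that resolves changes from one install to the next and the torch 2.8.0 compatibility check requested on the next line would not be against a fixed version. Consider an exact pin or a bounded range (for example `transformers>=4.53.0,<5`) together with a lock file, so the combination that was tested is the one that ships.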

Verify torch 2.8.0 compatibility with transformers >=4.53.0 before merging.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 41bea2f and 3c8927f.

📒 Files selected for processing (1)
  • requirements.txt (4 hunks)
🧰 Additional context used
🪛 OSV Scanner (2.2.4)
requirements.txt, line 54 (transformers 4.48.0), all rated HIGH:
  • PYSEC-2025-40: (no summary provided)
  • GHSA-37mw-44qp-f5jm: Transformers is vulnerable to ReDoS attack through its DonutProcessor class
  • GHSA-4w7r-h757-3r74: Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer
  • GHSA-59p9-h35m-wg4g: Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer
  • GHSA-9356-575x-2w9m: Hugging Face Transformers Regular Expression Denial of Service (ReDoS) vulnerability
  • GHSA-fpwr-67px-3qhx: Transformers Regular Expression Denial of Service (ReDoS) vulnerability
  • GHSA-jjph-296x-mrcr: Transformers vulnerable to ReDoS attack through its get_imports() function
  • GHSA-phhr-52qp-3mj4: Transformers's Improper Input Validation vulnerability can be exploited through username injection
  • GHSA-q2wp-rjmx-x6x9: Transformers's ReDoS vulnerability in get_configuration_file can lead to catastrophic backtracking
  • GHSA-qq3j-4f4f-9583: Hugging Face Transformers Regular Expression Denial of Service
  • GHSA-rcv9-qm8p-9p6j: Hugging Face Transformers library has Regular Expression Denial of Service

🔇 Additional comments (2)
requirements.txt (2)

55-55: Verify torch 2.8.0 compatibility with sentence-transformers and transformers.

The torch version is upgraded from 2.5.1 to 2.8.0. Verify that this is compatible with:

  • sentence-transformers==4.0.2
  • transformers>=4.53.0 (after the security fix above)

Ensure no regressions by running the test suite with the updated dependency stack.


3-3: Minor/patch version upgrades look good.

The following upgrades are minor/patch version bumps and align with the PR objective:

  • cryptography: 42.0.8 → 44.0.1
  • langsmith: 0.3.3 → 0.4.42 (coordinated with langchain major upgrade)
  • aiohttp: 3.11.9 → 3.12.14
  • authlib: 1.6.3 → 1.6.5
  • requests: 2.32.3 → 2.32.5
  • Pillow: 10.0.1 → 10.3.0

These are low-risk security/stability updates. No concerns.

Also applies to: 9-9, 29-29, 50-50, 52-52, 73-73
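The reviews above repeatedly check whether a requirements.txt pin still admits a release older than the one that fixed an advisory. As an added example (not part of this PR or of CodeRabbit's output), this small Python checker parses requirement lines and flags any pin whose floor is below the fixed versions the reviews name; the MIN_FIXED table is constructed from those comments and would be maintained from the advisory feed in practice.

```python
import re

# Fixed versions named in the review comments above (a constructed table for
# this example): a pin whose floor is below these still admits a vulnerable release.
MIN_FIXED = {
    "transformers": "4.53.0",   # ReDoS / input-validation advisories
    "cryptography": "44.0.1",
    "torch": "2.8.0",
    "pillow": "10.3.0",
}

# name, optional [extras], optional operator and version; environment markers ignored.
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
                  r"(==|>=|~=|>|<=|<|!=)?\s*([0-9][0-9A-Za-z.]*)?")


def parse_version(v):
    """Turn '4.53.0' into (4, 53, 0) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_requirement(line):
    """Return (spec, name, op, version), or None for blank and comment lines."""
    spec = line.split("#", 1)[0].strip()
    m = _REQ.match(spec) if spec else None
    if not m:
        return None
    name, op, ver = m.groups()
    # PEP 503 normalisation so "Pillow" and "pillow" hit the same key.
    return spec, name.lower().replace("_", "-"), op, ver


def find_vulnerable_pins(requirements_text, minimums=MIN_FIXED):
    """Return [(name, spec, floor)] for every pin that admits a release below floor."""
    findings = []
    for line in requirements_text.splitlines():
        parsed = parse_requirement(line)
        if parsed is None or parsed[1] not in minimums:
            continue
        spec, name, op, ver = parsed
        floor = minimums[name]
        # No version, or only an upper bound / exclusion: any old release is allowed.
        if ver is None or op in ("<", "<=", "!="):
            findings.append((name, spec, floor))
        # Lower-bound pins (==, >=, ~=, >): flag when below the fixed version.
        # ">x" is treated like ">=x" here, which is slightly optimistic.
        elif parse_version(ver) < parse_version(floor):
            findings.append((name, spec, floor))
    return findings
```

Run it over the pre-upgrade file and the post-upgrade file; the transformers line is reported only for the first, which is the condition the second and third reviews were checking by hand.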

@dhirenmathur dhirenmathur requested a review from nndn November 12, 2025 11:00