fix: Update dependency versions - pyproject.toml#10028

Merged
HimavarshaVS merged 23 commits into
mainfrom
version-management
Oct 2, 2025

Conversation

@HimavarshaVS
Collaborator

@HimavarshaVS HimavarshaVS commented Sep 29, 2025

Description

This PR updates the dependency version bounds in pyproject.toml to ensure:

  1. Compatibility with upstream packages.
  2. Security and stability by avoiding unbounded major version upgrades.
  3. Consistency across dev and main dependencies.

Changes

  • Updated main dependencies with upper bounds < next_major.0.0 where applicable.
  • Updated dev dependencies similarly to stay within safe version ranges.
  • Additional files modified:
    - src/backend/base/langflow/initial_setup/starter_projects/Knowledge Ingestion.json
    - src/backend/base/langflow/initial_setup/starter_projects/Knowledge Retrieval.json

Testing

Able to successfully launch langflow
[screenshot omitted]

Summary by CodeRabbit

  • Chores
    • Standardized dependency ranges with upper bounds across the app to reduce unexpected major upgrades and improve stability.
    • Aligned starter project templates with compatible versions (e.g., cryptography, scrapegraph, apify-client).
  • Bug Fixes
    • Improved installation reliability and runtime compatibility across environments and Python versions by tightening version constraints.
    • Reduced risk of breaking changes from upstream releases.

@HimavarshaVS HimavarshaVS requested review from jordanrfrazier and removed request for jordanrfrazier September 29, 2025 19:41
@coderabbitai
Contributor

coderabbitai Bot commented Sep 29, 2025

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Dependency specifications were revised across multiple pyproject.toml files to introduce upper bounds and tighten ranges. Several starter project JSON templates adjusted specific dependency versions (cryptography, scrapegraph_py, apify_client). No application code, control flow, or public API changes were made.

Changes

Cohort / File(s): Summary of Changes

  • Root dependency constraints (pyproject.toml): Converted many exact/min-only pins to ranged constraints with upper bounds; standardized guards across packages (e.g., certifi, redis, datasets, chromadb, multiple langchain integrations, scipy, openai, pytest-timeout, pyyaml, etc.).
  • Backend base dependency constraints (src/backend/base/pyproject.toml): Tightened upper bounds for numerous runtime and tooling dependencies (e.g., gunicorn <23, structlog <26, cryptography <43, networkx <4); added/adjusted bounds for validators and others; no script entrypoint changes.
  • LFX module dependency constraints (src/lfx/pyproject.toml): Added upper bounds to most dependencies (e.g., langchain-core, pandas, pydantic, fastapi, uvicorn); updated validators to <1.0.0; no runtime/control-flow edits.
  • Starter projects — cryptography version (src/backend/base/langflow/initial_setup/starter_projects/Knowledge Ingestion.json, src/backend/base/langflow/initial_setup/starter_projects/Knowledge Retrieval.json): Downgraded cryptography from 43.0.3 to 42.0.8.
  • Starter projects — scrapegraph_py version (src/backend/base/langflow/initial_setup/starter_projects/Search agent.json): Changed scrapegraph_py from 1.31.0 to 1.30.0.
  • Starter projects — apify_client version (src/backend/base/langflow/initial_setup/starter_projects/Social Media Agent.json): Updated apify_client from 2.1.0 to 1.12.2 (two occurrences).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

size:XXL, lgtm

Suggested reviewers

  • erichare
  • jordanrfrazier
  • edwinjosechittilappilly

Pre-merge checks and finishing touches

✅ Passed checks (7 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.
  • Test Coverage For New Implementations: ✅ Passed. This pull request solely updates dependency version constraints in pyproject.toml files and adjusts versions in starter project JSON configurations without adding or modifying any application source code, new components, bug fixes, or features; accordingly, there are no new code paths that require corresponding tests. The existing test suite remains intact and will surface any compatibility regressions resulting from these dependency changes. No new or updated test files are expected or necessary for pure dependency management revisions.
  • Test Quality And Coverage: ✅ Passed. This pull request only updates dependency version constraints in TOML and JSON configuration files and does not introduce or modify any functional code, async routines, or API endpoints; therefore, there is no new implementation that requires test coverage, and the existing test suite remains sufficient.
  • Test File Naming And Structure: ✅ Passed. This pull request only updates dependency version constraints and lockfiles without adding, removing, or modifying any test files, so the existing tests’ naming patterns and structures remain unchanged and compliant with the project’s conventions.
  • Excessive Mock Usage Warning: ✅ Passed. This PR does not modify any test files, so there are no new or altered mocks to review and therefore no risk of excessive mock usage introduced by this change.
  • Title Check: ✅ Passed. The title clearly and concisely captures the primary change of updating dependency versions without extraneous details, making it immediately understandable to reviewers scanning the history.


@erichare
Collaborator

Fantastic addition @HimavarshaVS. Agree with @jordanrfrazier's comments; once those are in I think this can be approved. The version updates have been a long time coming, and pinning versions vs using >= etc. has been kind of messy and not clear. This will definitely help improve things, and as Jordan mentions we have more flexibility now that uv actually resolves the dependency in less than a week 😄

Looks great!

@HimavarshaVS HimavarshaVS marked this pull request as ready for review September 30, 2025 16:14
Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
src/backend/base/langflow/initial_setup/starter_projects/Knowledge Ingestion.json (1)

749-749: Approve downgrade to 42.0.8 as the latest 42.x release with all high/moderate patches included. Note that the low-severity “Vulnerable OpenSSL in wheels” advisory (published 2025-02-11) affects both 42.x and 43.x and is only fixed in 44.0.1—upgrade to ≥44.0.1 and adjust your bounds if you need that specific patch.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ddf2d4b and 08a372d.

⛔ Files ignored due to path filters (2)
  • src/backend/base/uv.lock is excluded by !**/*.lock
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (7)
  • pyproject.toml (4 hunks)
  • src/backend/base/langflow/initial_setup/starter_projects/Knowledge Ingestion.json (1 hunks)
  • src/backend/base/langflow/initial_setup/starter_projects/Knowledge Retrieval.json (1 hunks)
  • src/backend/base/langflow/initial_setup/starter_projects/Search agent.json (1 hunks)
  • src/backend/base/langflow/initial_setup/starter_projects/Social Media Agent.json (2 hunks)
  • src/backend/base/pyproject.toml (4 hunks)
  • src/lfx/pyproject.toml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: test-starter-projects
🔇 Additional comments (7)
src/lfx/pyproject.toml (1)

11-41: LGTM! Dependency upper bounds added appropriately.

The addition of upper bounds to prevent unbounded major version upgrades is a good practice that:

  • Improves build reproducibility
  • Prevents breaking changes from unexpected major version bumps
  • Aligns with the PR objective to maintain stability

All bounds follow semantic versioning conventions (blocking next major version), which is the recommended approach.

src/backend/base/pyproject.toml (4)

55-55: Cryptography upper bound reduction explains JSON downgrades.

The cryptography upper bound was reduced from <44.0.0 to <43.0.0. This explains the version downgrades to 42.0.8 in the starter project JSON files (Knowledge Ingestion.json and Knowledge Retrieval.json).

Ensure this tightened constraint is compatible with all dependencies that require cryptography, and that version 42.0.8 has no known security vulnerabilities.

See the verification script in the review comment for Knowledge Ingestion.json (line 749) to check cryptography security status.


79-93: LGTM! Main dependency upper bounds added appropriately.

The addition of upper bounds to validators, networkx, json-repair, and other dependencies follows best practices and aligns with the PR objectives.


98-132: LGTM! Dev dependency upper bounds added appropriately.

The systematic addition of upper bounds to all dev dependencies improves build reproducibility and prevents breaking changes during development.


25-25: Relax or document gunicorn upper bound change. 23.0.0 (released 2024-08-10) includes only minor docs fixes, a new worker_class parameter, deadlock/security fixes, and no breaking changes (github.com). If excluding 23.x wasn’t intentional, revert to <24.0.0; otherwise, document why 23.x must be blocked.

pyproject.toml (2)

32-133: LGTM! Comprehensive dependency upper bounds added.

The systematic addition of upper bounds across runtime dependencies follows the PR objectives and incorporates feedback from previous review comments. Key improvements:

  • Replaces exact version pins with flexible ranges (e.g., types-cachetools>=5.5.0.20240820,<6.0.0)
  • Adds upper bounds to langchain ecosystem packages (e.g., langchain-astradb>=0.6.1,<1.0.0)
  • Consolidates per-Python-version constraints into universal upper-bounded ranges where appropriate
  • Increases datasets upper bound to <4.0.0 as discussed in previous review comments

This approach improves dependency resolution speed (as noted by reviewer erichare regarding "uv") while maintaining compatibility guarantees.

Based on past review comments addressing the approach with jordanrfrazier.


136-183: LGTM! Dev dependency upper bounds added consistently.

The addition of upper bounds to all dev dependencies mirrors the approach taken for runtime dependencies and ensures consistent dependency management across the project.

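The PR description and the review above both rest on one rule: every dependency gets an upper bound of the form `<next_major.0.0`, and the starter-project pins (cryptography 42.0.8 against `cryptography<43.0.0`) must fall inside the bounds declared in pyproject.toml. The following script, added here as an illustration and not part of the langflow repository, shows how a reviewer or a CI step can check both mechanically: it parses PEP 440 specifier strings, flags requirements that lack an upper bound, derives the `<next_major.0.0` bound from the existing lower bound, and tests a pinned version against a requirement. It is standard library only (the `packaging` library would be the production choice); the dependency strings and versions in it are constructed samples, not the repository's actual pins.

```python
"""Audit pyproject-style dependency specifiers for missing upper bounds.

Added example; not code from the langflow project. Pure standard library:
the `packaging` library would normally do the parsing in production, the
subset below is enough to demonstrate the checks the review asks for.
"""
import re

# Constructed sample: a [project] dependencies list in pyproject.toml style.
# Values are illustrative and are not the repository's real constraints.
SAMPLE_DEPENDENCIES = [
    "cryptography>=42.0.5,<43.0.0",
    "gunicorn>=22.0.0,<23.0.0",
    "networkx>=3.4.2",              # no upper bound: the case the PR fixes
    "validators==0.34.0",           # exact pin: already capped
    "langchain-core>=0.3.0,<1.0.0",
]

# name, optional [extras], then the comma-separated specifier clauses
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*?)\s*$")
# longest operators first so that '<=' is not read as '<' followed by '=...'
_CLAUSE_RE = re.compile(r"^(===|==|!=|<=|>=|<|>|~=)\s*([0-9][0-9A-Za-z.*+!-]*)$")


def parse_requirement(req):
    """Split 'name[extras]spec' into (name, [(operator, version), ...])."""
    m = _REQ_RE.match(req)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    name, _extras, spec = m.groups()
    clauses = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        cm = _CLAUSE_RE.match(part)
        if not cm:
            raise ValueError(f"unparseable specifier clause {part!r} in {req!r}")
        clauses.append((cm.group(1), cm.group(2)))
    return name, clauses


def version_key(version):
    """Numeric release tuple, e.g. '42.0.8' -> (42, 0, 8); pre/post/dev tags are dropped."""
    release = re.match(r"^[0-9]+(\.[0-9]+)*", version).group(0)
    return tuple(int(x) for x in release.split("."))


def _pad(a, b):
    """Pad two release tuples to equal length so that 1.0 compares equal to 1.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def has_upper_bound(req):
    """True when the specifier caps the version: '<', '<=', '==', '===' and '~=' all do."""
    _, clauses = parse_requirement(req)
    return any(op in ("<", "<=", "==", "===", "~=") for op, _ in clauses)


def add_next_major_bound(req):
    """Append '<NEXT_MAJOR.0.0', derived from the '>=' / '>' clause, when no cap exists."""
    if has_upper_bound(req):
        return req
    _, clauses = parse_requirement(req)
    lowers = [version_key(v) for op, v in clauses if op in (">=", ">")]
    if not lowers:
        return req  # nothing to derive a major version from; leave for a human
    major = min(lowers)[0]
    return f"{req},<{major + 1}.0.0"


def satisfies(version, req):
    """Check a pinned version (as in a starter-project JSON) against a requirement."""
    _, clauses = parse_requirement(req)
    for op, spec_v in clauses:
        vk, sk = _pad(version_key(version), version_key(spec_v))
        if op in ("==", "==="):
            ok = vk == sk
        elif op == "!=":
            ok = vk != sk
        elif op == "<":
            ok = vk < sk
        elif op == "<=":
            ok = vk <= sk
        elif op == ">":
            ok = vk > sk
        elif op == ">=":
            ok = vk >= sk
        else:  # '~=X.Y.Z' means >=X.Y.Z and ==X.Y.*
            prefix = len(version_key(spec_v)) - 1
            ok = vk >= sk and vk[:prefix] == sk[:prefix]
        if not ok:
            return False
    return True


def audit(deps):
    """Map each requirement lacking an upper bound to its suggested bounded form."""
    return {parse_requirement(d)[0]: add_next_major_bound(d)
            for d in deps if not has_upper_bound(d)}


if __name__ == "__main__":
    for name, suggestion in audit(SAMPLE_DEPENDENCIES).items():
        print(f"{name}: no upper bound, suggest {suggestion!r}")
    print("42.0.8 within cryptography bound:",
          satisfies("42.0.8", "cryptography>=42.0.5,<43.0.0"))
```

The `audit` function is the reviewable artefact: run over the real `[project]` and `[dependency-groups]` lists it reports exactly the entries the PR's rule would change, and `satisfies` is the check the review asks for on the starter-project downgrades (a pin that is outside the pyproject bound would fail it before `uv` ever ran). Whether a particular bound is *safe* (the gunicorn 23.x and cryptography 44.0.1 questions raised above) is still a judgement on release notes and advisories, which this script does not attempt.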
@HimavarshaVS HimavarshaVS changed the title Update dependency versions - pyproject.toml fix : Update dependency versions - pyproject.toml Sep 30, 2025
@erichare erichare changed the title fix : Update dependency versions - pyproject.toml fix: Update dependency versions - pyproject.toml Sep 30, 2025
@github-actions github-actions Bot added lgtm This PR has been approved by a maintainer bug Something isn't working and removed bug Something isn't working labels Sep 30, 2025
@codecov

codecov Bot commented Sep 30, 2025

Codecov Report

❌ Patch coverage is 40.00000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 24.21%. Comparing base (c42b539) to head (96bdb39).
⚠️ Report is 3 commits behind head on main.

Files with missing lines                               | Patch % | Lines
...rc/backend/base/langflow/api/v1/knowledge_bases.py  | 0.00%   | 2 Missing ⚠️
src/backend/base/langflow/__main__.py                  | 66.66%  | 1 Missing ⚠️

❌ Your project status has failed because the head coverage (47.25%) is below the target coverage (55.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main   #10028      +/-   ##
==========================================
+ Coverage   24.12%   24.21%   +0.09%     
==========================================
  Files        1091     1091              
  Lines       40014    40013       -1     
  Branches     5543     5542       -1     
==========================================
+ Hits         9653     9691      +38     
+ Misses      30190    30151      -39     
  Partials      171      171              
Flag    | Coverage Δ
backend | 47.25% <40.00%> (+0.25%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines                               | Coverage Δ
src/backend/base/langflow/__main__.py                  | 55.36% <66.66%> (ø)
...rc/backend/base/langflow/api/v1/knowledge_bases.py  | 17.37% <0.00%> (ø)

... and 12 files with indirect coverage changes


@github-actions github-actions Bot removed the bug Something isn't working label Sep 30, 2025
@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Oct 1, 2025
@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Oct 2, 2025
@sonarqubecloud

sonarqubecloud Bot commented Oct 2, 2025

Labels

bug Something isn't working lgtm This PR has been approved by a maintainer
