fix: upgrade langchain-classic to 1.0.7 #13130

Merged
Jkavia merged 1 commit into release-1.9.3 from dep-upgrades-clean
May 14, 2026

@Jkavia Jkavia commented May 14, 2026

  • Update version constraint from ~=1.0.0 to >=1.0.7,<2.0.0 CVE-2026-45134
  • Fixes issues present in version 1.0.4
  • Update uv.lock with new dependency resolution

Summary by CodeRabbit

  • Chores
    • Updated dependency version constraints for improved compatibility and stability.



coderabbitai Bot commented May 14, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

Walkthrough

The langchain-classic dependency constraint in src/lfx/pyproject.toml is updated from ~=1.0.0 to >=1.0.7,<2.0.0, raising the minimum required version and using an explicit range specifier instead of a compatible-release constraint.

Changes

Dependency Version Update

| Layer / File(s) | Summary |
|---|---|
| langchain-classic version constraint: src/lfx/pyproject.toml | The dependency constraint is updated from ~=1.0.0 to >=1.0.7,<2.0.0, raising the minimum version requirement to 1.0.7 and using an explicit range bound instead of a compatible-release specifier. |

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 9
✅ Passed checks (9 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'fix: upgrade langchain-classic to 1.0.7' clearly and directly describes the main change—upgrading a dependency to a specific version. It is concise, specific, and accurately reflects the primary modification in the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Test Coverage For New Implementations | ✅ Passed | This is a dependency version upgrade with no code changes. The check for test coverage applies to project code changes, not external dependency updates. |
| Test Quality And Coverage | ✅ Passed | This PR is a dependency upgrade (langchain-classic 1.0.0→1.0.7). The check for "Test Quality and Coverage for new implementations" is not applicable since no new code is being implemented. |
| Test File Naming And Structure | ✅ Passed | No test files are added or modified in this PR. It is a dependency upgrade only (langchain-classic version constraint change in pyproject.toml). The check is not applicable. |
| Excessive Mock Usage Warning | ✅ Passed | PR upgrades langchain-classic. Test files use mocks to isolate external dependencies for streaming error handling. Mocks are documented and appropriate for validation, not excessive. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels May 14, 2026

codecov Bot commented May 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (release-1.9.3@d5ef588). Learn more about missing BASE report.

@@               Coverage Diff                @@
##             release-1.9.3   #13130   +/-   ##
================================================
  Coverage                 ?   53.02%           
================================================
  Files                    ?     2033           
  Lines                    ?   184537           
  Branches                 ?    27397           
================================================
  Hits                     ?    97849           
  Misses                   ?    85576           
  Partials                 ?     1112           
| Flag | Coverage Δ |
|---|---|
| lfx | 50.08% <ø> (?) |

@github-actions

Frontend Unit Test Coverage Report

Coverage Summary

| Lines | Statements | Branches | Functions |
|---|---|---|---|
| Coverage: 35% | 35.47% (40695/114715) | 68.12% (5605/8227) | 35.95% (943/2623) |

Unit Test Results

| Tests | Skipped | Failures | Errors | Time |
|---|---|---|---|---|
| 4018 | 0 💤 | 0 ❌ | 0 🔥 | 9m 4s ⏱️ |

@ogabrielluiz ogabrielluiz left a comment

LGTM. Safe hotfix bump — picks up the load/storage hardening fixes from langchain-classic 1.0.5–1.0.7. Verified no Langflow code imports the modules that were tightened (storage, load, hub); all callers use agents/chains/memory surface which is unchanged.

The failing 3.14 Group 5 check is an unrelated pre-existing pydantic v1 issue in langchain_community's baidu_qianfan import, not caused by this PR.

Minor (non-blocking) thought: the constraint widens from ~=1.0.0 to >=1.0.7,<2.0.0, so downstream consumers without a lock will accept future 1.x minors. If you want tighter pinning on a release branch, ~=1.0.7 would limit to 1.0.x. Either is reasonable.

@github-actions github-actions Bot added the lgtm This PR has been approved by a maintainer label May 14, 2026
Comment thread src/lfx/pyproject.toml Outdated
"loguru>=0.7.3,<1.0.0",
"langchain~=1.2.0",
"langchain-classic~=1.0.0",
"langchain-classic>=1.0.7,<2.0.0",
Contributor

nit: since this is a hotfix on a release branch, would ~=1.0.7 work here? that keeps it pinned to 1.0.x and still picks up the security fixes, but avoids downstream installs (without our lock) auto-pulling future 1.x minor releases of langchain-classic. happy either way though — not blocking.

Collaborator Author

updated

- Update version constraint from ~=1.0.0 to ~=1.0.7
- Fixes issues present in version 1.0.4
- Update uv.lock with new dependency resolution
@Jkavia Jkavia force-pushed the dep-upgrades-clean branch from 1cd262a to 949fe4f Compare May 14, 2026 20:50
@Jkavia Jkavia merged commit e16c99d into release-1.9.3 May 14, 2026
10 checks passed
@Jkavia Jkavia deleted the dep-upgrades-clean branch May 14, 2026 20:51
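
The three constraints discussed in this thread (`~=1.0.0`, `>=1.0.7,<2.0.0`, `~=1.0.7`) differ in both floor and ceiling. The following is an added example, not code from the PR or from Langflow: a simplified matcher for plain numeric release versions (a subset of PEP 440) that lists which versions each constraint admits. The helper names and the candidate versions other than 1.0.4 and 1.0.7 are constructed for illustration and do not claim that those releases exist.

```python
# Added illustration: simplified subset of PEP 440 matching (plain numeric
# release segments only; no pre-releases, epochs or local versions).

def parse(version):
    """'1.0.7' -> (1, 0, 7)"""
    return tuple(int(part) for part in version.split("."))

def pad(a, b):
    """Zero-pad two release tuples to equal length so 1.1 compares like 1.1.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def clause_allows(clause, version):
    """Evaluate one clause such as '>=1.0.7' or '~=1.0.7' against a version."""
    for op in ("~=", ">=", "<=", "==", "<", ">"):  # two-character operators first
        if clause.startswith(op):
            bound = parse(clause[len(op):].strip())
            break
    else:
        raise ValueError(f"unsupported clause: {clause!r}")
    pv, pb = pad(parse(version), bound)
    if op == "~=":
        # ~=X.Y.Z means >=X.Y.Z and ==X.Y.*: all segments but the last are fixed.
        if len(bound) < 2:
            raise ValueError("~= needs at least two release segments")
        prefix = bound[:-1]
        return pv >= pb and pv[:len(prefix)] == prefix
    return {">=": pv >= pb, "<=": pv <= pb, "==": pv == pb,
            "<": pv < pb, ">": pv > pb}[op]

def allows(constraint, version):
    """True if the version satisfies every comma-separated clause."""
    return all(clause_allows(c.strip(), version) for c in constraint.split(","))

# Constraints quoted in the thread; candidate versions are constructed samples.
CONSTRAINTS = ["~=1.0.0", ">=1.0.7,<2.0.0", "~=1.0.7"]
CANDIDATES = ["1.0.4", "1.0.7", "1.0.9", "1.1.0", "2.0.0"]

def admitted(constraint):
    """Candidate versions that an unlocked install could resolve to."""
    return [v for v in CANDIDATES if allows(constraint, v)]

if __name__ == "__main__":
    for c in CONSTRAINTS:
        print(f"{c:<16} admits {admitted(c)}")
```

Only the original `~=1.0.0` admits 1.0.4, and only `>=1.0.7,<2.0.0` admits a 1.1.0, which is the difference the review comment points at for installs that do not use the lock file.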