fix: Bump Chroma versions for Graph RAG updates and changes

[erichare]

This pull request updates several dependency versions in the pyproject.toml file to ensure compatibility with newer releases and to take advantage of recent improvements and bug fixes. The most important changes involve relaxing version constraints, upgrading key packages, and aligning related dependencies.

Dependency version updates and compatibility improvements:

• Relaxed the version constraint for boto3 to allow any version from 1.34.162 up to, but not including, 2.0.0, improving flexibility for future updates.
• Updated chromadb to require version 1.0.0 or higher, removing the previous upper limit and allowing for newer features and fixes.

LangChain and related ecosystem upgrades:

• Upgraded several langchain packages for improved functionality and compatibility:
  • langchain-astradb from ~0.6.0 to ~0.6.1
  • langchain-chroma from >=0.1.4,<0.2.0 to >=0.2.6
  • langchain-aws from 0.2.7 to 0.2.33
  • langchain-mongodb from 0.2.0 to 0.7.0
• Updated langchain-graph-retriever and graph-retriever from 0.6.1 to 0.8.0 for improved graph retrieval capabilities.

Summary by CodeRabbit

• Chores
  • Updated multiple dependencies to newer, compatible versions and relaxed strict version pins to improve ecosystem compatibility and future updates.
• Bug Fixes
  • Enhances stability and compatibility with newer cloud, database, and retrieval integrations through upstream fixes included in dependency updates.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Updated dependency constraints in pyproject.toml, replacing strict pins with ranges and bumping versions for several packages, including boto3, chromadb, and multiple langchain-related libraries.

Changes

Cohort / File(s)	Summary of Changes
Dependency range and version updates pyproject.toml	- boto3: ==1.34.162 → >=1.34.162,<2.0.0 - chromadb: >=0.5.6,<0.6.0 → >=1.0.0 - langchain-astradb: ~=0.6.0 → ~=0.6.1 - langchain-chroma: >=0.1.4,<0.2.0 → >=0.2.6 - langchain-aws: ==0.2.7 → ==0.2.33 - langchain-mongodb: ==0.2.0 → ==0.7.0 - langchain-graph-retriever: ==0.6.1 → ==0.8.0 - graph-retriever: ==0.6.1 → ==0.8.0

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

lgtm

Suggested reviewers

• ogabrielluiz
• jordanrfrazier
• Cristhianzl

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title concisely summarizes the primary change — bumping Chroma-related versions to support Graph RAG updates — and aligns with the dependency updates in pyproject.toml; it is specific and readable while appropriately focusing on the main intent of the PR.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pyproject.toml (1)

35-36: Duplicate/conflicting certifi specs.

Both a range and an exact pin are listed; this effectively pins to 2024.8.30. Consider keeping only the intended constraint.

Apply one of:

• Keep the pin and remove the range, or
• Keep the range and drop the pin (preferred if lockfile provides reproducibility).

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ca3425e and 9d7031a.

⛔ Files ignored due to path filters (2)

• src/frontend/package-lock.json is excluded by !**/package-lock.json
• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (1)

• pyproject.toml (4 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: Run Frontend Tests / merge-reports
• GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 3
• GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 5
• GitHub Check: Lint Backend / Run Mypy (3.10)
• GitHub Check: Run Backend Tests / Integration Tests - Python 3.10
• GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 2
• GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 4
• GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 1
• GitHub Check: Lint Backend / Run Mypy (3.12)
• GitHub Check: Lint Backend / Run Mypy (3.13)
• GitHub Check: Lint Backend / Run Mypy (3.11)
• GitHub Check: Run Frontend Unit Tests / Frontend Jest Unit Tests
• GitHub Check: Test Starter Templates

🔇 Additional comments (5)

pyproject.toml (5)

82-82: Minor bump for langchain-astradb is fine.

---

88-89: Cap langchain-chroma to <0.3.0; verify langchain-aws pairing

Repo uses langchain_chroma.Chroma extensively (vectorstores, knowledge_bases, tests) — pin to avoid unexpected 0.3.0 API breaks.

File: pyproject.toml Lines: 88-89

Apply:

-    "langchain-chroma>=0.2.6",
+    "langchain-chroma>=0.2.6,<0.3.0",

Verify: langchain-aws==0.2.33 is imported (BedrockEmbeddings/ChatBedrock, etc.) in src/lfx/.../amazon_*.py — confirm the recommended boto3/botocore range for that langchain-aws release before upgrading dependencies or changing constraints.

---

56-56: Cap chromadb to <2.0.0 and verify API usage

Unbounded major upgrades can break our code — we import chromadb.Client and chromadb.config.Settings; lock the dependency and verify our usage against Chroma 1.x.

Locations:

• src/lfx/src/lfx/components/vectorstores/chroma.py — imports chromadb.config.Settings and chromadb.Client
• src/lfx/src/lfx/components/chroma/chroma.py — imports chromadb.config.Settings and chromadb.Client
• Tests/data referencing chromadb.Client: src/backend/tests/data/Vector_store.json and src/backend/tests/unit/components/vectorstores/test_chroma_vector_store_component.py

Apply:

-    "chromadb>=1.0.0",
+    "chromadb>=1.0.0,<2.0.0",

---

116-117: Confirm Graph RAG libs to 0.8.0 — verify API/rename migrations

Found usages to check:

• src/lfx/src/lfx/components/vectorstores/graph_rag.py — imports: graph_retriever.strategies, from langchain_graph_retriever import GraphRetriever; GraphRetriever(...) instantiation; from graph_retriever.edges.metadata import Id.
• src/lfx/src/lfx/components/datastax/graph_rag.py — same usages.
• docs/docs/Components/components-vector-stores.mdx — doc reference.

Verify GraphRetriever constructor/signature, strategies module/class names, edges.metadata.Id presence and any config/constructor arg changes introduced in v0.8.0; update these call sites (and docs) if names/params changed.

---

92-92: Large jump in langchain-mongodb: audit for breaking API changes.

Going from 0.2.0 → 0.7.0 likely includes breaking changes. Validate the following callsites and imports against 0.7.0 APIs:

• pyproject.toml: langchain-mongodb==0.7.0 (version bump).
• src/lfx/src/lfx/components/vectorstores/mongodb_atlas.py — imports MongoDBAtlasVectorSearch from langchain_community.vectorstores; uses MongoDBAtlasVectorSearch.from_documents(...) and MongoDBAtlasVectorSearch(embedding=..., collection=..., index_name=...). Verify these methods/signatures still exist.
• src/lfx/src/lfx/components/mongodb/mongodb_atlas.py — same usages; verify consistency.
• src/lfx/src/lfx/interface/initialize/loading.py and src/backend/base/langflow/interface/initialize/loading.py — call params["retriever"].as_retriever(); confirm as_retriever() still exists and returns the expected retriever type.
• src/lfx/src/lfx/components/deactivated/vector_store.py — returns vectorstore.as_retriever(); verify compatibility.

If APIs changed, update callers or pin to a compatible langchain-mongodb version.

[edwinjosechittilappilly]

LGTM

[edwinjosechittilappilly]

Approved it!
code LGTM. lets wait for the CI tests to merged.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud