Bump the pip group across 12 directories with 7 updates

[dependabot]

Bumps the pip group with 2 updates in the /comps/dataprep/src directory: pypdf and nltk.
Bumps the pip group with 1 update in the /comps/finetuning/src directory: ray.
Bumps the pip group with 2 updates in the /comps/guardrails/src/hallucination_detection directory: langgraph and langgraph-checkpoint.
Bumps the pip group with 1 update in the /comps/llms/utils/lm-eval directory: nltk.
Bumps the pip group with 2 updates in the /comps/rerankings/src directory: langgraph and langgraph-checkpoint.
Bumps the pip group with 2 updates in the /comps/retrievers/src directory: nltk and tornado.
Bumps the pip group with 2 updates in the /comps/struct2graph/src directory: langgraph and pypdf.
Bumps the pip group with 2 updates in the /comps/text2cypher/src directory: pypdf and nltk.
Bumps the pip group with 2 updates in the /comps/text2graph/src directory: langgraph and langgraph-checkpoint.
Bumps the pip group with 2 updates in the /comps/text2kg/src directory: pypdf and nltk.
Bumps the pip group with 4 updates in the /comps/third_parties/pathway/src directory: pypdf, nltk, tornado and authlib.
Bumps the pip group with 2 updates in the /comps/third_parties/video-llama/src directory: langgraph and langgraph-checkpoint.

Updates pypdf from 6.5.0 to 6.8.0

Release notes

Sourced from pypdf's releases.

Version 6.8.0, 2026-03-09

What's new

Security (SEC)

• Limit allowed /Length value of stream (#3675) by @​stefan6419846

New Features (ENH)

• Add /IRT (in-reply-to) support for markup annotations (#3631) by @​costajohnt

Documentation (DOC)

• Avoid using PageObject.replace_contents on PdfReader (#3669) by @​stefan6419846
• Document how to disable jbig2dec calls by @​stefan6419846

Full Changelog

Version 6.7.5, 2026-03-02

What's new

Security (SEC)

• Improve the performance of the ASCIIHexDecode filter (#3666) by @​stefan6419846

Full Changelog

Version 6.7.4, 2026-02-27

What's new

Security (SEC)

• Allow limiting output length for RunLengthDecode filter (#3664) by @​stefan6419846

Robustness (ROB)

• Deal with invalid annotations in extract_links (#3659) by @​stefan6419846

Full Changelog

Version 6.7.3, 2026-02-24

What's new

Security (SEC)

• Use zlib decompression limit when retrieving XFA data (#3658) by @​stefan6419846

Full Changelog

Version 6.7.2, 2026-02-22

What's new

Security (SEC)

• Prevent infinite loop from circular xref /Prev references (#3655) by @​rampageservices

Bug Fixes (BUG)

• Fix wrong LUT size error (#3651) by @​stefan6419846

... (truncated)

Changelog

Sourced from pypdf's changelog.

Version 6.8.0, 2026-03-09

Security (SEC)

• Limit allowed /Length value of stream (#3675)

New Features (ENH)

• Add /IRT (in-reply-to) support for markup annotations (#3631)

Documentation (DOC)

• Avoid using PageObject.replace_contents on PdfReader (#3669)
• Document how to disable jbig2dec calls

Full Changelog

Version 6.7.5, 2026-03-02

Security (SEC)

• Improve the performance of the ASCIIHexDecode filter (#3666)

Full Changelog

Version 6.7.4, 2026-02-27

Security (SEC)

• Allow limiting output length for RunLengthDecode filter (#3664)

Robustness (ROB)

• Deal with invalid annotations in extract_links (#3659)

Full Changelog

Version 6.7.3, 2026-02-24

Security (SEC)

• Use zlib decompression limit when retrieving XFA data (#3658)

Full Changelog

Version 6.7.2, 2026-02-22

Security (SEC)

• Prevent infinite loop from circular xref /Prev references (#3655)

Bug Fixes (BUG)

• Fix wrong LUT size error (#3651)
• Fix handling of page boxes defined on /Pages (#3650)

Full Changelog

Version 6.7.1, 2026-02-17

... (truncated)

Commits

• a869ece REL: 6.8.0
• 3c550b3 SEC: Limit allowed /Length value of stream (#3675)
• 5dae0e2 MAINT: Document and test XMP security (#3674)
• b9f66ab DEV: Change to loadfile strategy for PyPy in CI (#3671)
• 071118b MAINT: Remove excessive logging in extract_links while not clear (#3670)
• 43add64 DEV: Timeout PyPy tests after one minute
• 4228dd2 DOC: Avoid using PageObject.replace_contents on PdfReader (#3669)
• 0e9792d ENH: Add /IRT (in-reply-to) support for markup annotations (#3631)
• ede6db9 DOC: Document how to disable jbig2dec calls
• 6d0fa2f MAINT: Move and rename _xobj_image_helpers.py (#3661)
• Additional commits viewable in compare view

Updates nltk from 3.9.2 to 3.9.3

Changelog

Sourced from nltk's changelog.

Version 3.9.3 2026-02-21

• Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
• Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
• Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
• Validate external StanfordSegmenter JARs using SHA256 (#3477)
• Add optional sandbox enforcement for filestring() (#3485)
• Maintenance: downloader/zipped models, CI/tooling updates

Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith

Version 3.9.2 2025-10-01

• Update download checksums to use SHA256 in built index
• Fix percentage escape in new-style string formatting
• replace shortened URLs using goo.gl
• Make Wordnet interoperable with various taggers and tagged corpora
• Fix saving PerceptronTagger
• Document how to reproduce old Wordnet studies
• properly initialize Portuguese corpus reader
• support for mixed rules conversion into Chomsky Normal Form
• only import tkinter if a GUI is needed
• issue #2112 with Corenlp
• new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL
• Lesk defaults to most frequent sense in case of ties

Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion

Version 3.9.1 2024-08-19

• Fixed bug that prevented wordnet from loading

Version 3.9 2024-08-18

• Fix security vulnerability CVE-2024-39705 (breaking change)
• Replace pickled models (punkt, chunker, taggers) by new pickle-free "_tab" packages
• No longer sort Wordnet synsets and relations (sort in calling function when required)
• Only strip the last suffix in Wordnet Morphy, thus restricting synsets() results
• Add Python 3.12 support
• Many other minor fixes

Thanks to the following contributors to 3.8.2: Tom Aarsen, Cat Lee Ball, Veralara Bernhard, Carlos Brandt, Konstantin Chernyshev, Michael Higgins, Eric Kafe, Vivek Kalyan, David Lukes, Rob Malouf, purificant, Alex Rudnick, Liling Tan, Akihiro Yamazaki.

Version 3.8.1 2023-01-02

• Resolve RCE vulnerability in localhost WordNet Browser (#3100)

... (truncated)

Commits

• 4154eb8 Merge pull request #3503 from ekaf/hotfix-3501
• 7a710cb Prepare release 3.9.3
• 1056b32 Merge pull request #3468 from HyperPS/fix/secure-unzip-rce
• 7dc5baa Resolve merge conflict in tag mapping using normalized nltk resource URL
• 7ef38b8 Merge pull request #3467 from HyperPS/develop
• b2e1164 Merge pull request #3485 from HyperPS/fix-filestring-sandbox-update
• ac0ce55 Merge pull request #3480 from HyperPS/fix/filesystem-sandbox-security
• 603e34d Merge pull request #3479 from HyperPS/fix/corpusreader-path-traversal
• b63a501 Merge pull request #3477 from HyperPS/fix/stanford-segmenter-rce-sha256
• df38955 Merge pull request #3494 from ekaf/ewnv
• Additional commits viewable in compare view

Updates ray from 2.47.1 to 2.54.0

Release notes

Sourced from ray's releases.

Ray-2.54.0

Ray Data

🎉 New Features

• Add checkpointing support to Ray Data (#59409)
• Compute Expressions: list operations (#59346), fixed-size arrays (#58741), string padding (#59552), logarithmic (#59549), trigonometric (#59712), arithmetic (#59678), and rounding (#59295)
• Add sql_params support to read_sql (#60030)
• Add AsList aggregation (#59920)
• Support CountDistinct aggregate (#59030)
• Add credential provider abstraction for Databricks UC datasource (#60457)
• Support callable classes for UDFExpr (#56725)
• Add autoscaler metrics to Data Dashboard (#60472)
• Add optional filesystem parameter to download expression (#60677)
• Allow specifying partitioning style or flavor in write_parquet() (#59102)
• New cluster autoscaler enabled by default (#60474)

💫 Enhancements

• Improve numerical stability in scalers by handling near-zero values (#60488)
• Export dataset operator output schema to event logger (#60086)
• Iceberg: add retry policy for Storage + Catalog writes (#60620)
• Iceberg: remove calls to Catalog Table in write tasks (#60476)
• Expose logical operators and rules via package exports (#60297, #60296)
• Demote Sort from requiring preserve_order (#60555)
• Improve appearance of repr(dataset) (#59631)
• Allow configuring DefaultClusterAutoscalerV2 thresholds via env vars (#60133)
• Use Arrow IPC for Arrow Schema serialization/deserialization (#60195)
• Store _source_paths in object store to prevent excessive spilling during read task serialization (#59999)
• Add more shuffle fusion rules (#59985)
• Enable and tune DownstreamCapacityBackpressurePolicy (#59753)
• Enable concurrency cap backpressure with tuning (#59392)
• Set default actor pool scale up threshold to 1.75 (#59512)
• Don't downscale actors if the operator hasn't received any inputs (#59883)
• Don't reserve GPU budget for non-GPU tasks (#59789)
• Only return selected data columns in hive-partitioned Parquet files (#60236)
• Ordered + FIFO bundle queue (#60228)
• Add node_id, pid, attempt number for hanging tasks (#59793)
• Revise resource allocator task scheduling to factor in pending task outputs (#60639)
• Track block serialization time (#60574)
• Use metrics from OpRuntimeMetrics for progress (#60304)
• Tabular form for streaming executor op metrics (#59774)
• Info-log cluster scale-up decisions (#60357)
• Use plain mode instead of grid mode for OpMetrics logging (#59907)
• Progress reporting refactors (#59350, #59629, #59880)
• Remove deprecated TENSOR_COLUMN_NAME constant (#60573)
• Remove meta_provider parameter (#60379)
• Decouple Ray Train from Ray Data by removing top-level ray.data imports (#60292)
• Move extension types to ray.data (#59420)
• Skip upscaling validation warning for fixed-size actor pools (#60569)

... (truncated)

Commits

• 48bd1f8 [data] revert "continue grabbing task state until response is not None" (#61066)
• 165b4aa [Data][Cherry-pick] Fixed min_scheduling_resources to fallback to incremental...
• 6835277 [rllib] disable failing tests that are not release blocking (#60933)
• f8e1102 [Core] Fix test_failed_task_runtime_env_setup failure on windows (#60852) (#6...
• 620214f [RLlib] Fix _test_dependency_torch (#60742) (#60888)
• 5d2115c cherrypick part of #60887 (#60897)
• e94871d [Data][Cherry-pick] Prevent Limit from getting pushed past map_groups (#6...
• a77457b [Data] Fixing ReservationOpResourceAllocator to properly borrow resources f...
• 0f27a3a [Serve] Video analysis example fix (#60784) (#60871)
• 1b1a9bd [Data] Fixing output backpressure unblocking sequence to properly handle term...
• Additional commits viewable in compare view

Updates langgraph from 1.0.5 to 1.0.10rc1

Release notes

Sourced from langgraph's releases.

langgraph==1.0.10rc1

Changes since 1.0.9

• release: Candidate (#6947)
• Merge commit from fork
• chore: add tests to confirm expected subgraph persistence behavior (#6943)
• fix(langgraph): correct ParentCommand bubbling when checkpoint_ns includes numeric task segments (#6864)
• chore: add make type target for type checking (#6748)

langgraph==1.0.9

Changes since 1.0.8

• release: langgraph + prebuilt (#6875)
• fix: sequential interrupt handling w/ functional API (#6863)
• chore: state_updated_at sort by (#6857)
• chore: bump orjson (#6852)
• chore: conformance testing (#6842)
• chore(deps): bump the all-dependencies group in /libs/langgraph with 6 updates (#6815)
• chore(deps): bump protobuf from 6.33.4 to 6.33.5 in /libs/langgraph (#6833)
• chore(deps): bump cryptography from 46.0.3 to 46.0.5 in /libs/langgraph (#6837)
• chore(deps): bump nbconvert from 7.16.6 to 7.17.0 in /libs/langgraph (#6832)
• chore: server runtime type (#6774)
• refactor: replace bare except with BaseException in AsyncQueue (#6765)

langgraph==1.0.8

Changes since 1.0.7

• release(langgraph): 1.0.8 (#6757)
• chore: shallow copy futures (#6755)
• fix: pydantic messages double streaming (#6753)
• chore(deps-dev): bump ruff from 0.14.7 to 0.14.11 in /libs/sdk-py (#6673)
• chore: Omit lock when using connection pool (#6734)
• docs: enhance Runtime and ToolRuntime class descriptions for clarity (#6689)
• docs: add clarity to use of thread_id (#6515)
• docs: add docstrings to add_node overloads (#6514)
• docs: update notebook links and add archival notices for examples (#6720)
• release(cli): 0.4.12 (#6716)

langgraph-prebuilt==1.0.8

Changes since prebuilt==1.0.7

• release: langgraph + prebuilt (#6875)
• fix: inject ToolRuntime for dynamically registered tools (#6874)
• chore: bump orjson (#6852)
• chore(deps): bump langchain-core from 1.2.12 to 1.2.13 in /libs/prebuilt in the all-dependencies group (#6849)
• chore: conformance testing (#6842)
• chore(deps): bump the all-dependencies group in /libs/prebuilt with 3 updates (#6810)
• chore: server runtime type (#6774)
• docs(prebuilt): update warning for create_react_agent (#6760)
• release(langgraph): 1.0.8 (#6757)

... (truncated)

Commits

• a04ec5d release: Candidate (#6947)
• 50df7d4 Merge commit from fork
• c4a4a46 chore: add tests to confirm expected subgraph persistence behavior (#6943)
• f178eb8 fix(langgraph): correct ParentCommand bubbling when checkpoint_ns includes nu...
• 48167d7 chore(deps): bump the all-dependencies group in /libs/cli with 2 updates (#6920)
• 806878a chore(deps): bump the all-dependencies group in /libs/checkpoint-postgres wit...
• 8087e6a docs(sdk-py): update auth docstrings to default-deny pattern (#6933)
• 8fbdb14 release(sdk-py): 0.3.9 (#6932)
• 5093802 chore(deps): bump the all-dependencies group in /libs/checkpoint with 2 updat...
• b89ef60 feat(sdk-py): add extract parameter to threads.search() (#6880)
• Additional commits viewable in compare view

Updates langgraph-checkpoint from 3.0.1 to 4.0.0

Release notes

Sourced from langgraph-checkpoint's releases.

langgraph-checkpoint==4.0.0

Changes since checkpoint==3.0.1

• fix: flip default on base cache (#6677)
• fix(checkpoint): InMemorySaver context managers should return self in… (#6529)
• fix: docstring for serializer protocol (#6525)
• chore: clean up some refs (#6487)
• chore: add pyproject.toml links (#6364)

langgraph-checkpoint-postgres==3.0.4

Changes since checkpointpostgres==3.0.3

• chore: Omit lock when using connection pool (#6734)
• chore(deps): upgrade dependencies with uv lock --upgrade (#6671)
• chore: update twitter URLs (#6683)

langgraph-checkpoint-postgres==3.0.3

Changes since checkpointpostgres==3.0.2

• fix: flip default on base cache (#6677)
• docs: storage nits (#6651)

langgraph-checkpoint-sqlite==3.0.3

Changes since checkpointsqlite==3.0.2

• fix: aiosqlite's breaking change (#6699)
• chore(deps): upgrade dependencies with uv lock --upgrade (#6671)
• chore: update twitter URLs (#6683)

langgraph-checkpoint-postgres==3.0.2

Changes since checkpointpostgres==3.0.1

• release(checkpoint-postgres): 3.0.1 (#6568)
• chore: pgqs (#6567)
• fix(checkpoint-postgres): ensure vector extension is created only if not exists (#6154)
• fix(checkpoint-postgres): Replace f-string SQL formatting with parameterized queries in migration statements (#6328)
• chore: add pyproject.toml links (#6364)
• docs: add license files for checkpoint-sqlite and checkpoint-postgres (#6392)

langgraph-checkpoint-sqlite==3.0.2

Changes since checkpointsqlite==3.0.1

• fix: flip default on base cache (#6677)
• docs: storage nits (#6651)

Commits

• f91d79d fix: flip default on base cache (#6677)
• cb2faa7 fix(prebuilt): support generic type arguments for ToolRuntime injection (#6509)
• a5827c5 fix: change default recursion limit (#6676)
• 5212369 feat(sdk-py): add end-time to crons client (#6674)
• 7045a23 fix: add state attribute to ToolCallRequest overrides (#6668)
• 728db10 fix: suppress unintended deprecation warning (#6669)
• 454af21 feat(sdk-py): cron.on_run_completed support (#6662)
• b4630d8 chore: delete docs (#6488)
• 311465b fix: sanitize namespace for deeply nested graph jumps (#6665)
• 8ccead9 docs: x-refs and explainer in tool node docs (#6653)
• Additional commits viewable in compare view

Updates nltk from 3.9.2 to 3.9.3

Changelog

Sourced from nltk's changelog.

Version 3.9.3 2026-02-21

• Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
• Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
• Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
• Validate external StanfordSegmenter JARs using SHA256 (#3477)
• Add optional sandbox enforcement for filestring() (#3485)
• Maintenance: downloader/zipped models, CI/tooling updates

Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith

Version 3.9.2 2025-10-01

• Update download checksums to use SHA256 in built index
• Fix percentage escape in new-style string formatting
• replace shortened URLs using goo.gl
• Make Wordnet interoperable with various taggers and tagged corpora
• Fix saving PerceptronTagger
• Document how to reproduce old Wordnet studies
• properly initialize Portuguese corpus reader
• support for mixed rules conversion into Chomsky Normal Form
• only import tkinter if a GUI is needed
• issue #2112 with Corenlp
• new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL
• Lesk defaults to most frequent sense in case of ties

Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion

Version 3.9.1 2024-08-19

• Fixed bug that prevented wordnet from loading

Version 3.9 2024-08-18

• Fix security vulnerability CVE-2024-39705 (breaking change)
• Replace pickled models (punkt, chunker, taggers) by new pickle-free "_tab" packages
• No longer sort Wordnet synsets and relations (sort in calling function when required)
• Only strip the last suffix in Wordnet Morphy, thus restricting synsets() results
• Add Python 3.12 support
• Many other minor fixes

Thanks to the following contributors to 3.8.2: Tom Aarsen, Cat Lee Ball, Veralara Bernhard, Carlos Brandt, Konstantin Chernyshev, Michael Higgins, Eric Kafe, Vivek Kalyan, David Lukes, Rob Malouf, purificant, Alex Rudnick, Liling Tan, Akihiro Yamazaki.

Version 3.8.1 2023-01-02

• Resolve RCE vulnerability in localhost WordNet Browser (#3100)

... (truncated)

Commits

• 4154eb8 Merge pull request #3503 from ekaf/hotfix-3501
• 7a710cb Prepare release 3.9.3
• 1056b32 Merge pull request #3468 from HyperPS/fix/secure-unzip-rce
• 7dc5baa Resolve merge conflict in tag mapping using normalized nltk resource URL
• 7ef38b8 Merge pull request #3467 from HyperPS/develop
• b2e1164 Merge pull request #3485 from HyperPS/fix-filestring-sandbox-update
• ac0ce55 Merge pull request #3480 from HyperPS/fix/filesystem-sandbox-security
• 603e34d Merge pull request #3479 from HyperPS/fix/corpusreader-path-traversal
• b63a501 Merge pull request #3477 from HyperPS/fix/stanford-segmenter-rce-sha256
• df38955 Merge pull request #3494 from ekaf/ewnv
• Additional commits viewable in compare view

Updates langgraph from 1.0.5 to 1.0.10rc1

Release notes

Sourced from langgraph's releases.

langgraph==1.0.10rc1

Changes since 1.0.9

• release: Candidate (#6947)
• Merge commit from fork
• chore: add tests to confirm expected subgraph persistence behavior (#6943)
• fix(langgraph): correct ParentCommand bubbling when checkpoint_ns includes numeric task segments (#6864)
• chore: add make type target for type checking (#6748)

langgraph==1.0.9

Changes since 1.0.8

• release: langgraph + prebuilt (#6875)
• fix: sequential interrupt handling w/ functional API (#6863)
• chore: state_updated_at sort by (#6857)
• chore: bump orjson (#6852)
• chore: conformance testing (#6842)
• chore(deps): bump the all-dependencies group in /libs/langgraph with 6 updates (#6815)
• chore(deps): bump protobuf from 6.33.4 to 6.33.5 in /libs/langgraph (#6833)
• chore(deps): bump cryptography from 46.0.3 to 46.0.5 in /libs/langgraph (#6837)
• chore(deps): bump nbconvert from 7.16.6 to 7.17.0 in /libs/langgraph (#6832)
• chore: server runtime type (#6774)
• refactor: replace bare except with BaseException in AsyncQueue (#6765)

langgraph==1.0.8

Changes since 1.0.7

• release(langgraph): 1.0.8 (#6757)
• chore: shallow copy futures (#6755)
• fix: pydantic messages double streaming (#6753)
• chore(deps-dev): bump ruff from 0.14.7 to 0.14.11 in /libs/sdk-py (#6673)
• chore: Omit lock when using connection pool (#6734)
• docs: enhance Runtime and ToolRuntime class descriptions for clarity (#6689)
• docs: add clarity to use of thread_id (#6515)
• docs: add docstrings to add_node overloads (#6514)
• docs: update notebook links and add archival notices for examples (#6720)
• release(cli): 0.4.12 (#6716)

langgraph-prebuilt==1.0.8

Changes since prebuilt==1.0.7

• release: langgraph + prebuilt (#6875)
• fix: inject ToolRuntime for dynamically registered tools (#6874)
• chore: bump orjson (#6852)
• chore(deps): bump langchain-core from 1.2.12 to 1.2.13 in /libs/prebuilt in the all-dependencies group (#6849)
• chore: conformance testing (#6842)
• chore(deps): bump the all-dependencies group in /libs/prebuilt with 3 updates (#6810)
• chore: server runtime type (#6774)
• docs(prebuilt): update warning for create_react_agent (#6760)
• release(langgraph): 1.0.8 (#6757)

... (truncated)

Commits

• a04ec5d release: Candidate (#6947)
• 50df7d4 Merge commit from fork
• c4a4a46 chore: add tests to confirm expected subgraph persistence behavior (#6943)
• f178eb8 fix(langgraph): correct ParentCommand bubbling when checkpoint_ns includes nu...
• 48167d7 chore(deps): bump the all-dependencies group in /libs/cli with 2 updates (#6920)
• 806878a chore(deps): bump the all-dependencies group in /libs/checkpoint-postgres wit...
• 8087e6a docs(sdk-py): update auth docstrings to default-deny pattern (#6933)
• 8fbdb14 release(sdk-py): 0.3.9 (#6932)
• 5093802 chore(deps): bump the all-dependencies group in /libs/checkpoint with 2 updat...
• b89ef60 feat(sdk-py): add extract parameter to threads.search() (#6880)
• Additional commits viewable in compare view

Updates langgraph-checkpoint from 3.0.1 to 4.0.0

Release notes

Sourced from langgraph-checkpoint's releases.

langgraph-checkpoint==4.0.0

Changes since checkpoint==3.0.1

• fix: flip default on base cache (#6677)
• fix(checkpoint): InMemorySaver context managers should return self in… (#6529)
• fix: docstring for serializer protocol (#6525)
• chore: clean up some refs (#6487)
• chore: add pyproject.toml links (#6364)

langgraph-checkpoint-postgres==3.0.4

Changes since checkpointpostgres==3.0.3

• chore: Omit lock when using connection pool (#6734)
• chore(deps): upgrade dependencies with uv lock --upgrade (#6671)
• chore: update twitter URLs (#6683)

langgraph-checkpoint-postgres==3.0.3

Changes since checkpointpostgres==3.0.2

• fix: flip default on base cache (#6677)
• docs: storage nits (#6651)

langgraph-checkpoint-sqlite==3.0.3

Changes since checkpointsqlite==3.0.2

• fix: aiosqlite's breaking change (#6699)
• chore(deps): upgrade dependencies with uv lock --upgrade (#6671)
• chore: update twitter URLs (#6683)

langgraph-checkpoint-postgres==3.0.2

Changes since checkpointpostgres==3.0.1

• release(checkpoint-postgres): 3.0.1 (#6568)
• chore: pgqs (#6567)
• fix(checkpoint-postgres): ensure vector extension is created only if not exists (#6154)
• fix(checkpoint-postgres): Replace f-string SQL formatting with parameterized queries in migration statements (#6328)
• chore: add pyproject.toml links (#6364)
• docs: add license files for checkpoint-sqlite and checkpoint-postgres (#6392)

langgraph-checkpoint-sqlite==3.0.2

Changes since checkpointsqlite==3.0.1

• fix: flip default on base cache (#6677)
• docs: storage nits (#6651)

Commits

• f91d79d fix: flip default on base cache (#6677)
• cb2faa7 fix(prebuilt): support generic type arguments for ToolRuntime injection (#6509)
• a5827c5 fix: change default recursion limit (#6676)
• 5212369 feat(sdk-py): add end-time to crons client (#6674)
• 7045a23 fix: add state attribute to ToolCallRequest overrides (#6668)
• 728db10 fix: suppress unintended deprecation warning (#6669)
• 454af21 feat(sdk-py): cron.on_run_completed support (#6662)
• b4630d8 chore: delete docs (#6488)
• 311465b fix: sanitize namespace for deeply nested graph jumps (#6665)
• 8ccead9 docs: x-refs and explainer in tool node docs (#6653)
• Additional commits viewable in compare view

Updates nltk from 3.9.2 to 3.9.3

Changelog

Sourced from nltk's changelog.

Version 3.9.3 2026-02-21

• Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
• Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
• Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
• Validate external StanfordSegmenter JARs using SHA256 (#3477)
• Add optional sandbox enforcement for filestring() (#3485)
• Maintenance: downloader/zipped models, CI/tooling updates

Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith

Version 3.9.2 2025-10-01

• Update download checksums to use SHA256 in built index
• Fix percentage escape in new-style string formatting
• replace shortened URLs using goo.gl
• Make Wordnet interoperable with various taggers and tagged corpora
• Fix saving PerceptronTagger
• Document how to reproduce old Wordnet studies
• properly initialize Portuguese corpus reader
• support for mixed rules conversion into Chomsky Normal Form
• only import tkinter if a GUI is needed
• issue #2112 with Corenlp
• new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL
• Lesk defaults to most frequent sense in case of ties

Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion

Version 3.9.1 2024-08-19

• Fixed bug that prevented wordnet from loading

Version 3.9 2024-08-18

• Fix security vulnerability CVE-2024-39705 (breaking change)
• Replace pickled models (punkt, chunker, taggers) by new pickle-free "_tab" packages
• No longer sort Wordnet synsets and relations (sort in calling function when required)
• Only strip the last suffix in Wordnet Morphy, thus restricting synsets() results
• Add Python 3.12 support
• Many other minor fixes

Thanks to the following contributors to 3.8.2: Tom Aarsen, Cat Lee Ball, Veralara Bernhard, Carlos Brandt, Konstantin Chernyshev, Michael Higgins, Eric Kafe, Vivek Kalyan, David Lukes, Rob Malouf, purificant, Alex Rudnick, Liling Tan, Akihiro Yamazaki.

Version 3.8.1 2023-01-02

• Resolve RCE vulnerability in localhost WordNet Browser (#3100)

... (truncated)

Commits

• 4154eb8 Merge pull request #3503 from ekaf/hotfix-3501