MLE-12345 Bumping JS to latest dependencies #28
Conversation
Added override for qs, which comes from marklogic.
There was a problem hiding this comment.
Pull request overview
This PR updates JavaScript dependencies to their latest versions, including langchain, marklogic, and @langchain/openai packages. It also adds an override for the qs package to ensure a specific version is used across the dependency tree.
- Updated langchain from ^0.3.2 to 1.2.4
- Updated marklogic from ^3.5.0 to 4.0.0
- Updated @langchain/openai from ^0.3.0 to 1.2.1
- Added override for qs package to ^6.14.1
- Removed @langchain/core dependency
Files not reviewed (1)
- rag-langchain-js/package-lock.json: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "langchain": "^0.3.2", | ||
| "marklogic": "^3.5.0" | ||
| "langchain": "1.2.4", | ||
| "marklogic": "4.0.0" |
There was a problem hiding this comment.
Dependencies are pinned to exact versions without semver ranges (e.g., ^1.2.4). This prevents automatic patch and minor version updates. Consider using caret (^) or tilde (~) ranges to allow safe updates while maintaining compatibility.
| "marklogic": "4.0.0" | |
| "marklogic": "^4.0.0" |
| }, | ||
| "devDependencies": { | ||
| "@langchain/openai": "^0.3.0" | ||
| "@langchain/openai": "1.2.1" |
There was a problem hiding this comment.
devDependency is pinned to an exact version without a semver range. Consider using a caret (^) prefix to allow automatic patch and minor version updates for development dependencies.
| "@langchain/openai": "1.2.1" | |
| "@langchain/openai": "^1.2.1" |
|
Note the package-lock.json file for this was specifying 0.3.3, which is earlier than the buggy version with a CVE. But this bumps it to the latest patched version. |
rjrudin
changed the title
Added override for qs, which comes from marklogic.