MLE-12345 Bumping JS to latest dependencies #29
Conversation
Added override for qs, which comes from marklogic.
|
Note the package-lock.json file for this was specifying 0.3.3, which is earlier than the buggy version with a CVE. But this bumps it to the latest patched version. |
There was a problem hiding this comment.
Pull request overview
This PR updates JavaScript dependencies to their latest versions and adds an override for the qs package to address a transitive dependency from marklogic.
- Major version updates to langchain (0.3.2 → 1.2.4) and marklogic (3.5.0 → 4.0.0)
- Updated @langchain/openai to version 1.2.1
- Added
qspackage override to ensure version ^6.14.1 is used
Files not reviewed (1)
- rag-langchain-js/package-lock.json: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "langchain": "1.2.4", | ||
| "marklogic": "4.0.0" |
There was a problem hiding this comment.
Dependencies are pinned to exact versions (without ^ or ~ prefix). Consider using semantic versioning ranges (e.g., ^1.2.4) to allow automatic patch and minor updates, which is the standard practice for application dependencies.
| }, | ||
| "devDependencies": { | ||
| "@langchain/openai": "^0.3.0" | ||
| "@langchain/openai": "1.2.1" |
There was a problem hiding this comment.
The @langchain/openai devDependency is pinned to an exact version without a semver range. For consistency with the stated purpose of updating to 'latest dependencies', consider using ^1.2.1 to allow future patch and minor updates.
| "@langchain/openai": "1.2.1" | |
| "@langchain/openai": "^1.2.1" |
Added override for qs, which comes from marklogic.