fix(deps): upgrade langchain ecosystem to 1.x

common/pyproject.toml

@@ -6,21 +6,21 @@ authors = [{ name = "Trail of Bits", email = "opensource@trailofbits.com" }]
 license = "AGPL-3.0-only"
 requires-python = ">=3.12,<3.13"
 dependencies = [
-    "pydantic-settings ~=2.7.1",
+    "pydantic-settings ~=2.10.1",
     "pymongo ~=4.10.1",
     "redis ~=5.2.1",
-    "langchain-core ~=0.3.81",
-    "langchain-openai ~=0.3.30",
-    "langchain ~=0.3.27",
-    "langfuse ~=2.59.2",
+    "langchain-core ~=1.2.13",
+    "langchain-openai ~=1.1.0",
+    "langchain ~=1.2.0",
     "six ~=1.17.0",
 ]
 
 [project.optional-dependencies]
 full = [
     "protobuf>=5.0",
-    # openlit 1.36.6+ breaks langgraph ToolNode: https://github.com/openlit/openlit/issues/986
-    "openlit >=1.36.0,<1.36.6",
+    "langfuse ~=3.14.0",
+    # openlit ToolNode fix landed in 1.36.8: https://github.com/openlit/openlit/pull/991
+    "openlit >=1.36.8",
 ]
 
 
@@ -34,6 +34,11 @@ buttercup-challenge-task = "buttercup.common.challenge_task_cli:main"
 buttercup-task-registry = "buttercup.common.task_registry:task_registry_cli"
 
 
+[tool.uv]
+# openlit pins langchain<0.4.0 but hasn't updated for langchain 1.x yet.
+# Override to allow langchain 1.x; openlit core telemetry still works.
+override-dependencies = ["langchain>=1.2.0"]
+
 [tool.hatch.build.targets.wheel]
 packages = ["src/buttercup"]
 

common/src/buttercup/common/llm.py

@@ -5,11 +5,10 @@
 from typing import Any
 
 import requests
-from langchain.callbacks.base import BaseCallbackHandler
+from langchain_core.callbacks import BaseCallbackHandler
 from langchain_core.language_models import BaseChatModel
 from langchain_core.runnables import ConfigurableField, Runnable
 from langchain_openai.chat_models import ChatOpenAI
-from langfuse.callback import CallbackHandler
 from pydantic import SecretStr
 
 logger = logging.getLogger(__name__)
@@ -80,11 +79,11 @@ def get_langfuse_callbacks() -> list[BaseCallbackHandler]:
     """Get Langchain callbacks for monitoring LLM calls with LangFuse, if available."""
     if is_langfuse_available():
         try:
-            langfuse_handler = CallbackHandler(
-                public_key=os.getenv("LANGFUSE_PUBLIC_KEY"),
-                secret_key=os.getenv("LANGFUSE_SECRET_KEY"),
-                host=os.getenv("LANGFUSE_HOST"),
-            )
+            from langfuse.langchain import CallbackHandler
+
+            # langfuse 3.x reads LANGFUSE_PUBLIC_KEY, LANGFUSE_SECRET_KEY,
+            # and LANGFUSE_HOST from env vars automatically via get_client()
+            langfuse_handler = CallbackHandler()
             if langfuse_auth_check():
                 logger.info("Tracing with LangFuse enabled")
                 return [langfuse_handler]

fuzzer/pyproject.toml

@@ -8,7 +8,7 @@ requires-python = ">=3.12,<3.13"
 dependencies = [
     "common[full]",
     "redis ~=5.2.1",
-    "pydantic-settings ~=2.7.1",
+    "pydantic-settings ~=2.10.1",
     "beautifulsoup4 ~=4.13.3",
     "lxml ~=5.3.1",
     "cxxfilt>=0.3.0",
@@ -27,6 +27,10 @@ buttercup-corpus-sync = "buttercup.fuzzing_infra.corpus_sync:main"
 buttercup-corpus-merger = "buttercup.fuzzing_infra.corpus_merger:main"
 buttercup-fuzzer-utils = "buttercup.fuzzing_infra.utils_cli:main"
 
+[tool.uv]
+# openlit pins langchain<0.4.0 but hasn't updated for langchain 1.x yet
+override-dependencies = ["langchain>=1.2.0"]
+
 [tool.uv.sources]
 common = { path = "../common", editable = true }
 

orchestrator/pyproject.toml

@@ -11,7 +11,7 @@ dependencies = [
     "common[full]",
     "fastapi ~=0.128.0",
     "pydantic ~=2.11.0",
-    "pydantic-settings ~=2.7.1",
+    "pydantic-settings ~=2.10.1",
     "python-dateutil ~=2.9.0",
     "pyyaml ~=6.0.1",
     "requests ~=2.32.3",
@@ -63,6 +63,10 @@ build-backend = "hatchling.build"
 [tool.hatch.build.targets.wheel]
 packages = ["src/buttercup"]
 
+[tool.uv]
+# openlit pins langchain<0.4.0 but hasn't updated for langchain 1.x yet
+override-dependencies = ["langchain>=1.2.0"]
+
 [tool.uv.sources]
 common = { path = "../common", editable = true }
 

patcher/pyproject.toml

@@ -8,12 +8,12 @@ license = "AGPL-3.0-only"
 requires-python = ">=3.12,<3.13"
 dependencies = [
     "common[full]",
-    "langchain-community ~=0.3.27",
-    "langgraph ~=0.6.6",
-    "langgraph-checkpoint >=3.0.0",
-    "openai ~=1.100.2",
+    "langchain-community ~=0.4.0",
+    "langgraph ~=1.0.8",
+    "langgraph-checkpoint >=4.0.0",
+    "openai ~=1.109.1",
     "program-model",
-    "pydantic-settings ~=2.7.1",
+    "pydantic-settings ~=2.10.1",
     "python-dotenv ~=1.0.1",
     "unidiff ~=0.7.5",
 ]
@@ -59,6 +59,10 @@ ignore = [
 [tool.ruff.lint.per-file-ignores]
 "tests/**/*.py" = ["S101", "D"]  # Allow asserts, no docstrings in tests
 
+[tool.uv]
+# openlit pins langchain<0.4.0 but hasn't updated for langchain 1.x yet
+override-dependencies = ["langchain>=1.2.0"]
+
 [tool.uv.sources]
 common = { path = "../common", editable = true }
 program-model = { path = "../program-model", editable = true }