Merge branch 'master' into update-exa-search-types-v2

theishangoswami · web-flow · commit 5e0a87069eb0 · 2026-03-25T02:42:32.000+05:30
diff --git a/libs/core/langchain_core/prompts/base.py b/libs/core/langchain_core/prompts/base.py
@@ -15,6 +15,7 @@
 from pydantic import BaseModel, ConfigDict, Field, model_validator
 from typing_extensions import Self, override
 
+from langchain_core._api import deprecated
 from langchain_core.exceptions import ErrorCode, create_message
 from langchain_core.load import dumpd
 from langchain_core.output_parsers.base import BaseOutputParser  # noqa: TC001
@@ -350,6 +351,12 @@ def dict(self, **kwargs: Any) -> dict:
             prompt_dict["_type"] = self._prompt_type
         return prompt_dict
 
+    @deprecated(
+        since="1.2.21",
+        removal="2.0.0",
+        alternative="Use `dumpd`/`dumps` from `langchain_core.load` to serialize "
+        "prompts and `load`/`loads` to deserialize them.",
+    )
     def save(self, file_path: Path | str) -> None:
         """Save the prompt.
 
diff --git a/libs/core/langchain_core/prompts/chat.py b/libs/core/langchain_core/prompts/chat.py
@@ -22,6 +22,7 @@
 )
 from typing_extensions import Self, override
 
+from langchain_core._api import deprecated
 from langchain_core.messages import (
     AIMessage,
     AnyMessage,
@@ -1305,6 +1306,12 @@ def _prompt_type(self) -> str:
         """Name of prompt type. Used for serialization."""
         return "chat"
 
+    @deprecated(
+        since="1.2.21",
+        removal="2.0.0",
+        alternative="Use `dumpd`/`dumps` from `langchain_core.load` to serialize "
+        "prompts and `load`/`loads` to deserialize them.",
+    )
     def save(self, file_path: Path | str) -> None:
         """Save prompt to file.
 
diff --git a/libs/core/langchain_core/prompts/few_shot.py b/libs/core/langchain_core/prompts/few_shot.py
@@ -12,6 +12,7 @@
 )
 from typing_extensions import override
 
+from langchain_core._api import deprecated
 from langchain_core.example_selectors import BaseExampleSelector
 from langchain_core.messages import BaseMessage, get_buffer_string
 from langchain_core.prompts.chat import BaseChatPromptTemplate
@@ -237,6 +238,12 @@ def _prompt_type(self) -> str:
         """Return the prompt type key."""
         return "few_shot"
 
+    @deprecated(
+        since="1.2.21",
+        removal="2.0.0",
+        alternative="Use `dumpd`/`dumps` from `langchain_core.load` to serialize "
+        "prompts and `load`/`loads` to deserialize them.",
+    )
     def save(self, file_path: Path | str) -> None:
         """Save the prompt template to a file.
 
diff --git a/libs/core/langchain_core/prompts/few_shot_with_templates.py b/libs/core/langchain_core/prompts/few_shot_with_templates.py
@@ -6,6 +6,7 @@
 from pydantic import ConfigDict, model_validator
 from typing_extensions import Self
 
+from langchain_core._api import deprecated
 from langchain_core.example_selectors import BaseExampleSelector
 from langchain_core.prompts.prompt import PromptTemplate
 from langchain_core.prompts.string import (
@@ -215,6 +216,12 @@ def _prompt_type(self) -> str:
         """Return the prompt type key."""
         return "few_shot_with_templates"
 
+    @deprecated(
+        since="1.2.21",
+        removal="2.0.0",
+        alternative="Use `dumpd`/`dumps` from `langchain_core.load` to serialize "
+        "prompts and `load`/`loads` to deserialize them.",
+    )
     def save(self, file_path: Path | str) -> None:
         """Save the prompt to a file.
 
diff --git a/libs/core/langchain_core/prompts/loading.py b/libs/core/langchain_core/prompts/loading.py
@@ -7,6 +7,7 @@
 
 import yaml
 
+from langchain_core._api import deprecated
 from langchain_core.output_parsers.string import StrOutputParser
 from langchain_core.prompts.base import BasePromptTemplate
 from langchain_core.prompts.chat import ChatPromptTemplate
@@ -17,11 +18,51 @@
 logger = logging.getLogger(__name__)
 
 
-def load_prompt_from_config(config: dict) -> BasePromptTemplate:
+def _validate_path(path: Path) -> None:
+    """Reject absolute paths and ``..`` traversal components.
+
+    Args:
+        path: The path to validate.
+
+    Raises:
+        ValueError: If the path is absolute or contains ``..`` components.
+    """
+    if path.is_absolute():
+        msg = (
+            f"Path '{path}' is absolute. Absolute paths are not allowed "
+            f"when loading prompt configurations to prevent path traversal "
+            f"attacks. Use relative paths instead, or pass "
+            f"`allow_dangerous_paths=True` if you trust the input."
+        )
+        raise ValueError(msg)
+    if ".." in path.parts:
+        msg = (
+            f"Path '{path}' contains '..' components. Directory traversal "
+            f"sequences are not allowed when loading prompt configurations. "
+            f"Use direct relative paths instead, or pass "
+            f"`allow_dangerous_paths=True` if you trust the input."
+        )
+        raise ValueError(msg)
+
+
+@deprecated(
+    since="1.2.21",
+    removal="2.0.0",
+    alternative="Use `dumpd`/`dumps` from `langchain_core.load` to serialize "
+    "prompts and `load`/`loads` to deserialize them.",
+)
+def load_prompt_from_config(
+    config: dict, *, allow_dangerous_paths: bool = False
+) -> BasePromptTemplate:
     """Load prompt from config dict.
 
     Args:
         config: Dict containing the prompt configuration.
+        allow_dangerous_paths: If ``False`` (default), file paths in the
+            config (such as ``template_path``, ``examples``, and
+            ``example_prompt_path``) are validated to reject absolute paths
+            and directory traversal (``..``) sequences. Set to ``True`` only
+            if you trust the source of the config.
 
     Returns:
         A `PromptTemplate` object.
@@ -38,10 +79,12 @@ def load_prompt_from_config(config: dict) -> BasePromptTemplate:
         raise ValueError(msg)
 
     prompt_loader = type_to_loader_dict[config_type]
-    return prompt_loader(config)
+    return prompt_loader(config, allow_dangerous_paths=allow_dangerous_paths)
 
 
-def _load_template(var_name: str, config: dict) -> dict:
+def _load_template(
+    var_name: str, config: dict, *, allow_dangerous_paths: bool = False
+) -> dict:
     """Load template from the path if applicable."""
     # Check if template_path exists in config.
     if f"{var_name}_path" in config:
@@ -51,6 +94,8 @@ def _load_template(var_name: str, config: dict) -> dict:
             raise ValueError(msg)
         # Pop the template path from the config.
         template_path = Path(config.pop(f"{var_name}_path"))
+        if not allow_dangerous_paths:
+            _validate_path(template_path)
         # Load the template.
         if template_path.suffix == ".txt":
             template = template_path.read_text(encoding="utf-8")
@@ -61,12 +106,14 @@ def _load_template(var_name: str, config: dict) -> dict:
     return config
 
 
-def _load_examples(config: dict) -> dict:
+def _load_examples(config: dict, *, allow_dangerous_paths: bool = False) -> dict:
     """Load examples if necessary."""
     if isinstance(config["examples"], list):
         pass
     elif isinstance(config["examples"], str):
         path = Path(config["examples"])
+        if not allow_dangerous_paths:
+            _validate_path(path)
         with path.open(encoding="utf-8") as f:
             if path.suffix == ".json":
                 examples = json.load(f)
@@ -92,11 +139,17 @@ def _load_output_parser(config: dict) -> dict:
     return config
 
 
-def _load_few_shot_prompt(config: dict) -> FewShotPromptTemplate:
+def _load_few_shot_prompt(
+    config: dict, *, allow_dangerous_paths: bool = False
+) -> FewShotPromptTemplate:
     """Load the "few shot" prompt from the config."""
     # Load the suffix and prefix templates.
-    config = _load_template("suffix", config)
-    config = _load_template("prefix", config)
+    config = _load_template(
+        "suffix", config, allow_dangerous_paths=allow_dangerous_paths
+    )
+    config = _load_template(
+        "prefix", config, allow_dangerous_paths=allow_dangerous_paths
+    )
     # Load the example prompt.
     if "example_prompt_path" in config:
         if "example_prompt" in config:
@@ -105,19 +158,30 @@ def _load_few_shot_prompt(config: dict) -> FewShotPromptTemplate:
                 "be specified."
             )
             raise ValueError(msg)
-        config["example_prompt"] = load_prompt(config.pop("example_prompt_path"))
+        example_prompt_path = Path(config.pop("example_prompt_path"))
+        if not allow_dangerous_paths:
+            _validate_path(example_prompt_path)
+        config["example_prompt"] = load_prompt(
+            example_prompt_path, allow_dangerous_paths=allow_dangerous_paths
+        )
     else:
-        config["example_prompt"] = load_prompt_from_config(config["example_prompt"])
+        config["example_prompt"] = load_prompt_from_config(
+            config["example_prompt"], allow_dangerous_paths=allow_dangerous_paths
+        )
     # Load the examples.
-    config = _load_examples(config)
+    config = _load_examples(config, allow_dangerous_paths=allow_dangerous_paths)
     config = _load_output_parser(config)
     return FewShotPromptTemplate(**config)
 
 
-def _load_prompt(config: dict) -> PromptTemplate:
+def _load_prompt(
+    config: dict, *, allow_dangerous_paths: bool = False
+) -> PromptTemplate:
     """Load the prompt template from config."""
     # Load the template from disk if necessary.
-    config = _load_template("template", config)
+    config = _load_template(
+        "template", config, allow_dangerous_paths=allow_dangerous_paths
+    )
     config = _load_output_parser(config)
 
     template_format = config.get("template_format", "f-string")
@@ -134,12 +198,28 @@ def _load_prompt(config: dict) -> PromptTemplate:
     return PromptTemplate(**config)
 
 
-def load_prompt(path: str | Path, encoding: str | None = None) -> BasePromptTemplate:
+@deprecated(
+    since="1.2.21",
+    removal="2.0.0",
+    alternative="Use `dumpd`/`dumps` from `langchain_core.load` to serialize "
+    "prompts and `load`/`loads` to deserialize them.",
+)
+def load_prompt(
+    path: str | Path,
+    encoding: str | None = None,
+    *,
+    allow_dangerous_paths: bool = False,
+) -> BasePromptTemplate:
     """Unified method for loading a prompt from LangChainHub or local filesystem.
 
     Args:
         path: Path to the prompt file.
         encoding: Encoding of the file.
+        allow_dangerous_paths: If ``False`` (default), file paths referenced
+            inside the loaded config (such as ``template_path``, ``examples``,
+            and ``example_prompt_path``) are validated to reject absolute paths
+            and directory traversal (``..``) sequences. Set to ``True`` only
+            if you trust the source of the config.
 
     Returns:
         A `PromptTemplate` object.
@@ -154,11 +234,16 @@ def load_prompt(path: str | Path, encoding: str | None = None) -> BasePromptTemp
             "instead."
         )
         raise RuntimeError(msg)
-    return _load_prompt_from_file(path, encoding)
+    return _load_prompt_from_file(
+        path, encoding, allow_dangerous_paths=allow_dangerous_paths
+    )
 
 
 def _load_prompt_from_file(
-    file: str | Path, encoding: str | None = None
+    file: str | Path,
+    encoding: str | None = None,
+    *,
+    allow_dangerous_paths: bool = False,
 ) -> BasePromptTemplate:
     """Load prompt from file."""
     # Convert file to a Path object.
@@ -174,10 +259,14 @@ def _load_prompt_from_file(
         msg = f"Got unsupported file type {file_path.suffix}"
         raise ValueError(msg)
     # Load the prompt from the config now.
-    return load_prompt_from_config(config)
+    return load_prompt_from_config(config, allow_dangerous_paths=allow_dangerous_paths)
 
 
-def _load_chat_prompt(config: dict) -> ChatPromptTemplate:
+def _load_chat_prompt(
+    config: dict,
+    *,
+    allow_dangerous_paths: bool = False,  # noqa: ARG001
+) -> ChatPromptTemplate:
     """Load chat prompt from config."""
     messages = config.pop("messages")
     template = messages[0]["prompt"].pop("template") if messages else None
@@ -190,7 +279,7 @@ def _load_chat_prompt(config: dict) -> ChatPromptTemplate:
     return ChatPromptTemplate.from_template(template=template, **config)
 
 
-type_to_loader_dict: dict[str, Callable[[dict], BasePromptTemplate]] = {
+type_to_loader_dict: dict[str, Callable[..., BasePromptTemplate]] = {
     "prompt": _load_prompt,
     "few_shot": _load_few_shot_prompt,
     "chat": _load_chat_prompt,
diff --git a/libs/core/langchain_core/version.py b/libs/core/langchain_core/version.py
@@ -1,3 +1,3 @@
 """langchain-core version information and utilities."""
 
-VERSION = "1.2.21"
+VERSION = "1.2.22"
diff --git a/libs/core/pyproject.toml b/libs/core/pyproject.toml
@@ -21,7 +21,7 @@ classifiers = [
     "Topic :: Software Development :: Libraries :: Python Modules",
 ]
 
-version = "1.2.21"
+version = "1.2.22"
 requires-python = ">=3.10.0,<4.0.0"
 dependencies = [
     "langsmith>=0.3.45,<1.0.0",
diff --git a/libs/core/tests/unit_tests/prompts/test_loading.py b/libs/core/tests/unit_tests/prompts/test_loading.py
diff --git a/libs/core/uv.lock b/libs/core/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`"""langchain-core version information and utilities."""`
`2`	`2`
`3`		`-VERSION = "1.2.21"`
	`3`	`+VERSION = "1.2.22"`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ classifiers = [`
`21`	`21`	`"Topic :: Software Development :: Libraries :: Python Modules",`
`22`	`22`	`]`
`23`	`23`
`24`		`-version = "1.2.21"`
	`24`	`+version = "1.2.22"`
`25`	`25`	`requires-python = ">=3.10.0,<4.0.0"`
`26`	`26`	`dependencies = [`
`27`	`27`	`"langsmith>=0.3.45,<1.0.0",`