chore(deps): update dependency langchain-community to v0.3.27 [security] #2307
Summary of Changes
Hello @renovate-bot, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request updates a critical dependency, langchain-community, to its latest version. The primary motivation for this update is to patch a known security vulnerability, thereby enhancing the overall security posture and stability of the affected applications.
Highlights
- Dependency Update: The langchain-community package has been updated to version 0.3.27 across multiple sample applications.
- Security Vulnerability Fix: This update specifically addresses CVE-2025-6984, an XML External Entity (XXE) vulnerability in the EverNoteLoader component of langchain-community, which could lead to sensitive information disclosure.
Code Review
This pull request updates the langchain-community dependency across several sample applications to address a security vulnerability. While the update in gemini/sample-apps/llamaindex-rag/pyproject.toml is correct, the changes in the four requirements.txt files for the quickbot apps introduce critical dependency conflicts. The new version of langchain-community (0.3.27) is incompatible with the currently pinned version of langchain-core (0.3.9), which will cause installation failures. My review provides specific suggestions to update related langchain packages to resolve these conflicts and ensure the applications remain functional.
langchain==0.3.2 | ||
langchain-community==0.3.1 | ||
langchain-community==0.3.27 | ||
langchain-core==0.3.9 |
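Review bot: the unchanged context line langchain-core==0.3.9 in this hunk is incompatible with the new langchain-community==0.3.27 line, since (as the review comment on this file states) 0.3.27 requires langchain-core>=0.3.49, so pip will fail to resolve the file as a whole. Bump langchain-core in the same hunk (the comment suggests langchain-core==0.3.49, alongside langchain==0.3.22) and have CI run a clean install of each quickbot requirements.txt so a security bump that breaks resolution is caught before merge rather than at deploy time.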
Updating langchain-community to 0.3.27 without also updating langchain-core will cause a dependency conflict. According to its package information, langchain-community==0.3.27 requires langchain-core>=0.3.49. The currently pinned version langchain-core==0.3.9 is incompatible and will cause pip to fail during installation.
To resolve this, you should update langchain-core to a compatible version. It's also good practice to update the main langchain package to maintain compatibility across the ecosystem. I suggest aligning these versions with those used in the llamaindex-rag sample app within this repository.
langchain==0.3.22
langchain-community==0.3.27
langchain-core==0.3.49
This PR contains the following updates:
- langchain-community: 0.3.20 -> 0.3.27
- langchain-community: ==0.3.1 -> ==0.3.27
Warning
Some dependencies could not be looked up. Check the warning logs for more information.
GitHub Vulnerability Alerts
CVE-2025-6984
The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd. This issue has been fixed in 0.3.27 of langchain-community.
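The pattern the advisory describes, shown from the defensive side as an added example (this is not langchain-community's code and not the fix shipped in 0.3.27): a pre-parse guard in the style of the "forbid entity declarations" approach, placed in front of a streaming ElementTree.iterparse() over a constructed ENEX-style export. The sample documents, helper names and the guard's regexes are assumptions made for the example; the guard refuses any input that could declare an entity, so the parser never gets the chance to resolve an external one.

```python
import re
import xml.etree.ElementTree as ET
from io import BytesIO

# Heuristic pre-parse guard (assumption: the whole document is in memory as bytes).
# Anything that could define an entity is refused: an explicit <!ENTITY ...>
# declaration, or a DOCTYPE that opens an internal subset "[...]".
_ENTITY_DECL = re.compile(rb"<!ENTITY\b", re.IGNORECASE)
_INTERNAL_SUBSET = re.compile(rb"<!DOCTYPE[^>\[]*\[", re.IGNORECASE)


class UnsafeXML(ValueError):
    """The document could carry entity definitions and is not parsed."""


def check_no_entities(data: bytes) -> None:
    if _ENTITY_DECL.search(data) or _INTERNAL_SUBSET.search(data):
        raise UnsafeXML("entity declaration or internal DTD subset found")


def iter_note_titles(data: bytes) -> list:
    """Stream <note><title> values from an ENEX-style export, refusing
    entity-bearing input before the parser sees a single byte."""
    check_no_entities(data)
    titles = []
    # Same streaming pattern as the loader's etree.iterparse(); the difference
    # is that the guard above has already run on the raw bytes.
    for _event, elem in ET.iterparse(BytesIO(data), events=("end",)):
        if elem.tag == "title":
            titles.append(elem.text or "")
        elif elem.tag == "note":
            elem.clear()  # keep memory flat on large exports
    return titles


# Constructed sample: a normal export whose DOCTYPE references an external DTD
# (as Evernote exports do) but has no internal subset, so it is allowed.
CLEAN_ENEX = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE en-export SYSTEM "http://xml.evernote.com/pub/evernote-export3.dtd">
<en-export>
  <note><title>Grocery list</title><content>milk, eggs</content></note>
  <note><title>Meeting notes</title><content>follow up Monday</content></note>
</en-export>
"""
# Constructed sample of the shape the advisory describes: an internal subset
# declaring an external entity that points at a local file. The guard refuses it.
XXE_ENEX = b"""<?xml version="1.0"?>
<!DOCTYPE en-export [ <!ENTITY ext SYSTEM "file:///etc/passwd"> ]>
<en-export><note><title>&ext;</title></note></en-export>
"""
```

A loader that needs to accept exports with an internal subset would instead have to make the parser itself refuse entity expansion; the point of the guard is that the decision is made before any parser, expat or lxml, is involved.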
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.