chore(security): bump vulnerable dependencies to patched versions#4835

Merged
whysosaket merged 1 commit into main from security/dependency-bumps
Apr 20, 2026

Conversation


@kk2211 kk2211 commented Apr 14, 2026

Linked Issue

Addresses security scanner findings for vulnerable dependencies across the mem0 monorepo.

Description

Raise Python floor to 3.10 and refresh root + embedchain lockfiles to close all security scanner findings. Bump Next.js in the two active apps to close the December 11, 2025 CVE line. Delete an unmaintained example that was the source of several other scanner hits.

Root mem0 (pyproject.toml + poetry.lock)

  • Python floor: 3.9 → 3.10 (3.9 is not tested in CI; unblocks nltk/authlib upgrades)
  • litellm: >=1.74.0 → >=1.83.7
  • langchain-core: new explicit range >=0.3.81,<1.0.0 in extras
  • langchain / langchain-community: capped >=0.3.0,<1.0.0 to match lock's 0.3.x resolution
  • langchain-aws: capped >=0.2.23,<0.3.0
  • weaviate-client: >=4.4.0,<4.15.0 → >=4.15.4,<5.0.0 (aligns manifest with lock reality)
  • Dropped dev_py_3_9 Hatch env and test-py-3.9 Make target
  • Refreshed lock: authlib 1.6.10, h11 0.16.0, httpcore 1.0.9, nltk 3.9.4, torch 2.7.1/2.11.0, langchain-core 0.3.84, litellm 1.83.7

Embedchain (embedchain/pyproject.toml + embedchain/poetry.lock)

  • torch: 2.3.0 → >=2.6.0,<3
  • Refreshed lock: authlib 1.6.10, h11 0.16.0, httpcore 1.0.9, torch 2.8.0/2.11.0, langchain-core 0.3.84
  • gradio: ==4.11.0 → >=4.14.0 in gradio.app deployment requirements
  • embedchain example pins: 0.1.3, 0.1.31, 0.0.58 → 0.1.57 in rest-api, chainlit, discord_bot examples
  • Deleted embedchain/examples/full_stack/ — unmaintained tree containing Next 13.4.9, embedchain==0.0.58 backend, and @babel/traverse 7.22.8 in its lockfile. Also removed matching docs nav entry and "Full Stack Chatbot" card.

JS apps

Security requirements coverage

| Requirement | Status | Delivered via |
|---|---|---|
| pip gradio ≥ 4.14.0 | | embedchain/.../gradio.app/requirements.txt |
| pip embedchain ≥ 0.1.57 | | embedchain example requirements.txt files |
| npm @babel/traverse ≥ 7.23.2 | | mem0-ts 7.26.9 + vercel-ai-sdk 7.27.0 (already); legacy 7.22.8 removed via full_stack deletion |
| npm next ≥ 15.2.6 | | Both Next apps at 15.2.8; legacy 13.4.9 removed |
| pip h11 ≥ 0.16.0 | | Root lock 0.16.0, embedchain lock 0.16.0 |
| pip torch ≥ 2.6.0 | | Root lock 2.7.1/2.11.0, embedchain lock 2.8.0/2.11.0 |
| pip langchain-core ≥ 0.3.81 | | Root lock 0.3.84, embedchain lock 0.3.84 |
| pip nltk > 3.9.2 | | Root lock 3.9.4 |
| pip authlib > 1.6.8 | | Root lock 1.6.10, embedchain lock 1.6.10 |
| pip litellm ≥ 1.83.0 | | pyproject >=1.83.7, root lock 1.83.7 |

Type of Change

  • Bug fix (security patches for vulnerable dependencies)
  • New feature
  • Breaking change (Python 3.9 support dropped for root mem0ai package)
  • Refactor
  • Documentation update

Breaking Changes

Dropped Python 3.9 support for the root mem0ai package. Python 3.9 was not tested in CI (matrix is 3.10/3.11/3.12) but requires-python advertised >=3.9. The policy now matches CI reality. Embedchain still supports Python 3.9 (its CI matrix is unchanged).

Users on Python 3.9 will need to upgrade to Python 3.10+. No migration path needed if already on 3.10+.

Test Coverage

  • Tested manually across Python 3.10, 3.11, and 3.12
  • Added/updated unit tests
  • Added/updated integration tests
  • No new tests needed (security patches, no behavior change)

Local verification performed

Python (root mem0):

| Python | Install | Lint | Full suite |
|---|---|---|---|
| 3.10.14 | | | 1034 passed, 0 failed |
| 3.11.10 | | | 960 passed, 58 failed, 16 errors — identical to baseline main (byte-for-byte diff, zero regressions) |
| 3.12.7 | | | 1034 passed, 0 failed |

The 3.11 failures are a pre-existing posthog distinct_id compatibility issue specific to Python 3.11, verified against baseline main in the same venv. Not introduced by this PR.

Embedchain: poetry install on refreshed lock succeeds; core test suite 96 passed, 1 pre-existing optional-dep failure.

TypeScript / JS:

  • openmemory/ui: pnpm run build clean on Next 15.2.8
  • examples/mem0-demo: pnpm run build clean on Next 15.2.8
  • mem0-ts: 33 suites, 524 tests passed
  • vercel-ai-sdk: build clean
  • openclaw: 12 suites, 352 tests passed
  • cli/node: lint + typecheck + 90 tests passed

Python CLI: lint + 147 tests passed.

Over 3,200 tests executed. Zero new failures caused by this PR.

Checklist

  • Code follows project style guidelines
  • Self-review performed
  • Tests verified across all supported Python versions
  • New and existing tests pass locally
  • No documentation update needed (security patches, no public API changes)

Deferred / out of scope

None — all 10 scanner requirements from the original ticket are addressed in this PR.

Raise Python floor to 3.10 and refresh root + embedchain lockfiles
to close all security scanner findings.

Root mem0:
- Python floor: 3.9 -> 3.10 (3.9 not tested in CI; unblocks nltk/torch)
- litellm >= 1.83.7 (from 1.74.0)
- langchain-core >= 0.3.81, <1.0.0 (new explicit range in extras)
- langchain >= 0.3.0, <1.0.0 (cap to match lock's 0.3.x resolution)
- langchain-community >= 0.3.0, <1.0.0 (cap)
- langchain-aws >= 0.2.23, <0.3.0 (cap)
- weaviate-client >= 4.15.4, <5.0.0 (align manifest with lock reality)
- Refresh poetry.lock: authlib 1.6.10, h11 0.16.0, httpcore 1.0.9,
  nltk 3.9.4, torch 2.7.1/2.11.0, langchain-core 0.3.84, litellm 1.83.7
- Drop dev_py_3_9 Hatch env and test-py-3.9 Make target

Embedchain:
- torch 2.3.0 -> >=2.6.0,<3 in embedchain/pyproject.toml
- Refresh embedchain/poetry.lock: authlib 1.6.10, h11 0.16.0,
  httpcore 1.0.9, torch 2.8.0/2.11.0, langchain-core 0.3.84
- gradio >= 4.14.0 in gradio.app deployment requirements
- embedchain 0.1.57 in rest-api, chainlit, discord_bot examples
- Delete embedchain/examples/full_stack/ (Next 13, embedchain 0.0.58,
  @babel/traverse 7.22.8); remove matching docs and nav entries

JS apps:
- openmemory/ui next 15.2.4 -> 15.2.8 (CVE-2025-55183/55184/67779)
- examples/mem0-demo next 15.2.0 -> 15.2.8
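The coverage table above maps each scanner floor to the version that the refreshed lockfiles resolve. The following is an added example, not code from this PR or from the mem0 project, of how a reviewer can check that mapping mechanically instead of by eye: it parses a poetry.lock-style excerpt, extracts every `[[package]]` name/version pair (a package such as torch can appear more than once under different platform markers, and every occurrence has to satisfy the floor), and evaluates the pip rows of the table as specifier strings. Both lock excerpts below are constructed for the example; the "before" one uses the pre-bump versions the description mentions. Only plain dotted release versions are handled, and anything else (for instance a release candidate) raises rather than being silently accepted; a real pre-merge gate would use `packaging.specifiers` for full PEP 440 semantics.

```python
"""Check that resolved lockfile versions satisfy security scanner floors."""
import re
from typing import Dict, List, Set, Tuple

# Constructed poetry.lock-style excerpt reflecting the post-bump state.
# It is NOT the real mem0 lockfile.
AFTER_LOCK = """
[[package]]
name = "authlib"
version = "1.6.10"
description = "constructed entry"

[[package]]
name = "h11"
version = "0.16.0"

[[package]]
name = "langchain-core"
version = "0.3.84"

[[package]]
name = "litellm"
version = "1.83.7"

[[package]]
name = "nltk"
version = "3.9.4"

[[package]]
name = "torch"
version = "2.7.1"

[[package]]
name = "torch"
version = "2.11.0"
"""

# Constructed "before" excerpt: pre-bump versions, langchain-core absent.
BEFORE_LOCK = """
[[package]]
name = "authlib"
version = "1.6.8"

[[package]]
name = "h11"
version = "0.14.0"

[[package]]
name = "litellm"
version = "1.74.0"

[[package]]
name = "nltk"
version = "3.9.2"

[[package]]
name = "torch"
version = "2.3.0"
"""

# The pip rows of the PR's coverage table, as pip-style specifiers.
FLOORS: Dict[str, str] = {
    "h11": ">=0.16.0",
    "torch": ">=2.6.0",
    "langchain-core": ">=0.3.81",
    "nltk": ">3.9.2",
    "authlib": ">1.6.8",
    "litellm": ">=1.83.0",
}

# Matches the name/version header of each [[package]] table in poetry.lock.
_PKG_RE = re.compile(r'\[\[package\]\]\s*name\s*=\s*"([^"]+)"\s*version\s*=\s*"([^"]+)"')
_SPEC_RE = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a plain dotted release version; refuse anything else loudly."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version syntax: {text!r}")
    return tuple(int(p) for p in text.split("."))


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    # Pad with zeros so 2.6 == 2.6.0, then return -1 / 0 / 1.
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def satisfies(version: str, spec: str) -> bool:
    """True if version meets every comma-separated clause of spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _SPEC_RE.match(clause.strip())
        if not m:
            raise ValueError(f"bad specifier clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        c = _cmp(v, bound)
        if not {">=": c >= 0, ">": c > 0, "<=": c <= 0,
                "<": c < 0, "==": c == 0, "!=": c != 0}[op]:
            return False
    return True


def parse_lock(text: str) -> Dict[str, Set[str]]:
    """Map each locked package name to the set of versions it resolves to."""
    found: Dict[str, Set[str]] = {}
    for name, version in _PKG_RE.findall(text):
        found.setdefault(name.lower(), set()).add(version)
    return found


def check_lock(text: str, floors: Dict[str, str]) -> List[str]:
    """Return one problem line per floor the lock fails; empty list means clean."""
    locked = parse_lock(text)
    problems: List[str] = []
    for name, spec in floors.items():
        versions = locked.get(name.lower())
        if not versions:
            problems.append(f"{name}: not present in lock (required {spec})")
            continue
        for v in sorted(versions, key=parse_version):
            if not satisfies(v, spec):
                problems.append(f"{name} {v} violates {spec}")
    return problems


if __name__ == "__main__":
    for label, lock in (("before", BEFORE_LOCK), ("after", AFTER_LOCK)):
        found = check_lock(lock, FLOORS)
        print(f"{label}: {'clean' if not found else ''}")
        for line in found:
            print("  " + line)
```

Run as a script it reports every floor the "before" excerpt misses and nothing for the "after" excerpt. Treating a package that is missing from the lock as a failure matters here: langchain-core only became an explicit, pinned dependency in this PR, and a check that only looked at packages it happened to find would have passed silently on the old lock.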
mintlify Bot commented Apr 14, 2026

Preview deployment for your docs.

| Project | Status | Preview | Updated (UTC) |
|---|---|---|---|
| embedchain | 🟢 Ready | View Preview | Apr 14, 2026, 9:20 PM |

@whysosaket whysosaket merged commit cfb5f17 into main Apr 20, 2026
7 of 11 checks passed
@whysosaket whysosaket deleted the security/dependency-bumps branch April 20, 2026 19:57