@langchain/langgraph — Greenflagged

LangGraph

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

hwchase17jacoblee93basprouleric_langchainandrewnguonlydavidduongmaddyadamssam_noyeslangchain-securityandy-langchainrcasuphntrlchristian-bromann

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:langchain	AI (phantom-deps): Langchain is a core dependency re-exported by this wrapper; phantom-dep pattern is expected for orchestration libraries.	ai	2026/04/22
phantom-deps	phantom-dep:zod	AI (phantom-deps): Zod is a direct dependency used in type validation; phantom-dep pattern is expected for schema libraries in wrapper packages.	ai	2026/04/22
phantom-deps	phantom-dep:@langchain/community	AI (phantom-deps): Same-org scoped dependency used in examples/config; phantom-dep pattern is expected in monorepo-style ecosystems.	ai	2026/04/22
phantom-deps	phantom-dep:@langchain/openai	AI (phantom-deps): Same-org scoped dependency used in examples/config; phantom-dep pattern is expected in monorepo-style ecosystems.	ai	2026/04/22
dependencies	unvetted-dep:double-ended-queue	AI (dependencies): double-ended-queue is a well-known, stable utility package with no security concerns; safe for use as a dependency in this package.	ai	2026/04/22
dependencies	unvetted-dep:@langchain/langgraph-checkpoint-sqlite	AI (dependencies): First-party sibling package from the same LangChain/LangGraph monorepo, published by the same trusted maintainer team.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): davidduong is a known LangChain team publisher (714 days, 207 approved). Legitimate maintainer rotation within the langchain-ai org.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Established LangChain package; lack of Sigstore provenance is a known gap for this package family, not a security indicator.	ai	2026/04/22
source-diff	encoded-string-file:dist/hash.js	AI (source-diff): The long hex string is the well-known XXH3 secret key constant, used by the xxHash hashing algorithm implementation. This is a legitimate cryptographic constant, not a malicious payload.	ai	2026/04/22
source-diff	encoded-string-file:dist/hash.cjs	AI (source-diff): The long hex string is the XXH3 hashing algorithm's secret/seed constant — a standard cryptographic constant used in the XXH3 implementation. Not a malicious payload.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): @standard-schema/spec is a legitimate, widely-used schema interface package pinned to 1.1.0; consistent with LangGraph's schema validation support direction.	ai	2026/04/22
provenance	missing-githead	AI (provenance): Package has SLSA provenance attestation via Sigstore, which is a stronger integrity signal. Missing gitHead reflects a CI pipeline change, not a malicious publish.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): Maintainer change is within the langchain-ai org; hntrl is a known LangChain contributor. Legitimate transition, not a takeover.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): benjamincburns removal is part of a legitimate org-level maintainer transition within langchain-ai.	ai	2026/04/22
dependencies	unvetted-dep:@langchain/langgraph-sdk	AI (dependencies): First-party LangChain sibling package published by the same org; expected dependency for langgraph ecosystem packages.	ai	2026/04/21
dependencies	unvetted-dep:@langchain/langgraph-checkpoint	AI (dependencies): First-party LangChain sibling package published by the same org; expected dependency for langgraph ecosystem packages.	ai	2026/04/21

Versions (showing 77 of 177)

Hide prereleases

Version	Deps	Published
0.2.26	4 / 37	2024-12-05
0.2.25	4 / 37	2024-12-05
0.2.24	4 / 37	2024-12-03
0.2.23	4 / 37	2024-11-27
0.2.22	4 / 37	2024-11-20
0.2.21	4 / 37	2024-11-18
0.2.20	4 / 37	2024-11-02
0.2.19	5 / 38	2024-10-31
0.2.18	4 / 38	2024-10-24
0.2.17	4 / 38	2024-10-22
0.2.16	4 / 38	2024-10-17
0.2.15	4 / 38	2024-10-14
0.2.14	4 / 38	2024-10-10
0.2.13	4 / 38	2024-10-08
0.2.12	4 / 35	2024-10-08
0.2.11	4 / 35	2024-10-02
0.2.10	4 / 35	2024-09-30
0.2.9	4 / 35	2024-09-27
0.2.8	4 / 35	2024-09-18
0.2.7	4 / 35	2024-09-18
0.2.6	4 / 35	2024-09-18
0.2.5	4 / 35	2024-09-18
0.2.4	4 / 35	2024-09-17
0.2.3	4 / 35	2024-09-14
0.2.2	4 / 35	2024-09-04
0.2.1	4 / 35	2024-09-03
0.2.0	4 / 35	2024-09-03
0.1.9	6 / 34	2024-08-29
0.1.8	6 / 34	2024-08-29
0.1.7	6 / 34	2024-08-28
0.1.6	6 / 34	2024-08-28
0.1.5	6 / 34	2024-08-28
0.1.4	6 / 34	2024-08-27
0.1.3	6 / 34	2024-08-27
0.1.2	6 / 33	2024-08-26
0.1.1	6 / 33	2024-08-23
0.1.0	6 / 33	2024-08-22
0.0.34	3 / 34	2024-08-12
0.0.33	3 / 33	2024-08-06
0.0.32	3 / 33	2024-08-06
0.0.31	3 / 33	2024-07-23
0.0.30	3 / 33	2024-07-22
0.0.29	3 / 33	2024-07-18
0.0.28	3 / 33	2024-07-16
0.0.27	3 / 33	2024-07-16
0.0.26	2 / 34	2024-07-02
0.0.25	2 / 34	2024-06-25
0.0.24	2 / 32	2024-06-20
0.0.23	2 / 32	2024-06-13
0.0.22	2 / 32	2024-06-06
0.0.21	2 / 32	2024-05-25
0.0.20	2 / 32	2024-05-23
0.0.19	2 / 32	2024-05-20
0.0.18	2 / 31	2024-05-20
0.0.17	2 / 31	2024-05-17
0.0.16	2 / 31	2024-05-17
0.0.15	2 / 31	2024-05-16
0.0.14	2 / 31	2024-05-16
0.0.13	3 / 30	2024-05-16
0.0.12	1 / 28	2024-03-27
0.0.11	1 / 28	2024-03-25
0.0.10	1 / 28	2024-02-27
0.0.9	1 / 27	2024-02-24
0.0.8	1 / 27	2024-02-16
0.0.7	1 / 27	2024-02-14
0.0.6	1 / 27	2024-02-12
0.0.5	1 / 27	2024-02-12
0.0.4	1 / 27	2024-02-10
0.0.3	1 / 27	2024-02-03
0.0.2	1 / 26	2024-01-18
0.0.1	5 / 23	2024-01-18
1.0.0-alpha.5	3 / 37	2025-10-01
1.0.0-alpha.4	3 / 37	2025-09-22
1.0.0-alpha.3	3 / 37	2025-09-18
1.0.0-alpha.2	3 / 37	2025-09-18
1.0.0-alpha.1	3 / 37	2025-09-11
1.0.0-alpha.0	3 / 38	2025-08-28