fix(security): fix requests, pygments; risk-accept langchain-core (ENG-13418)

langchain/pyproject.toml

@@ -30,6 +30,8 @@ h11 = "^0.16.0"
 urllib3 = "^2.5.0"
 langsmith = ">=0.6.3"
 orjson = ">=3.11.6"
+requests = ">=2.33.0"
+pygments = ">=2.20.0"
 
 [tool.ruff.lint]
 select = ["E", "F", "I", "T201"]

osv-scanner.toml

@@ -4,6 +4,6 @@ ignoreUntil = "2026-06-15T00:00:00Z"
 reason = "langchain-core SSRF via image_url token counting (LOW). Fix requires upgrading langchain-core 0.3.x -> 1.2.11, a breaking major version change incompatible with our ^0.3.15 constraint. No semver-compatible fix available."
 
 [[IgnoredVulns]]
-id = "GHSA-5239-wwwm-4pmq"
-ignoreUntil = "2026-06-23T00:00:00Z"
-reason = "LOW severity (CVSS 3.3). pygments 2.19.2 is the latest release and is marked last_affected — no fix version published yet. ReDoS in AdlLexer (pygments/lexers/archetype.py) is only exploitable with attacker-controlled syntax highlighting inputs."
+id = "GHSA-qh6h-p6c9-ff54"
+ignoreUntil = "2026-04-27T12:04:00Z"
+reason = "langchain-core path traversal in load_prompt/load_prompt_from_config (HIGH, CVE-2026-34070). Fix requires upgrading langchain-core 0.3.x -> 1.2.22, a breaking major version change. langchain-community 0.3.x hard-constrains langchain-core<1.0.0, making a semver-compatible upgrade impossible without also migrating langchain-community to a stable 1.x release (currently only alpha). No fix available in the 0.3.x line."