chore(deps): bump the pip group across 2 directories with 2 updates

[dependabot]

Bumps the pip group with 2 updates in the / directory: langchain-core and cryptography.
Bumps the pip group with 2 updates in the /requirements-ci directory: langchain-core and cryptography.

Updates langchain-core from 1.2.18 to 1.2.22

Release notes

Sourced from langchain-core's releases.

langchain-core==1.2.22

Changes since langchain-core==1.2.21

release(core): 1.2.22 (#36201) fix(core): validate paths in prompt.save and load_prompt, deprecate methods (#36200)

langchain-core==1.2.21

Changes since langchain-core==1.2.20

release(core): 1.2.21 (#36179) fix(core,model-profiles): add missing ModelProfile fields, warn on schema drift (#36129) chore(core): remove stale blockbuster allowlist for deleted context module (#36168) ci: suppress pytest streaming output in CI (#36092)

langchain-core==1.2.20

Changes since langchain-core==1.2.19

release(core): 1.2.20 (#36085) fix(core): trace invocation params in metadata (#36080) feat: Add LangSmith integration metadata to create_agent and init_chat_model (#35810) feat(core): harden anti-ssrf (#35960) ci: avoid unnecessary dep installs in lint targets (#36046) docs(core): document base_url in mermaid api (#35961) chore: bump orjson from 3.11.5 to 3.11.6 in /libs/core (#35805) chore: housekeeping (#35850)

langchain-core==1.2.19

Changes since langchain-core==1.2.18

release(core): 1.2.19 (#35832) chore(core): move BaseCrossEncoder to langchain-core (#35809) chore: bump tornado from 6.5.2 to 6.5.5 in /libs/core (#35775)

Commits

• d22df94 release(core): 1.2.22 (#36201)
• 27add91 fix(core): validate paths in prompt.save and load_prompt, deprecate metho...
• 7563fce chore(model-profiles): refresh model profile data (#36195)
• 3e64c25 chore: use repo permissions instead of org membership for maintainer override...
• 1778b08 chore(partners): bump langchain-core min to 1.2.21 (#36183)
• ad574fc fix(openai): bump min core version (#36180)
• 19f81cf release(core): 1.2.21 (#36179)
• 6d07ef2 release(openai): 1.1.12 (#36178)
• 2f64d80 fix(core,model-profiles): add missing ModelProfile fields, warn on schema d...
• 5ffece5 chore(core): remove stale blockbuster allowlist for deleted context module (#...
• Additional commits viewable in compare view

Updates cryptography from 46.0.5 to 46.0.6

Changelog

Sourced from cryptography's changelog.

46.0.6 - 2026-03-25

* **SECURITY ISSUE**: Fixed a bug where name constraints were not applied
  to peer names during verification when the leaf certificate contains a
  wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug,
  including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for
  reporting the issue. **CVE-2026-34073**
.. _v46-0-5:

Commits

• 91d7288 Cherry-pick #14542 (#14543)
• See full diff in compare view

Updates langchain-core from 1.2.18 to 1.2.22

Release notes

Sourced from langchain-core's releases.

langchain-core==1.2.22

Changes since langchain-core==1.2.21

release(core): 1.2.22 (#36201) fix(core): validate paths in prompt.save and load_prompt, deprecate methods (#36200)

langchain-core==1.2.21

Changes since langchain-core==1.2.20

release(core): 1.2.21 (#36179) fix(core,model-profiles): add missing ModelProfile fields, warn on schema drift (#36129) chore(core): remove stale blockbuster allowlist for deleted context module (#36168) ci: suppress pytest streaming output in CI (#36092)

langchain-core==1.2.20

Changes since langchain-core==1.2.19

release(core): 1.2.20 (#36085) fix(core): trace invocation params in metadata (#36080) feat: Add LangSmith integration metadata to create_agent and init_chat_model (#35810) feat(core): harden anti-ssrf (#35960) ci: avoid unnecessary dep installs in lint targets (#36046) docs(core): document base_url in mermaid api (#35961) chore: bump orjson from 3.11.5 to 3.11.6 in /libs/core (#35805) chore: housekeeping (#35850)

langchain-core==1.2.19

Changes since langchain-core==1.2.18

release(core): 1.2.19 (#35832) chore(core): move BaseCrossEncoder to langchain-core (#35809) chore: bump tornado from 6.5.2 to 6.5.5 in /libs/core (#35775)

Commits

• d22df94 release(core): 1.2.22 (#36201)
• 27add91 fix(core): validate paths in prompt.save and load_prompt, deprecate metho...
• 7563fce chore(model-profiles): refresh model profile data (#36195)
• 3e64c25 chore: use repo permissions instead of org membership for maintainer override...
• 1778b08 chore(partners): bump langchain-core min to 1.2.21 (#36183)
• ad574fc fix(openai): bump min core version (#36180)
• 19f81cf release(core): 1.2.21 (#36179)
• 6d07ef2 release(openai): 1.1.12 (#36178)
• 2f64d80 fix(core,model-profiles): add missing ModelProfile fields, warn on schema d...
• 5ffece5 chore(core): remove stale blockbuster allowlist for deleted context module (#...
• Additional commits viewable in compare view

Updates cryptography from 46.0.5 to 46.0.6

Changelog

Sourced from cryptography's changelog.

46.0.6 - 2026-03-25

* **SECURITY ISSUE**: Fixed a bug where name constraints were not applied
  to peer names during verification when the leaf certificate contains a
  wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug,
  including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for
  reporting the issue. **CVE-2026-34073**
.. _v46-0-5:

Commits

• 91d7288 Cherry-pick #14542 (#14543)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

✅ SSOT Configuration Compliance: Passing

🎉 No hardcoded values detected that have SSOT config equivalents!

[github-actions]

🤖 AutoBot Phase Validation Results

System Maturity: 0.0%

Phase Status:

Recommendations: