LangChain Experimental, CVEs and Repo Restructure

[hwchase17]

TL;DR:

1. We're making changes to repo structure on Friday July 21, 2023.
2. There will be breaking changes to langchain.experimental on Friday July 28, 2023. We will move more experimental code to it's own package, which includes everything in langchain/experimental as well as anything with a CVE.

UPDATE 7/22

We have just completed the repo reorg and released langchain_experimental==0.0.1 (https://pypi.org/project/langchain-experimental/)

Note that we are NOT yet removing from the core langchain package - we will give people a week to migrate here.

See MIGRATE.md for how to migrate

Zero changes to functionality of things moved there

Vulnerabilities this addresses:

PALChain:

https://security.snyk.io/vuln/SNYK-PYTHON-LANGCHAIN-5752409
https://security.snyk.io/vuln/SNYK-PYTHON-LANGCHAIN-5759265
SQLDatabaseChain

https://security.snyk.io/vuln/SNYK-PYTHON-LANGCHAIN-5759268
load_prompt (Python files only)

https://security.snyk.io/vuln/SNYK-PYTHON-LANGCHAIN-5725807

ORIGINAL

Last week we talked about some high level changes to Langchain we’re considering and/or already implementing. This is an update on some immediate steps we’re taking over the next week.

One of the big issues we discussed was splitting LangChain into multiple packages. There’s a lot going on in LangChain, making it harder to navigate and more vulnerable to security issues. To start, we are going to split LangChain experimental into it’s own package and migrate any chains/agents with security concerns (CVEs) to that package.

The benefits of this include:

• Clear distinction of experimental code: until now it's been unclear what pieces of LangChain code are more experimental and which you could be confident in using in production. Splitting into separate packages makes this very clear
• CVE-less core langchain: this will remove any CVEs from the core langchain package
• Increased attention for experimental code: one of the things people love about langchain is how fast the community adds new ideas and papers. But sometimes it could feel weird adding something relatively unpolished to the library. With langchain-experimental you can contribute experimental ideas without worrying that it'll be misconstrued for production-ready code
• Leaner langchain: this will make langchain slimmer, more focused, and more lightweight.

We will move everything in langchain/experimental and all chains and agents that execute arbitrary SQL and Python code:

• langchain/experimental
• SQL chain
• SQL agent
• CSV agent
• Pandas agent
• Python agent

Our immediate steps are going to be:

• Friday morning PST: Change the structure of the repo to be libs/{package_name}. Other things besides the package (like the docs) will be kept at the top level still.
  • To start, there will only be one package: libs/langchain
• Friday afternoon PST: Add a second package, libs/langchain-experimental. This will include everything currently in langchain/experimental as well as all chains/agents listed above.
  • We will NOT remove those components from libs/langchain yet, but will keep them in LangChain for another week to give folks time to migrate off
• Next Friday afternoon PST: Remove langchain/experimental and everything listed above from the core langchain package

We will update this discussion as we make progress. We realize this will probably cause some short term pains: the developer experience will have to change to this multi-package setup and there will be breaking changes in a week. Still, we think these are changes worth making to have a more lean core package with no security vulnerabilities.

Going forward, we will also encourage smaller, more experimental chains to start in LangChain experimental.

If you have any thoughts, concerns or feedback, please let us know!

Updates:

• What the initial new structure may look like: (WIP) set up experimental #7959

[tjaffri]

Looks like this change went in this morning... thanks @hwchase17!

However, when I run any poetry command after syncing to the new source structure... I get the following error... anyone have ideas how to fix? Googling it seems unhelpful... looks like maybe this open issue: python-poetry/poetry#8122

~/Source/github/docugami.langchain# poetry install

'name'
~/Source/github/docugami.langchain# poetry debug info

Poetry

'name'

[hwchase17]

you will likely have to run any commands inside the respective packages now... eg cd libs/langchain and then run

does that fix? we're working on updating the contributing and dev guide asap

[tjaffri]

Yep... cd libs/langchain then poetry install works. Trying other stuff now, like the tests and making sure I can step into code from the notebooks. Unfamiliar with poetry beyond basic project structures with toml files in the root, so yes any updates to the docs would be super helpful! If there is something simple I can help document as I learn, please let me know!

[tjaffri]

Another issue... sorry @hwchase17. As noted above, I did cd libs/langchain so now my poetry-created venv is at libs/langchain/.venv. However, vscode cannot detect the .venv... maybe because it only looks in the root? Screenshot below.

I think maybe there are ways to do this with vscode workspaces... but I am out of my depth here. Would love help from somebody more familiar with vscode and poetry.

[hwchase17]

hmmm i am using pyenv and virtualenv and its working for me. is there an option to enter your python path explicitly? and manually select it that way?

I'm also going to write up developer guide now

[tjaffri]

Here is something that worked:

1. First, go to a .py file (I was in a Jupyter notebook) and click the "select Interpreter" button on the bottom right. Type in the path to python bin in the .venv i.e. /libs/langchain/.venv/bin/python. Docs: https://code.visualstudio.com/docs/python/environments#_manually-specify-an-interpreter
2. Now, if you go to the Jupyter notebook the .venv will show up

I can try to clean this up and put this in the developer guide with screenshots if you have a WIP draft.

Note that I don't explicitly use pyenv/virtualenv... I just do poetry install and that creates the .venv. I suspect others do something similar if they are not super advanced.

[ppramesi]

Will this be done to Langchain typescript package also?

[hwchase17]

yes, although there is less in there and less with CVEs so should be easier. cc @jacoblee93

[mpskex]

Should we migrate PR #7454 as well? I guess it should be experimental for now.

[hwchase17]

yes please! that would be great!

[mpskex]

Just merged master and ready for review.

[kapilnag]

we have application which uses SQL and Pandas agent, how much impact we can expect from this movement. Will it be temporary or we need to look for some other options?

[hwchase17]

at the moment those are not changing, just SQL chain

[syedhaider786s]

Hey! Thank you for all the insight, I'm building a SQL agent and when I run "from langchain.chains import SQLDatabaseChain" it gives me the following:

"ImportError: cannot import name 'SQLDatabaseChain' from 'langchain.chains' (/usr/local/lib/python3.10/dist-packages/langchain/chains/init.py)"

I have also tried using the following line but it also did not work "from langchain_experimental.sql import SQLDatabaseChain"

I'm guessing this is related to the reorganization of packages? Would appreciate any help to workaround this :)

[gambastyle]

im having the same problem

[buttermonster]

pip install langchain-experimental

[brunodemelo]

is csv_agent being deprecated to langchain-experimental, as well?