npm/langsmith — 4 CVEs

HIGH7.1CVE-2026-45134LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning

from 0, < 0.6.0

MEDIUM5.8CVE-2026-25528LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection

>= 0.3.41, < 0.4.6

MEDIUM5.6CVE-2026-40190LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`

from 0, < 0.5.18

MEDIUM5.3LangSmith SDK: Streaming token events bypass output redaction

from 0, < 0.5.19

pkg:npm/langsmith