LangChain Core

registryPyPI

package namelangchain-core

maintainerLangChain AI

LangChain Core is the foundational package in the LangChain ecosystem, defining the base abstractions for runnables, messages, prompts, output parsers, and the LangChain Expression Language (LCEL). Most LangChain integrations depend on this package rather than the top-level `langchain` package. It ships separately to allow lightweight installs without the full integration suite.

api usage

Checking LangChain Core

langchain-core 0.3.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=langchain-core&version=0.3.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "langchain-core",
  "version": "0.3.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

Core abstraction packages are present in every application that imports any LangChain integration. A compromise here propagates automatically to all dependent packages and all downstream applications without requiring a separate update.

Attestd monitors langchain-core using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

pypi_yank

Versions yanked on PyPI with a security-related yanked_reason annotation. Confidence 0.80.

Supply chain overview All PyPI packages LangChain LangGraph OpenAI SDK (Python)Response fields